Routing issue

cbeazley

MIS
Aug 22, 2002
76
CA
I have a basic network with 2 segments (inner and outer) and a firewall connected to the outer segment. I have acl's in place but not bound to any interface. I can route from the inner segment through the outer segment and gain access to the internet through the firewall.

The problem is that I can't gain access (ping, ftp) to any devices in my outer segment. Since the router separating the inner from the outer is before the firewall, there is no need to adjust the firewall.

Why? I basically have no ACLs bound, so what's the problem?
 
*basically no ACLs*... that is like saying you are a little bit pregnant. Either you have access lists enabled or you don't.

A posting of the configuration file (show running-config) with the IPs edited if needed would be a great help in answering your question.

MikeS
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Well, here it is. Like I said, I have ACLs but not bound to an interface.

________________________________________________________



version 12.0
service config
service telnet-zeroidle
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
enable secret 5 ****************
enable password 7 **************
!
!
!
!
!
ip subnet-zero
no ip finger
no ip domain-lookup
ip domain-name ***********
ip name-server ***********
ip name-server ***********
!
!
!
!
interface FastEthernet0/0
ip address 192.1.1.1 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
speed auto
half-duplex
no cdp enable
!
interface FastEthernet0/1
ip address 192.1.2.1 255.255.255.0
no ip directed-broadcast
no ip mroute-cache
speed auto
half-duplex
no cdp enable
!
router rip
network 192.1.1.0
network 192.1.2.0
network 0.0.0.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.1.2.1
ip route 192.1.1.0 255.255.255.0 0.0.0.0
no ip http server
!
access-list 1 deny 192.1.2.4
access-list 1 deny 192.1.2.5
access-list 1 deny 192.1.2.6
access-list 1 deny 192.1.2.7
access-list 1 permit 192.1.2.1
access-list 1 deny 192.1.2.2
access-list 1 deny 192.1.2.3
access-list 1 deny 192.1.2.8
access-list 1 deny 192.1.2.9
access-list 101 deny tcp any any eq telnet
no cdp run
banner login ^CUnauthorized access is prohibited^C
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
password 7 ***********
login
!
no scheduler allocate
end

_______________________________________________________
 
Get rid of the 'ip route 192.1.1.0 255.255.255.0 0.0.0.0'

Dave
 
Still thinking about this one. The 192.1.1.0 is a connected network, so you shouldn't need a route. That doesn't explain how you have devices accessing the internet. Are the devices accessing the internet on a network other than 192.1.1.0? A show IP route would be useful.

Dave
 
I would agree with dnels that the static route situation looks a little strange. However, my first question would be whether or not your outside devices have the appropriate route back to the inside to answer the echo requests, etc.? In other words, is their default gateway the router that is attached to the inside and knows how to reach the inside? Or is their default gateway pointing out towards the world/firewall (likely)? If so, does the firewall know to redirect back towards the inside? Or can you enter static routes in the outside devices back towards the inside?
 
Sorry for the response bombardment, but another issue I have seen is if the default gateway for the devices on the outside is the address of the firewall, you could need to put rules in to allow access from the devices on the outside to the devices on the inside.

Good Luck,
Dave
 
Wow, thanks for everyone's replies. It's nice to know there are people so willing to help out there.

Update: I have tried dnels' first suggestion "Get rid of the 'ip route 192.1.1.0 255.255.255.0 0.0.0.0'" but this did nothing.

Yes it's a firewall on the outside. This part of our network is simple: innernet > router > outernet > firewall. I can ping from the outernet to the innernet and I can ping from the innernet through the router>outernet>firewall but I can't ping from the innernet to any other device in the outernet. Strange.

I will review your other comment to see if I can figure out this simple but frustrating issue.
 
This is the point where I break out my protocol analyzer and see where things are failing. Do you have a switch on your outernet that you can set a span port up on? Or is everything on a hub?

I use a pretty good open-source PA called Ethereal.


Barring that, debug icmp can be helpful. Also, I don't know exactly what it is that you have on the outside, but often when a machine can ping but can't be pinged, a personal firewall app turns out to be to blame. Just a thought...
 
I second the debugs.. you can do a lot with them and ACLs set up for the debug session only.

A thought would be to get rid of the "no ip directed-broadcast" on each interface. I did an upgrade once and 6 hours later (everyone started to time out on their lease) my DHCP broke on that segment. It was the damndest thing until I saw this line on the interfaces. It breaks any directed broadcast by blocking them. Good for security but bad for the day-to-day stuff :(


MikeS
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Thanks for everyone's help. Turns out to be a routing issue on the firewall. I changed the gateway on the devices themselves and all was good. Bonehead award goes to me.
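The asymmetric return path that the replies above diagnose, as an added Python model that is not part of the thread; the firewall address (192.1.2.254) and the host addresses are assumptions, and the route tables are constructed to mirror the posted config:

```python
import ipaddress

# Constructed topology modelled on the thread; firewall and host addresses
# are assumptions, not values from the posted config.
NODES = {
    "inner_host": {"ips": {"192.1.1.10"},
                   "routes": {"192.1.1.0/24": "connected", "0.0.0.0/0": "192.1.1.1"}},
    "router": {"ips": {"192.1.1.1", "192.1.2.1"},
               "routes": {"192.1.1.0/24": "connected", "192.1.2.0/24": "connected",
                          "0.0.0.0/0": "192.1.2.254"}},
    "firewall": {"ips": {"192.1.2.254"},   # no route back to 192.1.1.0/24
                 "routes": {"192.1.2.0/24": "connected", "0.0.0.0/0": "internet"}},
    "outer_host": {"ips": {"192.1.2.20"},   # default gateway points at the firewall
                   "routes": {"192.1.2.0/24": "connected", "0.0.0.0/0": "192.1.2.254"}},
    "internet": {"ips": set(), "routes": {}},
}

def owner(ip):  # name of the node that holds this address, or None
    return next((n for n, d in NODES.items() if ip in d["ips"]), None)

def next_hop(node, dst):
    """Longest-prefix match over the node's table, as a router does it."""
    best = None
    for prefix, nh in NODES[node]["routes"].items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def trace(src_ip, dst_ip, max_hops=8):
    """Follow one packet hop by hop; returns the list of nodes it visits."""
    node, path = owner(src_ip), [owner(src_ip)]
    for _ in range(max_hops):
        if dst_ip in NODES[node]["ips"]:
            return path                      # delivered
        nh = next_hop(node, dst_ip)
        nxt = owner(dst_ip) if nh == "connected" else owner(nh) if nh and nh != "internet" else nh
        if nxt is None or nxt == "internet":
            path.append(nxt or "dropped")    # left the segment, or no route at all
            return path
        node = nxt
        path.append(node)
    return path

def ping_works(src_ip, dst_ip):
    """A ping succeeds only if the request AND the echo reply each arrive."""
    return (trace(src_ip, dst_ip)[-1] == owner(dst_ip)
            and trace(dst_ip, src_ip)[-1] == owner(src_ip))

def set_gateway(node, gw):  # the fix from the thread: point outer devices at the router
    NODES[node]["routes"]["0.0.0.0/0"] = gw
```

With the outer host's gateway on the firewall, the echo request reaches it but the reply is forwarded out to the internet; after `set_gateway("outer_host", "192.1.2.1")` both directions complete, matching the resolution in the last post.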
 