- CheckMates
- :
- Products
- :
- General Topics
- :
- Re: Routing between subnets
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Routing between subnets
Hi,
Can you help me? I can't set up routing between 2 separate site interfaces.
I have the office LAN 10.0.0.138/24 on LAN1: 10.0.0.138
and the CMS LAN 198.19.133.80 on LAN4: 198.19.133.82 (198.19.133.81 is a T-Mobile modem). I cannot reach the T-Mobile IP (198.19.133.81) from the office network. I set the object group and put them in the policy, but the communication does not work. Ping to the IP address of the modem only works from the Check Point FW itself. I am attaching a picture for clarification.
BR Jaroslav
Accepted Solutions
SOLVED by source NAT
I think the T-Mobile modem does not know how to route 10.0.0.0/24 back to the CP.
What does `tcpdump -nni LAN4 host 198.19.133.81` show when you send traffic from the LAN?
If you like this post please give a thumbs up (kudo)! 🙂
Hi Lesley, Thank you for your response.
I tried setting up monitoring. There is a syntax error. I spoke with the technician who was setting up the T-mobile router. He told me that on CP I should have S-NAT for office lan 10.0.0.0/24 to IP address 198.19.133.82 (LAN4 port) when requesting communication to CMS 10.240.0.0/12. CMS 10.240.0.0/12 is a closed network that is only reachable from the 198.19.133.80/29 network.
I am afraid that it will be necessary to turn off the default hidden NAT on CP.
The CPS network is reachable now only from CP from tool.
BR Jaroslav
How is any NAT configured / defined in the existing setup and which appliance firmware version/build?
Hi Chris,
The NAT configuration is the default: a hide NAT that masks the office behind one WAN. That can be the problem. I need to mask part of the traffic from the office LAN behind an IP from the range 198.19.133.80/29, i.e. the LAN4 IP 198.19.133.82? This is what the T-Mobile technician told me, and the second thing is to set the route: 10.240.0.0/12 next hop 198.19.133.81.
BR Jaroslav
The appliance is a 1550 box.
Version: R81.10.08
Did you do any captures/debugs to see what's happening with the traffic?
Andy
Hi Andy,
I only have one log where I try to ping IP 10.250.142.198 in the CMS subnet for testing. I would need the office LAN 10.0.0.0/24, in this case the IP of the server 10.0.0.250, to be masked behind an IP from the range 198.19.133.80/29. This is enforced by CMS as a condition.
LOG:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on LAN4, link-type EN10MB (Ethernet), capture size 262144 bytes
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
IP 10.0.0.251 > 10.250.142.198: ICMP echo request, id 1, seq 20916, length 40
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
IP 10.0.0.251 > 10.250.142.198: ICMP echo request, id 1, seq 20917, length 40
ARP, Request who-has 198.19.133.81 tell 198.19.133.82, length 28
ARP, Reply 198.19.133.81 is-at e4:77:27:1b:ec:7c, length 46
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
IP 10.0.0.251 > 10.250.142.198: ICMP echo request, id 1, seq 20918, length 40
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
IP 10.0.0.251 > 10.250.142.198: ICMP echo request, id 1, seq 20919, length 40
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
IP 10.0.0.251 > 10.250.142.198: ICMP echo request, id 1, seq 20920, length 40
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
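To make the diagnosis in this thread checkable on a capture, here is an added Python example (not from the thread or from Check Point) that parses tcpdump lines in the shape of the log above, flags echo requests toward the CMS range that leave LAN4 with a source outside 198.19.133.80/29 (i.e. not hidden behind the LAN4 address), and counts requests that never got a reply. The sample capture is constructed for the example.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in the shape of the LAN4 tcpdump output above:
# two un-NATed requests from the office LAN, then one request that was
# hidden behind the LAN4 address and did get an answer.
SAMPLE_CAPTURE = """\
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
IP 10.0.0.251 > 10.250.142.198: ICMP echo request, id 1, seq 20916, length 40
ARP, Request who-has 198.19.133.81 tell 198.19.133.82, length 28
IP 10.0.0.251 > 10.250.142.198: ICMP echo request, id 1, seq 20917, length 40
IP 198.19.133.82 > 10.250.142.198: ICMP echo request, id 2, seq 1, length 40
IP 10.250.142.198 > 198.19.133.82: ICMP echo reply, id 2, seq 1, length 40
"""

# Address ranges named in the thread.
CMS_NET = ipaddress.ip_network("10.240.0.0/12")         # closed CMS network
ALLOWED_SRC = ipaddress.ip_network("198.19.133.80/29")  # only sources CMS accepts

# Matches the IPv4 ICMP echo lines tcpdump prints without -v.
ICMP_RE = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def audit_egress(capture: str) -> dict:
    """Walk a LAN4 capture and report ICMP flows toward CMS.

    Returns the sources that left without hide NAT (outside ALLOWED_SRC)
    and how many echo requests toward CMS never saw a matching reply.
    """
    unnated = Counter()
    pending = set()  # (src, id, seq) of requests still waiting for a reply
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if not m:
            continue  # STP / ARP noise in the capture
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if m["kind"] == "request" and dst in CMS_NET:
            if src not in ALLOWED_SRC:
                unnated[str(src)] += 1  # hide NAT did not apply on this path
            pending.add((str(src), m["id"], m["seq"]))
        elif m["kind"] == "reply" and src in CMS_NET:
            pending.discard((str(dst), m["id"], m["seq"]))
    return {"unnated_sources": dict(unnated), "unanswered_requests": len(pending)}
```

Run it against the real `tcpdump -nni LAN4` output: any entry under `unnated_sources` is traffic the CMS side will drop or cannot route back, which is exactly the symptom in the log above.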
Good job!
Best,
Andy