Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
JJezek
Participant
Jump to solution

Routing between subnets

Hi,

 

can you help me. I can't set up routing between 2 separate site interfaces.

I have office lan 10.0.0.138/24 on LAN1:10.0.0.138
and CMS lan 198.19.133.80 on LAN4: 198.19.133.82 (198.19.133.81 is a T-mobile modem). I cannot reach the T-mobile IP (198.19.133.81) from the office network.  I set the object group and put them in the policy, But the communication does not work. ping to the IP address of the modem only works with FW checkpoint. I am attaching a picture for clarification.

 

BR Jaroslav

0 Kudos
1 Solution

Accepted Solutions
JJezek
Participant

SOLVED by source NAT

View solution in original post

10 Replies
Lesley
Advisor

I think t-mobile modem does not know how to route 10.0.0.0/24 back to the CP.

What does tcpdump -nni LAN4 host 198.19.133.81  , show when you send traffic from the LAN?

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
JJezek
Participant

Hi Lesley,  Thank you for your response.

I tried setting up monitoring. There is a syntax error. I spoke with the technician who was setting up the T-mobile router. He told me that on CP I should have S-NAT for office lan 10.0.0.0/24 to IP address 198.19.133.82 (LAN4 port) when requesting communication to CMS 10.240.0.0/12. CMS 10.240.0.0/12 is a closed network that is only reachable from the 198.19.133.80/29 network.

I am afraid that it will be necessary to turn off the default hidden NAT on CP.

 

The CPS network is reachable now only from CP from tool.

 

BR Jaroslav

 

 

 

 

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee

How is any NAT configured / defined in the existing setup and which appliance firmware version/build?

CCSM R77/R80/ELITE
0 Kudos
JJezek
Participant

Hi Chris,

The natu configuration is the default. A hidden nat that masks the office to one WAN. That can be ten problems. I need to mask part of the traffic from the office LAN behind an IP from the range 198.19.133.80/29, i.e. for IP LAN4 198.19.133.82 ? This is what the Tmobile technician told me and the second thing is to set the route. 10.240.0.0/12 next hop 198.19.133.81.

 

BR Jaroslav

0 Kudos
JJezek
Participant

applance is box 1550

Version:R81.10.08
0 Kudos
the_rock
Legend
Legend

Did you do any captures/debugs to see whats happening with the traffic?

Andy

0 Kudos
JJezek
Participant

HI Andy,

 

I only have one log where I try to ping IP 10.250.142.198 to the CMS subnet for testing. I would need the office LAN 10.0.0./24 in this case the IP from the server 10.0.0.250 to be masked behind the IP from the range 198.19.133.80/29. This is enforced by CMS as a condition.

0 Kudos
JJezek
Participant

LOG:

 

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on LAN4, link-type EN10MB (Ethernet), capture size 262144 bytes
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
IP 10.0.0.251 > 10.250.142.198: ICMP echo request, id 1, seq 20916, length 40
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
IP 10.0.0.251 > 10.250.142.198: ICMP echo request, id 1, seq 20917, length 40
ARP, Request who-has 198.19.133.81 tell 198.19.133.82, length 28
ARP, Reply 198.19.133.81 is-at e4:77:27:1b:ec:7c, length 46
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
IP 10.0.0.251 > 10.250.142.198: ICMP echo request, id 1, seq 20918, length 40
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
IP 10.0.0.251 > 10.250.142.198: ICMP echo request, id 1, seq 20919, length 40
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
IP 10.0.0.251 > 10.250.142.198: ICMP echo request, id 1, seq 20920, length 40
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43
STP 802.1w, Rapid STP, Flags [Learn, Forward, Agreement], bridge-id 8000.e4:77:27:1b:ec:7c.8001, length 43

0 Kudos
JJezek
Participant

SOLVED by source NAT

the_rock
Legend
Legend

Good job!

Best,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events