
Re: [SAGE] jsdy networking puzzlement



On Mon, 28 Nov 2005, Joseph S D Yao wrote:

> Apologies to anyone for multiple postings.
>
> I know enough about networking to route myself out of a paper bag, given
> network routers and switches of various varieties.  But this one puzzles
> me quite a bit.  I figured I'd ask the area's premiere group of puzzle
> solvers.
>
> I have a local network connected to a private internet as shown below.
> I wanted to put a monitoring workstation in as shown.  Please don't yell
> at me about the Cisco configuration, I am powerless to do anything about
> it.
>
> 	internet
> 	   |
> 	Cisco 36xx router
> 	   |
> 	   | X.X.15.1
> 	Cisco 295x network switch 1 (.5)
> 	   | X.X.15.7		|
> 	(3DNS?)			|
> 	name server		|
> 				|
> 				|
> 	Cisco 295x network switch 2 (.6)
> 	 |	|		|
> 	 | .3	| .4		| X.X.15.14
> 	Pix525 Pix525	    workstation
> 	 |	|
> 	 |      |
> 	local network - several /24's, including X.X.15.0/24
> 	     |
> 	DNS servers etc.
>
> Workstation IP = X.X.15.14, netmask = 255.255.255.240,
> default gateway = X.X.15.1
>
You've puzzled me right off the bat. Above you have one statement
saying the local network is several /24s, including X.X.15.0/24,
and in the second you have a workstation with a netmask of
255.255.255.240, which is a /28 and may not be able to get to 15/16
of the hosts in that same 15.0/24.

What is the subnet mask of the Cisco 36xx interface?
What is the subnet mask of .3?

> I loaded Linux (RHEL4) onto the workstation, figuring that would give me
> the best variety of tools with which to keep an eye on the network and
> debug any problems.  BUT I found my network connectivity using multiple
> services to be very limited:
> 	(a) I can only 'ping' .3 or .14 on X.X.15.0/28

What other machines are in that broadcast range? Do they see the pings?
Does .1 have an access list?

> 	(b) I can 'traceroute -I' and connect into the local network.
> 	    The 'traceroute -I' shows the host being contacted, twice
> 	    (PIX signature).  No other hops, e.g. ".1"!
> 	(c) Despite not getting any responses from .1, as far as I can
> 	    tell, it IS in my arp table per 'arp -a'.

Smells like an access list.

> 	(d) I can't get out into the private internet, using 'ping',
> 	    'traceroute -I', or other network services.
>
> I should mention that all 'traceroute's are 'traceroute -I' to use ICMP,
> since UDP-based 'traceroute's are blocked to begin with.
>
*really* smells like an access list (on the router) or pix firewall issue.

> Iptables is off.  First thing I turned off.  No IP rule-based routing.
> No routes other than self and to X.X.15.1.  I are stumped.
>
> I found a block in the 36xx [printed-out configuration file] and had it
> removed.  I can't find any other IP rules blocking me in the switches or
> router.
>
Did you re-check the live configuration?

> Here is the kicker, because this is just what the networking guy told me
> would happen.  I put an MS Windows machine on the network, configured
> with the same IP/netmask/gateway.  AND IT WORKED.  A 'tracert' in
> shows me X.X.15.1 before the PIX signature.  A 'tracert' out works.
> I can 'ping' X.X.15.1 [but didn't want to write a CMD script to test the
> rest].  I can get to both internal and external networks.
>
OK, now it smells less like an access list.

> Obviously, the Cisco configuration is working better with the MS Windows
> box than with the Linux box.  [Did I mention I loaded RH8 just to check
> for any gotchas in newer code?]
>
> Has anybody run into anything like this, and be able to tell me why?
>
> Thanks!
>
> Note: I ran the MS Windows test at the end of last work week, pointing
> me back at the Linux machine and whatever differences Linux IP has from
> MSW IP, and I haven't gotten back to looking more intensively at the
> Linux machine yet this week.
>
> Note: I have now also tried the Linux machine with the directly-
> connected name server and the directly-connected PIXen disconnected, and
> have the same problems.
>
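The netmask mismatch raised in the reply (a /28 workstation on a segment whose other hosts use a /24) can be checked mechanically. The following is an added example, not code from anyone in this thread; it uses the constructed prefix 10.0.15.0/24 in place of X.X.15.0/24 and the host addresses from the diagram. It shows which destinations the workstation would ARP for directly versus hand to the .1 gateway, how much of the /24 is off-link from the workstation's point of view, and whether a peer on the /24 would see the path symmetrically.

```python
import ipaddress

# Constructed stand-in for the thread's X.X.15.0/24 (prefix is hypothetical).
NET_24 = ipaddress.ip_network("10.0.15.0/24")
GATEWAY = "10.0.15.1"


def on_link(host_ip: str, mask: str, dest_ip: str) -> bool:
    """True if host_ip, configured with the given mask, treats dest_ip as on-link
    (i.e. it will ARP for it directly instead of sending it to the gateway)."""
    iface = ipaddress.ip_interface(f"{host_ip}/{mask}")
    return ipaddress.ip_address(dest_ip) in iface.network


def next_hop(host_ip: str, mask: str, dests: list[str], gateway: str) -> dict[str, str]:
    """Map each destination to 'direct' or 'via <gateway>' as the host would route it."""
    return {d: ("direct" if on_link(host_ip, mask, d) else f"via {gateway}") for d in dests}


def off_link_count(host_ip: str, mask: str, net: ipaddress.IPv4Network) -> tuple[int, int]:
    """(addresses of net that are off-link for this host, total addresses in net)."""
    iface = ipaddress.ip_interface(f"{host_ip}/{mask}")
    off = sum(1 for a in net if a not in iface.network)
    return off, net.num_addresses


def symmetric(a_ip: str, a_mask: str, b_ip: str, b_mask: str) -> bool:
    """True only if A thinks B is on-link AND B thinks A is on-link.
    A False result means one side ARPs directly while the other replies via the
    gateway, which is the asymmetric situation the mask mismatch produces."""
    return on_link(a_ip, a_mask, b_ip) and on_link(b_ip, b_mask, a_ip)


if __name__ == "__main__":
    ws, ws_mask = "10.0.15.14", "255.255.255.240"   # workstation as configured
    print(next_hop(ws, ws_mask, ["10.0.15.3", "10.0.15.4", "10.0.15.20", "10.0.15.200"], GATEWAY))
    off, total = off_link_count(ws, ws_mask, NET_24)
    print(f"{off}/{total} of the /24 is off-link for the /28 workstation")
    # A host at .20 with a /24 mask sees .14 as on-link; .14 does not see .20 that way.
    print("symmetric with a /24 peer at .20:", symmetric(ws, ws_mask, "10.0.15.20", "255.255.255.0"))
```

The first print shows that from the workstation only .1 through .14 are reachable without the gateway, so anything else in the /24 depends on .1 forwarding (and on .1 having a route back). The off-link count works out to 240 of 256, the 15/16 quoted in the reply; the symmetry check is what to compare against the mask on the .3 PIX interface and the 36xx interface that the reply asks about.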