
Re: [SAGE] jsdy networking puzzlement



On Mon, Nov 28, 2005 at 09:14:46AM -0600, Doug Hughes wrote:
...
> > 	internet
> > 	   |
> > 	Cisco 36xx router
> > 	   |
> > 	   | X.X.15.1
> > 	Cisco 295x network switch 1 (.5)
> > 	   | X.X.15.7		|
> > 	(3DNS?)			|
> > 	name server		|
> > 				|
> > 				|
> > 	Cisco 295x network switch 2 (.6)
> > 	 |	|		|
> > 	 | .3	| .4		| X.X.15.14
> > 	Pix525 Pix525	    workstation
> > 	 |	|
> > 	 |      |
> > 	local network - several /24's, including X.X.15.0/24
> > 	     |
> > 	DNS servers etc.
> >
> > Workstation IP = X.X.15.14, netmask = 255.255.255.240,
> > default gateway = X.X.15.1
> >
> you've puzzled me right off the bat. Above you have one statement
> saying local network is several /24s including x.x.15.0/24
> and in the second you have a workstation with a netmask of
> 255.255.255.240 which is a /28 and may not be able to get to 15/16
> of the hosts in that same 15.0/24.
> 
> What is the subnet mask of the cisco 36XX interface?
> what is subnet mask of .3?

The network between the PIXen is X.X.15.0/28, netmask 255.255.255.240,
for all devices [checked via sanitized printouts of the configs].  I
should have said, more clearly, that all of X.X.15.0/24 except
X.X.15.0/28 is inside the PIXen.  My apologies.

> > I loaded Linux (RHEL4) onto the workstation, figuring that would give me
> > the best variety of tools with which to keep an eye on the network and
> > debug any problems.  BUT I found my network connectivity using multiple
> > services to be very limited:
> > 	(a) I can only 'ping' .3 or .14 on X.X.15.0/28
> 
> what other machines are in that broadcast range? do they see the pings?
> Does .1 have an access list?

I have shown all devices.  I have no access to the other devices.  Yes,
.1 has access lists, but after the one fix I had the Cisco guy make, it
doesn't seem to exclude the workstation by IP address.

> > 	(b) I can 'traceroute -I' and connect into the local network.
> > 	    The 'traceroute -I' shows the host being contacted, twice
> > 	    (PIX signature).  No other hops, e.g. ".1"!
> > 	(c) Despite not getting any responses from .1, as far as I can
> > 	    tell, it IS in my arp table per 'arp -a'.
> smells like an access list.

tastes, feels, ... but doesn't look.

> > 	(d) I can't get out into the private internet, using 'ping',
> > 	    'traceroute -I', or other network services.
> >
> > I should mention that all 'traceroute's are 'traceroute -I' to use ICMP,
> > since UDP-based 'traceroute's are blocked to begin with.
> >
> *really* smells like an access list (on the router) or pix firewall issue.

I intend to go over the config thoroughly again later, to see what it
might be blocking that is not IP address but includes Linux.

There is no change in behavior when everything is removed except the
workstation, the router, and the switches, so I am not really thinking
that the PIXen are at fault.  Anything is possible, however.

> > Iptables is off.  First thing I turned off.  No IP rule-based routing.
> > No routes other than self and to X.X.15.1.  I are stumped.
> >
> > I found a block in the 36xx [printed-out configuration file] and had it
> > removed.  I can't find any other IP rules blocking me in the switches or
> > router.
> >
> Did you re-check the live configuration?

I have no access.  I have to trust what I get sent back.

> > Here is the kicker, because this is just what the networking guy told me
> > would happen.  I put an MS Windows machine on the network, configured
> > with the same IP/netmask/gateway.  AND IT WORKED.  A 'tracert' in
> > shows me X.X.15.1 before the PIX signature.  A 'tracert' out works.
> > I can 'ping' X.X.15.1 [but didn't want to write a CMD script to test the
> > rest].  I can get to both internal and external networks.

> ok, now smells less like an access list.

You are achieving the enlightened perplexicity ...  ;-)

-- 
/*********************************************************************\
**
** Joe Yao				jsdy@tux.org - Joseph S. D. Yao
**
\*********************************************************************/
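The subnet-mask discrepancy Doug raises above (a workstation with a /28 mask on what the poster describes as a /24, and his "15/16 of the hosts" figure) is easy to check numerically. The following Python is an added example for this thread, not code from either poster: it uses documentation addresses (192.0.2.0/24) in place of the sanitized X.X.15.x values, and the function names are my own. It works out which destinations the host will ARP for directly versus hand to the default gateway, confirms the gateway itself is on-link, and computes the share of the surrounding /24 that is off-link for a /28 host.

```python
import ipaddress

# Constructed stand-ins for the sanitized "X.X.15.x" addresses in the thread
# (192.0.2.0/24 is reserved documentation space).
WORKSTATION = "192.0.2.14"
NETMASK = "255.255.255.240"     # /28, as configured on the workstation
GATEWAY = "192.0.2.1"           # the 36xx router interface
LOCAL_PREFIX = "192.0.2.0/24"   # the /24 the poster expected to reach directly


def on_link_network(addr, netmask):
    """Directly connected network for an address/netmask pair."""
    return ipaddress.ip_interface(f"{addr}/{netmask}").network


def classify_destinations(addr, netmask, gateway, destinations):
    """Map each destination to 'on-link' (host ARPs for it directly) or
    'via-gateway' (host sends it to the default gateway's MAC).
    Raises ValueError if the gateway is not itself on-link, which is the
    classic mask/gateway mismatch that leaves a host unable to route at all."""
    net = on_link_network(addr, netmask)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not on-link for {net}")
    result = {}
    for dest in destinations:
        ip = ipaddress.ip_address(dest)
        result[dest] = "on-link" if ip in net else "via-gateway"
    return result


def fraction_off_link(addr, netmask, prefix):
    """Fraction of the addresses in `prefix` the host will NOT ARP for directly
    (and therefore can only reach through the gateway)."""
    net = on_link_network(addr, netmask)
    wider = ipaddress.ip_network(prefix)
    on_link = sum(1 for a in wider if a in net)
    return 1 - on_link / wider.num_addresses


if __name__ == "__main__":
    # Constructed sample destinations: the two PIX inside interfaces, the
    # switch, and a host deeper inside the /24.
    samples = ["192.0.2.3", "192.0.2.4", "192.0.2.5", "192.0.2.200"]
    print("on-link network:", on_link_network(WORKSTATION, NETMASK))
    for dest, how in classify_destinations(WORKSTATION, NETMASK, GATEWAY, samples).items():
        print(f"  {dest:<14} {how}")
    print("share of the /24 that is off-link:",
          fraction_off_link(WORKSTATION, NETMASK, LOCAL_PREFIX))
```

With the thread's values the gateway .1 does sit inside the /28, so the mask alone does not explain a dead link; what it does explain is that anything in the /24 beyond .15 is reached only through .1, which is exactly where an access list on the router would bite while an on-link ping to .3 still works.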