
Routing


For how to set up multiple routers, visit this page: http://www.howtonetworking.com/Networking/multiplerouters1.htm.

Network Routing Analysis

In our lab, we have a small network connecting to our main network through a 3COM wireless router, and the main network has another Cisco router connecting to the Internet. The computers in the lab can ping main network computers and the Internet, but computers in the main network can't ping the lab computers. Here are the settings:

Lab IP: 192.168.2.0, mask 255.255.255.0, GW (default gateway) 192.168.2.1, which is the 3COM router. The 3COM router then connects to the main network as 10.0.0.100. The main network is 10.0.0.0 with mask 255.255.0.0, and its Cisco router GW is 10.0.0.2.

Analysis 1: Before changing the route table, any computer in 192.168.2.0 can access the resources on the 10.0.0.0 network and the Internet, because all traffic goes to the 192.168.2.1 GW, on to the 10.0.0.0 network, and then through the 10.0.0.2 GW to the Internet. However, computers on network 10.0.0.0 can't access the 192.168.2.0 network because all their traffic goes to the 10.0.0.2 GW.

Resolutions: all 10.0.0.X clients need to know how to get back to the 192.168.2.0 network.  This can be accomplished in several ways:

1) Add a route on each client pointing to 10.0.0.100 by using route add 192.168.2.0 mask 255.255.255.0 10.0.0.100. Here is the route table after adding the route.

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 01 03 28 89 cf ...... 3Com EtherLink PCI
0x1000004 ...00 90 27 55 44 07 ...... Intel(R) PRO Adapter
===========================================================================

===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface    Metric
           0.0.0.0          0.0.0.0         10.0.0.2       10.0.0.11   1
          10.0.0.0      255.255.0.0        10.0.0.11       10.0.0.11   1
         10.0.0.11  255.255.255.255        127.0.0.1       127.0.0.1   1
         10.0.0.20  255.255.255.255        10.0.0.11       10.0.0.11   1
    10.255.255.255  255.255.255.255        10.0.0.11       10.0.0.11   1
         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
       192.168.2.0    255.255.255.0       10.0.0.100       10.0.0.11   1
         224.0.0.0        224.0.0.0        10.0.0.11       10.0.0.11   1
   255.255.255.255  255.255.255.255        10.0.0.11       10.0.0.11   1
 Default Gateway:        10.0.0.2
===========================================================================
Persistent Routes:
None

2) Add a route on the Cisco router pointing to the lab network: 192.168.2.0 mask 255.255.255.0 10.0.0.100. The client would then send the 192.168.2.x traffic to 10.0.0.2, which should forward the packet to 10.0.0.100 and send the client an ICMP Redirect to use 10.0.0.100 when talking to 192.168.2.x.

3) Rather than adding static routes, you could also configure the two routers to learn each other's routes dynamically via a routing protocol such as RIP or OSPF.

Analysis 2: After we tried one of the resolutions, we still couldn't ping 192.168.2.x. Tracert shows that any traffic to 192.168.2.0 stops at GW 10.0.0.100. So we know that the route table is correct but the 3COM router blocks the traffic. After calling 3COM tech support, we found that this is a one-way router.

Resolution: we must set up a VPN to establish the connection between the networks.

VPN Routing Analysis

B. VPN Client Routing

Before connecting to the VPN server, all traffic except traffic for the local 192.168.0.0 network goes through the default gateway 192.168.0.1.

Network Destination  Netmask          Gateway      Interface      Metric
0.0.0.0              0.0.0.0          192.168.0.1  192.168.0.105  30
.............
Default Gateway: 192.168.0.1

After connecting to the VPN server with the Use default gateway on remote network setting enabled, all traffic except traffic for 192.168.0.0 goes to the default gateway 192.168.1.3 (the IP assigned by the VPN server). If subnet 192.168.1.x doesn't point to the Internet default gateway, the VPN client won't be able to access the Internet.

Network Destination  Netmask          Gateway      Interface      Metric
0.0.0.0              0.0.0.0          192.168.0.1  192.168.0.105  31
0.0.0.0              0.0.0.0          192.168.1.3  192.168.1.3    1
67.203.43.194        255.255.255.255  192.168.0.1  192.168.0.105  30
............
192.168.1.3          255.255.255.255  127.0.0.1    127.0.0.1      50
192.168.1.255        255.255.255.255  192.168.1.3  192.168.1.3    50
..............
Default Gateway: 192.168.1.3

The VPN client may be able to access the Internet if you uncheck Use default gateway in remote network. However, if your remote network resources are located in another subnet like 10.x.x.x, you may not be able to access the resources because the traffic goes to Default Gateway 192.168.0.1.

Network Destination  Netmask          Gateway      Interface      Metric
0.0.0.0              0.0.0.0          192.168.0.1  192.168.0.105  30
67.203.43.194        255.255.255.255  192.168.0.1  192.168.0.105  30
.................
192.168.1.0          255.255.255.0    192.168.1.3  192.168.1.3    1
192.168.1.3          255.255.255.255  127.0.0.1    127.0.0.1      50
..................
Default Gateway: 192.168.0.1

To solve this problem, you may add the 10.0.0.0 subnet to the route table so that you can access the 10.0.0.0 network. To do this, type this command on the client: route add 10.0.0.0 mask 255.255.0.0 192.168.1.3. The route table looks like the one below after adding the 10.0.0.0 subnet.

Network Destination  Netmask          Gateway      Interface      Metric
0.0.0.0              0.0.0.0          192.168.0.1  192.168.0.105  30
10.0.0.0             255.255.0.0      192.168.1.3  192.168.1.3    1
67.203.43.194        255.255.255.255  192.168.0.1  192.168.0.105  30
.................
192.168.1.0          255.255.255.0    192.168.1.3  192.168.1.3    1
192.168.1.3          255.255.255.255  127.0.0.1    127.0.0.1      50
..................
Default Gateway: 192.168.0.1

Alternatively, to be able to access the Internet and also the 10.0.0.0 subnet, you may need to modify the route table manually. You may use the following commands, in this order: route delete 0.0.0.0, then route add 10.0.0.0 mask 255.255.0.0 192.168.1.3, then route add 0.0.0.0 mask 0.0.0.0 192.168.0.1. After the modification, the VPN client should have this route table, and the client will be able to access the remote network, the local network and the Internet:

Network Destination  Netmask          Gateway      Interface      Metric
0.0.0.0              0.0.0.0          192.168.0.1  192.168.0.105  1
10.0.0.0             255.255.0.0      192.168.1.3  192.168.1.3    1
67.203.43.194        255.255.255.255  192.168.0.1  192.168.0.105  30
.................
Default Gateway: 192.168.0.1
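
The route selection behind both analyses above (the main-network client that needs a return route to 192.168.2.0, and the VPN client with and without Use default gateway on remote network), as an added example that is not part of the original page: a longest-prefix-match lookup with the lowest metric as tie-breaker, run over rows copied from the page's route tables. The function names and the test destinations 192.168.2.50, 10.0.5.5 and 203.0.113.10 are assumptions made for the illustration.

```python
import ipaddress

# Constructed samples: rows copied from the route tables on this page.
LAN_BEFORE = """
0.0.0.0   0.0.0.0      10.0.0.2   10.0.0.11  1
10.0.0.0  255.255.0.0  10.0.0.11  10.0.0.11  1
"""
LAN_AFTER = LAN_BEFORE + "192.168.2.0 255.255.255.0 10.0.0.100 10.0.0.11 1\n"
VPN_FULL = """
0.0.0.0        0.0.0.0          192.168.0.1  192.168.0.105  31
0.0.0.0        0.0.0.0          192.168.1.3  192.168.1.3    1
67.203.43.194  255.255.255.255  192.168.0.1  192.168.0.105  30
"""
VPN_SPLIT = """
0.0.0.0        0.0.0.0          192.168.0.1  192.168.0.105  1
10.0.0.0       255.255.0.0      192.168.1.3  192.168.1.3    1
67.203.43.194  255.255.255.255  192.168.0.1  192.168.0.105  30
"""

def parse_routes(text):
    """Parse rows of: destination, netmask, gateway, interface, metric."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, separator or blank line
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
            routes.append((net, parts[2], parts[3], int(parts[4])))
        except ValueError:
            continue  # malformed row, or destination has host bits set for its mask
    return routes

def next_hop(routes, dest):
    """Gateway for dest: longest prefix wins, then the lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))[1]

def default_gateways(routes):
    """(metric, gateway) of every 0.0.0.0/0 route, preferred one first."""
    return sorted((m, gw) for net, gw, _, m in routes if net.prefixlen == 0)

if __name__ == "__main__":
    for name, text in (("LAN before", LAN_BEFORE), ("VPN split", VPN_SPLIT)):
        for dest in ("192.168.2.50", "10.0.5.5", "203.0.113.10"):
            print(f"{name:10} {dest:13} -> {next_hop(parse_routes(text), dest)}")
```

With the split-tunnel table, 203.0.113.10 resolves to the local gateway 192.168.0.1, so Internet traffic leaves outside the tunnel while 10.0.x.x traffic goes through 192.168.1.3.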

 

Don't add default gateway across disjoining networks

Multihomed with two gateways may cause a connectivity problem

It is not recommended that you add default gateways across disjoint networks, such as on proxy servers and multihomed computers that are typically configured to connect two or more subnets: one public Internet and one or more private intranets. In this situation, you should not assign default gateways on the private interfaces, as doing so may result in improper routing on your network.

Case 1: the multihomed computer can't access the Internet.

Case 2: The remote computer can't establish a VPN connection or Remote Desktop Connection to the multihomed computer because there is no return route or the traffic can't return.

Is it possible both sites of the VPN using the same IP range

Theoretically, you should not set up both sites to use the same IP range. However, if this is the case, what you may do is modify the routing table manually and accordingly. For the consultants, refer to case 121504RL.

Metric is the same for both the remote gateway and the local gateway

Symptom: Whenever I connect to the VPN server, my laptop's routing table shows that the Interface Metric is the same for both the remote gateway and the local gateway, and I can't access the remote network.

Resolution: if you unchecked the "use default gateway on remote network" option in the properties of the VPN connection and you set the Automatic Metric manually, you may have the same Metric. Check the "use default gateway on remote network" option and you should be able to access the remote network.

One router goes to the corporation email server and another one goes to the Internet

Symptoms: you have one router connecting to the corporation for email and Internet access. However, the corporate proxy server filters web sites and watches your access. Then you add another router for Internet access and want to use the corporate router for email only, but the traffic always goes to the corporate router.

Resolution: You need to modify the routing table. Make all traffic go to the Internet and point the email server to the corporation ip range.

For consultants, refer to the case 110104TC.

Route command and examples

PRINT   Prints a route. Example: route PRINT 157* (only prints routes matching 157*)
ADD     Adds a route. Example: route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2
DELETE  Deletes a route. Example: route DELETE 157.0.0.0
CHANGE  Modifies an existing route. Example: route CHANGE 157.0.0.0 MASK 255.0.0.0 157.55.80.5 METRIC 2 IF 2

Routing issue if the LAN and VPN are in different subnets

If your LAN is 10.0.0.0 and VPN is 192.168.1.0, you must enable the RRAS server as a LAN router as well as a remote access server.

Understanding Route Automatic Metric

The Automatic Metric feature is enabled by default in XP, and it can also be manually configured to assign a specific metric if the routing table contains multiple routes for the same destination. For example, if you have a computer with a 10 MB NIC and a 100 MB NIC, and the computer has a default gateway configured on both NICs, you may want to assign a higher metric to the slower NIC. This forces all of the traffic to use the faster NIC to access the Internet. The traffic will use the slower NIC only if the faster NIC is not available. Also refer to MS Q299540.

Routing order

If you have two NICs in the same subnet on one w2k/xp computer, you may wonder which NIC is being used as the primary NIC to access the Internet. In most cases, when adding a second NIC to a w2k/xp computer, the first one is the primary NIC. You may change the order by going to the Advanced menu of the Network Connection>Advanced Settings>Adapter and Bindings. If the settings don't work (by default, the faster NIC will be chosen as the primary NIC) or if you want to override the settings, you can assign the metric # manually by going to the Properties of the Network Connection>the Properties of the Network Connection>Advanced.

We have a PIX 515. what's the command to block outside people ping public ip?

To block outside people from pinging your public IP, do one of the following:
1) By default it should deny pings.
2) conduit permit icmp any any echo-reply, and icmp deny any echo outside.
3) access-list acl_outside deny icmp any OUTSIDE_IP_ADDR.
4) Add access-list acl_outside deny icmp any any.

 
 
 


  This web is provided "AS IS" with no warranties.
Copyright 2002-2017 ChicagoTech.net, All rights reserved. Unauthorized reproduction forbidden.