Thread: In a Big Bind, Need Help Bad - 2 Internal Subnets Won't Communicate

  1. #1
    Senior Member Wazz's Avatar
    Join Date
    Apr 2003
    Posts
    288

    In a Big Bind, Need Help Bad - 2 Internal Subnets Won't Communicate

    Hey Gang,

    I am at my wits' end and in a hell of a bind right now...any help would be very, very, very appreciated at this point.

    The issue in a nutshell is that I have 2 internal subnets that will not communicate properly and the client needs to get to their systems behind the new subnet range.

    Access to the main LAN segment from outside is not a problem...I have them connecting via VPN to a Cisco ASA 5500 and they can access resources on the Internal 10.x.x.x network without fail.

    There is an existing Netgear Firewall/Router with a primary LAN IP Address of 192.168.1.250 and a Multi-Homed IP of 10.125.1.80. From the Netgear interface I can Ping all the systems behind it on the 192.168.1.0 subnet and I can also Ping all the systems from the Netgear to the 10.125.1.0 Network.

    The Netgear firewall connects to a Switch that is assigned 192.168.1.50 (the gateway of the internal PCs on the 192.168.1.0 subnet)....this is transparent at this point and not an issue.

    The problem is I cannot connect to the systems on 192.168.1.0 from any system on the 10.125.1.0 Network or even ping for that matter....the Cisco ASA sees the Netgear Firewall and is able to ping on both ranges as well. I can (obviously) get to the Netgear IP of 10.125.1.80 from the main LAN.

    I really, really, hope someone can provide some insight on this...I have tried quite a few solutions and I just cannot get it to go.....my window to get this done is just about closed and I need to figure something out by Monday.....I also cannot re-IP the systems on the 192 subnet as they tie in to production machines and need to stay as they are.

    Please, please, lend a hand gang......Thank you so very much, I would be more thankful than you know on this one.....

    Thanks,

    Wazz
    "It is a shame that stupidity is not painful" - Anton LaVey

  2. #2
    Disgruntled Postal Worker fourdc's Avatar
    Join Date
    Jul 2002
    Location
    Vermont, USA
    Posts
    797
    I have to think about this but I think the problem is in the fact that you have built 2 separate LANs with private IPs, and private IPs by nature don't forward.

    http://tools.ietf.org/html/rfc1918

    I'm not sure you can create an exception, anyone else want to weigh in? I'm interested in this solution myself
    ddddc

    "Somehow saying I told you so just doesn't cover it" Will Smith in I, Robot

  3. #3
    Senior Member Wazz's Avatar
    Join Date
    Apr 2003
    Posts
    288
    Thanks fourdc, reading the RFC now....I was thinking the same thing and thinking the only way this may work is through the Cisco ASA....I just don't want to blow the existing route if I add the 192 range as I'm an hour away from the physical location and working remotely now....argh! Thanks again, I have faith that one of us will come up with a solution..... :-)


    One other thing I should add is that the hosts on the 192.168.1.0 range do not need Internet access, as long as they can be accessed from the 10.x.x.x range, all will be well......
    Last edited by Wazz; January 7th, 2012 at 12:50 AM.
    "It is a shame that stupidity is not painful" - Anton LaVey

  4. #4
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    You need to be able to NAT it. The LANs can see each other but don't have a static route in place. I suspect you need to create that static route.

    EDIT: Why is the gateway of the internal PCs the switch and not the Netgear?
    Last edited by Cider; January 7th, 2012 at 01:06 AM.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  5. #5
    Senior Member Wazz's Avatar
    Join Date
    Apr 2003
    Posts
    288
    Hey Cider,

    I thought the NAT had to be disabled because the 192. devices have static IP Addresses? The gateway is the Switch because I do not have access to the devices on the 192.x.x.x range and from what I was told by the vendor, their Gateway is 192.168.1.50.....I had the switch in place with that IP Addy so that I could add the Netgear in case any Port Forwarding, etc. was needed.....do you think that may be the problem? Thanks....


    Also - Should I create a Static Route from the Cisco? I tried it on the Netgear and I get a command error when I try to mix Subnets.....Thx
    "It is a shame that stupidity is not painful" - Anton LaVey

  6. #6
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    I'm not sure what the deal is with the switch but I configured a network the other day.

    Internal_1 > 10.X.X.X
    internal_2 > 192.X.X.X

    Now the router in between these two networks, I had to create an SNAT rule as the 192 router wouldn't know how to send packets back to the 10 range. I'm not really a network fundi but that's what I can see
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  7. #7
    Senior Member Wazz's Avatar
    Join Date
    Apr 2003
    Posts
    288
    Your suggestion makes perfect sense......however, this Netgear is giving me command errors when I try to do the following:

    Add a Static Route with the following:

    Destination Address - 10.125.1.0
    Subnet Mask - 255.255.255.0
    Interface - Inside (the only active int)
    Gateway - 10.125.1.1 (Cisco ASA) But I have also tried 10.125.1.80 (Netgear Secondary) and the 192.168.1.250 (Netgear Primary)

    Do you think a Static Route from the Cisco ASA would do it? I tried a Static on it from 192.168.1.0 to a gateway of 192.168.1.250 and 10.125.1.80 with no luck.

    Argh! Very Frustrating......Thank you for your suggestions, let me know if my input gives you any additional thoughts.....Thanks Cider!
    "It is a shame that stupidity is not painful" - Anton LaVey
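    The forward/return path problem the thread is circling (ASA needs a route to 192.168.1.0/24 via the Netgear, but the 192 hosts point at a switch as their gateway, so replies die unless the Netgear source-NATs the 10.x traffic) can be checked in a small routing simulator. This is an added example, not configuration from the thread; the host addresses 10.125.1.10 and 192.168.1.20 are constructed, the ASA at 10.125.1.1 and the Netgear addresses come from the posts.

```python
import ipaddress as ipa

# Constructed model of the topology in the thread (added example). A node is
# (interface addresses, routing table); table entries are (prefix, next_hop),
# next_hop None = on-link. A table of None marks the switch: it never routes.
def build(asa_has_route):
    asa_routes = [("10.125.1.0/24", None)]
    if asa_has_route:  # the static route the ASA would need to reach the 192 range
        asa_routes.append(("192.168.1.0/24", "10.125.1.80"))
    return {
        "ASA":     (["10.125.1.1"], asa_routes),
        "Netgear": (["10.125.1.80", "192.168.1.250"],
                    [("10.125.1.0/24", None), ("192.168.1.0/24", None)]),
        "Switch":  (["192.168.1.50"], None),  # the 192 hosts' gateway, no routing
        "PC10":    (["10.125.1.10"], [("10.125.1.0/24", None), ("0.0.0.0/0", "10.125.1.1")]),
        "PC192":   (["192.168.1.20"], [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.50")]),
    }

def owner(net, ip):
    return next((n for n, (addrs, _) in net.items() if ip in addrs), None)

def trace(net, src, dst):
    """Node names a packet traverses from src to dst, or None if it is dropped."""
    node, path = owner(net, src), []
    for _ in range(8):  # TTL-style loop guard
        path.append(node)
        if dst in net[node][0]:
            return path
        routes = net[node][1]
        if routes is None:  # a switch has no routing table
            return None
        best = max((r for r in routes if ipa.ip_address(dst) in ipa.ip_network(r[0])),
                   key=lambda r: ipa.ip_network(r[0]).prefixlen, default=None)
        if best is None:
            return None
        node = owner(net, dst if best[1] is None else best[1])
        if node is None:
            return None
    return None

def round_trip(net, src, dst, snat_on_netgear=False):
    """Forward packet plus reply. SNAT: Netgear rewrites 10.x sources to 192.168.1.250."""
    fwd = trace(net, src, dst)
    if fwd is None:
        return False
    reply_to = "192.168.1.250" if snat_on_netgear and "Netgear" in fwd else src
    if trace(net, dst, reply_to) is None:
        return False
    # un-NAT on the Netgear: it forwards the reply on to the real 10.x source
    return reply_to == src or trace(net, "10.125.1.80", src) is not None
```

Running `round_trip(build(True), "10.125.1.10", "192.168.1.20")` with and without `snat_on_netgear=True` shows the forward path succeeding only once the ASA has the route, and the reply only arriving when the Netgear SNATs.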

  8. #8
    HYBR|D
    Guest
    Thread Moved from General Chit Chat to Network Sec Discussions.
