Network Routing

Network Routing Analysis
How to Configure Windows 2000 to Be a Router
How to display the routing table
How to enable IP routing on W2K Pro?
How to open Cisco PIX 515 firewall ports for inside VPN accessing outside VPN server
How to set up a W2K server as a router connecting two different networks
How to add a static entry to the PAT table on the Cisco 600
Route command and examples
We have a PIX 515. What's the command to block outside people from pinging our public IP?

Network Routing Analysis

In our lab we have a small network connecting to our main network through a 3COM wireless router, and the main network has a Cisco router connecting to the Internet. The computers in the lab can ping main-network computers and the Internet, but computers in the main network can't ping the lab computers. Here are the settings:

LAB IP: 192.168.2.0 mask 255.255.255.0, GW (default gateway): 192.168.2.1 on the 3COM router, which connects to the main network (10.0.0.0 mask 255.255.0.0) as 10.0.0.100, the GW for the lab network seen from the main-network side. The main network's Cisco router GW is 10.0.0.2.

Analysis 1: before changing the route table, any computer in 192.168.2.0 can access resources on the 10.0.0.0 network and the Internet, because all its traffic goes to the 192.168.2.1 GW, onto the 10.0.0.0 network, and then through the 10.0.0.2 GW to the Internet. However, computers on the 10.0.0.0 network can't reach the 192.168.2.0 network because all their traffic for it goes to the 10.0.0.2 GW, which does not know the way back.

Resolutions: all 10.0.0.x clients need to know how to get back to the 192.168.2.0 network. This can be accomplished in several ways:

1) Add a route on each client pointing to 10.0.0.100 with route add 192.168.2.0 mask 255.255.255.0 10.0.0.100. Here is the route table after adding the route.

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 01 03 28 89 cf ...... 3Com EtherLink PCI
0x1000004 ...00 90 27 55 44 07 ...... Intel(R) PRO Adapter
===========================================================================

===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface    Metric
           0.0.0.0          0.0.0.0         10.0.0.2       10.0.0.11   1
          10.0.0.0      255.255.0.0        10.0.0.11       10.0.0.11   1
         10.0.0.11  255.255.255.255        127.0.0.1       127.0.0.1   1
         10.0.0.20  255.255.255.255        10.0.0.11       10.0.0.11   1
    10.255.255.255  255.255.255.255        10.0.0.11       10.0.0.11   1
         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
       192.168.2.0    255.255.255.0       10.0.0.100       10.0.0.11   1
         224.0.0.0        224.0.0.0        10.0.0.11       10.0.0.11   1
   255.255.255.255  255.255.255.255        10.0.0.11       10.0.0.11   1
 Default Gateway:        10.0.0.2
===========================================================================
Persistent Routes:
None

2) Add a route on the Cisco pointing 192.168.2.0 mask 255.255.255.0 at 10.0.0.100. The client then sends its 192.168.2.x traffic to 10.0.0.2, which forwards the packet to 10.0.0.100 and sends the client an ICMP Redirect to use 10.0.0.100 when talking to 192.168.2.x.
3) Rather than adding static routes, you could also configure the two routers to learn each other's routes dynamically via a routing protocol such as RIP or OSPF.

Analysis 2: after we tried one of the resolutions, we still can't ping 192.168.2.x. A tracert shows that any traffic to 192.168.2.0 stops at the GW 10.0.0.100. So we know the route table is correct but the 3COM router blocks the traffic. After calling 3COM tech support, we found this is a one-way router.

Resolution: we must set up a VPN to establish the connection between the two networks.

How to Configure Windows 2000 to Be a Router

To set up Windows 2000 as a router for a LAN, you need two network adapters. To enable LAN routing, go to Administrative Tools > Routing and Remote Access > Action > Configure and Enable Routing and Remote Access, and then complete the wizard. Right-click the server for which you want to enable routing, click Properties > General > Router, check Local area network (LAN) routing only, and then click OK.


How to display the routing table

To display the routing table, use either 1) netstat -r or 2) route print.

How to enable IP routing on W2K Pro?

You can do that with regedit. Go to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters and set 'IPEnableRouter' to 1.

How to open Cisco PIX 515 firewall ports for inside VPN accessing outside VPN server

Symptom: when attempting to connect to a VPN server on the outside of the PIX, the client returns error 721, the remote computer failed to respond.

Resolution: to pass PPTP through a PIX, you must have a one-to-one mapping from the external IP to an internal IP that allows GRE (IP protocol 47) packets and TCP port 1723. For PPTP add: conduit permit gre host x.x.x.197 any and conduit permit tcp host x.x.x.197 eq 1723 any. For L2TP over IPsec: conduit permit esp host x.x.x.197 any, conduit permit udp host x.x.x.197 eq 1701 any, and conduit permit udp host x.x.x.197 eq 500 any.

How to set up a W2K server as a router connecting two different networks

Q: I have a W2K server at work with two NIC cards hooked to two different networks. I have turned on IP forwarding in the registry, but when I try to ping an address on the 2nd network the ping gets routed through the gateway for the 1st network. How can I fix this? Here is the route table.

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 02 55 1a 71 38 ...... Intel 8255x-based Integrated Fast Ethernet
0x3000004 ...00 02 2a f1 3e 6f ...... NDIS 5.0 driver
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.175.140.1  130.175.140.102       1
          0.0.0.0          0.0.0.0     10.219.217.1   10.219.217.252       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
    192.175.140.0    255.255.255.0  192.175.140.102  192.175.140.102       1
  192.175.140.102  255.255.255.255        127.0.0.1        127.0.0.1       1
  192.175.255.255  255.255.255.255  192.175.140.102  192.175.140.102       1
     10.219.217.0    255.255.255.0   10.219.217.252   10.219.217.252       1
   10.219.217.252  255.255.255.255        127.0.0.1        127.0.0.1       1
   10.219.255.255  255.255.255.255   10.219.217.252   10.219.217.252       1
        224.0.0.0        224.0.0.0  192.175.140.102  192.175.140.102       1
        224.0.0.0        224.0.0.0   10.219.217.252   10.219.217.252       1
  255.255.255.255  255.255.255.255  192.175.140.102  192.175.140.102       1
Default Gateway:     192.175.140.1
===========================================================================
Persistent Routes:
None

A: Assuming you don't have a router connecting to the Internet, you should delete the following lines:
Network Destination        Netmask          Gateway       Interface  Metric
 0.0.0.0          0.0.0.0    130.175.140.1  130.175.140.102   1
 0.0.0.0          0.0.0.0    143.219.217.1  143.219.217.252   1
Default Gateway:     130.175.140.1

In other words, you should not have multiple default gateways (0.0.0.0) in the same network, and don't assign gateway IPs on both NICs.
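As an added example (not part of the original page), here is a small Python model of the Windows route lookup, longest matching prefix first, then lowest metric, then table order, run over the Analysis 1 table above and over this two-NIC server's table. The address 10.219.200.5 is a constructed stand-in for a host on the second network that lies beyond the directly connected subnet.

```python
import ipaddress

# Route rows trimmed from the two "route print" outputs on this page.
# Tuples are (destination, netmask, gateway, interface, metric).
LAB_ROUTES = [  # Analysis 1, after "route add 192.168.2.0 ..." on a 10.0.0.11 host
    ("0.0.0.0",     "0.0.0.0",       "10.0.0.2",   "10.0.0.11", 1),
    ("10.0.0.0",    "255.255.0.0",   "10.0.0.11",  "10.0.0.11", 1),
    ("127.0.0.0",   "255.0.0.0",     "127.0.0.1",  "127.0.0.1", 1),
    ("192.168.2.0", "255.255.255.0", "10.0.0.100", "10.0.0.11", 1),
]
TWO_NIC_ROUTES = [  # the two-NIC W2K server, with its two 0.0.0.0 default routes
    ("0.0.0.0",       "0.0.0.0",       "192.175.140.1",   "192.175.140.102", 1),
    ("0.0.0.0",       "0.0.0.0",       "10.219.217.1",    "10.219.217.252",  1),
    ("192.175.140.0", "255.255.255.0", "192.175.140.102", "192.175.140.102", 1),
    ("10.219.217.0",  "255.255.255.0", "10.219.217.252",  "10.219.217.252",  1),
]


def lookup(routes, dst):
    """Return (gateway, interface) chosen for dst, or None if no route matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for order, (net, mask, gw, iface, metric) in enumerate(routes):
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if dst in network:
            # Smaller key wins: longer prefix, then lower metric, then earlier row.
            key = (-network.prefixlen, metric, order)
            if best is None or key < best[0]:
                best = (key, gw, iface)
    return None if best is None else (best[1], best[2])


def lab_before_and_after():
    """Analysis 1: next hop for 192.168.2.5 before and after the static route."""
    before = [r for r in LAB_ROUTES if r[0] != "192.168.2.0"]
    return lookup(before, "192.168.2.5"), lookup(LAB_ROUTES, "192.168.2.5")


def two_nic_beyond_second_subnet():
    """Two-NIC question: 10.219.200.5 (constructed; on the second network but
    outside the connected /24) matches only the two default routes, so the
    first default route, the first network's gateway, carries the ping."""
    return lookup(TWO_NIC_ROUTES, "10.219.200.5")


if __name__ == "__main__":
    print("lab before/after:", lab_before_and_after())
    print("two-NIC server:", two_nic_beyond_second_subnet())
```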

Route command and examples

PRINT  - prints routes; route PRINT 157* prints only the routes matching 157*
ADD    - adds a route; route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2
DELETE - deletes a route; route DELETE 157.0.0.0
CHANGE - modifies an existing route; route CHANGE 157.0.0.0 MASK 255.0.0.0 157.55.80.5 METRIC 2 IF 2

We have a PIX 515. What's the command to block outside people from pinging our public IP?

To block outside hosts from pinging your public IP, use one of the following: 1) by default the PIX should already deny pings; 2) conduit permit icmp any any echo-reply together with icmp deny any echo outside; 3) access-list acl_outside deny icmp any OUTSIDE_IP_ADDR; 4) access-list acl_outside deny icmp any any.

How to add a static entry to the PAT table on the Cisco 600

The full syntax of the set nat entry command, specifying source and destination addresses, port, and protocol, is: set nat entry add {inside address} {port} {outside PAT address} {port} {ip protocol}.

For IP protocols TCP, UDP, and ICMP, the keywords tcp, udp, and icmp are defined for the IP protocol tag. For example, the TCP port of 25 is specified as both the inside and outside port: set nat entry add 10.0.0.50 25 103.1.1.1 25 tcp.

For an IP protocol other than TCP, UDP, or ICMP, use the protocol number and set the port values to 0. For example, the Generic Routing Encapsulation (GRE) IP protocol (protocol number 47) is added to the table with: set nat entry add 10.0.0.50 0 103.1.1.1 0 47.

You can use a wildcard method in which only the inside IP address, port, and IP protocol are defined. Using this method, the default outside IP address is assumed as the outside NAT address. Also, the outside port and IP protocol are the same as the inside port and IP protocol defined.

This method is especially useful when the default outside IP address changes because the user runs PPPoA and obtains a new address from the service provider. For example, set nat entry add 10.0.0.2 25 200.1.1.1 25 tcp can be shortened to set nat entry add 10.0.0.2 25 tcp.

In Cisco Broadband Operating System (CBOS) versions 2.4(1) and later, you can use port ranges. The inside and outside ports do not have to be the same, but the two ranges must be consistent (the same size, as in the example below). For example:

set nat entry add {inside address} {port range} {outside NAT address} {port range} {protocol}

set nat entry add 10.0.0.2 10-20 200.1.1.1 30-40 tcp
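An added example, not Cisco's code: a Python checker that applies the set nat entry add argument rules described above (the wildcard form's defaults, port 0 for IP protocols other than TCP/UDP/ICMP, and equal-sized port ranges) and expands each command into a full static PAT entry. The router's default outside address is passed in as a parameter here, since on a real Cisco 600 the router supplies it.

```python
PROTO_KEYWORDS = {"tcp": 6, "udp": 17, "icmp": 1}  # keywords CBOS accepts


def parse_ports(text):
    """'25' -> (25, 25); '10-20' -> (10, 20). Port 0 is used for portless protocols."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), (int(hi) if hi else int(lo))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port specification {text!r}")
    return lo, hi


def parse_protocol(text):
    """tcp/udp/icmp keyword, or a raw IP protocol number such as 47 for GRE."""
    if text.lower() in PROTO_KEYWORDS:
        return PROTO_KEYWORDS[text.lower()]
    if text.isdigit() and 0 <= int(text) <= 255:
        return int(text)
    raise ValueError(f"unknown protocol {text!r}")


def normalize_entry(args, default_outside):
    """Expand the arguments of 'set nat entry add' into a full static PAT entry:
    (inside, inside_ports, outside, outside_ports, protocol_number).

    The 3-argument wildcard form uses the router's default outside address
    (passed in as default_outside) and repeats the inside port and protocol."""
    if len(args) == 3:
        inside, in_ports, proto = args
        outside, out_ports = default_outside, in_ports
    elif len(args) == 5:
        inside, in_ports, outside, out_ports, proto = args
    else:
        raise ValueError("expected {inside} {port} {proto} or "
                         "{inside} {port} {outside} {port} {proto}")
    lo_in, hi_in = parse_ports(in_ports)
    lo_out, hi_out = parse_ports(out_ports)
    # Ranges may differ, but the mapping is one-to-one, so they must be the same size.
    if hi_in - lo_in != hi_out - lo_out:
        raise ValueError("inside and outside port ranges must be the same size")
    protocol = parse_protocol(proto)
    # Protocols without ports (e.g. GRE, 47) must be entered with port 0 on both sides.
    if protocol not in PROTO_KEYWORDS.values() and (lo_in, hi_in, lo_out, hi_out) != (0, 0, 0, 0):
        raise ValueError("use port 0 for IP protocols other than TCP/UDP/ICMP")
    return inside, (lo_in, hi_in), outside, (lo_out, hi_out), protocol
```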

To remove an entry, issue the set nat entry delete command. The following options are available:

set nat entry delete all 

set nat entry delete {inside address} – match entries with same inside address

set nat entry delete {outside address} – match entries with same outside address

set nat entry delete {inside address} {port} {protocol} – match inside address, port, and protocol 

set nat entry delete {inside address} {port} {outside address} {port} {protocol} – match entire entry

Telnet

To allow Telnetting to a device behind the Cisco 600, add one of the following commands: set nat entry add {internal device address} 23 {outside NAT address} 23 tcp or set nat entry add {internal device address} 23 tcp.

PPTP

Point-to-Point Tunneling Protocol ( PPTP) uses TCP Port 1723 and IP Protocol 47 GRE.

Issue the set nat entry add command using the following syntax:

set nat entry add {internal device address} 0 {outside NAT address} 0 47 
set nat entry add {internal device address} 1723 {outside NAT address} 1723 tcp

L2TP/L2F

L2TP and L2F both use UDP port 1701.

To allow an L2TP or L2F session through PAT, use the set nat entry add command with the following values:

set nat entry add {internal device address} 1701 {outside NAT address} 1701 udp 

IPsec

There are many implementations of IP Security (IPsec) but not all of them can be used with PAT on the Cisco 600.

The following examples have been tested only with Cisco's VPN solution; success with other vendors' solutions is not guaranteed.

Some Cisco VPN clients can embed the IPsec packets into a UDP/TCP port that is specified on the client and server sides. In this scenario, a static PAT entry can be added that matches the ports used.

For example, if the VPN client and server are set to embed IPsec packets within UDP packets of port 8000, the following command would be added:

set nat entry add {inside client address} 8000 {outside PAT address} 8000 udp 


Still need help, contact consultant at http://hidev.com/contactus.asp for the tech support.
