Communication between Subnets

Tags: Cabling, Cisco, Hardware, Hubs, Networking, Routers, Switches
What is the best way to get nodes on different subnets to communicate? I need my public web server to talk to the rest of my network. I tried adding a route in my routing table but that did not seem to do the trick. I'll take any suggestions.
ASKED: August 15, 2005  9:25 AM
UPDATED: August 18, 2005  2:15 PM

Answer Wiki
DNS – DNS – DNS
Skipping past the questions about what type of server, what type of client, what browser, what web server which would have made a definitive answer easier.

When you 'browse' (try to make an internet connection) there are three interfaces involved: you to the computer, the computer to the network, and the network to the router/switch (potentially many routers). In reverse order: the network to/from router/switch only knows numbers (IP addresses); it takes packets from this port and passes them to another port based on address. To get the number we pass names to a 'Name Server' [Domain Name Service]. When you type a name in the browser it asks the computer 'Do you know where this is?'. If the answer is no then the computer asks the router/switch to pass the message to one of the DNS servers for an answer. You or DHCP saved the addresses of one or more DNS units when you set up networking. Try to ping the web server by name and see if the address is resolved. If not, then ping by IP address (numbers), and if that doesn't work you are being blocked by a firewall.

Discuss This Question: 10  Replies
  • Bobkberg
    The other item is whether or not the various subnets have IP connectivity. You haven't actually mentioned whether or not you have routers or L3 switches in place. Do you? What does your address scheme look like? Bob
  • TechInOk
    The Routing table is on a Cisco router. I added the info to DNS. I pinged by name, which it did resolve to the correct ip, and got back 3 of 4 packets. However, the 3 I got back gave me "TTL expired in transit." and the other timed out. When I get on the webserver and try to ping something in my network by name it cannot resolve it. Please keep in mind, I have taken over a network that was not set up by someone who understands how to network.
  • Bobkberg
    Ok, it's time for fun with traceroute, and using a sniffer. Are there any ACLs on the cisco router? Check the DNS server, Default Gateway, and any static routes on all equipment - starting with the web server. Also - the "ICMP Expired in Transit" which system generated that error and returned it to you? That would be helpful. Log into the cisco router and see if you can ping everywhere from there. Then dump its routing tables and look for anomalies. If you just inherited this network, I'd also suggest that you download a demo copy of the Solar Winds toolkit (from solarwinds.net) and map it from all possible vantage points. Let us know what you discover, Bob
  • Astronomer
    There are too many unknowns in your description. You said public web server. So this system is visible to the internet? Is the rest of your net visible to the internet? Are you doing network address translation for your internal net? Is there a firewall between the internal net and the web server? Is it a stateful firewall (internal clients can initiate connections to the outside but outside systems like a web server in a DMZ can't initiate connections to internal systems)? What is the default gateway for the web server? Does the router at this default gateway address know how to get to your internal net? All of these questions affect basic connectivity. This is reflected by pings to the actual IP, not the DNS name. Once you have worked out your connectivity by IP, then you can focus on resolving things by name. Is the DNS server for your internal net visible to the outside/web server? There are often very good reasons not to publish the internal DNS server to the outside. If there are specific internal systems you want to reach from the web server you may want to add them to the local hosts file on the web server. I have only scratched the surface here. With more information, the connectivity issue shouldn't be hard to track down. rt
  • TechInOk
    The web server is visible to the internet, the rest of the network is not. There is no firewall between the webserver and internal network. The webserver is connected to a 4-port netgear switch, which is connected to one of our internal switches. Pings by IP give the same results as ping by name. 4 sent, 3 received, 1 lost. The 3 received had "TTL expired in Transit" which was from the cisco router. The DNS servers that the webserver is pointing to are public. I thought I should try removing one of them and inserting my internal DNS but then thought that it wouldn't be able to reach it as it is not visible to the outside. When I remove the route that I added all packets were lost. So I added that route back. The webserver has an internal IP of 192.168.0.165 and the netgear switch has 192.168.0.1 which is the default gateway. The route I added was 192.168.0.0 255.255.255.0 216.60.149.10 to the interface that was connected to the DMZ. Any suggestions?? Ben
  • Bobkberg
    We're not supposed to use this forum to advertise or sell our stuff/services, but given the picture you've painted, you pretty clearly need a network expert on site. Try using Google to find one in your area. If your management balks at the expense, point out what this is costing them to NOT have the connectivity. One of my favorite subjects to rant about is "The cost of lost opportunity" since it's often overlooked until it's too late. Bob
  • Ghigbee
    Are your subnets on different VLANs on the Cisco switch or do they exist on the same one?
  • TechInOk
    They are all on the same VLAN.
  • Astronomer
    Ben: Let's start by focusing on connectivity and ignore DNS for now. Since you have a 192.168.x.y net, you must be doing address translation somewhere. Is translation happening in your cisco router, or some internet gateway device? Is 216.60.149.10 your outside address or is this the address of your ISP? Expired in transit means the packets were lost because of too many hops. You may have programmed a loop here. Since your internal web server is on the same net as the netgear "switch" (if it's just a switch how can it be the default gateway?), you should be able to ping it from the web server. I assume the cisco router is your central router for the internal net. How does it connect to this netgear switch? You should be able to ping each interface from the web server working your way link by link until you reach the internal clients. Find out where this chain breaks. You can also try it from the other direction.

    Now for some real suggestions: We will assume you have a small network with a single cisco router. If this is incorrect, let me know. You should firewall any public servers from your internal net. Since you have a cisco router you should be able to partition the nets with it even if you can't do a proper DMZ. Just put access lists on the router to limit how DMZ systems can talk to the rest of the internal net. Naturally, a proper firewall with DMZ is much better. If all internal nets sit on the cisco router, you don't need to add a route for internal systems to see each other. Make the cisco router the default gateway for clients on each subnet and all internal pings should work unless prevented by ACLs. I assume you have a default route on the cisco pointing to the ISP connection (is this what the netgear "switch" is providing? is it your firewall?), so all internal clients can reach the internet. The ISP gateway system needs to know how to reach all of the systems behind the cisco. You should have a route in its table for this. Remember this route points toward the cisco for the local net, not the ISP. If you have the subnets configured correctly, this should allow proper connectivity between all internal devices and allow access to the internet as well. The only special case here is the public server. Since you use private addresses internally, your internet gateway device is doing dynamic address translation for internal clients when they browse the internet. For your server to be visible, it needs a static IP translation. If this server sits on the subnet connecting the cisco router and the internet gateway, then it can use either router on that net as its default gateway, since both have route tables to reach anywhere. Does this approximate your current network? What are the differences? rt
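The loop diagnosis in the reply above ("TTL expired in transit" means the packet bounced between routers until its hop count ran out) can be checked offline against a set of route tables. This is an added example, not code from the thread: a small Python forwarding simulator over a constructed topology that reuses the thread's addresses (192.168.0.1 netgear gateway, 216.60.149.10 on the DMZ net, 172.17.0.0/16 internal net) plus an invented cisco address 216.60.149.1 and a deliberately wrong route, beside the corrected table.

```python
import ipaddress
# Constructed topology (an assumption, not the poster's real network): the
# web server 192.168.0.165 uses the netgear 192.168.0.1 as default gateway,
# the netgear's other side is 216.60.149.10 on the DMZ net, and the cisco
# sits at 216.60.149.1 owning 172.17.0.0/16. "connected" = deliver directly.
TABLES = {
    "netgear": [
        ("192.168.0.0/24", "connected"),
        ("216.60.149.0/24", "connected"),
        ("0.0.0.0/0", "216.60.149.1"),        # default route toward the cisco
    ],
    "cisco": [
        ("216.60.149.0/24", "connected"),
        ("192.168.0.0/24", "216.60.149.10"),  # the route the poster added
        ("172.17.0.0/16", "216.60.149.10"),   # MISCONFIGURED: points back out
    ],
}
OWNER = {"216.60.149.1": "cisco", "216.60.149.10": "netgear"}

def lookup(table, dst):
    """Longest-prefix match over one router's table; None if no route."""
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def trace(dst, first_hop, ttl=64, tables=TABLES, owner=OWNER):
    """Forward a packet router to router, decrementing TTL per hop. Returns
    (outcome, path): 'delivered', 'ttl expired at <r>' or 'no route at <r>'."""
    dst = ipaddress.ip_address(dst)
    router, path = first_hop, []
    while True:
        path.append(router)
        ttl -= 1
        if ttl == 0:
            return f"ttl expired at {router}", path
        next_hop = lookup(tables[router], dst)
        if next_hop is None:
            return f"no route at {router}", path
        if next_hop == "connected":
            return "delivered", path
        router = owner[next_hop]

def fixed_tables():
    # Same tables, with the cisco's internal net marked as directly connected.
    fixed = {r: list(t) for r, t in TABLES.items()}
    fixed["cisco"][2] = ("172.17.0.0/16", "connected")
    return fixed
```

With the bad table, a ping from the web server to 172.17.5.9 expires on the cisco after 64 hops, matching the thread's symptom; with the corrected table it is delivered in two hops.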
  • Astronomer
    Ben: This route table seems a little strange to me. Based on your information it looks like your connection to the internet uses s0/0. Why is it using subinterfaces? I don't see the configuration for the subinterfaces. Eth0/0 is on 216.60.149.0 and the VPN concentrator is on the same net. I don't see a netgear router IP for this net. Is the netgear on this net or is there an intervening router? It looks like the VPN concentrator is a router between the netgear and the cisco since 192.168.0.0 is reached thru 216.60.149.10. Also, 172.17.0.0 is reached thru the VPN concentrator. Are you sure this isn't a router? The line for 192.168.2.0/24 doesn't make sense unless there is a port on the cisco router connected to the 192.168.4.0 net with another router on that net at 192.168.4.2. The same is true of 192.168.3.0 thru 192.168.4.6. What do you mean by "the .214 is the router"? rt