Page 2 of 2 First 12
  • Jump to page:
    #16
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Posts
    289
    Rep Power
    44
    When using a DNS as a Domain Controller, the Domain Controller also acts as the DHCP server. When the DHCP server assigns the IP address, it should be automatically registered with the DNS server and manual updating is not necessary. If however, you are using fixed IP addressing (which I prefer), then the DNS must be manually updated.

    If the 2 networks that you speak of are physically separated (each network has it's own gateway), then routing must be provided for between the 2 networks since they are both private networks and the default routing will be to the public network. If the routings are not persistent, they will time out from non-use. This might explain why it worked for a while, and then stopped.

    J.A. Coutts
  2. #17
  3. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Posts
    289
    Rep Power
    44
    This explanation is going to get technical, so please bear with me.

    All communication on the local network is via MAC address. In other words, an IP packet is embedded inside an Ethernet packet that uses the MAC address. Finding the IP address is only the first step. The sending computer must then find out what MAC address is assigned to that IP address. How it normally does this is through the ARP table and network broadcasts. Each subnet is defined by the Netmask. For example, the subnet 10.1.x.x/16 might use a netmask of 255.255.0.0. So the broadcast address would be 10.1.255.255. If you go to the command prompt and enter the command "arp -a", it will list the current contents of the ARP table. One of those entires will be Static with a MAC address of ff-ff-ff-ff-ff-ff. This is the broadcast address, and all Ethernet cards on the subnet would listen on this address. When one computer tries to send a packet to another computer, it first of all applies the Netmask to the destination IP and compares that to it's own IP address. If the result is not zero, the destination is not on the same network and the packet is sent to the gateway. If the result is zero, and there is no entry in it's ARP table (timed out), it will send out an ARP broadcast request. The computer with the corresponding IP address will respond with it's MAC address, and the table will be updated. What is not shown in the Microsoft ARP command is the timeout value. When the timeout expires because of non-use, it will be dropped from the table. So the table only shows the active addresses, plus the static ones.

    These requests don't normally go through the gateway router, unless it has been setup to do so. This is the responsibility of the RIP protocol. If the router has been setup properly, you should actually see 2 sets of ARP tables using the ARP command, one for each network.

    To allow proper communication between the 2 subnets, I believe that the route table will be properly updated by the RIP protocol (but not 100% sure). But you can check that by using the "route print" command. It will contain something along the lines of:
    Network Destination Netmask Gateway Interface Metric
    10.2.0.0 255.255.0.0 10.1.0.1 10.1.0.2 276
    Since you are using XP machines, it won't be complicated by IPv6 routings.

    Hope this helps. Communication between 2 different subnets is never straight forward.

    J.A. Coutts

    Comments on this post

    • Nilpo agrees : Nice explanation. Thanks for taking the time to provide such detail.
  4. #18
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2013
    Posts
    13
    Rep Power
    0
    Thanks for all the info. I did a route print from both networks and neither have persistent routes. And neither shows the other network. Each network does have a different gateway. One is a Cisco 2950 switch and I just read they cant be configured to have a static route assigned. But pinging (except by name only from one of the networks) and telneting across both subnets seems to be fine so my guess is that its not a routing issue but something else. There may be an access list somewhere that was set up I dont know about. But I guess that wouldnt explain why it worked briefly yesterday. I'll keep looking. Thanks again
  6. #19
  7. No Profile Picture
    Contributing User
    Devshed Regular (2000 - 2499 posts)

    Join Date
    May 2004
    Location
    surfing the interwebz
    Posts
    2,410
    Rep Power
    2005
    1. Can you verify the DNS server is listed in the Name Server section for your forward lookup and reverse lookup zone.
    2. Also, verify the server is listening on the proper IP address. If you run netstat -a it will show you all the ports it's listening on.
    3. DNS uses UDP port 53 so you should see it listening on port 53. Make sure the firewall is allowing port 53 traffic through (both the software firewall and the firewall on the ASA). Guessing the software firewall is working though since DNS seems fine on the 10.2.x.x network.
    4. Lastly, if all else fails, and I'm not sure on this one, you might have to create a NAT rule that forwards DNS traffic to your DNS server since it's on a different subnet. Such as:
    Code:
    config)# static (inside,outside) <ip address of 10.1.x.x ASA port> <inside ip address of 10.1.x.x DNS server> netmask 255.255.255.255 dns
    Last edited by seack79; January 3rd, 2013 at 06:43 PM.
  8. #20
  9. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Posts
    289
    Rep Power
    44
    A switch only physically connects various Ethernet devices. It is not a router. I assumed because you were using private addresses that each subnet was behind a different NAT router. This sounds like a bad assumption. Just because the 2 networks are connected to 2 different switches does not mean that the 2 switches aren't piggy backed together. If you could give us the IP address, Netmask address, and gateway address from a machine on each network, we would be able to tell.

    J.A. Coutts
  10. #21
  11. No Profile Picture
    Contributing User
    Devshed Regular (2000 - 2499 posts)

    Join Date
    May 2004
    Location
    surfing the interwebz
    Posts
    2,410
    Rep Power
    2005
    Good call Coutts,

    I'm assuming the switches are both going to different ports on the ASA; and the ASA is handling routing and NAT.
  12. #22
  13. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2013
    Posts
    13
    Rep Power
    0
    Sorry guys I have been pretty sick. Servers on the 10.1 network plug into a 3750 Catalyst switch. XP clients on the 10.2 plug into a 2950 Catalyst and that plugs directly into the 3750 switch. The 3750 is plugged directly into the ASA. The ASA does the NAT and routing like you said.

    one network is 10.1.1.x with 255.255.255.0 and gateway of 10.1.1.1

    other network is 10.2.1.x with same gateway and subnet.

    thanks
  14. #23
  15. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2011
    Posts
    289
    Rep Power
    44
    Originally Posted by nfv111
    Sorry guys I have been pretty sick. Servers on the 10.1 network plug into a 3750 Catalyst switch. XP clients on the 10.2 plug into a 2950 Catalyst and that plugs directly into the 3750 switch. The 3750 is plugged directly into the ASA. The ASA does the NAT and routing like you said.

    one network is 10.1.1.x with 255.255.255.0 and gateway of 10.1.1.1

    other network is 10.2.1.x with same gateway and subnet.

    thanks
    The netmask basically defines each network as consisting of 254 potential addresses. The first address (10.1.1.0/10.2.1.0) defines the network, although some routers are capable of utilizing it as a member of the subnet. The broadcast address on the 10.1 network would be 10.1.1.256, and on the 10.2 network it would be 10.2.1.256. They would not be able to talk to each other unless the ASA unit is setup to allow for it. According to the Cisco web site, the ASA unit is not really a router, and that is about as far as my knowledge can take me. I believe the answer to your original question lies within the ASA unit.

    J.A. Coutts

    Edit: No one picked up on my mistake. You can't have a number bigger than 255 with 8 bits. The broadcast addresses should be 10.1.1.255 & 10.2.1.255.
    Last edited by couttsj; January 7th, 2013 at 06:44 PM.
  16. #24
  17. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2013
    Posts
    13
    Rep Power
    0
    oops my bad,

    the 10.2 has a subnet mask of 255.255.255.0 but gateway is 10.2.1.1
  18. #25
  19. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2013
    Posts
    13
    Rep Power
    0
    OK thanks for all the help. I will keep plugging away at at.

    Much appreciated.
  20. #26
  21. No Profile Picture
    Contributing User
    Devshed Regular (2000 - 2499 posts)

    Join Date
    May 2004
    Location
    surfing the interwebz
    Posts
    2,410
    Rep Power
    2005
    The 2950 and 3750 should both plug into the ASA directly I believe. The 3750 can't do NAT, though it is a layer 3 switch. This may be your problem.
  22. #27
  23. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2013
    Posts
    13
    Rep Power
    0
    the 2950 definitely does not plug into the ASA. This was all setup by someone else. It looks like their is a VLAN thing going on. Why it was done this way I do not know.
Page 2 of 2 First 12
  • Jump to page:

IMN logo majestic logo threadwatch logo seochat tools logo