Host cannot ping another host in a different subnet

Question

Host cannot ping another host in a different subnet

Jakezxz1 40

Hello I have a private address space of 10.1.0.0/16

From this I have 2 Subnets:

WAN X1 - 10.1.0.0/24

LAN X0 - 10.1.1.0/24

I have 2 VMS

1 of the VMs [NSv270] has 2 NICs

WAN X1 Private: 10.1.0.4 Public 1.2.3.4

LAN X0 Private 10.1.1.4

The other VM [Host1] has 1 NIC

Host1NIC Private IP 10.1.1.5 Public 5.6.7.8

All VMs are in the same resource group, share the same NSG and are contained within the same vnet.

I have a route table and have associated both subnets to it.

I have no UDR's implemented

The NSG has an any any rule from my public IP address.

I cannot reach the public IP of the VM Host1

Host 1 and NSv270 can ping one another.

Inside of NSv270 I have very standard NAT and Access Rules.

I have tested adding a static route from source: Host1 [10.1.1.5] to 0.0.0.0/0 to X0 IP / X1 IP / Any

Nothing works.

I'm not sure why something so simple is posing such a challenge here, is anyone able to gleem the issue?

Thank you

Accepted answer

1 additional answer

Your answer

Answer 1

Jackson Martins 10,606 MVP Volunteer Moderator

Hi @Jakezxz1

You mentioned that you are unable to access the public IP of VM Host 1, correct? Is the public IP address 5.6.7.8?

Since you have configured a route to forward packets to your NSv, the VM's public IP will not be accessible. Instead, you should use the entry IP address 1.2.3.4 and perform a Network Address Translation (NAT) for Host 1.

Get in touch if you need more help with this issue.

--please don't forget to "[Accept the answer]" if the reply is helpful--

Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-05-05T17:02:18.7233333+00:00

If you configured the gateway of host 1 (10.1.1.5) as your NSv 10.1.1.4 all packets are forwarded to it.

the "router" that is your public ip 5.6.7.8 will no longer have a response from host 1, because the packet is being forwarded to Nsv
Jakezxz1 40 Reputation points

2023-05-05T17:34:30.0633333+00:00

Thanks @Jackson Martins - I query your response further if I may.

My NSv as you know, is a firewall appliance - So naturally it rutes, it switches it does it all.

What I would ask is whether this would be a NAT rule on the NSv directly (Which I already have) or a NAT on the NSG ?

When I ping the Ip of Host1 - The firewall never sees this traffic.

What I hope to achieve is:

Remote Site (Me) - > PING/RDP/SSH Host1 [5.6.7.8] -> NSv - > Host1

Is my understanding that your response will fulfil this?

Thanks!
Jakezxz1 40 Reputation points

2023-05-05T17:38:31+00:00

I added a NAT rule on the NSv

Source 5.6.7.8 -> Translated 10.1.1.5

Unfortunately no hits from ICMP
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-05-05T17:42:08.0733333+00:00

@Jakezxz1

In this presented way it will not work

Remote Site (Me) -> PING/RDP/SSH Host1 [5.6.7.8] -> NSv -> Host1

The flow should be:

Remote Site (Me) -> PING/RDP/SSH NSv [1.2.3.4] -> Host 1

Unless you want to customize what will be sent to the NSV and leave host 1 accessible from outside it.
In this case you will need to create a route from the origin of ip and forward to the NSV only that address.
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-05-05T17:44:13.4533333+00:00

the public ip 5.6.7.8 is not on your firewall (NSv), when you use the Azure route table, you only work with the VM's private ip, the public is on the Microsoft routers
Jakezxz1 40 Reputation points

2023-05-05T17:45:51.9733333+00:00

I will certainly test this thank you.

To further query, if I implemented this in this fashion, how would I access the NSv270 directly if all traffic forwarded to it's public IP is immediately NATTED to the IP of Host1?

I would like to be able to connect directly to both VM's - I apologise if my request is quite basic, I'm new to Azure but consequently this seems like a standard issue networking rule perhaps!
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-05-05T17:46:05.7233333+00:00

In this case the rule would be:

Source 1.2.3.4 -> Translated 10.1.1.5

The public ip 5.6.7.8 will not be able to route the entry to your firewall.
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-05-05T17:49:38.5466667+00:00

You don't need to forward all ports to that host, you can for example do it this way:

1.2.3.4 port 22 -> translated 10.1.1.5 on port 22

1.2.3.4 port 2222 -> translated 10.1.1.10 on port 22

There is no need to forward ICMP packets, so instead of doing "bridge" you just do NATs on the ports
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-05-05T17:51:17.2366667+00:00

@Jakezxz1

Please "[Accept the answer]" if the information helped you. This will help us and others in the community as well.
Jakezxz1 40 Reputation points

2023-05-05T18:30:50.72+00:00

Thank you Jackson for your support.

I thought I would share with you the config on the NSv:

As well as the config on the Azure Route table:

Unfortunately this doesn't work.

The other routes as described are 0.0.0.0/0 Next Hop Internet.
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-05-05T18:35:48.5533333+00:00

@Jakezxz1

On Azure route Table

You need to forward all traffic from host 01 to the firewall

Address Prefix

0.0.0.0/0

next hop type

VirtualAppliance

Next hop IP Address:

10.1.1.4
Jakezxz1 40 Reputation points

2023-05-05T18:38:06.59+00:00

And this is the route I had previously - It breaks everything and causes loops in my routing.

When I implemented this before hand, I could no longer reach the firewall on it's public IP and when I tested traffic from Host 1 to the internet, it would reach 10.1.1.4 and then Azure troubleshooting would report a UDR loop.
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-05-05T18:42:27.8166667+00:00

I will test it in the structure that I have and let you know, but only for test purposes

Compare your structure together with official sonicwall documentation

https://www.sonicwall.com/support/knowledge-base/how-do-i-route-all-traffic-to-sonicwall-nsv-using-the-same-address-space-same-vnet-and- same-subnet/191112224656416/
Jakezxz1 40 Reputation points

2023-05-05T18:42:54.14+00:00

My Route table is bound to both LAN and WAN

The public IP of the NSv is bound to the NIC WAN-X0

Traffic comes from my public to the public IP of the NSv and from here I'm trying to work out how to route this to the Host1 VM.

Confusing it seems!
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-05-05T18:56:13.04+00:00

@Jakezxz1

Is your structure not the same as the example below?

https://www.sonicwall.com/support/knowledge-base/how-do-i-route-all-traffic-to-sonicwall-nsv-using-the-same-address-space-same-vnet-and- same-subnet/191112224656416/
Jakezxz1 40 Reputation points

2023-05-05T18:58:25.4833333+00:00

This is exactly the guide I've followed - I set it up exactly as instructed.

Unfortunately for reasons I'm unsure of, mine is simply not working.
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-05-05T19:01:43.27+00:00

@jakezxz1
I'll test it in my environment and let you know in a few hours
Jakezxz1 40 Reputation points

2023-05-05T19:03:13.0866667+00:00

Thanks so much I look forward to it! Best of luck
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-05-05T19:22:12.7633333+00:00

@Jakezxz1

The structure is being provisioned, but looking at your inbound rule, did you do an ICMP forwarding?

Can you forward SSH port 2222 for testing? since SSH is used by the firewall itself

Firewall access rules -

Inbound - any any any (just for test)

Firewall nat policies-

Original destination (fw public ip 1.2.3.4)

translated Destination 10.1.1.5

Original Service = Port 2222

Translated Service = SSH

Test the incoming connection please
Jakezxz1 40 Reputation points

2023-05-05T19:33:48.3433333+00:00

Hi Jackson,

without appearing pedantic, when you refer to firewall rules, are you explicitly asking about the NSv which is a firewall, or the NSG Rules?

The NSG is already setup to allow everything through from my public IP

On the NSv:

Security rule (Access rule) Any/Any implemented

NAT Policy: As you have described (Reflexive)

Route Table on Azure:

For testing I added only the LAN Subnet to the table and applied the following test routes
Jakezxz1 40 Reputation points

2023-05-05T19:34:59.9533333+00:00

Also just to be clear, nothing is being seen on the firewall I have running a Ping from my laptop to the public IP of Host1 and I get no response or packets on the firewall.
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-05-05T19:38:18.4933333+00:00

@Jakezxz1

I'm talking about the firewall, the structure has already provisioned it, I'm activating the license on the firewall and I'll get back to you
Jakezxz1 40 Reputation points

2023-05-05T19:50:14.3033333+00:00

No worries. Something interesting I noticed is that in previous iterations of me trying to complete this POC, the Host1 would be seen on the topology page of the sonicwall, on this occasion this isn't the case.

IP forwarding is enabled on all interfaces.
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-05-05T20:20:51.5933333+00:00

Hi @Jakezxz1

In my structure it worked, below are the prints and information:

VNET = 10.4.0.0/16
WAN-X1= 10.4.0.0/24
LAN-X0= 10.4.1.0/24

NSV

NSV IP WAN = 20.226.124.215
NSV IP WAN Private = 10.4.0.4

HOST

Host IP LAN Private = 10.4.1.5

ROUTE TABLE

name = Default-NSV
Address prefix = 0.0.0.0/0
Next hop type = Virtual Appliance
Next hop IP Address = 10.4.1.4 (Private WAN IP NSv)

Subnet assossiated

LAN-X0
Address range = 10.4.1.0/24
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-05-05T20:23:51.8866667+00:00

SONICWALL
Jakezxz1 40 Reputation points

2023-05-05T20:43:07.59+00:00

Thank you so much for your dedicated support.

I think the difference I've seen between mine and yours is that my Host1 has a public IP that I am trying to reach.

Since this is the primary distance between our deployments, could this therefore be the issue?

I am trying to reach the public IP of Host1 behind the firewall from my public IP of the router. Perhaps this is the issue? Do you therefore recommend I disassociate the public IP ? If I do, I'm unsure of how I might reach this VM unless I add a NAT rule on the NSv that forwards RDP/SSH towards 10.1.1.5 from my public IP perhaps
Jackson Martins 10,606 Reputation points MVP Volunteer Moderator

2023-05-05T20:49:32.68+00:00

my host has a public ip, but the public ip associated with it is invalid after I do the routing with the table route. in this case you will need to use the firewall ip and the rules in it to access your host.
Jakezxz1 40 Reputation points

2023-05-05T21:03:32.2+00:00

Agreed, This is what has caused the issues seen and annoyingly if you look at the guide from sonicwall, the guides clearly show the host has a public, hence why I associated with it.

I think there is more work for me but for right now, I have removed the public IP and I am able to send packets towards the host with response.

Your support as been sublime and I couldnt thank you more for all that you've done so far.

My next goals will be to work out how to be able to SSH to the host as well as the firewall.

Have a great weekend, if you work on this further and wish to update me, please feel free to.

Answer 2

Hello @Jakezxz1

It seems like the issue may be related to the lack of a specific route for the public IP address of Host1. Even though the NSG has an any any rule from your public IP address, the VM Host1 needs a specific route to send traffic back to your public IP address.

You mentioned that you added a static route from Host1 to 0.0.0.0/0 to X0 IP / X1 IP / Any, but this may not be sufficient to route traffic to your public IP address.

You could try adding a specific route for your public IP address on NSv270, with the next hop being the private IP address of Host1. This should allow traffic from NSv270 to reach Host1 and back.

Additionally, you should ensure that the necessary firewall rules are in place on Host1 to allow traffic from NSv270 and your public IP address.

If this helped kindly Accept the answer or send us additional feedback so we can help!

Regards

Share via

Host cannot ping another host in a different subnet

NSV

HOST

ROUTE TABLE

SONICWALL

1 additional answer

Your answer