We have a site that has an MPLS. Each site has a Netvanta 3430 which connects to the MPLS. We are adding some new subnets and I'm currently testing they can all talk with each other.
Right now I can ping from a server to a remote Adtran but not from the server's Adtran to the same remote Adtran.
A1 = Site 1's Adtran
A2 = Remote site Adtran
S1 = Site 1's Server
S2 = Remote site server
----> = ping
A1---->A2: Does not work
S1---->A2: Works
A2---->A1: Works
A2 is the only router with any ACL which is as follows.
ip access-list extended NAME
permit ip any host x.x.x.x
permit ip host x.x.x.x any
permit icmp any host x.x.x.x
permit icmp host x.x.x.x any
Would this be blocking it?
When pinging from router to router, are you using the 'source' command to source the ping from the interface on the LAN?
Example: NV3448#ping 192.168.2.1 source 192.168.1.1 (each of those addresses would be supposing .1 is on the router interface)
Depending on the MPLS configuration on the WAN side, a simple ping command wouldn't result in returned traffic as the routing table doesn't always need to know your far-end WAN IP. Since the simple ping would source from WAN side, the far end wouldn't know how to get back to you. This is likely why a ping from Server to Router works, because the source is from a known subnet.
marvison wrote:
We have a site that has an MPLS. Each site has a Netvanta 3430 which connects to the MPLS. We are adding some new subnets and I'm currently testing they can all talk with each other.
Have you informed your MPLS carrier about the new subnets? How are they advertised? Static routes on the provider side? Dynamic routing such as BGP or OSPF between your CE Adtran and the carrier's PE router? If dynamic, are you redistributing the connected and static subnets into MPLS?
A2 is the only router with any ACL which is as follows.
ip access-list extended NAME
permit ip any host x.x.x.x
permit ip host x.x.x.x any
permit icmp any host x.x.x.x
permit icmp host x.x.x.x any
Would this be blocking it?
It certainly could be, depending on what host x.x.x.x is and to what interface the ACL is applied. Try removing the ACL temporarily and re-test. Note that if x.x.x.x is the same IP, you don't need to permit ICMP if you are permitting IP. ICMP is a subset of IP.
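
The match logic behind the last answer, as an added example that is not part of the thread: a first-match evaluation of the posted ACL, with a trailing implicit deny assumed (the usual behaviour when an extended ACL is applied as a filter). 192.0.2.10 stands in for the redacted x.x.x.x, the packet addresses are constructed, and the function names are hypothetical; which interface and direction the ACL is applied to is not modelled.

```python
"""First-match evaluation of the posted extended ACL (model only, not router code)."""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

def host(addr):
    return ip_network(f"{addr}/32")

# Constructed stand-in for the redacted x.x.x.x host in the thread.
HOST_X = "192.0.2.10"

# (action, protocol, source, destination), in the same order as the posted ACL.
ACL = [
    ("permit", "ip", ANY, host(HOST_X)),
    ("permit", "ip", host(HOST_X), ANY),
    ("permit", "icmp", ANY, host(HOST_X)),
    ("permit", "icmp", host(HOST_X), ANY),
]

def entry_matches(entry, proto, src, dst):
    _, e_proto, e_src, e_dst = entry
    proto_ok = e_proto == "ip" or e_proto == proto  # "ip" matches every IP protocol
    return proto_ok and ip_address(src) in e_src and ip_address(dst) in e_dst

def evaluate(acl, proto, src, dst):
    """Return (action, index of matching entry); index None means the implicit deny."""
    for i, entry in enumerate(acl):
        if entry_matches(entry, proto, src, dst):
            return entry[0], i
    return "deny", None  # assumption: unmatched traffic is dropped

def covers(a, b):
    """True if entry a matches every packet that entry b matches."""
    proto_ok = a[1] == "ip" or a[1] == b[1]
    return proto_ok and b[2].subnet_of(a[2]) and b[3].subnet_of(a[3])

def shadowed(acl):
    """Indexes of entries that can never be reached because an earlier entry covers them."""
    return [j for j, b in enumerate(acl) if any(covers(a, b) for a in acl[:j])]

if __name__ == "__main__":
    # Constructed packets: a ping to the permitted host, then a ping between two other addresses.
    print(evaluate(ACL, "icmp", "198.51.100.1", HOST_X))
    print(evaluate(ACL, "icmp", "198.51.100.1", "203.0.113.1"))
    print(shadowed(ACL))  # the two icmp entries, already covered by the ip entries
```

If neither end of a router-to-router ping is the permitted host, the packet falls through to the implicit deny on whichever interface the ACL filters.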