Solved

Cisco 2600/Watchguard Firebox: Config for subnet change

Posted on 2004-09-28
590 Views
Last Modified: 2012-05-05
Hello. I'm trying to implement a new subnet on my network to open up more usable IP addresses. I understand that I need to change the subnet mask to 255.255.254.0 which will allow clients to communicate within both the 192.168.0.0 and 192.168.1.0 networks.

I have added the address "192.168.1.1" as a secondary IP address under my Ethernet0/0 configuration with the correct subnet mask. On my workstation I have changed my subnet mask as well. However, I still cannot ping my router using the new IP address. Does it have to be rebooted?

I am also using a Watchguard Firebox firewall and need some pointers on getting it configured. I have added a new route for 192.168.1.0/24 to 192.168.0.1, but have not yet been able to get things going. Thanks.
Question by:danielrlm
14 Comments
 
LVL 5

Expert Comment

by:netspec01
ID: 12179317
There are a couple of ways to deal with adding more IP addresses.  

Routing/secondary ip address
One way as you suggested is to add a secondary IP address to a router interface.  Adding the secondary IP address creates a "route" between the two subnets.  Each network would still have a 24-bit subnet mask (255.255.255.0) and each subnet would have its default gateway as the router, e.g. 192.168.0.1 for the 192.168.0.0/24 network and 192.168.1.1 for the 192.168.1.0/24 network.  The second way to do this is to use a 23-bit mask to create a larger subnet where no routing will occur between hosts.

One big subnet:
If you want to add more than 254 ip addresses without routing, using the 23-bit mask as you suggested will work.  From the Solarwinds subnet calculator:

Subnet       Mask           Subnet Size   Host Range                     Broadcast
192.168.0.0  255.255.254.0  510           192.168.0.1 to 192.168.1.254   192.168.1.255

I would set the gateway to the first address as a general practice - 192.168.0.1.  Assuming that you are using DHCP to dynamically assign IP addresses, set up your DHCP scope for the entire IP range above and exclude maybe the first 50 addresses for statically assigned devices like printers and network equipment.  So your DHCP assigned addresses would start at 192.168.0.50 and end at 192.168.1.254.  Each host gets an ip address plus a subnet mask of 255.255.254.0, a default gateway/router of 192.168.0.1 and also DNS addresses.

Whatever device is your gateway needs to be configured to have a static inside address of 192.168.0.1 - assuming that this will be your gateway address.  Configure your outside to static or dynamic depending on what kind of service you have from your ISP.  If you have a static IP address for the ISP interface, you will need to add a static/default route to your ISP's router (next hop).  I think Watchguard has a startup wizard to help you with this.

If you have a Windows server in your network, I would recommend using this for DNS and DHCP particularly if it is W2K or W2K3.

Are you talking about a Cisco router + Watchguard or just using the Watchguard?  What model?  If you are going with the routing, you need to have the performance to handle the load.  Also, if you opt for the larger subnet, it is possible that you may have excessive broadcasts.

How many hosts are on your network?  What protocols will be loaded?

Hope this gets you started.
0
 

Author Comment

by:danielrlm
ID: 12180280
OK, thanks. Here's a little more info on the network itself...

Router - Cisco 2600 series
Firewall - Watchguard Firebox II (I think)
Switches - Mostly HP, 1 managed with static IP address
Servers - 3x Windows Server 2003, 1x Windows 2000 Advanced Server
Workstations - Approx. 60 being assigned IP addresses with reservations
Printers - Several Canon network printers with static IP addresses

Services running on our network:
* Web (HTTP)
* MS Exchange (POP3 & SMTP)

Services I will be adding soon:
* Streaming Audio (Windows Media Services)

It may not seem like enough to justify 510 addresses, and honestly it's not. But our web guy insists on using a ton of IPs for IIS, so I've easily got 20+ IPs going into just the web site and they're just coming from wherever in the IP scheme. I want to split things up so that we have some kind of an understandable scheme.

Thanks for the answer so far, hopefully this information helps.
0
 
LVL 5

Expert Comment

by:netspec01
ID: 12181699
The "one big subnet solution" should work fine unless you have a need to route or add another VLAN.  Are the web servers for Internet or Intranet?  Does your firebox have  a DMZ segment that you will be using?

No matter which direction you head, organizing your IP address structure is a good thing.  Carve out ranges for printers, network gear, servers, etc.

Are you really using reservations for all of your PCs?  Why?
0
 
LVL 5

Expert Comment

by:netspec01
ID: 12181715
Is this your proposed network diagram

pc--switch--firewall--router--ISP
         |
pc--switch
         |
pc--switch
0
 

Author Comment

by:danielrlm
ID: 12181799
     ISP
       |
      Router
       |
      Firewall
     /          \
  Switch   Switch
(trusted) (external)
0
 
LVL 5

Expert Comment

by:netspec01
ID: 12182367
Is this network already in place as you describe above?

What is the WAN connection:  adsl, T1, cable?  Is it up and running?
0
 

Author Comment

by:danielrlm
ID: 12182381
Basically, yes. I currently do not have anything running on the DMZ side of things, but I will be adding a new server in October.

That WAN connection is currently a T1. I also have a wireless T1 that is lying dormant, ready to go if needed.
0
 
LVL 5

Expert Comment

by:netspec01
ID: 12182507
Ok.  With 60-80 network devices I would go ahead and do the single subnet with the 255.255.254.0 subnet mask allowing 510 hosts.  This should be defined in your DHCP server and your Watchguard exactly the same.  If at a later date you need to segment your network you should be able to do layer 3 switching on your HP switches (if L3 capable) or by adding a layer 3 switch for interVLAN routing.  I would stay away from trying to have your Watchguard do this work.

I am assuming that you have a small network defined between your Watchguard and router.  A normal mask here would be 255.255.255.252 allowing exactly two hosts (router and Watchguard).

On your WAN Watchguard interface I am guessing that you have mask like 255.255.255.248 (6 hosts) or 255.255.255.240 (14 hosts)?
0
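The subnet arithmetic behind the advice in the thread (the 510-host /23 from the earlier comment, the DHCP scope with the first addresses reserved, and the /30, /29 and /28 point-to-point and WAN masks in the comment above), as an added example that is not code from the original thread. It uses only the Python standard library; the 10.0.0.0 networks are constructed sample values, not addresses from the thread.

```python
# Added example, not part of the original thread: subnet arithmetic
# for the masks discussed above, using the standard-library ipaddress module.
import ipaddress


def subnet_summary(cidr):
    """Network, mask, usable host count, first/last host and broadcast for a CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())  # usable addresses, excluding network and broadcast
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "size": len(hosts),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
    }


def same_subnet(ip_a, ip_b, mask):
    """True if both hosts are on-link under the given mask, i.e. no router is needed."""
    net_a = ipaddress.ip_interface(f"{ip_a}/{mask}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{mask}").network
    return net_a == net_b


def dhcp_scope(cidr, first_offset):
    """DHCP range starting at network address + first_offset, ending at the last usable host.

    Addresses below the start are left for static devices (printers, network gear).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    first = net.network_address + first_offset
    last = net.broadcast_address - 1
    return str(first), str(last)


if __name__ == "__main__":
    # The /23 from the thread, then constructed /30, /29 and /28 samples.
    for cidr in ("192.168.0.0/23", "10.0.0.0/30", "10.0.0.0/29", "10.0.0.0/28"):
        print(subnet_summary(cidr))
    # 192.168.0.x and 192.168.1.x are separate subnets under /24 but one under /23.
    print(same_subnet("192.168.0.10", "192.168.1.1", "255.255.255.0"))
    print(same_subnet("192.168.0.10", "192.168.1.1", "255.255.254.0"))
    print(dhcp_scope("192.168.0.0/23", 50))
```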
 

Author Comment

by:danielrlm
ID: 12182558
No. Actually I have just recently become the network guy at my workplace. The initial setup was actually done under the guidance of a former Cisco employee, but your suggestions never came to my attention. I see exactly what you mean. Any more details I may be missing? =)
0
 
LVL 5

Expert Comment

by:netspec01
ID: 12182654
Not right now, other than the suggestions mentioned above.  Just be diligent in applying your network configurations and configuring your firewall.  Watchguard has a pretty decent GUI and I don't think that you should have much difficulty in getting it going.  Also, their tech support is helpful.  

When you add your DMZ hosts make sure that you identify protocols/ports and limit access to no more than you need.  Use NMAP or other scanner to test your network from the outside for weaknesses.
0
 
LVL 5

Accepted Solution

by:
netspec01 earned 250 total points
ID: 12280629
Are you still working on this?  Do you need more assistance?  Can you close out this question?  Thanks!
0
 

Author Comment

by:danielrlm
ID: 12308762
Hopefully I will know this week... Then I will close the question. :)
0
