
Cisco 2600/Watchguard Firebox: Config for subnet change

Posted on 2004-09-28
Last Modified: 2012-05-05
Hello. I'm trying to implement a new subnet on my network to open up more usable IP addresses. I understand that I need to change the subnet mask to 255.255.254.0 which will allow clients to communicate within both the 192.168.0.0 and 192.168.1.0 networks.

I have added the address "192.168.1.1" as a secondary IP address under my Ethernet0/0 configuration with the correct subnet mask. On my workstation I have changed my subnet mask as well. However, I still cannot ping my router using the new IP address. Does it have to be rebooted?

I am also using a Watchguard Firebox firewall and need some pointers on getting it configured. I have added a new route for 192.168.1.0/24 to 192.168.0.1, but have not yet been able to get things going. Thanks.
Question by:danielrlm
14 Comments
 
LVL 5

Expert Comment

by:netspec01
ID: 12179317
There are a couple of ways to deal with adding more IP addresses.  

Routing/secondary ip address
One way as you suggested is to add a secondary IP address to a router interface.  Adding the secondary IP address creates a "route" between the two subnets.  Each network would still have a 24-bit subnet mask (255.255.255.0) and each subnet would have its default gateway as the router, e.g. 192.168.0.1 for the 192.168.0.0/24 network and 192.168.1.1 for the 192.168.1.0/24 network.  The second way to do this is to use a 23-bit mask to create a larger subnet where no routing will occur between hosts.

One big subnet:
If you want to add more than 254 ip addresses without routing, using the 23-bit mask as you suggested will work.  From the Solarwinds subnet calculator:

Subnet         Mask             Subnet Size   Host Range                       Broadcast
192.168.0.0    255.255.254.0    510           192.168.0.1 to 192.168.1.254     192.168.1.255

I would set the gateway to the first address as a general practice - 192.168.0.1.  Assuming that you are using DHCP to dynamically assign IP addresses, set up your DHCP scope for the entire IP range above and exclude maybe the first 50 addresses for statically assigned devices like printers and network equipment.  So your DHCP assigned addresses would start at 192.168.0.50 and end at 192.168.1.254.  Each host gets an ip address plus a subnet mask of 255.255.254.0, a default gateway/router of 192.168.0.1 and also DNS addresses.

Whatever device is your gateway needs to be configured to have a static inside address of 192.168.0.1 - assuming that this will be your gateway address.  Configure your outside to static or dynamic depending on what kind of service you have from your ISP.  If you have a static IP address for the ISP interface, you will need to add a static/default route to your ISP's router (next hop).  I think Watchguard has a startup wizard to help you with this.

If you have a Windows server in your network, I would recommend using this for DNS and DHCP particularly if it is W2K or W2K3.

Are you talking about a Cisco router + Watchguard or just using the Watchguard?  What model?  If you are going with the routing, you need to have the performance to handle the load.  Also, if you opt for the larger subnet, it is possible that you may have excessive broadcasts.

How many hosts are on your network?  What protocols will be loaded?

Hope this gets you started.

Author Comment

by:danielrlm
ID: 12180280
OK, thanks. Here's a little more info on the network itself...

Router - Cisco 2600 series
Firewall - Watchguard Firebox II (I think)
Switches - Mostly HP, 1 managed with static IP address
Servers - 3x Windows Server 2003, 1x Windows 2000 Advanced Server
Workstations - Approx. 60 being assigned IP addresses with reservations
Printers - Several Canon network printers with static IP addresses

Services running on our network:
* Web (HTTP)
* MS Exchange (POP3 & SMTP)

Services I will be adding soon:
* Streaming Audio (Windows Media Services)

It may not seem like enough to justify 510 addresses, and honestly it's not. But our web guy insists on using a ton of IPs for IIS, so I've easily got 20+ IPs going into just the web site and they're just coming from wherever in the IP scheme. I want to split things up so that we have some kind of an understandable scheme.

Thanks for the answer so far, hopefully this information helps.
LVL 5

Expert Comment

by:netspec01
ID: 12181699
The "one big subnet solution" should work fine unless you have a need to route or add another VLAN.  Are the web servers for Internet or Intranet?  Does your firebox have  a DMZ segment that you will be using?

No matter which direction you head, organizing your IP address structure is a good thing.  Carve out ranges for printers, network gear, servers, etc.

Are you really using reservations for all of your PCs?  Why?
LVL 5

Expert Comment

by:netspec01
ID: 12181715
Is this your proposed network diagram?

pc--switch--firewall--router--ISP
         |
pc--switch
         |
pc--switch

Author Comment

by:danielrlm
ID: 12181799
     ISP
       |
      Router
       |
      Firewall
     /          \
  Switch   Switch
(trusted) (external)
LVL 5

Expert Comment

by:netspec01
ID: 12182367
Is this network already in place as you describe above?

What is the WAN connection:  adsl, T1, cable?  Is it up and running?

Author Comment

by:danielrlm
ID: 12182381
Basically, yes. I currently do not have anything running on the DMZ side of things, but I will be adding a new server in October.

That WAN connection is currently a T1. I also have a wireless T1 that is lying dormant, ready to go if needed.
LVL 5

Expert Comment

by:netspec01
ID: 12182507
Ok.  With 60-80 network devices I would go ahead and do the single subnet with the 255.255.254.0 subnet mask allowing 510 hosts.  This should be defined in your DHCP server and your Watchguard exactly the same.  If at a later date you need to segment your network you should be able to do layer 3 switching on your HP switches (if L3 capable) or by adding a layer 3 switch for interVLAN routing.  I would stay away from trying to have your Watchguard do this work.

I am assuming that you have a small network defined between your Watchguard and router.  A normal mask here would be 255.255.255.252 allowing exactly two hosts (router and Watchguard).

On your WAN Watchguard interface I am guessing that you have a mask like 255.255.255.248 (6 hosts) or 255.255.255.240 (14 hosts)?
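As an added worked example (not code from the thread, nor from any Cisco, Watchguard or Solarwinds tool), the following Python uses the standard ipaddress module to reproduce the subnet-calculator figures given earlier for 192.168.0.0/23, build the DHCP pool that starts after a block reserved for static devices, and report the host counts for the /30, /29 and /28 masks just mentioned for the firewall-to-router and WAN segments. It also checks whether a host with a given mask treats another address as on-link, which is exactly what changes between a /24 and a /23 workstation for addresses in 192.168.1.x. The 50-address reservation and the 10.0.0.0 sample prefixes are constructed values for illustration.

```python
"""Subnet planning helper. Added example, not code from the thread or from any
Cisco, Watchguard or Solarwinds tool. It assumes the 192.168.0.0/23 scheme
discussed in the thread; the 50-address reservation and the 10.0.0.0 sample
prefixes are constructed values."""
import ipaddress
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class SubnetSummary:
    network: str
    mask: str
    usable_hosts: int
    first_host: str
    last_host: str
    broadcast: str


def summarize(cidr: str) -> SubnetSummary:
    """The figures a subnet calculator prints: size, host range, broadcast."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())  # excludes the network and broadcast addresses
    return SubnetSummary(
        network=str(net.network_address),
        mask=str(net.netmask),
        usable_hosts=len(hosts),
        first_host=str(hosts[0]),
        last_host=str(hosts[-1]),
        broadcast=str(net.broadcast_address),
    )


def dhcp_scope(cidr: str, reserve_first: int) -> Tuple[str, str, int]:
    """DHCP pool that leaves the first `reserve_first` addresses for statically
    assigned gear (gateway, printers, switches) and runs to the last usable host.
    Returns (pool_start, pool_end, pool_size)."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    if not 1 <= reserve_first < len(hosts):
        raise ValueError("reservation must leave addresses for the DHCP pool")
    start = net.network_address + reserve_first  # 192.168.0.0 + 50 -> 192.168.0.50
    end = hosts[-1]
    return str(start), str(end), int(end) - int(start) + 1


def on_same_link(host_with_prefix: str, target: str) -> bool:
    """Does a host configured as e.g. 192.168.0.10/23 send to `target` directly
    (ARP on the wire) rather than via its default gateway? A /24 host and a /23
    host answer this differently for anything in 192.168.1.x."""
    iface = ipaddress.ip_interface(host_with_prefix)
    return ipaddress.ip_address(target) in iface.network


if __name__ == "__main__":
    for cidr in ("192.168.0.0/23", "10.0.0.0/30", "10.0.0.0/29", "10.0.0.0/28"):
        s = summarize(cidr)
        print(f"{s.network:<14}{s.mask:<16}{s.usable_hosts:>5}  "
              f"{s.first_host} to {s.last_host}  broadcast {s.broadcast}")
    print("DHCP pool (start, end, size):", dhcp_scope("192.168.0.0/23", 50))
    for prefix in ("/24", "/23"):
        print(f"192.168.0.10{prefix} treats 192.168.1.1 as on-link:",
              on_same_link("192.168.0.10" + prefix, "192.168.1.1"))
```

The /23 summary matches the calculator line quoted above (510 hosts, 192.168.0.1 to 192.168.1.254, broadcast 192.168.1.255), and the pool with 50 reserved addresses runs from 192.168.0.50 to 192.168.1.254, as the earlier answer suggests. Note that 192.168.0.255 and 192.168.1.0 are ordinary host addresses inside a /23; a device still carrying a /24 mask will not treat them, or anything in 192.168.1.x, as on-link, which is why the mask must be identical in DHCP, on the firewall and on any statically configured host.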

Author Comment

by:danielrlm
ID: 12182558
No. Actually I have just recently become the network guy at my workplace. The initial setup was actually done under the guidance of a former Cisco employee, but your suggestions never came to my attention. I see exactly what you mean. Any more details I may be missing? =)
LVL 5

Expert Comment

by:netspec01
ID: 12182654
Not right now, other than the suggestions mentioned above.  Just be diligent in applying your network configurations and configuring your firewall.  Watchguard has a pretty decent GUI and I don't think that you should have much difficulty in getting it going.  Also, their tech support is helpful.

When you add your DMZ hosts make sure that you identify protocols/ports and limit access to no more than you need.  Use NMAP or another scanner to test your network from the outside for weaknesses.
LVL 5

Accepted Solution

by:netspec01 (earned 250 total points)
ID: 12280629
Are you still working on this?  Do you need more assistance?  Can you close out this question?  Thanks!

Author Comment

by:danielrlm
ID: 12308762
Hopefully I will know this week... Then I will close the question. :)