Cisco 2600/Watchguard Firebox: Config for subnet change

Posted on 2004-09-28
Last Modified: 2012-05-05
Hello. I'm trying to implement a new subnet on my network to open up more usable IP addresses. I understand that I need to change the subnet mask to 255.255.254.0 which will allow clients to communicate within both the 192.168.0.0 and 192.168.1.0 networks.

I have added the address "192.168.1.1" as a secondary IP address under my Ethernet0/0 configuration with the correct subnet mask. On my workstation I have changed my subnet mask as well. However, I still cannot ping my router using the new IP address. Does it have to be rebooted?

I am also using a Watchguard Firebox firewall and need some pointers on getting it configured. I have added a new route for 192.168.1.0/24 to 192.168.0.1, but have not yet been able to get things going. Thanks.
Question by:danielrlm

Expert Comment

by:netspec01
There are a couple of ways to deal with adding more IP addresses.  

Routing/secondary ip address
One way as you suggested is to add a secondary IP address to a router interface.  Adding the secondary IP address creates a "route" between the two subnets.  Each network would still have a 24-bit subnet mask (255.255.255.0) and each subnet would have its default gateway as the router.  e.g 192.168.0.1 for the 192.168.0.0/24 network and 192.168.1.1 for the 192.168.1.0/24 network.  The second way to do this is to use a 23 bit mask to create a larger subnet where no routing will occur between hosts.

One big subnet:
If you want to add more than 254 ip addresses without routing, using the 23-bit mask as you suggested will work.  From the Solarwinds subnet calculator:

Subnet        Mask           Subnet Size  Host Range                     Broadcast
192.168.0.0   255.255.254.0  510          192.168.0.1 to 192.168.1.254   192.168.1.255

I would set the gateway to the first address as a general practice - 192.168.0.1.  Assuming that you are using DHCP to dynamically assign IP addresses, set up your DHCP scope for the entire IP range above and exclude maybe the first 50 addresses for statically assigned devices like printers and network equipment.  So your DHCP assigned addresses would start at 192.168.0.50 and end at 192.168.1.254.  Each host gets an ip address plus a subnet mask of 255.255.254.0, a default gateway/router of 192.168.0.1 and also DNS addresses.

Whatever device is your gateway needs to be configured to have a static inside address of 192.168.0.1 - assuming that this will be your gateway address.  Configure your outside to static or dynamic depending on what kind of service you have from your ISP.  If you have a static IP address for the ISP interface, you will need to add a static/default route to your ISP's router (next hop).  I think Watchguard has a startup wizard to help you with this.

If you have a Windows server in your network, I would recommend using this for DNS and DHCP particularly if it is W2K or W2K3.

Are you talking about a Cisco router + Watchguard or just using the Watchguard?  What model?  If you are going with the routing, you need to have the performance to handle the load.  Also, if you opt for the larger subnet, it is possible that you may have excessive broadcasts.

How many hosts are on your network?  What protocols will be loaded?

Hope this gets you started.

Author Comment

by:danielrlm
OK, thanks. Here's a little more info on the network itself...

Router - Cisco 2600 series
Firewall - Watchguard Firebox II (I think)
Switches - Mostly HP, 1 managed with static IP address
Servers - 3x Windows Server 2003, 1x Windows 2000 Advanced Server
Workstations - Approx. 60 being assigned IP addresses with reservations
Printers - Several Canon network printers with static IP addresses

Services running on our network:
* Web (HTTP)
* MS Exchange (POP3 & SMTP)

Services I will be adding soon:
* Streaming Audio (Windows Media Services)

It may not seem like enough to justify 510 addresses, and honestly it's not. But our web guy insists on using a ton of IPs for IIS, so I've easily got 20+ IPs going into just the web site and they're just coming from wherever in the IP scheme. I want to split things up so that we have some kind of an understandable scheme.

Thanks for the answer so far, hopefully this information helps.

Expert Comment

by:netspec01
The "one big subnet solution" should work fine unless you have a need to route or add another VLAN.  Are the web servers for Internet or Intranet?  Does your Firebox have a DMZ segment that you will be using?

No matter which direction you head, organizing your IP address structure is a good thing.  Carve out ranges for printers, network gear, servers, etc.

Are you really using reservations for all of your PCs?  Why?

Expert Comment

by:netspec01
Is this your proposed network diagram?

pc--switch--firewall--router--ISP
         |
pc--switch
         |
pc--switch

Author Comment

by:danielrlm
     ISP
       |
      Router
       |
      Firewall
     /          \
  Switch   Switch
(trusted) (external)
Expert Comment

by:netspec01
Is this network already in place as you describe above?

What is the WAN connection:  adsl, T1, cable?  Is it up and running?
Author Comment

by:danielrlm
Basically, yes. I currently do not have anything running on the DMZ side of things, but I will be adding a new server in October.

That WAN connection is currently a T1. I also have a wireless T1 that is lying dormant, ready to go if needed.

Expert Comment

by:netspec01
Ok.  With 60-80 network devices I would go ahead and do the single subnet with the 255.255.254.0 subnet mask allowing 510 hosts.  This should be defined in your DHCP server and your Watchguard exactly the same.  If at a later date you need to segment your network you should be able to do layer 3 switching on your HP switches (if L3 capable) or by adding a layer 3 switch for inter-VLAN routing.  I would stay away from trying to have your Watchguard do this work.

I am assuming that you have a small network defined between your Watchguard and router.  A normal mask here would be 255.255.255.252 allowing exactly two hosts (router and Watchguard).

On your WAN Watchguard interface I am guessing that you have mask like 255.255.255.248 (6 hosts) or 255.255.255.240 (14 hosts)?
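The subnet arithmetic from the calculator table in the first answer and the host counts quoted in this one (/23, /30, /29, /28), as an added example that is not part of the thread. It uses only Python's standard `ipaddress` module; the interface list passed to `mask_mismatches` is a constructed sample (a workstation still on the old /24 mask) that shows why the DHCP server, firewall and router must all be defined with the same mask.

```python
"""Subnet plan helper for the /23 "one big subnet" option discussed above.
Added example (not from the thread); standard library only."""
import ipaddress


def subnet_summary(cidr):
    """Reproduce the calculator columns: network, mask, usable size,
    first/last usable host and broadcast for a CIDR such as 192.168.0.0/23."""
    net = ipaddress.ip_network(cidr, strict=False)
    usable = net.num_addresses - 2          # minus network and broadcast
    return {
        "subnet": str(net.network_address),
        "mask": str(net.netmask),
        "size": usable,
        "first": str(net.network_address + 1),
        "last": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
    }


def dhcp_scope(cidr, static_reserved):
    """DHCP range after carving out the first `static_reserved` addresses
    of the block for the gateway, printers and network gear."""
    net = ipaddress.ip_network(cidr, strict=False)
    start = net.network_address + static_reserved
    end = net.broadcast_address - 1
    return str(start), str(end)


def mask_mismatches(interfaces):
    """Given 'addr/prefix' strings for the router, DHCP scope, firewall and
    hosts, return the entries whose network differs from the first entry's.
    A host with the wrong mask treats some neighbours as off-link and sends
    that traffic to the gateway, or cannot reach them at all."""
    reference = ipaddress.ip_interface(interfaces[0]).network
    return [i for i in interfaces[1:]
            if ipaddress.ip_interface(i).network != reference]


if __name__ == "__main__":
    for cidr in ("192.168.0.0/23", "10.0.0.0/30", "10.0.0.0/29", "10.0.0.0/28"):
        print(subnet_summary(cidr))
    print(dhcp_scope("192.168.0.0/23", 50))
    # constructed sample: one workstation left on the old 255.255.255.0 mask
    print(mask_mismatches(["192.168.0.1/23", "192.168.0.50/23", "192.168.1.200/24"]))
```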

Author Comment

by:danielrlm
No. Actually I have just recently become the network guy at my workplace. The initial setup was actually done under the guidance of a former Cisco employee, but your suggestions never came to my attention. I see exactly what you mean. Any more details I may be missing? =)

Expert Comment

by:netspec01
Not right now, other than the suggestions mentioned above.  Just be diligent in applying your network configurations and configuring your firewall.  Watchguard has a pretty decent GUI and I don't think that you should have much difficulty in getting it going.  Also, their tech support is helpful.

When you add your DMZ hosts make sure that you identify protocols/ports and limit access to no more than you need.  Use NMAP or another scanner to test your network from the outside for weaknesses.

Accepted Solution

by:netspec01 (earned 250 total points)
Are you still working on this?  Do you need more assistance?  Can you close out this question?  Thanks!
Author Comment

by:danielrlm
Hopefully I will know this week... Then I will close the question. :)