syong88
Unable to browse the 10 network from 192 network

Hello:
I am new to the subnet world. I need to know whether it is possible for the 10 network to share files with the 192 network with a Fortigate 60 router between them. I have no problems with the 10 network talking to the 192 network, but the 192 network is unable to browse the 10 network. I am able to ping the 10 network from the 192 network, but I am unable to map a drive to do backup. Can someone please help me with this problem? Thanks.
ASKER CERTIFIED SOLUTION
Les Moore
ASKER

Well, the 192 is our main network. We want to subdivide our network into subnets, so we are starting with the 10 network, with the Fortigate 60 in front of the 10 network. We have given a subnet mask of 255.255.255.0 on the 10 network. According to the vendor who sold us the Fortigate 60 unit, it can do what we want it to do: route to the main network. Did they sell us the wrong unit?
It sounds like the "router" is doing exactly what they said it would do: "route" your 10* traffic to the 192* traffic. But like lrmoore stated above, it's a firewall, and without a lot of configuration the 192 network won't be able to browse or ping the 10* network.
That depends. Normally, we use a regular router for dividing a network, unless you want/need the security between them.
1. Make sure the router can transfer data between the two networks.
2. If you are running AD, make sure the two subnets join the same domain.
3. Use \\computer_name to access the machine in the other subnet, not Network Neighborhood.
ASKER

I don't need any security between the 10 network and the 192 network.  They are both behind a firewall already.  As for Mazaraat, yes, I am able to ping from 192 to 10 but I cannot map a drive from 192.
I think I get it...

Main network 192.x.x.x <-----> Fortigate 60 <----- new 10.x.x.x network

The 10 network should be able to do things like browse web services on the 192.x.x.x network, use ftp and other standard IP services, but not the other way 'round, nor will it be able to browse using Network Neighborhood, map drives, or anything else like that with the Fortigate in between, without removing almost all security rules.

ASKER

I am running a Windows 2003 domain with the DNS on the 192 network. I have a member server on the 10 network which has successfully joined the 192 domain. AD has the server listed in the Computers portion and DNS is able to see the server on the 10 network. I have even added the subnet, 10.x.x.x, to the DNS record.
ASKER

But how do I actually clear all the security rules on the Fortigate? I haven't added any rules at all. I have checked the access list on the Fortigate and it didn't have the ports for NetBIOS, i.e. 137, 138 and 139. So I added those ports, but it still doesn't work. ??????
I don't know what you paid for that Fortigate, but I'd send it back to the vendor and buy a real router. Sounds like you don't need anything real fancy, so you might look at Allied Telesyn or Netgear; they're a little cheaper than Cisco. That's just my thought.

Mark
I'm looking at all these comments and they are all correct, but as I stand back, I think I see a white elephant in the room which everyone is either ignoring or missing. So I'm going to ask the question I would if I were consulting here. The *stated* goal is to subnet the existing 192.n.n.n network. Since you are discussing 10.n.n.n, my further assumption is that the 192 network is actually 192.168.n.n (RFC 1918, I think). So, the obvious question. 192.168.n.n is class C space, *PERFECT* for subdividing into natural subnets of 192.168.0.0, whereas 10 is class A space and subnetting that is adding complexity where none is needed (i.e., don't do it unless ya gotta). Why are you considering 10.n.n.n networking, and what routing protocol is going to be used down the line?

And then we can go back to the contention over the Fortigate firewall :)

ASKER

We want to slowly subnet our network to the 10 network, so this is our first stage. At the moment we are on the 192.9.x.x network with subnet mask 255.255.255.0. We thought a router would have the capability to route between different subnets without any problem. Do you think it is a subnet problem too?
>We thought a router would have the capabilities to route between different subnets without any problem
Your assumption is correct, but as I said in my first post - the Fortigate ain't a router, it's a firewall.
It's not a subnet problem.
ASKER

lrmoore, please excuse my ignorance, but according to the brochure it mentioned that it has the capability to "route between zones". Does "zones" mean "subnets"? Or are they speaking of a different subject? The Fortigate has two modes, transparent and NAT/Route modes.

http://www.fortinet.com/doc/FGT60DS.pdf

The only reference to "routing" in that entire document is "route between zones   *"
I would expect that in this context, "zones" refers to interfaces - DMZ and inside. There is one DMZ interface.
Since I don't have a Fortinet account login, I can't get to the user manual to help you figure out how to turn it into a plain old router... Its whole purpose in life is to protect the "inside" from the "outside", not join the two together in one happy domain.
If your 192.x.x.x subnet is off the DMZ interface, and not one of the WAN ports, you might have a better chance at routing between these two zones.

You might have the best chances for success if you can find any old Cisco router, with one Ethernet interface, and use two ip addresses (primary and secondary) on the Ethernet interface for a "router on a stick".
syong88, I see I was mistaken with the addressing: you are converting a live address to a private one, not from one private to another. I still think converting to 10.n.n.n is not that good an idea, but I'll shut up about it :) I don't have much of value to add, other than to say that the information from lrmoore, mark-wa, danielwpc, and Mazaraat is very useful and correct stuff. I'll add that the Fortigate 60 really is the wrong device to be using for your purposes and you should get a plain old router. Get a cheap one to start with until you get more comfortable with nets and subnets and maybe routing protocols.

I almost never disagree with lrmoore because it's a waste of time (he's too good :)) but I will say that I don't like the "router on a stick" idea; I've seen the conceptual trouble it can cause on occasion.
> syong88, I see I was mistaken with the addressing, you are converting a live address to a private one, not from one private
> to another.

I think I've seen 192.9.x.x used on at least two other networks in the ERRONEOUS belief that it was somehow a private range.  They may be a third instance, trying to correct this error.

My normal assumption would be that they were missing a route somewhere, but if ping works then routing in both directions must be working.  So that only leaves the firewall blocking the ports needed for CIFS, NetBIOS, etc.  Without a requirement for security restrictions between the two subnets (and with the apparent intention of introducing additional subnets), I'd say a firewall is probably the wrong tool for the job.
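The reasoning in the reply above (ping answers in both directions, so routes exist; the drive mapping still fails, so the ports CIFS needs are being filtered somewhere in the path) can be turned into a quick check run from a host on the 192 network. This is an added example, not code posted in the thread; the local listener is a constructed stand-in for a reachable file server so the script can be exercised offline, and the ping wrapper assumes POSIX `ping` flags.

```python
"""Separate "is there a route?" from "are the file-sharing ports getting through?":
ping succeeding while TCP 139/445 fail means routing works and something is
filtering, which is the situation described in the thread.  Added example;
hosts and ports used in the self-test are constructed."""
import socket
import subprocess
import sys
from typing import Dict, Tuple

# TCP ports a Windows drive mapping needs: NetBIOS session (139) and direct-hosted
# SMB (445).  137/138 are UDP name/datagram services and are not probed by a TCP connect.
FILE_SHARING_TCP_PORTS = {139: "netbios-ssn", 445: "microsoft-ds"}


def icmp_ping(host: str, timeout_s: int = 2) -> bool:
    """Wrap the OS ping command (POSIX flags assumed; Windows uses -n / -w)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    try:
        rc = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode
    except OSError:
        return False
    return rc == 0


def tcp_port_open(host: str, port: int, timeout_s: float = 2.0) -> bool:
    """True only if a TCP handshake completes; refused and timed-out both count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def probe_ports(host: str, ports=FILE_SHARING_TCP_PORTS, timeout_s: float = 2.0) -> Dict[int, bool]:
    """Probe every port in the table and return {port: reachable}."""
    return {p: tcp_port_open(host, p, timeout_s) for p in ports}


def diagnose(ping_ok: bool, ports: Dict[int, bool]) -> str:
    """Classify the result the way the thread does."""
    if not ping_ok:
        return "no-route-or-host-down"          # routing, not the firewall rules, is the first suspect
    if all(ports.values()):
        return "file-sharing-ports-reachable"   # a drive mapping should work at the IP layer
    if not any(ports.values()):
        return "routing-ok-ports-filtered"      # ping passes, SMB does not: a firewall in the path
    return "partially-filtered"


def start_local_listener() -> Tuple[socket.socket, int]:
    """Constructed stand-in for a reachable file server: an ephemeral loopback listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def main(host: str) -> int:
    ping_ok = icmp_ping(host)
    ports = probe_ports(host)
    verdict = diagnose(ping_ok, ports)
    detail = ", ".join(f"{p}/{FILE_SHARING_TCP_PORTS[p]}={'open' if ok else 'closed'}" for p, ok in ports.items())
    print(f"{host}: ping={'ok' if ping_ok else 'fail'}; {detail}; verdict={verdict}")
    return 0 if verdict == "file-sharing-ports-reachable" else 1


if __name__ == "__main__":
    # Usage: python smbcheck.py <address of the server on the 10 network>
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it from a 192-side workstation against the 10-side server; a `routing-ok-ports-filtered` verdict is the "ping works, mapping fails" case and points at the firewall policy rather than at DNS, AD or the route table.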

Just had a thought, if you CAN ping both directions, as PennGwyn stated, then routing is actually working.  I wonder what would happen if you added the DNS and WINS server entries in the configuration?  Could you try that and post back?

If that doesn't work, I'd say that PennGwyn and everyone else is correct in stating this is the firewall just doing its job and this really isn't the right tool for the job.

Mark
ASKER

First of all, thank you very much for everybody's comments.

I think all of you are correct on the matter. I have the vendor coming in this morning to see what we can do with the problem. They had me using a Virtual IP so I can access the server on the 10 network. So now, I am looking into another router. What do you guys think of the 3com 3226?

http://www.3com.com/products/en_US/detail.jsp?tab=features&pathtype=purchase&sku=3CR17500-91

Oh, by the way, I have the vendor mentioning that the problem with our Fortigate might be related to our present firewall.  I don't see how our present firewall has anything to do with the inability to map a drive to the 10 network.????
> I don't see how our present firewall has anything to do with the inability to map a drive to the 10 network.????

This is a tough one to explain, but yes it can. It has to do with how firewalls use proxy arp. If it is a PIX firewall, you can turn off proxy arp on the inside interface.

Is that firewall your default gateway? Does it have a static route to the 10. network pointing to the Fortigate?

I try to stay as far away from 3com products as I can, but a L3 switch is a very good choice.
ASKER

lrmoore, yes, our firewall is our default gateway. And no, it does not have the static route for the 10 network on it. We are going to keep the Fortigate, but we are running out of time to play with it at this moment.

Can you please elaborate more on the firewall and how it can affect the Fortigate?

internet -------> firewall <---------> 192.x.x.x <------------->HP J5308xl<------>Fortigate 60 <---------->10.x.x.x.

I have the static route table on the HP J5308xl.  Does the 192.x.x.x need to go outside the present firewall before redirect back to the 10 network?

If the firewall is the default gateway, then you have two issues:
1. Being the default gateway, it needs to know how to get to the 10.x.x.x subnet, else it throws it out its own default.
2. Being a firewall, it may not redirect the client to the Fortigate.

If the HP is a layer 3 switch, try making IT the default gateway for the network.
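To make the first of those two issues concrete: a gateway chooses the next hop by longest-prefix match, so a firewall whose table holds only the connected 192 subnet and a default route sends anything for 10.x.x.x out its default, while one static route for the 10 network (or the HP switch carrying that route as the default gateway) hands the packet to the Fortigate. The following is an added example, not configuration from the thread or from any vendor; the interface addresses are constructed because the page gives none, and the three devices are modelled simply as route tables (the second issue, a firewall refusing to redirect a client, is a policy matter this model does not cover).

```python
"""Model of the default-gateway problem in this thread: where does a packet from
the 192 network to the 10 network go?  Added example; every address below is
constructed for illustration (the thread names devices but not addresses)."""
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (destination prefix, next hop)
CONNECTED = "connected"                     # directly attached subnet: deliver locally
UPSTREAM = "upstream(default)"              # the firewall's own default: out toward the Internet

# Assumed interface addresses on the 192 network.
FIREWALL = "192.9.1.1"    # SecurIT firewall inside interface, the current default gateway
FORTIGATE = "192.9.1.2"   # Fortigate 60 interface facing the 192 network
HP_L3 = "192.9.1.3"       # HP J5308xl acting as a layer 3 switch


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def next_hop(table: List[Route], dst: str) -> str:
    """Longest-prefix match, as any router or host route lookup does."""
    ip = ipaddress.ip_address(dst)
    matches = [(n, hop) for n, hop in table if ip in n]
    if not matches:
        raise LookupError(f"no route to {dst}")
    # A /8 static route for 10.x.x.x beats the /0 default; without it, /0 is all that matches.
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def trace(dst: str, first_hop: str, tables: Dict[str, List[Route]], max_hops: int = 8) -> List[str]:
    """Follow a packet from a 192-network client through successive gateways."""
    path, hop = [first_hop], first_hop
    while hop not in (CONNECTED, UPSTREAM):
        if len(path) > max_hops:
            raise RuntimeError(f"routing loop: {path}")
        hop = next_hop(tables[hop], dst)
        path.append(hop)
    return path


# Firewall table as the asker describes it: connected 192 subnet and a default, no 10 route.
FIREWALL_NO_STATIC: List[Route] = [(net("192.9.1.0/24"), CONNECTED), (net("0.0.0.0/0"), UPSTREAM)]
# The same table after adding the static route lrmoore suggests.
FIREWALL_WITH_STATIC: List[Route] = FIREWALL_NO_STATIC + [(net("10.0.0.0/8"), FORTIGATE)]
# Fortigate: 10 network (255.255.255.0 per the thread) connected, default back to the firewall.
FORTIGATE_TABLE: List[Route] = [(net("192.9.1.0/24"), CONNECTED), (net("10.1.1.0/24"), CONNECTED),
                                (net("0.0.0.0/0"), FIREWALL)]
# HP layer 3 switch as default gateway: static route for 10 to the Fortigate, default to the firewall.
HP_TABLE: List[Route] = [(net("192.9.1.0/24"), CONNECTED), (net("10.0.0.0/8"), FORTIGATE),
                         (net("0.0.0.0/0"), FIREWALL)]


def scenarios(dst_10: str = "10.1.1.20", dst_inet: str = "203.0.113.10") -> Dict[str, List[str]]:
    """Compare the three configurations discussed in the thread for a 10-network host."""
    return {
        "firewall default gw, no static route": trace(dst_10, FIREWALL, {FIREWALL: FIREWALL_NO_STATIC, FORTIGATE: FORTIGATE_TABLE}),
        "firewall default gw, with static route": trace(dst_10, FIREWALL, {FIREWALL: FIREWALL_WITH_STATIC, FORTIGATE: FORTIGATE_TABLE}),
        "HP L3 switch as default gw": trace(dst_10, HP_L3, {HP_L3: HP_TABLE, FORTIGATE: FORTIGATE_TABLE, FIREWALL: FIREWALL_NO_STATIC}),
        "HP L3 switch as default gw, Internet dst": trace(dst_inet, HP_L3, {HP_L3: HP_TABLE, FIREWALL: FIREWALL_NO_STATIC}),
    }


if __name__ == "__main__":
    for name, path in scenarios().items():
        print(f"{name}: {' -> '.join(path)}")
```

The first scenario reproduces the asker's situation: with the firewall as default gateway and no 10 route, traffic for the 10 network leaves through the firewall's own default and never reaches the Fortigate, which is why ping from 192 can only work once some device on the 192 side knows where 10.x.x.x lives.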

ASKER

> If the firewall is the default gateway, then you have two issues:
> 1. Being the default gateway, it needs to know how to get to the 10.x.x.x subnet, else it throws it out its own default.

So, you are telling me that on the Firewall, I should put the static route on it.  In addition, I should also put the new subnet on the ARP table?

> If the HP is a layer 3 switch, try making IT the default gateway for the network.
On which network? The 192 or the 10 network?

Thank you in advance.
Yes, you should put a static route entry on the firewall, but it might not do any good. What kind of firewall is it?
No need to put anything in the ARP table.

The switch is only on the 192. network, so it should be the default gateway for the 192 network. It will have a default pointing to your firewall, and a static route entry for the 10. pointing to the Fortigate.
ASKER

It's called the SecurIT firewall. Not many people have heard of it. It runs on a Unix box.

The default gateway for 192, as you have mentioned, will not be applicable on our network at this point. So I guess I have to concentrate on the firewall.