Solved

Unable to browse the 10 network from 192 network

Posted on 2004-10-11
Last Modified: 2012-08-13
Hello:
I am new to the subnet world. I need to know whether it is possible for the 10 network to share files with the 192 network with a Fortigate 60 router between them. I have no problems with the 10 network talking to the 192 network, but the 192 network is unable to browse the 10 network. I am able to ping the 10 network from the 192 network, but I am unable to map a drive to do backups. Can someone please help me with this problem? Thanks.
Question by: syong88
25 Comments

Accepted Solution by: lrmoore (earned 500 total points)
The first problem as I see it is that the Fortigate 60 is a firewall. It is not a router. Firewalls are designed for one purpose: to prevent networks from talking to each other unless and until you expressly tell them to.

We need more information on your network setup. Which side of the Fortigate is the 10 network, and which side is the 192 network, etc.? If one is "inside" and the other is "outside", then you will most likely never be able to browse the network using Microsoft Network Neighborhood...

Author Comment by: syong88
Well, the 192 is our main network. We want to divide our network into subnets. So we are starting with the 10 network, with the Fortigate 60 in front of the 10 network. We have given the 10 network a subnet mask of 255.255.255.0. According to the vendor who sold us the Fortigate 60 unit, it can do what we want it to do: route to the main network. Did they sell us the wrong unit?

Expert Comment by: Mazaraat
It sounds like the "router" is doing exactly what they said it would do: "route" your 10* traffic to the 192* network. But as lrmoore stated above, it's a firewall, and without a lot of configuration the 192 network won't be able to browse or ping the 10* network.

Expert Comment by: lrmoore
That depends. Normally we use a regular router for dividing a network, unless you want/need the security between them.

Expert Comment by: danielwpc
1. Make sure the router can transfer data between the two networks.
2. If you are running AD, make sure the two subnets join the same domain.
3. Use \\computer_name to access a machine in the other subnet, not Network Neighborhood.

Author Comment by: syong88
I don't need any security between the 10 network and the 192 network.  They are both behind a firewall already.  As for Mazaraat, yes, I am able to ping from 192 to 10 but I cannot map a drive from 192.

Expert Comment by: lrmoore
I think I get it...

Main network 192.x.x.x <----->Fortigate 60 <----- new "10.x.x.x network

The 10 network should be able to do things like browse web services on the 192.x.x.x network, use FTP and other standard IP services, but not the other way 'round, nor will it be able to browse using Network Neighborhood, map drives, or anything else like that with the Fortigate in between, without removing almost all security rules.

Author Comment by: syong88
I am running Windows 2003 domain with the DNS on the 192 network.  I have a member server on the 10 network which has successfully joined to the 192 domain.  AD has the server listed on the Computers portions and DNS is able to see the server on the 10 network.  I have even added the subnet, 10.x.x.x, to the DNS record.

Author Comment by: syong88
But how do I actually clear all the security rules on the Fortigate? I haven't added any rules at all. I checked the access list on the Fortigate and it didn't have the ports for NetBIOS, i.e. 137, 138 and 139. So I added those ports, but it still doesn't work. ??????

Expert Comment by: mark-wa
I don't know what you paid for that Fortigate, but I'd send it back to the vendor and buy a real router. Sounds like you don't need anything real fancy, so you might look at Allied Telesyn or Netgear; they're a little cheaper than Cisco. That's just my thought.

Mark

Expert Comment by: JonSh
I'm looking at all these comments and they are all correct, but as I stand back, I think I see a white elephant in the room which everyone is either ignoring or missing. So I'm going to ask the question I would if I were consulting here. The *stated* goal is to subnet the existing 192.n.n.n network. Since you are discussing 10.n.n.n, my further assumption is that the 192 network is actually 192.168.n.n (RFC 1918, I think). So, the obvious question. 192.168.n.n is class C space, *PERFECT* for subdividing into natural subnets of 192.168.0.0, whereas 10 is class A space and subnetting that is adding complexity where none is needed (i.e., don't do it unless ya gotta). Why are you considering 10.n.n.n networking, and what routing protocol is going to be used down the line?

And then we can go back to the contention over the Fortigate firewall :)

Author Comment by: syong88
We want to slowly subnet our network to 10 network. So this is our first stage.  At the moment we are at 192.9.x.x network with subnet mask 255.255.255.0.  We thought a router would have the capabilities to route between different subnets without any problem.  Do you think it is a subnet problem too?  

Expert Comment by: lrmoore
>We thought a router would have the capabilities to route between different subnets without any problem
Your assumption is correct, but as I said in my first post - the Fortigate ain't a router, it's a firewall.
It's not a subnet problem.

Author Comment by: syong88
lrmoore, please excuse my ignorance, but according to the brochure it mentioned that it has the capability to "route between zones". Does "zones" mean "subnets"? Or are they speaking of a different subject? The Fortigate has two modes, transparent and NAT/Route mode.

http://www.fortinet.com/doc/FGT60DS.pdf

Expert Comment by: lrmoore
The only reference to "routing" in that entire document is "route between zones   *"
I would expect that in this context, "zones" refers to interfaces - DMZ and inside. There is one DMZ interface.
Since I don't have a Fortinet account login, I can't get to the user manual to help you figure out how to turn it into a plain old router.... Its whole purpose in life is to protect the "inside" from the "outside" not join the two together in one happy domain.
If your 192.x.x.x subnet is off the DMZ interface, and not one of the WAN ports, you might have a better chance at routing between these two zones.

You might have the best chances for success if you can find any old Cisco router, with one Ethernet interface, and use two ip addresses (primary and secondary) on the Ethernet interface for a "router on a stick".

Expert Comment by: JonSh
syong88, I see I was mistaken with the addressing; you are converting a live address to a private one, not from one private to another. I still think converting to 10.n.n.n is not that good an idea, but I'll shut up about it :) I don't have much of value to add, other than to say that the information lrmoore, mark-wa, danielwpc, and Mazaraat have given is very useful and correct stuff. I'll add that the Fortigate 60 really is the wrong device to be using for your purposes and you should get a plain old router. Get a cheap one to start with until you get more comfortable with nets and subnets and maybe routing protocols.

I almost never disagree with lrmoore because it's a waste of time (he's too good :)), but I will say that I don't like the "router on a stick" idea; I've seen the conceptual trouble it can cause on occasion.

Expert Comment by: PennGwyn
> syong88, I see I was mistaken with the addressing, you are converting a live address to a private one, not prom one private
> to another.

I think I've seen 192.9.x.x used on at least two other networks in the ERRONEOUS belief that it was somehow a private range.  They may be a third instance, trying to correct this error.

My normal assumption would be that they were missing a route somewhere, but if ping works then routing in both directions must be working.  So that only leaves the firewall blocking the ports needed for CIFS, NetBIOS, etc.  Without a requirement for security restrictions between the two subnets (and with the apparent intention of introducing additional subnets), I'd say a firewall is probably the wrong tool for the job.
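
The check PennGwyn's reasoning implies, written out as an added example that is not part of the original thread. Ping only proves the route; a drive mapping needs 445/tcp (SMB) or 139/tcp (NetBIOS session), so the script probes those and reads the failure mode rather than just pass/fail: a connect that times out means neither a SYN-ACK nor a RST came back, which is what a firewall silently dropping the ports looks like, while a refused connect proves the packets reach the host. The target address 10.1.1.10 and the port list are assumptions for illustration.

```python
"""Tell a routing problem apart from a firewall policy problem using TCP connects.

Added example, not from the thread. The target address below is assumed.
"""
import socket
from typing import Dict, Iterable, Tuple

# TCP ports a Windows 2003-era drive mapping needs across a routed boundary.
# 137/udp and 138/udp (NetBIOS name service, datagram/browser traffic) are
# broadcast based and no router forwards them; Network Neighborhood browsing
# across subnets therefore needs WINS or LMHOSTS no matter how the Fortigate
# is configured. Mapping \\server\share only needs the name to resolve (DNS is
# enough for 445) plus one of these two ports open.
SMB_TCP_PORTS = (445, 139)


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed', 'filtered' or 'unreachable' for host:port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"      # nothing came back: something on the path dropped it
    except ConnectionRefusedError:
        return "closed"        # RST came back: routed fine, nothing listening
    except OSError:
        return "unreachable"   # local stack has no route / host unreachable
    finally:
        sock.close()


def diagnose(host: str, ports: Iterable[int] = SMB_TCP_PORTS,
             timeout: float = 2.0) -> Tuple[Dict[int, str], str]:
    """Probe each port and turn the per-port states into a verdict."""
    results = {port: probe_tcp(host, port, timeout) for port in ports}
    states = set(results.values())
    if "open" in states:
        verdict = "smb reachable: mapping should work once the name resolves"
    elif states == {"filtered"}:
        verdict = "routed but dropped: a firewall policy is eating the SMB ports"
    elif "closed" in states:
        verdict = "host reached: no SMB listener, look at the server not the network"
    else:
        verdict = "unreachable: routing problem, not a port problem"
    return results, verdict


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.1.1.10"  # assumed server address
    per_port, verdict = diagnose(target)
    for port, state in per_port.items():
        print(f"{target}:{port} {state}")
    print(verdict)
```

Run it from a 192 host against the 10 server after confirming that ping works. Both ports reporting "filtered" while ping succeeds is exactly the situation described above: the path is routed in both directions and the firewall policy is what is missing.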

Expert Comment by: mark-wa
Just had a thought, if you CAN ping both directions, as PennGwyn stated, then routing is actually working.  I wonder what would happen if you added the DNS and WINS server entries in the configuration?  Could you try that and post back?

If that doesn't work, I'd say that PennGwyn and everyone else is correct in stating this is the firewall just doing its job and this really isn't the right tool for the job.

Mark

Author Comment by: syong88
First of all, thank you very much for everybody's comments.

I think all of you are correct on the matter.  I have the vendor coming in this morning to see what we can do with the problem.  They had me using Virtual IP so I can access the server on the 10 network.  So now, I am looking into another router.  What do you guys think of the 3com 3226?  

http://www.3com.com/products/en_US/detail.jsp?tab=features&pathtype=purchase&sku=3CR17500-91

Oh, by the way, I have the vendor mentioning that the problem with our Fortigate might be related to our present firewall.  I don't see how our present firewall has anything to do with the inability to map a drive to the 10 network.????

Expert Comment by: lrmoore
> I don't see how our present firewall has anything to do with the inability to map a drive to the 10 network.????

This is a tough one to explain, but yes it can. It has to do with how firewalls use proxy arp. If it is a PIX firewall, you can turn off proxy arp on the inside interface.

Is that firewall your default gateway? Does it have a static route to the 10. network pointing to the Fortigate?

I try to stay as far away from 3com products as I can, but a L3 switch is a very good choice.

Author Comment by: syong88
lrmoore, yes, our firewall is our default gateway. And no, it does not have a static route for the 10 network on it. We are going to keep the Fortigate, but we are running out of time to play with it at this moment.

Can you please elaborate more on the firewall and how it can affect the Fortigate?

internet -------> firewall <---------> 192.x.x.x <------------->HP J5308xl<------>Fortigate 60 <---------->10.x.x.x.

I have the static route table on the HP J5308xl.  Does the 192.x.x.x need to go outside the present firewall before redirect back to the 10 network?

Expert Comment by: lrmoore
If the firewall is the default gateway, then you have two issues:
1. Being the default gateway, it needs to know how to get to the 10.x.x.x subnet, else it throws it out its own default.
2. Being a firewall, it may not redirect the client to the Fortigate.

If the HP is a layer 3 switch, try making IT the default gateway for the network.

Author Comment by: syong88
<If the firewall is the default gateway, then you have two issues:
<1. Being the default gateway, it needs to know how to get to the 10.x.x.x subnet, else it throws it out its own default.

So, you are telling me that on the Firewall, I should put the static route on it.  In addition, I should also put the new subnet on the ARP table?

<If the HP is a layer 3 switch, try making IT the default gateway for the network.
On which network?  the 192 or the 10 network?

Thank you in advance.

Expert Comment by: lrmoore
Yes, you should put a static route entry on the firewall, but it might not do any good - what kind of firewall is it?
No need to put anything in the arp table

The switch is only on the 192. network, so it should be the default gateway for the 192 network. It will have a default pointing to your firewall, and a static route entry for the 10. pointing to the Fortigate.
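
lrmoore's two issues made concrete with a longest-prefix-match walkthrough, as an added example that is not part of the original thread. It models the three routing tables in play: the SecurIT firewall as it stands (default route only), the same firewall with the static route added, and the HP switch acting as the 192 default gateway. All addresses are assumptions for illustration: LAN 192.9.200.0/24, firewall 192.9.200.1, Fortigate inside address 192.9.200.254, backup server 10.1.1.10. Whether a device will send a packet back out the interface it arrived on is modelled as an allow_hairpin flag: a router does that as a matter of course (and may send an ICMP redirect), while a stateful firewall commonly refuses it by default.

```python
"""Longest-prefix-match walkthrough of the three routing tables in play.

Added example, not from the thread. All addresses are assumed for illustration.
"""
import ipaddress
from typing import List, Optional, Tuple

# A route is (prefix, next hop, egress interface).
Route = Tuple[ipaddress.IPv4Network, str, str]


class RoutingTable:
    def __init__(self, routes: List[Tuple[str, str, str]], allow_hairpin: bool = True):
        self.routes: List[Route] = [
            (ipaddress.ip_network(prefix), next_hop, iface)
            for prefix, next_hop, iface in routes
        ]
        # Routers forward a packet back out the interface it arrived on (and may
        # send an ICMP redirect); stateful firewalls commonly refuse to.
        self.allow_hairpin = allow_hairpin

    def lookup(self, dst: str) -> Optional[Route]:
        """Most specific route containing dst (longest prefix wins), or None."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r[0]]
        return max(candidates, key=lambda r: r[0].prefixlen, default=None)


def forward(table: RoutingTable, dst: str, ingress_iface: str) -> Tuple[str, str, str]:
    """What the device does with a packet for dst that arrived on ingress_iface.

    Returns (action, next_hop, egress_iface); action is 'forward', 'hairpin'
    (sent back out the ingress interface), 'blocked' (hairpin refused by
    policy) or 'drop' (no matching route at all).
    """
    route = table.lookup(dst)
    if route is None:
        return ("drop", "", "")
    _prefix, next_hop, egress = route
    if egress != ingress_iface:
        return ("forward", next_hop, egress)
    if table.allow_hairpin:
        return ("hairpin", next_hop, egress)
    return ("blocked", next_hop, egress)


# 1. The SecurIT firewall as it stands: a connected route and a default. A
#    packet for 10.1.1.10 matches only 0.0.0.0/0 and leaves toward the ISP.
FIREWALL_NO_STATIC = RoutingTable([
    ("192.9.200.0/24", "connected", "inside"),
    ("0.0.0.0/0", "isp-router", "outside"),
], allow_hairpin=False)

# 2. The same firewall with the static route lrmoore suggests. 10.1.1.0/24 is
#    now the longest match, but the next hop (the Fortigate) sits on the very
#    interface the packet came in on, so the firewall must hairpin it.
FIREWALL_WITH_STATIC = RoutingTable([
    ("192.9.200.0/24", "connected", "inside"),
    ("10.1.1.0/24", "192.9.200.254", "inside"),
    ("0.0.0.0/0", "isp-router", "outside"),
], allow_hairpin=False)

# 3. The HP switch as the 192 default gateway: default to the firewall, static
#    to the Fortigate. The same hairpin occurs, but a router simply does it.
L3_SWITCH = RoutingTable([
    ("192.9.200.0/24", "connected", "vlan192"),
    ("10.1.1.0/24", "192.9.200.254", "vlan192"),
    ("0.0.0.0/0", "192.9.200.1", "vlan192"),
])


if __name__ == "__main__":
    for name, table, ingress in [
        ("firewall, no static", FIREWALL_NO_STATIC, "inside"),
        ("firewall, with static", FIREWALL_WITH_STATIC, "inside"),
        ("L3 switch as gateway", L3_SWITCH, "vlan192"),
    ]:
        print(f"{name:24s} 192 client -> 10.1.1.10: {forward(table, '10.1.1.10', ingress)}")
```

The first table shows why a 192 client's packets for the 10 network currently head for the Internet; the second shows why a static route on the firewall "might not do any good"; the third is the configuration described above, where the switch carries the default toward the firewall and the 10 static toward the Fortigate.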

Author Comment by: syong88
It's called SecurIT firewall. Not many people have heard of it. It runs on a Unix box.

The default gateway for 192, as you have mentioned, will not be applicable on our network at this point. So I guess I have to concentrate on the firewall.