Routing between multiple firewalls behind single router

My scenario is that I have two firewalls behind one DSL router.  Attached to one firewall in the DMZ is a camera system.  If I do a tracert from the network that doesn't have the camera attached to it the route goes from the firewall to the router then stops, as opposed to going directly to the camera or to the router then back to the camera.

Router
IP xxx.xxx.xxx.101

Site A
Firewall LAN IP 192.168.206.1
Firewall WAN IP xxx.xxx.xxx.106
WAN  Gateway xxx.xxx.xxx.101

Site B
Firewall LAN IP 192.168.200.1
Firewall WAN IP xxx.xxx.xxx.102
WAN Gateway xxx.xxx.xxx.101

Camera attached to Site B DMZ
IP address xxx.xxx.xxx.104

I can get to the camera from the LAN on Site B and from the internet but not from the LAN at Site A.  I'm not sure if there's something I have to add to the DSL router, unfortunately it's owned by the ISP, but I may be able to get them to add something if it will help.  Any hints as to an easier way to get the traffic destined for xxx.xxx.xxx.104 from Site A to make it there?

Thanks
TudAsked:
fixnixCommented:
Ahhh....yup, sounds like you've got it!

Good Deal.
0
 
fixnixCommented:
Sounds like all you need to do is punch a hole in the Site B firewall to allow the appropriate traffic from Site A.  The specifics of course depend on your firewall and the ports/traffic you need to allow.  You shouldn't have to change anything on the ISP-owned DSL router.
0
 
TudAuthor Commented:
The camera can be reached via the internet, which makes me think the appropriate ports are open from the WAN to the DMZ.  When doing a trace route, should the packet go from the Site A firewall to the router?
0
 
fixnixCommented:
Sorry, I misread a line in the original question...thought the traceroute stopped at the firewall for site B, not the router....let me think a bit before I post again to make sure I'm getting it right ;)...
0
 
fixnixCommented:
If you're referencing the external IP of the cams from site A, then the packets would hit the router.  Can you access the cam via the 192.168.200.x IP instead of the world-visible IP?
0
 
fixnixCommented:
nevermind...didn't think it out enough again....grrr.  will be back after another cup of coffee lol.  sorry again
0
 
TudAuthor Commented:
Thanks for trying.  I've thought about routing all internet traffic through the firewalls so that everything from site B goes through site A, since the local site A systems can see the camera, unfortunately the support people for the firewall say that this can only be done with a second router, which didn't make sense to me but I'm sure there's a reason.  The whole thing seems like a routing issue to me, just not sure how to clear it up.  The WAN IP for both firewalls, the router gateway IP and the camera are all on the same subnet.
0
 
fixnixCommented:
Okay...If I'm understanding your setup correctly, Site B's firewall has multiple WAN IP's...x.x.x.102 and x.x.x.104 (and possibly others).  I've run a similar setup at home...32 world-visible IP's and multiple firewalls and DMZ's.  I used to run off SDSL, then upgraded to a T1, and never had a problem hitting the webservers or other machines from behind one firewall to one of the other DMZ's using the world-visible IP's or names...traffic behaved just as if it were all on the LAN.

I just shelled in and did a traceroute from one DMZ to another and it failed at the first firewall, although pinging the other DMZ firewall worked fine.  I wouldn't worry about the traceroute stopping at the router.

Can you ping Site B's firewall from Site A?  (Assuming site B firewall is configured to reply to pings)
0
 
TudAuthor Commented:
Yes, we've got 32 world-visible IP's behind our DSL router.  1 is assigned to the router and is used as the gateway IP address for everything else.  One is assigned to the firewall at Site A, one for the firewall at Site B and 1 for the camera system.  If I move the camera system outside the DMZ and basically in the same subnet as the firewalls and the router, I get the same results.

The firewalls are not set up to reply to pings.  I can ping the camera from the LAN at Site B (also, Site A and B are connected via a VPN tunnel) but not from the LAN, or the firewall, at Site A.
0
 
fixnixCommented:
Can you use the LAN address and connect to the camera from site A via the VPN?  If the VPN tunnel is brought down, is the camera accessible from site A then?

0
 
TudAuthor Commented:
I haven't tried it with the VPN tunnel down, although I have tried it with the VPN tunnel set to terminate at the LAN and DMZ.  I'll try shutting it down after hours to see if it makes a difference.
0
 
fixnixCommented:
How is the VPN configured?  Is it a Net to Net VPN from the 2 firewall boxes or something different?  The reason I ask is that the VPN obviously works...which means a connection from one WAN IP on site A is able to get to a WAN IP on site B unless you've got some other setup physically separate from the DSL router.  If the VPN is established from one WAN IP to another, then it's almost certain the cam problem is a routing issue on a box you control.  However, if bringing the VPN down doesn't change anything, then it seems to be a WAN IP to WAN IP routing issue on the DSL router.

I'm leaning towards the problem being on a box you control tho....what are you using for the firewall, routing, and VPN on sites A and B?
0
 
TudAuthor Commented:
The VPN is configured for Net to Net.  I can ping all the IP addresses on one LAN from the other.  You are right, they are configured from one WAN IP address to the other, which, as you suggest, likely means that it isn't an issue with the router but perhaps one of the boxes.  The firewalls are Sonicwalls, a Pro 200 and a SOHO 3, using the built-in VPN capabilities.  The router is an ISP provided Cisco 800 (or 803).

I just tried turning on the option to respond to pings on the firewalls and neither firewall can ping the other's IP address.  I'm beginning to wonder why the VPN connection works. :-)
0
 
fixnixCommented:
I'm not familiar w/ sonicwalls so I don't know the commands, but can you post the routing tables from them?  At this point I'd guess it's routing related while the VPN is up (and would venture to guess that if you take the VPN down after hours, the cam would be accessible from site A no problems).  It'd also be worth checking the firewall rules to be sure traffic originating from your /27 isn't being blocked.

You could also try firing up a sniffer on a computer and plug it into an unused port of the 803's LAN Hub then try to hit the cam from Site A.  Since we know tracert at least makes it as far as the router, there should be something there to sniff...packets might be making it to the other firewall but aren't getting ACK'd...or are getting ACK'd but the ACK's are being rejected back at the other sonicwall.  

What kind of logging does the sonicwall have?  Can you try to hit the cam from A then grep the firewall logs on Site B for Site A's WAN IP?
0
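As an added example (not from the thread and not SonicWALL's own tooling), here is a small Python script that does the log check suggested above: scan Site B's firewall log for entries whose source is Site A's WAN IP, flag the ones where source and destination sit in the same public /27 (the hairpin case described in this thread), and count how many were opened versus dropped. The key=value line format, field names and the 203.0.113.0/24 addresses are assumptions chosen for illustration; the sample lines are constructed, with the last octets taken from the question.

```python
"""Scan firewall log lines for traffic from Site A's WAN IP (added example)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in a generic key=value syslog style. The field layout is an
# assumption for illustration, not a real SonicWALL log format. Addresses use the
# 203.0.113.0/24 documentation range with the last octets from the question
# (.106 = Site A WAN, .104 = camera in Site B DMZ).
SAMPLE_LOG = """\
time="2004-03-01 10:00:01" msg="Connection Opened" src=203.0.113.106:33445:WAN dst=203.0.113.104:80:DMZ proto=tcp
time="2004-03-01 10:00:02" msg="TCP connection dropped" src=203.0.113.106:33446:WAN dst=203.0.113.104:80:DMZ proto=tcp
time="2004-03-01 10:00:03" msg="Connection Opened" src=198.51.100.7:51000:WAN dst=203.0.113.104:80:DMZ proto=tcp
time="2004-03-01 10:00:04" msg="TCP connection dropped" src=203.0.113.106:33447:WAN dst=203.0.113.104:80:DMZ proto=tcp
time="2004-03-01 10:00:05" msg="Connection Opened" src=192.168.200.25:40000:LAN dst=203.0.113.104:80:DMZ proto=tcp
garbage line that does not parse
"""

# Pull out the message, source and destination (address:port:zone) from one line.
LINE_RE = re.compile(
    r'msg="(?P<msg>[^"]*)"\s+'
    r'src=(?P<src>[\d.]+):(?P<sport>\d+):(?P<szone>\w+)\s+'
    r'dst=(?P<dst>[\d.]+):(?P<dport>\d+):(?P<dzone>\w+)'
)


def parse_line(line):
    """Return a dict of the interesting fields, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def same_subnet(a, b, prefix=27):
    """True if both addresses fall in the same /prefix (the public block here is a /27)."""
    return ip_address(a) in ip_network(f"{b}/{prefix}", strict=False)


def entries_from(log_text, source_ip):
    """Parsed records whose source address is source_ip (e.g. Site A's WAN IP).

    Each record gets a 'hairpin' flag: True when the source is in the same /27 as
    the destination, i.e. traffic that arrives on the WAN side from its own subnet.
    """
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["src"] == source_ip:
            rec["hairpin"] = same_subnet(rec["src"], rec["dst"])
            out.append(rec)
    return out


def summarize(records):
    """Count log messages so dropped vs. opened connections are visible at a glance."""
    return Counter(r["msg"] for r in records)


if __name__ == "__main__":
    site_a_wan = "203.0.113.106"  # constructed stand-in for xxx.xxx.xxx.106
    recs = entries_from(SAMPLE_LOG, site_a_wan)
    for r in recs:
        flag = " (same /27 as destination)" if r["hairpin"] else ""
        print(f'{r["msg"]}: {r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]}{flag}')
    print(summarize(recs))
```

On a real export you would replace SAMPLE_LOG with the file contents and adjust LINE_RE to the firewall's actual field names; the useful signal is a run of "dropped" records whose source and destination share the public /27, which points at a rule or intranet setting on the firewall rather than at the ISP router.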
 
TudAuthor Commented:
I found my problem (I think, the camera has been taken offline temporarily making it hard to test).  

On the Sonicwall I have there is a tab under the Advanced options called "Intranet."

Under this tab there are three options, only one can be selected via a radio button:

1.  SonicWALL's WAN link is connected directly to the Internet router.
2.  Specified address ranges are attached to the LAN link.
3.  Specified address ranges are attached to the WAN link.

Since it's connected to the internet router I had thought this was the appropriate option.  I decided to change this to the third option and put in the IP range for our public IP range as the specified address range.  This seemed to do the trick, and while I can't fully test it yet, I was able to see other devices in the same subnet.  I haven't seen any ill effects from this change, I can still access systems via the VPN and I can still get to web sites on the internet.  I'll have to take a look at the ins and outs of these options.

0
 
TudAuthor Commented:
Thanks for the tips along the way, figure since you're the only respondent I dropped all the points on you, hope I did it right.  Thanks again.
0