Cisco 2600 router with WatchGuard 1000 firebox

Posted on 2006-04-01
Last Modified: 2013-11-29
I have received great responses before and I appreciate all the great help! I would like to hook up a 2600 router ahead of our firebox for QoS purposes. Our link is a T1 and we do video conferencing. I'm comfortable setting up the QoS parameters, but I'm having difficulty in getting the router and firebox to talk to each other. Here is the configuration.

Internal trusted: 192.168.100.x
External Interface: 69.x.x.122
Optional Interface: 172.16.168.x
NAT is turned on for the 192.168.100 network.

Cisco 2600 Router:
2 Fa interfaces.

Note: I do have another external IP address available from the ISP. 69.x.x.124

Thanks for the help.

Question by:rclaxton1
LVL 79

Expert Comment

ID: 16350412
>Our link is a T1
>Cisco 2600 Router:
>    2 Fa interfaces.

Don't you want to terminate the T1 directly into the router? Or do you want:
 T1/Router --> 2600 --> Firebox
              Traffic control only

You would need multiple public IP subnets, or split the one in half that is between the T1 router and the Firebox.
For example:

 T1 Router
   Serial interface
     ip address a.b.c.d
  Ethernet interface
      ip address 69.x.x.121

---> slip in the 2600 here
      interface FastEthernet0/0
        description facing T1
        ip address 69.x.x.124

      interface FastEthernet0/1
        description facing Firebox
         ip address 69.x.x.  <== here's the dilemma. This interface *must* be on a different IP subnet than the outside

     outside interface 69.x.x.122  <== now you're not on the same IP subnet as the 2600....

>Note: I do have another external IP address available from the ISP. 69.x.x.124
If you only have one more IP address, and not another address block, you simply can't get there from here, unless you terminate the T1 directly onto the 2600...


Author Comment

ID: 16351210
Thank you very much lrmoore. So...it's messy and certainly not optimal. If I got a T-1 WAN module for the router, what would the connection look like then? --thanks, Rob.
LVL 79

Expert Comment

ID: 16351647
If you have a T1 module, it is much simpler:

<depending on T1 encapsulation, of course, this is basic>
 interface Serial0/0
   description WAN to ISP
    ip address a.b.c.d

 interface FastEthernet0/0
  description facing Firebox
  ip address 69.x.x.121

No changes to the Firebox; it simply points its default gateway to .121.


Author Comment

ID: 16351778
Thanks, one last question before awarding points. Would the T1 address still need to be on a different subnet mask, or could I use the 69.x.x.124 address of the mask?
LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 16351819
Each physical interface must be on a separate IP subnet.
However, you *could* use IP unnumbered:

interface Serial0/0
  ip unnumbered FastEthernet0/0

interface FastEthernet0/0
  ip address 69.x.x.121

! default route out the T1 (the original post abbreviated this to "ip route serial0/0")
ip route 0.0.0.0 0.0.0.0 Serial0/0
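As an added example that is not part of the thread: a short Python check of the addressing point lrmoore makes above (each router interface needs its own subnet, and a default gateway must be on-link). It uses constructed RFC 5737 addresses in place of the poster's 69.x.x.x block, and the device and interface names are assumptions; it shows that the inline-2600 plan with one spare address fails, and that splitting the /29 into two /30s passes, at the cost of readdressing the Firebox.

```python
import ipaddress
from itertools import combinations

# Constructed addressing (RFC 5737 documentation space), standing in for the
# poster's 69.x.x.x /29: T1 router .121, Firebox .122, spare .124.
ISP_BLOCK = ipaddress.ip_network("203.0.113.120/29")

def same_subnet_violations(plan):
    """plan: {(device, ifname): 'a.b.c.d/len'}. Returns (device, if1, if2)
    for every device with two interfaces in one subnet, which IOS rejects."""
    parsed = {k: ipaddress.ip_interface(v) for k, v in plan.items()}
    bad = []
    for (d1, i1), (d2, i2) in combinations(parsed, 2):
        if d1 == d2 and parsed[(d1, i1)].network == parsed[(d2, i2)].network:
            bad.append((d1, i1, i2))
    return bad

def on_link(plan, host_key, gateway_key):
    """True if the gateway address lies in the host interface's own subnet."""
    host = ipaddress.ip_interface(plan[host_key])
    return ipaddress.ip_interface(plan[gateway_key]).ip in host.network

# Design 1 (the poster's situation): the 2600 slipped in with only the one
# spare public address, every interface still in the original /29.
NAIVE = {
    ("t1router", "eth0"): "203.0.113.121/29",
    ("c2600", "fa0/0"):   "203.0.113.124/29",  # facing the T1 router
    ("c2600", "fa0/1"):   "203.0.113.123/29",  # facing the Firebox; no 2nd subnet exists
    ("firebox", "ext"):   "203.0.113.122/29",
}

def split_plan(block):
    """Design 2 (lrmoore's suggestion): split the block in half, upstream
    half for T1 router <-> 2600, downstream half for 2600 <-> Firebox."""
    up, down = block.subnets(prefixlen_diff=1)
    u, d = list(up.hosts()), list(down.hosts())
    return {
        ("t1router", "eth0"): f"{u[0]}/{up.prefixlen}",
        ("c2600", "fa0/0"):   f"{u[1]}/{up.prefixlen}",
        ("c2600", "fa0/1"):   f"{d[0]}/{down.prefixlen}",
        ("firebox", "ext"):   f"{d[1]}/{down.prefixlen}",  # Firebox must be readdressed
    }

if __name__ == "__main__":
    print("naive plan violations:", same_subnet_violations(NAIVE))
    split = split_plan(ISP_BLOCK)
    print("split plan violations:", same_subnet_violations(split))
    print("Firebox gateway on-link:", on_link(split, ("firebox", "ext"), ("c2600", "fa0/1")))
```

The split design also requires the ISP's T1 router to carry a route for the downstream /30 via the 2600, which is why terminating the T1 directly on the 2600 (with or without ip unnumbered) is the cleaner answer.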

