Solved

Cisco not routing to new Firewall

Posted on 2006-07-07
Last Modified: 2008-03-10
We recently acquired a new Firewall (Netscreen 204) which we configured and prepared to install. We have a Cisco router on the inside of the LAN managing several VLANs. All workstations point to it and it routes outbound traffic to the Firewall which then passes it to a small internet router.

Once the new firewall was configured we removed the old one and powered up the new one with the same IP address the old one had. A trace route showed traffic stopping at the Cisco. I checked ARP cache and it seemed to still have the old MAC address from the previous firewall. So I did a clear arp, but had the same issue. Old MAC address remained. Finally I just gave the new Firewall a new IP altogether and changed the route in the Cisco to point to it instead of to the old IP. Unfortunately that failed as well. ARP table shows 0.0.0.0 0.0.0.0 to the new address with the correct MAC but trace route still shows all traffic stopping at Cisco.

Below is the current config (with the old firewall) that is working.  Any help on this would be greatly appreciated!

KCATA#sh conf
Using 2368 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname KCATA
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable password 7 0215015819031B
!
username adm privilege 15 password 7 105D0C1A171206
username KCATA privilege 15 password 7 05180F0A2C49401A
clock timezone America/Chicago -6
clock summer-time America/Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip name-server 10.10.4.5
no ip dhcp conflict logging
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
!
!
interface Loopback1
 no ip address
!
interface FastEthernet0/0
 no ip address
 logging event subif-link-status
 speed auto
 full-duplex
!
interface FastEthernet0/0.1
 description KCATA VLAN-1
 encapsulation dot1Q 1
 ip address 10.10.2.30 255.255.254.0
!
interface FastEthernet0/0.2
 description TransitMaster VLAN 2
 encapsulation dot1Q 2
 ip address 10.10.4.1 255.255.254.0
!
interface FastEthernet0/0.3
 description Radio Console VLAN 3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet0/0.100
 description native VLAN
 encapsulation dot1Q 100 native
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 2
 network 10.0.0.0
 network 192.168.3.0
 no auto-summary
!
ip http server
ip http authentication local
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.2.1
!
!
logging trap debugging
logging 10.10.4.5
!
snmp-server community public RO
snmp-server community ILG RW
snmp-server trap-source FastEthernet0/0.2
snmp-server location KCATA
snmp-server contact Siemens
snmp-server system-shutdown
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps conf
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server host 10.10.4.5 ILG
snmp-server host 10.10.4.5 public
!
!
!
!
!
banner login ^CThis is a secured device.
Unauthorized use is prohibited by law.

^C
!
line con 0
 password 7 00171A03095E0515
line aux 0
line vty 0 4
 password 7 08354942071C11
 login
!
ntp server 10.10.4.6 prefer
!
!
end
Question by:KCATA
15 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 17062725
>interface FastEthernet0/0.1
> description KCATA VLAN-1
> encapsulation dot1Q 1

VLAN 1 should not be a sub-interface; it is the native VLAN and untagged.
Use the major interface to configure VLAN 1, and only the tagged VLANs 2+ use sub-interfaces:

no interface FastEthernet0/0.1
!
interface FastEthernet0/0
 ip address 10.10.2.30 255.255.254.0
!
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17063756
How about the 'get config' output from the Netscreen box as well?

1. Did you try pinging the trust interface of the Netscreen? (Also assuming that it is configured to allow ping.)

2. Do you have routes in the Netscreen box pointing back to the Cisco router for all the VLANs?


Cheers,
Rajesh
 
LVL 9

Expert Comment

by:Pentrix2
ID: 17069519
Perhaps clear arp-cache?

This is not related to your question, but I'm curious: are you doing a failover Netscreen?

Pentrix2
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17070437
Hey Pentrix,

  Long time, no talk?

Cheers,
Rajesh
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 17082760
My guess is that one or more of these is the problem:
1. The Netscreen doesn't have a route back to the LANs.
2. The Netscreen policy is not allowing the LANs out because they are not considered inside addresses.
3. The 802.1Q isn't set up properly on the Netscreen and/or on the router (such as lrmoore's suggestion on the router side).
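A check that follows from lrmoore's and mikebernhardt's comments is whether the router reaches its next hop (the firewall at 10.10.2.1) over a tagged or an untagged VLAN, because an 802.1Q mismatch between the Cisco sub-interface and the NetScreen trust port would stop ARP and traffic exactly where the trace route stops. The script below is an added example, not code from this thread or from Cisco; it parses a constructed excerpt of the posted config with Python's standard library and reports, for each static route, which interface the next hop sits on and how frames to it leave the router.

```python
import ipaddress
import re

# Constructed excerpt of the IOS config posted in the question (not the whole config).
SAMPLE_CONFIG = """\
interface FastEthernet0/0.1
 encapsulation dot1Q 1
 ip address 10.10.2.30 255.255.254.0
!
interface FastEthernet0/0.100
 encapsulation dot1Q 100 native
!
ip route 0.0.0.0 0.0.0.0 10.10.2.1
"""

def parse_config(config):
    """Collect each interface's 802.1Q tag, native flag and connected subnet, plus static routes."""
    ifaces, routes, cur = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"vlan": None, "native": False, "net": None})
        elif raw.startswith(" ") and cur is not None:
            if m := re.match(r"encapsulation dot1Q (\d+)( native)?", line):
                cur["vlan"], cur["native"] = int(m[1]), bool(m[2])
            if m := re.match(r"ip address (\S+) (\S+)$", line):
                cur["net"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}").network
        else:
            cur = None  # back at global config level (e.g. a "!" separator)
            if m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
                routes.append((ipaddress.IPv4Network(f"{m[1]}/{m[2]}"), ipaddress.IPv4Address(m[3])))
    return ifaces, routes

def next_hop_egress(config):
    """Map each static route to (next hop, egress interface, tagged/untagged description)."""
    ifaces, routes = parse_config(config)
    native = next((i["vlan"] for i in ifaces.values() if i["native"]), None)
    result = {}
    for dest, nh in routes:
        hit = next((n for n, i in ifaces.items() if i["net"] and nh in i["net"]), None)
        vlan = ifaces[hit]["vlan"] if hit else None
        if hit is None:
            how = "no connected subnet contains this next hop"
        elif vlan in (None, native):
            how = "untagged"
        else:
            how = f"802.1Q tag {vlan} (native VLAN is {native})"
        result[str(dest)] = (str(nh), hit, how)
    return result
```

For the posted config the default route's next hop is on FastEthernet0/0.1 and leaves tagged with VLAN 1 while the native VLAN is 100, so the firewall's trust port has to accept that tag (or the router side has to be changed as lrmoore suggests) before ARP can succeed.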
 
LVL 9

Expert Comment

by:Pentrix2
ID: 17086672
Hiya Rajesh, I know. Been doing some heavy duty work but now I'm at a job that's a lot less stress. Noticed you are doing very well with helping others here.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17087871
:-) Guess what, I'm with Juniper now..

Cheers,
Rajesh
 
LVL 9

Expert Comment

by:Pentrix2
ID: 17089040
Oh my, that's awesome. Funny thing is I'm deploying Juniper firewalls and IDPs. :)

Pentrix2
 
LVL 2

Author Comment

by:KCATA
ID: 17089764
Just want to thank those who responded for the excellent advice. Because we have to shut down internet access to try anything I have to schedule it pretty carefully, but I will be attempting some of the solutions offered this evening. Thanks again and I'll let you know how it turns out!
 
LVL 9

Expert Comment

by:Pentrix2
ID: 17096081
Please let us know, I'm very curious about the outcome.


Pentrix2
 
LVL 2

Author Comment

by:KCATA
ID: 17393857
Sorry for the delay on this, I wanted to be sure the problem was resolved before getting back. Turns out it wasn't in the Cisco after all, but rather was a bad port in the new Firewall itself. It has 4 ports: Trusted on port 1, DMZ on port 2 and the Untrusted was configured on port 3. When I removed the Untrusted from 3 and reconfigured port 4 identically everything worked fine. So... the firewall was returned and a new one RMA'd. Anyway, just wanted to let you all know the result and thank you again for taking an interest in the problem.
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 17765461
PAQed with points refunded (0)

DarthMod
Community Support Moderator