Solved

Cisco not routing to new Firewall

Posted on 2006-07-07
Last Modified: 2008-03-10
We recently acquired a new Firewall (Netscreen 204) which we configured and prepared to install.  We have a Cisco router on the inside of the LAN managing several VLANs.  All workstations point to it and it routes outbound traffic to the Firewall which then passes it to a small internet router.

Once the new firewall was configured we removed the old one and powered up the new one with the same IP address the old one had.  A trace route showed traffic stopping at the Cisco.  I checked the ARP cache and it seemed to still have the old MAC address from the previous firewall.  So I did a clear arp, but had the same issue.  The old MAC address remained.  Finally I just gave the new Firewall a new IP altogether and changed the route in the Cisco to point to it instead of to the old IP.  Unfortunately that failed as well.  The ARP table shows 0.0.0.0 0.0.0.0 to the new address with the correct MAC but trace route still shows all traffic stopping at the Cisco.

Below is the current config (with the old firewall) that is working.  Any help on this would be greatly appreciated!

KCATA#sh conf
Using 2368 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname KCATA
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable password 7 0215015819031B
!
username adm privilege 15 password 7 105D0C1A171206
username KCATA privilege 15 password 7 05180F0A2C49401A
clock timezone America/Chicago -6
clock summer-time America/Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip name-server 10.10.4.5
no ip dhcp conflict logging
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
!
!
interface Loopback1
 no ip address
!
interface FastEthernet0/0
 no ip address
 logging event subif-link-status
 speed auto
 full-duplex
!
interface FastEthernet0/0.1
 description KCATA VLAN-1
 encapsulation dot1Q 1
 ip address 10.10.2.30 255.255.254.0
!
interface FastEthernet0/0.2
 description TransitMaster VLAN 2
 encapsulation dot1Q 2
 ip address 10.10.4.1 255.255.254.0
!
interface FastEthernet0/0.3
 description Radio Console VLAN 3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet0/0.100
 description native VLAN
 encapsulation dot1Q 100 native
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 2
 network 10.0.0.0
 network 192.168.3.0
 no auto-summary
!
ip http server
ip http authentication local
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.2.1
!
!
logging trap debugging
logging 10.10.4.5
!
snmp-server community public RO
snmp-server community ILG RW
snmp-server trap-source FastEthernet0/0.2
snmp-server location KCATA
snmp-server contact Siemens
snmp-server system-shutdown
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps conf
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server host 10.10.4.5 ILG
snmp-server host 10.10.4.5 public
!
!
!
!
!
banner login ^CThis is a secured device.
Unauthorized use is prohibited by law.

^C
!
line con 0
 password 7 00171A03095E0515
line aux 0
line vty 0 4
 password 7 08354942071C11
 login
!
ntp server 10.10.4.6 prefer
!
!
end
0
Comment
Question by:KCATA
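Added example, not code from the question or from any of the replies: a small Python audit that parses a constructed excerpt of the config posted above and flags the two routing-side points that come up in this thread (VLAN 1 tagged on a subinterface, and a static route whose next hop is not on a directly connected subnet, which is what to re-check after changing the default route to a new firewall address) together with the weak management settings visible in the dump (type-7 passwords, the default and RW SNMP communities, HTTP management). The excerpt, the check names and the `audit` function are this example's own.

```python
import ipaddress

# Constructed excerpt of the config posted in the question, not the full dump.
SAMPLE_CONFIG = """\
enable password 7 0215015819031B
interface FastEthernet0/0.1
 encapsulation dot1Q 1
 ip address 10.10.2.30 255.255.254.0
interface FastEthernet0/0.100
 encapsulation dot1Q 100 native
ip http server
ip route 0.0.0.0 0.0.0.0 10.10.2.1
snmp-server community public RO
snmp-server community ILG RW
"""

def audit(text):
    """Parse IOS-style config text and return a sorted list of findings."""
    ifaces, routes, findings, cur = {}, [], [], None
    for line in text.splitlines():
        f = line.split()
        if line.startswith("interface "):
            cur = ifaces.setdefault(f[1], {"net": None, "vlan": None, "native": False})
        elif line.startswith(" ") and cur is not None:
            if f[:2] == ["ip", "address"]:
                cur["net"] = ipaddress.ip_interface(f"{f[2]}/{f[3]}").network
            elif f[:2] == ["encapsulation", "dot1Q"]:
                cur["vlan"], cur["native"] = int(f[2]), "native" in f
        else:
            cur = None  # back at global config level
            if line.startswith("ip route "):
                routes.append((f[2], f[3], f[4]))
            elif "password 7 " in line:  # type 7 is reversible encoding, not a hash
                findings.append(f"reversible type-7 password on '{f[0]}' line")
            elif line.startswith("snmp-server community "):
                if f[2] == "public" or "RW" in f[3:]:
                    findings.append(f"weak SNMP community: {' '.join(f[2:])}")
            elif line == "ip http server":
                findings.append("plaintext HTTP management enabled")
    # lrmoore's point: VLAN 1 is the untagged VLAN, so tagging it on a subinterface is wrong
    for name, i in ifaces.items():
        if "." in name and i["vlan"] == 1 and not i["native"]:
            findings.append(f"{name}: VLAN 1 tagged on a subinterface")
    # a static route is only usable if its next hop sits on a directly connected subnet
    connected = [i["net"] for i in ifaces.values() if i["net"]]
    for prefix, mask, nh in routes:
        if not any(ipaddress.ip_address(nh) in n for n in connected):
            findings.append(f"route {prefix} {mask}: next hop {nh} not on a connected subnet")
    return sorted(findings)
```

Running `audit(SAMPLE_CONFIG)` reports five findings for the excerpt; the default route passes because 10.10.2.1 lies inside the connected 10.10.2.0/23 subnet.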
15 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 17062725
>interface FastEthernet0/0.1
 description KCATA VLAN-1
 encapsulation dot1Q 1

VLAN 1 should not be a sub-interface; it is the native VLAN and untagged.
Use the major interface to configure VLAN 1, and only the tagged VLANs 2+ use subinterfaces:

no interface FastEthernet0/0.1
!
interface FastEthernet0/0
  ip address 10.10.2.30 255.255.254.0
!
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17063756
How about the 'get config' output from the Netscreen box as well?

1. Did you try pinging the trust interface of the Netscreen (also assuming that it is configured for ping)?

2. Do you have routes in the Netscreen box pointing back to the Cisco router for all the VLANs?


Cheers,
Rajesh
0
 
LVL 9

Expert Comment

by:Pentrix2
ID: 17069519
perhaps clear arp-cache

This is not related to your question, but I'm curious: are you doing a failover Netscreen?

Pentrix2
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17070437
Hey Pentrix,

  Long time, no talk?

Cheers,
Rajesh
0
 
LVL 28

Expert Comment

by:mikebernhardt
ID: 17082760
My guess is that one or more of these is the problem:
1. The netscreen doesn't have a route back to the LANs
2. The netscreen policy is not allowing the LANs out because they are not considered inside addresses
3. The 802.1q isn't set up properly on the Netscreen and/or on the router (such as lrmoore's suggestion on the router side)
0
 
LVL 9

Expert Comment

by:Pentrix2
ID: 17086672
Hiya Rajesh, I know.  Been doing some heavy duty work but now I'm at a job that's a lot less stress.  Noticed you are doing very well with helping others here.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17087871
:-) Guess what, I'm with Juniper now..

Cheers,
Rajesh
0
 
LVL 9

Expert Comment

by:Pentrix2
ID: 17089040
Oh my, that's awesome.  Funny thing is I'm deploying Juniper firewalls and IDPs.  :)

Pentrix2
0
 
LVL 2

Author Comment

by:KCATA
ID: 17089764
Just want to thank those who responded for the excellent advice.  Because we have to shut down internet access to try anything I have to schedule it pretty carefully but will be attempting some of the solutions offered this evening.  Thanks again and I'll let you know how it turns out!
0
 
LVL 9

Expert Comment

by:Pentrix2
ID: 17096081
Please let us know, I'm very curious about the outcome.


Pentrix2
0
 
LVL 2

Author Comment

by:KCATA
ID: 17393857
Sorry for the delay on this, I wanted to be sure the problem was resolved before getting back.  Turns out it wasn't in the Cisco after all, but rather was a bad port in the new Firewall itself.  It has 4 ports, Trusted on port 1, DMZ on port 2 and the Untrusted was configured on port 3.  When I removed the Untrusted from 3 and reconfigured port 4 identically everything worked fine.  So... the firewall was returned and a new one RMA'd.  Anyway, just wanted to let you all know the result and thank you again for taking an interest in the problem.
0
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 17765461
PAQed with points refunded (0)

DarthMod
Community Support Moderator
0