
Problems with connections between firewall and Cisco 1800

Hello

I have a problem between my firewall and my Cisco 1800 router. I will try to explain what it is.
I have a firewall (SG565) that has 2 connections; one connection is for the ISP and the other is for the network.
In the firewall, the connection for the network is giving the following DHCP range of IP addresses (172.16.0.10-20).
The wireless service has been configured too and is giving the clients IP addresses from the same range (172.16.0.10-20).
The Cisco router is connected to the firewall using a network cable, and the Cisco router is taking the next address, 172.16.0.20.
The Cisco router is giving the IP addresses for the network 192.168.1.20-250 (servers, printers, computers).
I made these tests to get an idea about the problem:
From the network (192.168.1.X) I can see, ping and connect between my computers and the firewall (172.16.0.15).
From the firewall I can see, ping and connect between the devices in the same range (172.16.0.10-20).
I can ping the IP address of the Cisco provided by the firewall (172.16.0.20).

But if I am connected to the firewall, no matter whether by wireless or network cable, I CAN NOT SEE, PING OR CONNECT TO THE NETWORK (192.168.1.20-250).
I have talked with the firewall support and they are telling me that the problem is on the Cisco, and I talked with the Cisco supplier and he is telling me that the problem is with the firewall.
The 64,000 question is: could anybody tell me where the problem is? How could I fix it?
What can I do?
Regards
Asked by: jmsienrique
1 Solution
 
Jan Springer commented:
If the router is NATing the 172.16 address space as the packet arrives on the ethernet interface, you need to setup an ACL for the NAT statement that specifies 'no nat' between the 172.16 and 192.168 networks.
 
jmsienrique (Author) commented:
You know, I am sending your answer to the supplier because he is not making much effort to help me.

Regards.
 
Jan Springer commented:
I'm sorry jmsienrique -- was I not helpful?

Do you need a config example?
 
jmsienrique (Author) commented:
Yes please
 
Jan Springer commented:
I'll give you an example to see if this helps right off. It could be more accurate if I had a copy of the sanitized config.

1) remove the lines with the comments
2) If your netmask for both the 172.16 and 192.168 network are not 255.255.255.0, then we need to adjust the wildcard bits on the netmasks of the access list.
3) Be sure that you are not using an access-list numbered 175 or change 175 to some other number not in use.
4) Change the interface with the overload statement to the interface that has 'ip nat outside'
5) The access list presumes that you allow both the 192.168 and 172.16 to be nat'd for outside access

config t

! the next two lines prevent nat between the networks
access-list 175 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 175 deny ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
! this line allows the 172.16 net to nat
access-list 175 permit ip 172.16.0.0 0.0.0.255 any
! this line allows the 192.168 net to nat
access-list 175 permit ip 192.168.1.0 0.0.0.255 any

route-map nonat permit 10
  match ip address 175
  exit

! if your nat translation list has a pool defined, then this line needs to be modified
! we have to first remove the original line that defines the allowed translations
ip nat inside source route-map nonat interface FastEthernet0/0 overload
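To make the NAT-exemption idea in the suggested fix concrete, here is an added example (not code from the thread or from either participant) that models how an IOS `ip nat inside source` access-list decides whether a packet is translated: wildcard-mask matching, first match wins, implicit deny at the end. The ACL entries are copied from the thread (list 120 from the posted running-config, list 175 from the suggested fix); the sample flows and the matching code itself are constructed for illustration and are a simplified model, not IOS.

```python
"""Model of how a Cisco IOS NAT access-list decides which packets are
translated, using wildcard masks and first-match semantics.

Added example, not code from the thread. ACL entries are copied from the
thread; the matching logic is a simplified model of IOS behaviour.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # IOS 'any' == 0.0.0.0 255.255.255.255


def netmask_to_wildcard(netmask: str) -> str:
    """Step 2 of the fix: an IOS wildcard is the bitwise inverse of the netmask."""
    m = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must match the base; a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_acl(lines):
    """Parse lines of the form
    'access-list N <permit|deny> ip <SRC WC|any> <DST WC|any>'."""
    entries = []
    for line in lines:
        tok = line.split()
        action = tok[2]
        i = 4  # tok[3] is the protocol keyword 'ip'
        if tok[i] == "any":
            src, i = ANY, i + 1
        else:
            src, i = (tok[i], tok[i + 1]), i + 2
        dst = ANY if tok[i] == "any" else (tok[i], tok[i + 1])
        entries.append((action, src, dst))
    return entries


def acl_action(entries, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, (sb, sw), (db, dw) in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def is_translated(entries, src: str, dst: str) -> bool:
    """'ip nat inside source' translates a packet only if its ACL permits it."""
    return acl_action(entries, src, dst) == "permit"


# Access-list 120 as it appears in the posted running-config.
ACL_120 = parse_acl([
    "access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 120 permit ip 192.168.1.0 0.0.0.255 any",
])

# Access-list 175 from the suggested fix: the deny entries exempt traffic
# between the two LANs from NAT, the permit entries still let both reach outside.
ACL_175 = parse_acl([
    "access-list 175 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255",
    "access-list 175 deny ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 175 permit ip 172.16.0.0 0.0.0.255 any",
    "access-list 175 permit ip 192.168.1.0 0.0.0.255 any",
])

if __name__ == "__main__":
    # Constructed sample flows: a LAN host answering the firewall address
    # quoted in the question (172.16.0.15), and the same host going outside
    # (203.0.113.9 is a documentation address).
    for src, dst in [("192.168.1.50", "172.16.0.15"), ("192.168.1.50", "203.0.113.9")]:
        print(f"{src} -> {dst}: list 120 translates={is_translated(ACL_120, src, dst)}, "
              f"list 175 translates={is_translated(ACL_175, src, dst)}")
```

The contrast is the point of the fix: with list 120, a reply from a 192.168.1.x host to the firewall matches `permit ip 192.168.1.0 0.0.0.255 any` and gets translated to the outside interface address, so the firewall side never sees the real LAN source; with list 175 the same flow hits a deny entry first and is routed untranslated, while Internet-bound traffic is still permitted and NATed.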
 
jmsienrique (Author) commented:
Hello
Jesper

I really appreciate your help in fixing this issue. Yesterday I talked with the supplier and I told him your comments. He gave an explanation that I really did not understand, but he proposed that I do many tests to reach a final conclusion; of course the conclusion was that the firewall works correctly and the problem comes from the Cisco router. There is something in the settings of the Cisco that is rejecting the packets, or blocking the IP 172.16.0.X from reaching 192.168.1.X, therefore I can't get any connection.

Would you mind helping me to take a look at the settings of my Cisco 1800?

Regards.

show running-config
Building configuration...

Current configuration : 2404 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname lerma
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$5Ol9$aBATU6xBl83340uX5t65H0
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.2 192.168.1.10
!
ip dhcp pool 0
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 200.33.146.196 200.33.146.202
!
!
ip flow-cache timeout active 1
no ip domain lookup
vpdn enable
!
!
!
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto dynamic-map rtpmap 10
 set transform-set rtpset
 match address 115
!
!
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
!
!
bba-group pppoe global
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface ATM0/0/0
 mtu 1492
 no ip address
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
 pvc 8/81
  pppoe-client dial-pool-number 1
 !
!
interface Serial0/1/0
 ip address 192.168.3.2 255.255.255.252
!
interface Dialer1
 mtu 1492
 ip address negotiated previous
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname operatol
 ppp chap password 0 operatol
!
ip route 192.168.2.0 255.255.255.0 192.168.3.1
!
!
ip http server
no ip http secure-server
ip nat inside source list 120 interface FastEthernet0/1 overload
ip nat inside source route-map nonat interface Dialer1 overload
!
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 115 deny   ip 192.168.1.0 0.0.0.255 any
access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
snmp-server community jade2007 RO
snmp-server ifindex persist
!
route-map nonat permit 10
 match ip address 120
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 password chango
 login
!
scheduler allocate 20000 1000
end

lerma#
Regards

 
Jan Springer commented:
I am puzzled as to how the router would know how to get to the 172.16 network.  None of the interfaces belong to that net and there is no routing entry.  In fact, I see nothing in the configuration that suggests the existence of that network.  Questions:

1) FE0/0
   -> is this the interface for the printers, etc?
2) FE0/1
   -> what is on this network?
   -> is it getting a dhcp address from the same network that's assigned to FE0/0?
3) S0/1/0
   -> where does this go to?
4) ATM0/0/0
   -> where does this go to?
5) Which interface on the router connects to the firewall?
   -> what is the network block for the router to firewall connection?
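The question above is really about the router's forwarding table, so here is an added example (not code from the thread or from either participant) that runs a longest-prefix-match lookup over the routes the posted running-config yields: the two connected interfaces with static addresses and the one `ip route` line. FastEthernet0/1 is configured with `ip address dhcp`, so its lease is not in the config; the `172.16.0.20/24` lease used below is a constructed assumption (only the address 172.16.0.20 comes from the question, the mask is a guess) to show how a connected route for 172.16 would appear only once that lease exists.

```python
"""Longest-prefix-match lookup over the routes implied by the posted
running-config, to check which destinations the router has a path to.

Added example, not code from the thread. The three static entries are read
from the posted config; the DHCP lease on FastEthernet0/1 is an assumption.
"""
import ipaddress


def build_table(routes):
    """routes: iterable of (prefix, next_hop_description) pairs."""
    return [(ipaddress.ip_network(p, strict=False), via) for p, via in routes]


def lookup(table, dst: str):
    """Return the next hop of the most specific matching prefix, or None."""
    d = ipaddress.ip_address(dst)
    best = None
    for net, via in table:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return None if best is None else best[1]


# Routes that the posted configuration yields on its own.
STATIC_TABLE = build_table([
    ("192.168.1.0/24", "connected FastEthernet0/0"),  # ip address 192.168.1.1 255.255.255.0
    ("192.168.3.0/30", "connected Serial0/1/0"),      # ip address 192.168.3.2 255.255.255.252
    ("192.168.2.0/24", "via 192.168.3.1"),            # ip route 192.168.2.0 255.255.255.0 192.168.3.1
])

# Assumed DHCP lease on FastEthernet0/1 (constructed: the address 172.16.0.20
# is quoted in the question, the /24 mask is a guess).
ASSUMED_LEASE = "172.16.0.20/24"


def with_dhcp_lease(table, lease=ASSUMED_LEASE):
    """Table once the DHCP client on FE0/1 has installed its connected route."""
    return table + build_table([(lease, "connected FastEthernet0/1")])


if __name__ == "__main__":
    for dst in ("192.168.1.50", "192.168.2.7", "172.16.0.15"):
        print(dst, "static:", lookup(STATIC_TABLE, dst),
              "| with lease:", lookup(with_dhcp_lease(STATIC_TABLE), dst))
```

With only the configured routes, a lookup for the firewall address 172.16.0.15 returns no match, which is exactly the puzzle raised in the comment; a route to 172.16 exists only if the DHCP lease on FastEthernet0/1 lands in that subnet, which is a runtime fact the running-config does not show.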
 
jmsienrique (Author) commented:
Sorry to write late.

Finally I talked with the supplier and he made some changes in the firewall. He configured isolated ports in the firewall and we connected a cable from the isolated port to my network, and he made some strange settings in the firewall, but now it is working.
Anyway, thanks a lot for your help.
