Solved

How to access an Optional network from a Watchguard to a Netscreen

Posted on 2009-05-11
744 Views
Last Modified: 2013-12-21
Hi, I have the following scenario:

Watchguard Firebox Edge X55e
Version: 10.1 (May 19 2008, build 178688)

This is the main Router/Firewall. It is configured with the Subnet of 10.0.1.0/24. It handles our T1 and all the LAN access. Now attached to the Optional port on this router is our VoIP system, which is just a private network from our location in Burbank to our location in Mexico. The devices on that network use the IPs 192.168.0.100, 101, 200, 201. There was no device on that network that did any routing whatsoever. We have a RAD RIC E1/T1 Converter, one on each end of the Point-to-Point T1. There are also Quintum Tenor DX boxes on each end. Now what I want to do is very simple. I just want to be able to Telnet from anywhere to the Quintum box located at 192.168.0.101.

Now I worked with Watchguard and they told me it will not work since the 192.168.0.0 side does not have a Router. The Watchguard is able to see the devices in the ARP table but not ping them. So I hooked up our old Juniper Networks NS5GT, and basically dumbed it down. I configured it with an IP of 192.168.0.110 and plugged a switch up to it and then plugged the VoIP devices into it. I also added routes to the 10.0.1.0 network.

So right now I have a rule on the Watchguard to allow port 23 incoming to Optional network IP 192.168.0.110. Right now the only thing I can ping from the 10.0.1.0 network is the Netscreen box located at 192.168.0.110.

I'm quite sure I'm doing something wrong, maybe even trying something that cannot be done, I'm not too sure. My only other thought why it doesn't work is because I need to configure the "WAN" port on the Netscreen with the Private IP side....not sure...

Please help.

--Steve
Question by: Steve Marin
8 Comments
 
Expert Comment by dpk_wal (LVL 32), ID: 24363714
As I understand the setup is:
Internet------FB--------Optional--------------------------Netscreen [Untrust]--------------Trust[??]
                    |           192.168.0.110/24                      192.168.0.x/24
               Trusted (10.0.1.0/24)
There is no need to add a route for 192.168.0.x network as it is defined on a physical interface of the FB. Also, if you would always send traffic originating from Trusted to Optional then there is no need for a policy; however, if traffic originates from optional bound to trusted then policy would be needed.

Reading the post, you can access Netscreen untrust interface from 10.0.1.x machines.

Few questions:
Is netscreen in L3 or L2 mode?
I am not fully understanding the need for putting Netscreen in the first place.
What is the subnet on the Trust interface on the Netscreen? Also, have you created policies on the Netscreen to accept incoming traffic from untrust to trust?

Please advise.

Thank you.
Author Comment by Steve Marin (LVL 1), ID: 24366257
I'm not using the Untrust on the Netscreen. I'm just using the Trust side, which is 192.168.0.0/24. I believe it is L3 right now. I was told by Watchguard that the reason I could not telnet to it was that there was no router on the 192.168.0.0 side with the VoIP equipment, so they did not have a way to route packets back to the 10.0.1.0/24 side.

Expert Comment by dpk_wal (LVL 32), ID: 24372774
If the Quintum box has IP 192.168.0.101 with default gateway 192.168.0.110, then the optional interface should be able to send traffic and receive it back too.
A router would be required if behind the Quintum there is some other subnet, say 172.168.x.y, and the FB needs to send traffic to that subnet and receive traffic too. Still, in this case, if the Quintum box can support this routing then that would be it.
IF the setup is:
Internet------FB--------Optional---------------------Quintum----------------------Mexico Box [192.168.0.102]
                    |           192.168.0.110/24                 192.168.0.101/24 [with default GW: 192.168.0.110]
               Trusted (10.0.1.0/24)
Then there is no need for any router; the traffic between the two Quintum boxes is not going through FB any which way.
If needed we can add route on FB optional interface for all traffic for 192.168.0.102 to be sent to 192.168.0.101.
For any traffic from the trusted interface to go to the Quintums you can configure policies [this is allowed by the default Outgoing policy though]; also for incoming traffic originated from the Quintums you can create another policy [if a requirement].

I think this should work without any routers in place.

Thank you.
Author Comment by Steve Marin (LVL 1), ID: 24414460
Problem with the Quintum box is you cannot set the default gateway to the FB optional GW.
Expert Comment by dpk_wal (LVL 32), ID: 24414524
If the Quintum box does not talk on any subnet other than 192.168.0.x then we don't need a default gateway.

If you cannot set a DG I don't think that even the Netscreen would be of much help here.

Thank you.
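As an added illustration (not part of the thread, and not the Watchguard's or Netscreen's own logic), the following Python model runs longest-prefix-match route lookups over the thread's topology to show why the Quintum at 192.168.0.101 can receive a telnet SYN from the Trusted side yet cannot answer it without a route back to 10.0.1.0/24, and how either a default gateway via 192.168.0.110 or the 192.168.0.110 device source-NATing the client to its own address restores the round trip. The client address 10.0.1.50 and the SNAT scenario are assumptions, not something the thread configured.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not from the thread).
CLIENT = "10.0.1.50"         # assumed telnet client on the Watchguard Trusted side
QUINTUM = "192.168.0.101"    # Quintum box on the Optional side (from the thread)
NETSCREEN = "192.168.0.110"  # Netscreen address on the 192.168.0.0/24 side (from the thread)


def next_hop(routes, dst):
    """Longest-prefix-match lookup. routes is a list of (prefix, gateway) where a
    gateway of None means directly connected. Returns the gateway address, the
    string 'on-link' for a connected prefix, or None when no route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return "on-link" if best[1] is None else best[1]


def telnet_round_trip(quintum_routes, snat=False):
    """Where does the Quintum send its SYN-ACK for a telnet SYN from CLIENT?
    snat=True models the 192.168.0.110 device rewriting the packet's source
    address to itself before forwarding (an assumption, not what the thread did)."""
    # Forward direction: the Watchguard/Netscreen hold 192.168.0.0/24 on a
    # connected interface, so the SYN always reaches the Quintum.
    assert next_hop([("192.168.0.0/24", None)], QUINTUM) == "on-link"
    reply_dst = NETSCREEN if snat else CLIENT
    return next_hop(quintum_routes, reply_dst)


# Quintum route tables for the scenarios discussed in the thread
CONNECTED_ONLY = [("192.168.0.0/24", None)]                    # no gateway settable
WITH_DEFAULT_GW = CONNECTED_ONLY + [("0.0.0.0/0", NETSCREEN)]  # dpk_wal's suggestion

if __name__ == "__main__":
    print("no gateway   :", telnet_round_trip(CONNECTED_ONLY))             # None: reply dropped
    print("default gw   :", telnet_round_trip(WITH_DEFAULT_GW))            # 192.168.0.110
    print("no gw + SNAT :", telnet_round_trip(CONNECTED_ONLY, snat=True))  # on-link
```

A reply of None is the symptom the thread describes: the Quintum is reachable in the ARP table but never answers, because it has no route for the 10.0.1.0/24 source.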
Accepted Solution by Steve Marin (LVL 1, earned 0 total points), ID: 25408959
This never worked. I had to just create a PPTP connection to the Watchguard and access it that way.
Expert Comment by dpk_wal (LVL 32), ID: 25410169
Thank you for the update; good to know the problem is resolved.
Author Comment by Steve Marin (LVL 1), ID: 25608168
This just fixed itself; I have a feeling that BIS had something going on that day.