How to access an Optional network from a Watchguard to a Netscreen

Posted on 2009-05-11
Last Modified: 2013-12-21
Hi, I have the following scenario:

Watchguard Firebox Edge X55e, Version 10.1 (May 19 2008, build 178688)

This is the main Router/Firewall. It is configured with the Subnet of 10.0.1.0/24. It handles our T1 and all the LAN access. Now attached to the Optional port on this router is our VoIP system, which is just a private network from our location in Burbank to our location in Mexico. The devices on that network use the IPs 192.168.0.100, 101, 200, 201. There was no device on that network that did any routing whatsoever. We have a RAD RIC E1/T1 Converter, one on each end of the Point-to-Point T1. There are also Quintum Tenor DX boxes on each end. Now what I want to do is very simple. I just want to be able to Telnet from anywhere to the Quintum box located at 192.168.0.101.

Now I worked with Watchguard and they told me it will not work since the 192.168.0.0 side does not have a Router. The Watchguard is able to see the devices in the ARP table but not ping them. So I hooked up our old Juniper Networks NS5GT, and basically dumbed it down. I configured it with an IP of 192.168.0.110, plugged a switch into it and then plugged the VoIP devices into the switch. I also added routes to the 10.0.1.0 network.

So right now I have a rule on the Watchguard to allow port 23 incoming to Optional network IP 192.168.0.110. Right now the only thing I can ping from the 10.0.1.0 network is the Netscreen box located at 192.168.0.110.

I'm quite sure I'm doing something wrong, maybe even trying something that cannot be done, I'm not too sure. My only other thought why it doesn't work is that I need to configure the "WAN" port on the Netscreen with the private IP side... not sure...

Please help.

--Steve
Question by: Steve Marin
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24363714
As I understand the setup is:
Internet------FB--------Optional--------------------------Netscreen [Untrust]--------------Trust[??]
                    |           192.168.0.110/24                      192.168.0.x/24
               Trusted (10.0.1.0/24)
There is no need to add a route for the 192.168.0.x network as it is defined on a physical interface of the FB. Also, if you would always send traffic originating from Trusted to Optional then there is no need for a policy; however, if traffic originates from Optional bound to Trusted then a policy would be needed.

Reading the post, you can access the Netscreen untrust interface from 10.0.1.x machines.

A few questions:
Is the Netscreen in L3 or L2 mode?
I am not fully understanding the need for putting the Netscreen in the first place.
What is the subnet on the Trust interface on the Netscreen? Also, have you created policies on the Netscreen to accept incoming traffic from untrust to trust?

Please advise.

Thank you.
 
LVL 1

Author Comment

by:Steve Marin
ID: 24366257
I'm not using the Untrust on the Netscreen. I'm just using the Trust side, which is 192.168.0.0/24. I believe it is L3 right now. I was told by Watchguard that the reason I could not telnet to it was that there was no router on the 192.168.0.0 side with the VoIP equipment, so they did not have a way to route packets back to the 10.0.1.0/24 side.

 
LVL 32

Expert Comment

by:dpk_wal
ID: 24372774
If the Quintum box has IP 192.168.0.101 with default gateway 192.168.0.110, then the Optional interface should be able to send traffic and receive it back too.
A router would be required if behind the Quintum there is some other subnet, say 172.168.x.y, and the FB needs to send traffic to that subnet and receive traffic too. Still, in this case, if the Quintum box can support this routing then that would be it.
If the setup is:
Internet------FB--------Optional---------------------Quintum----------------------Mexico Box [192.168.0.102]
                    |           192.168.0.110/24                 192.168.0.101/24 [with default GW: 192.168.0.110]
               Trusted (10.0.1.0/24)
Then there is no need for any router; the traffic between the two Quintum boxes is not going through the FB any which way.
If needed we can add a route on the FB Optional interface for all traffic for 192.168.0.102 to be sent to 192.168.0.101.
For any traffic from the Trusted interface to go to the Quintums you can configure policies [this is allowed by the default Outgoing policy though]; also for incoming traffic originating from the Quintums you can create another policy [if a requirement].

I think this should work without any routers in place.

Thank you.
 
LVL 1

Author Comment

by:Steve Marin
ID: 24414460
Problem with the Quintum box is you cannot set the default gateway to the FB optional GW.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24414524
If the Quintum box does not talk on any other subnet other than 192.168.0.x then we don't need a default gateway.

If you cannot set the DG I don't think that even the Netscreen would be of much help here.

Thank you.
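The reply-path problem dpk_wal describes in the two comments above (a host with no default gateway can receive a packet from another subnet but has no route to answer it, and a gateway box like the Netscreen only helps once the Quintum actually points at it) can be checked with a small routing simulator. This is an added example, not code from the thread or from any of the vendors; the Firebox trusted/optional addresses (10.0.1.1, 192.168.0.1) and the telnet client address (10.0.1.50) are assumed, since the thread does not give them.

```python
# Added example: simulate hop-by-hop forwarding across the thread's topology.
# Addresses not stated in the thread (Firebox 10.0.1.1 / 192.168.0.1,
# client 10.0.1.50) are assumed placeholders.
import ipaddress


class Node:
    def __init__(self, name, addrs, routes=None):
        self.name = name
        # addrs: one "ip/prefix" per interface; routes: {"net/prefix": "gateway"}
        self.ifaces = [ipaddress.ip_interface(a) for a in addrs]
        self.routes = {ipaddress.ip_network(k): ipaddress.ip_address(v)
                       for k, v in (routes or {}).items()}

    def owns(self, ip):
        return any(i.ip == ip for i in self.ifaces)

    def next_hop(self, dst):
        """Connected subnet first, then longest-prefix static route; None if unroutable."""
        for i in self.ifaces:
            if dst in i.network:
                return dst                       # deliver directly on the wire
        best = None
        for net, gw in self.routes.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best[1] if best else None


def deliver(nodes, src, dst_ip, max_hops=8):
    """Forward a packet from src; return (path, reached)."""
    dst = ipaddress.ip_address(dst_ip)
    by_ip = {i.ip: n for n in nodes for i in n.ifaces}
    cur, path = src, [src.name]
    for _ in range(max_hops):
        if cur.owns(dst):
            return path, True
        hop = cur.next_hop(dst)
        if hop is None or hop not in by_ip:      # no route, or nobody answers ARP
            return path, False
        cur = by_ip[hop]
        path.append(cur.name)
    return path, False


def round_trip(quintum_gateway=None):
    """(request reaches Quintum, reply reaches client) for a given Quintum default GW."""
    pc = Node("pc", ["10.0.1.50/24"], {"0.0.0.0/0": "10.0.1.1"})
    fb = Node("firebox", ["10.0.1.1/24", "192.168.0.1/24"])          # trusted + optional
    ns = Node("netscreen", ["192.168.0.110/24"], {"10.0.1.0/24": "192.168.0.1"})
    quintum = Node("quintum", ["192.168.0.101/24"],
                   {"0.0.0.0/0": quintum_gateway} if quintum_gateway else None)
    nodes = [pc, fb, ns, quintum]
    return deliver(nodes, pc, "192.168.0.101")[1], deliver(nodes, quintum, "10.0.1.50")[1]
```

With no gateway the telnet SYN arrives but the SYN/ACK is dropped at the Quintum, which is exactly the one-way behaviour Watchguard described; pointing the Quintum at 192.168.0.110 (or at the Firebox itself) closes the loop.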
 
LVL 1

Accepted Solution

by:
Steve Marin earned 0 total points
ID: 25408959
This never worked. I had to just create a PPTP connection to the Watchguard and access it that way.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 25410169
Thank you for the update; good to know the problem is resolved.
 
LVL 1

Author Comment

by:Steve Marin
ID: 25608168
This just fixed itself, I have a feeling that BIS had something going on that day.