Solved

How to access an Optional network from a Watchguard to a Netscreen

Posted on 2009-05-11
Last Modified: 2013-12-21
Hi, I have the following scenario:

Watchguard  Firebox Edge X55e
Version:10.1
              May 19 2008
              build 178688

This is the main Router/Firewall. It is configured with the Subnet of 10.0.1.0/24. It handles our T1 and all the LAN access. Now attached to the Optional port on this router is our VoIP system, which is just a private network from our location in Burbank to our location in Mexico. The devices on that network use the IPs 192.168.0.100, 101, 200, 201. There was no device on that network that did any routing whatsoever. We have a RAD RIC E1/T1 Converter, one on each end of the Point-to-Point T1. There are also Quintum Tenor DX boxes on each end. Now what I want to do is very simple. I just want to be able to Telnet from anywhere to the Quintum box located at 192.168.0.101.

Now I worked with Watchguard and they told me it will not work since the 192.168.0.0 side does not have a Router. The Watchguard is able to see the devices in the ARP table but not ping them. So I hooked up our old Juniper Networks NS5GT, and basically dumbed it down. I configured it with an IP of 192.168.0.110, plugged a switch into it and then plugged the VoIP devices into it. I also added routes to the 10.0.1.0 network.

So right now I have a rule on the Watchguard to allow port 23 incoming to Optional network IP 192.168.0.110. Right now the only thing I can ping from the 10.0.1.0 network is the Netscreen box located at 192.168.0.110.

I'm quite sure I'm doing something wrong, maybe even trying something that cannot be done, I'm not too sure. My only other thought on why it doesn't work is that I need to configure the "WAN" port on the Netscreen with the Private IP side... not sure...

Please help.

--Steve
Question by:smarin820
8 Comments
LVL 32

Expert Comment

by:dpk_wal
ID: 24363714
As I understand the setup is:
Internet------FB--------Optional--------------------------Netscreen [Untrust]--------------Trust[??]
                    |           192.168.0.110/24                      192.168.0.x/24
               Trusted (10.0.1.0/24)
There is no need to add a route for the 192.168.0.x network as it is defined on a physical interface of the FB. Also, if you would always send traffic originating from Trusted to Optional then there is no need for a policy; however, if traffic originates from Optional bound for Trusted then a policy would be needed.

Reading the post, you can access the Netscreen untrust interface from 10.0.1.x machines.

A few questions:
Is the Netscreen in L3 or L2 mode?
I am not fully understanding the need for putting the Netscreen in in the first place.
What is the subnet on the Trust interface on the Netscreen? Also, have you created policies on the Netscreen to accept incoming traffic from untrust to trust?

Please advise.

Thank you.

Author Comment

by:smarin820
ID: 24366257
I'm not using the Untrust on the Netscreen. I'm just using the Trust side, which is 192.168.0.0/24. I believe it is L3 right now. I was told by Watchguard that the reason I could not telnet to it was that there was no router on the 192.168.0.0 side with the VoIP equipment, so they did not have a way to route packets back to the 10.0.1.0/24 side.

LVL 32

Expert Comment

by:dpk_wal
ID: 24372774
If the Quintum box has IP 192.168.0.101 with default gateway 192.168.0.110, then the optional interface should be able to send traffic and receive it back too.
A router would be required if behind the Quintum there is some other subnet, say 172.168.x.y, and the FB needs to send traffic to that subnet and receive traffic too. Still, in this case, if the Quintum box can support this routing then that would be it.
If the setup is:
Internet------FB--------Optional---------------------Quintum----------------------Mexico Box [192.168.0.102]
                    |           192.168.0.110/24                 192.168.0.101/24 [with default GW: 192.168.0.110]
               Trusted (10.0.1.0/24)
Then there is no need for any router; the traffic between the two Quintum boxes is not going through the FB in any way.
If needed we can add a route on the FB optional interface for all traffic for 192.168.0.102 to be sent to 192.168.0.101.
For any traffic from the trusted interface to go to the Quintums you can configure policies [this is allowed by the default Outgoing policy though]; also for incoming traffic originating from the Quintums you can create another policy [if required].

I think this should work without any routers in place.

Thank you.
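An added example, not from the thread, that models the return-path problem dpk_wal describes: a longest-prefix-match lookup for the Quintum at 192.168.0.101, once without a default gateway and once with 192.168.0.110 as its default gateway. The client address 10.0.1.50 is constructed.

```python
"""Toy forwarding model of the Firebox Optional/Trusted topology in this thread.
Added illustration, not code from the thread or from any vendor."""
import ipaddress
from typing import Optional

# Route table entries: (destination network, next hop or None when directly connected)
RouteTable = list[tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address]]]


def lookup(table: RouteTable, dst: str) -> Optional[str]:
    """Longest-prefix match. Returns 'connected' for a directly attached subnet,
    the next-hop address as a string, or None when there is no route at all."""
    addr = ipaddress.ip_address(dst)
    candidates = [(net, nh) for net, nh in table if addr in net]
    if not candidates:
        return None
    net, nh = max(candidates, key=lambda entry: entry[0].prefixlen)
    return "connected" if nh is None else str(nh)


def quintum_table(default_gw: Optional[str]) -> RouteTable:
    """Routing table of the Quintum at 192.168.0.101: its own /24 only, plus the
    default gateway that the thread says cannot actually be configured."""
    table: RouteTable = [(ipaddress.ip_network("192.168.0.0/24"), None)]
    if default_gw:
        table.append((ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(default_gw)))
    return table


def telnet_round_trip(client: str, server: str, server_table: RouteTable) -> str:
    """Forward path: the Firebox owns both 10.0.1.0/24 (Trusted) and
    192.168.0.0/24 (Optional), so the SYN is delivered on a connected subnet.
    Return path: the server needs a route back to the 10.0.1.x client."""
    firebox_table: RouteTable = [
        (ipaddress.ip_network("10.0.1.0/24"), None),
        (ipaddress.ip_network("192.168.0.0/24"), None),
    ]
    if lookup(firebox_table, server) != "connected":
        return "syn-dropped-at-firebox"
    back = lookup(server_table, client)
    if back is None:
        # Matches the symptom in the question: host visible in ARP, never answers
        return "syn-ack-dropped-no-route"
    return f"syn-ack-via-{back}"


if __name__ == "__main__":
    print(telnet_round_trip("10.0.1.50", "192.168.0.101", quintum_table(None)))
    print(telnet_round_trip("10.0.1.50", "192.168.0.101", quintum_table("192.168.0.110")))
```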

Author Comment

by:smarin820
ID: 24414460
Problem with the Quintum box is you cannot set the default gateway to the FB optional GW.
LVL 32

Expert Comment

by:dpk_wal
ID: 24414524
If the Quintum box does not talk on any subnet other than 192.168.0.x then we don't need a default gateway.

If you cannot set a DG, I don't think that even the Netscreen would be of much help here.

Thank you.

Accepted Solution

by:smarin820 (earned 0 total points)
ID: 25408959
This never worked. I had to just create a PPTP connection to the Watchguard and access it that way.
LVL 32

Expert Comment

by:dpk_wal
ID: 25410169
Thank you for the update; good to know the problem is resolved.

Author Comment

by:smarin820
ID: 25608168
This just fixed itself, I have a feeling that BIS had something going on that day.