  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1126

Cisco 2800 Router bonded T1's and Watchguard Firebox config

This is a follow-up to a question I asked yesterday regarding a Cisco 2800 w/ bonded T1's (new ISP for us). The previous question was answered correctly, but I'm needing more help.

When I connect to my new 2800 with just one test workstation via a 3Com switch, I can browse the web. When I try to connect my network to the 2800 via my Firebox we can't surf. I have configured the Firebox to use my new address scheme. Basically everything in my new Firebox config is as it was, just with the new IP addresses for each service and NAT (get it?). I have an IP set of 64.181.96.240/29 with the router being .241

Under "Network Configuration" in my Watchguard Policy Manager I have the Firebox interface as static w/ IP address 64.181.96.242/29 and default gateway 64.181.96.241

I was pretty confident this would work but apparently something isn't quite right. Here is a snippet from my Firebox config file:

networking.domain_suffix: g*******y
networking.dynamicip: 0
networking.ethernet.00: eth0 64.181.96.242 64.181.96.240 255.255.255.248 64.181.96.241
networking.ethernet.01: eth1 64.181.96.242 64.181.96.240 255.255.255.248 none
networking.ethernet.02: eth2 64.181.96.242 64.181.96.240 255.255.255.248 none
networking.ethernet.03: eth1:0 10.10.10.5 10.0.0.0 255.0.0.0 none
networking.ethernet.speed.00: auto
networking.ethernet.speed.01: auto
networking.ethernet.speed.02: auto
networking.external: eth0
networking.external.ip_aliases: 64.181.96.243 64.181.96.244 64.181.96.245 64.181.96.246
Asked: chawness
3 Solutions
 
JFrederick29 Commented:
You removed the NAT config from the router, right?
0
 
chawness Author Commented:
No. How do I go about it?

I thought about that as I was typing up the last question. I remember you said something about it yesterday. I told the ISP who set the router up (or tried) that I didn't want it to do any NAT because my Firewall did all that.
0
 
JFrederick29 Commented:
You can remove it from the interfaces.

int f0/0
no ip nat inside

int multilink1
no ip nat outside

You can also remove the "ip nat inside source list ...." command.
0
 
chawness Author Commented:
If I remove the outside NAT, will that disconnect my router from the ISP?

How do I run the "ip nat inside source list ...." command? Like I said, I know nothing about this router.
0
 
JFrederick29 Commented:
No, it won't disconnect you from your ISP. It simply removes the NAT functionality from the interface.

conf t

int f0/0
no ip nat inside

int multilink1
no ip nat outside

no ip nat inside source list 100 interface Multilink1 overload

no access-list 100
0
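As an added illustration of the removal JFrederick29 walks through (this is not code from the thread, and not a Cisco tool), here is a Python script that reads an IOS running-config and emits the `no ...` commands needed to strip NAT from it, in the same order as the comment above: the per-interface `ip nat inside`/`ip nat outside`, the global overload rule, and finally the access-list the rule referenced. The running-config fragment embedded in it is constructed for the example; the asker never posted their actual config, so everything in it other than the LAN address 64.181.96.241, the interface names f0/0 and Multilink1, and access-list 100 is an assumption.

```python
import re
from typing import List, Set

# Constructed IOS running-config fragment (not the asker's real config; they
# never posted it). It contains the four NAT pieces the thread negates:
# "ip nat inside" on f0/0, "ip nat outside" on Multilink1, the overload rule,
# and access-list 100 that the rule references. The WAN address is made up.
SAMPLE_RUNNING_CONFIG = """\
!
interface FastEthernet0/0
 ip address 64.181.96.241 255.255.255.248
 ip nat inside
 duplex auto
 speed auto
!
interface Multilink1
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 ppp multilink
!
ip nat inside source list 100 interface Multilink1 overload
!
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
access-list 100 permit ip 64.181.96.240 0.0.0.7 any
!
"""

# Other places an ACL number can be consumed (interface filters, vty
# access-class, route-map match). If one of these still points at the ACL we
# must not delete it along with the NAT rule.
_OTHER_ACL_REF = re.compile(r"\b(?:access-group|access-class|match ip address)\s+(\S+)")


def nat_removal_commands(running_config: str) -> List[str]:
    """Return the config-mode commands that undo every NAT statement found.

    Handled: per-interface "ip nat inside"/"ip nat outside" (negated inside
    that interface's context), global "ip nat inside source list ..." rules
    (negated verbatim), and the ACLs those rules reference (dropped with
    "no access-list N" only when nothing else in the config still uses them).
    """
    cmds: List[str] = ["conf t"]
    current_iface = None
    nat_rules: List[str] = []
    nat_acls: List[str] = []
    other_refs: Set[str] = set()

    for raw in running_config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        stripped = line.strip()
        if not line.startswith(" "):
            # An unindented line ends whatever interface stanza we were in.
            current_iface = None
            m = re.match(r"^interface (\S+)$", stripped)
            if m:
                current_iface = m.group(1)
                continue
            m = re.match(r"^ip nat inside source list (\S+)\s", stripped)
            if m:
                nat_rules.append(stripped)
                nat_acls.append(m.group(1))
                continue
        elif current_iface and stripped in ("ip nat inside", "ip nat outside"):
            cmds.append(f"interface {current_iface}")
            cmds.append(f" no {stripped}")
            continue
        for m in _OTHER_ACL_REF.finditer(stripped):
            other_refs.add(m.group(1))

    for rule in nat_rules:
        cmds.append(f"no {rule}")
    for acl in dict.fromkeys(nat_acls):  # dedupe while keeping order
        if acl in other_refs:
            cmds.append(f"! access-list {acl} kept: still referenced elsewhere")
        else:
            cmds.append(f"no access-list {acl}")
    cmds.append("end")
    return cmds


if __name__ == "__main__":
    print("\n".join(nat_removal_commands(SAMPLE_RUNNING_CONFIG)))
```

Run it against a `show running-config` capture and paste the output into config mode. One practical caveat: if translations are still active, IOS can refuse the `no ip nat inside source list ...` line with a "%Dynamic mapping in use" message; `clear ip nat translation *` first and then re-enter the command.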
 
chawness Author Commented:
I've completed all that. No dice. I can still connect with the test station.

0
 
JFrederick29 Commented:
The test station has one of the 64.181.96.x IPs with a default gateway of 64.181.96.241, right? If so, the router config is fine and the problem is with the Firewall. You are certain the Firewall is NAT'ing traffic to an IP in the 64.181.96.240/29 subnet? Is it NAT'ing to the outside interface? What DNS servers are configured on your internal clients? If internal DNS servers, what Forwarders are setup on the internal DNS servers?
0
 
chawness Author Commented:
Yes on the workstation.

Here is all the NAT'ing I see on my firebox:

Dynamic NAT
192.168.0.0/16-external
172.16.0.0/12-external
10.0.0.0/8-external

1-to-1 NAT
external 64.181.96.243 to 10.10.10.12
external 64.181.96.244 to 10.0.0.241
external 64.181.96.245 to 10.10.10.8
external 64.181.96.246 to 10.10.10.13

there are other "service based" NAT's, like for exchange etc.

OTHER firebox config INFO:

Interfaces
configuration: static  
IP address: 64.181.96.242/29
default gateway: 64.181.96.241

Aliases:
64.181.96.243
64.181.96.244
64.181.96.245
64.181.96.246

secondary networks:
10.10.10.5/8 trusted

That's really all there is in my Firebox config other than all my individual services.

I noticed in my current router (still connecting us to our old ISP) has some static routes:

dest. network    mask               next gateway
0.0.0.0          0.0.0.0            24.75.64.85
24.75.66.82      255.255.255.248    24.75.66.84
24.75.66.81      255.255.255.248    24.75.64.85

the 24.75.66.82 is my current exchange server
the 24.75.64.85 is the ISP?

there is no NAT'ing in the old router (netopia t1) that I can see.
0
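The question JFrederick29 keeps coming back to is whether every public address the Firebox uses actually sits inside 64.181.96.240/29 and is consistent with the gateway and the 1-to-1 NAT mappings. As an added example (not from the thread, and not a WatchGuard tool), here is a Python check that parses the `networking.*` lines quoted earlier in the thread and the 1-to-1 NAT list from this comment, and reports any address that is outside the subnet, collides with another address, or is the network or broadcast address. The rule that a 1-to-1 NAT external address must also be an interface alias is an assumption made for this check, not a documented Firebox requirement; the layout of the ethernet line (name, IP, network, mask, gateway) is inferred from the quoted config.

```python
import ipaddress
from typing import Dict, List, Tuple

IPv4 = ipaddress.IPv4Address

# The external-interface lines quoted from the asker's Firebox config file,
# embedded here as the sample input.
FIREBOX_CONFIG = """\
networking.ethernet.00: eth0 64.181.96.242 64.181.96.240 255.255.255.248 64.181.96.241
networking.external: eth0
networking.external.ip_aliases: 64.181.96.243 64.181.96.244 64.181.96.245 64.181.96.246
"""

# The 1-to-1 NAT mappings listed in the thread (external -> internal).
ONE_TO_ONE_NAT: Dict[str, str] = {
    "64.181.96.243": "10.10.10.12",
    "64.181.96.244": "10.0.0.241",
    "64.181.96.245": "10.10.10.8",
    "64.181.96.246": "10.10.10.13",
}


def parse_external(config: str) -> Tuple[IPv4, ipaddress.IPv4Network, IPv4, List[IPv4]]:
    """Extract (interface IP, subnet, default gateway, aliases) for the
    interface named by networking.external. The ethernet line layout assumed
    here is: name, IP, network, netmask, gateway, as in the quoted config."""
    kv: Dict[str, str] = {}
    for line in config.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            kv[key.strip()] = value.strip()
    ext_name = kv["networking.external"]
    for key, value in kv.items():
        parts = value.split()
        if key.startswith("networking.ethernet.") and len(parts) == 5 and parts[0] == ext_name:
            _, ip, network, mask, gateway = parts
            break
    else:
        raise ValueError(f"no ethernet line for external interface {ext_name}")
    subnet = ipaddress.ip_network(f"{network}/{mask}", strict=True)
    aliases = [ipaddress.ip_address(a) for a in kv.get("networking.external.ip_aliases", "").split()]
    return ipaddress.ip_address(ip), subnet, ipaddress.ip_address(gateway), aliases


def check_external_plan(config: str, one_to_one: Dict[str, str]) -> List[str]:
    """Return a list of inconsistencies; an empty list means the address plan
    hangs together."""
    problems: List[str] = []
    iface, subnet, gateway, aliases = parse_external(config)
    reserved = {subnet.network_address: "network address",
                subnet.broadcast_address: "broadcast address"}

    def usable(addr: IPv4, role: str) -> None:
        if addr not in subnet:
            problems.append(f"{role} {addr} is outside {subnet}")
        elif addr in reserved:
            problems.append(f"{role} {addr} is the {reserved[addr]} of {subnet}")

    usable(iface, "external interface")
    usable(gateway, "default gateway")
    if gateway == iface:
        problems.append(f"default gateway {gateway} is the interface's own address")

    seen = {iface, gateway}
    for alias in aliases:
        usable(alias, "alias")
        if alias in seen:
            problems.append(f"alias {alias} duplicates the interface, gateway or another alias")
        seen.add(alias)

    # Assumption for this check: every public address used in a 1-to-1 NAT
    # mapping should be one the firewall answers for (an alias), and the
    # mapped internal address should be RFC 1918 space.
    for ext, internal in one_to_one.items():
        if ipaddress.ip_address(ext) not in aliases:
            problems.append(f"1-to-1 NAT external {ext} is not an alias on the external interface")
        if not ipaddress.ip_address(internal).is_private:
            problems.append(f"1-to-1 NAT maps {ext} to non-private address {internal}")
    return problems


def free_addresses(config: str) -> List[IPv4]:
    """Usable host addresses in the external subnet not yet assigned to the
    interface, the gateway or an alias."""
    iface, subnet, gateway, aliases = parse_external(config)
    taken = {iface, gateway, *aliases}
    return [h for h in subnet.hosts() if h not in taken]


if __name__ == "__main__":
    for p in check_external_plan(FIREBOX_CONFIG, ONE_TO_ONE_NAT) or ["address plan is consistent"]:
        print(p)
    print("unused:", [str(a) for a in free_addresses(FIREBOX_CONFIG)])
```

On the thread's own numbers the check comes back clean, and `free_addresses` shows the /29 is fully consumed (router .241, Firebox .242, four aliases .243 to .246), which matches the outcome later in the thread: the Firebox config was right and the fault was elsewhere.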
 
chawness Author Commented:
My clients point to internal DNS servers, which are in turn setup with forwarders to my old and new ISP's DNS servers.
0
 
JFrederick29 Commented:
The forwarders are these, right?

66.109.175.210
216.30.255.3

From a PC behind the Firebox, can you do the following:

ping www.google.com
ping 74.125.95.104
telnet 74.125.95.104 80
0
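The three commands above are a layered test: reach a literal IP first, then a name, so that a DNS problem is not mistaken for a routing or NAT problem. As an added example (not part of the thread), here is a Python version of that triage. The host, IP and port are the ones JFrederick29 asks for; ICMP ping is replaced by a TCP connect because ping needs raw-socket privileges, which is an assumption of this script rather than a step from the comment. The probe functions are injectable so the logic can be exercised offline.

```python
import socket
from typing import Callable, Dict, Optional

# Values from the thread: the host and IP JFrederick29 asks the asker to probe.
TEST_NAME = "www.google.com"
TEST_IP = "74.125.95.104"
TEST_PORT = 80


def resolve(name: str) -> Optional[str]:
    """Name lookup via the client's configured resolver; None if it fails."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def tcp_reachable(ip: str, port: int, timeout: float = 3.0) -> bool:
    """The 'telnet <ip> 80' step: a plain TCP connect, no raw sockets needed."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(name: str = TEST_NAME, ip: str = TEST_IP, port: int = TEST_PORT,
           resolve_fn: Callable[[str], Optional[str]] = resolve,
           connect_fn: Callable[[str, int], bool] = tcp_reachable) -> Dict[str, object]:
    """Separate 'no path out' from 'DNS is broken' the way the three commands
    in the thread do: reach the literal IP first, only then involve names.
    verdict is one of: ip-path, dns, name-path, ok."""
    report: Dict[str, object] = {"ip_path": None, "dns": None, "name_path": None, "verdict": ""}
    report["ip_path"] = connect_fn(ip, port)
    if not report["ip_path"]:
        # Nothing gets out even by raw IP: routing, NAT, firewall policy or
        # layer 1 (as this thread eventually found). DNS is not the issue yet.
        report["verdict"] = "ip-path"
        return report
    resolved = resolve_fn(name)
    report["dns"] = resolved is not None
    if not report["dns"]:
        # Packets flow but names don't: look at forwarders / the DNS proxy.
        report["verdict"] = "dns"
        return report
    report["name_path"] = connect_fn(resolved, port)
    # name-path: the resolver answered, but the answer is unreachable.
    report["verdict"] = "ok" if report["name_path"] else "name-path"
    return report


if __name__ == "__main__":
    print(triage())
```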
 
chawness Author Commented:
Ok. I just happen to have a second Firebox sitting on the shelf for a backup. I put that in my test network just like it would be on the real thing. Router, Firebox, Switch then Workstation. I have everything configured just like my LAN. In the Firebox traffic monitor I can see the workstation going out using the DNS proxy. On that workstation I have the 66.109.175.210 DNS server entered in the TCP/IP properties. I can't ping anything, not even the router (I can ping the Firebox of course). When I ping the router I see the ping going out on the traffic monitor but get a "destination host unreachable".

In fact I can't ping the new router from outside the network either...
0
 
JFrederick29 Commented:
You have the default gateway properly set on the workstation, right?  The LAN interface IP address on the Firebox?  It is normal that you are unable to ping your router from the outside as the access-list is denying it.
0
 
chawness Author Commented:
As I was beating my head against the wall in the server room, I noticed the link light isn't lit on the fe0/0 the other 2 lights are lit (fdx & 100).  ?!?!?!?

If I plug cable directly from the router to the switch, the link light is lit. If I go from the router to the external port on the firebox, it's not lit.

I have the firebox set as the gateway for the workstation.
0
 
JFrederick29 Commented:
Ahh, okay, try using a crossover cable.
0
 
JFrederick29 Commented:
Sorry, to clarify, try using a crossover cable between the router and the Firebox.
0
 
JFrederick29 Commented:
Or if you don't have a crossover cable handy, put a switch in between the router f0/0 interface and the Firebox external.
0
 
chawness Author Commented:
I tried the crossover cable and it worked. For the love of God, it WORKED!!!! LOL and crying too...
0
 
JFrederick29 Commented:
Sweet.  Gotta love the layer1 issues.
0
 
chawness Author Commented:
So I'm guessing the cable going from my old Netopia router to the Firebox is not a crossover, because I just unplugged from the Netopia and plugged into the 2800.
0
 
JFrederick29 Commented:
Correct, the difference is the Netopia probably supports auto-MDI/MDIX (auto crossover).
0
 
chawness Author Commented:
Yep, you're right. I just tested the cable and it's not a crossover. Oh well, at least I had my Firebox config right; funny how the simple things get you.

Thanks again for all your time and help.
0
 
JFrederick29 Commented:
You're welcome.
0
 
chawness Author Commented:
IOU
0
