Link to home
Start Free TrialLog in
Avatar of Prolumina
ProluminaFlag for United States of America

asked on

Unable to ping/connect cisco router when behind Watchguard Firewall

We just purchased a new Cisco 2901 ISR for our network at work, something we desperately needed.  Before that we had used our Watchguard x700 as not only our firewall but our router/nat etc.  I installed the cisco router and everything went smoothly with that after I figured out the commanfd line for the device.  The firebox x700 was  abit unhappy when I switched it out of routed mode and into drop in mode.  

I have attached a visual image of our network as I think it will give you a better idea of our setup.  Currently the router has two interfaces.  One for pur public ip's (lets pretend they are 192.168.1.1/27) and one for our internal network (10.0.0.1/24 - our LAN and 10.0.10.1/29 Our DMZ per se).  

Interface 0 on the cisco is our "public interface"
IP address(es): 192.168.1.22 - primary
192.168.1.3 - secondary
192.168.1.4 - secondary
192.168.1.5 - secondary
192.168.1.23 - secondary

Interface 1 - Private network
IP address(es) 10.0.0.1 - Primary
10.0.10.1 - Secondary

From our interface 1 I connected a switch which has two VLAN's on it.
10.0.0.1/24 and 10.0.10.1/24
The IP's for the switch are:
10.0.0.2
10.0.10.2

From the switch I have our firebox connected with an IP of 10.0.0.3 and two video conference units plus one public server (10.0.10.3-10.0.10.5)

My problem is that I can not connect or ping the router when I am behind the firewall.  If I plug directly into the switch and assing an IP address to myself staticly I can ping and connect to the router.  However when I am behind the firewall I can not.  

I have my rules set to allow ping either direction.  What is very annoying is that with the firewall itself I can not run a ping test.

One thing that my drawing does not include is that I have my router plugged into the external interface and my lan plugged into my trusted interface.  

Any idea as to why this is the case would be greatly appreciated.  I can upload the cisco config file if you want.

thanks!

User generated image
Avatar of Steve Jennings
Steve Jennings

You probably need to make interface one on the Cisco box a trunk.

Good luck,
SteveJ
Avatar of Prolumina

ASKER

What do you mean by that?  While this sounds like something I would do on the cisco it doesnt make sense as I can connect/ping the cisco when I am not behind the firewall.  Could you please explain what you meant?
I dont think that is right.  I looked up what it was and that is not the issue at hand.

Basically when I am connected to the trusted/optional interfaces on the watchguard firebox that is configured in drop-in mode I can not ping ANYTHING that is connected to the external interface UNLESS it is outside i.e not  a private IP.  I mean I am going out but I can not ping ANYTHING between the external interface RJ-45 port until I hit the external inteface of the cisco router.  I have a managed switch at 10.0.0.2 that i can not ping or connect to and I have the cisco inteface at 10.0.0.1 that I can not ping or connect to.  This has to be a rule issue I just do not know what the rule is.  

I need access to the area between the external interface and the WAN if that makes sense.
You have two different VLANs on the Cisco interface, right? How do you route between those VLANs? Is Switch 1 a layer 2 or layer 2/3 switch? Do you have an SVI configured on the switch?

So do you know if the ping reaches the Cisco box when you are behind the firewall or does it reach the Cisco router but not get back to you?

Good luck,
SteveJ
Okay I see where you are going.  The configuration I have on the cisco router is rather basic i.e. I have not setup the ability to route between the VLAN's.  My logic though is that when I connect to the network in any other location but behind the firewall I have the ability to ping and connect to the router.  It does not matter which subnet as the router has addresses on both subnets 10.0.0.1 and 10.0.10.1.  

What are your thoughts on this?  I attached another image to see if this makes more sense.  THe areas in green are where I can connect to the router.  The areas in red I can not connect/ping it.  The purpose of the pink dot is demonstrate that I can connect to the router even from RIGHT NEXT TO THE FIREWALL.  If I put a small unmanaged 8 port switch between the cable from the switch I have to the firewall i can ping/connect to router when I go in through that 9port switch but again not when I am behind the firewall.

It is almost as if the firewall refuses to see anything between the wan and its external interface.  I again think it must be some strange rule in the firebox but I cant for the life of me find more info on this.  Its almost as if most people dont use drop in mode though I can figure out why as I believe a cisco does a better job as a router than a firewall.  

Anyhow let me know your thoughts.

User generated image
Not at all familiar with the Watchguard product . . . I didn't realize that you appear to have the same network on both sides of the firewall (10.0.0.0/24) which is confusing to me. Because I didn't look closely enough I thought you might simply have a routing issue. Sorry.

So you have everyone in the pink circle connected to a switch which is cabled to the firewall which is cabled to the switch in the green circle? And that forces all traffic from the pink circle to traverse the firewall? So it's like the 2 switches are trunked with a firewall in the middle of the trunk. OK.

Well, without knowing how far the ping gets, I have no idea whats happening. Im too lazy to read back thru the post, but can you ping from the Cisco to a workstation in the pink circle? ( you'd likely need to ping from a specific source address on the cisco router: ping 10.0.0.x source 10.0.0.1)

Good luck,
SteveJ


Wow here is what is interesting.  I did the test as you said and ran "ping 10.0.0.3 (Watchguard) source 10.0.0.1"  100% FAILURE

However if I use an ip address that has my public ip as the source it works.  For example:

ping 10.0.0.3 source xx.xx.xx.22 = 100% Success

Somehow the stupid firebox/watchguard is blocking all traffic from the interface on the cisco with an ip of 10.0.0.1 up to the external interface of the firebox watchguard itself.  

Short answer I can not ping a workstation using the touter.  That is expected as I blocked incoming ping request from getting past the firewall.  However what is annoying is that i cant ping the firewall itself when using the 10.0.0.1 ip address as a source.  Only when I use the public IP can I ping the firewall.
Hahahaha . . . well, at least you're getting somewhere.

Good luck,
SteveJ
No one has any thoughts at all?  Clearly this must be an issue with the frebox any insight on the firebox in drop-in mode would be greatly appreciated.
ASKER CERTIFIED SOLUTION
Avatar of YvesLacombe
YvesLacombe
Flag of Canada image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I have NAT setup.  Here are my NAT rules from the CISCO router:

ip nat pool ovrldIP x.x.x.23 x.x.x.23 netmask 255.255.255.224
ip nat inside source list 1 pool ovrldIP overload
ip nat inside source static 10.0.10.3 x.x.x.3      !!!!-This is a static nat rule for "DMZ"
ip nat inside source static 10.0.10.4 x.x.x.4      !!!!-This is a static nat rule for "DMZ"
ip nat inside source static 10.0.0.3 x.x.x.22      ! - Static nat for internal server
ip route 0.0.0.0 0.0.0.0 x.x.x.1
!
access-list 1 permit 10.0.0.0 0.0.0.255

So NAT appears to be setup.  

I am hoping someone has some firebox/watchguard experience.  I am to the poiint of wanting to ditch the device and go all cisco
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I wanted to thank both of you for the help trouble shooting this issue.  I am currently still struggling with it but have discovered, thanks to your help, a ton of useful tools to work through itt on the cisco router.  Thanks again.