Solved

Unable to ping/connect Cisco router when behind WatchGuard firewall

Posted on 2010-11-17
Last Modified: 2012-05-10
We just purchased a new Cisco 2901 ISR for our network at work, something we desperately needed.  Before that we had used our WatchGuard x700 as not only our firewall but our router/NAT etc.  I installed the Cisco router and everything went smoothly with that after I figured out the command line for the device.  The Firebox x700 was a bit unhappy when I switched it out of routed mode and into drop-in mode.

I have attached a visual image of our network as I think it will give you a better idea of our setup.  Currently the router has two interfaces.  One for our public IPs (let's pretend they are 192.168.1.1/27) and one for our internal network (10.0.0.1/24 - our LAN, and 10.0.10.1/29 - our DMZ, per se).

Interface 0 on the cisco is our "public interface"
IP address(es): 192.168.1.22 - primary
192.168.1.3 - secondary
192.168.1.4 - secondary
192.168.1.5 - secondary
192.168.1.23 - secondary

Interface 1 - Private network
IP address(es) 10.0.0.1 - Primary
10.0.10.1 - Secondary

From our interface 1 I connected a switch which has two VLANs on it:
10.0.0.1/24 and 10.0.10.1/24
The IP's for the switch are:
10.0.0.2
10.0.10.2

From the switch I have our firebox connected with an IP of 10.0.0.3 and two video conference units plus one public server (10.0.10.3-10.0.10.5)

My problem is that I cannot connect to or ping the router when I am behind the firewall.  If I plug directly into the switch and assign an IP address to myself statically I can ping and connect to the router.  However when I am behind the firewall I cannot.

I have my rules set to allow ping in either direction.  What is very annoying is that with the firewall itself I cannot run a ping test.

One thing that my drawing does not include is that I have my router plugged into the external interface and my LAN plugged into my trusted interface.

Any idea as to why this is the case would be greatly appreciated.  I can upload the cisco config file if you want.

thanks!

Network Diagram Image
Question by:Prolumina
 
LVL 16

Expert Comment

by:SteveJ
ID: 34166401
You probably need to make interface one on the Cisco box a trunk.

Good luck,
SteveJ
 

Author Comment

by:Prolumina
ID: 34166419
What do you mean by that?  While this sounds like something I would do on the Cisco, it doesn't make sense, as I can connect to/ping the Cisco when I am not behind the firewall.  Could you please explain what you meant?
 

Author Comment

by:Prolumina
ID: 34166465
I don't think that is right.  I looked up what it was and that is not the issue at hand.

Basically, when I am connected to the trusted/optional interfaces on the WatchGuard Firebox that is configured in drop-in mode I cannot ping ANYTHING that is connected to the external interface UNLESS it is outside, i.e. not a private IP.  I mean I am going out, but I cannot ping ANYTHING between the external interface RJ-45 port until I hit the external interface of the Cisco router.  I have a managed switch at 10.0.0.2 that I cannot ping or connect to and I have the Cisco interface at 10.0.0.1 that I cannot ping or connect to.  This has to be a rule issue, I just do not know what the rule is.

I need access to the area between the external interface and the WAN if that makes sense.
 
LVL 16

Expert Comment

by:SteveJ
ID: 34166497
You have two different VLANs on the Cisco interface, right? How do you route between those VLANs? Is Switch 1 a layer 2 or layer 2/3 switch? Do you have an SVI configured on the switch?

So do you know if the ping reaches the Cisco box when you are behind the firewall or does it reach the Cisco router but not get back to you?

Good luck,
SteveJ
 

Author Comment

by:Prolumina
ID: 34166853
Okay, I see where you are going.  The configuration I have on the Cisco router is rather basic, i.e. I have not set up the ability to route between the VLANs.  My logic though is that when I connect to the network in any other location but behind the firewall I have the ability to ping and connect to the router.  It does not matter which subnet, as the router has addresses on both subnets, 10.0.0.1 and 10.0.10.1.

What are your thoughts on this?  I attached another image to see if this makes more sense.  The areas in green are where I can connect to the router.  In the areas in red I cannot connect to/ping it.  The purpose of the pink dot is to demonstrate that I can connect to the router even from RIGHT NEXT TO THE FIREWALL.  If I put a small unmanaged 8-port switch between the cable from the switch I have to the firewall, I can ping/connect to the router when I go in through that 8-port switch, but again not when I am behind the firewall.

It is almost as if the firewall refuses to see anything between the WAN and its external interface.  I again think it must be some strange rule in the Firebox but I can't for the life of me find more info on this.  It's almost as if most people don't use drop-in mode, though I can figure out why, as I believe a Cisco does a better job as a router than a firewall.

Anyhow let me know your thoughts.

Where I can and can't connect
 
LVL 16

Expert Comment

by:SteveJ
ID: 34167925
Not at all familiar with the WatchGuard product . . . I didn't realize that you appear to have the same network on both sides of the firewall (10.0.0.0/24), which is confusing to me.  Because I didn't look closely enough I thought you might simply have a routing issue.  Sorry.

So you have everyone in the pink circle connected to a switch which is cabled to the firewall which is cabled to the switch in the green circle? And that forces all traffic from the pink circle to traverse the firewall? So it's like the 2 switches are trunked with a firewall in the middle of the trunk. OK.

Well, without knowing how far the ping gets, I have no idea what's happening.  I'm too lazy to read back through the post, but can you ping from the Cisco to a workstation in the pink circle?  (You'd likely need to ping from a specific source address on the Cisco router: ping 10.0.0.x source 10.0.0.1)

Good luck,
SteveJ



Author Comment

by:Prolumina
ID: 34168755
Wow, here is what is interesting.  I did the test as you said and ran "ping 10.0.0.3 (WatchGuard) source 10.0.0.1": 100% FAILURE

However, if I use an IP address that has my public IP as the source it works.  For example:

ping 10.0.0.3 source xx.xx.xx.22 = 100% Success

Somehow the stupid Firebox/WatchGuard is blocking all traffic from the interface on the Cisco with an IP of 10.0.0.1 up to the external interface of the Firebox WatchGuard itself.

Short answer: I cannot ping a workstation using the router.  That is expected, as I blocked incoming ping requests from getting past the firewall.  However, what is annoying is that I can't ping the firewall itself when using the 10.0.0.1 IP address as a source.  Only when I use the public IP can I ping the firewall.
 
LVL 16

Expert Comment

by:SteveJ
ID: 34168913
Hahahaha . . . well, at least you're getting somewhere.

Good luck,
SteveJ
 

Author Comment

by:Prolumina
ID: 34175071
No one has any thoughts at all?  Clearly this must be an issue with the Firebox; any insight on the Firebox in drop-in mode would be greatly appreciated.
 
LVL 1

Accepted Solution

by:
YvesLacombe earned 250 total points
ID: 34175320
Maybe you need to set up a NAT for those IPs behind the Firebox?  I had the same thing with an F5 BIG-IP load balancer and setting up the NAT fixed it for me.
 

Author Comment

by:Prolumina
ID: 34175370
I have NAT set up.  Here are my NAT rules from the Cisco router:

ip nat pool ovrldIP x.x.x.23 x.x.x.23 netmask 255.255.255.224
ip nat inside source list 1 pool ovrldIP overload
ip nat inside source static 10.0.10.3 x.x.x.3     ! static NAT rule for "DMZ" host
ip nat inside source static 10.0.10.4 x.x.x.4     ! static NAT rule for "DMZ" host
ip nat inside source static 10.0.0.3 x.x.x.22     ! static NAT for internal server
ip route 0.0.0.0 0.0.0.0 x.x.x.1
!
access-list 1 permit 10.0.0.0 0.0.0.255

So NAT appears to be set up.

I am hoping someone has some Firebox/WatchGuard experience.  I am to the point of wanting to ditch the device and go all Cisco.
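The NAT rules above, run through a small checker. This is an added example, not code from the thread, from Cisco or from WatchGuard. It reconstructs the router config from the addresses the question lists, writing 192.168.1.x for the masked x.x.x public block as the question itself suggests; the interface names GigabitEthernet0/0 and 0/1, the `ip nat inside`/`ip nat outside` roles, the /29 DMZ mask and the list of inside hosts are assumptions taken from the question's description, not from a posted config. The script parses the `ip address`, `ip nat inside|outside`, `ip nat inside source` and standard `access-list` lines and flags three things worth checking on this thread: a static mapping whose global address is an interface's primary address (IOS translates outside-to-inside traffic before routing, so packets arriving for the router's own address are handed to the inside host), static global addresses that lie in no `ip nat outside` subnet, and inside hosts that match neither a static mapping nor the overload access-list and therefore get no translation at all.

```python
"""Static sanity checks over a Cisco IOS NAT config (added example, not from
the thread). Flags: a static mapping whose global address is an interface's
primary address, static globals outside every `ip nat outside` subnet, and
inside hosts with no translation. Only `permit` lines of standard ACLs are read."""
import re
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed config: the addresses and NAT rules posted in the thread, with
# 192.168.1.x standing in for the masked x.x.x public block. ASSUMPTIONS not in
# the thread: interface names, `ip nat inside/outside` roles, the /29 DMZ mask.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.1.22 255.255.255.224
 ip address 192.168.1.3 255.255.255.224 secondary
 ip address 192.168.1.4 255.255.255.224 secondary
 ip address 192.168.1.5 255.255.255.224 secondary
 ip address 192.168.1.23 255.255.255.224 secondary
 ip nat outside
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip address 10.0.10.1 255.255.255.248 secondary
 ip nat inside
!
ip nat pool ovrldIP 192.168.1.23 192.168.1.23 netmask 255.255.255.224
ip nat inside source list 1 pool ovrldIP overload
ip nat inside source static 10.0.10.3 192.168.1.3
ip nat inside source static 10.0.10.4 192.168.1.4
ip nat inside source static 10.0.0.3 192.168.1.22
access-list 1 permit 10.0.0.0 0.0.0.255
"""
# Inside hosts the question names (switch, Firebox, video units, public server).
KNOWN_INSIDE_HOSTS = [IPv4Address(a) for a in (
    "10.0.0.2", "10.0.0.3", "10.0.10.2", "10.0.10.3", "10.0.10.4", "10.0.10.5")]

RE_INTERFACE = re.compile(r"^interface (\S+)$")
RE_IP_ADDRESS = re.compile(r"^\s+ip address (\S+) (\S+)( secondary)?$")
RE_NAT_ROLE = re.compile(r"^\s+ip nat (inside|outside)$")
RE_STATIC = re.compile(r"^ip nat inside source static (\S+) (\S+)$")
RE_DYNAMIC = re.compile(r"^ip nat inside source list (\S+) pool (\S+)( overload)?$")
RE_STD_ACL = re.compile(r"^access-list (\d+) permit (?:host )?(\S+)(?: (\S+))?$")

def _acl_network(addr, wildcard):
    """Standard-ACL source (`any`, `host A`, `A` or `A wildcard`) -> IPv4Network."""
    if addr == "any":
        return IPv4Network("0.0.0.0/0")
    w = int(IPv4Address(wildcard)) if wildcard else 0       # wildcard -> netmask
    return IPv4Network((addr, str(IPv4Address(0xFFFFFFFF ^ w))), strict=False)

def parse_config(text):
    """Return {"interfaces", "static", "dynamic", "acls"} parsed from IOS text."""
    cfg = {"interfaces": {}, "static": [], "dynamic": [], "acls": {}}
    iface = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if m := RE_INTERFACE.match(line):
            iface = {"primary": None, "secondaries": [], "nat_role": None}
            cfg["interfaces"][m.group(1)] = iface
            continue
        if not line.startswith(" "):
            iface = None                      # an unindented line ends the stanza
        if iface is not None:
            if m := RE_IP_ADDRESS.match(line):
                addr = IPv4Interface(f"{m.group(1)}/{m.group(2)}")
                if m.group(3):
                    iface["secondaries"].append(addr)
                else:
                    iface["primary"] = addr
            elif m := RE_NAT_ROLE.match(line):
                iface["nat_role"] = m.group(1)
        elif m := RE_STATIC.match(line):
            cfg["static"].append((IPv4Address(m.group(1)), IPv4Address(m.group(2))))
        elif m := RE_DYNAMIC.match(line):
            cfg["dynamic"].append((m.group(1), m.group(2), bool(m.group(3))))
        elif m := RE_STD_ACL.match(line):
            cfg["acls"].setdefault(m.group(1), []).append(_acl_network(m.group(2), m.group(3)))
    return cfg

def find_issues(cfg, inside_hosts):
    """Return (code, subject, detail) tuples; an empty list means nothing flagged."""
    ifaces = cfg["interfaces"]
    primaries = {i["primary"].ip: n for n, i in ifaces.items() if i["primary"]}
    outside = [i["primary"].network for i in ifaces.values() if i["nat_role"] == "outside" and i["primary"]]
    found = []
    for inside, glob in cfg["static"]:
        if glob in primaries:      # outside-to-inside NAT runs before routing on IOS
            found.append(("static-nat-to-primary", f"{inside}->{glob}",
                          f"{glob} is the primary address of {primaries[glob]}; traffic arriving for the router goes to {inside}"))
        if outside and not any(glob in net for net in outside):
            found.append(("global-not-in-outside-subnet", f"{inside}->{glob}",
                          f"{glob} lies in no ip nat outside interface subnet"))
    mapped = {inside for inside, _ in cfg["static"]}
    dyn_nets = [n for acl, _pool, _ov in cfg["dynamic"] for n in cfg["acls"].get(acl, [])]
    for host in inside_hosts:
        if host not in mapped and not any(host in n for n in dyn_nets):
            found.append(("no-translation", str(host),
                          f"{host} matches neither a static mapping nor a NAT access-list"))
    return found
```

Call `find_issues(parse_config(SAMPLE_CONFIG), KNOWN_INSIDE_HOSTS)` to get the findings for the thread's config, or feed it `show running-config` output to check a real router. On this config the `static-nat-to-primary` hit is `ip nat inside source static 10.0.0.3 x.x.x.22`: the question lists x.x.x.22 as the router's primary public address, so anything from the Internet aimed at the router's own address is translated to the Firebox. The `no-translation` hits are 10.0.10.2 and 10.0.10.5, DMZ addresses the question lists that neither access-list 1 (10.0.0.0/24 only) nor a static mapping covers.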
 
LVL 16

Assisted Solution

by:SteveJ
SteveJ earned 250 total points
ID: 34177482
. . . and you've applied NAT to an interface, right?  Anyway, if you ping the router from within your own LAN, your NAT rules would never get applied.  You might try setting up a loopback and pinging the loopback interface . . . I don't use physical interfaces for management, I use loopbacks.  In this instance, if your NAT stuff is applied to the WAN-facing interface it still won't work because NAT would never be applied.  If your NAT stuff is applied to the inside (10.0.0.0 and 10.0.10.0) interface your ping would work provided you were pinging the loopback.

Steve
 

Author Closing Comment

by:Prolumina
ID: 34189961
I wanted to thank both of you for the help troubleshooting this issue.  I am currently still struggling with it but have discovered, thanks to your help, a ton of useful tools to work through it on the Cisco router.  Thanks again.
