Solved

can a 1605 router forward traffic to a different subnet?

Posted on 2013-06-19
Last Modified: 2013-07-01
I have a site in North Carolina; its network infrastructure document is as in the attachment.

I got a disaster from that site. The firewall device PIX5505 was dead totally. The only thing I know for that device is its internal IP 10.10.28.6. If I plan to buy another device with the same model, how could I make the configuration?

Also, the following is my understanding of the diagram, is it correct? Especially about the 1605 router's function. Does it have the ability to receive traffic from 10.10.28.0 network and forward them to 10.10.4.0 network in our headquarter?

From the document I have, I believe the PIX5505 which was dead already had been working as both firewall and gateway. All desktop traffic would be sent to PIX5505 first, then it decided if the traffic would go to the internet through T1 router (provided by Paetec) or should forward to internal router 1605. Also I am not sure how 1605 router forwards internal traffic to Bradford since there is only one cable connects it. The only time it's working by using one cable is the original network and destination network are on the same network. In our case, the network in NC is 10.10.28.0, the one at Bradford is 10.10.4.0. I am not sure if it can achieve it.
Question by:Jason Yu
 

Author Comment

by:Jason Yu
ID: 39260999
Sorry, I forgot to attach the diagram.
NC-network-infrastructure-diagra.pdf
 
LVL 17

Accepted Solution

by:
surbabu140977 earned 500 total points
ID: 39262149
First question, why one ethernet link from Paetec router is going directly to your switch? (the other one is normally going to pix, I understand)

Second Question, is it a  1605-R series router? What IOS are you having there?

It will be possible to use the 1605 router but security compliance will not be there like pix. This router may or may not support your actual data flow (1605 is not so powerful). But since you are having a T1 so it might not be an issue.

If you do not have any backup config, it will be a fresh startup. Even with the backup of pix, things might look not so simple.

Things will not look good if you ask 1605 router to do internal routing as well as act as the wan gateway with security. You might end up with more problem than solution.

Best,
 
LVL 17

Expert Comment

by:surbabu140977
ID: 39262176
You need to put Ethernet cable from Paetec router to E0 of 1605. Configure the WAN IP in E0. Put the lan cable to E1 and attach it to switch(the cable which was going to pix). Switch should be able to ping WAN of 1605. That's all. You should be up and running.

But as far as security or pix config is concerned, cannot comment on that. It will not be wholly replicable in 1605.

Best,

 

Author Comment

by:Jason Yu
ID: 39263756
hi, all, thank you for your reply.

---------For the first question, to be honest, I don't understand it either. Could I disconnect it without any impact?
"First question, why one ethernet link from Paetec router is going directly to your switch? (the other one is normally going to pix, I understand)"


---------For the second question.
Yes, it's 1605 router. The version information is as follows:


NC-1605>enable
Password:
NC-1605#show version
Cisco Internetwork Operating System Software
IOS (tm) 1600 Software (C1600-Y-M), Version 12.1(5)T6,  RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/cgi-bin/ibld/view.pl?i=support
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Fri 30-Mar-01 05:03 by ccai
Image text-base: 0x02005000, data-base: 0x02606324

ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)
ROM: 1600 Software (C1600-RBOOT-R), Version 12.0(3)T,  RELEASE SOFTWARE (fc1)

NC-1605 uptime is 8 hours, 10 minutes
System returned to ROM by power-on
System image file is "flash:c1600-y-mz.121-5.T6"

cisco 1605 (68360) processor (revision C) with 12288K/4096K bytes of memory.
Processor board ID 22638291, with hardware revision 00000003
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
WIC T1-DSU
System/IO memory with parity disabled
8192K bytes of DRAM onboard 8192K bytes of DRAM on SIMM
System running from RAM
7K bytes of non-volatile configuration memory.
8192K bytes of processor board PCMCIA flash (Read/Write)

Configuration register is 0x2102

NC-1605#


---------------For this site, we have a fail-over setup: we have a T1 provided by Paetec and a DSL provided by another company. When we have a T1 problem, we will transfer traffic to the DSL. We achieve this switch by resetting routes on both the headquarters firewall and this 1605 router. If you guys need details, I can upload the configuration commands here.

Now, the problem for me is that I need to recover the old settings on the new PIX 5505 firewall. I am not sure if the Pix IP (207.59.155.189 or 207.59.155.190) written on the document is the WAN IP of the old PIX 5505 appliance. Can anyone help me verify this?

thanks.
 

Author Comment

by:Jason Yu
ID: 39263927
Hi, surbabu140977, I couldn't understand some of your points.

For the 1605 router, there are four ports on it. From left to right:

1. 10 Base T
2. Ethernet 0
3. Ethernet 1 10 base T
4. Console

Do you mean I need connect Paetec router to E0 and set up WAN IP on E0? Also, I need connect the Lan cable to E1, (do I need set up LAN IP on E1 interface)? thanks.

------------------------------------------------------------
You need to put Ethernet cable from Paetec router to E0 of 1605. Configure the WAN IP in E0. Put the lan cable to E1 and attach it to switch(the cable which was going to pix). Switch should be able to ping WAN of 1605. That's all. You should be up and running.
 
LVL 17

Expert Comment

by:surbabu140977
ID: 39265029
You have only basic IP IOS image in 1605 router. That might not suit well for your purpose.

From Paetec, yes the second link I think can be disconnected. But again, we can speculate only. But it's up to someone at the site to verify if it's doing any good or not. Maybe at the switch, the very particular port of that cable might reveal something.

You can forget about the pix because right now there is no way to put that config anywhere. Your router won't support. You said it's down. Is it hard down? How will you recover?

You have 2 ethernet ports. E0 and E1. (both are 10base T). You should be avoiding using those. So in short that router won't serve you any good.

There is one serial wan interface slot. You have to contact paetec if they will support it. (proper cable for T1).

If paetec says yes, then that wan can be used and E0 or E1 can be plugged to your lan. We will help.

But avoid using that router. As said earlier, it's old and hardware not enough for your job. It will create a big lot of issues.

Do not allow anyone to use that E0 or E1 for WAN.

Best,
 

Author Comment

by:Jason Yu
ID: 39270222
OK, I purchased a SonicWall TZ215 for that site and configured it as below.

I hope after I ship the appliance to North Carolina, it can work.

the ip address is as follows, could you help me check it?

on my old record file, I saw one line "PIX global 207.59.155.189" and "Pix 207.59.155.190". I got confused by these two ips, don't know which one the old firewall used for the WAN port.


WAN Interface:
Static mode
IP:207.59.155.189
Subnet mask:255.255.255.240
Default Gateway: 207.59.155.177

DNS Server:
66.255.85.8
66.255.85.9
208.67.222.222
4.2.2.2
8.8.8.8



LAN Interface
Static IP Mode
10.10.28.6
255.255.252.0
Default LAN
 
LVL 17

Expert Comment

by:surbabu140977
ID: 39274864
Most likely wan ip was 207.59.155.190 and  "PIX global 207.59.155.189" was used for NAT/PAT in the Pix. But there is no harm now if you use alternately because you have the full Ip range from 207.59.155.177 - 207.59.155.190 available. You can use anything in between for anything. It's a fresh new config and it's all yours. : )

No need to use separate IP, you can use the WAN IP as global and do the natting.

I think you may have missed the nat config in your firewall. Without it your inside lan will not be able to connect to internet. (did not see you mentioning NAT)

Best,
0
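A consistency check for the addressing discussed in the two posts above, as an added example that is not part of the original thread. It uses the WAN and LAN values posted by the author; the headquarters mask is not given on the page, so `HQ_NETS` assumes the same 255.255.252.0 mask as the NC LAN.

```python
import ipaddress

# Values posted in the thread; the HQ mask is an assumption (not given on the page).
WAN = ("207.59.155.189", "255.255.255.240", "207.59.155.177")  # ip, mask, gateway
LAN = ("10.10.28.6", "255.255.252.0")                          # ip, mask
HQ_NETS = ["10.10.4.0/255.255.252.0"]


def check_interface(name, ip, mask, gateway=None):
    """Return (network, problems) for one statically addressed interface."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    net, problems = iface.network, []
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{name}: {ip} is the network/broadcast address of {net}")
    if gateway is not None:
        gw = ipaddress.ip_address(gateway)
        if gw not in net:
            problems.append(f"{name}: gateway {gw} is not on-link in {net}")
        elif gw == iface.ip:
            problems.append(f"{name}: gateway equals the interface address")
    return net, problems


def check_plan(wan, lan, remote_nets):
    """Validate the WAN/LAN pair and report whether the LAN needs NAT to go out."""
    wan_net, problems = check_interface("WAN", *wan)
    lan_net, lan_problems = check_interface("LAN", *lan)
    problems += lan_problems
    for other in [wan_net] + [ipaddress.ip_network(r) for r in remote_nets]:
        if other.overlaps(lan_net):
            problems.append(f"LAN {lan_net} overlaps {other}; routing is ambiguous")
    # Private LAN behind a public WAN block: outbound traffic must be translated.
    needs_nat = lan_net.is_private and not wan_net.is_private
    return wan_net, lan_net, needs_nat, problems


def usable_range(net):
    """First and last assignable host address of a network."""
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


if __name__ == "__main__":
    wan_net, lan_net, needs_nat, problems = check_plan(WAN, LAN, HQ_NETS)
    print("WAN block:", wan_net, "usable", usable_range(wan_net))
    print("LAN block:", lan_net, "NAT required:", needs_nat)
    print("problems:", problems or "none")
```

With the posted values the WAN block's usable range matches the 207.59.155.177 - 207.59.155.190 range given in the reply, and a mistyped mask such as 255.255.255.248 is reported because the gateway falls outside the resulting subnet.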
 

Author Comment

by:Jason Yu
ID: 39280547
Hi, surbabu, I sent out the new SonicWall TZ215 there and installed it well. It is working now.
I will check to see if I need to set up a proxy on the firewall. We have a proxy Linux server at that site; if I want to still use that proxy server, do I need to route all internet traffic to that server?

thanks.
 
LVL 17

Expert Comment

by:surbabu140977
ID: 39280565
No, Just go into the browser(IE or Firefox) of the PC's and type the proxy IP there.

In Firefox it's under Edit-->Preference-->Advance-->Network tab.

In Internet Explorer, it's under  tools-->Internet options-->connection tab.

The proxy server IP should be natted in your firewall, else connections won't go out.

You can also put 207.59.155.xxx IP directly in the server and all LAN traffic should get routed through the firewall to the proxy and then again back to firewall for internet, but it's not the best design to route all traffic unnecessarily.

Some people also put a dual NIC and put one lan IP and one wan IP also. It's your choice.

Best,
 

Author Comment

by:Jason Yu
ID: 39291348
Got it solved, we will implement the proxy control through sonic.
 

Author Closing Comment

by:Jason Yu
ID: 39291353
Very good reply.