Jason Yu asked:

Can a 1605 router forward traffic to a different subnet?

I have a site in North Carolina; its network infrastructure document is as in the attachment.

I got a disaster from that site. The firewall device PIX5505 was dead totally. The only thing I know for that device is its internal IP 10.10.28.6. If I plan to buy another device of the same model, how could I make the configuration?

Also, the following is my understanding of the diagram; is it correct? Especially about the 1605 router's function. Does it have the ability to receive traffic from the 10.10.28.0 network and forward it to the 10.10.4.0 network in our headquarters?

From the document I have, I believe the PIX5505, which is already dead, had been working as both firewall and gateway. All desktop traffic would be sent to the PIX5505 first, then it decided if the traffic would go to the internet through the T1 router (provided by Paetec) or should be forwarded to the internal 1605 router. Also, I am not sure how the 1605 router forwards internal traffic to Bradford, since there is only one cable connecting it. The only time it works using one cable is when the original network and destination network are on the same network. In our case, the network in NC is 10.10.28.0, and the one at Bradford is 10.10.4.0. I am not sure if it can achieve it.
Jason Yu
ASKER

Sorry, I forgot to attach the diagram.
NC-network-infrastructure-diagra.pdf
ASKER CERTIFIED SOLUTION
surbabu140977
You need to put Ethernet cable from Paetec router to E0 of 1605. Configure the WAN IP in E0. Put the LAN cable to E1 and attach it to switch (the cable which was going to pix). Switch should be able to ping WAN of 1605. That's all. You should be up and running.

But as far as security or pix config is concerned, cannot comment on that. It will not be wholly replicable in 1605.

Best,

Hi, all, thank you for your reply.

---------For the first question, to be honest, I don't understand it either. Could I disconnect it without any impact?
"First question, why one ethernet link from Paetec router is going directly to your switch? (the other one is normally going to pix, I understand)"


---------For the second question.
Yes, it's 1605 router. The version information is as follows:


NC-1605>enable
Password:
NC-1605#show version
Cisco Internetwork Operating System Software
IOS (tm) 1600 Software (C1600-Y-M), Version 12.1(5)T6,  RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/cgi-bin/ibld/view.pl?i=support
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Fri 30-Mar-01 05:03 by ccai
Image text-base: 0x02005000, data-base: 0x02606324

ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)
ROM: 1600 Software (C1600-RBOOT-R), Version 12.0(3)T,  RELEASE SOFTWARE (fc1)

NC-1605 uptime is 8 hours, 10 minutes
System returned to ROM by power-on
System image file is "flash:c1600-y-mz.121-5.T6"

cisco 1605 (68360) processor (revision C) with 12288K/4096K bytes of memory.
Processor board ID 22638291, with hardware revision 00000003
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
WIC T1-DSU
System/IO memory with parity disabled
8192K bytes of DRAM onboard 8192K bytes of DRAM on SIMM
System running from RAM
7K bytes of non-volatile configuration memory.
8192K bytes of processor board PCMCIA flash (Read/Write)

Configuration register is 0x2102

NC-1605#


---------------For this site, we have a fail-over setup: we have a T1 provided by Paetec and a DSL provided by another company. When we have a T1 problem, we will transfer traffic to the DSL. We achieve this switch by resetting routes on both headquarters' firewall and this 1605 router. If you guys need details, I can upload the configuration commands here.

Now, the problem for me is I need to recover the old settings on the new PIX 5505 firewall. I am not sure if the PIX IP (207.59.155.189 or 207.59.155.190) written on the document is the WAN IP of the old PIX 5505 appliance. Can anyone help me verify this?

Thanks.

Hi, surbabu140977, I couldn't understand some of your points.

For the 1605 router, there are four ports on it. From left to right:

1. 10 Base T
2. Ethernet 0
3. Ethernet 1 10 base T
4. Console

Do you mean I need to connect the Paetec router to E0 and set up the WAN IP on E0? Also, I need to connect the LAN cable to E1 (do I need to set up a LAN IP on the E1 interface)? Thanks.

------------------------------------------------------------
You need to put Ethernet cable from Paetec router to E0 of 1605. Configure the WAN IP in E0. Put the LAN cable to E1 and attach it to switch (the cable which was going to pix). Switch should be able to ping WAN of 1605. That's all. You should be up and running.

You have only basic IP IOS image in 1605 router. That might not suit well for your purpose.

From Paetec, yes, the second link I think can be disconnected. But again, we can speculate only. It's up to someone at the site to verify if it's doing any good or not. Maybe at the switch, the very particular port of that cable might reveal something.

You can forget about the pix because right now there is no way to put that config anywhere. Your router won't support. You said it's down. Is it hard down? How will you recover?

You have 2 ethernet ports. E0 and E1. (both are 10base T). You should be avoiding using those. So in short that router won't serve you any good.

There is one serial wan interface slot. You have to contact paetec if they will support it. (proper cable for T1).

If paetec says yes, then that wan can be used and E0 or E1 can be plugged to your lan. We will help.

But avoid using that router. As said earlier, it's old and the hardware is not enough for your job. It will create a big lot of issues.

Do not allow anyone to use that E0 or E1 for WAN.

Best,

OK, I purchased a SonicWall TZ215 for that site and configured it as below.

I hope after I ship the appliance to North Carolina, it can work.

The IP address is as follows; could you help me check it?

In my old record file, I saw one line "PIX global 207.59.155.189" and "Pix 207.59.155.190". I got confused by these two IPs; I don't know which one the old firewall used for the WAN port.


WAN Interface:
Static mode
IP: 207.59.155.189
Subnet mask: 255.255.255.240
Default Gateway: 207.59.155.177

DNS Server:
66.255.85.8
66.255.85.9
208.67.222.222
4.2.2.2
8.8.8.8

LAN Interface
Static IP Mode
10.10.28.6
255.255.252.0
Default LAN

Most likely the WAN IP was 207.59.155.190 and "PIX global 207.59.155.189" was used for NAT/PAT in the PIX. But there is no harm now if you use them alternately, because you have the full IP range from 207.59.155.177 - 207.59.155.190 available. You can use anything in between for anything. It's a fresh new config and it's all yours. :)

No need to use separate IP, you can use the WAN IP as global and do the natting.

I think you may have missed the nat config in your firewall. Without it your inside lan will not be able to connect to internet. (did not see you mentioning NAT)

Best,
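
An offline sanity check of the addressing discussed above, added here as an example and not part of the original thread: it runs Python's `ipaddress` module over the WAN and LAN values from the SonicWall post to confirm the usable WAN range, that the gateway is on-link, and that the NC LAN does not overlap headquarters. The /22 mask for 10.10.4.0 and the function names are assumptions; the thread gives only the network address.

```python
import ipaddress

# Values copied from the thread. HQ_LAN's prefix length is an assumption:
# the thread only names the headquarters network as 10.10.4.0.
WAN_IF = ipaddress.ip_interface("207.59.155.189/255.255.255.240")
WAN_GW = ipaddress.ip_address("207.59.155.177")
OLD_PIX = ipaddress.ip_address("207.59.155.190")
LAN_IF = ipaddress.ip_interface("10.10.28.6/255.255.252.0")
HQ_LAN = ipaddress.ip_network("10.10.4.0/22")  # assumed mask


def usable_range(iface):
    """First and last assignable host address of the interface's subnet."""
    hosts = list(iface.network.hosts())
    return hosts[0], hosts[-1]


def check_plan(wan, gateway, lan, remote_lan, extra_public=()):
    """Return a list of problems found in a firewall addressing plan."""
    problems = []
    net = wan.network
    if wan.ip in (net.network_address, net.broadcast_address):
        problems.append(f"WAN IP {wan.ip} is the network or broadcast address")
    if gateway not in net:
        problems.append(f"gateway {gateway} is not on-link in {net}")
    if gateway == wan.ip:
        problems.append("WAN IP and default gateway are identical")
    for addr in extra_public:  # e.g. an address reserved for NAT/PAT
        if addr not in net:
            problems.append(f"{addr} is outside the WAN subnet {net}")
    lan_net = lan.network
    if lan.ip in (lan_net.network_address, lan_net.broadcast_address):
        problems.append(f"LAN IP {lan.ip} is not a host address")
    if lan_net.overlaps(remote_lan):
        # Overlapping site networks cannot be routed to each other.
        problems.append(f"LAN {lan_net} overlaps remote {remote_lan}")
    return problems


if __name__ == "__main__":
    print("WAN subnet:", WAN_IF.network, "usable:", usable_range(WAN_IF))
    print("LAN subnet:", LAN_IF.network, "usable:", usable_range(LAN_IF))
    found = check_plan(WAN_IF, WAN_GW, LAN_IF, HQ_LAN, [OLD_PIX])
    print("problems:", found or "none")
```
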
Hi, surbabu, I sent out the new SonicWall TZ215 there and installed it well. It is working now.
I will check to see if I need to set up a proxy on the firewall. We have a proxy Linux server at that site; if I want to still use that proxy server, do I need to route all internet traffic to that server?

Thanks.

No, just go into the browser (IE or Firefox) of the PCs and type the proxy IP there.

In Firefox it's under Edit-->Preference-->Advance-->Network tab.

In Internet Explorer, it's under tools-->Internet options-->connection tab.

The proxy server IP should be natted in your firewall, else connections won't go out.

You can also put a 207.59.155.xxx IP directly in the server and all LAN traffic should get routed through the firewall to the proxy and then again back to the firewall for internet, but it's not the best design to route all traffic unnecessarily.

Some people also put in a dual NIC and put one LAN IP and one WAN IP also. It's your choice.

Best,

Got it solved, we will implement the proxy control through sonic.
Very good reply.