Solved

can a 1605 router forward traffic to a different subnet?

Posted on 2013-06-19
432 Views
Last Modified: 2013-07-01
I have a site in north carolina, its network infrastructure document is as in the attachment.

I got a disaster from that site. The firewall device PIX 5505 was totally dead. The only thing I know about that device is its internal IP 10.10.28.6. If I plan to buy another device of the same model, how could I make the configuration?

Also, the following is my understanding of the diagram, is it correct? Especially about the 1605 router's function. Does it have the ability to receive traffic from the 10.10.28.0 network and forward it to the 10.10.4.0 network in our headquarters?

From the document I have, I believe the PIX 5505 which is already dead had been working as both firewall and gateway. All desktop traffic would be sent to the PIX 5505 first, then it decided if the traffic should go to the internet through the T1 router (provided by Paetec) or be forwarded to the internal router 1605. Also I am not sure how the 1605 router forwards internal traffic to Bradford since there is only one cable connecting it. The only time it works with one cable is when the source network and destination network are the same network. In our case, the network in NC is 10.10.28.0, the one at Bradford is 10.10.4.0. I am not sure if it can achieve it.
Question by:Jason Yu
12 Comments
 

Author Comment

by:Jason Yu
sorry, I forgot to attach the diagram.
NC-network-infrastructure-diagra.pdf
 
LVL 17

Accepted Solution

by: surbabu140977 (earned 500 total points)
First question, why is one Ethernet link from the Paetec router going directly to your switch? (The other one normally goes to the PIX, I understand.)

Second question, is it a 1605-R series router? What IOS are you running there?

It will be possible to use the 1605 router, but security compliance will not be there like with the PIX. This router may or may not support your actual data flow (the 1605 is not so powerful). But since you have a T1, it might not be an issue.

If you do not have any backup config, it will be a fresh start. Even with a backup of the PIX, things might not look so simple.

Things will not look good if you ask the 1605 router to do internal routing as well as act as the WAN gateway with security. You might end up with more problems than solutions.

Best,
 
LVL 17

Expert Comment

by:surbabu140977
You need to put an Ethernet cable from the Paetec router to E0 of the 1605. Configure the WAN IP on E0. Put the LAN cable on E1 and attach it to the switch (the cable which was going to the PIX). The switch should be able to ping the WAN of the 1605. That's all. You should be up and running.

But as far as security or the PIX config is concerned, I cannot comment on that. It will not be wholly replicable on the 1605.

Best,
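The forwarding question from the original post (can a 1605 with one LAN cable get 10.10.28.0 traffic to 10.10.4.0?) and the E0/E1 cabling suggested in the comment above, modelled as an added example. This is not code from the thread and not a Cisco configuration: it is a small Python forwarder that does what any IP router does, a longest-prefix match against connected and static routes, and shows that a single Ethernet cable is enough as long as the next hop for the other subnet is reachable either over the serial T1 or via another device on that same Ethernet segment. Known from the thread: NC LAN 10.10.28.0/22 (from the 255.255.252.0 mask posted later), firewall inside address 10.10.28.6, HQ network 10.10.4.0, a T1 WIC on the 1605. Assumed for illustration: the 1605's own interface addresses, the T1 point-to-point /30, the /24 mask for 10.10.4.0, and a DSL router at 10.10.28.5 for the failover step.

```python
"""Forwarding model for the NC site: does a router with one LAN cable reach 10.10.4.0?

Constructed example (not from the thread). Known from the thread: NC LAN is
10.10.28.0/22, the PIX/SonicWall inside address is 10.10.28.6, HQ (Bradford)
uses 10.10.4.0, and the 1605 has a T1 WIC plus two Ethernet ports. Everything
else below (the 1605's addresses, the T1 point-to-point /30, the HQ prefix
length, the DSL router address) is an assumption chosen for illustration.
"""
from ipaddress import ip_address, ip_interface, ip_network


def same_subnet(host_a: str, host_b: str, prefixlen: int) -> bool:
    """True when both hosts fall in the same subnet of the given prefix length."""
    return (ip_interface(f"{host_a}/{prefixlen}").network
            == ip_interface(f"{host_b}/{prefixlen}").network)


class Router:
    """Minimal IPv4 forwarder: connected routes plus static routes, longest prefix wins."""

    def __init__(self, interfaces: dict):
        self.interfaces = {name: ip_interface(addr) for name, addr in interfaces.items()}
        # (destination network, next hop or None for directly connected, egress interface)
        self.routes = [(iface.network, None, name) for name, iface in self.interfaces.items()]

    def _egress_for(self, addr):
        for name, iface in self.interfaces.items():
            if addr in iface.network:
                return name
        return None

    def add_route(self, prefix: str, next_hop: str) -> None:
        nh = ip_address(next_hop)
        egress = self._egress_for(nh)
        if egress is None:
            # A static route is only usable if the next hop sits on a connected subnet.
            raise ValueError(f"next hop {nh} is not on any connected subnet")
        self.routes.append((ip_network(prefix), nh, egress))

    def remove_route(self, prefix: str, next_hop: str) -> None:
        target = (ip_network(prefix), ip_address(next_hop))
        self.routes = [r for r in self.routes if (r[0], r[1]) != target]

    def lookup(self, dst: str):
        """Return (egress interface, address the frame is handed to) or None if no route."""
        dst_ip = ip_address(dst)
        best = None
        for net, nh, egress in self.routes:
            if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, egress)
        if best is None:
            return None
        net, nh, egress = best
        # Directly connected: deliver to the destination itself; otherwise to the next hop.
        return egress, str(nh if nh is not None else dst_ip)


def build_nc_router() -> Router:
    """The 1605 as read from the diagram: one Ethernet into the LAN switch, T1 to HQ."""
    r = Router({
        "Ethernet1": "10.10.28.2/22",     # assumed 1605 LAN address, same segment as 10.10.28.6
        "Serial0": "192.168.255.1/30",    # assumed T1 point-to-point link towards Bradford
    })
    r.add_route("10.10.4.0/24", "192.168.255.2")  # HQ LAN (assumed /24) via the T1 peer
    r.add_route("0.0.0.0/0", "10.10.28.6")        # everything else back to the firewall (assumed)
    return r


def failover_to_dsl(r: Router) -> Router:
    """The 'reset routes' step from the thread: send HQ traffic via the DSL path instead of T1."""
    r.remove_route("10.10.4.0/24", "192.168.255.2")
    r.add_route("10.10.4.0/24", "10.10.28.5")     # assumed DSL router on the same LAN segment
    return r


if __name__ == "__main__":
    print(same_subnet("10.10.28.20", "10.10.4.10", 22))   # False: a router is required
    r = build_nc_router()
    print(r.lookup("10.10.4.10"))   # ('Serial0', '192.168.255.2')
    print(r.lookup("8.8.8.8"))      # ('Ethernet1', '10.10.28.6')
    failover_to_dsl(r)
    print(r.lookup("10.10.4.10"))   # ('Ethernet1', '10.10.28.5'): in and out the same cable
```

Run it directly to see the lookups. The failover case is the one the question worries about: the frame arrives on Ethernet1 and leaves on Ethernet1 toward a different next hop, which is exactly what a router with one LAN cable does when the other subnet is behind another device on that segment. Whether the real 1605 was doing this or forwarding over its serial T1 can only be confirmed from its running configuration.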
 

Author Comment

by:Jason Yu
Hi all, thank you for your replies.

---------For the first question, to be honest, I don't understand it either. Could I disconnect it without any impact?
"First question, why one ethernet link from Paetec router is going directly to your switch? (the other one is normally going to pix, I understand)"


---------For the second question.
Yes, it's a 1605 router. The version information is as follows:


NC-1605>enable
Password:
NC-1605#show version
Cisco Internetwork Operating System Software
IOS (tm) 1600 Software (C1600-Y-M), Version 12.1(5)T6,  RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/cgi-bin/ibld/view.pl?i=support
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Fri 30-Mar-01 05:03 by ccai
Image text-base: 0x02005000, data-base: 0x02606324

ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)
ROM: 1600 Software (C1600-RBOOT-R), Version 12.0(3)T,  RELEASE SOFTWARE (fc1)

NC-1605 uptime is 8 hours, 10 minutes
System returned to ROM by power-on
System image file is "flash:c1600-y-mz.121-5.T6"

cisco 1605 (68360) processor (revision C) with 12288K/4096K bytes of memory.
Processor board ID 22638291, with hardware revision 00000003
Bridging software.
X.25 software, Version 3.0.0.
2 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
WIC T1-DSU
System/IO memory with parity disabled
8192K bytes of DRAM onboard 8192K bytes of DRAM on SIMM
System running from RAM
7K bytes of non-volatile configuration memory.
8192K bytes of processor board PCMCIA flash (Read/Write)

Configuration register is 0x2102

NC-1605#


---------------For this site, we have a failover setup: we have a T1 provided by Paetec and a DSL provided by another company. When we have a T1 problem, we transfer traffic to the DSL. We achieve this switch by resetting routes on both the headquarters' firewall and this 1605 router. If you need details, I can upload the configuration commands here.

Now, the problem for me is that I need to recover the old settings on the new PIX 5505 firewall. I am not sure if the PIX IP (207.59.155.189 or 207.59.155.190) written in the document is the WAN IP of the old PIX 5505 appliance. Can anyone help me verify this?

thanks.
 

Author Comment

by:Jason Yu
Hi, surbabu140977, I couldn't understand some of your points.

For the 1605 router, there are four ports on it. From left to right:

1. 10 Base T
2. Ethernet 0
3. Ethernet 1 10 base T
4. Console

Do you mean I need to connect the Paetec router to E0 and set up the WAN IP on E0? Also, I need to connect the LAN cable to E1 (do I need to set up a LAN IP on the E1 interface)? Thanks.

------------------------------------------------------------
"You need to put an Ethernet cable from the Paetec router to E0 of the 1605. Configure the WAN IP on E0. Put the LAN cable on E1 and attach it to the switch (the cable which was going to the PIX). The switch should be able to ping the WAN of the 1605. That's all. You should be up and running."
 
LVL 17

Expert Comment

by:surbabu140977
You have only the basic IP IOS image on the 1605 router. That might not suit your purpose well.

From Paetec, yes, I think the second link can be disconnected. But again, we can only speculate. It's up to someone at the site to verify if it's doing any good or not. Maybe the particular switch port that cable goes into might reveal something.

You can forget about the PIX because right now there is no way to put that config anywhere. Your router won't support it. You said it's down. Is it hard down? How will you recover?

You have 2 Ethernet ports, E0 and E1 (both are 10BASE-T). You should avoid using those. So in short that router won't do you any good.

There is one serial WAN interface slot. You have to contact Paetec to see if they will support it (proper cable for T1).

If Paetec says yes, then that WAN can be used and E0 or E1 can be plugged into your LAN. We will help.

But avoid using that router. As said earlier, it's old and the hardware is not enough for your job. It will create a big lot of issues.

Do not allow anyone to use that E0 or E1 for WAN.

Best,
 

Author Comment

by:Jason Yu
OK, I purchased a SonicWall TZ215 for that site and configured it as below.

I hope that after I ship the appliance to North Carolina, it will work.

The IP addresses are as follows; could you help me check them?

In my old record file, I saw the lines "PIX global 207.59.155.189" and "Pix 207.59.155.190". I got confused by these two IPs and don't know which one the old firewall used for the WAN port.


WAN Interface:
Static mode
IP: 207.59.155.189
Subnet mask: 255.255.255.240
Default Gateway: 207.59.155.177

DNS Server:
66.255.85.8
66.255.85.9
208.67.222.222
4.2.2.2
8.8.8.8



LAN Interface
Static IP Mode
10.10.28.6
255.255.252.0
Default LAN
 
LVL 17

Expert Comment

by:surbabu140977
Most likely the WAN IP was 207.59.155.190 and "PIX global 207.59.155.189" was used for NAT/PAT in the PIX. But there is no harm now if you use them the other way around, because you have the full IP range from 207.59.155.177 - 207.59.155.190 available. You can use anything in between for anything. It's a fresh new config and it's all yours. : )

No need to use a separate IP; you can use the WAN IP as the global and do the NATting.

I think you may have missed the NAT config in your firewall. Without it your inside LAN will not be able to connect to the internet. (I did not see you mentioning NAT.)

Best,
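The addressing and NAT point made in the comment above, as an added example. This is a Python model written for this page, not a SonicWall or PIX configuration. It checks two things a practitioner would want confirmed before shipping the box: that the posted WAN settings (207.59.155.189 with mask 255.255.255.240 and gateway 207.59.155.177) place the site in 207.59.155.176/28, so both .189 and .190 are valid host addresses and the only ones the site cannot assign are the network, broadcast and ISP gateway; and that a many-to-one translation (PAT) is what lets 10.10.28.0/22 sources reach the internet, because without it they would leave with private addresses that nothing outside can route back to. The inside hosts and port numbers are constructed.

```python
"""PAT (many-to-one NAT) model for the WAN addressing discussed in the thread.

Constructed example, not a SonicWall or PIX configuration. From the thread:
WAN 207.59.155.189/255.255.255.240, gateway 207.59.155.177, the old "PIX
global" 207.59.155.189 and "Pix" 207.59.155.190, inside LAN 10.10.28.0/22.
Inside hosts and port numbers below are made up.
"""
from ipaddress import ip_address, ip_interface

WAN = ip_interface("207.59.155.189/255.255.255.240")
GATEWAY = ip_address("207.59.155.177")


def site_usable_addresses(wan=WAN, gateway=GATEWAY):
    """Host addresses in the WAN block the site may still assign.

    hosts() already drops the network (.176) and broadcast (.191); the ISP's
    gateway is removed as well, leaving .178 through .190.
    """
    return [str(h) for h in wan.network.hosts() if h != gateway]


class Pat:
    """Port address translation: every inside host shares one global address."""

    def __init__(self, global_ip: str, first_port: int = 1024):
        self.global_ip = ip_address(global_ip)
        self.next_port = first_port
        self.outbound = {}   # (inside_ip, inside_port) -> global_port
        self.inbound = {}    # global_port -> (inside_ip, inside_port)

    def translate_out(self, src_ip: str, src_port: int):
        """Rewrite an outbound source; reuse the existing mapping for a known session."""
        key = (ip_address(src_ip), src_port)
        if not key[0].is_private:
            # Only RFC 1918 sources need hiding; anything else is a misconfiguration.
            raise ValueError(f"{src_ip} is not an inside (RFC 1918) address")
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return str(self.global_ip), port

    def translate_in(self, dst_ip: str, dst_port: int):
        """Map a reply back to the inside host; None means no session, so drop it.

        This is the stateful default deny that makes PAT act as a basic
        inbound filter: unsolicited traffic has no entry and goes nowhere.
        """
        if ip_address(dst_ip) != self.global_ip:
            return None
        entry = self.inbound.get(dst_port)
        if entry is None:
            return None
        return str(entry[0]), entry[1]


def web_request_roundtrip(pat: Pat, inside_ip: str, inside_port: int):
    """Outbound translation and the reverse lookup of the server's reply."""
    global_ip, global_port = pat.translate_out(inside_ip, inside_port)
    return (global_ip, global_port), pat.translate_in(global_ip, global_port)


if __name__ == "__main__":
    print(site_usable_addresses())              # ['207.59.155.178', ..., '207.59.155.190']
    # Using the WAN address itself as the global, as suggested in the comment above.
    pat = Pat(str(WAN.ip))
    print(web_request_roundtrip(pat, "10.10.28.50", 51000))
    print(web_request_roundtrip(pat, "10.10.29.7", 51000))   # same inside port, new global port
    print(pat.translate_in(str(WAN.ip), 4444))   # None: unsolicited inbound is dropped
```

Two hosts using the same inside source port get distinct global ports, which is why one public address is enough for the whole /22. A separate global such as .189 beside a WAN address of .190 (the old PIX layout) works the same way; it simply spends one more address from the block.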
 

Author Comment

by:Jason Yu
Hi surbabu, I sent the new SonicWall TZ215 there and installed it well. It is working now.
I will check to see if I need to set up a proxy on the firewall. We have a Linux proxy server at that site; if I want to still use that proxy server, do I need to route all internet traffic to that server?

thanks.
 
LVL 17

Expert Comment

by:surbabu140977
No, just go into the browser (IE or Firefox) on the PCs and type the proxy IP there.

In Firefox it's under Edit --> Preferences --> Advanced --> Network tab.

In Internet Explorer, it's under Tools --> Internet Options --> Connections tab.

The proxy server IP should be NATted in your firewall, else connections won't go out.

You can also put a 207.59.155.xxx IP directly on the server, and all LAN traffic would then get routed through the firewall to the proxy and back to the firewall again for the internet, but it's not the best design to route all that traffic unnecessarily.

Some people also put in a dual NIC and use one LAN IP and one WAN IP. It's your choice.

Best,
 

Author Comment

by:Jason Yu
Got it solved; we will implement the proxy control through the SonicWall.
 

Author Closing Comment

by:Jason Yu
Very good reply.