Watchguard - two networks

We have an office shared by two companies. I have a WatchGuard XTM 26 as the internet gateway for our company. We are attempting to connect to the other company's network in order to share a printer. Our network (say Company A) is on 192.168.30.0/24 and their network (say Company B) is on 192.168.20.0/24. I have Port 0 set up as the untrusted port for our internet connection. Port 1 is for our trusted 30.0 network. I have set up Port 2 as optional with the address 192.168.20.253, and it goes to Company B's network switch. I can successfully ping the printer address (192.168.20.101) directly from the WatchGuard, but cannot get any client stations on the Company A network to ping the printer successfully.
I added "Any" policies to and from that optional port to our Company A network, but still no luck. I can see the log entries for the successful sending of the ping, but nothing coming back in. I thought it might be that their (Company B) network does not have any routes set up, but then why would the WatchGuard pings work and not the client stations?
Is it still a policy issue?
wlamore Asked:
aschaef217 Commented:
I did find another Experts Exchange post which may help you out as well.

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Watchguard_Firewall/Q_27383210.html

It looks like they got it working by setting both of the internal interfaces to "trusted" and in the policy you would set the from and to addresses to both subnets like so:

From:
192.168.30.0/24
192.168.20.0/24

To:
192.168.30.0/24
192.168.20.0/24
aschaef217 Commented:
It sounds like you have it right; they most likely do not have any routes on their network to direct traffic to the 192.168.30.0 network. You can ping their printer from your WatchGuard because the WatchGuard is using 192.168.20.253 as the source of the ping, and it is on the same subnet as the printer. They will need to add a route that looks like the following (using a Cisco command as an example):

ip route 192.168.30.0 255.255.255.0 192.168.20.253
On their side you want all traffic destined for the Company A subnet 192.168.30.0/24 to be directed to the watchguard gateway address 192.168.20.253.

You will want a similar route on your side where any traffic destined for the Company B subnet 192.168.20.0/24 is directed to the WatchGuard gateway address 192.168.30.253.
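The asymmetry in the answer above (the firewall's own ping works, a client's does not) comes down to the reply path, so here is a small route-walk model of the thread's topology. This is an added example, not code from the thread: it does longest-prefix matching at each hop, traces the forward path and then the path the echo reply takes, and shows that only Company B's router needs the new route (the WatchGuard already has 192.168.20.0/24 as a connected interface). Company B's router address (192.168.20.1) and the printer's use of it as default gateway are assumptions; the client's gateway 192.168.30.1 is the WatchGuard trusted address from the thread.

```python
"""Route walk over the two-company topology: longest-prefix match at each hop,
forward path and reply path. Added example, not code from the thread.
Assumed: Company B's router is 192.168.20.1 and is the printer's default gateway."""
import ipaddress
from dataclasses import dataclass, field

INTERNET = "internet"   # sentinel next hop: a default route that leaves the site


@dataclass
class Host:
    name: str
    addrs: list                                  # addresses held by this host
    routes: list = field(default_factory=list)   # (network, next_hop); None = on-link

    def lookup(self, dst):
        """Longest-prefix match; returns next hop (None for on-link) or raises KeyError."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            raise KeyError(f"{self.name}: no route to {dst}")
        return best[1]


def build(company_b_has_route):
    """Four-host model of the thread; company_b_has_route adds the suggested fix."""
    A, N = ipaddress.ip_address, ipaddress.ip_network
    client = Host("clientA", [A("192.168.30.107")],
                  [(N("192.168.30.0/24"), None), (N("0.0.0.0/0"), A("192.168.30.1"))])
    fw = Host("watchguard", [A("192.168.30.1"), A("192.168.20.253")],
              [(N("192.168.30.0/24"), None), (N("192.168.20.0/24"), None),
               (N("0.0.0.0/0"), INTERNET)])
    printer = Host("printer", [A("192.168.20.101")],            # gateway assumed
                   [(N("192.168.20.0/24"), None), (N("0.0.0.0/0"), A("192.168.20.1"))])
    router_b = Host("routerB", [A("192.168.20.1")],             # address assumed
                    [(N("192.168.20.0/24"), None), (N("0.0.0.0/0"), INTERNET)])
    if company_b_has_route:   # ip route 192.168.30.0 255.255.255.0 192.168.20.253
        router_b.routes.insert(0, (N("192.168.30.0/24"), A("192.168.20.253")))
    return {h.name: h for h in (client, fw, printer, router_b)}


def owner(hosts, ip):
    """Host holding an address, or None (nobody would answer ARP for it)."""
    return next((h for h in hosts.values() if ip in h.addrs), None)


def trace(hosts, src_name, dst_ip, max_hops=8):
    """Walk hop by hop; returns (path, delivered)."""
    dst = ipaddress.ip_address(dst_ip)
    cur, path = hosts[src_name], [src_name]
    for _ in range(max_hops):
        if dst in cur.addrs:
            return path, True
        try:
            nh = cur.lookup(dst)
        except KeyError:
            return path, False
        if nh == INTERNET:
            return path + [INTERNET], False       # off-site, never answered
        cur = owner(hosts, dst if nh is None else nh)
        if cur is None:
            return path, False
        path.append(cur.name)
    return path, False


def ping(hosts, src_name, src_ip, dst_ip):
    """Forward path plus the path the echo reply would take back to src_ip."""
    fwd, fok = trace(hosts, src_name, dst_ip)
    result = {"forward_path": fwd, "forward_ok": fok, "reply_path": [], "reply_ok": False}
    if fok:
        target = owner(hosts, ipaddress.ip_address(dst_ip)).name
        rev, rok = trace(hosts, target, src_ip)
        result.update(reply_path=rev, reply_ok=rok)
    return result


if __name__ == "__main__":
    for fixed in (False, True):
        hosts = build(fixed)
        print("Company B route present:", fixed)
        print("  firewall ->", ping(hosts, "watchguard", "192.168.20.253", "192.168.20.101"))
        print("  client   ->", ping(hosts, "clientA", "192.168.30.107", "192.168.20.101"))
```

Without the route, the client's request is delivered (the log entry the poster sees) but the reply leaves via Company B's default route and is lost; the firewall's own ping succeeds only because its source address is on the printer's subnet. The other way to get the same effect without touching Company B's router is to source-NAT client traffic on that policy so it leaves the firewall as 192.168.20.253 (WatchGuard exposes this as the per-policy dynamic NAT setting), at the cost of Company B no longer seeing which Company A station is talking to the printer.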
wlamore (Author) Commented:
Thanks for that verification. I thought that was the issue. I'll contact their IT and see if they can add that route for us. I do have that route set up in the WatchGuard now, so it should be ready to go when they get it added. I might keep this open for a little while longer just to make sure that works.
aschaef217 Commented:
No problem. Let me know if you have any continued issues, and I'd be happy to assist.
wlamore (Author) Commented:
Well, no luck so far. The other company (B) set up the route to 192.168.30.253, but it's not getting through to the client station. They can ping the (A) WatchGuard port at .253, but nothing behind it. I'm still thinking it's my policy setup on the WatchGuard, but I'm not sure. I have the route added as suggested. I have asked them to try to ping the workstation behind our WatchGuard on network (A) and am awaiting a response.
A tracert from our workstation ends at 192.168.30.1 (our WatchGuard address/gateway).
aschaef217 Commented:
Is the second interface to Company B set to "Trusted" as well?
aschaef217 Commented:
On Company B's side they should have a route that takes all traffic destined for 192.168.30.0/24 and sends it to 192.168.20.253 (not 192.168.30.253). On your side, what is the gateway address for the Company A network?
wlamore (Author) Commented:
I have tried setting up the interface as trusted and as optional, but with the same results. According to Company A, they set up the route:
192.168.30.0 255.255.255.0 192.168.20.253

On my side I have played with it multiple ways. But right now I have it set to:
192.168.20.0/24 go to gateway 192.168.20.253
aschaef217 Commented:
I believe it should be set to Trusted. On your side, if the WatchGuard interface address is 192.168.30.1 then you should have your route set up so that everything destined for 192.168.20.0/24 is pointed to 192.168.30.1. If it's 192.168.30.253 then use that instead of 192.168.30.1.
wlamore (Author) Commented:
I have matched all the setup information for the route. When I look at the logs I can see the ping going out through the ping policy I set:
2014-02-17 15:25:20 Allow 192.168.30.107 192.168.20.101 icmp   1-Trusted 2-Optional-1 Allowed 60 127 (Ping.to.PLDA-00)  proc_id="firewall" rc="100"       Traffic

30.107 is my client station and 20.101 is the printer I'm trying to contact.
But nothing is coming back in. Unfortunately I can't control the other side of the equation and see their logs.
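The log line quoted above only proves the request left the firewall; what distinguishes a policy problem from a return-route problem is whether anything from the printer ever arrives on the optional interface at all. The following added example (not code from the thread) parses traffic lines in the field order of the quoted entry (date, time, disposition, source, destination, protocol, source interface, destination interface) and gives each client/printer pair one of three verdicts: a reply was allowed back, a reply arrived but was denied (a policy problem on the WatchGuard), or no reply reached the firewall (look at routing on Company B's side). Every log line except the poster's own is constructed, and the policy name on the constructed Deny line is an assumption about how a denied inbound reply would be labelled.

```python
"""Separate a firewall policy problem from a return-route problem using the
firewall's traffic log. Added example, not from the thread. Field order is
taken from the poster's quoted line; all other lines below are constructed."""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<disp>Allow|Deny) (?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<proto>\S+)\s+"
    r"(?P<src_if>\S+) (?P<dst_if>\S+)"
)

REPLY_OK = "reply seen: path works"
REPLY_DENIED = "reply reached firewall but was denied: fix the policy"
NO_REPLY = "no reply reached firewall: check the return route on the far side"

# First line is the poster's; the rest are constructed for this example.
# 192.168.30.112 gets a reply that the firewall denies (policy problem);
# 192.168.30.120 gets a reply that is allowed; the TCP line is unrelated traffic.
SAMPLE_LOG = """\
2014-02-17 15:25:20 Allow 192.168.30.107 192.168.20.101 icmp   1-Trusted 2-Optional-1 Allowed 60 127 (Ping.to.PLDA-00)  proc_id="firewall" rc="100"       Traffic
2014-02-17 15:25:21 Allow 192.168.30.107 192.168.20.101 icmp   1-Trusted 2-Optional-1 Allowed 60 127 (Ping.to.PLDA-00)  proc_id="firewall" rc="100"       Traffic
2014-02-17 15:25:30 Allow 192.168.30.112 192.168.20.101 icmp   1-Trusted 2-Optional-1 Allowed 60 127 (Ping.to.PLDA-00)  proc_id="firewall" rc="100"       Traffic
2014-02-17 15:25:30 Deny 192.168.20.101 192.168.30.112 icmp   2-Optional-1 1-Trusted Denied 60 127 (Unhandled Internal Packet-00)  proc_id="firewall"       Traffic
2014-02-17 15:25:41 Allow 192.168.30.120 192.168.20.101 icmp   1-Trusted 2-Optional-1 Allowed 60 127 (Ping.to.PLDA-00)  proc_id="firewall" rc="100"       Traffic
2014-02-17 15:25:41 Allow 192.168.20.101 192.168.30.120 icmp   2-Optional-1 1-Trusted Allowed 60 127 (Ping.to.PLDA-00)  proc_id="firewall" rc="100"       Traffic
2014-02-17 15:26:02 Allow 192.168.30.107 203.0.113.10 tcp   1-Trusted 0-External Allowed 60 127 (HTTP-00)  proc_id="firewall" rc="100"       Traffic
"""


def parse(log_text):
    """Yield one dict per traffic line that matches the expected field layout."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["src"] = ipaddress.ip_address(rec["src"])
            rec["dst"] = ipaddress.ip_address(rec["dst"])
            yield rec


def diagnose(log_text, client_cidr, target_cidr, proto="icmp"):
    """Map each (client, target) pair that sent traffic to one of the verdicts above."""
    clients = ipaddress.ip_network(client_cidr)
    targets = ipaddress.ip_network(target_cidr)
    outbound = defaultdict(int)      # (client, target) -> allowed requests out
    inbound = defaultdict(set)       # (client, target) -> dispositions of packets coming back
    for rec in parse(log_text):
        if rec["proto"] != proto:
            continue
        if rec["src"] in clients and rec["dst"] in targets and rec["disp"] == "Allow":
            outbound[(rec["src"], rec["dst"])] += 1
        elif rec["src"] in targets and rec["dst"] in clients:
            inbound[(rec["dst"], rec["src"])].add(rec["disp"])
    verdicts = {}
    for pair in outbound:
        back = inbound.get(pair, set())
        if "Allow" in back:
            verdict = REPLY_OK
        elif "Deny" in back:
            verdict = REPLY_DENIED
        else:
            verdict = NO_REPLY
        verdicts[(str(pair[0]), str(pair[1]))] = verdict
    return verdicts


if __name__ == "__main__":
    for (client, target), verdict in diagnose(SAMPLE_LOG, "192.168.30.0/24", "192.168.20.0/24").items():
        print(f"{client} -> {target}: {verdict}")
```

One caveat when reading real output: a stateful firewall may not log a reply that belongs to an already-allowed session, so an "Allow" line for the return direction is not guaranteed even when the path works. The useful signal is the Deny: a reply that reached the optional interface and was refused would be logged as denied, so a complete absence of inbound lines from the printer means the reply never arrived, which is a routing problem on Company B's side rather than a WatchGuard policy problem.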
wlamore (Author) Commented:
Got that done. Still no luck. The logs look like they are allowing ping traffic out, but nothing is coming back. I have sent off an e-mail to the other company's support to see if they can test a ping from their end; no answer yet.
wlamore (Author) Commented:
Although we did not finish with the other company, I think you were correct in all your advice. Thanks.