Solved

Watchguard - two networks

Posted on 2014-02-14
393 Views
Last Modified: 2014-03-11
We have an office shared by two companies. I have a WatchGuard XTM 26 for our company to be the internet gateway. We are attempting to connect to the other company's network in order to share a printer. Our network (say Company A) is on the 192.168.30.0/24 network and their network (say Company B) is at 192.168.20.0/24. I have Port 0 set up as the untrusted port for our internet connection. Port 1 is for our trusted 30.0 network. I have set up port 2 as optional with a 192.168.20.253 address, and it goes to Company B's network switch. I can successfully ping the printer address (192.168.20.101) directly from the WatchGuard, but cannot get any client stations on the Company A network to get a successful ping to the printer.
I added "Any" policies to and from that optional port to our Company A network, but still no luck. I can see the log entries for successful sending of the ping, but nothing coming back in. I thought it may be that their (Company B) network does not have any routes set up, but then why would the WatchGuard pings work and not the client stations?
Is it still a policy issue?
Question by: wlamore

12 Comments
 
LVL 6

Expert Comment

by:aschaef217
ID: 39859729
It sounds like you have it right; they most likely do not have any routes on their network to direct traffic to the 192.168.30.0 network. You can ping their printer from your watchguard because the watchguard is using 192.168.20.253 as the source of the ping and it's on the same subnet as the printer. They will need to add a route that looks like the following (using a Cisco command as an example):

ip route 192.168.30.0 255.255.255.0 192.168.20.253

On their side you want all traffic destined for the Company A subnet 192.168.30.0/24 to be directed to the watchguard gateway address 192.168.20.253.

You will want a similar route on your side where any traffic destined for the Company B subnet 192.168.20.0/24 is directed to the watchguard gateway address 192.168.30.253.
0
 

Author Comment

by:wlamore
ID: 39859901
Thanks for that verification. I thought that was the issue. I'll contact their IT and see if they can add that route for us. I do have that route setup in the watchguard now, so it should be ready to go when they get it added. I might keep this open for a little while longer just to make sure that works.
0
 
LVL 6

Expert Comment

by:aschaef217
ID: 39860500
No problem. Let me know if you have any continued issues, and I'd be happy to assist.
0
 

Author Comment

by:wlamore
ID: 39865620
Well, no luck so far. The other company (B) set up the route to 192.168.30.253, but it's not getting through to the client station. They can ping the (A) watchguard port at .253, but nothing behind it. I'm still thinking it's my policy setup on the watchguard, but I'm not sure. I have the route added as suggested. I have asked them to try and ping the workstation behind our watchguard on network (A) and am awaiting a response.
A tracert from our workstation ends at 192.168.30.1 (our watchguard address/gateway).
0
 
LVL 6

Expert Comment

by:aschaef217
ID: 39865641
Is the second interface to Company B set to "Trusted" as well?
0
 
LVL 6

Expert Comment

by:aschaef217
ID: 39865652
On Company B's side they should have a route that takes all traffic destined for 192.168.30.0/24 and sends it to 192.168.20.253 (not 192.168.30.253). On your side, what is the gateway address for the Company A network?
0
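As an added illustration of the diagnosis in the comments above (this is not code from the thread or from WatchGuard), the following Python model traces both the forward path and the return path of a ping through the topology described: the WatchGuard's own ping succeeds because its source address is on-link with the printer, a client ping fails until Company B's gateway has a return route for 192.168.30.0/24 via 192.168.20.253, and a route whose next hop is 192.168.30.253 is useless because that address is not on Company B's subnet. The Company B router "rtrB" at 192.168.20.1 is an assumption standing in for the printer's real default gateway, and firewall policy is assumed to permit the traffic.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not from the thread).
# Company A clients (192.168.30.0/24) use the WatchGuard trusted address 192.168.30.1;
# the WatchGuard optional interface 192.168.20.253 sits on Company B's 192.168.20.0/24.
# "rtrB" at 192.168.20.1 is a hypothetical stand-in for the printer's default gateway.
# Only routing is modelled; firewall policies are assumed to permit the traffic.

def make_node(addrs, routes=()):
    return {"addrs": [ipaddress.ip_interface(a) for a in addrs],
            "routes": [(ipaddress.ip_network(d), ipaddress.ip_address(n)) for d, n in routes]}

def next_hop(node, dst):
    """Next-hop address for dst, or None when node cannot forward toward it."""
    if any(dst in i.network for i in node["addrs"]):
        return dst                                   # directly connected: deliver on-link
    matches = [(n, nh) for n, nh in node["routes"] if dst in n]
    if not matches:
        return None
    nh = max(matches, key=lambda m: m[0].prefixlen)[1]   # longest-prefix match
    # A next hop that is not on a connected subnet cannot be resolved, so the route is dead.
    return nh if any(nh in i.network for i in node["addrs"]) else None

def trace(nodes, src, dst):
    """Hop-by-hop node path from src to address dst, or None where forwarding stops."""
    dst, path, cur = ipaddress.ip_address(dst), [src], src
    for _ in range(8):                               # TTL-style guard against routing loops
        nh = next_hop(nodes[cur], dst)
        cur = next((k for k, v in nodes.items() if any(nh == i.ip for i in v["addrs"])), None)
        if cur is None:
            return None
        path.append(cur)
        if nh == dst:
            return path
    return None

def ping(nodes, src, dst):
    """An echo request needs a forward path AND a return path for the reply."""
    fwd = trace(nodes, src, dst)
    if fwd is None:
        return False
    first_hop = next_hop(nodes[src], ipaddress.ip_address(dst))
    src_ip = next(i.ip for i in nodes[src]["addrs"] if first_hop in i.network)  # egress address
    return trace(nodes, fwd[-1], str(src_ip)) is not None

def scenario(rtr_b_routes=()):
    return {"clientA": make_node(["192.168.30.107/24"], [("0.0.0.0/0", "192.168.30.1")]),
            "watchguard": make_node(["192.168.30.1/24", "192.168.20.253/24"]),
            "rtrB": make_node(["192.168.20.1/24"], rtr_b_routes),
            "printer": make_node(["192.168.20.101/24"], [("0.0.0.0/0", "192.168.20.1")])}
```

Call `ping(scenario(), "clientA", "192.168.20.101")` with and without a route list for rtrB to reproduce the "ping allowed out, nothing coming back" symptom from the logs.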
 

Author Comment

by:wlamore
ID: 39865681
I have tried setting up the interface as trusted and as optional, but with the same results. According to Company A, they set up the route:
192.168.30.0 255.255.255.0 192.168.20.253

On my side I have played with it multiple ways. But right now I have it set to:
192.168.20.0/24 go to gateway 192.168.20.253
0
 
LVL 6

Expert Comment

by:aschaef217
ID: 39865695
I believe it should be set to Trusted. On your side, if the watchguard interface address is 192.168.30.1 then you should have your route set up so that everything destined for 192.168.20.0/24 is pointed to 192.168.30.1. If it's 192.168.30.253 then use that instead of 192.168.30.1.
0
 

Author Comment

by:wlamore
ID: 39865837
I have matched all the setup information for the route. When I look at the logs I can see the ping going out through the ping policy I set.
2014-02-17 15:25:20 Allow 192.168.30.107 192.168.20.101 icmp   1-Trusted 2-Optional-1 Allowed 60 127 (Ping.to.PLDA-00)  proc_id="firewall" rc="100"       Traffic

30.107 is my client station and 20.101 is the printer I'm trying to contact.
But nothing is coming back in. Unfortunately I can't control the other side of the equation and see their logs.
0
 
LVL 6

Accepted Solution

by: aschaef217 (earned 500 total points)
ID: 39865962
I did find another Experts Exchange post which may help you out as well.

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Watchguard_Firewall/Q_27383210.html

It looks like they got it working by setting both of the internal interfaces to "trusted" and in the policy you would set the from and to addresses to both subnets like so:

From:
192.168.30.0/24
192.168.20.0/24

To:
192.168.30.0/24
192.168.20.0/24
0
 

Author Comment

by:wlamore
ID: 39866045
Got that done. Still no luck. Logs look like they are allowing ping traffic out, but nothing is coming back. I have sent off an e-mail to the other company's support to see if they can test a ping from their end; no answer yet.
0
 

Author Closing Comment

by:wlamore
ID: 39921830
Although we did not finish with the other company, I think you were correct in all your advice. Thanks.
0
