wlamore (ASKER)
Watchguard - two networks

We have an office shared by two companies. I have a Watchguard XTM 26 for our company to be the internet gateway. We are attempting to connect to the other company's network in order to share a printer. Our network (say Company A) is on the 192.168.30.0/24 network and their network (say Company B) is at 192.168.20.0/24. I have Port 0 set up as the untrusted port for our internet connection. Port 1 is for our trusted 30.0 network. I have set up port 2 as optional with a 192.168.20.253 address, and it goes to Company B's network switch. I can successfully ping the printer address (192.168.20.101) directly from the Watchguard, but cannot get any client stations on the Company A network to get a successful ping to the printer.
I added "Any" policies to and from that optional port to our Company A network, but still no luck. I can see the log entries for successful sending of the ping, but nothing coming back in. I thought it may be that their (Company B) network does not have any routes set up, but then why would the Watchguard pings work and not the client stations?
Is it still a policy issue?
Andrew

It sounds like you have it right; they most likely do not have any routes on their network to direct traffic to the 192.168.30.0 network. You can ping their printer from your watchguard because the watchguard is using 192.168.20.253 as the source of the ping, and it's on the same subnet as the printer. They will need to add a route that looks like the following (using a Cisco command as an example):

ip route 192.168.30.0 255.255.255.0 192.168.20.253
On their side you want all traffic destined for the Company A subnet 192.168.30.0/24 to be directed to the watchguard gateway address 192.168.20.253.

You will want a similar route on your side where any traffic destined for the Company B subnet 192.168.20.0/24 is directed to the watchguard gateway address 192.168.30.253.
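Andrew's diagnosis (the firewall's own ping works because it is sourced from 192.168.20.253 on the printer's subnet, while a client's echo reply has no route back to 192.168.30.0/24) can be checked in a small routing simulation. This is an added example, not code from the thread or from WatchGuard. The addresses come from the thread; the printer's default gateway 192.168.20.1, the Company B gateway node companyb_gw, and the documentation-range addresses 203.0.113.0/24 and 198.51.100.0/24 for the two internet links are constructed assumptions, and only routing is modelled, not firewall policy.

```python
"""Toy routing simulation of the two-company setup described in the thread.

Added example, not code from the thread or from WatchGuard. The printer's default
gateway (192.168.20.1), the Company B gateway node and the documentation-range
internet addresses are constructed assumptions; firewall policy is not modelled.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    """A host or router: interface addresses plus a static routing table."""
    name: str
    interfaces: dict                                # iface name -> IPv4Interface
    routes: list = field(default_factory=list)      # [(IPv4Network, next-hop IPv4Address)]

    def lookup(self, dst):
        """Longest-prefix match over connected networks and static routes.
        Returns (prefixlen, next_hop), where next_hop None means on-link delivery,
        or None when nothing matches."""
        best = None
        for addr in self.interfaces.values():
            if dst in addr.network and (best is None or addr.network.prefixlen > best[0]):
                best = (addr.network.prefixlen, None)
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh)
        return best


def iface(cidr):
    return ipaddress.ip_interface(cidr)


def route(cidr, via):
    return (ipaddress.ip_network(cidr), ipaddress.ip_address(via))


def build_topology(company_b_return_route):
    """Addresses from the thread; everything else is a constructed assumption."""
    nodes = [
        Node("client", {"eth0": iface("192.168.30.107/24")},
             [route("0.0.0.0/0", "192.168.30.1")]),
        Node("watchguard", {"port0-external": iface("203.0.113.10/24"),
                            "port1-trusted": iface("192.168.30.1/24"),
                            "port2-optional": iface("192.168.20.253/24")},
             [route("0.0.0.0/0", "203.0.113.1")]),
        Node("printer", {"eth0": iface("192.168.20.101/24")},
             [route("0.0.0.0/0", "192.168.20.1")]),          # assumed default gateway
        Node("companyb_gw", {"lan": iface("192.168.20.1/24"),
                             "wan": iface("198.51.100.2/24")},
             [route("0.0.0.0/0", "198.51.100.1")]),
    ]
    if company_b_return_route:
        # the fix from the thread, "ip route 192.168.30.0 255.255.255.0 192.168.20.253",
        # applied on Company B's gateway
        nodes[3].routes.append(route("192.168.30.0/24", "192.168.20.253"))
    return {n.name: n for n in nodes}


def trace(nodes, src_name, dst_ip, max_hops=8):
    """Follow one packet hop by hop. Returns (delivered, [nodes visited])."""
    dst = ipaddress.ip_address(dst_ip)
    owner = {a.ip: n for n in nodes.values() for a in n.interfaces.values()}
    cur = nodes[src_name]
    path = [cur.name]
    for _ in range(max_hops):
        if owner.get(dst) is cur:
            return True, path
        hit = cur.lookup(dst)
        if hit is None:
            return False, path                    # no route at all: dropped
        hop_ip = dst if hit[1] is None else hit[1]
        if hop_ip not in owner:
            return False, path                    # next hop outside the model (e.g. the ISP)
        cur = owner[hop_ip]
        path.append(cur.name)
    return False, path


def ping(nodes, src_name, src_ip, dst_name, dst_ip):
    """Echo request src->dst, then echo reply dst->src; both legs must be delivered."""
    out_ok, out_path = trace(nodes, src_name, dst_ip)
    back_ok, back_path = trace(nodes, dst_name, src_ip)
    return out_ok and back_ok, out_path, back_path


if __name__ == "__main__":
    for has_route in (False, True):
        n = build_topology(has_route)
        print(f"Company B return route present: {has_route}")
        print("  firewall -> printer:", ping(n, "watchguard", "192.168.20.253", "printer", "192.168.20.101"))
        print("  client   -> printer:", ping(n, "client", "192.168.30.107", "printer", "192.168.20.101"))
```

Without the return route the firewall's own ping succeeds on both legs, while the client's echo request reaches the printer and the reply stops at Company B's gateway, which forwards it toward its default route. Adding the route on that gateway completes the reply path printer, companyb_gw, watchguard, client. Whatever the printer's real default gateway is, the symptom is the same: the reply is handed to a device that has no entry for 192.168.30.0/24. The firewall itself needs no extra static route for 192.168.20.0/24, since that network is directly connected on its optional interface.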
wlamore (ASKER)
Thanks for that verification. I thought that was the issue. I'll contact their IT and see if they can add that route for us. I do have that route setup in the watchguard now, so it should be ready to go when they get it added. I might keep this open for a little while longer just to make sure that works.
No problem. Let me know if you have any continued issues, and I'd be happy to assist.
wlamore (ASKER)
Well, no luck so far. The other company (B) set up the route to 192.168.30.253, but it's not getting through to the client station. They can ping the (A) watchguard port at .253, but nothing behind it. I'm still thinking it's my policy setup on the watchguard, but I'm not sure. I have the route added as suggested. I have asked them to try and ping the workstation behind our watchguard on network (A) and am awaiting a response.
A tracert from our workstation ends at 192.168.30.1 (our watchguard address/gateway).
Is the second interface to Company B set to "Trusted" as well?
On Company B's side they should have a route that takes all traffic destined for 192.168.30.0/24 and send it to 192.168.20.253 (not 192.168.30.253).  On your side what is the gateway address for the Company A network?
wlamore (ASKER)
I have tried setting up the interface as trusted and as optional, but with the same results. According to Company A, they setup the route:
192.168.30.0 255.255.255.0 192.168.20.253

On my side I have played with it multiple ways, but right now I have it set to:
192.168.20.0/24  go to gateway 192.168.20.253
I believe it should be set to Trusted.  On your side if the watchguard interface address is 192.168.30.1 then you should have your route setup as everything destined for 192.168.20.0/24 pointed to 192.168.30.1.  If it's 192.168.30.253 then use that instead of 192.168.30.1.
wlamore (ASKER)
I have matched all the setup information for the route. When I look at the logs I can see the ping going out through the ping policy I set.
2014-02-17 15:25:20 Allow 192.168.30.107 192.168.20.101 icmp   1-Trusted 2-Optional-1 Allowed 60 127 (Ping.to.PLDA-00)  proc_id="firewall" rc="100"       Traffic

30.107 is my client station and 20.101 is the printer I'm trying to contact.
But nothing coming back in. Unfortunately I can't control the other side of the equation and see their logs.
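The log line quoted above shows the echo request leaving through the Ping policy with nothing logged in the other direction. As an added example (not the thread's or WatchGuard's code), the following parses the leading fixed fields of that log format and lists the ICMP flows for which an Allow line exists in one direction only. Only the first entry of SAMPLE_LOG is the asker's line; the other entries, including the hypothetical second client 192.168.30.110 and the policy name Example-Deny-00, are constructed for illustration.

```python
"""Spot one-way ICMP flows in WatchGuard-style traffic log lines.

Added example, not the thread's or WatchGuard's code. Only the leading fixed
fields of the format quoted in the thread are parsed (date, time, action, src,
dst, proto, in-interface, out-interface); all SAMPLE_LOG entries after the first
are constructed.
"""
import re

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<action>\w+)\s+"
    r"(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<proto>\w+)\s+"
    r"(?P<in_if>\S+)\s+(?P<out_if>\S+)"
)

SAMPLE_LOG = [
    # the line the asker quoted
    '2014-02-17 15:25:20 Allow 192.168.30.107 192.168.20.101 icmp   1-Trusted 2-Optional-1 Allowed 60 127 (Ping.to.PLDA-00)  proc_id="firewall" rc="100"       Traffic',
    # constructed: a second client whose ping does get a logged reply
    '2014-02-17 15:25:44 Allow 192.168.30.110 192.168.20.101 icmp   1-Trusted 2-Optional-1 Allowed 60 127 (Ping.to.PLDA-00)  proc_id="firewall" rc="100"       Traffic',
    '2014-02-17 15:25:44 Allow 192.168.20.101 192.168.30.110 icmp   2-Optional-1 1-Trusted Allowed 60 63 (Ping.to.PLDA-00)  proc_id="firewall" rc="100"       Traffic',
    # constructed: a denied line, which must not count as a request
    '2014-02-17 15:26:01 Deny 192.168.30.107 192.168.20.101 icmp   1-Trusted 2-Optional-1 Denied 60 127 (Example-Deny-00)  proc_id="firewall" rc="100"       Traffic',
]


def parse(line):
    """Return the leading fields as a dict, or None for lines in another format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def one_way_flows(lines, proto="icmp"):
    """(src, dst) pairs with an Allow line in one direction and nothing logged back."""
    seen = set()
    for line in lines:
        rec = parse(line)
        if rec and rec["proto"] == proto and rec["action"] == "Allow":
            seen.add((rec["src"], rec["dst"]))
    return sorted(p for p in seen if (p[1], p[0]) not in seen)


if __name__ == "__main__":
    for src, dst in one_way_flows(SAMPLE_LOG):
        print(f"no reply ever logged for {src} -> {dst}")
```

Against the sample the only one-way flow is 192.168.30.107 to 192.168.20.101, the asker's case. Absence of a logged reply is suggestive rather than conclusive: many stateful firewalls log only the packet that opens a session, so a packet capture on the optional interface, or the ping from Company B toward the workstation that the asker requested, is the decisive check.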
ASKER CERTIFIED SOLUTION
Andrew
wlamore (ASKER)
Got that done. Still no luck. Logs look like they are allowing ping traffic out, but nothing coming back. I have sent off an e-mail to the other company's support to see if they can test a ping from their end; no answer yet.
wlamore (ASKER)
Although we did not finish with the other company, I think you were correct in all your advice.
Thanks.