Routing between two networks?

Hi,

I have two networks configured and plugged directly to Watchguard X20e firewall.

int 1 - 192.168.111.10/24 - users on this LAN
int 2 - 10.12.0.1/23 -  connected to MPLS

the 192.168.x.x is the current LAN users are on and the 10.12.x.x is the new network MPLS. I want users to be able to go over MPLS from 192.168.x.x.

I know I can put users on this new network and the problem is solved but this is not an option at this moment.

do I need to enable something  for both interfaces to talk to each other, i.e. bridging or NAT? see attached pic

Thanks
11.PNG
12.PNG
badabing1Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

KimputerCommented:
Add a static route option, telling traffic on INT1 to route 10.12.0.1/23 traffic to INT2 (usually input by the router IP of that section, presumably 10.21.0.1). Obvioiusly the router on INT has to be configured to route it back (but your MPLS provider probably did it already).
0
badabing1Author Commented:
no go am afraid, I tried that before.  see attached is this correct?  .20 ip is HSRP address and I can ping that fine from other sites.

I just don't know why I cant get traffic to talk over the two interfaces on the same firewall?

Thanks
13.PNG
0
KimputerCommented:
You only set a route once. In your picture, you have two routes, which doesn't make sense and it's a wonder the firewall didn't blow up by itself.
So, one route, one gateway.
Now you have TWO 10.12.0.0/24 entries.
On top of that, the 192. route makes no sense either. Please remove it.
If the 10.12.0.20 is really the router from your MPLS provider, then leave only the first line.

Another possibility is that if the gateways are already input on the interfaces pages, then a route is not the way to go. A policy allowing both directions to flow to each other is the way to go then.
0
Top Threats of Q1 & How to Defend Against Them

WEBINAR: Join WatchGuard CTO and our Threat Research Team on Aug. 2nd to hear the findings from our Q1 Internet Security Report! Learn more about the top threats detected in the first quarter and how you can defend your business against them!

badabing1Author Commented:
still no go, if you see my first pictures both interfaces have no gateway and are configured as trusted. see attached re routes.

.20 is the MPLS router and I can ping from a remote site but seem to be struggling to get out from the local site.

once again 192.x is the current LAN users are connected to and this is plugged directly into watchguard firewall and 10.x is the new MPLS that is also connected directly into the firewall. (both INT on the firewall are configured as trusted)

could it be bridging that I need to enable? looking for ideas as im losing my mind trying to figure this out.

Thanks
14.PNG
0
KimputerCommented:
You still need to check if there's a policy that says that both Trusted interfaces can communicate with each other.
Also, set the gateway for the 10.12.0.0 network (then the route isn't needed).
0
Felicia KingCommented:
An X20e is an extremely old unit and is way past end of life. It will not run any current Fireware. I suggest you use the trade-up program to get a T30 to replace it.
Static routes are almost never required. Simply pay attention to whether the security zone for the interfaces/subnets that you want to talk to each other are both listed as Trusted. If they are, then the Firebox sets up the route for you as well as the security policies by default.
If you need to, you can create a policy called TrustedComms. Source = Trusted, Destination = Trusted.
You can use "Any TCP-UDP" as the associated port collection.

I always create a custom TrustedComms port collection and associate that with the TrustedComms policy. In that way, you are not allowing just anything and everything to flow between the trusted subnets. You are only allowing the communications that you know to be associated with valid ports and protocols between Trusted subnets then.
0
badabing1Author Commented:
Hi

this is really strange, if I change the 10.12.0.1 interface to External, I can then ping 10.12.0.20 (MPLS Router HSRP IP) from 192.168.111.0 (current LAN users are on) but it cant go any further than that i.e to remote site over MPLS. But I can ping from remote site to this site?

if I change it back to Trusted I can only ping the IP of the int 10.12.0.1 (LAN side) and cant ping 10.12.0.20 its like it cant route traffic to .20 ? Confused!

@Felicia what do you mean security zone? see attached firewall policy as well please?

Thanks
11.PNG
0
Felicia KingCommented:
A security zone built into the Firebox is Trusted, Optional, External, Custom. Your ancient firebox probably does not have Custom as an option.
If you are using 10.0.0.0 networks on the external interface, that is going to mess up dynamic NAT.

10.x.x.x is an internal network space, not external.

If you want your setup to work, you need to get an a Firebox with current Fireware and work with a WatchGuard certified expert or use their tech support.
0
badabing1Author Commented:
Ok both interfaces are set to Trusted and the policy also set correctly so they can talk to each other?

I know 10.x.x.x is an internal network space, I was just making you guys aware of this change which to a point did go a step further, BUT I do agree that it should not be set to external and it isn't now but now am gone one step back i.e I cant ping 10.12.0.20 ip anymore?

Getting a firebox with current fireware is not an option at this moment in time, because its old its not supported anymore hence seeking help from you experts!
0
Felicia KingCommented:
I am considered the top WatchGuard architect in the Midwest. This forum is not the right option for support for your needs on this issue. Your request here is more complicated and requires knowledge of much more information than what can be presented on this forum.

To me, the only thing that could be a barrier to getting an appropriate perimeter security appliance in place is lack of willingness to spend the money on a functional and supported device. I expect that is the same barrier to paying for qualified network engineering support.

A new Firebox has functionality, features, and support that you cannot achieve with that device that is likely 10-15 years old. With what you are trying to do, it is likely that any qualified expert you talk to is going to need the functionality available in today's units in order to solve the problem.

You would be best off to get a T30, T50, or the W versions of either and then work with WatchGuard support if your budget is pinched.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Networking

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.