
routing question

Status
Not open for further replies.

spivy66

MIS
Nov 8, 2002
150
US
I have a problem.

I have a Cisco 2600:
fasteth0 172.17.1.10
fasteth1 172.17.2.0

The gateway of last resort points to my firewall (trusted 172.17.1.1).

My problem is every time my firewall crashes, my users on my 172.17.2.0/24 network cannot see anyone on the 172.17.1.0/24 network.

The firewall does have a route statement 172.17.2.0/24 ---> 172.17.1.10, which means all traffic from 172.17.2.0 goes to the fasteth0 interface. Do I have this set up right? Is there a way I can add another route so all my 172.17.2.0/24 traffic does not need to pass through the firewall to get to 172.17.1.0/24? I also need the 172.17.2.0/24 to get to the net. Here is my config:

interface FastEthernet0/0
ip address 172.17.1.10 255.255.255.0
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 172.17.2.2 255.255.255.0
speed 100
full-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.1.1
ip http server
ip http authentication local
ip pim bidir-enable
 
How exactly does the topology go, and why is the 2600 even there if it's not doing any routing?

Usually, a router would be the edge device, followed by the firewall...

Burt
 
OK, this is all trusted behind the firewall.

I have a trusted network 172.17.1.0/24 (I ran out of IP addresses, so I added a new trusted network 172.17.2.0/24). For both of these networks to talk I needed a router, hence the 2600. No routing is needed right now, I know.

The gateway for the 172.17.1.0/24 is 172.17.1.1 (my firewall).

The gateway for my 172.17.2.0/24 is 172.17.2.2 (fasteth1).

I have a default route to route all traffic to 172.17.1.1 on the Cisco router. (Do I need this for my 172.17.2.0/24?)

The interfaces on the Cisco router are:
fasteth0 172.17.1.10
fasteth1 172.17.2.2

With all of this said, I need a route on my firewall so all the 172.17.2.0/24 traffic passes through, right?
So I have network 172.17.2.0/24 -----> 172.17.1.10 (fasteth0).

Basically what I'm trying to do is have my 172.17.2.0/24 network be able to talk to my 172.17.1.0/24 while my firewall 172.17.1.1 is down. Right now this is not the case; it seems the traffic is routing through the firewall first.

Thanks for your help.
 
Change

interface FastEthernet0/0
ip address 172.17.1.10 255.255.255.0


to

interface FastEthernet0/0
ip address 172.17.1.1 255.255.255.0

And then make your firewall 172.17.1.10.
 
Yes---The default routes should both be in the router, not one in the router and one in the PIX.

Burt
 
How would that work though? First thing is, all users on the 172.17.1.0/24 have static IPs with the gateway of 172.17.1.1, so they would all be pointing to fasteth0/0. OK, I understand that. What would my default route be on the Cisco 2600 then? If I made this change like you said, the default route would be 172.17.1.1. Do I need to change this to 172.17.1.10, or should I add another route? I'm confused??
So this is what I'm going to have after the change:

fasteth0/0 172.17.1.1
fasteth0/1 172.17.2.2

and the firewall 172.17.1.10 (plus you said remove this route?).

Thanks for all your help.
 
Burt, thanks for your quick reply, and you're still saying remove the route on my firewall and not add a new one?

So basically the gateway for all my users on the 172.17.1.0/24 network should not be the firewall but fasteth0/0, and the reason why I'm making the change brianinms said is so I don't need to go around to all my users and change the default gateway??


 
Correct---the gateway of all the users should be fastethernet in the router, not the firewall. If the firewall goes down, then the users on 1.0 have no gateway, and can therefore not get to the 2.0 network. Changing two IP addresses in the firewall and router is much easier than changing the gateway on all the users---to attain this goal. If the router goes down, then none of the users would get anywhere anyway, no matter what they use for the gateway.

Burt
 
====---=-=-=---====
interface FastEthernet0/0
ip address 172.17.1.10 255.255.255.0
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 172.17.2.2 255.255.255.0
speed 100
full-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.1.1
ip http server
ip http authentication local
ip pim bidir-enable
====---=-=-=---====
! You can also add DHCP to the router configuration.
!
ip dhcp excluded-address 172.17.2.0 172.17.2.200
!
ip dhcp pool mydhcppool2
network 172.17.2.0 255.255.255.0
dns-server 4.2.2.1 4.2.2.2
default-router 172.17.2.2
netbios-name-server 172.17.1.108
lease 0 1
====---=-=-=---====

spivy66,

I basically have the same setup.

Your above setup seems correct. However, what is the default gateway for the users on the 172.17.2.0/24 subnet?

When you do an ipconfig /all on a machine in the 172.17.2.0/24 subnet, their default gateway should be 172.17.2.2… NOT 172.17.1.1. I made this mistake. It worked, until the firewall went down. And with the firewall down no one can get out to the internet.

In the router configuration, the ip route "0.0.0.0 0.0.0.0 172.17.1.1" should be your internet. Same as the firewall.

The routing table in my WatchGuard is the following:
Route To: 172.17.2.0
Gateway: 172.17.1.10

I hope this helps.
 
That's what we said---except the gateway for the 1.0 subnet needs to be that of the router, NOT the firewall. He already has the gateway of the 2.0 nw as 2.2 (fa of the router). It would be easier for him to change the firewall interface connecting to the router to 1.10 and the fa interface in the router to 1.1, because all the hosts on the 1.0 nw list their gateway as 1.1, which is currently the firewall. If he leaves it the way it is, he will have problems like you describe as having had before, except not with the 2.0 nw, but the 1.0 nw.

Burt
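A way to check the reasoning in Burt's posts above, as an added example that is not code from this thread: a small Python forwarding simulator that models the posted layout and the suggested swap with the firewall up or down, in both directions of traffic. It assumes, as the later posts suggest, that after the swap the router's default route points at the firewall's new address 172.17.1.10 and that the firewall routes 172.17.2.0/24 back to the router's 1.0 address; host addresses, the 203.0.113.1 "internet" target and the INTERNET sentinel are constructed.

```python
import ipaddress

# Added example (not from the thread): a small longest-prefix-match forwarding
# simulator for the 2600 + firewall layout above. Host addresses, the 203.0.113.1
# "internet" target and the INTERNET sentinel are constructed for illustration.
INTERNET = "INTERNET"
net = ipaddress.ip_network
def topology(router_lan_ip, fw_lan_ip, fw_up=True):
    return {  # "owner": which device answers on each next-hop address
        "owner": {router_lan_ip: "router", "172.17.2.2": "router", fw_lan_ip: "firewall"},
        "devices": {
            "router": {"up": True, "nets": [net("172.17.1.0/24"), net("172.17.2.0/24")],
                       "routes": [(net("0.0.0.0/0"), fw_lan_ip)]},
            # assumption: the firewall routes 2.0/24 back via the router's 1.0 address
            "firewall": {"up": fw_up, "nets": [net("172.17.1.0/24")],
                         "routes": [(net("172.17.2.0/24"), router_lan_ip),
                                    (net("0.0.0.0/0"), INTERNET)]}},
        # hosts keep the gateways the thread describes: 1.1 on the 1.0 LAN, 2.2 on 2.0
        "hosts": {"h1": ("172.17.1.50", "172.17.1.1"), "h2": ("172.17.2.50", "172.17.2.2")}}

def path(topo, src_host, dst_ip):
    """Devices a packet from src_host crosses to reach dst_ip, or None if dropped."""
    src, hop = topo["hosts"][src_host]
    dst = ipaddress.ip_address(dst_ip)
    if dst in net(src + "/24", strict=False):
        return []                                   # same subnet, no gateway needed
    hops = []
    for _ in range(8):                              # TTL guard against loops
        dev = topo["devices"].get(name := topo["owner"].get(hop))
        if dev is None or not dev["up"]:
            return None                             # next hop missing or down
        hops.append(name)
        if any(dst in n for n in dev["nets"]):
            return hops                             # delivered on a connected LAN
        matches = [r for r in dev["routes"] if dst in r[0]]
        if not matches:
            return None
        hop = max(matches, key=lambda r: r[0].prefixlen)[1]  # longest prefix wins
        if hop == INTERNET:
            return hops + [INTERNET]
    return None

def round_trip(topo, a, b):  # both directions must work; a dead return gateway kills replies
    return all(path(topo, x, topo["hosts"][y][0]) is not None for x, y in ((a, b), (b, a)))

def before(fw_up=True):  # the posted config: router is .10, firewall .1 is the 1.0 gateway
    return topology("172.17.1.10", "172.17.1.1", fw_up)
def after(fw_up=True):   # Burt's swap: router takes .1, firewall moves to .10
    return topology("172.17.1.1", "172.17.1.10", fw_up)
```

With the firewall down, `before()` still forwards 2.0 to 1.0 one way, but the 1.0 hosts' replies die at the dead gateway, which is the symptom in the first post; `after()` keeps both LANs talking and only loses the internet path.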
 
Burt, OK, thanks for clearing this up. But do I also need to create a route on my firewall
172.17.2.0/24 ---> 172.17.1.1 (so 172.17.2.0/24 users can get to the net)?
This is of course after I make the change.

joopdog,
That's pretty scary how your config is like mine. And yes, I do have the gateway pointing to 172.17.2.2 for the 172.17.2.0/24 users.

Thanks again.
 
Yes, it does NAT and it's a WatchGuard. Scary that joopdog has the same FW too, huh? lol
 
Great, thanks for your help, I really appreciate it. I will be making this change next week, Xmas week, so that I don't impact the users. I will let you know how I made out. Thanks again!!
 