Changing IPRoute statement doesn't work

townofnewmarket (Level 1)

So here's the network:

Lots of local users, 192.168.12.x. Users are given an IP through DHCP from a Windoze server and their default GW is 192.168.12.254. The 254 addy is a Cisco 3560G switch. In the configs of the 3560, we have a line that says

ip route 0.0.0.0 0.0.0.0 192.168.12.253

The 253 is our Cisco ASA 5505.

Now I have set up a Sonicwall to replace the ASA (corp mandate, sorry), and am just doing some testing. I assigned an internal IP to the Sonicwall of 192.168.12.252. If I set up PCs with a def gw of 12.252, everything is fine, they can surf and all that. If I reconfigure the Cisco 3560G to say

ip route 0.0.0.0 0.0.0.0 192.168.12.252

I disable the old route first of course.

No one can go anywhere.

Both are plugged into a switch provided by Comcast, since we have 5 static IPs. I am thinking it is some sort of conflict with the Comcast switch? (i.e. the ASA is 75.194.36.144 with 255.255.255.248 mask, def gw 75.194.36.150. The Sonicwall is 75.194.36.145 with same mask and gw).

Thoughts?

5 Replies

Jon Marshall (Hall of Fame)

It shouldn't be the Comcast switch because if the GW is set to .252 everything works fine.

Your setup is a bit confusing in the sense that traffic from clients to the firewall (ASA or Sonicwall) goes via the 3560 but the return traffic goes direct to the clients because they are in the same subnet. This may be causing an issue but I can't see how.

What does a traceroute from a client show when you have the default set to the Sonicwall ?

It may be worth trying to configure a dedicated vlan for the connection between the 3560 and the Sonicwall but this may not solve the issue.

Jon

Thanks Jon. I am not sure why the setup is this way, but you are right. All clients point to the 3560G as their def gw, and anything the 3560G can't resolve, he hands off to the firewall.

A traceroute from a PC using the SW as firewall and def gw shows the first hop to be Comcast's def gw (instead of the SW??)

A traceroute from a PC using the 3560G as def gw (and ASA as firewall) shows the first hop is the 3560G, which is what I would expect.

Something doesn't look right...

A traceroute from a PC using the SW as firewall shows the first hop to be Comcast's def gw (instead of the SW??)

The Sonicwall may not show up in a traceroute so that's okay, but not going via the 3560 isn't if that is the gateway for the clients. I'm wondering if there is some ICMP redirecting going on because of the clients being on the same subnet as the inside interfaces of the firewalls. Like I say, using a dedicated vlan may solve this and would be cleaner anyway. If you did decide to do this you would need to:

create a new vlan on the 3560 in the vlan database eg. vlan 10

create an SVI for vlan 10 on the 3560 eg.

int vlan 10

ip address 192.168.5.1 255.255.255.252

assign 192.168.5.2 255.255.255.252 to the Sonicwall inside interface

add a default on the 3560 pointing to the 192.168.5.2 address

finally on the Sonicwall add a route for the 192.168.12.x network with the next hop of 192.168.5.1

The above may or may not solve the issue, so it may be a fair bit of work for nothing, but there is definitely something not working properly in your network.

When you test with the Sonicwall are you shutting down the inside interface of the ASA ?

Jon
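A worked configuration for the dedicated transit VLAN Jon describes, added here as an example; it is not from the thread, from Cisco or from the poster's switch. It assumes the existing client SVI (192.168.12.254) is interface Vlan1 and that the Sonicwall's inside port is patched into GigabitEthernet0/24; both names are assumptions. It also adds `no ip redirects` to both SVIs: by default IOS sends an ICMP redirect when it forwards a packet back out the interface it arrived on, which is exactly what happens when a 192.168.12.x client sends to the 3560 and the next hop (.252 or .253) sits on the same VLAN, and hosts that honour redirects can have their next hop rewritten by any device on the segment that spoofs one.

```cisco
! 3560G: move the firewall hand-off onto its own /30 (example, assumed interface names)
ip routing
!
vlan 10
 name FW-TRANSIT
!
interface Vlan10
 description Transit to Sonicwall inside (192.168.5.2)
 ip address 192.168.5.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no shutdown
!
interface GigabitEthernet0/24
 description Sonicwall X0 (inside) - ASSUMED port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface Vlan1
 description Client VLAN, 192.168.12.254 - ASSUMED to be Vlan1
 no ip redirects
!
! Replace the old same-subnet defaults with the transit next hop
no ip route 0.0.0.0 0.0.0.0 192.168.12.253
no ip route 0.0.0.0 0.0.0.0 192.168.12.252
ip route 0.0.0.0 0.0.0.0 192.168.5.2
!
! Checks after the change
! show ip route 0.0.0.0 0.0.0.0          -> gateway of last resort is 192.168.5.2
! show ip interface vlan 1 | include redirects   -> ICMP redirects are never sent
! show ip arp 192.168.5.2                -> Sonicwall X0 MAC learned on Vlan10
```

On the Sonicwall side, give X0 192.168.5.2/30, add a static route for 192.168.12.0/24 with next hop 192.168.5.1 on X0, and confirm that the outbound NAT policy and LAN-to-WAN access rules use a source that covers 192.168.12.0/24 rather than only the X0 subnet, since client traffic now arrives from a network the firewall is not directly attached to. While testing, shut the ASA inside interface as Jon asks, so only one default path exists, and clear any stale host routes on a test PC (`route print` will show them as /32 entries) before re-running the traceroute.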

When I set a client up to use the Sonicwall for the firewall, I cannot use the 3560G as def gw, as it won't work. Even if I change the line

ip route 0.0.0.0 0.0.0.0 192.168.12.253   (ASA)

to

ip route 0.0.0.0 0.0.0.0 192.168.12.252  (Sonicwall)

it won't go. So when I test with a PC using the Sonicwall as firewall, I set the PC's def gw to 252 (the Sonicwall). This seems to work.

When I set a client up to use the Sonicwall for the firewall, I cannot use the 3560G as def gw, as it won't work.  Even if I change the line

I understand that, I was just wondering if it was somehow to do with the traffic path. That's why I suggested using a dedicated vlan, because then traffic to and from the Sonicwall would have to go via the 3560. As I say, it may not fix the problem, but I can't see what else could be causing the problem.

Jon
