11-20-2013 07:56 AM - edited 03-07-2019 04:41 PM
So here's the network:
Lots of local users, 192.168.12.x. Users are given an IP thru DHCP from a Windoze server and their default GW is 192.168.12.254. The 254 addy is a Cisco 3560G switch. In the configs of the 3560, we have a line that says
ip route 0.0.0.0 0.0.0.0 192.168.12.253
The 253 is our Cisco ASA 5505.
Now I have setup a Sonicwall to replace the ASA (corp mandate, sorry), and am just doing some testing. I assigned an internal IP to the Sonicwall of 192.168.12.252. If I set up PCs with a def gw of 12.252, everything is fine, they can surf and all that. If I reconfigure the Cisco 3560G to say
ip route 0.0.0.0 0.0.0.0 192.168.12.252
I disable the old route first of course.
No one can go anywhere.
Both are plugged into a switch provided by Comcast, since we have 5 static IPs. I am thinking it is some sort of conflict with the Comcast switch? (i.e. the ASA is 75.194.36.144 with 255.255.255.248 mask, def gw 75.194.36.150. The Sonicwall is 75.194.36.145 with same mask and gw).
Thoughts?
11-20-2013 08:15 AM
It shouldn't be the Comcast switch because if the GW is set to .252 everything works fine.
Your setup is a bit confusing in the sense that traffic from clients to the firewall (ASA or Sonicwall) goes via the 3560 but the return traffic goes direct to the clients because they are in the same subnet. This may be causing an issue but I can't see how.
What does a traceroute from a client show when you have the default set to the Sonicwall ?
It may be worth trying to configure a dedicated vlan for the connection between the 3560 and the Sonicwall but this may not solve the issue.
Jon
11-20-2013 10:04 AM
Thanks Jon. I am not sure why the setup is this way, but you are right. All clients point to the 3560G as their def gw, and anything the 3560G can't resolve, he hands off to the Firewall.
A traceroute from a PC using the SW as firewall and def gw shows the first hop to be Comcast's def gw (instead of the SW??)
A traceroute from a PC using the 3560G as def gw (and ASA as firewall) shows the first hop is the 3560G, which is what I would expect.
Something doesn't look right...
11-20-2013 10:11 AM
A traceroute from a PC using the SW as firewall shows the first hop to be Comcast's def gw (instead of the SW??)
The Sonicwall may not show up in a traceroute so that's okay but not going via the 3560 isn't if that is the gateway for the clients. I'm wondering if there is some ICMP redirecting going on because of the clients being on the same subnet as the inside interfaces of the firewalls. Like I say, using a dedicated vlan may solve this and would be cleaner anyway. If you did decide to do this you would need to -
create a new vlan on the 3560 in the vlan database eg. vlan 10
create an SVI for vlan 10 on the 3560 eg.
int vlan 10
ip address 192.168.5.1 255.255.255.252
assign 192.168.5.2 255.255.255.252 to the Sonicwall inside interface
add a default on the 3560 pointing to the 192.168.5.2 address
finally on the Sonicwall add a route for the 192.168.12.x network with the next hop of 192.168.5.1
the above may or may not solve the issue so it may be a fair bit of work for nothing but there is definitely something not working properly in your network.
When you test with the Sonicwall are you shutting down the inside interface of the ASA ?
Jon
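Jon's dedicated-VLAN steps, written out as a 3560G configuration. This is an added example, not Jon's own config or anything from the thread: it assumes the users' gateway SVI (192.168.12.254) is Vlan1 and that the Sonicwall inside port is patched into Gi0/24, and it adds "no ip redirects" on both SVIs so the ICMP-redirect behaviour Jon suspects is ruled out rather than guessed at.

```cisco
! Added example (not from the thread). Assumptions: user SVI is Vlan1,
! Sonicwall inside port is GigabitEthernet0/24. Adjust to the real switch.
!
! 1. Dedicated transit VLAN between the 3560 and the Sonicwall
vlan 10
 name FW-TRANSIT
!
interface GigabitEthernet0/24
 description Sonicwall inside (192.168.5.2)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface Vlan10
 description Point-to-point /30 to Sonicwall
 ip address 192.168.5.1 255.255.255.252
 no ip redirects
!
! 2. Users' gateway SVI: stop the switch sending ICMP redirects so clients
!    cannot be steered straight to a firewall on their own subnet
interface Vlan1
 ip address 192.168.12.254 255.255.255.0
 no ip redirects
!
! 3. Default route now points into the transit VLAN, not the user subnet.
!    Remove both old defaults first (ASA .253 and the Sonicwall test .252).
no ip route 0.0.0.0 0.0.0.0 192.168.12.253
no ip route 0.0.0.0 0.0.0.0 192.168.12.252
ip route 0.0.0.0 0.0.0.0 192.168.5.2
!
! 4. Verify: default should show via 192.168.5.2, first hop from a client
!    should be 192.168.12.254 and the Sonicwall may or may not appear.
show ip route 0.0.0.0
show ip interface Vlan1 | include redirects
```

On the Sonicwall side the matching changes are its inside interface set to 192.168.5.2/30 and a static route for 192.168.12.0/24 with next hop 192.168.5.1, exactly as Jon's last two steps describe.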
11-20-2013 10:44 AM
When I set a client up to use the Sonicwall for the firewall, I cannot use the 3560G as def gw, as it won't work. Even if I change the line
ip route 0.0.0.0 0.0.0.0 192.168.12.253 (ASA)
to
ip route 0.0.0.0 0.0.0.0 192.168.12.252 (Sonicwall)
it won't go. So when I test with a PC using the Sonicwall as firewall, I set the PCs def gw to 252 (the sonicwall). This seems to work.
11-20-2013 10:50 AM
When I set a client up to use the Sonicwall for the firewall, I cannot use the 3560G as def gw, as it won't work. Even if I change the line
I understand that, I was just wondering if it was somehow to do with the traffic path. That's why I suggested using a dedicated vlan because then traffic to and from the Sonicwall would have to go via the 3560. As I say, it may not fix the problem but I can't see what else could be causing the problem.
Jon