02-13-2013 02:28 PM - edited 03-07-2019 11:42 AM
I have a Cisco 2921. I have 2 networks that each have their own router.
192.168.1.0 network is connected to a WatchGuard firewall.
192.168.9.0 network is connected to the Cisco 2921 router.
I want to connect the 2 subnets using one of the interfaces of the Cisco router. Does anyone have any suggestion on how I can get this to work? It is not connected via VPN tunnel but we want to have LAN speed when accessing resources on both networks. Each network is connected to a Dell switch.
I appreciate any input and help.
02-20-2013 04:21 PM
I'm currently setting up the WatchGuard for RIP. I am able to ping 1.1.1.2 from the 192.168.9.x subnet but I can't ping anything in the 192.168.1.x network.
When I do a "show ip protocol", under routing for networks I see
192.168.9.0
1.0.0.0
under routing information sources I see
Gateway 1.1.1.2 distance 120 last update is 4:47
At this point from Cisco network I can only ping 1.1.1.2 which is the IP of the interface on the watchguard. From the Watchguard I can only ping 1.1.1.1 which is the interface in the Cisco router.
02-20-2013 04:38 PM
Hi Joseph,
Sounds like the problem is at the watchguard at the moment.
If you can ping from a host on the 192.168.9.0 subnet to both 1.1.1.1 & 1.1.1.2 then IP routing between subnets is working on the Cisco Side.
Can you ping from a host on the 192.168.1.0 subnet to 1.1.1.1 or 1.1.1.2? If you can the watchguard is also routing and this is an issue with the router & firewall sharing routing tables. If you CANNOT ping 1.1.1.1 or 1.1.1.2 from 192.168.1.0 the issue lies on the watchguard.
Ensure you are advertising your directly connected subnets on the firewall. Additionally, ensure that the firewall is running RIPv2. If the firewall is running V1 this scenario will NOT work as RIPv1 is a classful protocol and will not know what to do with the /30 subnet of the 1.1.1.0 network. If you still are having issues try reconfiguring the 1.1.1.0 to a /8 (255.0.0.0) classful network. See if this makes a difference.
Additionally check all IP Addresses, advertised subnets & subnet masks. Ensure if you are using a /30(255.255.255.252) on the Cisco side you are also replicating this subnet on the watchguard.
Kind Regards,
Liam
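An added illustration of the classful-mask and matching-subnet checks from the reply above (not part of the original thread, and not Cisco or WatchGuard tooling). The function names are hypothetical, and the mismatched /8 and .5 link ends are constructed samples; the other addresses are the ones quoted in the thread.

```python
import ipaddress

def classful_network(addr: str) -> ipaddress.IPv4Network:
    """Network a classful protocol (RIPv1) infers from the address class,
    since its updates carry no subnet mask."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        prefix = 8       # class A
    elif first_octet < 192:
        prefix = 16      # class B
    elif first_octet < 224:
        prefix = 24      # class C
    else:
        raise ValueError(f"{addr} is class D/E and has no classful network")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def needs_mask_in_update(prefix: str) -> bool:
    """True when the configured prefix differs from its classful network,
    i.e. it can only be advertised exactly if the update carries a mask (RIPv2)."""
    net = ipaddress.ip_network(prefix)
    return net != classful_network(str(net.network_address))

def link_problems(end_a: str, end_b: str) -> list:
    """Compare the two ends of a point-to-point link ('ip/prefixlen')."""
    a, b = ipaddress.ip_interface(end_a), ipaddress.ip_interface(end_b)
    problems = []
    if a.network.prefixlen != b.network.prefixlen:
        problems.append(f"mask mismatch: /{a.network.prefixlen} vs /{b.network.prefixlen}")
    if a.ip not in b.network or b.ip not in a.network:
        problems.append(f"{a.ip} and {b.ip} are not in each other's subnet")
    if a.ip == b.ip:
        problems.append("duplicate address on both ends")
    return problems

if __name__ == "__main__":
    # Prefixes from the thread: the transit link and the two LANs.
    for p in ("1.1.1.0/30", "192.168.9.0/24", "192.168.1.0/24"):
        net = ipaddress.ip_network(p)
        print(p, "classful:", classful_network(str(net.network_address)),
              "needs mask in update:", needs_mask_in_update(p))
    print(link_problems("1.1.1.1/30", "1.1.1.2/30"))  # thread's link ends
    print(link_problems("1.1.1.1/30", "1.1.1.2/8"))   # constructed mismatch
```

The classful result for 1.1.1.0/30 is 1.0.0.0/8, which is the same network that "show ip protocol" lists as 1.0.0.0 in the earlier post.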
02-21-2013 09:10 AM
Liam,
I can't ping any host on either subnet. The only thing I can ping is both 1.1.1.1 and 1.1.1.2 on both 9.x and 1.x network. So from the WatchGuard network 192.168.1.x I can ping 1.1.1.1 which is on the Cisco interface. Also, from the Cisco network 192.168.9.x I can ping 1.1.1.2 which is on the WatchGuard interface. I can't ping any host on the 1.x network from 9.x nor from 9.x to the 1.x network.
02-22-2013 01:47 AM
Hi Joseph,
Sorry about the late reply. To get a better mental picture, I will give you a list of source to destination addresses to ping.
So if you just confirm yes/no that the ping is successful.
E.g. 192.168.1.1 > 192.168.9.1 = No
1.1.1.1 > 1.1.1.2 = Yes
So if you can confirm the following
Are the following pings successful?
192.168.9.X(Host) > 1.1.1.1(Cisco interface) Yes/No
192.168.9.X(Host) > 1.1.1.2(watchguard interface) Yes/No
1.1.1.1(Cisco) > 1.1.1.2(Watchguard) Yes/No
1.1.1.1(Cisco) > 192.168.1.X(Host) Yes/No
1.1.1.2(watchguard) > 192.168.1.X(Host) Yes/No
And just to confirm...
the 192.168.1.X/24 subnet is directly connected to the watchguard & the 192.168.9.X is directly connected to the Cisco.
Finally can you ensure the firewall allows communication between its own interfaces... for example a Cisco Firewall(ASA) will not allow its e0/1 interface to talk to e0/2 interface even though they are trusted(inside) interfaces until you specify they can communicate. Again I don't know enough about watchguard.
To summarize
Define what can ping what.
ensure that the watchguard is not restricting communication between interfaces.
ensure the firewall(watchguard) is allowing dynamic routing protocol information between interfaces.
Note: The Cisco will not restrict any of this information by default, so I have a feeling the issue lies somewhere on the watchguard.
Finally, can I have a 'show run' of the 2921 (feel free to omit any sensitive data) along with a 'show ip route' & finally a 'sh ip int br'?
Additionally, if there is any GUI or output so I can see what is going on with the watchguard (again, feel free to omit sensitive data).
Kind Regards,
Liam
02-22-2013 09:27 AM
Thanks Liam. It's working now. Thank you for all your help.
02-22-2013 10:01 AM
Hi Joseph,
No problem at all, glad it is finally working!
If you don't mind me asking, what was the issue in the end?
Kind Regards,
Liam
02-22-2013 10:24 AM
There was some missing configuration on the watchguard and the bovpn has a gateway in the 9.x subnet which needed to be taken down.
02-22-2013 10:31 AM
Hi Joseph,
Thank you for the reply, much appreciated.
Glad all is working as required.
Kind Regards,
Liam