jlabitag0510
Beginner

connecting 2 subnets using cisco 2921

I have a Cisco 2921. I have 2 networks that each have their own router.

192.168.1.0 network is connected to watchguard firewall

192.168.9.0 network is connected to the cisco 2921 router.

I want to connect the 2 subnets using one of the interfaces of the Cisco router. Does anyone have any suggestion on how I can get this to work? It is not connected via a VPN tunnel, but we want to have LAN speed when accessing resources on both networks. Each network is connected to a Dell switch.

I appreciate any input and help.

22 REPLIES

I'm currently setting up the watchguard for RIP. I am able to ping 1.1.1.2 from the 192.168.9.x subnet but I can't ping anything in the 192.168.1.x network.

When I do a "show ip protocol", under routing for networks I see

192.168.9.0

1.0.0.0

Under routing information sources I see

Gateway 1.1.1.2 distance 120 last update is 4:47

At this point from Cisco network I can only ping 1.1.1.2 which is the IP of the interface on the watchguard. From the Watchguard I can only ping 1.1.1.1 which is the interface in the Cisco router.

Hi Joseph,

Sounds like the problem is at the watchguard at the moment.

If you can ping from a host on the 192.168.9.0 subnet to both 1.1.1.1 & 1.1.1.2 then IP routing between subnets is working on the Cisco Side.

Can you ping from a host on the 192.168.1.0 subnet to 1.1.1.1 or 1.1.1.2? If you can, the watchguard is also routing and this is an issue with the router & firewall sharing routing tables. If you CANNOT ping 1.1.1.1 or 1.1.1.2 from 192.168.1.0, the issue lies on the watchguard.

Ensure you are advertising your directly connected subnets on the firewall. Additionally, ensure that the firewall is running RIPv2. If the firewall is running V1 this scenario will NOT work, as RIPv1 is a classful protocol and will not know what to do with the /30 subnet of the 1.1.1.0 network. If you are still having issues, try reconfiguring the 1.1.1.0 to a /8 (255.0.0.0) classful network. See if this makes a difference.

Additionally, check all IP addresses, advertised subnets & subnet masks. Ensure that if you are using a /30 (255.255.255.252) on the Cisco side you are also replicating this subnet on the watchguard.

Kind Regards,

Liam
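
The Cisco side of the RIPv2 setup described in the reply above, as an added example rather than configuration posted in the thread. The interface names and the 192.168.9.1 LAN address are assumptions; the /30 transit link, 1.1.1.1, 1.1.1.2 and the advertised networks are taken from the thread.

```cisco
! Constructed example: interface names and 192.168.9.1 are assumptions.
interface GigabitEthernet0/0
 description LAN 192.168.9.0/24
 ip address 192.168.9.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 description Transit link to the WatchGuard (1.1.1.2)
 ip address 1.1.1.1 255.255.255.252
 no shutdown
!
! version 2 carries the subnet mask in each update.
! no auto-summary stops subnets being collapsed to their classful network.
! passive-interface keeps RIP updates off the user LAN; only the
! transit link needs to exchange routes with the firewall.
router rip
 version 2
 no auto-summary
 network 192.168.9.0
 network 1.0.0.0
 passive-interface GigabitEthernet0/0
!
end
!
! Checks from privileged EXEC (the same commands used in this thread):
!  show ip protocols        RIP version 2, 1.1.1.2 under routing information sources
!  show ip route            an R route for 192.168.1.0/24 via 1.1.1.2
!  show ip interface brief  both interfaces up/up
```

The firewall side has to match: the same /30 mask on its 1.1.1.2 interface, RIPv2 enabled, and its directly connected 192.168.1.0/24 network advertised.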

Liam,

I can't ping any host on either subnet. The only thing I can ping is both 1.1.1.1 and 1.1.1.2 on both 9.x and 1.x networks. So from the watchguard network 192.168.1.x I can ping 1.1.1.1 which is on the Cisco interface. Also, from the Cisco network 192.168.9.x I can ping 1.1.1.2 which is on the watchguard interface. I can't ping any host on the 1.x network from 9.x nor from 9.x to the 1.x network.

Hi Joseph,

Sorry about the late reply. To get a better mental picture, I will give you a list of source to destination addresses to ping.

If you could just confirm yes/no that each ping is successful.

E.g. 192.168.1.1 > 192.168.9.1 = No

1.1.1.1 > 1.1.1.2 = Yes

So if you can confirm the following

Are the following pings successful?

192.168.9.X(Host) > 1.1.1.1(Cisco interface) Yes/No

192.168.9.X(Host) > 1.1.1.2(watchguard interface) Yes/No

1.1.1.1(Cisco) > 1.1.1.2(Watchguard) Yes/No

1.1.1.1(Cisco) > 192.168.1.X(Host) Yes/No

1.1.1.2(watchguard) > 192.168.1.X(Host) Yes/No

And just to confirm...

the 192.168.1.X/24 subnet is directly connected to the watchguard & the 192.168.9.X is directly connected to the Cisco.

Finally can you ensure the firewall allows communication between its own interfaces... for example a Cisco Firewall(ASA) will not allow its e0/1 interface to talk to e0/2 interface even though they are trusted(inside) interfaces until you specify they can communicate. Again I don't know enough about watchguard.

To summarize

Define what can ping what.

Ensure that the watchguard is not restricting communication between interfaces.

Ensure the firewall (watchguard) is allowing dynamic routing protocol information between interfaces.

Note: The Cisco will not restrict any of this information by default, so I have a feeling the issue lies somewhere on the watchguard.

Finally, can I have a 'show run' of the 2921 (feel free to omit any sensitive data) along with a 'show ip route' & finally a 'sh ip int br'

Additionally if there is any GUI or output so I can see what is going on with the watchguard (again feel free to omit sensitive data)

Kind Regards,

Liam

Thanks Liam. It's working now. Thank you for all your help.

Hi Joseph,

No problem at all, glad it is finally working!

If you don't mind me asking, what was the issue in the end?

Kind Regards,

Liam

There was some missing configuration on the watchguard and the bovpn has a gateway in the 9.x subnet which needed to be taken down.

Hi Joseph,

Thank you for the reply, much appreciated.

Glad all is working as required.

Kind Regards,

Liam