01-07-2013 01:31 AM - edited 03-07-2019 10:56 AM
Hi,
I have attached a rough network diagram of our scenario.
Existing:-
A 3750 is connected to an unmanaged switch. To this unmanaged switch, a 3845 router and a
Netscreen firewall are connected. The 3750 is doing EIGRP, as is the 3845.
The 3750 has servers connected to it (10.96.0.91/10.96.0.95).
There is a second unmanaged switch, to which the Netscreen firewall and the Internet modem are connected.
The Netscreen is connected to both unmanaged switches.
There is an ASA firewall, which connects to the second unmanaged switch so it links to the ISP modem.
Planned change (highlighted in red):-
The aim is to remove the Netscreen firewall and insert another Juniper firewall as a second firewall to the existing ASA.
The Juniper SRX LAN side connects to the first unmanaged switch (shown with a red line), and the LAN port of the Juniper
SRX will be assigned an IP in the same range as 10.96.0.50.
Routing:-
Servers connected to the 3750 need to go out to some Internet-located destinations bearing IP 200.200.1.1.
The 3750 routes all traffic destined for the above and a few other Internet IPs to the 3845 router.
From the 3845, these Internet destinations are routed towards the Netscreen firewall, which then goes out via
the ISP modem.
Routing for change:-
Insert routes in the 3845 router for 200.200.1.1 with next hop 10.96.0.50 (Juniper SRX firewall) and
remove the old routes pointing towards the Netscreen firewall.
In the ASA, appropriate NAT rules are added for the sessions. Routes on the ASA and Juniper SRX are changed to
reflect the new path accordingly.
Problem:-
Even after changing the route on the 3845, the server still goes out via the old path, i.e. the Netscreen firewall.
If the Netscreen is disconnected, the server doesn't communicate.
We've tested with a server connected directly behind the Juniper SRX firewall, and it successfully communicates with
the Internet IP 200.200.1.1 when the SRX is connected to the ASA, hence proving there is no problem along
that path.
Query:-
1. Do we need to clear ARP on any devices, considering the interconnections are via unmanaged switches?
2. What could be wrong here, and how should it be made to work? Any other ideas?
Appreciate all inputs. Thanks in advance!
01-08-2013 02:55 PM
I would be interested to see the routing table on the 3845 router.
It almost sounds like there is some PBR or some other matching route taking precedence. Is that possible?
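To make the two suspicions raised so far concrete (the original poster's question about stale ARP, and the reply's guess that another matching route is taking precedence), here is an added worked example, written for this edit and not part of the thread, that models how the 3845 would forward a server packet: longest prefix match, then administrative distance, with equal-cost static routes all installed and load-shared per flow, and finally the ARP cache deciding which physical box the frame actually reaches. The IP addresses are the thread's; the SRX address 10.96.0.51, the MAC addresses and the hash used for load sharing are constructed stand-ins and are not the router's real values or algorithm.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str     # destination prefix, e.g. "200.200.1.1/32"
    next_hop: str   # next-hop IP, or "connected" for a directly attached network
    ad: int         # administrative distance: connected 0, static 1, EIGRP internal 90


# Addresses from the thread.
NETSCREEN_IP = "10.96.0.50"
SERVER = "10.96.0.91"
DEST = "200.200.1.1"
SWITCH_3750 = "10.96.0.239"
# Hypothetical: the thread never gives the SRX its own address; used here to
# contrast "new box with a new IP" against "new box reusing the Netscreen's IP".
SRX_IP = "10.96.0.51"
# Constructed MAC addresses (not from the thread).
NETSCREEN_MAC = "00:10:db:aa:aa:aa"
SRX_MAC = "00:05:85:bb:bb:bb"

BASE_RIB = [
    Route("10.96.0.0/24", "connected", 0),   # the 3845's server-facing LAN
    Route("10.96.1.0/24", SWITCH_3750, 90),  # Vlan50 learned from the 3750 via EIGRP
]


def rib_before():
    """The thread's starting point: one static /32 via the Netscreen."""
    return BASE_RIB + [Route(f"{DEST}/32", NETSCREEN_IP, 1)]


def rib_both():
    """New static added but the old one never removed: two AD-1 routes to the same /32."""
    return BASE_RIB + [Route(f"{DEST}/32", NETSCREEN_IP, 1), Route(f"{DEST}/32", SRX_IP, 1)]


def rib_after():
    """Old static removed, new one via an SRX that has its own address."""
    return BASE_RIB + [Route(f"{DEST}/32", SRX_IP, 1)]


def _net(r):
    return ipaddress.ip_network(r.prefix, strict=False)


def lookup(rib, dst):
    """IOS route selection: longest prefix first, then lowest administrative
    distance.  Routes tying on both are all installed, so every equal-cost
    next hop is returned (sorted, as a list of strings)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in rib if addr in _net(r)]
    if not matches:
        return []
    longest = max(_net(r).prefixlen for r in matches)
    tied = [r for r in matches if _net(r).prefixlen == longest]
    best_ad = min(r.ad for r in tied)
    return sorted({r.next_hop for r in tied if r.ad == best_ad})


def pick_next_hop(rib, src, dst):
    """Per-destination CEF load sharing keeps one (src, dst) pair on one of the
    equal-cost paths.  The SHA-256 hash is a deterministic stand-in for the
    platform's hash, not the real CEF algorithm."""
    hops = lookup(rib, dst)
    if not hops:
        return None
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return hops[int.from_bytes(digest[:4], "big") % len(hops)]


def forward(rib, arp_cache, src, dst):
    """Resolve a packet to (next hop, MAC it is sent to).  The RIB picks the
    next-hop IP; the ARP cache decides which physical box receives the frame,
    so a static route "changed" to the IP the old firewall still answers for
    changes nothing here."""
    nh = pick_next_hop(rib, src, dst)
    if nh is None:
        return ("no route", None)
    target = dst if nh == "connected" else nh
    return (nh, arp_cache.get(target))


if __name__ == "__main__":
    # ARP entries the 3845 would hold with both firewalls on the same unmanaged switch.
    arp = {NETSCREEN_IP: NETSCREEN_MAC, SRX_IP: SRX_MAC}
    print("before:         ", forward(rib_before(), arp, SERVER, DEST))
    print("both statics:   ", lookup(rib_both(), DEST), "-> this flow uses", pick_next_hop(rib_both(), SERVER, DEST))
    print("after:          ", forward(rib_after(), arp, SERVER, DEST))
    # SRX configured with 10.96.0.50 while the Netscreen still holds it: the
    # static route points at the same next hop as before, and the 3845's cached
    # ARP entry for .50 (the Netscreen's MAC) keeps sending frames to the Netscreen.
    print("srx reusing .50:", forward(rib_before(), {NETSCREEN_IP: NETSCREEN_MAC}, SERVER, DEST))
```

The three RIB variants map onto three things worth checking on the real 3845: `show ip route 200.200.1.1` should list exactly one next hop (the "both statics" case shows two, and a given server flow sticks to whichever one the hash picks), that next hop should be an address only the SRX answers for, and `show ip arp` for that address should show the SRX's MAC rather than the Netscreen's.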
01-08-2013 04:42 PM
I did think along the same lines, but there is no PBR on that router.
We can see the ARP entry of the Netscreen firewall on the 3845 as well as the servers' ARP entries. The gateway for the servers is the 3845.
A static route exists on the 3845 towards the destination 200.200.1.1.
ip route 81.200.201.149 255.255.255.255 10.96.0.2
Apart from that, the router is running EIGRP:
router eigrp 21
redistribute static metric 10000 100 255 1 1500
network 10.0.0.0
no auto-summary
Appreciate all help!
01-08-2013 07:27 PM
Hi,
So your goal is just replacing the Netscreen firewall with the Juniper?
If so, just connect the Juniper and assign it an IP in the same range as the Netscreen, and put a static route on the 3845 to 200.200.1.1 pointing to the Juniper. See if it works.
And the Juniper points to the ISP modem, I suppose.
Clearing ARP won't help much, because it is an L3 problem. Is the 3750 pointed to the 3845?
Sent from Cisco Technical Support iPhone App
01-09-2013 01:15 AM
Yes, the new Juniper SRX will take its place. However, the physical connections for the new firewall will be as described in the network diagram. The new firewall will be using 10.96.0.50, the same IP subnet as the existing Netscreen.
We tried this way and changed the route accordingly, but it doesn't work.
The server still routes via the Netscreen firewall, and if the Netscreen is disconnected, the connection doesn't work at all.
Appreciate all help
01-09-2013 02:41 AM
So, if I understood you correctly:
1. The 3750 is the default gateway for the servers?
2. Then on the 3750 the default route points to the 3845?
3. And from the 3845 the route to 200.200.1.1 points toward the Netscreen firewall (the one you want to replace with the Juniper)?
4. Are there any routes configured on the servers?
My suggestion was: connect the Juniper to the switch, then give it an IP from the same range as the Netscreen (not 10.96.0.50) and point to it from the 3845.
And I still don't get why there is an unmanaged switch between the 3750 and the firewall/3845. Is there any goal for that?
Hope it will help.
01-09-2013 04:40 AM
Appreciate your reply Abzal, and here are the answers:-
1. No, the 3845 router is the servers' default gateway. I can see the servers' ARP entries in the 3845, learned via the ethernet0 port, which is connected to the unmanaged switch shown towards the bottom of the diagram.
2. Yes, the 3750 has a default route towards the 3845 for the Internet destinations in consideration.
3. Yes, from the 3845 the route to 200.200.1.1 points to the Netscreen firewall, and this is the one which will eventually be replaced with the Juniper.
4. No routes, as far as I know.
I got your suggestion; correct me if I am wrong.
I did connect the Juniper to the unmanaged switch (as shown in the diagram with the red-marked connections), and it was given an IP in the same range as the Netscreen. The Netscreen currently holds an IP in the range 10.96.0.X.
So the Juniper was connected and configured with an IP in the same range.
I understand the curiosity about the unmanaged switch between the 3750 & 3845, but even I am not sure why it is in place.
It was there for a long time since this network was set up; I have so far not known the reason for it.
Appreciate your valuable inputs on this!
01-09-2013 06:05 AM
Ok, then
Can you show output of these commands?
3845:
sh run
sh ip route
3750:
sh run
Are the servers and the firewalls/3845 on separate subnets? Can you tell me their IP addresses?
Hope it will help.
Best regards,
Abzal
01-09-2013 08:13 AM
Below are the outputs; however, I have truncated them to keep them to a minimum due to sensitivity. My apologies.
3845 sh run:
!
interface Dialer4
no ip address
no cdp enable
!
router eigrp 11
redistribute static metric 10000 100 255 1 1500
network 10.0.0.0
no auto-summary
!
ip classless
ip route 75.66.51.21 255.255.255.255 "netscreen IP"
ip route 177.148.25.41 255.255.255.255 "netscreen IP"
ip route 200.200.1.1 255.255.255.255 "netscreen IP"
!
bridge 1 protocol dec
========================
3845 sh ip route:-
S 202.76.4.2 [1/0] via "netscreen IP"
158.13.0.0/32 is subnetted, 2 subnets
S 158.13.71.241 [1/0] via "netscreen IP"
S 200.200.1.1 [1/0] via "netscreen IP"
========================
3750 sh run:-
aaa session-id common
system mtu routing 1500
vtp domain xxx
vtp mode transparent
authentication mac-move permit
udld aggressive
ip subnet-zero
no ip source-route
ip routing
ip domain-name xxx
ip name-server 10.96.0.98
!
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
spanning-tree vlan 1,2,50 root primary
spanning-tree vlan 99 root secondary
!
vlan internal allocation policy ascending
!
Vlan 1
Name starting-Lan
!
vlan 2
name Management
!
vlan 50
name Sector
!
ip telnet source-interface Loopback0
ip ftp source-interface Loopback0
ip tftp source-interface Loopback0
!
ip ssh time-out 60
ip ssh version 2
!
ip rcmd source-interface Loopback0
!
interface Loopback0
ip address 10.96.5.254 255.255.255.255
!
interface Port-channel1
description portchannel GE0/47,GE0/48
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet0/45
description Provider Router
no switchport
ip address 172.54.65.1 255.255.255.248
interface Vlan1
description starting-Lan
ip address 10.96.0.239 255.255.255.0
ip helper-address 10.96.0.77
no shut
!
interface Vlan2
description Management
ip address 10.96.7.61 255.255.255.192
ip helper-address 10.96.0.77
no shut
!
interface Vlan50
description Sector
ip address 10.96.1.253 255.255.255.0
ip helper-address 10.96.0.77
no shut
!
ip routing
!
router eigrp 11
network 10.0.0.0
network 172.54.0.0
eigrp router-id 10.96.5.254
no eigrp log-neighbor-changes
!
ip classless
no ip http server
ip http secure-server
!
ip tacacs source-interface Loopback0
!
===================================
Servers' IP addresses are 10.96.0.91, 10.96.0.95
Netscreen IP is 10.96.0.50
Juniper to be assigned an IP in the 10.96.0.X range
3845 IP is 10.96.0.13
Appreciate all help. Thanks!
01-09-2013 08:46 AM
Sometimes companies add unmanaged switches to connect firewalls and routers to them directly for the outside world, I guess, so I understand that, or to span the ports for monitoring purposes. I don't like the idea of doing it like this, however, and having a single point of failure.
Also, why put an ASA in and then add another Juniper SRX behind it? I'm curious about the design.
01-09-2013 08:51 AM
OK, a few things, but it's better to test off hours if these changes are critical to the business. And I suppose the Juniper is configured and connected. Is EIGRP or any routing protocol configured on the Juniper?
Something to check:
What is the IP address of the default gateway configured on the servers? Is it 10.96.0.239? Is the subnet mask /24?
Best regards,
Abzal
01-09-2013 09:02 AM
Mohammad,
The ASA has another critical server directly connected to it, and it was actually meant to act as the first-level firewall, as I learnt from the folks.
The Juniper is now to be put in behind the ASA to act as the second-layer firewall and to decommission the Netscreen.
Even I am curious about this, but I am not getting any definitive answers from the people here, so I left it at that.
Abzal,
The Juniper is not connected. It was when we tested it last time, but due to the problems described above during testing, it was removed later on. Only static routing is running on the Juniper.
The default gateway on the servers that I found was 10.96.0.13, which is the 3845's address. Yes, the mask on the server is /24.
Thanks and really appreciate all help!
01-09-2013 09:33 AM
I think you can safely remove the redistribution of static routes and leave just the static routes.
on 3845:
router eigrp 11
no redistribute static metric 10000 100 255 1 1500
ip route 75.66.51.21 255.255.255.255 "Juniper IP"
ip route 177.148.25.41 255.255.255.255 "Juniper IP"
ip route 200.200.1.1 255.255.255.255 "Juniper IP"
And traceroute from the 3845 with destination 200.200.1.1.
Have a look at the routing table on one of the servers that you're testing from, just to make sure:
route print
Then you could try the above commands when you are able to.
Hope it will help.
Best regards,
Abzal
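Abzal's "route print" check above, as an added example that is not part of the thread: a small parser for the Windows IPv4 route table that finds the route the server would actually use for 200.200.1.1 and lists any route more specific than the default that hands traffic to a gateway other than the expected default gateway 10.96.0.13. The route table text is constructed for the example, including one host route via 10.96.0.50 to show what the check flags; the real server's output may not contain such a route.

```python
import ipaddress
import re

# Constructed sample of "route print" output from a Windows server at
# 10.96.0.91 whose default gateway is 10.96.0.13 (the thread's values).  The
# 200.200.1.1 host route via 10.96.0.50 is invented for the example: it is
# the kind of entry that would make the server ignore the 3845's new static.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.96.0.13      10.96.0.91     10
        10.96.0.0    255.255.255.0         On-link       10.96.0.91    266
       10.96.0.91  255.255.255.255         On-link       10.96.0.91    266
      200.200.1.1  255.255.255.255       10.96.0.50      10.96.0.91     11
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
===========================================================================
Persistent Routes:
  None
"""

# destination, netmask, gateway, interface, metric
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_route_print(text):
    """Return the rows of the 'Active Routes:' table as dicts holding an
    ipaddress network, the gateway ('On-link' for directly attached), the
    interface and the metric.  Stops at the '====' line closing the table."""
    routes = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            in_table = True
            continue
        if not in_table:
            continue
        if line.startswith("===="):
            break
        m = ROW.match(line)
        if not m:
            continue  # column header
        dst, mask, gateway, iface, metric = m.groups()
        try:
            network = ipaddress.ip_network(f"{dst}/{mask}", strict=False)
        except ValueError:
            continue
        routes.append({"network": network, "gateway": gateway,
                       "interface": iface, "metric": int(metric)})
    return routes


def effective_route(routes, dst):
    """Windows picks the longest matching prefix, then the lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["network"].prefixlen, r["metric"]))


def effective_gateway(routes, dst):
    r = effective_route(routes, dst)
    return None if r is None else r["gateway"]


def bypass_routes(routes, expected_gateway):
    """Routes more specific than the default that hand traffic to a gateway
    other than the expected one: the 'matching route taking precedence' case."""
    return [r for r in routes
            if r["network"].prefixlen > 0
            and r["gateway"] != "On-link"
            and r["gateway"] != expected_gateway]


if __name__ == "__main__":
    routes = parse_route_print(SAMPLE_ROUTE_PRINT)
    print("200.200.1.1 leaves via", effective_gateway(routes, "200.200.1.1"))
    for r in bypass_routes(routes, "10.96.0.13"):
        print("bypasses default gateway:", r["network"], "via", r["gateway"],
              "metric", r["metric"])
```

On a real server, pipe the saved `route print` output into `parse_route_print`; an empty result from `bypass_routes` means the server really does send 200.200.1.1 to 10.96.0.13 and the problem lies on the 3845 or beyond, while a hit shows the server itself choosing a different next hop regardless of the router's static.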
01-09-2013 09:41 AM
There are certain other devices also connected to this network, another pair of firewalls on the unmanaged switch.
However, they are used for some other business entity and for specific destinations not involved in our case.
Will removing the static redistribution cause any issues? Just keen to understand how removing the redistribution here would help.
Thanks again!
01-09-2013 09:59 AM
If there are any other EIGRP-speaking peers other than the 3845/3750, and the Juniper will be using only static routes, you should leave it as it is without changes. I don't see the whole picture of your network, but it's OK. I just thought the Juniper would be running EIGRP too.
Hope it will help.
Best regards,
Abzal