
Routing with FireBox 700

Status
Not open for further replies.

yhchooi

MIS
Nov 1, 2001
40
MY
Hi

I have the following query

PC--> Firebox 700 --> segment 1, 2, 3 --> segment X
Optional Port same location 60km away


The Firebox 700 is configured in drop-in mode. I have a PC connected to the Firebox 700. I can ping segments 1, 2 and 3. However, I cannot ping segment X, which is a separate office around 60km away, connected via a microwave leaseline.

Have been working on this problem almost one month. Anyone who can provide some help is very much appreciated.


Thanks
YH
Best Regards
YH Chooi
 
Where are segments 1,2 and 3 connecting and where is segment X connecting on the firebox? Are they all going through a router which is connected to the external interface?

Also what rule(s) do you have set up for Ping'ing?
 

Segment 1,2,3 are in the same location with the Firebox. The Trusted port of the Firebox is connected to segment 1. Segment 1 is connected to Segment 2 & 3 via a Cisco 2948G-L3. Segment X is connected to Segment 1 via a micro-wave leaseline using Cisco 2610 router.

In brief: -
PC to Firebox Optional port
Firebox Trusted port connect to Segment 1
Segment 1 to Segment 2 & 3 via Cisco 2948G-L3
Segment 1 to Segment X via Cisco 2610
(Any chance of attaching a diagram in this forum?)

Rules for ping
Incoming - From Optional to Optional and Trusted
Outgoing - From Any to Any





Best Regards
YH Chooi
 
Sounds like you have everything set up correctly on the FB. Have you entered a route to segment X in the FB as well? It sounds like it could be a routing issue either at the FB or the Cisco router for segment X.

Have you seen any deny messages in your logs from the FB? If you do a traceroute, what do you see? Does other traffic pass OK to segment X or is it just a ping problem?
 
Can you ping from a PC on Segment 1 to Segment X? Does the Cisco 2610 connecting segments X and 1 have a route back to the optional port segment? I believe the optional port on the 700 constitutes another segment (segment Y) and is not actually part of segment 1.
 
After a further check, it seems to be some routing issue. When I did a traceroute, it stopped at the router at segment 1, just before segment X. So far, I have only tested with the ping command. We did try with a static route on the router but it still didn't work.

To make things complicated, segment 1 is running EIGRP and segment X is RIP. The router at segment X is also doing the conversion from EIGRP to RIP.

Segment 1 (EIGRP) ------> Segment X (RIP)







Best Regards
YH Chooi
 
A static route from segment 1's router to segment x still doesn't get you to segment x? Can you ping from the router on segment 1 to the router on segment x (interface to interface)?

As long as there is a route to each network in each router and they are verified connected - there shouldn't be an issue. Sounds like one of three things: 1) incorrect or no route on one or both routers 2) no connection between routers or 3) router hardware/software problem.
 
1. From optional port ping to the first router at segment X - no problem (with static route)

2. From optional port ping to the servers in segment X - it's up for 10min, went down the next 10min, then up again and down again.

3. From segment 1 ping to router and server in segment X - no problem

The servers in segment X are running Unix and having 2 share-storage.

Best Regards
YH Chooi
 
So the short version is that you can always ping the segment X router, but have limited success pinging the servers on segment x when pinging from the optional port on the firewall.

Are there any deny messages in the FB log (I doubt there are, but it is worth asking)? If the problem is only occurring when pinging the servers in segment x from the optional port - what do the route tables on the segment x servers look like? Perhaps there is a conflicting route on the server causing the problem.
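
The return-path checks suggested in the replies above (a route back to the optional-port segment on the segment X router, and no conflicting route on the segment X servers) can be worked through offline. This is an added example, not part of the original thread: every address, device name and route table below is constructed, and it assumes, as one reply suggests, that the optional-port hosts sit in their own subnet.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None when no route covers dst."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def trace(tables, hosts, src, dst, max_hops=8):
    """Walk hop by hop from the device owning src toward dst; returns (path, outcome)."""
    node = hosts[src]
    path = [node]
    for _ in range(max_hops):
        if node == hosts[dst]:
            return path, "delivered"
        hop = lookup(tables[node], dst)
        if hop is None:
            return path, "no route at " + node
        # "direct" means dst is on a connected network, so the owning host is next
        node = hosts[dst] if hop == "direct" else hop
        path.append(node)
    return path, "loop"

def round_trip(tables, hosts, a, b):
    """An echo request needs a->b, the reply needs b->a; report both outcomes."""
    return trace(tables, hosts, a, b)[1], trace(tables, hosts, b, a)[1]

# Constructed addressing: optional-port PC 10.9.0.5, segment X server 10.50.0.20.
HOSTS = {"10.9.0.5": "pc", "10.50.0.20": "server_x"}
TABLES = {
    "pc":         [("0.0.0.0/0", "firebox")],
    "firebox":    [("10.9.0.0/24", "direct"), ("10.50.0.0/24", "rtr_seg1")],
    "rtr_seg1":   [("10.9.0.0/24", "firebox"), ("10.50.0.0/24", "rtr_segx")],
    "rtr_segx":   [("10.50.0.0/24", "direct"), ("10.9.0.0/24", "rtr_seg1")],
    # Hypothetical conflicting entry: a more specific route beats the default gateway
    "server_x":   [("10.50.0.0/24", "direct"), ("0.0.0.0/0", "rtr_segx"),
                   ("10.9.0.0/24", "storage_gw")],
    "storage_gw": [("10.50.0.0/24", "direct")],
}
# Same tables with the conflicting server route removed
FIXED = dict(TABLES, server_x=TABLES["server_x"][:2])

if __name__ == "__main__":
    print("conflicting route:", round_trip(TABLES, HOSTS, "10.9.0.5", "10.50.0.20"))
    print("route removed:    ", round_trip(FIXED, HOSTS, "10.9.0.5", "10.50.0.20"))
```

The forward direction succeeds in both cases; only the reply path differs, which is why a ping can fail even though every hop toward the destination has a route.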
 