Needed help with this topology



aeonpoon
2010-11-01, 20:35
Hi to all, I have a question here. I have been given this topology; I have done the connections, given an address to each interface, and done pings from router to switch, and realised:

http://i367.photobucket.com/albums/oo117/aeonpoon/give_topplogy.jpg

1) Router can only ping 10.2.2.1/30, not 10.2.2.2/30.

2) Checkpoint firewall is able to ping the router, but not the gateway 10.3.3.1/30.

3) Gateway ping to Checkpoint is able to get a response from 10.2.2.1/30 but not 10.1.1.2/30.

4) Switch is only able to ping 10.3.3.1, not 10.2.2.2.

I have opened the rules from any to any and did routing tables too, but still cannot get it to work. I suspect that the Checkpoint does not know where to pass the packets to; I think there might be a command to do so. I wish someone could guide me through. Thanks so much in advance to all, I really appreciate it.


http://i367.photobucket.com/albums/oo117/aeonpoon/CheckpointFirewallroutingtable.png
Checkpoint routing table UTM-1 570

http://i367.photobucket.com/albums/oo117/aeonpoon/capture_28102010_093959.jpg
Juniper gateway SSG 550

alienbaby
2010-11-01, 21:27
If the diagram is your goal, then the following configuration should be removed/modified.

1. Juniper should have a gateway for 10.1.1.0/30 to 10.2.2.1
2. The UTM should have a gateway for 10.3.3.0/30 to 10.2.2.2

Looks like the gear has been told to ARP for these networks, instead of route.

I bet the switch doesn't have a route to the 10.2.2.0/30 subnet.

aeonpoon
2010-11-02, 02:51
Alright, roughly I get what you mean. I have been configuring for a week but still cannot get it up, so I have removed the gateway and tried to configure by trial and error. So here is the topology:

http://i367.photobucket.com/albums/oo117/aeonpoon/give_topplogy_2.jpg

The router static route I configured: 10.2.2.0 255.255.255.252 10.1.1.1

The Checkpoint firewall I have configured with an any-to-any policy and also put a route for 10.2.2.0 on 10.2.2.1.

The switch I have configured with a VLAN and given an IP of 10.2.2.2, also ip route 10.1.1.0 on 10.2.2.2.

So now the problem is that the Cisco router could not get a reply from the Cisco switch and vice versa, but when I tried to use the Checkpoint to ping, it can get a reply. So I wonder which routing I have not put in the Checkpoint firewall. Thanks for the quick reply, really need your help ~~ Appreciate it

northlandboy
2010-11-02, 05:14
So now the problem is that the Cisco router could not get a reply from the Cisco switch and vice versa, but when I tried to use the Checkpoint to ping, it can get a reply. So I wonder which routing I have not put in the Checkpoint firewall. Thanks for the quick reply, really need your help ~~ Appreciate it

If the Firewall can see both the router and the switch, but the router and switch can't see each other, then it's a routing misconfiguration on either the router, the switch, or both. (Assuming you have a working firewall policy of course...)

You can check the route table on both the router and the switch. You can also run tcpdump on both sides of the firewall, to watch to see if there is a packet traversing the firewall, and a reply packet coming back.

aeonpoon
2010-11-02, 05:26
If the Firewall can see both the router and the switch, but the router and switch can't see each other, then it's a routing misconfiguration on either the router, the switch, or both. (Assuming you have a working firewall policy of course...)

You can check the route table on both the router and the switch. You can also run tcpdump on both sides of the firewall, to watch to see if there is a packet traversing the firewall, and a reply packet coming back.

Thanks for the reply. I tried the tcpdump command on the Cisco router and switch but there is no such command. I have an ip route on the router which is 10.2.2.0 255.255.255.252 10.1.1.1, and the switch's is 10.1.1.0 255.255.255.252 10.2.2.2, but is there a need to configure routes on the Checkpoint firewall?

Barry J. Stiefel
2010-11-02, 17:08
Are you using a really early beta version of Visio?

I'm just sayin'.

alienbaby
2010-11-02, 18:19
The router static route I configured: 10.2.2.0 255.255.255.252 10.1.1.1

The switch I have configured with a VLAN and given an IP of 10.2.2.2, also ip route 10.1.1.0 on 10.2.2.2.

The next-hop route should point to another device that will help get the packet to the destination.
In the 'router static route I configured 10.2.2.0 255.255.255.252 10.1.1.1', 10.1.1.1 is on the router itself. You created a circle within the router.
Don't route to itself. Route to the next device. In this case, the CheckPoint box.

On the router 'ip route 10.2.2.0 255.255.255.252 10.1.1.2'.
On the switch 'ip route 10.1.1.0 255.255.255.252 10.2.2.1'.
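
To show why the two routes above fix the problem, here is a small forwarding simulation of the router / Check Point / switch topology from this thread. It is an added example, not code from the thread or from any of the vendors mentioned: the device names, the "next hop must be on a directly connected subnet and must not be the device's own address" rule, and the assumption that the firewall's any-to-any policy passes everything are mine. It runs a sanity check over each device's static routes and then traces a ping request and its reply hop by hop, reproducing the symptom that the firewall can reach both boxes while the router and switch cannot reach each other.

```python
"""Static-route sanity check and hop-by-hop trace for the router -> Check Point -> switch
topology. Added example with assumed device names; IOS-style static-route semantics."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    interfaces: list                       # e.g. ["10.1.1.1/30"]
    static: list = field(default_factory=list)   # (destination network, next hop)

    def addresses(self):
        return {ipaddress.ip_interface(i).ip for i in self.interfaces}

    def connected(self):
        return [ipaddress.ip_interface(i).network for i in self.interfaces]

    def lookup(self, dst):
        """Longest-prefix match over connected and static routes.
        Returns ("local", None), ("connected", None), ("static", next_hop) or None."""
        dst = ipaddress.ip_address(dst)
        if dst in self.addresses():
            return ("local", None)
        best = None
        for net in self.connected():
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, "connected", None)
        for net_s, nh in self.static:
            net = ipaddress.ip_network(net_s)
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, "static", ipaddress.ip_address(nh))
        return None if best is None else best[1:]


def check_static_routes(dev):
    """Flag next hops that are the device's own address or not on a connected subnet
    (assumed rule: the device must be able to ARP for its next hop)."""
    problems = []
    for net, nh in dev.static:
        nh_ip = ipaddress.ip_address(nh)
        if nh_ip in dev.addresses():
            problems.append(f"{dev.name}: route {net} via {nh} points at the device's own address")
        elif not any(nh_ip in c for c in dev.connected()):
            problems.append(f"{dev.name}: next hop {nh} for {net} is not on a connected subnet")
    return problems


def trace(devices, src_dev, dst, max_hops=8):
    """Walk one packet from src_dev towards dst. devices maps interface address -> Device."""
    path, cur = [src_dev.name], src_dev
    for _ in range(max_hops):
        r = cur.lookup(dst)
        if r is None:
            return path, f"no route on {cur.name}"
        kind, nh = r
        if kind == "local":
            return path, "delivered"
        target = ipaddress.ip_address(dst) if kind == "connected" else nh
        nxt = devices.get(target)
        if nxt is None:
            return path, f"{cur.name}: ARP for {target} would fail"
        if nxt is cur:
            return path, f"{cur.name}: route loops back to itself"
        cur = nxt
        path.append(cur.name)
    return path, "hop limit exceeded"


def ping(devices, src_dev, src_ip, dst_ip):
    """Round trip: the request must reach dst_ip and the reply must get back to src_ip."""
    fwd_path, fwd = trace(devices, src_dev, dst_ip)
    if fwd != "delivered":
        return False, f"request: {fwd}"
    _, rev = trace(devices, devices[ipaddress.ip_address(dst_ip)], src_ip)
    if rev != "delivered":
        return False, f"reply: {rev}"
    return True, " -> ".join(fwd_path)


def build(router_nh, switch_nh):
    """Constructed topology from the thread; firewall policy is assumed any-to-any."""
    router = Device("router", ["10.1.1.1/30"], [("10.2.2.0/30", router_nh)])
    fw = Device("checkpoint", ["10.1.1.2/30", "10.2.2.1/30"])
    switch = Device("switch", ["10.2.2.2/30"], [("10.1.1.0/30", switch_nh)])
    devices = {a: d for d in (router, fw, switch) for a in d.addresses()}
    return router, fw, switch, devices


if __name__ == "__main__":
    for label, r_nh, s_nh in (("as first configured", "10.1.1.1", "10.2.2.2"),
                              ("corrected", "10.1.1.2", "10.2.2.1")):
        router, fw, switch, devices = build(r_nh, s_nh)
        print(label, check_static_routes(router) + check_static_routes(switch))
        print("  router -> switch:  ", ping(devices, router, "10.1.1.1", "10.2.2.2"))
        print("  firewall -> switch:", ping(devices, fw, "10.2.2.1", "10.2.2.2"))
```

With the first configuration the check reports both self-pointing routes and the router-to-switch ping fails on the request leg, while the firewall-to-switch ping still succeeds because that traffic only needs connected routes; with the corrected next hops the trace is router -> checkpoint -> switch in both directions.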

aeonpoon
2010-11-02, 20:23
Are you using a really early beta version of Visio?

I'm just sayin'.

No, I am not using Visio!

aeonpoon
2010-11-02, 20:24
The next-hop route should point to another device that will help get the packet to the destination.
In the 'router static route I configured 10.2.2.0 255.255.255.252 10.1.1.1', 10.1.1.1 is on the router itself. You created a circle within the router.
Don't route to itself. Route to the next device. In this case, the CheckPoint box.

On the router 'ip route 10.2.2.0 255.255.255.252 10.1.1.2'.
On the switch 'ip route 10.1.1.0 255.255.255.252 10.2.2.1'.

Thanks, got it! Thank you so much ~

dbrown3611
2010-11-02, 21:13
Are you using a really early beta version of Visio?

I'm just sayin'.

Analog Visio, used heavily back in the overhead projector days if memory serves correctly.

northlandboy
2010-11-03, 00:26
Analog Visio, used heavily back in the overhead projector days if memory serves correctly.

Looks a bit like some scratchings I've got on the whiteboard here at work. Can't imagine it would score too highly at Rate My Network Diagram (http://www.ratemynetworkdiagram.com/) though...

aeonpoon
2010-11-04, 04:27
Looks a bit like some scratchings I've got on the whiteboard here at work. Can't imagine it would score too highly at Rate My Network Diagram (http://www.ratemynetworkdiagram.com/) though...

haha yeah! Need to change my pattern of drawing

Barry J. Stiefel
2010-11-04, 21:36
haha yeah! Need to change my pattern of drawing

I was just teasing. I've solved a lot of problems with a hand-drawn diagram. Also, Excel can work really well for a network diagram if you're willing to learn how to use merge cell and cell boundaries.

If it's a clear and accurate diagram, I'm for it, however it was drawn.