
Unable to route to new Firewall

Status
Not open for further replies.

BDietz72 (MIS), joined Oct 28, 2003, 3 messages, location US
We recently acquired a new Firewall (Netscreen 204) which we configured and prepared to install. We have a Cisco router on the inside of the LAN managing several VLANs. All workstations point to it and it routes outbound traffic to the Firewall which then passes it to a small internet router.

Once the new firewall was configured we removed the old one and powered up the new one with the same IP address the old one had. A trace route showed traffic stopping at the Cisco. I checked ARP cache and it seemed to still have the old MAC address from the previous firewall. So I did a clear arp, but had the same issue. Old MAC address remained. Finally I just gave the new Firewall a new IP altogether and changed the route in the Cisco to point to it instead of to the old IP. Unfortunately that failed as well. ARP table shows 0.0.0.0 0.0.0.0 to the new address with the correct MAC but trace route still shows all traffic stopping at Cisco.

Any help on this would be greatly appreciated!
 
Not sure if this will help or not, but below is the current working config on the Cisco (using the old Firewall).

KCATA#sh conf
Using 2368 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname KCATA
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable password 7 0215015819031B
!
username adm privilege 15 password 7 105D0C1A171206
username KCATA privilege 15 password 7 05180F0A2C49401A
clock timezone America/Chicago -6
clock summer-time America/Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip name-server 10.10.4.5
no ip dhcp conflict logging
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
!
!
interface Loopback1
no ip address
!
interface FastEthernet0/0
no ip address
logging event subif-link-status
speed auto
full-duplex
!
interface FastEthernet0/0.1
description KCATA VLAN-1
encapsulation dot1Q 1
ip address 10.10.2.30 255.255.254.0
!
interface FastEthernet0/0.2
description TransitMaster VLAN 2
encapsulation dot1Q 2
ip address 10.10.4.1 255.255.254.0
!
interface FastEthernet0/0.3
description Radio Console VLAN 3
encapsulation dot1Q 3
ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet0/0.100
description native VLAN
encapsulation dot1Q 100 native
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router eigrp 2
network 10.0.0.0
network 192.168.3.0
no auto-summary
!
ip http server
ip http authentication local
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.2.1
!
!
logging trap debugging
logging 10.10.4.5
!
snmp-server community public RO
snmp-server community ILG RW
snmp-server trap-source FastEthernet0/0.2
snmp-server location KCATA
snmp-server contact Siemens
snmp-server system-shutdown
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps conf
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server host 10.10.4.5 ILG
snmp-server host 10.10.4.5 public
!
!
!
!
!
banner login ^CThis is a secured device.
Unauthorized use is prohibited by law.

^C
!
line con 0
password 7 00171A03095E0515
line aux 0
line vty 0 4
password 7 08354942071C11
login
!
ntp server 10.10.4.6 prefer
!
!
end
 
This could be a routing issue, arp issue, or a firewall issue. Is the firewall address the 10.10.2.1 as well as your default gateway?

If that is the case you should have an ARP entry for that address if you ping. If the firewall isn't answering ARP requests, which may be by design, you will have to put in a static arp entry for your new firewall.

In the physical topology how does the router connect to the firewall? If you are getting a trace route and seeing a response from the router, it is most likely the next hop causing the issue. Is the firewall set up correctly, and will it respond to ICMP?
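The reply boils down to two checks on the router: is 10.10.2.1 really the default-route next hop on a directly connected subnet, and does the router hold a resolved ARP entry for it with the new device's MAC? The script below runs those checks against saved CLI output. It is an added example, not code from this thread or from Cisco: the config excerpt is trimmed from the one posted above, the `show ip arp` lines and every MAC address in it are constructed, and `NEW_FIREWALL_MAC` stands in for whatever the replacement firewall actually reports. The last function emits the static `arp ... arpa` line the reply suggests as a workaround when the firewall does not answer ARP.

```python
"""Check whether an IOS router's default next hop is on-link and ARP-resolved.

Added example; parses a running-config excerpt and 'show ip arp' text and
reports why forwarding might stop at the router. All sample data is constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed excerpt modelled on the posted config (only the lines needed here).
SAMPLE_CONFIG = """\
interface FastEthernet0/0.1
 ip address 10.10.2.30 255.255.254.0
interface FastEthernet0/0.2
 ip address 10.10.4.1 255.255.254.0
ip route 0.0.0.0 0.0.0.0 10.10.2.1
"""

# Constructed 'show ip arp' output: next hop still maps to the OLD firewall's MAC.
SAMPLE_ARP_STALE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.2.1              12   0000.0c11.1111  ARPA   FastEthernet0/0.1
Internet  10.10.2.30              -   0000.0c22.2222  ARPA   FastEthernet0/0.1
"""

# Constructed output for a firewall that never answers the ARP request.
SAMPLE_ARP_INCOMPLETE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.2.1               0   Incomplete      ARPA
"""

NEW_FIREWALL_MAC = "0000.0c33.3333"  # constructed: MAC of the replacement firewall


@dataclass
class ArpEntry:
    address: str
    mac: Optional[str]        # None when IOS prints 'Incomplete'
    interface: Optional[str]


def parse_default_next_hop(config: str) -> Optional[str]:
    """Next hop of 'ip route 0.0.0.0 0.0.0.0 <hop>', or None if absent."""
    m = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    return m.group(1) if m else None


def parse_connected_networks(config: str) -> Dict[str, ipaddress.IPv4Network]:
    """Map interface name -> connected network from 'ip address a.b.c.d mask' lines."""
    nets, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        m = re.match(r"\s*ip address (\S+) (\S+)$", line)  # skips 'no ip address'
        if m and current:
            nets[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return nets


def parse_show_ip_arp(text: str) -> Dict[str, ArpEntry]:
    """Parse the 'Internet ...' rows of 'show ip arp' into ArpEntry objects."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "Internet":
            continue
        mac = None if parts[3].lower() == "incomplete" else parts[3].lower()
        iface = parts[5] if len(parts) > 5 else None
        entries[parts[1]] = ArpEntry(parts[1], mac, iface)
    return entries


def diagnose(config: str, arp_text: str, expected_mac: str) -> str:
    """Classify why traffic might stop at the router: route, on-link, ARP, or stale MAC."""
    hop = parse_default_next_hop(config)
    if hop is None:
        return "no-default-route"
    nets = parse_connected_networks(config)
    if not any(ipaddress.ip_address(hop) in n for n in nets.values()):
        return "next-hop-not-on-connected-subnet"
    entry = parse_show_ip_arp(arp_text).get(hop)
    if entry is None or entry.mac is None:
        return "arp-unresolved"          # firewall not answering ARP (or not cached yet)
    if entry.mac != expected_mac.lower():
        return "arp-stale"               # cache still holds the old firewall's MAC
    return "ok"


def static_arp_command(config: str, mac: str) -> str:
    """IOS static ARP line pinning the next hop to the given MAC (the reply's workaround)."""
    return f"arp {parse_default_next_hop(config)} {mac.lower()} arpa"


if __name__ == "__main__":
    for label, arp in (("stale", SAMPLE_ARP_STALE), ("incomplete", SAMPLE_ARP_INCOMPLETE)):
        print(label, "->", diagnose(SAMPLE_CONFIG, arp, NEW_FIREWALL_MAC))
    print("workaround:", static_arp_command(SAMPLE_CONFIG, NEW_FIREWALL_MAC))
```

Feed it the real `show running-config` and `show ip arp` output and the expected MAC from the firewall's own interface; an "arp-stale" result after `clear arp` points at something still answering for the old MAC (or a stale entry on a switch in between), while "arp-unresolved" matches the reply's case where the firewall ignores ARP and a static entry is needed.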
 