
I have a WatchGuard XTM33 and a Cisco ASA 5505, current network is running off of the Cisco and I want to eventually migrate over to the WatchGuard using new IP scheme.

ASA 192.168.111.1/24

WG 10.0.0.1/23

If I set up the WG and configure one of the interfaces as external, set default gw to 192.168.111.1, traffic going outbound from WG works from a machine in the 10.0.0.0/23 range; however, if I am on a machine in the 192.168.111.0/24 range, I am unable to reach 10.0.0.1 (ping, tcp ping on open port, etc.).

What could I be missing?

nGX
  • Can you explain your setup in more detail? It sounds like you have configured the Watchguard external interface in the 192.168.111.0/24 network - that won't work very well because NAT will be involved (the Watchguard will be trying to treat it like an internet connection and hiding all the 10.0.0.x machines behind itself). – TessellatingHeckler Nov 13 '14 at 00:06

2 Answers


You need a route statement in the ASA to point to the 10.x.x.x network. Assuming you have an interface called 'inside' and that the Watchguard / ASA have interfaces on the same subnet:

route inside 10.0.0.0 255.255.254.0 <watchguard ip>

Also, you should not configure the Watchguard to NAT traffic from 10.0.0.0/23 to 192.168.111.0/24.

Ray
  Easy Setup               What it sounds like you have
  ----------               ----------------------------

  Internet                     Internet
  |     |                        |
Cisco  Watchguard              Cisco
  |     /                        |
   192...                      192...
   10...                         |
                               Watchguard
                                 |
                               10...

Go for the first design.

Have:

Cisco WAN: {Internet IP}
Cisco LAN: 192.168.111.1/24
Cisco LAN Secondary IP: 10.0.0.2/23 (a connection into the Watchguard subnet)

Watchguard WAN: {Spare Internet IP - assuming you have one}
Watchguard LAN: 10.0.0.1/23
Watchguard LAN Secondary IP: 192.168.111.2/24 (a connection into the Cisco subnet)

Now each device has an internet connection, a local connection on its main subnet, and a secondary IP giving it a leg into the other device's main subnet.

Then add a route on each device crossing the two networks over (Cisco -> Watchguard's secondary. Watchguard -> Cisco secondary), e.g.

Watchguard route: 192.168.111.0/24 via gateway 10.0.0.2
Cisco route: 10.0.0.0/23 via gateway 192.168.111.2

Your computers will send to their default gateway. If the traffic is for the other LAN subnet, it will hop between the two devices. Either device can send to the internet. Firewall rules are completely separate.

If you can't do this design because you don't have a spare public IP on your internet connection, then you will have more problems and need a more complicated setup.

TessellatingHeckler
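A worked model of the routing decisions behind both answers (the static route Ray adds on the ASA, and the crossed secondary-IP design in the answer above), added here as an illustration; it is not configuration from either device and not code from the thread. The WatchGuard external address 192.168.111.3 and the upstream gateway 203.0.113.1 are assumed values; firewall policy and NAT on the WatchGuard external interface are deliberately not modelled, so a path that is "delivered" here still has to be allowed by the WatchGuard policy.

```python
"""Longest-prefix-match model of the two layouts discussed in the thread.

Added example, not configuration from the original post. Addresses follow
the thread (ASA 192.168.111.1/24, WatchGuard 10.0.0.1/23); the WatchGuard
external address and the ISP gateway below are assumptions.
"""
from ipaddress import ip_address, ip_network

ISP_GW = "203.0.113.1"          # assumed upstream gateway (documentation range)
WG_EXTERNAL = "192.168.111.3"   # assumed WatchGuard external address in the ASA LAN


def lookup(table, dst):
    """Return (prefix, next_hop) of the most specific route matching dst.

    table is a list of (prefix, next_hop); next_hop None means the prefix is
    directly connected. Returns None when no route matches.
    """
    dst = ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else (str(best[0]), best[1])


def trace(devices, start, dst, max_hops=8):
    """Follow a packet from the host's default gateway `start` towards dst.

    devices maps a name to {"addrs": set of its own IPs, "routes": table}.
    Returns the hop list: device names, then a final string describing how
    the packet left the modelled network (delivered, forwarded, dropped).
    """
    path, cur = [start], start
    for _ in range(max_hops):
        route = lookup(devices[cur]["routes"], dst)
        if route is None:
            path.append("dropped: no route")
            return path
        prefix, nh = route
        if nh is None:                       # connected prefix: deliver locally
            path.append("delivered on " + prefix)
            return path
        owner = next((n for n, d in devices.items() if nh in d["addrs"]), None)
        if owner is None:                    # next hop is outside the model (ISP)
            path.append("forwarded to " + nh)
            return path
        path.append(owner)
        cur = owner
    path.append("loop")
    return path


def current_layout(asa_has_route):
    """The 'what it sounds like you have' layout: the WatchGuard external
    interface sits in the ASA LAN and uses the ASA as its default gateway."""
    asa_routes = [("192.168.111.0/24", None), ("0.0.0.0/0", ISP_GW)]
    if asa_has_route:
        asa_routes.insert(0, ("10.0.0.0/23", WG_EXTERNAL))   # Ray's route
    return {
        "ASA": {"addrs": {"192.168.111.1"}, "routes": asa_routes},
        "WG": {"addrs": {"10.0.0.1", WG_EXTERNAL},
               "routes": [("10.0.0.0/23", None), ("192.168.111.0/24", None),
                          ("0.0.0.0/0", "192.168.111.1")]},
    }


def easy_layout():
    """The 'easy setup': each device has its own uplink, a secondary address
    in the other LAN, and a static route to the other LAN via the other
    device's secondary address. Secondary addresses are modelled as addresses
    the device answers on; the static routes do the cross-subnet forwarding."""
    return {
        "ASA": {"addrs": {"192.168.111.1", "10.0.0.2"},
                "routes": [("192.168.111.0/24", None),
                           ("10.0.0.0/23", "192.168.111.2"),
                           ("0.0.0.0/0", ISP_GW)]},
        "WG": {"addrs": {"10.0.0.1", "192.168.111.2"},
               "routes": [("10.0.0.0/23", None),
                          ("192.168.111.0/24", "10.0.0.2"),
                          ("0.0.0.0/0", ISP_GW)]},
    }


if __name__ == "__main__":
    for label, devs in [("current, no ASA route", current_layout(False)),
                        ("current, with Ray's route", current_layout(True)),
                        ("easy setup", easy_layout())]:
        print(f"{label}: 192.168.111.50 -> 10.0.0.1: "
              + " -> ".join(trace(devs, "ASA", "10.0.0.1")))
    print("easy setup: 10.0.0.50 -> 192.168.111.50: "
          + " -> ".join(trace(easy_layout(), "WG", "192.168.111.50")))
```

Without the route the ASA only has its connected LAN and a default, so a packet for 10.0.0.1 from the 192.168.111.0/24 side is handed to the ISP; adding the /23 route sends it to the WatchGuard instead. In the crossed design each device still reaches the internet through its own default while traffic for the other LAN takes exactly one extra hop in each direction.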