Here is my scenario.
Business with two locations.
*Firebox Watchguard X700
*Public IP on Cisco Ser
*Private IP 172.28.159.1 on Cisco eth0/0
*X700 also has a public IP assigned to it as well as a private IP
*X700 is where I have my VPN set up to allow the two networks to communicate.
*Router/Modem provided by local ISP
*Firebox Watchguard Edge
*Watchguard is also set up for VPN
*Watchguard has a public IP as well as a private IP 172.28.158.1
When I try to ping the 172.28.158.0 network, I can watch the logs on my X700 and see that it is passing the traffic through, but it is coming back as unreachable.
I'm pretty sure I need to configure a route in my 2811 to allow traffic from the local 172.28.159.0/24 network to the 172.28.158.0/24 network, but not sure how.
I have my vpn setup so that the pub IP on my X700 is pointing to the pub IP on my Edge. And each devices trusted network is allowed on each.
Any help would be greatly appreciated.
I'm sorry, I was wrong about the X700. It does not have a private IP assigned to it, only one of my public IPs. Will that still work?
The tunnel is terminating in the X700, correct?
Can you explain the external connection between the 2811 and the X700?
Can the 2811 reach the X700 via IP? If so, what IP addressing is used for this connection?
If they are reachable, then that's the gateway that needs to be used in the ip route statement I posted before.
Yes, the tunnel is from my Edge at Location 2 using its public IP to my X700 public IP.
Here at Location 1 I have a T1 that comes in to my Adtran, then to my 2811. My 2811 plugs into a 3Com switch (I have Cisco switches on the way). My X700 also plugs into that 3Com switch.
I can ping my public IP on both the X700 and the 2811.
You use the IP address of the interface of the X700 that connects into your 3com switch because this is the interface that the 2811 should be able to reach.
e.g. ip route 172.28.158.0 255.255.255.0 "X700 IP address of interface connected to 3Com"
Thanks for all of your help. But this is kicking my butt.
When I look at my X700 it has an Ext port which has a public IP assigned to it and is plugged into the 3Com. It also has a trusted eth1 port which is also plugged into the 3Com switch. When I check that port via the Watchguard System Manager I see that it has 172.28.159.1 (which is my router).
I'm starting to think that I might not get out of here at noon today...
I have determined that the IP for my X700 is 172.28.159.254 but...
I can ping that IP from my workstation just fine, but I cannot ping it from inside the 2811.
Now I am really stumped.
If you can ping the X700 (172.28.159.254) from your workstations, then make sure the LAN interface with IP 172.28.159.x that is assigned in the 2811 is connected to the same broadcast domain as the X700.
The plot thickens.
I just ran a show ip route:
22.214.171.124/28 is subnetted, 1 subnets
C 70.xxx.xxx.xxx is directly connected,
126.96.36.199/30 is subnetted, 1 subnets
C 65.xx.xx.xx is directly connected,
S* 0.0.0.0/0 [1/0] via 65.xx.xx.xx
So it seems that 172.28.159.1 is actually the IP of the trusted interface on my X700.
Do I need to plug into my FastEthernet0/1 and configure that as 172.28.159.1?
The 2811 is your public router and plays no part of the tunnel configuration. No need to change anything there.
As for assistance on the X700 and how to route between these 2 networks, I don't think I can help since I'm not familiar with that product.
So does this sound correct...
Right now in my current configuration my X700 is handling all of my network traffic. When someone on my network uses the internet or whatever, the X700 directs them out of its Ext port (which has the public IP assigned to it), to the router's FastEthernet port which has a public IP, to the Ser port, and then out to the cloud.
And if this is the case, I don't need to configure anything on the router to allow information bound for 172.28.158.0 from 70.xx.xx.xx (X700).
This may be a whole other topic, but is there a better way to configure the topology of this network?
Thank you once again for ALL of your help.
This is by far the best forum out there when it comes to Cisco Networking.
That's correct. The X700 is your default gateway. You need to configure it in such a way that when packets from 172.28.159.0/24 network are going to the 172.28.158.0/24 network, they should go via the IPSec tunnel and not out to the internet.
The 2811 router is not playing a part in this tunnel and should be left alone.
Your topology is fine and you need to find out how to configure the X700 properly so it can handle the traffic going out to the internet and the traffic going out via the IPSec tunnel.
I'm attaching your network topology, let me know if I missed something.
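The routing decision the last reply describes (the X700 must prefer the tunnel for 172.28.158.0/24 while everything else follows the default route, and the 2811 never sees the LAN-to-LAN traffic) is a plain longest-prefix match. The following is an added example, not code or configuration from the thread or from either vendor: it models the three routing tables as Python lists and shows which next hop each device picks for a packet to the remote LAN. The public prefixes, which the thread masks as 70.xxx and 65.xx, are replaced with documentation ranges (203.0.113.0/28, 198.51.100.0/30), and all next-hop labels and the X700 trusted address 172.28.159.254 are taken from the thread or assumed as placeholders.

```python
import ipaddress

# Added example. Constructed routing tables modelled on the thread; the public
# ranges use documentation prefixes as stand-ins for the masked 70.x/28 and
# 65.x/30 networks, and next-hop labels are placeholders, not device config.

# 2811: only its two connected public subnets and a static default, as in the
# posted "show ip route". It has no route for either 172.28.x.0/24 LAN.
ROUTER_2811 = [
    ("203.0.113.0/28", "connected FastEthernet0/0 (public /28 toward X700)"),
    ("198.51.100.0/30", "connected Serial0/0 (T1 link)"),
    ("0.0.0.0/0", "ISP next hop via Serial0/0"),
]

# X700 before the fix: the trusted LAN plus a default toward the 2811, so
# traffic for 172.28.158.0/24 leaks out to the Internet and comes back unreachable.
X700_BEFORE = [
    ("172.28.159.0/24", "connected trusted eth1"),
    ("0.0.0.0/0", "2811 public IP (Internet)"),
]

# X700 after the fix: a more specific route steers the remote LAN into the tunnel.
X700_AFTER = X700_BEFORE + [
    ("172.28.158.0/24", "IPsec tunnel to Edge"),
]


def lookup(table, dst):
    """Return the next-hop label for dst by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    best_net, best_via = None, None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    return best_via


def ios_static_route(prefix, next_hop):
    """Render a CIDR prefix as an IOS 'ip route' line (dotted-netmask form)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return f"ip route {net.network_address} {net.netmask} {next_hop}"


def compare(dst="172.28.158.10"):
    """Where each device would forward a packet from the Location 1 LAN to dst."""
    return {
        "2811": lookup(ROUTER_2811, dst),
        "X700 before": lookup(X700_BEFORE, dst),
        "X700 after": lookup(X700_AFTER, dst),
    }


if __name__ == "__main__":
    for device, via in compare().items():
        print(f"{device:12s} -> {via}")
    # The form of the static route suggested earlier in the thread. With the X700
    # as the LAN's default gateway the 2811 never needs it; shown for the syntax only.
    print(ios_static_route("172.28.158.0/24", "172.28.159.254"))
```

Running it prints the 2811 sending the packet to the ISP (its only matching route is the default), the unpatched X700 doing the same, and the patched X700 choosing the tunnel because /24 beats /0. That is the whole of the fix: the more specific route must live on whichever box is the LAN's default gateway, and on the X700 that is the tunnel policy for 172.28.158.0/24 rather than anything on the 2811.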