Hello, I have a situation, shown in the attached diagram.
I have added a default route in RTR-A for the internet.
What would be the additional route on RTR-A so that the PCs behind RTR-B & RTR-C can access the domain controller and file sharing in the network?
What is the component between the router and the firewall? Is it a Layer 2 switch? If so, how could you configure a different network 192.168.1.0/24 outside the router? Does it terminate on the firewall DMZ?
Here you go. You need to have the following routes on the routers:
Router B - you can have a default route pointing to the next hop serial. That's it. No need for any route for 192.168.8.0, since it is a directly connected network.
Router C - default route to the next hop serial.
Router A - default route to PIX, no route needed for 192.168.2.0/24 since it is a directly connected route. One route for 192.168.8.0/25 pointing to 10.1.1.2, and a route for 192.168.8.128/25 pointing to 10.1.2.2.
Firewall - default route to the router, and routes back for all the networks towards router A.
That's it. This should work fine.
Let us know if you need anything else.
I did the configuration; I could ping both side routers' Ethernet ports. But from the 192.168.8.0 network I can only reach 192.168.2.2, the Ethernet of RTR-A, and could not ping any of the PCs inside the 192.168.2.0/24 network. From RTR-A I can ping inside the LAN of the 192.168.8.0/25 network. 192.168.8.128/25 is not yet connected.
0.0.0.0 0.0.0.0 192.168.2.1
192.168.8.0 255.255.255.0 10.1.1.2
0.0.0.0 0.0.0.0 10.1.1.1
Could you help me in resolving the issue?
For this setup to work, the PCs on the segment 192.168.2.0/24 should have their default gateway as 192.168.2.2 (the router's Ethernet interface). If the default gateway of the clients on this segment points to 192.168.2.1, then this will not work.
Check the same and revert back.
You are right, the default gateway is 192.168.2.1, which is the firewall. So how can we reach PCs with default gateway 192.168.2.1 from the 192.168.8.0 network? What changes in the firewall are required? Changing the gateway is not possible.
This is not possible for the following reasons.
As the default gateway on this segment is pointing to the firewall, the hosts on this segment will send the traffic destined to 192.168.8.0 to the firewall.
I hope there is already a route configured in your firewall for the 192.168.8.0 segments pointing back to your router 192.168.2.2.
For this scenario to work, the firewall should do an ICMP redirect to inform the hosts on the 192.168.2.0/24 segment to use 192.168.2.2 as a default gateway to reach the 192.168.8.0 networks.
Generally firewalls will not do ICMP redirects, as ICMP redirects can pose security threats. Hence this will not work.
Even if your firewall supports ICMP redirects, it is not advisable to have the network in this manner.
Probably I can give you one workaround for the time being.
What are the clients in those segments? Which OS are they running?
If they are Windows clients, you can add a persistent static route in those clients as follows.
From the command prompt, issue the following command:
route add 192.168.8.0 mask 255.255.255.0 192.168.2.2 -p
This command will install a static route in the client PC to forward the traffic destined to the 192.168.8.0 network to 192.168.2.2.
The last parameter "-p" will make this a permanent route in the PC (it will survive a reboot also).
Even if the clients are running some other OS, you can do a similar task in the client PC to add a static route.
This will be an interim solution only. You may have to redesign your network so that the firewall is located in a separate LAN (not in the 192.168.2.0/24 network) or move the clients in 192.168.2.0/24 to a different physical/logical subnet.
Hope this helps. Kindly rate the post if it was helpful.
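As an added illustration (not part of the thread), a small longest-prefix-match lookup that traces where a PC with default gateway 192.168.2.1 sends traffic for 192.168.8.0 before and after the persistent route above, and where RTR-A sends the reply; the PC address 192.168.2.50 and the remote host 192.168.8.10 are constructed sample values, the rest comes from the thread.

```python
import ipaddress

FIREWALL = "192.168.2.1"  # PCs' default gateway (from the thread)
RTR_A = "192.168.2.2"     # RTR-A Ethernet interface (from the thread)

def next_hop(routes, destination):
    """Longest-prefix-match lookup: return the gateway for `destination`.

    `routes` holds (prefix, gateway) pairs; 'connected' means on-link.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None

# RTR-A's table as posted in the thread (default to the PIX, 192.168.8.0 via RTR-B).
RTR_A_ROUTES = [
    ("0.0.0.0/0", FIREWALL),
    ("192.168.8.0/24", "10.1.1.2"),
    ("192.168.2.0/24", "connected"),
]

# A PC on 192.168.2.0/24 whose default gateway is the firewall.
PC_ROUTES_BEFORE = [
    ("0.0.0.0/0", FIREWALL),
    ("192.168.2.0/24", "connected"),
]

# The same PC after `route add 192.168.8.0 mask 255.255.255.0 192.168.2.2 -p`.
PC_ROUTES_AFTER = PC_ROUTES_BEFORE + [("192.168.8.0/24", RTR_A)]

def round_trip(pc_routes, pc="192.168.2.50", remote="192.168.8.10"):
    """First hop of the request (at the PC) and of the reply (at RTR-A).

    The PC and remote addresses are constructed sample hosts. The path is
    symmetric only when the PC hands the request straight to RTR-A; otherwise
    the request reaches RTR-A only if the firewall forwards it back onto the
    same LAN (or sends a redirect), while the reply comes back directly.
    """
    forward = next_hop(pc_routes, remote)
    reverse = next_hop(RTR_A_ROUTES, pc)
    return forward, reverse, forward == RTR_A

if __name__ == "__main__":
    for label, table in (("before", PC_ROUTES_BEFORE), ("after", PC_ROUTES_AFTER)):
        fwd, rev, symmetric = round_trip(table)
        print(f"{label}: PC -> {fwd}, RTR-A reply -> {rev}, symmetric={symmetric}")
```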
Could you please let us know how the segment 192.168.1.0/24 is connected to your network?
In other words, what and where is the default gateway for the 192.168.1.0/24 network?
What is the device which is portrayed between your firewall and router A?
If 192.168.1.0/24 is a segment connected to router A itself, then there won't be any additional static routes required, as the segment is a directly connected one.