Best Practice when Firebox is not default gateway

Hi, I'm having trouble setting up my Fireboxes.

The problem is we cannot change the default gateway to the FireCluster, as it is part of a managed WAN company system. So I configured a new gateway for the FireCluster, but have absolutely no idea how to set up my routing. I mean, for internet routing going through the Firebox I suppose it works with a locally installed proxy server. But if I connect through SSL VPN from outside I get an IP address 192.168.113.x and can ping the default gateway 11.237.46.11, but no other devices in the network.

I am not a routing expert, but does anybody have an idea how to set it up to work this way? Or any best practices for that?

Setup: 2x M470 as FireCluster.
Server LAN: 11.237.46.0/24
Default gateway: 11.237.46.1
Gateway of FireCluster: 11.237.46.11

Switches are all Cisco.
Thanks in advance.

Comments

  • Someplace in your existing setup, you need to add a route for 192.168.113.0/24 pointing to 11.237.46.11.
    If your Cisco switches are layer 3/routing switches, it could be done there.
    If not, it could be done on 11.237.46.1

  • @Bruce_Briggs said:
    Someplace in your existing setup, you need to add a route for 192.168.113.0/24 pointing to 11.237.46.11.
    If your Cisco switches are layer 3/routing switches, it could be done there.
    If not, it could be done on 11.237.46.1

    I was able to solve it with a NAT rule with source 11.237.46.11, that worked.
    Will take your route idea for my internet routing, but that will be later.
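The two fixes discussed in this thread (a static route for the VPN pool pointing at the Firebox, or SNAT so that servers only ever see the Firebox's own LAN address) both solve the same problem: the reply packet's return path. The following is an added example, not code from the thread or from WatchGuard, that models that return path as a longest-prefix-match lookup through the server's routing table and then the managed router's table. The routing tables, the `wan-upstream` next hop and the host 192.168.113.5 are constructed for the illustration; the subnet and gateway addresses are the ones quoted in the thread.

```python
"""
Return-path model for a server on 11.237.46.0/24 replying to an SSL VPN client.
Constructed example: tables and the 'wan-upstream' hop are assumptions, not
configuration taken from the thread.
"""
import ipaddress

FIREBOX = "11.237.46.11"          # FireCluster LAN address (from the thread)
MANAGED_GW = "11.237.46.1"        # default gateway nobody on the LAN side can change

# A routing table is a list of (prefix, next_hop); next_hop None means "connected".
SERVER_ROUTES = [
    ("11.237.46.0/24", None),      # connected subnet
    ("0.0.0.0/0", MANAGED_GW),     # everything else to the managed router
]

# The managed router as it ships: it has never heard of the VPN pool.
WAN_ROUTER_ROUTES = [
    ("11.237.46.0/24", None),
    ("0.0.0.0/0", "wan-upstream"),  # constructed placeholder for the provider side
]

# The same router after the route from the comment above is added.
WAN_ROUTER_WITH_VPN_ROUTE = WAN_ROUTER_ROUTES + [
    ("192.168.113.0/24", FIREBOX),
]


def lookup(routes, dst):
    """Longest-prefix match: return 'on-link' for a connected prefix,
    otherwise the configured next hop; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    if best_net is None:
        return None
    return "on-link" if best_hop is None else best_hop


def trace_reply(dst, gateway_routes):
    """Follow a reply from the server towards dst for at most two hops:
    the server's own table, then (if forwarded) the managed router's table."""
    path = ["server"]
    hop = lookup(SERVER_ROUTES, dst)
    if hop == "on-link":
        path.append(dst)           # delivered directly on the LAN
        return path
    path.append(hop)               # handed to the managed router
    path.append(lookup(gateway_routes, dst))
    return path


def reply_reaches_vpn_client(dst, gateway_routes):
    """The VPN client only gets the reply if the Firebox ends up holding it."""
    return FIREBOX in trace_reply(dst, gateway_routes)


if __name__ == "__main__":
    client = "192.168.113.5"  # constructed VPN client address
    # Symptom from the thread: no route, no NAT -> reply leaks out the WAN side.
    print(trace_reply(client, WAN_ROUTER_ROUTES))
    # Fix 1: route for the pool on the managed router / L3 switch.
    print(trace_reply(client, WAN_ROUTER_WITH_VPN_ROUTE))
    # Fix 2: SNAT on the Firebox, so the server replies to an on-link address.
    print(trace_reply(FIREBOX, WAN_ROUTER_ROUTES))
```

Running it shows the three cases in order: without a route the reply goes `server -> 11.237.46.1 -> wan-upstream` and never returns; with the route it goes `server -> 11.237.46.1 -> 11.237.46.11`; with SNAT the destination is the Firebox itself, so the server delivers it on-link and no route is needed anywhere else. That last property is also why SNAT is the workaround when the managed router cannot be touched, at the cost of hiding the real client address from the application.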

  • I am curious if you work for the US DoD because that 11.237.46.11 IP is registered to the DoD.

    Gregg Hill

  • james.carson Moderator, WatchGuard Representative

    @Greggmh123 They've been reallocating IPs as of late, so it's possible ARIN just hasn't caught up.

    -James Carson
    WatchGuard Customer Support

  • Sorry for my late reply, I didn't get a notification about the posts. No, I'm not working for the DoD; I have used fake IP addresses so as not to spread internal information to the world :-)

    BTW, I have set up NAT in the meantime and I am able to reach all my subnets. But I am not satisfied, as the Avaya one-X Agent for IP telephony is not connecting fully to our TK system; it seems that it has an issue with NATed addresses.

    I have added the route to our switches as you suggested, but it's not working, as our gateway seems to be on a VRF on the router (which is not managed by myself).
    So I am looking for a way to work around it :-)
