Zywall 30w problem connecting

Guest
Archived from groups: comp.security.firewalls

My company has just bought a Zywall 30w, which is plugged into a Cisco
837 ADSL router (which is permanently on) through the WAN port, and then
into a switch from the LAN port. All the addresses on the network are
static on a range of 80.x.x.x with a subnet 255.255.255.192

The router is set as the default gateway on 80.x.x.129 on all the PCs.
I've plugged the 30W in, set the encapsulation to Ethernet, turned the
firewall off in SMT, turned off DHCP on the firewall, and tried entering
various addresses as the WAN and LAN IPs. Whatever I do, I can't see out
of the internal network, even to ping something. Zyxel are no help, so
can anyone suggest what addresses I should be using, or what else I
could try just to get the basic internet access working - I'll sort out
the firewall later!

Why can't I just allocate one of my 'spare' static IPs to both LAN and
WAN ports, as the only thing that Demon check is hostname, login and
password which are all supplied by the router before anything reaches
the firewall?

Oh, yes, the ISP is Demon Internet (Thus), who supplied the router.



TIA for any help.
--
Jasper
 
Guest

On Thu, 29 Jul 2004 10:18:50 +0100, Alun Bell <Alun@justwise.com>
wrote:
>
>My company has just bought a Zywall 30w, which is plugged into a Cisco
>837 ADSL router (which is permanently on) through the WAN port, and then
>into a switch from the LAN port. All the addresses on the network are
>static on a range of 80.x.x.x with a subnet 255.255.255.192
>

Why would you want public IP addresses on your network? Your internal,
private network should be using private IP addresses.

>
>The router is set as the default gateway on 80.x.x.129 on all the PCs.
>

So, the LAN side of the router is configured to have 80.x.x.129 as IP
address, right?

>
>I've plugged the 30W in, set the encapsulation to Ethernet, turned the
>firewall off in SMT, turned off DHCP on the firewall, and tried entering
>various addresses as the WAN and LAN IPs.
>

Well, that's the wrong way to go about it. The zywall should go
between the router and your internal network. This network is usually
called the DMZ and should have public IP addresses.

>
>Whatever I do, I can't see out of the internal network, even to ping
>something. Zyxel are no help, so can anyone suggest what addresses
>I should be using, or what else I could try just to get the basic internet
>access working - I'll sort out the firewall later!
>

You should configure your internal machines to act as DHCP clients and
the ZyWALL as DHCP server. By default, the ZyWALL will assign
addresses in the range of 192.168.1.x with mask 255.255.255.0, if I'm
not mistaken.

>
>Why can't I just allocate one of my 'spare' static IPs to both LAN and
>WAN ports, as the only thing that Demon check is hostname, login and
>password which are all supplied by the router before anything reaches
>the firewall?
>

'Cause that's not the way the IP routing protocol works.
 
Guest

In message <1o5ig0hh6k1thopuotmhkgd200k9agrvit@4ax.com>, shopping.
nowthor. com <nospam@shopping.nowthor.com> writes
>On Thu, 29 Jul 2004 10:18:50 +0100, Alun Bell <Alun@justwise.com>
>wrote:
>>
>>My company has just bought a Zywall 30w, which is plugged into a Cisco
>>837 ADSL router (which is permanently on) through the WAN port, and then
>>into a switch from the LAN port. All the addresses on the network are
>>static on a range of 80.x.x.x with a subnet 255.255.255.192
>>
>
>Why would you want public IP addresses on your network? Your internal,
>private network should be using private IP addresses.
>

Because somebody else set up a ton of connections based on our public
IPs, plus the router and a VPN, and will throw a major tantrum if we
change anything on our internal network - it's not my choice here, I'm
just trying to get it to work!

>>
>>The router is set as the default gateway on 80.x.x.129 on all the PCs.
>>
>
>So, the LAN side of the router is configured to have 80.x.x.129 as IP
>address, right?
>

Correct.

>>
>>I've plugged the 30W in, set the encapsulation to Ethernet, turned the
>>firewall off in SMT, turned off DHCP on the firewall, and tried entering
>>various addresses as the WAN and LAN IPs.
>>
>
>Well, that's the wrong way to go about it. The zywall should go
>between the router and your internal network. This network is usually
>called the DMZ and should have public IP addresses.
>

It IS between the router and private network. I've set the router and
zywall to have two of public IPs and the same subnet (x.x.x.129 and
x.x.x.185, with 255.255.255.192 subnet)


>>
>>Whatever I do, I can't see out of the internal network, even to ping
>>something. Zyxel are no help, so can anyone suggest what addresses
>>I should be using, or what else I could try just to get the basic internet
>>access working - I'll sort out the firewall later!
>>
>
>You should configure your internal machines to act as DHCP clients and
>the ZyWALL as DHCP server. By default, the ZyWALL will assign
>addresses in the range of 192.168.1.x with mask 255.255.255.0, if I'm
>not mistaken.
>

See above comment - we CANNOT use DHCP internally, although that would
make life a lot easier for setting this up - ten minutes at best I would
think :) You're right about the DHCP address range of course.

>>
>>Why can't I just allocate one of my 'spare' static IPs to both LAN and
>>WAN ports, as the only thing that Demon check is hostname, login and
>>password which are all supplied by the router before anything reaches
>>the firewall?
>>
>
>'Cause that's not the way the IP routing protocol works.
>
>

I need to get this to work somehow, and I have a really difficult
political situation if I try to change anything else on the network, so
I think I'm stuffed here!

But many thanks for your comments, I appreciate it when technically
savvy people spend the time to answer queries.
--
Jasper
 
Guest

On Thu, 29 Jul 2004 16:51:48 +0100, Alun Bell <Alun@justwise.com>
wrote:
>
>>
>>Why would you want public IP addresses on your network? Your internal,
>>private network should be using private IP addresses.
>>
>
>Because somebody else set up a ton of connections based on our public
>IPs, plus the router and a VPN, and will throw a major tantrum if we
>change anything on our internal network - it's not my choice here, I'm
>just trying to get it to work!
>

Out of curiosity, what kind of connections? I still think renumbering
would be a better longer-term option.

>
>>Well, that's the wrong way to go about it. The zywall should go
>>between the router and your internal network. This network is usually
>>called the DMZ and should have public IP addresses.
>>
>
>It IS between the router and private network. I've set the router and
>zywall to have two of public IPs and the same subnet (x.x.x.129 and
>x.x.x.185, with 255.255.255.192 subnet)
>

If you want to use that range on your internal network, we cannot use
the same range on your internal network. You need to select two
different network ranges, one for your DMZ (which contains the LAN
side of the Cisco router and the WAN side of the ZyWALL) and another
for your internal LAN. If you really, REALLY, need to use the 80.x.x.x
on your internal network then you could use 172.16.x.x/255.255.255.0
on your DMZ. However, this is exactly the reverse of what OUGHT to be
done.

>
>>
>>'Cause that's not the way the IP routing protocol works.
>
>I need to get this to work somehow, and I have a really difficult
>political situation if I try to change anything else on the network, so
>I think I'm stuffed here!
>

If that's the case, convince people to do the right thing. Hacks
usually come back to bite people in the ass somewhere down the road.
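
The addressing rule argued over in this thread, as an added example that is not part of any post: a routing firewall needs a different network on each side, and the hosts behind it must use its LAN address as their gateway. The checker below is a sketch; `check_plan`, `pc1`, the 172.16.0.x host numbers, the documentation block 198.51.100.128 standing in for the redacted 80.x.x.x range, and the firewall LAN port taking over .129 are all assumptions.

```python
import ipaddress

MASK = "255.255.255.192"  # the /26 mask quoted in the thread

def check_plan(router_lan, fw_wan, fw_lan, hosts):
    """Return a list of problems in a router -> firewall -> LAN addressing plan.

    router_lan, fw_wan, fw_lan: "address/mask" for each interface.
    hosts: {name: ("address/mask", default_gateway)} for machines behind the firewall.
    """
    router = ipaddress.ip_interface(router_lan)
    wan = ipaddress.ip_interface(fw_wan)
    lan = ipaddress.ip_interface(fw_lan)
    problems = []

    # The firewall forwards by destination network, so its two sides
    # must be different, non-overlapping networks.
    if wan.network.overlaps(lan.network):
        problems.append(f"WAN {wan.network} overlaps LAN {lan.network}")
    if wan.ip == lan.ip:
        problems.append(f"{wan.ip} is assigned to both WAN and LAN ports")
    # The firewall's WAN side has to reach the router on-link.
    if router.ip not in wan.network:
        problems.append(f"router {router.ip} is not on WAN network {wan.network}")
    # Hosts must sit in the LAN network and point at the firewall, not the router.
    for name, (addr, gw) in hosts.items():
        host = ipaddress.ip_interface(addr)
        if host.ip not in lan.network:
            problems.append(f"{name} {host.ip} is outside LAN network {lan.network}")
        if ipaddress.ip_address(gw) != lan.ip:
            problems.append(f"{name} uses gateway {gw}, not firewall LAN {lan.ip}")
    return problems

# Constructed sample data. PCs keep their static address and gateway .129.
PCS = {"pc1": (f"198.51.100.140/{MASK}", "198.51.100.129")}

# Layout as attempted: router and firewall WAN share the /26 with the LAN.
AS_TRIED = check_plan(f"198.51.100.129/{MASK}", f"198.51.100.185/{MASK}",
                      f"198.51.100.186/{MASK}", PCS)

# Layout from the last reply: 172.16.x.x/255.255.255.0 between router and
# firewall, public range kept on the internal LAN.
SUGGESTED = check_plan("172.16.0.1/255.255.255.0", "172.16.0.2/255.255.255.0",
                       f"198.51.100.129/{MASK}", PCS)

if __name__ == "__main__":
    print("as tried:", AS_TRIED)
    print("suggested:", SUGGESTED)
```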
 
