05-23-2007 09:59 PM - edited 03-05-2019 04:15 PM
Hi
I'm going to put a switch in our DMZ, so all it does is allow switching within the DMZ. It isn't going to have any direct links into the internal network. Now I've hit a snag in this plan.
Basically the DMZ has public IP addresses and is in VLANs 130, 131 and 132. My question is, if I create an interface for VLAN 130 on the switch and then give it an IP address, it's going to need a public IP address for me to be able to reach it from my internal VLAN. BTW the DMZ and internal zones are separated via a PIX 515E firewall.
My question is, if I give the VLAN 130 interface a private IP, e.g. 192.168.2.1, will I still be able to reach it if, say, I put a route on the firewall to say 192.168.2.0 lies on the interface which has VLAN 130?
I hope this describes the situation in a clear way. Any further question please just ask.
The switch is a 3560-G series switch.
Thanks in advance
Dan
05-23-2007 10:10 PM
Dan,
You don't need a public IP on these switches to manage them from your internal VLANs. You have to either use static NAT from the inside interface to the DMZ interface for the 192.168.2.0 IP range, or do a self static for the same IP range on the PIX DMZ interface. You have to use ACLs and routes on the PIX to allow the traffic from the DMZ to the inside VLANs and you should be able to get access to the switch.
HTH, please rate if it does.
-amit singh
05-23-2007 11:53 PM
Hi
Thanks for your reply. It seems to have helped focus me. My internal VLAN has the 10.0.0.0/8 range, while the new IPs I want to use on the switch are 192.168.2.1 and 192.168.2.2 on VLAN 130.
Any chance you could please give me an example of the static command I need to use?
Many Thanks
Dan
05-23-2007 11:40 PM
Hi Dan, it's a bit unclear what you mean by "Basically the DMZ has public ip addresses and are in VLAN 130,131,132".
Do you have 3 separate DMZ interfaces on your PIX firewall then?
Amit is right in that you don't need to use a public IP address. You could use a private address, but you would need to add an interface on your PIX in that same subnet range to be able to access it, if that makes sense.
If you can't do this then yes, you will need a public IP address on the switch interface.
HTH
Jon
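As an added illustration of what Amit and Jon describe (a self static plus a PIX interface in the private subnet), not configuration from either poster: this assumes PIX 7.x syntax, that the DMZ link is an 802.1Q trunk on Ethernet2, and a hypothetical management VLAN 133 holding the switch's private SVI so the public DMZ VLANs keep a single address space.

```cisco
! ===== 3560 side (switching only, no ip routing) =====
! Management SVI in its own VLAN; 192.168.2.254 is the PIX subinterface
! address assumed below.
interface Vlan133
 description DMZ switch management (private)
 ip address 192.168.2.1 255.255.255.0
ip default-gateway 192.168.2.254
! Restrict management sessions to the internal 10.0.0.0/8 range
ip access-list standard MGMT-ONLY
 permit 10.0.0.0 0.255.255.255
 deny   any log
line vty 0 15
 access-class MGMT-ONLY in
 transport input ssh

! ===== PIX side =====
! Subinterface in the same subnet, so the PIX is directly connected to
! the switch and needs no extra route for 192.168.2.0/24.
interface Ethernet2.133
 vlan 133
 nameif dmzmgmt
 security-level 20
 ip address 192.168.2.254 255.255.255.0
! Identity ("self") static: inside hosts keep their 10.x addresses when
! talking to the management subnet. Needed when nat-control is on,
! harmless otherwise.
static (inside,dmzmgmt) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
! inside (100) -> dmzmgmt (20) is permitted by security level and the
! replies are matched statefully; dmzmgmt cannot initiate to inside
! unless an ACL is applied to it, so add none.
```

Traffic to the switch's public-VLAN hosts is unaffected because the management address lives only on VLAN 133; verify reachability with `ping 192.168.2.1` from the PIX before testing SSH from the inside.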