transparent firewall and 4503 switch

Oct 4th, 2007

I have a connection coming in via fiber with a block of IP addresses given to me. I need to have my PIX set up in transparent mode in order to use these addresses on my internal network and still filter traffic.

Is it possible to send the traffic out from the GBIC to the outside interface of my PIX in transparent mode and come back from the inside interface into my 4503, so all the traffic is then filtered on the same VLAN?

Jon Marshall Thu, 10/04/2007 - 12:30

Hi


Hope I have understood correctly.

Presumably the fiber connects into the 4503 switch?


If so you would:

1) Create a layer 2 VLAN without an L3 SVI on the 4503

2) Create another layer 2 VLAN but give this an L3 SVI

3) Connect the outside of the firewall to the L2 VLAN and the inside of the firewall to the L2 VLAN with the L3 interface.


HTH


Jon

dlandriscinaclg Thu, 10/04/2007 - 12:44
Right now, due to my constraints (attempting to upgrade infrastructure on a running network), I'm stuck within a single VLAN (vlan1). So I was planning on putting the fiber and outside interface on a separate VLAN (vlan2) and the inside on vlan1, which the entire network is residing on.

I'm a little unclear on the SVI configs; please help for Vlan1 and Vlan2.

Jon Marshall Thu, 10/04/2007 - 12:49

Hi


Okay, that sounds fine. So if you do

"sh vlan" on the 4500 you should see vlan 1 and vlan 2. These are showing VLANs at layer 2.

If you then do a

"sh ip int br" on the 4500 it should show you (amongst other things) any L3 interfaces for VLANs, e.g. you should see

vlan1 "ip address"

If you do, vlan 1 needs to be on the inside of your firewall.

You should not see

vlan2 "ip address"

If you do, you need to delete it; otherwise the 4500 will route between vlan 1 & 2, i.e. it won't go through your firewall.

If you do have a vlan 2 L3 interface, please ensure, if you are deleting it, that nothing is using it. By the sounds of what you say there shouldn't be.

HTH, please come back if not clear


Jon
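The check Jon describes (confirm both VLANs exist at layer 2, the inside VLAN has an SVI, the outside VLAN has none) can be run against captured "sh vlan" / "sh ip int br" output. The following script is an added example, not code from the thread or from Cisco; the show output it parses is constructed to illustrate the misconfiguration Jon warns about (an SVI on the outside VLAN), and the VLAN numbers, names and addresses are assumptions.

```python
"""Sanity-check a Catalyst switch for a transparent-firewall layout.

Rule from the thread: the firewall's outside VLAN must exist at layer 2 but
must have NO SVI; the inside VLAN carries the L3 SVI that hosts use as a
gateway. Any SVI on the outside VLAN lets the switch route around the PIX.

Added example; the captures below are constructed, not from a real switch.
"""
import re

# Constructed 'show vlan brief' capture (hypothetical 4503).
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/1, Gi1/2, Gi1/3
2    FW-OUTSIDE                       active    Gi1/4, Gi1/5
"""

# Constructed 'show ip interface brief' capture showing the bad case:
# Vlan2 (the outside VLAN) has been given an IP address.
SHOW_IP_INT_BRIEF_BAD = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  10.0.0.1        YES manual up                    up
Vlan2                  192.0.2.1       YES manual up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
"""

# Same capture after 'no interface Vlan2' on the switch.
SHOW_IP_INT_BRIEF_GOOD = "\n".join(
    line for line in SHOW_IP_INT_BRIEF_BAD.splitlines()
    if not line.startswith("Vlan2")
) + "\n"


def parse_vlans(text):
    """Return the set of active VLAN ids listed by 'show vlan brief'."""
    ids = set()
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+\S+\s+active\b", line)
        if m:
            ids.add(int(m.group(1)))
    return ids


def parse_svis(text):
    """Return {vlan_id: ip_or_None} for every VlanN line in 'show ip interface brief'.

    'unassigned' is mapped to None so callers can tell an addressed SVI from
    a shut/unaddressed one (both are still SVIs and both get flagged).
    """
    svis = {}
    for line in text.splitlines():
        m = re.match(r"^Vlan(\d+)\s+(\S+)\s+", line)
        if m:
            ip = m.group(2)
            svis[int(m.group(1))] = None if ip == "unassigned" else ip
    return svis


def check_transparent_layout(vlan_text, ip_text, inside_vlan, outside_vlan):
    """Return a list of findings; an empty list means the layout matches the advice."""
    vlans = parse_vlans(vlan_text)
    svis = parse_svis(ip_text)
    findings = []
    for vid in (inside_vlan, outside_vlan):
        if vid not in vlans:
            findings.append(f"VLAN {vid} is not defined at layer 2 (check 'sh vlan')")
    if outside_vlan in svis:
        addr = svis[outside_vlan] or "no address"
        findings.append(
            f"Vlan{outside_vlan} SVI exists ({addr}): the switch can route "
            f"between VLANs {inside_vlan} and {outside_vlan} and bypass the "
            f"firewall; remove it with 'no interface Vlan{outside_vlan}'"
        )
    if svis.get(inside_vlan) is None:
        findings.append(
            f"Vlan{inside_vlan} has no IP address; inside hosts need this SVI as their gateway"
        )
    return findings


if __name__ == "__main__":
    for label, capture in (("bad", SHOW_IP_INT_BRIEF_BAD), ("good", SHOW_IP_INT_BRIEF_GOOD)):
        result = check_transparent_layout(SHOW_VLAN_BRIEF, capture, inside_vlan=1, outside_vlan=2)
        print(f"{label}: {result or 'OK'}")
```

Feed it the real captures (pasted into the two strings or read from files) and it reports exactly the condition to fix before moving the outside interface onto the new VLAN.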

dlandriscinaclg Thu, 10/04/2007 - 13:04
Thanks for your help, Jon. Unfortunately I am not at the switch until tomorrow, but let me know if I got this right?


vlan 1 - has an IP address

example:

Interface Vlan1, ip address 10.0.0.1 255.255.255.0

vlan 2 - add through vlan database but not assigned an interface or IP address.

example: do not put:

Interface Vlan2

no ip address

shutdown

GBIC - switchport access vlan 2

interface to PIX outside - switchport access vlan 2

interface to PIX inside - leave on vlan1

and the 4503 will NOT route between vlan1 and 2 because vlan2 has no IP address or interface?

Jon Marshall Thu, 10/04/2007 - 21:25

Yes, you have understood it perfectly.


Let me know how you get on.


Jon
