transparent firewall and 4503 switch

Oct 4th, 2007

I have a connection coming in via Fiber with a block of ip addresses given to me. I need to have my PIX setup in transparent mode in order to use these addresses on my internal network and still filter traffic.

Is it possible to send the traffic out from the GBIC to the outside interface of my PIX in transparent mode and come back from the inside interface into my 4503, so all the traffic is then filtered on the same vlan?

Jon Marshall Thu, 10/04/2007 - 12:30

Hi

Hope I have understood correctly.

Presumably the fiber connects into the 4503 switch ?

If so you would

1) Create a layer 2 vlan without a L3 SVI on the 4503

2) Create another layer 2 vlan but give this a L3 SVI

3) Connect the outside of the firewall to the L2 vlan and the inside of the firewall to the L2 vlan with the L3 interface.

HTH

Jon

dlandriscinaclg Thu, 10/04/2007 - 12:44

Right now, due to my constraints (attempting to upgrade infrastructure on a running network), I'm stuck within a single vlan (vlan1). So I was planning on putting the fiber and outside interface on a separate vlan (vlan2) and the inside on vlan1, which the entire network is residing on.

I'm a little unclear on the SVI configs, please help for Vlan1 and Vlan2.

Jon Marshall Thu, 10/04/2007 - 12:49

Hi

Okay, that sounds fine. So if you do

"sh vlan" on the 4500 you should see vlan 1 and vlan 2. These are showing vlans at layer 2.

If you then do a

"sh ip int br" on the 4500 it should show you (amongst other things) any L3 interfaces for vlans eg you should see

vlan1 "ip address"

If you do, vlan 1 needs to be on the inside of your firewall.

You should not see

vlan2 "ip address"

If you do, you need to delete it, otherwise the 4500 will route between vlan 1 & 2, i.e. it won't go through your firewall.

If you do have a vlan 2 L3 interface, please ensure, if you are deleting it, that nothing is using it. By the sounds of what you say there shouldn't be.

HTH, please come back if not clear

Jon

dlandriscinaclg Thu, 10/04/2007 - 13:04

Thanks for your help, Jon. Unfortunately I am not at the switch until tomorrow, but if I got this right let me know?

vlan 1 - has an ip address

example:

Interface Vlan1, ip address 10.0.0.1 255.255.255.0

vlan 2 - add through vlan database but not assigned an interface or ip address.

example:

do not put:

Interface Vlan2

no ip address

shutdown

Gbic - switchport access vlan 2

interface to pix outside - switchport access vlan 2

interface to pix inside - leave on vlan1

And the 4503 will NOT route between vlan1 and 2 because vlan2 has no ip address or interface?
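Putting the two answers together, here is an added configuration example for both devices; it is not from either poster. It assumes Catalyst 4500 port names Gi1/1 (fiber GBIC), Gi1/2 (PIX outside) and Gi1/3 (PIX inside), the 10.0.0.0/24 addressing from the example above, and PIX 7.x transparent-mode syntax.

```cisco
! ===== Catalyst 4503 =====
! vlan 2 exists only at layer 2; it carries the untrusted side (fiber + PIX outside)
vlan 2
 name OUTSIDE-L2-ONLY
!
! vlan 1 keeps the one and only SVI, which sits on the inside of the firewall
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
! The setting to avoid: an SVI on vlan 2 lets the switch route around the PIX.
! If "show ip interface brief" ever lists Vlan2 with an address, remove it:
no interface Vlan2
!
interface GigabitEthernet1/1
 description fiber uplink (GBIC) - untrusted
 switchport mode access
 switchport access vlan 2
!
interface GigabitEthernet1/2
 description PIX outside
 switchport mode access
 switchport access vlan 2
!
interface GigabitEthernet1/3
 description PIX inside
 switchport mode access
 switchport access vlan 1
!
! Checks: "show vlan brief" lists vlan 1 and 2 with the ports above;
! "show ip interface brief | include Vlan" shows Vlan1 only, never Vlan2.
!
! ===== PIX (transparent mode) =====
firewall transparent
interface Ethernet0
 nameif outside
 security-level 0
 no shutdown
interface Ethernet1
 nameif inside
 security-level 100
 no shutdown
! management address of the bridge, in the same /24 as the inside hosts (assumed value)
ip address 10.0.0.2 255.255.255.0
! filtering still applies: only explicitly permitted outside->inside traffic passes
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.10 eq 443
access-group OUTSIDE_IN in interface outside
```

With no L3 interface on vlan 2, the only path from the fiber into the 10.0.0.0/24 hosts is through the PIX bridge, so every packet is subject to the outside access-list.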
