default gateway on switch

Answered Question
Jan 10th, 2008

Hi,

Is the default gateway on a switch the outside interface of firewall or the Ethernet interface on the router, which connects to the outside int of the firewall?

Jon Marshall Thu, 01/10/2008 - 13:34

Just to clarify, you are talking about a switch that is on the outside of the PIX firewall that connects the PIX and the Internet router?


If so, I would make the firewall the default-gateway. Reason for this is that it makes it more difficult for anyone to try and connect to the switch from the Internet. If the switch had a default-gateway pointing to the Internet router then potentially someone could connect to the switch from the Internet.


As a further point - a lot of people advise making the switch on the outside of the firewall unmanaged, i.e. it has no IP address and default-gateway, for security reasons.


If you do need to manage it, lock access to it down from an address inside your network.


HTH


Jon

saidfrh Thu, 01/10/2008 - 13:59

Jon,

The Cisco Cat 2950 switch is connected to one of seven inside ports of an ASA5505 firewall. There is only one VLAN on the switch and firewall. So is the switch's default gateway the ASA5505's outside interface, public IP address?

Thanks.

Said

Jon Marshall Thu, 01/10/2008 - 14:11

Need to be careful here as the wrong advice may be a security problem for you.


You have a switch that is connected to one of the inside ports on the ASA.


Where is the router in relation to the ASA and the switch, and what does the router do?


Jon

saidfrh Thu, 01/10/2008 - 14:22

Jon,

The perimeter router's Eth int is connected to the ASA's 0 interface/Public IP.

ISP router>perimeter router>ASA>switch. At a later date the MPLS router will connect to the switch.

Correct Answer
Jon Marshall Thu, 01/10/2008 - 14:26

Default-gateway of switch should be the ip address of the inside interface on the ASA that the switch connects into.


You cannot make it the outside interface of the ASA because the IP address of the ASA outside interface would not be in the same subnet as the switch IP address.


Jon
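An added configuration example, not from the thread, showing the two points Jon makes above on a Catalyst 2950 connected to an ASA 5505 inside port: the default gateway is the ASA inside address in the switch's own subnet, and management access is locked down to inside addresses. The addressing (192.168.1.0/24, ASA inside at 192.168.1.1, switch at 192.168.1.10) is constructed for illustration.

```cisco
! Catalyst 2950 (IOS) - constructed addressing, single VLAN as in the thread.
! The 2950 is a layer-2 switch: it forwards no routed traffic, so
! "ip default-gateway" only affects traffic the switch itself originates
! (management sessions, syslog, NTP). It does not route user traffic.
!
interface Vlan1
 description Management - same subnet as the ASA 5505 inside interface
 ip address 192.168.1.10 255.255.255.0
!
! Gateway must be on-subnet with the switch address, so it is the ASA
! inside interface. The ASA outside/public IP is in a different subnet
! and would never be reachable as a gateway from here.
ip default-gateway 192.168.1.1
!
! Management lock-down: only inside hosts may open a vty session.
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 15
 access-class 10 in
 ! SSH only; requires the cryptographic IOS image on the 2950.
 transport input ssh
!
! Verify the gateway took effect:
!   show running-config | include default-gateway
```

If management of the switch is not needed at all, Jon's alternative still applies: leave Vlan1 with no IP address and no default-gateway.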

saidfrh Thu, 01/10/2008 - 19:11

Jon,

You had mentioned redirecting packets from a switch to the ASA firewall, and back to a port on the switch connecting to a MPLS router. You called it "hairpinning". Do you have the correct statement for configuring static routes in the ASA firewall to redirect packets to the port in the switch that links to the MPLS router?

Thanks.

Said
