1 IPS between 2 Firewalls and 2 DMZ Switches

ABDUL MAJID KHAN · ‎05-15-2009

Dear All,

I connected one IPS (4240) inline between 2 Firewalls and 2 DMZ switches as following;

FW1 e1---IPS 0/1, FW2 e1---IPS 0/3,

DMZ1 Switch1 fa0/1---IPS 0/0, DMZ2 Switch2 fa0/1---IPS 0/2.

I made 2 Pairs;

PAIR 1: Gig 0/0,0/1, PAIR 2: Gig 0/2,0/3.

I assigned both Pairs to VS0.

On the Switches i configured the Interfaces Fa0/1 as trunk. But at the Firewall end i havnt' change the existing configuration.

The configuration seems to be correct, but still i can't access dmz services from user. Also from the FW can't ping DMZ and DMZ can't ping FW.

IPS CANNOT PING FW AS WELL AS DMZ SWITCH.

I even unchecked all the actions that may drop the Packets..

The firewall is old Pix 525 (not sure exactly), so does the type of cable b/w FW and IPS matter as well?

Kindly suggest. I need to provide solution soon...

rhermes · ‎05-15-2009

I hope these are not reduntant firewalls, otherwise you've added a single point of failure to your network.

I think your problem is that you made your switch interfaces a trunk, but no other interfaces on the IPS or Firewall are set to trunk.

The physical in-line pair you created will pass VLAN tags intact. but if your firewall isn;t configured to trunk, you're sunk.

ABDUL MAJID KHAN · ‎05-17-2009

Firewalls are redundant and this is the only availible option with me to have single point of failure.

Kindly tell me the solution. The scenario is that i have to connect this IPS (4240) between 2 firewalls and 2 DMZ switches.

Should i configure the interfaces on DMZ switches as access port or trunk ports.

Also the Firewalls are old firewalls, do i need to connect them to the IPS through cross-over cable.