03-29-2010 01:28 PM - edited 03-06-2019 10:22 AM
I have the following architecture, and I would like to run it by you to see if you can help me.
One Firewall connected to a 3560 switch and that switch is connected to 4 devices/servers.
The firewall is also connected to the Internet router. So VLANs 1, 2, 3, should be accessible by the internet.
Each server needs to get its own IP address from a separate VLAN, hence 4 VLANs.
Server 1 = VLAN 1 ip address 192.168.1.1 255.255.255.0
Server 2 = VLAN 2 ip address 192.168.2.1 255.255.255.0
Server 3 = VLAN 3 ip address 192.168.3.1 255.255.255.0
Server 4 = VLAN 4 ip address 192.168.4.1 255.255.255.0
Now let's assume that server 1 is connected to Gig0/2, server 2 to Gig0/3, server 3 to Gig0/4 and server 4 to Gig0/5.
The switch is connected to the firewall using interface Gig0/1 trunk mode.
This is how I am thinking of implementing the configuration on the 3560 switch.
config t
interface Vlan1
 description Server1-VLAN
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 description Server2-VLAN
 ip address 192.168.2.1 255.255.255.0
interface Vlan3
 description Server3-VLAN
 ip address 192.168.3.1 255.255.255.0
interface Vlan4
 description Server4-VLAN
 ip address 192.168.4.1 255.255.255.0
interface GigabitEthernet0/1
 ! trunk to the firewall; encapsulation must be set before the port can be placed in trunk mode on a 3560
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! VLAN 4 is left off the trunk since it is not allowed to get traffic from the internet but needs to go out to the internet
 switchport trunk allowed vlan 1-3
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 1
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 2
interface GigabitEthernet0/4
 switchport mode access
 switchport access vlan 3
interface GigabitEthernet0/5
 switchport mode access
 switchport access vlan 4
Now, having said that, this is my issue. If I am VPNed into the firewall and have an internal IP address from VLAN 1, how can I access server 4 on VLAN 4, which is sitting behind port Gig0/5? What type of ACL do I need to write to allow me to do this?
Also, if I have an IP address from VLAN 1, I would like to ping and RDP to any device behind VLAN 2 and VLAN 3.
I would appreciate it if someone can help me out with this.
Am I forgetting something?
03-29-2010 02:22 PM
Antonius
Firstly if you want vlan 4 to be able to access the internet then you will have to allow it on the trunk or it won't be able to get to the ASA.
When you VPN in you usually use a separate subnet to any of the internal ones, i.e. not the VLAN 1 subnet as you propose but a new subnet that is not used internally.
To allow this subnet to access internal servers then you simply need to
1) set up static translations on the ASA firewalls for the servers
2) allow access via an access-list on the ASA for these servers
Jon
Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
03-30-2010 06:00 AM
Jon, thank you for your reply, I really appreciate it. You are correct: at the beginning, when the SQL server sitting behind VLAN 4 needs to speak to the internet for updates, patches, and authentication within MSFT, my trunk port will include all VLANs. After I am done with that process I can easily change the trunk port to allow only the 3 VLANs.
Having said that, what types of extended ACLs do you usually see in order to secure such a server? Can I only allow HTTPS connections?
If so could you please write me a sample of a command?
Lastly, what are your comments on my sample code? Do you see an issue some place? I would be more than happy to receive your input.
Thank you and have a great day.
03-30-2010 07:02 AM
antonios.skoulariotis wrote:
Having said that, what types of extended ACLs do you usually see in order to secure such a server? Can I only allow HTTPS connections?
If so could you please write me a sample of a command?
Lastly, what are your comments on my sample code? Do you see an issue some place? I would be more than happy to receive your input.
Thank you and have a great day.
Your config that you posted is fine, other than allowing vlan 4 on the trunk, which we have already configured.
You would use the ASA to restrict traffic to and from your servers. Are you familiar with configuring an ASA firewall?
Jon
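As an added example (not posted by Jon or Antonios), here is what the two ASA steps Jon lists, plus the "HTTPS only to the SQL server" restriction asked about above, could look like in ASA 8.2-era syntax. Assumed, not from the thread: the server VLANs sit behind the ASA interface named inside, the VPN clients draw from a hypothetical pool 192.168.100.0/24, and the group policy name VPN-USERS is made up.

```cisco
! Added example, not from the thread. Assumptions: ASA 8.2 syntax, server VLANs behind
! the interface named "inside", hypothetical VPN pool 192.168.100.0/24 and policy VPN-USERS.
!
! VPN clients get a dedicated subnet rather than an address from VLAN 1
ip local pool VPN-POOL 192.168.100.10-192.168.100.100 mask 255.255.255.0
!
! Step 1: translations for the servers. For VPN users the usual form is NAT exemption,
! so the servers are reached on their real 192.168.x.0/24 addresses (192.168.0.0/21 covers VLANs 1-4)
access-list NO-NAT extended permit ip 192.168.0.0 255.255.248.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
!
! Step 2: restrict what the VPN pool may reach. Written with the VPN client as the source,
! which is how a vpn-filter ACL is evaluated for remote-access users.
! SQL server on VLAN 4: HTTPS only
access-list VPN-IN extended permit tcp 192.168.100.0 255.255.255.0 192.168.4.0 255.255.255.0 eq 443
! VLAN 2 and VLAN 3: ping and RDP only
access-list VPN-IN extended permit icmp 192.168.100.0 255.255.255.0 192.168.2.0 255.255.255.0 echo
access-list VPN-IN extended permit icmp 192.168.100.0 255.255.255.0 192.168.3.0 255.255.255.0 echo
access-list VPN-IN extended permit tcp 192.168.100.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 3389
access-list VPN-IN extended permit tcp 192.168.100.0 255.255.255.0 192.168.3.0 255.255.255.0 eq 3389
! everything else from the VPN pool is dropped and logged, so unexpected attempts show up in syslog
access-list VPN-IN extended deny ip any any log
!
! Tie the pool and the filter to the VPN users' group policy
group-policy VPN-USERS internal
group-policy VPN-USERS attributes
 address-pools value VPN-POOL
 vpn-filter value VPN-IN
```

Because the ASA bypasses interface ACLs for VPN traffic by default (sysopt connection permit-vpn), the vpn-filter is what actually enforces the restriction; check it with show access-list VPN-IN and watch the hit counts while testing each rule.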