Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
590
Views
0
Helpful
3
Replies

Intervlan routing

antonios.skoulariotis
Level 1
Level 1

‎03-29-2010 01:28 PM - edited ‎03-06-2019 10:22 AM

I have the following architecture, and I would like to run in by you to see if you can help me.

One Firewall connected to a 3560 switch and that switch is connected to 4 devices/servers.

The firewall is also connected to the Internet router.  So VLANs 1, 2, 3, should be accessible by the internet.

Each server needs to get its own IP address from a separate VLAN  Hence 4 VLANs.

Server 1  = VLAN 1 ip address 192.168.1.1 255.255.255.0

Server 2  = VLAN 2 ip address 192.168.2.1 255.255.255.0

Server 3  = VLAN 3 ip address 192.168.3.1 255.255.255.0

Server 4  = VLAN 4 ip address 192.168.4.1 255.255.255.0

Now lets assume that server 1 is connected to Gig0/2 server 2 to Gig 0/3 server 3 to Gig 0/4 server 4 to Gig 0/5.

The switch is connected to the firewall using interface Gig0/1 trunk mode.

This is how I am thinking of implementing the configuration on the 3560 switch.

config t

interface Vlan1

name Server1-VLAN
ip address 192.168.1.1 255.255.255.0

interface Vlan2

name Server2-VLAN
ip address 192.168.2.1 255.255.255.0

interface Vlan3

name Server3-VLAN
ip address 192.168.3.1 255.255.255.0

interface Vlan4

name Server4-VLAN
ip address 192.168.4.1 255.255.255.0

int Gig0/1

switchport trunk allowed vlan 1-3          ==> Since VLAN 4 is not allowed to get traffic from the internet but needs to go out to the internet.

switchport trunk encapsulation dot1q

int Gig0/2

switchport mode access

switchport access vlan 1

int Gig0/3

switchport mode access

switchport access vlan 2

int Gig0/4

switchport mode access

switchport access vlan 3

int Gig0/5

switchport mode access

switchport access vlan 4

Now having said that this is my issue.  If I am VPNed into the firewall and having an internal IP address from VLAN 1  how can I access server 4 on VLAN 4 which is sitting behind port Gig0/5  Whay type of ACL I need to write to allow me to do this?

Also is I have an IP address from VLAN1 I would like to ping and RDP any device behind VLAN2 and VLAN3.

I would appreciate it if someone can help me out with this.

Am I forgetting something?

Labels:
Preview file
34 KB
0 Helpful
3 Replies 3

Jon Marshall
Hall of Fame
Hall of Fame

‎03-29-2010 02:22 PM

Antonius

Firstly if you want vlan 4 to be able to access the internet then you will have to allow it on the trunk or it won't be able to get to the ASA.

When you VPN in your usually use a separate subnet to any of the internal ones ie. not vlan 1 subnet as you propose but a new subnet that is not used internally.

To allow this subnet to access internal servers then you simply need to

1) set up static translations on the ASA firewalls for the servers

2) allow access via an access-list on the ASA for these servers

Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

0 Helpful

antonios.skoulariotis
Level 1
Level 1
In response to Jon Marshall

‎03-30-2010 06:00 AM

Jon thank you for your reply I really appreciate it.  You are correct at the beggining when SQL server sitting behind VLAN 4 needs to speak to the internet for updates patches, and authentication within MSFT.  So my trunk port will include all VLANs.  After i am done with that process I can easily change the trunk port to allow only the 3 VLANs.

Having said that, what types of extended ACLs do you usually see in order to secure such a server?  Can I only allow HTTPS connections?

If so could you please write me a sample of a command?

Lastly.  What are your comments on my sample code?  do you see an issue some place?  I would be more than happy to receive your input.

Thank you and have a great day.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to antonios.skoulariotis

‎03-30-2010 07:02 AM 

antonios.skoulariotis wrote:

Having said that, what types of extended ACLs do you usually see in order to secure such a server?  Can I only allow HTTPS connections?
If so could you please write me a sample of a command?
Lastly.  What are your comments on my sample code?  do you see an issue some place?  I would be more than happy to receive your input.
Thank you and have a great day.

Your config that you posted is fine other than allowing vlan 4 on the trunk which we have already configured.

You would use the ASA to restrict traffic to and from your servers. Are you familiar with configuring an ASA firewall ?

Jon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card