LAN design help and question

Eric Boadu
Level 1

I have been instructed to put a firewall in front of servers that are connected to a LAN switch. I do not manage this switch; it is managed by another team. All four servers are connected to separate VLANs on the switch at 1Gig speed. Server A: 10.10.5.x. Server B: 10.10.10.x. Server C: 10.10.15.x. Server D: 10.10.20.x

Has anyone configured this scenario before?

I don't see how I can make this work by putting a firewall in between.

Current design:

ISP router/firewall>>>LAN switch>>>Servers. This looks fine to me.

Proposed requirement:

ISP router/firewall>>LAN switch>>firewall>>>switch>>>Servers.

How can I make this work? Please, this is not a joke and I need your advice.

I don’t think it is possible.

Thanks,

Eric

11 Replies

manish arora
Level 6

What kind of firewall is it? Is it a Cisco ASA 5500 series (mention the model please)?

Yes, Cisco 5520, and I cannot change the IP addresses assigned to the servers. I have to incorporate them into the firewall design.

thx,

Eric

You can configure this firewall as a transparent firewall. If you are going to use it as a non-transparent firewall, I would need to see the network diagram with IPs. But for sure! There isn't a term called "not possible". Now, I do not understand the part when you say isp>>switch>>firewall>>switch>>server!!

Please elaborate more on this. Are there two switches? Where are you doing routing or NATing?

Sorry, I did not read the whole of your reply. But in case you cannot change a lot of things, then please configure the firewall as a transparent firewall. Read on how you can configure a transparent ASA on cisco.com.

Thanks Anisharora, and I will look into the transparent level for possible solutions.

4 to 12 servers are part of the campus LAN switch. We manage 8 servers and want to put a firewall between them and connect the servers to a 3750 switch. Example: campus LAN switch Cisco 6500 with 4 VLAN segments. campus switch>>>firewall 5520>>Cisco 3750 switch>>servers.

Thanks

All right! Here is how it should be done (hopefully). You can create a trunk link from the 6509 (carrying all of your needed VLANs) and have it connect to the firewall's outside interface (create multiple subinterfaces on this firewall interface to handle all the VLANs: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html). Create another interface, inside, with the same multiple subinterfaces and then trunk it to the 3500 series switch. You can then configure the firewall yourself using the inside and outside interface access-lists.

Let me know if this doesn't sound right to you.

Get more help on the forums by searching "how to create trunk port with ASA 5520".

Thanks

Manish

Thank you Anisharora. This is exactly what I was looking for. I will test this in the lab before putting it into production. This also includes failover, so I have a lot of work and config to do. I will confirm once I have successfully tested it in the work lab. Thanks as always!

Hi, are you referring to transparent firewall mode or routed mode? Please advise; I cannot apply the same IP address on the inside interface. Any advice?

Mohamed Sobair
Level 7

Hi,

Although it is a kind of strange design, it should be workable using the following approaches:

1- Using the 1st firewall as a transparent firewall for the servers inside.

2- Using both firewalls without the transparent firewalling feature.

Applying the first Scenario:

Create multiple VLANs on the server farm switch (the servers' VLANs), trunk them out towards the firewall, create similar VLANs on the upstream switch, and trunk them to the second firewall (the perimeter firewall behind the ISP router). This firewall is now actually the gateway for all servers. Configure the necessary firewall rules/NAT, access-lists and policies and forward traffic towards the upstream (gateway router).

Applying the second Scenario:

Create multiple VLANs on the server farm switch, trunk them to the 1st firewall, and configure the necessary subinterfaces or VLAN interfaces on the firewalls for those VLANs with all necessary security rules and levels. Create a second VLAN (access VLAN) for the firewall outside interface connecting with the (perimeter Internet router) on the same VLAN, and forward the traffic normally.

In both cases, you will need to make sure the firewall is allowing traffic back by checking filters, access-lists and NAT.

HTH

Mohamed
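The routed-mode design in the accepted answer (one subinterface per VLAN on the outside and inside interfaces) needs a different IP subnet on each side of the firewall, which is exactly the problem Eric runs into when he cannot renumber the servers. Mohamed's first scenario, a transparent firewall per server VLAN, keeps the servers' existing addresses and gateway. The following ASA configuration is an added example illustrating that scenario; it is not from any poster in this thread. It assumes ASA 8.4 or later (bridge groups in transparent mode), that GigabitEthernet0/0 is the trunk to the 6509 and GigabitEthernet0/1 the trunk to the 3750, that the VLAN IDs 5 and 10 match the servers' third octet (constructed, not from the thread), that 10.10.5.254 and 10.10.10.254 are unused addresses, and that the published server addresses and ports are placeholders.

```text
! Added example, not from any poster in this thread.
! Assumptions: ASA 8.4+ (transparent mode with bridge groups),
! Gi0/0 = trunk from the 6509 (outside), Gi0/1 = trunk to the 3750 (inside),
! VLAN IDs 5 and 10 constructed to match the server subnets,
! .254 addresses assumed free, server hosts and ports are placeholders.
firewall transparent
!
interface GigabitEthernet0/0
 description 802.1Q trunk from the campus 6509 (outside side)
 no nameif
 no security-level
 no shutdown
!
interface GigabitEthernet0/1
 description 802.1Q trunk to the 3750 server switch (inside side)
 no nameif
 no security-level
 no shutdown
!
! Server A (10.10.5.x): same VLAN tag on both sides, joined by bridge-group 1.
interface GigabitEthernet0/0.5
 vlan 5
 bridge-group 1
 nameif outside-a
 security-level 0
!
interface GigabitEthernet0/1.5
 vlan 5
 bridge-group 1
 nameif inside-a
 security-level 100
!
interface BVI1
 description Management address in the server A subnet; servers keep their
 description existing 10.10.5.x addresses and their existing default gateway.
 ip address 10.10.5.254 255.255.255.0
!
! Server B (10.10.10.x): repeat the pattern with bridge-group 2.
interface GigabitEthernet0/0.10
 vlan 10
 bridge-group 2
 nameif outside-b
 security-level 0
!
interface GigabitEthernet0/1.10
 vlan 10
 bridge-group 2
 nameif inside-b
 security-level 100
!
interface BVI2
 ip address 10.10.10.254 255.255.255.0
!
! Inbound policy per VLAN. Traffic from the low-security (campus) side is
! denied by default, so list only the published services and log the rest.
access-list OUTSIDE_A_IN extended permit tcp any host 10.10.5.10 eq 443
access-list OUTSIDE_A_IN extended deny ip any any log
access-group OUTSIDE_A_IN in interface outside-a
!
access-list OUTSIDE_B_IN extended permit tcp any host 10.10.10.10 eq 1433
access-list OUTSIDE_B_IN extended deny ip any any log
access-group OUTSIDE_B_IN in interface outside-b
```

Two points worth checking before taking this into the lab. First, the bridge group joins the two subinterfaces regardless of tag, so if the inside switch has to use a different VLAN number than the 6509, only the `vlan` line on the inside subinterface changes. Second, the ASA 7.2 guide linked in the accepted answer covers a release in which transparent mode allows a single inside/outside pair per context; supporting four server VLANs on that release means one security context per VLAN, whereas the bridge-group form above is the 8.4+ equivalent. In either case, ARP passes through a transparent firewall by default but other non-IP protocols do not unless an EtherType access-list permits them, which is the first thing to look at if servers stop seeing their gateway after cut-over.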

Thank you Mohamed, I will go with the 802.1Q design then.

Transparent firewall mode level. I will include failover, another inside private VLAN and an additional connection that will be used for remote access. Transparent cannot support all this unless there is another way of configuring it. Yes, this is a very strange request.
