altheb_5@hotmail.com Mon, 07/12/2010 - 03:43

Yes, it's possible if you have an L3 switch before the firewall.

So tell me how many VLANs you need to create and which L3 switch model you have,

and I will provide you all the configuration.

Ganesh Hariharan Mon, 07/12/2010 - 04:12

Hi All,


Is it possible that the firewall will be your gateway but you have inter-VLAN routing as well?

How will I configure the L3 switch for that situation?

Hi,


If you are doing inter-VLAN routing first and then the firewall comes into the picture, the better recommendation is to have the gateway be the SVI of the VLAN configured on the switch. If you want the firewall to be the gateway for the users, make the firewall ports members of those VLANs and then configure the gateway for each user in the VLAN to be the firewall.


http://cisco.biz/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml


Hope to Help !!


Ganesh.H


Remember to rate the helpful post

nelba_aldovino Mon, 07/12/2010 - 17:34

Hi All,


But in my situation the firewall is first, before the L3 switch.

Is it possible that the firewall will be the gateway for that situation?

My L3 switch will be the Cisco Catalyst 3750.

Nagaraja Thanthry Mon, 07/12/2010 - 17:45

Hello,


If the firewall is connected to the internet and you want all the internet traffic to reach the firewall, the better way is to configure the switch as the default gateway and, on the switch, configure the firewall as the default gateway. But if the firewall is sitting right in between the VLANs, i.e. one interface of the firewall is in one VLAN and the other on the second VLAN, and you would like all traffic between those VLANs to go through the firewall, then turn off the layer 3 interface for one of the VLANs and make the firewall the default gateway for that VLAN.


Hope this helps.


Regards,


NT

nelba_aldovino Mon, 07/12/2010 - 17:56

How will I do that?

My firewall will be connected to the internet.

Your first lines fit what I am planning to make.

See below for your reference.

Nagaraja Thanthry Mon, 07/12/2010 - 18:08

Hello,


In your case, making the L3 switch the default gateway for all VLANs will be the best way. In this way, all traffic destined to the local LAN will be handled by the switch and only the internet traffic will go to the firewall. If you want other VLANs also to access the internet, you can do that with this implementation. Make sure that the default gateway on the switch is pointing to the firewall.


ip route 0.0.0.0 0.0.0.0


If you want VLAN 3 and VLAN 4 to access the internet via the firewall, then on the firewall, have static routes configured for those subnets.


route inside

route inside


Hope this helps.


Regards,


NT

nelba_aldovino Mon, 07/12/2010 - 18:20

Hi Nagaraja Thanthry,


Can you give me an example of how I will get VLAN 3 and VLAN 4 to access the internet via the firewall?

for example:


vlan 2 ip = 192.168.1.1/24

vlan 3 ip = 192.168.2.1/24

vlan 4 ip = 192.168.3.1/24


So I will do these commands on my firewall:

for VLAN 3:


route inside 255.255.255.0 192.168.1.1


for VLAN 4:


route inside 255.255.255.0 192.168.1.1


Am I right?


Thank you!

Ganesh Hariharan Mon, 07/12/2010 - 23:15

Hi,


Create a NAT rule in the firewall for the VLAN subnet and then try to access the internet from the specified VLANs.


https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#s11


Hope to Help !!


Ganesh.H


Remember to rate the helpful post

altheb_5@hotmail.com Mon, 07/12/2010 - 23:29

Hi

It's very easy.


L3 configuration:

ip routing

inter vlan 2

ip address 192.168.1.1 255.255.255.0

ip helper-address { DHCP ip address } if you use DHCP

inter vlan 3

ip address 192.168.2.1 255.255.255.0

ip helper-address { DHCP ip address } if you use DHCP

inter vlan 4

ip address 192.168.3.1 255.255.255.0

ip helper-address { DHCP ip address } if you use DHCP

ip route 0.0.0.0 0.0.0.0 { Firewall IP address }

Do a trunk between any two switches.

Now all VLANs can communicate with each other and the internet works fine.

The default gateway for users is the same IP as the VLAN interface on the L3 switch.

The default route means any packet with a known destination (internet) will be sent to the firewall.

nelba_aldovino Tue, 07/13/2010 - 01:15

What if not all members of that VLAN will be given an internet connection?

Only chosen people will be given a connection to the net.

Will it be possible?

And not all VLANs are required to communicate with each other.

Here is the situation to clarify my problem.

The Catalyst 3750 consists of ACLs and inter-VLAN routing.

What if I want one of the PCs in VLAN 3 to have an internet connection and the rest will not have a net connection?

How will I configure it?



altheb_5@hotmail.com Tue, 07/13/2010 - 01:42

Give me a reason to use ACLs in the core switch?

And the routing between VLANs: if you enable IP routing it will do it for all; is that not required for you?

About internet from the firewall, you can control who can access the internet (what firewall do you use?)


nelba_aldovino Tue, 07/13/2010 - 17:57

We need ACLs because it is not required that all VLANs should see each other.

But all VLANs should see the servers, or VLAN 2 in the figure.

And VLAN 2 should see all the VLANs (VLAN 3 and 4).

VLAN 3 and 4 should not see each other.

Only selected users in VLAN 3 and 4 will be given access to the net.


Our firewall is an ASA 5510.

Nagaraja Thanthry Tue, 07/13/2010 - 18:11

Hello,


In that case, you need to play around with the access-lists:


On the firewall:


route inside 192.168.2.0 255.255.255.0 192.168.2.1

route inside 192.168.3.0 255.255.255.0 192.168.2.1


global (outside) 1 interface


nat (inside) 1 192.168.2.0 255.255.255.0

nat (inside) 1 192.168.3.0 255.255.255.0


On the Switch:


ip routing

ip route 0.0.0.0 0.0.0.0 192.168.1.2 (Firewall's IP)


access-list 103 permit ip host

ip access-group 103 in

exit


Hope this helps.


Regards,


NT

Nagaraja Thanthry Tue, 07/13/2010 - 07:15

Hello,


In order to allow certain hosts from VLAN 3/4 to access the internet via the firewall, please try the following configuration:


On the firewall:


route inside 192.168.3.0 255.255.255.0 192.168.2.1

route inside 192.168.4.0 255.255.255.0 192.168.2.1


global (outside) 1 interface

nat (inside) 1 192.168.3.0 255.255.255.0

nat (inside) 1 192.168.4.0 255.255.255.0


On the Switch:


ip routing

ip route 0.0.0.0 0.0.0.0 192.168.2.2 (Firewall's IP)


access-list 103 permit ip host any

access-list 103 permit ip host any

access-list 103 permit ip any 192.168.0.0 0.0.255.255

access-list 103 deny ip any any


access-list 104 permit ip host any

access-list 104 permit ip host any

access-list 104 permit ip any 192.168.0.0 0.0.255.255

access-list 104 deny ip any any


interface VLAN 3

ip access-group 103 in

exit


interface VLAN 4

ip access-group 104 in

exit


In the above example, the firewall is allowing only certain hosts (IP1, IP2) to access the internet and everybody else is blocked from internet access. You can add additional lines as necessary.


Hope this helps.


Regards,


NT
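An added example, not from the thread, that models how IOS evaluates the wildcard-mask ACLs in the post above. It uses the addressing the questioner gave earlier (VLAN 2 = 192.168.1.0/24, VLAN 3 = 192.168.2.0/24, VLAN 4 = 192.168.3.0/24) and constructed host addresses where the post elided IP1 and IP2. It shows that the "permit ip any 192.168.0.0 0.0.255.255" entry also lets VLAN 3 reach VLAN 4, and puts a tightened ACL beside it that only opens the VLAN 2 server subnet.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 0 bit must match the network, a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return a & care == n & care

def evaluate(acl, src, dst):
    """First matching entry wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
def host(ip):            # 'host X' is shorthand for wildcard 0.0.0.0
    return (ip, "0.0.0.0")
def net(prefix):         # network + wildcard from CIDR, e.g. 192.168.0.0/16
    n = ipaddress.IPv4Network(prefix)
    return (str(n.network_address), str(n.hostmask))

# ACL 103 as posted, with constructed hosts where the post elided IP1/IP2.
# Applied 'in' on interface Vlan3, so it filters packets sourced from VLAN 3.
ACL_103 = [
    ("permit",) + host("192.168.2.10") + ANY,
    ("permit",) + host("192.168.2.11") + ANY,
    ("permit",) + ANY + net("192.168.0.0/16"),
    ("deny",) + ANY + ANY,
]

# Tightened version: same selected hosts, then only the VLAN 2 server subnet,
# so unselected VLAN 3 hosts cannot reach VLAN 4 (the requirement in the thread).
ACL_103_STRICT = [
    ("permit",) + host("192.168.2.10") + ANY,
    ("permit",) + host("192.168.2.11") + ANY,
    ("permit",) + ANY + net("192.168.1.0/24"),
    ("deny",) + ANY + ANY,
]

def check(acl):
    """Constructed traffic samples using the questioner's addressing plan."""
    return {
        "selected host -> internet": evaluate(acl, "192.168.2.10", "203.0.113.5"),
        "other host -> internet":    evaluate(acl, "192.168.2.50", "203.0.113.5"),
        "vlan3 -> vlan2 server":     evaluate(acl, "192.168.2.50", "192.168.1.20"),
        "vlan3 -> vlan4 host":       evaluate(acl, "192.168.2.50", "192.168.3.20"),
    }

if __name__ == "__main__":
    for name, acl in (("ACL 103 as posted", ACL_103), ("ACL 103 tightened", ACL_103_STRICT)):
        print(name, check(acl))
```

The switch ACL only decides what leaves VLAN 3; the ASA still needs the "route inside" and "nat (inside)" entries from the post for the permitted hosts' traffic to reach the internet.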

nelba_aldovino Tue, 07/13/2010 - 19:00

Hi All,


I'll try all your recommendations.

Just another question: do you know any software that I may use to try the configuration and connections of my figure?

Since Packet Tracer has no ASA devices, only switches, routers, hubs, etc.

There are no ASA or other firewall devices.


Thank you so much to all.

Nagaraja Thanthry Wed, 07/14/2010 - 18:02

Hello,


Glad that we could help. If your issues are addressed, can you please mark the question as answered in the forum so that other users can use it?


Thanks,


NT
