Solved: VLAN REACHABLITY THROUGH FIREWALL

pramod · ‎07-14-2010

Hi,

I have a requirement like this

L3 switch connected to PIX that PIX connected to othernetworks.

TOPOLOGY

--------------------

Switch--->PIX--->Othernetworks

I have created L3 vlans on switch ( 3 vlans created and assigned 3 different subnet)

my requirement says all vlans must ping with pix gateway and also all vlans must reach the othernetworks as well,
Even traffic must flow two way

It would be great if experts can help me with sample commands, how to put route for reachablity etc.

Thanks,
Pramod KG

Nagaraja Thanthry · ‎07-14-2010

Hello,

Assume that the 3 VLAN IP addresses are 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 with the firewall being in 192.168.1.x subnet. Let the switch SVI address be 192.168.1.1 and PIX address be 192.168.1.2. Let the remote network be 172.16.x.x

On the Switch:

interface vlan 1

ip address 192.168.1.1 255.255.255.0

exit

interface vlan 2

ip address 192.168.2.1 255.255.255.0

exit

interface vlan 3

ip address 192.168.3.1 255.255.255.0

exit

ip routing

ip route 0.0.0.0 0.0.0.0 192.168.1.2

On the firewall:

interface Ethernet0

nameif outside

security-level 0

ip address 172.16.1.1 255.255.255.0

exit

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.2 255.255.255.0

exit

route inside 192.168.2.0 255.255.255.0 192.168.1.1

route inside 192.168.3.0 255.255.255.0 192.168.1.1

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (inside,outside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

access-list outside_permit_in permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0

access-list outside_permit_in permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0

access-list outside_permit_in permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0

access-group outside_permit_in in interface outside

In the above example, both 172.16.x.x and 192.168.x.x can communicate seamlessly. If you want to restrict the communication, you can change the access-list rules accordingly.

Hope this helps.

Regards,

NT

View solution in original post

Nagaraja Thanthry · ‎07-14-2010

Hello,

The static statement is called identity NAT. It will instruct the firewall to pass 192.168.1.0 traffic from inside interface to outside interface without any change (i.e. no nat). It will also instruct the firewall to allow connections originated on the outside interface to the hosts belonging to 192.168.1.x subnet (bi-directional traffic). So, in other words, with that configuration, the hosts on the outside subnet will be able to see the actual IP of the inside VLAN hosts and they will be able to initiate connections to those devices.

https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#SIN1

Hope this helps.

Regards,

NT

View solution in original post

Nagaraja Thanthry · ‎07-14-2010

Hello,

Assume that the 3 VLAN IP addresses are 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 with the firewall being in 192.168.1.x subnet. Let the switch SVI address be 192.168.1.1 and PIX address be 192.168.1.2. Let the remote network be 172.16.x.x

On the Switch:

interface vlan 1

ip address 192.168.1.1 255.255.255.0

exit

interface vlan 2

ip address 192.168.2.1 255.255.255.0

exit

interface vlan 3

ip address 192.168.3.1 255.255.255.0

exit

ip routing

ip route 0.0.0.0 0.0.0.0 192.168.1.2

On the firewall:

interface Ethernet0

nameif outside

security-level 0

ip address 172.16.1.1 255.255.255.0

exit

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.2 255.255.255.0

exit

route inside 192.168.2.0 255.255.255.0 192.168.1.1

route inside 192.168.3.0 255.255.255.0 192.168.1.1

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

static (inside,outside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

access-list outside_permit_in permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0

access-list outside_permit_in permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0

access-list outside_permit_in permit ip 172.16.0.0 255.255.0.0 192.168.3.0 255.255.255.0

access-group outside_permit_in in interface outside

In the above example, both 172.16.x.x and 192.168.x.x can communicate seamlessly. If you want to restrict the communication, you can change the access-list rules accordingly.

Hope this helps.

Regards,

NT

pramod · ‎07-14-2010

Thanks a lot Naga for your excellent reply!

I have a doubt ?

static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

Can you please explain the above cmd what exactly do ?

why the subnet is same for both inside and outside ?

Nagaraja Thanthry · ‎07-14-2010

Hello,

The static statement is called identity NAT. It will instruct the firewall to pass 192.168.1.0 traffic from inside interface to outside interface without any change (i.e. no nat). It will also instruct the firewall to allow connections originated on the outside interface to the hosts belonging to 192.168.1.x subnet (bi-directional traffic). So, in other words, with that configuration, the hosts on the outside subnet will be able to see the actual IP of the inside VLAN hosts and they will be able to initiate connections to those devices.

https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#SIN1

Hope this helps.

Regards,

NT

pramod · ‎07-15-2010

Thanks much for your excellent support