
New Member

Cisco 5525 with Outside Internet Connection (Design)

I have a design question:

Currently, we are running our internet connection from the provider to our network core (via VLAN 99). Then it gets connected to our firewall via VLAN 99.

This is the flow:

ISP Provider
Switch Stack Port G1/0/25 switchport access vlan 99
Firewall connected to our Switch Stack via Trunk (trunk allowed vlan 99)
Firewall Interface G0/7 IP x.x.x.x Subnet x.x.x.x Vlan99 Logical Type.

Our Firewall (Cisco ASA5525), has an interface setup for that connection (Vlan99), with a name of outside, and our External IP Address. (Logical Type Interface).

I would like to move our connection from the core to the firewall, (I don't want the internet to run thru the switch first, then the firewall).

Would it be safe to say that I could physically move the connection to the firewall, and that's all? The firewall has an outside routing of 0.0.0.0 0.0.0.0 with gateway of our G0/7 Firewall Interface.

Or is there more to this than meets the eye?

Sorry for the noob question, but I want to understand this a little better, and my feeling says that moving the connection from the core to the firewall would be sufficient, but then again I'm not much of an expert at firewalls.

Thanks....

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Yes, that's right.

Your core switch defaults to route out via the firewall inside interface. No change in that regard.

The firewall applies security policy and performs network address translation to public IP address space.

The firewall defaults to route out to the ISP interface facing you. No change there either.

As I noted, if your firewall interface configuration currently has a vlan statement, that will no longer be necessary, since you won't have a trunk port with VLAN tagging.

3 REPLIES
Hall of Fame Super Silver

I'm not sure why you would have the current firewall-switch link setup as a trunk since it should only ever have traffic for the single VLAN 99. An access mode port would seem more appropriate.

If you move the physical connection directly into your ISP router, you would not need (and should not use) the VLAN tagging anymore.

Re the routing, you must mean the default route is to the ISP router address. You shouldn't default route the firewall to itself. If you are, it should be changed to the ISP router.
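The two checks raised in this reply (no `vlan` statement on the outside interface once the link is no longer a trunk, and a default route whose gateway is the ISP router rather than the firewall's own outside address) can be turned into a small configuration audit. The script below is an added example, not code from the thread or from Cisco; the ASA configuration fragments, the interface names and the 203.0.113.0/29 addresses are constructed for illustration, with the "before" fragment mirroring the original poster's description (VLAN 99 subinterface, default route pointing at the firewall's own IP) and the "after" fragment showing the directly connected layout the replies describe.

```python
import ipaddress
import re

# Constructed "before" state: outside is a VLAN 99 subinterface behind a trunk,
# and the default route points at the firewall's own outside address.
BEFORE_CONFIG = """
interface GigabitEthernet0/7
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7.99
 vlan 99
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 203.0.113.10 1
"""

# Constructed "after" state: ISP link plugged straight into G0/7, no tagging,
# default route to the ISP router's address in the same /29.
AFTER_CONFIG = """
interface GigabitEthernet0/7
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
"""

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_interfaces(config):
    """Return {nameif: {'intf', 'nameif', 'vlan', 'ip'}} for every named interface block."""
    interfaces = {}
    block = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            block = {"intf": line.split(None, 1)[1], "nameif": None, "vlan": None, "ip": None}
            continue
        if block is None:
            continue
        if line == "!" or not line:           # end of the interface block
            if block["nameif"]:
                interfaces[block["nameif"]] = block
            block = None
            continue
        parts = line.split()
        if parts[0] == "vlan":
            block["vlan"] = int(parts[1])
        elif parts[0] == "nameif":
            block["nameif"] = parts[1]
        elif parts[:2] == ["ip", "address"]:  # "no ip address" starts with "no", so it is skipped
            block["ip"] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
    if block and block["nameif"]:
        interfaces[block["nameif"]] = block
    return interfaces


def parse_routes(config):
    """Return a list of static routes as {'iface', 'dest', 'mask', 'gateway'}."""
    routes = []
    for raw in config.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if m:
            iface, dest, mask, gw = m.groups()
            routes.append({"iface": iface, "dest": dest, "mask": mask,
                           "gateway": ipaddress.IPv4Address(gw)})
    return routes


def audit_outside(config, trunked, outside="outside"):
    """Return a list of findings for the outside interface and its default route."""
    findings = []
    out = parse_interfaces(config).get(outside)
    if out is None or out["ip"] is None:
        return [f"no addressed interface named '{outside}' found"]
    if not trunked and out["vlan"] is not None:
        findings.append(f"{out['intf']}: 'vlan {out['vlan']}' is configured but the link is "
                        "no longer a tagged trunk; configure the physical interface instead")
    defaults = [r for r in parse_routes(config)
                if r["iface"] == outside and r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    if not defaults:
        findings.append(f"no default route on '{outside}'")
    for r in defaults:
        gw = r["gateway"]
        if gw == out["ip"].ip:
            findings.append(f"default route gateway {gw} is the firewall's own {outside} "
                            "address; it must be the ISP router")
        elif gw not in out["ip"].network:
            findings.append(f"default route gateway {gw} is not in the {outside} subnet "
                            f"{out['ip'].network}, so it is not directly reachable")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(f"[{label}]", audit_outside(cfg, trunked=False) or "no findings")
```

Running it reports two findings for the "before" fragment (the leftover `vlan 99` and the self-pointing default route) and none for the "after" fragment; passing `trunked=True` suppresses only the VLAN finding, which is the one that becomes relevant the moment the cable is moved from the switch to the firewall.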

New Member

The route is from the firewall. The firewall itself has a static route on the outside interface.

Static Routes:

Interface: Outside
IP Address: 0.0.0.0
Netmask: 0.0.0.0
Gateway IP: (our external IP)

If I'm moving the physical connection from the switch to the firewall, that route should stay in the firewall, correct?

Our switch default route is 
0.0.0.0 0.0.0.0 IP of Firewall

Is there a change I need to do to the switch core?

Is there a change I need to do to the firewall?

Thanks...
