Solved: INTERNET ACCESS

soumik1979 · ‎11-04-2010

Dear all

I am a network admin of a small comp.We have around 100 users.Right now we have flat network off all unmanaged switches.We have web serever, database server and file server.Users use web applications and file servers.We have an asa 5510 and a cyberoam .The some users have internet and mail access.Others dont.All the normal internet users have the default gateway address is the address of the cyberom where internet access policy was imposed.Some high end user and the servers has the address of ASA 5510 as the gateway.Now we are shifting to a new office.I have planned vlan with layer2 and layer 3 switch.My question is that if I create VLAN for each dept., then each department will have a difference IP scheme.Now how I can configure the internet access of the users.I dont want to use proxy becoze outlook is not working with proxy.

Please help me with the suggestions.

Soumik Mondal

Ganesh Hariharan · ‎11-07-2010

I am providing my VLAN diagram.Now my questionis that,My fire wall or UTM device will have the IP address of 192.168.9.X/24.Diffrent users will be there in different VLAN.Now if I give the default gateway of the internet users as 192.168.9.X/24,it will not work Then how it can be done.

Please Help

Soumik,

As per the diagram i can suggest two type of network design

1) Making 3750 l3 switch as gateway for different depat.

2) Making firewall as default gateway for different depat.

what i see is 2960 l2 switches are connected with 3750 L3 switch which in tunrs connected with firewall and then internet router for outside world.If yes then kindly clarify that :-

All the vlans required internet access or only specific let say HR dept and where is the natting configuration is done in firewall or in router ?

If natting is done in router then i would suggest create different vlan for different depat in 2960 switches which are in turn connected with 3750 switch with trunk mode configured on these ports so that vlan can be travel till 3750 switch.

Then create multiple SVIin 3750 for acting as gateways for different depat and for inter dept routing and communication and then create a point to point subnet connectivity between firewall and l3 switch for internet access on different vlan and drop a default route towards firewall and reverse route towards l3 switch for your local lan subnet.

With the above case depat which wants to go for internet will travel through firewall with natting done at either firewall or router for internet connectivity.

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

View solution in original post

Ganesh Hariharan · ‎11-09-2010

Dear Ganesh

Thanks for your reply.

Internal Lan (2960)-------------->3750----------->Cyberoam UTM--------->Cisco 500(Existing switch)---------->Internet Router

^

| |

| V

--------------------------------------------- Asa 5510

Natting will be done in cyberoam and asa 5510 .Some users in all dept will access internet .Not particular dept.As our company has strict internet access policy.So user traffic must go through UTM where internet access policy has been enforced.Now kindly help me regadring the design.

Soumik

Soumik,

If i understand the data flow from the above feedback traffic is going to internet via ASA 5510 cyberoam ..if yes then i would suggest do natting in one device that is ASA 5510 which is enough for internet traffic,As cyberoam is also a firewall where you can restrict inter zone department restriction and drop a default route towards ASA and do natting for host based so that specfic host can go to internet.

Check out the below link for ASA natting

http://ezinearticles.com/?Basic-Configuration-Tutorial-For-the-Cisco-ASA-5510-Firewall&id=1888320

Hope to Help !!

Ganesh.H

View solution in original post

raviragmail · ‎11-13-2010

define ip default gateway in each of the vlans, command:

ip default gateway 192.168.0.100

View solution in original post

mohamedtag · ‎11-27-2010

Dear Soumek ,

We are having a Similar Design and we Performed the following:

A -

For Each Dept. a Dedicated VLAN:

HR - VLAN 10 ( 192.168.1.0 / 24 ).

SALES - VLAN 20 ( 192.168.2.0 / 24 )

IT - VLAN 30 ( 192.168.3.0 / 24 )

Servers - VLAN 40 ( 192.168.4.0 / 24 )

-The 2960 L2 Switches FasEthernet Ports shall be configured with the L2 VLANS according to the Memeber of the Ports.

-The Trunk Ports between the L2 2960 & L3 3750 shall be configured as Trunks allowing All the above mentioned 4 Vlans on both Uplink Ports.

B -

Over the 3750 L3 Switch 4 Intrerface Vlans will be configured:

192.168.1.1 VLAN 10

192.168.2.1 VLAN 20

192.168.3.1 VLAN 30

192.168.4.1 VLAN 40

These also are the Default Gateway for the Vlans Hosts.

View solution in original post

Ganesh Hariharan · ‎11-04-2010

Dear all

I am a network admin of a small comp.We have around 100 users.Right now we have flat network off all unmanaged switches.We have web serever, database server and file server.Users use web applications and file servers.We have an asa 5510 and a cyberoam .The some users have internet and mail access.Others dont.All the normal internet users have the default gateway address is the address of the cyberom where internet access policy was imposed.Some high end user and the servers has the address of ASA 5510 as the gateway.Now we are shifting to a new office.I have planned vlan with layer2 and layer 3 switch.My question is that if I create VLAN for each dept., then each department will have a difference IP scheme.Now how I can configure the internet access of the users.I dont want to use proxy becoze outlook is not working with proxy.

Please help me with the suggestions.

Soumik Mondal

Hi Soumik,

In order to make a network efficeint and proficient it should be segragated into different vlan segment to have different broadcast domain.Now with different ip scehma you can make natting configuration with respected acl match to for internet using ASA or in router.

Check out the below link on natting

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml

and if possible just let us know the diagramatic representation with your queries related to network,so that we can help you out more for making network with stable environment.

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

soumik1979 · ‎11-07-2010

I am providing my VLAN diagram.Now my questionis that,My fire wall or UTM device will have the IP address of 192.168.9.X/24.Diffrent users will be there in different VLAN.Now if I give the default gateway of the internet users as 192.168.9.X/24,it will not work Then how it can be done.

Please Help

Ganesh Hariharan · ‎11-07-2010

I am providing my VLAN diagram.Now my questionis that,My fire wall or UTM device will have the IP address of 192.168.9.X/24.Diffrent users will be there in different VLAN.Now if I give the default gateway of the internet users as 192.168.9.X/24,it will not work Then how it can be done.

Please Help

Soumik,

As per the diagram i can suggest two type of network design

1) Making 3750 l3 switch as gateway for different depat.

2) Making firewall as default gateway for different depat.

what i see is 2960 l2 switches are connected with 3750 L3 switch which in tunrs connected with firewall and then internet router for outside world.If yes then kindly clarify that :-

All the vlans required internet access or only specific let say HR dept and where is the natting configuration is done in firewall or in router ?

If natting is done in router then i would suggest create different vlan for different depat in 2960 switches which are in turn connected with 3750 switch with trunk mode configured on these ports so that vlan can be travel till 3750 switch.

Then create multiple SVIin 3750 for acting as gateways for different depat and for inter dept routing and communication and then create a point to point subnet connectivity between firewall and l3 switch for internet access on different vlan and drop a default route towards firewall and reverse route towards l3 switch for your local lan subnet.

With the above case depat which wants to go for internet will travel through firewall with natting done at either firewall or router for internet connectivity.

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

soumik1979 · ‎11-07-2010

Dear Ganesh

Thanks for your reply.

Internal Lan (2960)-------------->3750----------->Cyberoam UTM--------->Cisco 500(Existing switch)---------->Internet Router

^

| |

| V

--------------------------------------------- Asa 5510

Natting will be done in cyberoam and asa 5510 .Some users in all dept will access internet .Not particular dept.As our company has strict internet access policy.So user traffic must go through UTM where internet access policy has been enforced.Now kindly help me regadring the design.

Soumik

Ganesh Hariharan · ‎11-09-2010

Dear Ganesh

Thanks for your reply.

Internal Lan (2960)-------------->3750----------->Cyberoam UTM--------->Cisco 500(Existing switch)---------->Internet Router

^

| |

| V

--------------------------------------------- Asa 5510

Natting will be done in cyberoam and asa 5510 .Some users in all dept will access internet .Not particular dept.As our company has strict internet access policy.So user traffic must go through UTM where internet access policy has been enforced.Now kindly help me regadring the design.

Soumik

Soumik,

If i understand the data flow from the above feedback traffic is going to internet via ASA 5510 cyberoam ..if yes then i would suggest do natting in one device that is ASA 5510 which is enough for internet traffic,As cyberoam is also a firewall where you can restrict inter zone department restriction and drop a default route towards ASA and do natting for host based so that specfic host can go to internet.

Check out the below link for ASA natting

http://ezinearticles.com/?Basic-Configuration-Tutorial-For-the-Cisco-ASA-5510-Firewall&id=1888320

Hope to Help !!

Ganesh.H

soumik1979 · ‎11-12-2010

My problem is not natting.Nat is already there .....

So for the internet users, our network diagram is

User (IP 192.168.0.91,Default gateway 192.168.0.100)--------Cyberoam(Private IP 192.168.0.100/ Public IP 202.111.222.333)------------Router-----------Internet

As the network is flat and no VLAN .So I can give default gateway as 192.168.0.100 for the internet user.But if there are VLANs then the IP addressing scheme will be

VLAN 1 192.168.1.0/24

VLAN 2 192.168.2.0/24 This are the departmental vlan

VLAN 3 192.168.3.0/24

VLAN 4 192.168.4.0 Thia the vlan for the servers.

Now with our presnt scenario the ip of the cyberoam will be 192.168.4.100.So how the users of VLAN 1, VLAN 2 and VLAN 3 can access the internet with default gatewa through cyberoam.My question is that.I am using 2960 and 3750 for my network....

Please advice

Soumik

raviragmail · ‎11-13-2010

define ip default gateway in each of the vlans, command:

ip default gateway 192.168.0.100

mohamedtag · ‎11-27-2010

Dear Soumek ,

We are having a Similar Design and we Performed the following:

A -

For Each Dept. a Dedicated VLAN:

HR - VLAN 10 ( 192.168.1.0 / 24 ).

SALES - VLAN 20 ( 192.168.2.0 / 24 )

IT - VLAN 30 ( 192.168.3.0 / 24 )

Servers - VLAN 40 ( 192.168.4.0 / 24 )

-The 2960 L2 Switches FasEthernet Ports shall be configured with the L2 VLANS according to the Memeber of the Ports.

-The Trunk Ports between the L2 2960 & L3 3750 shall be configured as Trunks allowing All the above mentioned 4 Vlans on both Uplink Ports.

B -

Over the 3750 L3 Switch 4 Intrerface Vlans will be configured:

192.168.1.1 VLAN 10

192.168.2.1 VLAN 20

192.168.3.1 VLAN 30

192.168.4.1 VLAN 40

These also are the Default Gateway for the Vlans Hosts.

soumik1979 · ‎11-28-2010

Thanks for your reply. As per your design, all hosts in the HR vlan will have the default gateway 192.168.1.1.Sales VLAn will be 192.168.2.1 ...But the ip address of the cyberoam will be 192.168.4.100/24.So if it is possible can you please tell me some more about your design and conf. .

mohamedtag · ‎11-29-2010

Dear Soumik , If you enabled the Command " ip routing " over the Cisco 3750 , then i assume that All VLANS will be able to reach each other , If this is the Case , What about adding a Default Route to the CyberOam IP Address :

ip route 0.0.0.0 0.0.0.0 192.168.4.100 255.255.255.255

What do you think ??

soumik1979 · ‎11-29-2010

Ok.Please clear some of my doubts.

Suupose My ASA havs IP address of 192.168.4.100 and cyberoam 192.168.4.200

1) I have to give default gateway in each of the hosts machine where internet access is given???????

2)I donot want the servers internet access through cyberoam or any restriction .

3)I have to to give permision to some users without any restriction(President of the company), Lounge room, Head IT etc.

4)If I gave the default gateway as 192.168.4.200/24, then how the servers and high end users will have the access through ASA.Is it possible to give two default gateway ....