I have a few questions on setting up (re-configuring) a small business LAN. The network consists of 2 core switches, both Cisco 3750G, and a Microsoft Threat Management Gateway as the router / firewall. The TMG has 3 NICs: DMZ, Internal LAN, and External. The two 3750Gs are in two separate rooms connected via a VTP trunk. I have a number of VLANs: vlan 9 (DMZ) int ip 192.168.0.2 | vlan 10 (INT_LAN) int ip 10.0.10.2 | vlan 20 (vMotion) int ip 10.0.20.2 | vlan 30 (iSCSI) int ip 10.0.30.2. ip routing is enabled on the switch. I do not have ip default-gateway set.
Threat Management Gateway (TMG) server NIC config: DMZ, IP 192.168.0.9, connected to gi1/0/x, switchport access vlan 9. INT_LAN, IP 10.0.10.1, connected to gi1/0/x, switchport access vlan 10. Ext, public IP, connected to the ISP. All internal servers / workstations use the TMG INT_LAN IP as their gateway. The internal AD DNS server forwards to the DMZ DNS at 192.168.0.9. The DMZ DNS forwards to external public DNS for all external resolution.
With the above configuration, I'm noticing SYN_PACKET_DROPPED errors in the TMG firewall logs. I've come across some information that might relate to having the gateway set as the TMG instead of the VLAN those servers / workstations are in, vlan 10; i.e. their gateway should be set to 10.0.10.2 with a route to the TMG INT_LAN IP. My question is: what is the best way to go about configuring this? Since the TMG is essentially a router, should / can I change its INT_LAN IP to, say, 10.0.1.1 and set ip default-gateway to 10.0.1.1? Or would adding a route like 10.0.10.0 255.255.255.0 10.0.1.1 work, or 0.0.0.0 0.0.0.0 10.0.1.1? What would the port settings for the TMG INT_LAN NIC be? Would it be a routed port, or still remain a switchport in a VLAN, i.e. vlan 1 10.0.1.2?
Any assistance would be greatly appreciated with this configuration. Thank you!
OK, I've made the changes: no ip proxy-arp on all the VLAN interfaces. I will test and see if the logs are still showing TCP_SYN_PACKET_DROP and how internet browsing is. I'm posting this message from a system in the internal LAN, so that's good.
With the firewall being at 10.0.10.1, would it be beneficial to put it on its own VLAN in its own subnet? Thanks for the help thus far.
I've made the changes noted and I'm still experiencing a wrath of SYN_PACKET_DROPPED in the firewall logs. I have to constantly refresh or press enter in the address bar of internet sites I'm trying to visit from clients in the internal VLAN 10.
I think I need to have the TMG act as the router, so to speak, in the environment. What I'm trying to figure out is how to configure my core switch in this situation. What I'm thinking is configuring one of the interfaces on the 3750 as layer 3 (no switchport), assigning it an IP address of, say, 126.96.36.199 with SN 255.255.255.248, and configuring the INT_LAN NIC of the TMG as IP 188.8.131.52 255.255.255.248. Would I need to add a route 0.0.0.0 0.0.0.0 184.108.40.206 on the 3750 for all internet traffic to end up at the TMG INT_LAN interface, and most likely have the TMG routing set properly for the 200.1.1.x and 10.0.10.x subnets as part of the INT_LAN?
If the above scenario is taken, do I have to make any changes on the 2nd 3750? I have 3 VLANs only: Management, VLAN 10, and VLAN 5. Could the ip default-gateway of the 2nd 3750 be the management interface IP address, with the core1 3750 having the static 0.0.0.0 route, or do both switches need a static route to the TMG 220.127.116.11 IP? Thanks.
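A configuration sketch of the routed-port design discussed in this thread, added here as an example and not taken from the original posts or from Cisco documentation for this exact setup. The interface numbers, the 10.0.1.0/29 transit subnet (using the 10.0.1.1 / 10.0.1.2 addresses floated in the first post) and core2's management addressing are assumptions.

```cisco
! ===== Core1 3750G (the switch that holds the default route) =====
ip routing
!
! Assumed port: layer-3 link to the TMG INT_LAN NIC, one /29 between them
interface GigabitEthernet1/0/24
 description Transit to TMG INT_LAN (assumed port and subnet)
 no switchport
 ip address 10.0.1.2 255.255.255.248
 no ip proxy-arp
!
! Client VLAN: hosts now use the switch SVI (10.0.10.2) as their gateway
interface Vlan10
 description INT_LAN
 ip address 10.0.10.2 255.255.255.0
 no ip proxy-arp
!
! Repeat the same pattern for Vlan20 / Vlan30 (proxy-arp off on each SVI)
!
! Anything the switch does not know locally is handed to the TMG
ip route 0.0.0.0 0.0.0.0 10.0.1.1
!
! ===== Core2 3750G (layer-2 only in this sketch) =====
! With ip routing disabled, one default gateway pointing at core1's SVI is
! enough; the management SVI address below is an assumption.
no ip routing
interface Vlan10
 ip address 10.0.10.3 255.255.255.0
ip default-gateway 10.0.10.2
! If core2 is left with ip routing enabled, use a static default instead:
! ip route 0.0.0.0 0.0.0.0 10.0.10.2
!
! ===== TMG side (Windows, run from an elevated prompt) =====
! The firewall must know the way back to the client VLANs via the switch:
!   route -p add 10.0.10.0 mask 255.255.255.0 10.0.1.2
!   route -p add 10.0.20.0 mask 255.255.255.0 10.0.1.2
!   route -p add 10.0.30.0 mask 255.255.255.0 10.0.1.2
```

The TMG Internal network definition also has to include 10.0.1.0/29 and the VLAN subnets, otherwise traffic arriving from those ranges on the INT_LAN NIC is treated as spoofed and dropped.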