Basic Small LAN Config Changes

slevinbkelevra
Level 1

I have a few questions on setting up (re-configuring) a small business LAN. The network consists of 2 core switches, both Cisco 3750G, and a Microsoft Threat Management Gateway as the router / firewall. The TMG has 3 NICs: DMZ, Internal LAN, and External. The 2 3750Gs are in two separate rooms connected via a VTP trunk. I have a number of VLANs: vlan 9 (DMZ) int ip 192.168.0.2 | vlan 10 (INT_LAN) int ip 10.0.10.2 | vlan 20 (vMotion) int ip 10.0.20.2 | vlan 30 (iSCSI) int ip 10.0.30.2. ip routing is enabled on the switch. I do not have ip default-gateway set.

Threat Management Gateway (TMG) Server NIC Config: DMZ, IP 192.168.0.9, connected to gi1/0/x switchport access vlan 9. INT_LAN, IP 10.0.10.1, connected to gi1/0/x switchport access vlan 10. Ext, IP public, connected to ISP. All internal servers / workstations use the TMG INT_LAN IP as their gateway. The internal AD DNS server forwards to the DMZ DNS 192.168.0.9. The DMZ DNS forwards to external public DNS for all external resolution.

With the above configuration, I'm noticing SYN_PACKET_DROPPED errors in the TMG firewall logs. I've come across some information that might relate to having the gateway set as the TMG instead of the VLAN those servers / workstations are in, vlan 10, i.e. their gateway should be set to 10.0.10.2 with a route to the TMG INT_LAN IP. My question is what is the best way to go about configuring this? Since the TMG is essentially a router, should / can I change its INT_LAN IP to, say, 10.0.1.1 and set ip default-gateway to 10.0.1.1? Or would adding a route like 10.0.10.0 255.255.255.0 10.0.1.1 work, or 0.0.0.0 0.0.0.0 10.0.1.1? What would the port settings for the TMG NIC INT_LAN be? Would it be a routed port, or would it still remain a switchport in a VLAN, i.e. vlan 1 10.0.1.2?

Any assistance would be greatly appreciated with this configuration. Thank you!


-SK

3 Replies

acampbell
VIP Alumni

Hi SK

To me there is no right/wrong answer about the main router.
If you want to keep the TMG as the router that should be ok.


Before you go changing default gateways, let's try disabling proxy ARP on the 3750 IP interfaces.

!
int vlan 9
no ip proxy-arp
!
!
int vlan 10
no ip proxy-arp
!
!
int vlan 20
no ip proxy-arp
!
!
int vlan 30
no ip proxy-arp
!

Then retest

Let us know the outcome

Regards
Alex

Regards, Alex. Please rate useful posts.

Ok, I've made the changes no ip proxy-arp on all the vlan interfaces. I will test and see if the logs are still showing TCP_SYN_PACKET_DROP and how internet browsing is. I'm posting this message from a system in the internal LAN so that's good.

With the firewall being at 10.0.10.1, would it be beneficial to put it on its own VLAN in its own subnet? Thanks for the help thus far.


-SK

I've made the changes noted and I'm still experiencing a raft of SYN_PACKET_DROPPED in the firewall logs. I have to constantly refresh or press Enter in the address bar of internet sites I'm trying to visit from clients in the internal VLAN 10.

I think I need to have the TMG act as the router, so to speak, in the environment. What I'm trying to figure out is how to configure my core switch in this situation. What I'm thinking is configuring one of the interfaces on the 3750 as layer 3 (no switchport), assigning it an IP address of, say, 201.1.1.2 with SN 255.255.255.248, and configuring the INT_LAN NIC of the TMG as IP 200.1.1.1 255.255.255.248. Would I need to add a route 0.0.0.0 0.0.0.0 200.1.1.1 on the 3750 for all internet traffic to end up at the TMG INT_LAN interface, and most likely have the TMG routing set properly for the 200.1.1.x and 10.0.10.x subnets as part of the INT_LAN?

If the above scenario is taken, do I have to make any changes on the 2nd 3750? I have 3 VLANs only: Management, VLAN 10, and VLAN 5. Could the ip default-gateway of the 2nd 3750 be the management interface IP address, with the core1 3750 having the static 0.0.0.0 route, or do both switches need a static route to the TMG 200.1.1.1 IP? Thanks.

-SK
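An added example, not posted by anyone in this thread and not taken from Cisco or Microsoft documentation, of the layer-3 design SK sketches in the last post: core1 talks to the TMG INT_LAN NIC over a dedicated routed link, the SVIs stay the hosts' default gateways, core1 carries a default route toward the TMG, and core2 simply points at core1. The transit subnet 10.0.1.0/30 (TMG 10.0.1.1, core1 10.0.1.2), port Gi1/0/1 and core2's VLAN 10 address 10.0.10.3 are assumptions chosen for the example; the 201.1.1.2 and 200.1.1.1 /29 addresses in the post would have to be in one common subnet before such a link could come up. The point of the design is that every host-to-internet flow crosses the TMG exactly once in each direction, which is what a stateful firewall needs to see the SYN and the reply on the same path.

```cisco
! ===== core1 (Cisco 3750G) -- hypothetical example, addresses assumed =====
ip routing
!
! Routed point-to-point link to the TMG INT_LAN NIC (10.0.1.1/30 assumed)
interface GigabitEthernet1/0/1
 description Uplink to TMG INT_LAN (10.0.1.1)
 no switchport
 ip address 10.0.1.2 255.255.255.252
 no ip proxy-arp
!
! The SVIs remain the hosts' default gateways, so inter-VLAN traffic
! never has to hairpin through the firewall.
interface Vlan10
 description INT_LAN (hosts use 10.0.10.2 as gateway)
 ip address 10.0.10.2 255.255.255.0
 no ip proxy-arp
!
interface Vlan20
 description vMotion
 ip address 10.0.20.2 255.255.255.0
 no ip proxy-arp
!
interface Vlan30
 description iSCSI
 ip address 10.0.30.2 255.255.255.0
 no ip proxy-arp
!
! VLAN 9 (DMZ) stays layer 2 only: without an SVI the switch cannot route
! around the TMG, so the firewall is the only path between DMZ and inside.
no interface Vlan9
!
! Anything not on a local VLAN goes to the TMG
ip route 0.0.0.0 0.0.0.0 10.0.1.1
!
! ===== core2 (Cisco 3750G), assumed VLAN 10 address 10.0.10.3 =====
! If core2 only switches (no "ip routing"), a default gateway for its own
! management traffic is all it needs; hosts in VLAN 10 on core2 reach the
! 10.0.10.2 gateway on core1 across the existing trunk.
no ip routing
interface Vlan10
 ip address 10.0.10.3 255.255.255.0
!
ip default-gateway 10.0.10.2
```

Two things to check on the other side of the link. First, on Cisco IOS the ip default-gateway command only takes effect when ip routing is disabled; if core2 keeps ip routing on (for example to route VLAN 5 itself), it needs ip route 0.0.0.0 0.0.0.0 10.0.10.2 instead, and core1 and the TMG then need return routes for core2's own subnets. Second, the TMG must know how to get back to 10.0.10.0/24 (and any other internal subnet) via 10.0.1.2: a persistent Windows static route such as route -p add 10.0.0.0 mask 255.255.0.0 10.0.1.2 (the /16 is an assumption that covers the VLANs in the thread), and the TMG Internal network definition must include those address ranges, otherwise TMG treats traffic arriving from them as spoofed and drops it.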
