Cisco Support Community

Can I do this?

Not sure if this is possible. Here's the layout.

T1 circuit coming in... I have a 2600 router pushing the traffic to a Checkpoint firewall (external interface). From the Checkpoint external interface, it goes to the Checkpoint internal interface and on out to the 3750 switch and the VLAN that it's on.

My question is this. The IPs for the serial and ethernet interfaces on the router are external to our network. The internal interface IP is on the same network as the switch, etc.

We are using the checkpoint device to tunnel info back towards our main checkpoint device and the data is moving fine. However, we lost SSH access into the router and all of the SNMP data from it are being dropped, as they are not in the new "tunnel".

We have entered the external IP network into the allowable section on the Checkpoint, but it is still being dropped.

What I am wondering is if I can take a port off the switch and maybe connect that to the extra Ethernet interface on the router and somehow pull data from that 2nd interface without that interface interfering with the current traffic as it is today.

Can I do this?

Accepted Solution

Re: Can I do this?

Yeah..

You can do this, but I wouldn't recommend it. Having an additional interface for management can cause undue security risks, since this path bypasses the firewall. There is a direct path from the Internet onto your internal network, and this isn't advisable. I guess you need to troubleshoot anyhow and see the rules in the Checkpoint, and solve this issue rather than taking new interfaces... I'm not a Checkpoint expert, but the way you should proceed is:

1) Check the rules on the firewall and see if there are any logs generated when you do SSH or SNMP to the router.

2) Check if you can do SSH & SNMP from the outside LAN of the Checkpoint. This makes sure that your SSH and SNMP configurations are fine, and you can isolate the problem to the firewall.

3) Check if there are any ACLs on the router that are blocking the connection from your inside network.

4) Are you setting this up for the first time, or was it a working setup?

Check all these and I am sure you can nail down the issue..

Hope this helps. Rate replies if found useful.

Raj
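Step 2 of the answer above, checking SSH and SNMP from the outside LAN of the Checkpoint and again from the inside VLAN so the problem can be isolated to the firewall, comes down to a reachability probe that tells an answer, a refusal and a silent drop apart. The script below is an added example written for this page, not code from the original post, from Cisco or from Check Point. It builds a minimal SNMPv2c GetRequest for sysDescr.0 by hand (so it needs no SNMP library), sends it to udp/161, and does a plain TCP connect to port 22. The default router address 192.0.2.1, the community string "public" and SAMPLE_RESPONSE are constructed placeholders.

```python
"""Probe SSH (tcp/22) and SNMP (udp/161) reachability to the router from the current host.
Added example, not code from the original post; the default router address, community
string and SAMPLE_RESPONSE are constructed placeholders."""
import socket
import sys
SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, readable with any RO community

def ber_length(n: int) -> bytes:
    """BER length: short form below 128, else 0x80|N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(payload)) + payload

def encode_int(value: int) -> bytes:
    """INTEGER with the minimal two's-complement body (128 encodes as 00 80, not 80)."""
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return tlv(0x02, value.to_bytes(size, "big", signed=True))

def _base128(n: int) -> bytes:
    out = [n & 0x7F]
    while n := n >> 7:
        out.append(0x80 | (n & 0x7F))
    return bytes(reversed(out))

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs fold into 40*a+b; each arc is base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    return tlv(0x06, b"".join(_base128(a) for a in [arcs[0] * 40 + arcs[1]] + arcs[2:]))

def build_snmp_get(community: str, oid: str, request_id: int) -> bytes:
    """SNMPv2c GetRequest (version field 1) for one OID; the community travels in cleartext."""
    varbind = tlv(0x30, encode_oid(oid) + b"\x05\x00")                      # name + NULL value
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0)  # id, error-status, error-index
              + tlv(0x30, varbind))
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_response(data: bytes):
    """Return (request_id, error_status, [(value_tag, value_bytes), ...]) from a GetResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    p = _read_tlv(msg, _read_tlv(msg, 0)[2])[2]                              # skip version, community
    ptag, pdu, _ = _read_tlv(msg, p)
    if tag != 0x30 or ptag != 0xA2:
        raise ValueError("not an SNMP GetResponse")
    _, rid, p = _read_tlv(pdu, 0)
    _, err, p = _read_tlv(pdu, p)
    _, _index, p = _read_tlv(pdu, p)
    _, vbl, _ = _read_tlv(pdu, p)
    values, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, _oid, r = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, r)
        values.append((vtag, val))
    return int.from_bytes(rid, "big", signed=True), int.from_bytes(err, "big", signed=True), values

SAMPLE_RESPONSE = bytes.fromhex(   # constructed GetResponse: request-id 1, sysDescr.0 = "C2600"
    "302b02010104067075626c6963a21e0201010201000201003013301106082b0601020101010004054332363030")

def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """'open' (SYN/ACK), 'refused' (RST: host up, no listener) or 'timeout' (silently dropped)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:                                                   # timeout, no route, ...
        return "timeout" if isinstance(exc, socket.timeout) else f"error:{exc.errno}"

def probe_snmp(host: str, community: str, timeout: float = 3.0) -> str:
    """'answered' only if a GetResponse carrying our request-id comes back; a drop is 'no-answer'."""
    request_id = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_snmp_get(community, SYS_DESCR, request_id), (host, 161))
            data, _ = s.recvfrom(2048)
        except OSError as exc:                 # ICMP port unreachable surfaces as ConnectionRefusedError
            return "refused" if isinstance(exc, ConnectionRefusedError) else "no-answer"
    rid, err, _ = parse_snmp_response(data)
    return "answered" if (rid, err) == (request_id, 0) else f"unexpected (id={rid}, error-status={err})"

if __name__ == "__main__":                     # usage: python probe.py <router-ip> [community]
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"   # placeholder (TEST-NET-1)
    community = sys.argv[2] if len(sys.argv) > 2 else "public"  # placeholder RO community
    print(f"SSH  tcp/22  -> {host}: {probe_tcp(host, 22)}")
    print(f"SNMP udp/161 -> {host}: {probe_snmp(host, community)}")
```

Run it from a host on the outside LAN of the Checkpoint and from a host on the inside VLAN and compare: 'open'/'answered' on one side with 'timeout'/'no-answer' on the other points at the firewall, while 'refused' means the packet reached the router and nothing was listening. Note that SNMPv2c agents silently discard requests with a wrong community string, so a bad community is indistinguishable from a firewall drop; confirm the community from the side that works before blaming the Checkpoint. For step 3, `show ip access-lists` on the 2600, together with the `access-class` lines under the vty configuration and the ACL named on the `snmp-server community` line in the running configuration, shows which source addresses the router itself admits for SSH and SNMP.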
