6648 Views, 14 Helpful, 19 Replies

Firewall as the gateway

nelba_aldovino
Level 1

Hi All,

Is it possible for the firewall to be your gateway while you also have inter-VLAN routing?

How will I configure the L3 switch for that situation?

19 Replies

altheb_5
Level 1

Yes, it's possible if you have an L3 switch before the firewall.

So tell me how many VLANs you need to create and the model of the L3 switch you have,

and I will provide you all the configuration.

Ganesh Hariharan
VIP Alumni

Hi All,

Is it possible for the firewall to be your gateway while you also have inter-VLAN routing?

How will I configure the L3 switch for that situation?

Hi,

If you are doing inter-VLAN routing first and the firewall comes into the picture afterwards, the better recommendation is to have the gateway be the SVI of the VLAN configured on the switch. If you want the firewall to be the gateway for the users, make the firewall ports members of those VLANs and then configure the gateway for the users in each VLAN to be the firewall.

http://cisco.biz/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Hi All,

But in my situation the firewall comes first, before the L3 switch.

Is it possible for the firewall to be the gateway in that situation?

My L3 switch will be the Cisco Catalyst 3750.

Hello,

If the firewall is connected to the Internet and you want all the Internet traffic to reach the firewall, the better way is to configure the switch as the default gateway and, on the switch, configure the firewall as the default gateway. But if the firewall is sitting right in between the VLANs, i.e. one interface of the firewall is in one VLAN and the other is on the second VLAN, and you would like all traffic between those VLANs to go through the firewall, then turn off the layer 3 interface for one of the VLANs and make the firewall the default gateway for that VLAN.

Hope this helps.

Regards,

NT

How will I do that?

My firewall will be connected to the Internet.

Your first sentence fits what I am planning to do.

See below for your reference.

Another thing: I will be using ACLs on layer 3 instead of inter-VLAN routing.

Hello,

In your case, making the L3 switch the default gateway for all VLANs will be the best way. In this way, all traffic destined to the local LAN will be handled by the switch and only the Internet traffic will go to the firewall. If you want other VLANs also to access the Internet, you can do that with this implementation. Make sure that the default route on the switch is pointing to the firewall.

ip route 0.0.0.0 0.0.0.0

If you want VLAN 3 and VLAN 4 to access internet via the firewall, then on the firewall, have static routes configured for those subnets.

route inside

route inside

Hope this helps.

Regards,

NT

Hi Nagaraja Thanthry,

Can you give me an example of how I will get VLAN 3 and VLAN 4 to access the Internet via the firewall?

for example:

vlan 2 ip = 192.168.1.1/24

vlan 3 ip = 192.168.2.1/24

vlan 4 ip = 192.168.3.1/24

So I will run these commands on my firewall:

for vlan 3:

route inside 255.255.255.0 192.168.1.1

for vlan 4:

route inside 255.255.255.0 192.168.1.1

Am I right?

Thank you!

Hi,

Create a NAT rule in the firewall for the VLAN subnet and then try to access the Internet from the specified VLANs.

https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#s11

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Hi

It's very easy.

L3 configuration:

ip routing

inter vlan 2

ip address 192.168.1.1 255.255.255.0

ip helper-address { DHCP ip address } if you use DHCP

inter vlan 3

ip address 192.168.2.1 255.255.255.0

ip helper-address { DHCP ip address } if you use DHCP

inter vlan 4

ip address 192.168.3.1 255.255.255.0

ip helper-address { DHCP ip address } if you use DHCP

ip route 0.0.0.0 0.0.0.0 { Firewall IP address }

Do a trunk between any two switches.

Now all VLANs can communicate with each other and the Internet works fine.

The default gateway for users is the same IP as the VLAN interface on the L3 switch.

The default route means any packet with an unknown destination (Internet) will be sent to the firewall.
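The replies above describe three pieces that have to agree before a VLAN host gets out: the 3750's default route toward the ASA, a NAT rule on the ASA for that VLAN's subnet, and a static route on the ASA back to the subnet. The script below is an added example, not configuration from the thread, from Cisco or from any poster. It models those tables in Python and walks a host's path to the Internet and back, reporting a missing default route, a subnet with no NAT rule, or a return route whose next hop the ASA cannot reach. It uses the thread's addressing (SVIs 192.168.1.1, 192.168.2.1, 192.168.3.1) and assumes the ASA inside interface is 192.168.1.2 in VLAN 2; the Internet test address 203.0.113.10 (TEST-NET-3) is constructed.

```python
"""Routing-plane sanity check for the 'L3 switch as gateway, firewall upstream' design.

Added example; not configuration from the thread, Cisco or the posters. Addressing
follows the thread; the ASA inside address 192.168.1.2 and the Internet test address
203.0.113.10 are assumptions for this example.
"""
import ipaddress


def net(cidr):
    return ipaddress.ip_network(cidr)


def addr(ip):
    return ipaddress.ip_address(ip)


CONNECTED = "connected"

# Catalyst 3750: the SVIs are connected routes; everything else goes to the ASA.
SWITCH = {
    "connected": [net("192.168.1.0/24"), net("192.168.2.0/24"), net("192.168.3.0/24")],
    "static": [(net("0.0.0.0/0"), addr("192.168.1.2"))],  # ip route 0.0.0.0 0.0.0.0 <ASA>
}

# ASA 5510 (constructed model): inside interface in VLAN 2. Routes back to VLAN 3/4
# must point at the switch's VLAN 2 address, the only 3750 address the ASA can ARP for.
FIREWALL = {
    "connected": [net("192.168.1.0/24")],
    "static": [(net("192.168.2.0/24"), addr("192.168.1.1")),
               (net("192.168.3.0/24"), addr("192.168.1.1"))],
    # Subnets covered by a NAT rule; VLAN 2 is assumed to be translated already.
    "nat": [net("192.168.1.0/24"), net("192.168.2.0/24"), net("192.168.3.0/24")],
}


def lookup(table, dst):
    """Longest-prefix match over connected and static routes.

    Returns CONNECTED, a next-hop IPv4Address, or None when nothing matches.
    """
    best = None
    for n in table["connected"]:
        if dst in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, CONNECTED)
    for n, nh in table["static"]:
        if dst in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, nh)
    return None if best is None else best[1]


def reachable_next_hop(table, nh):
    """A static route is usable only if its next hop sits on a connected subnet."""
    return nh == CONNECTED or any(nh in n for n in table["connected"])


def check_internet_path(src, switch=SWITCH, firewall=FIREWALL, internet="203.0.113.10"):
    """Walk src -> Internet -> src and return a list of problems (empty means OK)."""
    src, internet = addr(src), addr(internet)
    problems = []
    # Outbound: the 3750 must hand the packet to the ASA.
    fwd = lookup(switch, internet)
    if fwd is None or fwd == CONNECTED:
        problems.append("switch has no default route toward the firewall")
    elif not reachable_next_hop(switch, fwd):
        problems.append(f"switch default route next hop {fwd} is not on a connected subnet")
    elif not any(fwd in n for n in firewall["connected"]):
        problems.append(f"switch default route points at {fwd}, not on the firewall's inside subnet")
    # Translation: without a NAT rule the ASA will not pass the flow (as the thread notes).
    if not any(src in n for n in firewall["nat"]):
        problems.append(f"{src} is not covered by a NAT rule on the firewall")
    # Return path: the ASA needs a route back to the VLAN via the switch.
    back = lookup(firewall, src)
    if back is None:
        problems.append(f"firewall has no route back to {src}")
    elif not reachable_next_hop(firewall, back):
        problems.append(f"firewall route to {src} uses next hop {back}, which is not on its inside subnet")
    return problems


if __name__ == "__main__":
    for host in ("192.168.1.50", "192.168.2.50", "192.168.3.50"):
        print(host, check_internet_path(host) or "OK")
```

The return-route check is the one that bites in practice: the ASA's inside interface lives in VLAN 2, so a `route inside` for the VLAN 3 or VLAN 4 subnet has to name the switch's VLAN 2 address (192.168.1.1 here), not the SVI inside the destination VLAN, because the ASA can only forward to a next hop on a subnet it is attached to.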

What if not all members of that VLAN will be given an Internet connection?

Only chosen persons will be given a connection to the net.

Will it be possible?

And not all VLANs are required to communicate with each other.

Here is the situation to clarify my problem.

The Catalyst 3750 handles the ACLs and inter-VLAN routing.

What if I want one of the PCs in VLAN 3 to have an Internet connection and the rest will not have a net connection?

How will I configure it?

Give me a reason to use ACLs in the core switch?

And the routing between VLANs: if you enable IP routing it will do it for all; is that not required for you?

About Internet access from the firewall, you can control who can access the Internet (what firewall do you use?).

We need ACLs because it is not required that all VLANs should see each other.

But all VLANs should see the servers, or VLAN 2 in the figure.

And VLAN 2 should see all the VLANs (VLAN 3 and 4).

VLAN 3 and 4 should not see each other.

Only selected users in VLAN 3 and 4 will be given access to the net.

Our firewall is an ASA 5510.

Hello,

In that case, you need to play around with the access-lists:

On the firewall:

route inside 192.168.2.0 255.255.255.0 192.168.2.1

route inside 192.168.3.0 255.255.255.0 192.168.2.1

global (outside) 1 interface

nat (inside) 1 192.168.2.0 255.255.255.0

nat (inside) 1 192.168.3.0 255.255.255.0

On the Switch:

ip routing

ip route 0.0.0.0 0.0.0.0 192.168.1.2 (Firewall's IP)

access-list 103 permit ip host

ip access-group 102 in

exit

Hope this helps.

Regards,

NT
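The requirements stated in the last few posts (every VLAN reaches the servers in VLAN 2, VLAN 2 reaches every VLAN, VLAN 3 and VLAN 4 never see each other, and only selected hosts reach the Internet) become inbound ACLs on the VLAN 3 and VLAN 4 SVIs of the 3750. The script below is an added example, not configuration from the thread, from Cisco or from the posters. It encodes such ACLs as ordered permit/deny entries with IOS's first-match and implicit-deny behaviour, then checks them against the stated intent, including the reply direction, since IOS ACLs are stateless. The selected users 192.168.2.10 and 192.168.3.10, the server 192.168.1.5 and the Internet test address 203.0.113.10 (TEST-NET-3) are constructed.

```python
"""Intent check for the stateless SVI ACLs discussed in the thread.

Added example; not code from the thread, Cisco or the posters. Addressing follows
the thread (VLAN 2 = 192.168.1.0/24 servers, VLAN 3 = 192.168.2.0/24,
VLAN 4 = 192.168.3.0/24). The selected Internet users 192.168.2.10 / 192.168.3.10,
the server 192.168.1.5 and the Internet address 203.0.113.10 are constructed.
"""
import ipaddress


def net(cidr):
    return ipaddress.ip_network(cidr)


ANY = net("0.0.0.0/0")
VLANS = {2: net("192.168.1.0/24"), 3: net("192.168.2.0/24"), 4: net("192.168.3.0/24")}
INTERNET = "203.0.113.10"

# Inbound ACL per SVI as ordered (action, source, destination) entries. IOS uses the
# first matching entry and an implicit 'deny ip any any' after the last one. VLAN 2
# (servers, and the ASA's inside interface) carries no ACL, so it may reach every VLAN.
ACLS = {
    3: [("permit", VLANS[3], VLANS[2]),              # VLAN 3 -> servers
        ("deny",   VLANS[3], VLANS[4]),              # VLAN 3 and 4 must not see each other
        ("permit", net("192.168.2.10/32"), ANY)],    # constructed: the one selected user
    4: [("permit", VLANS[4], VLANS[2]),
        ("deny",   VLANS[4], VLANS[3]),
        ("permit", net("192.168.3.10/32"), ANY)],
}


def vlan_of(ip):
    """Return the VLAN containing ip, or None for anything off-site (the Internet)."""
    return next((v for v, n in VLANS.items() if ip in n), None)


def acl_permits(acls, vlan, src, dst):
    """Evaluate the inbound ACL of one SVI. No ACL configured means everything passes."""
    entries = acls.get(vlan)
    if entries is None:
        return True
    for action, s, d in entries:
        if src in s and dst in d:
            return action == "permit"
    return False  # implicit deny


def flow_allowed(acls, src, dst):
    """Can src open a connection to dst through the 3750?

    The first packet must pass the ACL on the source VLAN's SVI and, for an internal
    destination, the reply must pass the ACL on the destination VLAN's SVI. Internet
    replies re-enter on VLAN 2 from the stateful ASA, so only the outbound leg matters.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not acl_permits(acls, vlan_of(src), src, dst):
        return False
    dst_vlan = vlan_of(dst)
    if dst_vlan is None:
        return True
    return acl_permits(acls, dst_vlan, dst, src)


# The poster's requirements as (src, dst, should_be_allowed).
INTENT = [
    ("192.168.2.20", "192.168.1.5", True),    # every VLAN reaches the servers
    ("192.168.3.20", "192.168.1.5", True),
    ("192.168.1.5", "192.168.2.20", True),    # servers reach VLAN 3 and 4
    ("192.168.1.5", "192.168.3.20", True),
    ("192.168.2.20", "192.168.3.20", False),  # VLAN 3 and 4 do not see each other ...
    ("192.168.3.20", "192.168.2.20", False),
    ("192.168.2.10", "192.168.3.10", False),  # ... not even the two selected users
    ("192.168.2.10", INTERNET, True),         # only selected users reach the Internet
    ("192.168.3.10", INTERNET, True),
    ("192.168.2.20", INTERNET, False),
    ("192.168.3.20", INTERNET, False),
]


def check_intent(acls=ACLS, intent=INTENT):
    """Return the intent rows the ACLs violate as (src, dst, expected, actual)."""
    return [(s, d, want, flow_allowed(acls, s, d))
            for s, d, want in intent if flow_allowed(acls, s, d) != want]


if __name__ == "__main__":
    for problem in check_intent():
        print("intent violated:", problem)
    print("ACLs match intent" if not check_intent() else "review the ACLs")
```

Entry order matters: the `deny` between VLAN 3 and VLAN 4 has to sit above the selected user's `permit ... any`, otherwise the two selected hosts can reach each other through the permit-any entries on both SVIs. Running the check again after every ACL change is a cheap way to catch that before it is pushed to the switch.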
