496 Views | 0 Helpful | 1 Replies

Help...?

Sal Robertson
Level 1

OK, I feel like a complete prat, but I've been here for close to 15 hours now, and I can't see straight.

Here's the deal:

I have a L2 switch, a router, and a firewall.

L2 Switch --> Router --> Firewall --> Internet

This is stone knives and bearskins, and I am very rusty. The situation is that my office is moving, but some people have to be able to use the old office's connectivity for a few more days. I am substituting a Layer 2 switch and a router for the existing Layer 3 switch.

On the L2 switch, I have several VLANs configured, which I won't go into detail on here. Here is the relevant configuration:

int fa 0/48
  descr Link to Router
  switchport mode trunk
  switchport trunk allowed vlan all
!
int vlan 132
  ip addr 10.1.32.2
!
ip default-gateway 10.1.32.9

On the Router:

int fa 0/1
  descr Link to Switch
  no ip addr
  duplex auto
  speed auto
!
int fa 0/0
  descr Link to Firewall
  ip addr 10.1.32.9 255.255.255.0
  duplex auto
  speed auto
!
ip route 0.0.0.0 0.0.0.0 10.1.32.1

On the Firewall:

int eth 0/0
  duplex full
  nameif outside
  security-level 0
  ip address <censored> 255.255.255.224
!
int eth 0/1
  nameif inside
  security-level 100
  ip address 10.1.32.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 <censored>
route inside 10.1.32.0 255.255.224.0 10.1.32.2
route inside 10.1.64.0 255.255.224.0 10.1.32.2
route inside 10.10.100.0 255.255.255.0 10.1.32.2

Results:

Router can ping firewall.
Router cannot ping switch.
Firewall can ping router.
Firewall cannot ping switch.
Switch cannot ping either router or firewall.

I have to get the switch to be able to ping the router, and vice-versa, because the router is acting as the switch's default gateway. The move happens Sunday, and some people have to be able to work Monday from the old office. (Don't blame me for the water in the basement that prevented the ISP from bringing the circuits in!!!) I'm about to fall asleep on my keyboard... Any help anyone can provide would be most sincerely appreciated!!!!!!!!

1 Reply 1

Hello

You mention a Layer 3 switch, however your config is set up with the switch as a host switch (basically an L2 device) and the router not performing any routing functions for the "several" VLANs you mention, so at present it's doing nothing. Also, you didn't mention if the FW is set up to perform this instead.

And finally, although not stated, I assume the FW is performing NAT translation for the LAN and is also connecting to your service provider?

Usually I would set up this topology of yours something like below:

1) On the switch:
Assign a management IP address and default-gateway (pointing to the router), and create all Layer 2 VLANs.

2) On the router:
On the interface between the router and the firewall, assign an IP address and a static route pointing towards the firewall's next hop.

On the interface connecting to the switch, set it up with subinterfaces pertaining to all the relevant L2 VLANs created on the switch.

int x/x
  no shut

int x/x.135
  description vlan 135
  encapsulation dot1q 135
  ip address 10.1.32.1 255.255.255.0

int x/x.136
  description vlan 136
  encapsulation dot1q 136
  ip address 10.1.36.1 255.255.255.0

etc.


3) On the firewall:
On the outside interface (security level 0), assign an IP address in the range of the ISP.

On the interface connecting to your router (security level 100), assign an IP address within the same IP range as the router's FW-facing interface.

Apply:
static routes pointing back into your LAN network via the router as the next hop
NAT translation for your LAN hosts
a default route pointing out towards your ISP next hop

Res
Paul
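The reply's point can be checked mechanically: a default gateway is only usable if it is configured on an interface that shares the same cable and VLAN tag as one of your own interfaces, and IOS will not let one router hold two interfaces in overlapping subnets. The following is an added example, not code from the original thread; it models the posted addressing plus an assumed 10.1.33.0/24 transit subnet for the router-firewall link after the fix.

```python
from ipaddress import ip_interface, ip_address
from collections import namedtuple

# One routed interface: owning device, physical segment (cable), 802.1Q VLAN
# tag (None = untagged) and its IP/prefix.
L3 = namedtuple("L3", "device segment vlan addr")

def broadcast_domain_of(ifaces, iface):
    """Interfaces on any device that share a cable and VLAN tag with `iface`."""
    return [i for i in ifaces if (i.segment, i.vlan) == (iface.segment, iface.vlan)]

def gateway_reachable(ifaces, device, gateway):
    """True if `gateway` is the address of another device's interface that sits in a
    broadcast domain where `device` itself has an address in the same subnet."""
    gw = ip_address(gateway)
    for mine in (i for i in ifaces if i.device == device):
        if gw not in ip_interface(mine.addr).network:
            continue
        for peer in broadcast_domain_of(ifaces, mine):
            if peer.device != device and ip_interface(peer.addr).ip == gw:
                return True
    return False

def overlapping_subnets(ifaces, device):
    """Pairs of interfaces on one device whose subnets overlap (IOS rejects these)."""
    mine = [i for i in ifaces if i.device == device]
    return [(a.addr, b.addr) for n, a in enumerate(mine) for b in mine[n + 1:]
            if ip_interface(a.addr).network.overlaps(ip_interface(b.addr).network)]

# Constructed model of the topology as posted: the switch SVI is tagged VLAN 132 on
# the trunk, the router's trunk-side port carries no IP, and 10.1.32.9/24 lives on
# the router-firewall link instead.
AS_POSTED = [
    L3("switch",   "sw-rtr", 132,  "10.1.32.2/24"),
    L3("router",   "rtr-fw", None, "10.1.32.9/24"),
    L3("firewall", "rtr-fw", None, "10.1.32.1/24"),
]
# Naive patch: add the subinterface but leave fa0/0 alone (overlap on the router).
NAIVE = AS_POSTED + [L3("router", "sw-rtr", 132, "10.1.32.9/24")]
# The reply's remedy with an assumed transit subnet between router and firewall.
AFTER_FIX = [
    L3("switch",   "sw-rtr", 132,  "10.1.32.2/24"),
    L3("router",   "sw-rtr", 132,  "10.1.32.9/24"),
    L3("router",   "rtr-fw", None, "10.1.33.9/24"),   # assumed transit subnet
    L3("firewall", "rtr-fw", None, "10.1.33.1/24"),
]

if __name__ == "__main__":
    print(gateway_reachable(AS_POSTED, "switch", "10.1.32.9"))  # False
    print(overlapping_subnets(NAIVE, "router"))                 # one overlapping pair
    print(gateway_reachable(AFTER_FIX, "switch", "10.1.32.9"))  # True
```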
