Cisco Support Community
Community Member


OK, I feel like a complete prat, but I've been here for close to 15 hours now, and I can't see straight.

Here's the deal:

I have a L2 switch, a router, and a firewall.

L2 Switch --> Router --> Firewall --> Internet

This is stone knives and bearskins, and I am very rusty. The situation is that my office is moving, but some people have to be able to use the old office's connectivity for a few more days. I am substituting a Layer 2 switch and a router for the existing Layer 3 switch.

On the L2 switch, I have several VLANs configured, which I won't go into detail on here. Here is the relevant configuration:

int fa 0/48
  descr Link to Router
  switchport mode trunk
  switchport trunk allowed vlan all

int vlan 132
  ip addr

ip default-gateway

On the Router:

int fa 0/1
  descr Link to Switch
  no ip addr
  duplex auto
  speed auto

int fa 0/0
  descr Link to Firewall
  ip addr
  duplex auto
  speed auto

ip route

On the Firewall:

int eth 0/0
  duplex full
  nameif outside
  security-level 0
  ip address <censored>

int eth 0/1
  nameif inside
  security-level 100
  ip address

route outside <censored>
route inside
route inside
route inside


Router can ping firewall.

Router cannot ping switch.

Firewall can ping router.

Firewall cannot ping switch.

Switch cannot ping either router or firewall.

I have to get the switch to be able to ping the router, and vice-versa, because the router is acting as the switch's default gateway. The move happens Sunday, and some people have to be able to work Monday from the old office. (Don't blame me for the water in the basement that prevented the ISP from bringing the circuits in!!!) I'm about to fall asleep on my keyboard... Any help anyone can provide would be most sincerely appreciated!!!!!!!!

VIP Purple

Re: Help...?


You mention a layer 3 switch, however your config is set up with the switch as a host switch (basically an L2 device) and the router not performing any routing functions for the "several" VLANs you mention, so at present it's doing nothing. Also, you didn't mention if the FW is set up to perform this instead.

And finally, although not stated, I assume the FW is performing NAT translation for the LAN and is also connecting to your service provider?

Usually I would setup this topology of yours something like below:

1) On the switch:
assign a management IP address and default gateway (pointing to the router), and create all the layer 2 VLANs

2) On the router:
on the interface between the router and the firewall, assign an IP address and a static route pointing towards the firewall's next hop

On the interface connecting to the switch set it up with subinterfaces pertaining to all the relevant L2 vlans created on the switch.

int x/x
  no shut

int x/x.135
  description vlan 135
  encapsulation dot1q 135
  ip address 255.255.255.0

int x/x.136
  description vlan 136
  encapsulation dot1q 136
  ip address 255.255.255.0


3) On the firewall:
the outside interface (security level 0): assign an IP address in the range of the ISP

On the interface connecting to your router (security level 100) assign an IP address within the same ip range of the router fw facing interface

static routes pointing back into your LAN network via the router as the next hop
NAT translation for your LAN hosts
default route pointing out towards your ISP next hop


Sent from Cisco Technical Support iPad App

Please don't forget to rate any posts that have been helpful. Thanks.
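The router-on-a-stick layout described in the reply above, written out end to end as an added example (not configuration from either poster). All addresses are constructed: 192.168.132.0/24 for the switch's management VLAN 132 from the question, 192.168.135.0/24 for a user VLAN, 10.0.0.0/30 for the router-to-firewall link, and ISP_NEXT_HOP as a placeholder; the NAT statement assumes ASA 8.3+ object-NAT syntax.

```cisco
! ---- L2 switch (constructed addresses) ----
! The SVI on VLAN 132 only answers if the router has an IP in the same subnet on that VLAN.
interface FastEthernet0/48
 description Link to Router
 switchport mode trunk
 switchport trunk allowed vlan all
interface Vlan132
 ip address 192.168.132.2 255.255.255.0
ip default-gateway 192.168.132.1
!
! ---- Router: physical trunk port carries no IP, each VLAN gets a dot1Q subinterface ----
interface FastEthernet0/1
 description Link to Switch
 no ip address
 no shutdown
interface FastEthernet0/1.132
 description Management VLAN 132 (same subnet as the switch SVI, so switch <-> router ping works)
 encapsulation dot1Q 132
 ip address 192.168.132.1 255.255.255.0
interface FastEthernet0/1.135
 description User VLAN 135
 encapsulation dot1Q 135
 ip address 192.168.135.1 255.255.255.0
interface FastEthernet0/0
 description Link to Firewall
 ip address 10.0.0.2 255.255.255.252
! Everything not local goes to the firewall's inside address
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! ---- Firewall (ASA): inside faces the router, return routes for every LAN subnet via the router ----
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.252
route outside 0.0.0.0 0.0.0.0 ISP_NEXT_HOP
route inside 192.168.132.0 255.255.255.0 10.0.0.2
route inside 192.168.135.0 255.255.255.0 10.0.0.2
! Without these inside routes the firewall replies to LAN hosts via the default route and traffic is dropped
object network LAN-VLANS
 subnet 192.168.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
```

Check from the switch with ping 192.168.132.1 and from the router with show ip route; a missing subinterface for the switch's management VLAN is exactly what leaves the switch unable to reach either device.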