I have a task to setup a port forward from the internet (which is on it's own Vlan) to a device on an internal vlan.
My switches are 6513's with Dual SUP720's. Although I do not have a NAM module or a firewall module on theses switches.
So how can I acheive this?
terminates to a switchport on the 6500 on a specific vlan, although the firewall has a link onto the same vlan.
But the thing is I dont want the firewall in the mix, I simply need to portforword to a specific internal IP on a specific vlan...
Is that possible at all?
Without compromising security it's really hard to achieve. If you say you do not want to use firewall for portforwarding then you will have to use routing function of the MSFC on your sup720. With the routing function you will have a backdoor to your internal network bypassing your firewall and this is a not a good thing. Would not recommend that. IMHO, you are really should look into forwarding ports on the firewall, although you can portforward on MSFC...
I was just trying to figure out how to do it without the firewall having ACL's on it for this setup as the ACL's reside on the vlan interface...
So im unsure what to do....
Nelson, It would help if you can explain little more on the topology and VLANs used for your internet connectivity as well as the reasons for you not wanting to use firewall for portfrowarding. Looks like you do use the MSFC but it's not clear what it's role is.
Small diagram would help too..
Our firewalls are fortigates.
Currently, they do the inter-vlan routing.
I want that task to be brought down to the CORE switch instead, and leave the firewall to do firewall tasks...
The problem is that I have to do this 1 step at a time.
So I have created a new QA Vlan QA2 (vlan 172). Setup the VLAN interface on both core switches with a .2 and .3 and setup HSRP to have a .1 as a gateway for this VLAN.
The Firewall has 1 physical interface onto each other vlan as a gateway .1
I no loguer have any intefraces on the firewalls.
So I need to figure out a way to setup the firewall as a default gateway, but do the ACLs on the CORE switch for intervlan routing....
Hope this make a litle bit more sence
This whole network is REALY badely designed, and I was tasked to implement vlan routing on the switches instead of the firewalls.
It makes more sense now, but still not sure about forwarding...
While I'm not a big fan of having ACLs on the VLAN interfaces, it's up to you if you want to have traffic control function on your firewalls and 6500s. Normally, because your LAN is considered trusted you do not need any ACLs on the VLANs. Again, you can have ACLs if this is a business/security requirement.
Going back to migration... you should have a clear end-state design and then plan your steps. For example if your firewall will be just a front end gate to your network on the internet you will have to step by step replace all the firewall interfaces with Vlan interfaces on MSFC and have a transit VLAN between the firewall and the MSFC with no users on it. That transit vlan will be used to route traffic to and from the internet...this is where you setup your default route on the MSFC. This is just an example. I think you understand that it's really hard to comment on the migration strategy in this forum but we can answer specific questions.
hope that helps.
Here is a detail diagram that shows what I want to do.
Notice that the .1 gateways are basically the product of having HSRP run on both interface vlan on both core switches (SW1 and SW2).
The ACLS would be applied to the vlan interfaces because some VLAN are not allowed to talk to others. So that's how I want to controll access.
Hope this helps more to see what Im trying to accomplish...
Thanks for the diagram, pretty standard setup (as it should be)... If you are not sure how to start the migration subnets here is one option you can consider:
Pick a first VLAN to be migrated, create VLAN interfaces on your switches. You will assign IPs and HSRP at the time of migration. The firewall interface will become part of the transit VLAN for your
10.98.201.0/30 subnet. You will need to create this VLAN and VLAN interface and assign IP address to it.
At the time of migration you will move the firewall interface to the transit VLAN and assign new IP to the firewall interface. Do not forget you will need a static route (for migrated subnet) on the firewall and default on your router pointing to the FW. Once you moved your firewall off the first VLAN - you can assign HSRP address to the VLAN interface. Hosts will use the same default gateway I'm guessing, so after that you should have connectivity to the migrated VLAN.....
That's what I had the intention of doing, but wasnt sure if this could be done whitout a interim network between the firewall and switch.
So I will task the firewall tech to setup a new port with this interim 201.0 network so I can strat moving some vlans....
In this case the ACL's would reside on the Switches, so no need to do ACL's on the FW anymore, correct?
Nelson, ACLs on the switches provide very basic traffic filtering, they are not statefull, give you very basic logging and control They can not protect you from serious attacks on your network. If you want to use them for basic VLAN isolation, this is probably fine, keeping in mind what what I mentioned above. I assume you keeping firewalls as a front-end perimeter security protection of your LAN from the Internet.