Configure Switch outside the firewall

cting1974 (Level 1)

We have a Cisco 2950 manageable switch. It's sitting between our ISP router and our own firewall. It's configured with its own private IP network. We want to be able to manage it from behind our firewall. Is this possible? Please show me the directions to it. Thanks

5 Replies

Marvin Rhoads (Hall of Fame)

It depends on how your firewall is set up and how tight you want security to be. Your options range from:

1. Configure via console port only; requires physical access; to

2. configure via a terminal server on your internal network connected to console port of that external router (and any other such restricted access device(s)); to

3. configure via VTY (recommend ssh in lieu of telnet as the transport protocol). Your firewall needs to pass ssh, preferably via a plug-proxy instead of simple packet filtering. The external router should have an acl restricting ssh to the firewall's address; to

4. Let the device be configured via browser (e.g., "ip http server"). If you do this, you should still use an acl to restrict it from being browsed from other than the authorized systems.

1-4 range from most secure to least secure. Number three would be my recommendation for a DMZ zone router in a commercial setting. There are, of course, other combinations and permutations of these options.

You should also follow best practices for locking it down pretty austerely.

Hope this helps, please rate helpful posts.
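The following is an added illustration of option 3 above for a Catalyst 2950, not configuration posted by anyone in this thread. It assumes the switch's management address 10.0.100.1/29 from the original question, that the firewall's outside-facing address on that same /29 is 10.0.100.2 (an assumption; the thread never states it), and that the switch runs an IOS image that includes SSH support (the 2950 needs a cryptographic image for this). The management interface and default gateway are shown because a layer 2 switch has no routing table; it only knows one gateway for return traffic.

```text
! Management address of the layer 2 switch (from the original question)
interface Vlan1
 ip address 10.0.100.1 255.255.255.248
 no shutdown
!
! A 2950 does not route; replies to off-net managers go to this one gateway.
! 10.0.100.2 is an assumed address for the firewall's outside interface.
ip default-gateway 10.0.100.2
!
! Hostname and domain name are required before an RSA key can be generated.
hostname edge-sw
ip domain-name example.com
crypto key generate rsa
!
! Only the firewall's address may open a management session.
! Sessions from inside appear with this address if the firewall translates them.
access-list 10 permit host 10.0.100.2
access-list 10 deny any
!
! SSH only on the VTYs, gated by the ACL above, with an idle timeout and local auth.
line vty 0 15
 transport input ssh
 access-class 10 in
 exec-timeout 10 0
 login local
!
username admin privilege 15 secret REPLACE-WITH-A-STRONG-PASSWORD
!
! Remove the least secure access path (option 4) and do not store passwords in clear.
no ip http server
service password-encryption
```

After applying this, confirm from the firewall (or a host translated to its address) with an SSH session, and confirm from any other address on the outside segment that the VTY refuses the connection; if the second test succeeds, the access-class is not applied to the line the session landed on.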

Thanks for your response. I plugged the Cisco switch console into one of the internal PC. I can hyperterminal it. Sorry. I think I didn't make my question clear. My question is the switch has a private IP 10.0.100.1/29 and my network is 172.18.4.0/29. How to configure my network to see the switch's IP (10.0.100.1), so we can configure SNMP traps from your internal network to that switch? I tried to add static route on our firewall to that switch, but it didn't work.

A static route would only work if there were no further router hops from the firewall to the target trap host. Does the switch have the fw as the default gateway? That would also be necessary if I understand your setup correctly.

Have you considered NATing the 10.0.100.1/29 on the fw to translate it for follow on transport to your internal network management host?

Hi Mklemovitch,

I configured the switch's default gateway using my FW's IP, I also added a static route to the switch in the firewall. But it's still not working yet. I cannot ping the switch from internal network. The switch I have is a Cisco Catalyst 2950 layer 2 switch. I heard I would need a layer 3 switch to do what I ask for? Please confirm.

Do you have an access list applied on the outside interface of the PIX that's blocking ICMP echo-reply?

You need to explicitly allow ICMP echo-replies from the switch coming back to your inside network. ICMP is not a stateful protocol like TCP/UDP and hence, you need to do this.

Please rate all helpful posts.

Sundar
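As an added example, not posted by anyone in the thread, here is what the outside-interface rule Sundar describes looks like in PIX access-list syntax (PIX uses netmasks, not wildcard masks). It also covers the original poster's goal of receiving SNMP traps from the switch. Assumptions: the switch is 10.0.100.1 and the inside network is 172.18.4.0/29 as stated in the question; the access list is named outside_in and the SNMP manager is 172.18.4.5 (both assumed names/addresses). The destination in each rule must be whatever address the inside host is seen as on the outside: the inside network itself if it is exempt from translation, or the firewall's global address if inside hosts are translated when they leave.

```text
! Echo-replies from the switch back to the inside network (Sundar's point).
! If inside hosts are translated on the way out, replace the destination with
! the global address they are translated to.
access-list outside_in permit icmp host 10.0.100.1 172.18.4.0 255.255.255.248 echo-reply
!
! SNMP traps (UDP 162) from the switch to the inside manager (assumed 172.18.4.5).
! If the manager is translated, the destination must be its outside-visible address.
access-list outside_in permit udp host 10.0.100.1 host 172.18.4.5 eq snmptrap
!
! Nothing else from the outside segment is permitted inbound.
access-list outside_in deny ip any any
!
access-group outside_in in interface outside
```

A quick check: ping the switch from a host on 172.18.4.0/29 and watch the PIX log; a denied echo-reply from 10.0.100.1 to an address that is not the one you permitted tells you the translation assumption above is wrong, and the destination in the first rule needs to match what the log shows.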
