Cisco Support Community
New Member

Configure Switch outside the firewall

We have a Cisco 2950 manageable switch. It's sitting between our ISP router and our own firewall. It's configured with its own private IP network. We want to be able to manage it from behind our firewall. Is this possible? Please show me the directions to it. Thanks

Hall of Fame Super Silver

Re: Configure Switch outside the firewall

It depends on how your firewall is set up and how tight you want security to be. Your options range from:

1. configure via console port only. requires physical access; to

2. configure via a terminal server on your internal network connected to console port of that external router (and any other such restricted access device(s)); to

3. configure via VTY (recommend ssh in lieu of telnet as the transport protocol). Your firewall needs to pass ssh, preferably via a plug-proxy instead of simple packet filtering. The external router should have an acl restricting ssh to the firewall's address; to

4. Let the device be configured via browser (e.g., "ip http server"). If you do this, you should still use an acl to restrict it from being browsed from other than the authorized systems.

1-4 range from most secure to least secure. Number three would be my recommendation for a DMZ zone router in a commercial setting. There are, of course, other combinations and permutations of these options.

You should also follow best practices for locking it down pretty austerely.

Hope this helps, please rate helpful posts.
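Option 3 from the answer above as an IOS configuration sketch (an added example, not part of the original thread or the poster's own config). It assumes a crypto-capable IOS image on the outside device; the address 192.0.2.1, the ACL number 10, the names and the secret are placeholders, with 192.0.2.1 standing in for the address the firewall presents to the outside segment.

```cisco
! Added example: SSH-only VTY access restricted to the firewall's address.
! All names, numbers and addresses below are placeholders.

hostname outside-sw
! SSH key generation needs a hostname and a domain name.
ip domain-name example.invalid
! Prompts for the key size; needs a crypto-capable image.
crypto key generate rsa

! Local account used by "login local" on the VTY lines.
username netadmin secret <choose-a-strong-secret>

! Only the firewall's address may open a management session.
access-list 10 permit host 192.0.2.1
access-list 10 deny any log

line vty 0 15
 ! Refuse telnet, accept SSH only.
 transport input ssh
 ! Drop connection attempts from any source not in ACL 10.
 access-class 10 in
 login local
 exec-timeout 5 0

! Option 4 is off by default here. If the web interface must stay on,
! "ip http access-class 10" applies the same source restriction to it.
no ip http server
```

With the firewall translating or proxying the internal management host, the only source the device ever sees is the firewall's address, so the ACL needs a single permit entry.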

New Member

Re: Configure Switch outside the firewall

Thanks for your response. I plugged the Cisco switch console into one of the internal PCs. I can hyperterminal it. Sorry. I think I didn't make my question clear. My question is the switch has a private IP and my network is How to configure my network to see the switch's IP (, so we can configure SNMP traps from your internal network to that switch? I tried to add static route on our firewall to that switch, but it didn't work.

Hall of Fame Super Silver

Re: Configure Switch outside the firewall

A static route would only work if there were no further router hops from the firewall to the target trap host. Does the switch have the fw as the default gateway? That would also be necessary if I understand your setup correctly.

Have you considered NATing the on the fw to translate it for follow on transport to your internal network management host?

New Member

Re: Configure Switch outside the firewall

Hi Mklemovitch,

I configured the switch's default gateway using my FW's IP, I also added a static route to the switch in the firewall. But it's still not working yet. I cannot ping the switch from internal network. The switch I have is a Cisco Catalyst 2950 layer 2 switch. I heard I would need a layer 3 switch to do what I ask for? Please confirm.

Re: Configure Switch outside the firewall

Do you have an access list applied on the outside interface of the PIX that's blocking ICMP echo-reply?

You need to explicitly allow ICMP echo-replies from the switch coming back to your inside network. ICMP is not a stateful protocol like TCP/UDP and hence, you need to do this.

Pls. rate all helpful posts.

