We have a Cisco 2950 managable switch. It's sitting between our ISP router and our own firewall. It's configured with its own private IP network. We want to be able to manage it from behind our firewall. Is this possible? Please show me the directions to it. Thanks
It depends on how your firewall is set up and how tight you want security to be. Your options range from:
1. Configure via console port only. Requires physical access; to
2. configure via a terminal server on your internal network connected to console port of that external router (and any other such restricted access device(s)); to
3. configure via VTY (recommend ssh in lieu of telnet as the transport protocol). Your firewall needs to pass ssh, preferably via a plug-proxy instead of simple packet filtering. The external router should have an acl restricting ssh to the firewall's address; to
4. Let the device be configured via browser (e.g., "ip http server"). If you do this, you should still use an acl to restrict it from being browsed from other than the authorized systems.
1-4 range from most secure to least secure. Number three would be my recommendation for a DMZ zone router in a commercial setting. There are, of course, other combinations and permutations of these options.
You should also follow best practices for locking it down pretty austerely.
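Option 3 above, written out as an IOS configuration for the edge switch. This is an added example, not part of the reply; the switch address 10.0.100.1/29 is the one given in the thread, while the firewall's address on that segment (10.0.100.2), the hostname and the admin account are assumptions.

```cisco
! Added example (not from the original post). Assumed values: firewall sits at
! 10.0.100.2 on the 10.0.100.0/29 segment; hostname and admin account are placeholders.
hostname edge-sw
ip domain-name example.net
!
! Management address of the Layer 2 switch; anything off-segment goes via the firewall.
interface Vlan1
 ip address 10.0.100.1 255.255.255.248
 no shutdown
ip default-gateway 10.0.100.2
!
! Only the firewall (the plug-proxy or NAT source) may open a management session;
! every other source is denied and logged.
access-list 10 remark management-access
access-list 10 permit host 10.0.100.2
access-list 10 deny any log
!
! Local admin account; replace the placeholder before applying.
username admin privilege 15 secret <STRONG-PASSWORD>
!
! Generate the host key first from privileged EXEC (needs a crypto-capable image):
!   crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! VTY lines: ACL-restricted, local login, idle timeout, SSH only (telnet disabled).
line vty 0 15
 access-class 10 in
 login local
 exec-timeout 10 0
 transport input ssh
!
! Keep the web UI (option 4) off unless it is actually required.
no ip http server
no ip http secure-server
```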
Thanks for your response. I plugged the Cisco switch console into one of the internal PCs. I can hyperterminal it. Sorry. I think I didn't make my question clear. My question is the switch has a private IP 10.0.100.1/29 and my network is 172.18.4.0/29. How to configure my network to see the switch's IP (10.0.100.1), so we can configure SNMP traps from our internal network to that switch? I tried to add a static route on our firewall to that switch, but it didn't work.
A static route would only work if there were no further router hops from the firewall to the target trap host. Does the switch have the fw as the default gateway? That would also be necessary if I understand your setup correctly.
Have you considered NATing the 10.0.100.1/29 on the fw to translate it for follow on transport to your internal network management host?
I configured the switch's default gateway using my FW's IP, and I also added a static route to the switch in the firewall. But it's still not working yet. I cannot ping the switch from the internal network. The switch I have is a Cisco Catalyst 2950 layer 2 switch. I heard I would need a layer 3 switch to do what I ask for? Please confirm.