
Do I NEED to have VLANs, if I have different IP subnets, and an HSRP?

bajancanuk
Level 1

I'm told by our ISP, that I have 5 subnets, and none of them are on vlans, and I have 2 uplinks configured as hsrp on the "outside" 2950, which then goes into a 515E Is this correct? or do I need to setup vlans?

x.x.42.x/29

x.x.43.x/28

x.x.56.x/29

x.x.109.x/29

x.x.111.x/29

Thanks

William

8 Replies

vladrac-ccna
Level 5

Hello William,

Could you better detail your network and the configs you are using?

You have HSRP, which means you have 2 devices. How are these subnets configured on your router/switch?

vlad

From what I can understand you have a PIX firewall (or a pair in active-standby) and then on the outside there is a 2950 (should have two for adequate redundancy) and this is connected to the ISP's routers (or Multilayer switches). The ISP has HSRP configured so that your firewall just points to the HSRP address as the default gateway. If this is the configuration we are talking about then the provider is just pointing routes to all these subnets with your firewall as the next-hop. There is no need for separate VLANs at the provider side or the outside of your firewall.

If you do not have a redundant setup (2 firewalls and 2 2950s) then I recommend you look along those lines unless you have cold standby equipment and you can tolerate some downtime.

By the way if I did not understand your topology correctly then please explain it as vlad has requested.

Thanks for the help. And yes, you understood.

I have a diagram of our topology from the ISP,

and from what I can understand, the "config" of the HSRP "might" be done in the OUTSIDE 2950.

So, the 515E's outside is connected to the OUTSIDE 2950.

I suspect, don't know for sure, that the HSRP "config" is also set up on this same 2950.

They won't give me the config of the switch: it's theirs. So, I have to put mine in, and I'm a bit concerned.

I don't know how to use HSRP yet; if I have 2 ports connecting physically into the switch, then it's most likely that HSRP is configured on that 2950.

Is it "easy" to configure HSRP on the switch, if all that I have is the IPs of the 2 individual ports?

First of all, the HSRP must be on a router or multilayer switch after the 2950, as the 2950s are Layer-2 switches only.

Secondly, what is your concern? The ISP is just routing all packets destined to any of your subnets using your firewall as the next hop. The only thing that you should be concerned about in this setup is the single points of failure, and in order to identify all of those we will need to look at the topology diagram.

Ahhh, so the HSRP is set up NOT on the 2950, but on the "next hop" switch they have set up. The 2950 only has 1 IP, which is the gateway to the internet for both the 2950 and my firewall...

One last question: if I have several subnets, do I have to enter some kind of "routing" to get all of them to point to my firewall IP? Or is this done automatically by the switch?

Thanks

Will

I think you misunderstood me. From what I understand, the gateway of your firewall is (and should be) the HSRP virtual IP address configured on a pair of devices in front of the 2950. The 2950 probably has no IP configured on it, and even if it does, then it is purely for managing the switch and nothing else.

Routing to all your subnets is being done from the provider by pointing to your firewall outside interface IP address as the next hop.

One thing I want to make clear is that I am basing all this on 'usual' designs and your design might be different. If you have a topology diagram then that will clarify things a lot and we can confirm if we are on the right track. By the way do you have the exact model number of the 2950?
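The design described in the two replies above (HSRP virtual IP on a pair of ISP devices in front of a Layer-2 2950, the PIX pointing its default route at that virtual IP, and the ISP routing each customer subnet to the PIX outside interface) looks roughly like the following. This is an added illustration, not configuration from the original thread or from William's ISP; every address is a constructed RFC 5737 documentation address, and the interface names and HSRP group number are assumptions. The thread's real prefixes (x.x.42.x/29 and so on) are deliberately not filled in.

```cisco
! --- ISP router R1 (preferred HSRP peer), constructed addressing ---
! Transit subnet 203.0.113.0/29 is shared by R1, R2 and the PIX outside interface.
interface GigabitEthernet0/1
 description transit toward customer 2950 (Layer-2 only) and PIX 515E outside
 ip address 203.0.113.2 255.255.255.248
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
!
! Each customer prefix is reached by pointing at the PIX outside address (203.0.113.4).
! The 2950 in between needs no VLAN or routing configuration for this to work.
ip route 198.51.100.0  255.255.255.248 203.0.113.4
ip route 198.51.100.16 255.255.255.240 203.0.113.4
ip route 198.51.100.32 255.255.255.248 203.0.113.4

! --- ISP router R2 (standby HSRP peer): same virtual IP, same routes, lower priority ---
interface GigabitEthernet0/1
 ip address 203.0.113.3 255.255.255.248
 standby 1 ip 203.0.113.1
 standby 1 priority 100
 standby 1 preempt
!
ip route 198.51.100.0  255.255.255.248 203.0.113.4
ip route 198.51.100.16 255.255.255.240 203.0.113.4
ip route 198.51.100.32 255.255.255.248 203.0.113.4

! --- PIX 515E (PIX 6.x syntax): outside interface and default route to the HSRP virtual IP ---
ip address outside 203.0.113.4 255.255.255.248
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

On the IOS side, `show standby brief` on R1 and R2 confirms which peer is Active and which is Standby for group 1; from the PIX, the gateway to verify reachability against is the virtual address 203.0.113.1, not either router's physical interface address. If only one PIX and one 2950 sit on the customer side, those two boxes remain the single points of failure the earlier reply warned about, regardless of the ISP's HSRP pair.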

I just found out from our ISP that the HSRP is configured elsewhere, NOT on the 2950. So I do appreciate your confirming this! Here I am, thinking I have to set up VLANs, etc. for the outside switch!

Again, thanks!

No problem. I am glad things are clear for you now. By the way please do not forget to rate helpful posts.