
HI Need help in this project.

Hi

I have a project to implement, as attached in the diagram. I need your valuable suggestions. The setup will be as follows.

vlan2=management

vlan3=data=192.168.1.0/24

vlan4=data=192.168.2.0/24

vlan5=data=192.168.3.0/24

vlan6=voice=172.16.1.0/24

vlan7=voice=172.16.2.0/24

vlan8=voice=172.16.3.0/24

I will be having a firewall between my 6513 and the Internet router. NAT will be implemented on the firewall. I am planning to have 2 DMZs.

One more router will be connecting to my branch office, as attached in the diagram.

So if my users have to go to the Internet, they should go through the firewall; I understand that. But when the traffic is returned, where should it hit on the 6513? On the 6513 I will be using the MSFC for inter-VLAN routing, and the same for my branch office. I am a little bit confused about the routes on the PIX and on the router through which I am connected to my branch office: how should I define them?

Waiting for responses.

14 REPLIES

Re: HI Need help in this project.

Hi guys, I don't see any replies.

Paresh, Ankur, where are you guys?

Mahmood

Re: HI Need help in this project.

Hi guys

Help in this regard. I didn't see any replies.

Thanks

Mahmood

Re: HI Need help in this project.

Hi Friend,

I am not able to open the VSD on my machine, but what I understand from your description is that you are confused about the return traffic.

I presume your setup is something like this:

users--cat6k---pix---router---internet

Correct me if I am wrong.

What you can do is create one more VLAN for the PIX (firewall), say VLAN 10 for example, and connect the PIX to a Layer 2 port on the Cat6k in that VLAN. Then create an SVI for VLAN 10 on the MSFC and assign it an address in the subnet which you want your PIX inside interface to be in.

Add one default route on the MSFC pointing to the PIX inside interface IP.

Now what will happen is that when anyone on your network wants to reach the Internet, the traffic will reach its gateway, that is, the respective VLAN interface on the MSFC; from there it will follow the default route and reach the PIX, and the PIX will NAT it and send it to the Internet router. For the reply coming back, you need to assign some static routes on the PIX.

You can assign static routes for the different user VLANs pointing towards the next hop, which will be SVI 10 on your MSFC. Once the traffic reaches the MSFC, the MSFC will route it to the respective VLANs.

Hope I am clear. If not, please revert back with your doubts, and if you have the diagram in Word or Acrobat Reader format I can have a look.

Regards,

Ankur

Re: HI Need help in this project.

Hi Ankur

Thanks for your reply. You got me correctly.

So now you want me to define static routes on the PIX and point them to SVI 10 as their next hop. Hope I have got you. If that's the case, can I go for a default route and point it towards the SVI for all my subnets? And one more thing: how about the Internet router?

Your comments, please.

Thanks

Mahmood

Re: HI Need help in this project.

Hi Friend,

I would suggest not defining a default route on the PIX, but I am not sure what your PIX configuration is.

What route have you defined on the PIX to go to the Internet router? I mean, once the traffic is NATed it should go to the Internet router to reach the Internet, so you must have some default route on the PIX to send all Internet requests to the Internet router?

Regards,

Ankur

Re: HI Need help in this project.

Hi Ankur

Thanks for replying. You want me to define static routes on the PIX pointing to my individual subnets on the MSFC, e.g. 192.168.1.0 and 192.168.2.0, pointing towards the SVI of the PIX on the MSFC. The PIX will have a default route pointing towards the Internet router's Ethernet interface. Can I go like this, or should I point it to the serial interface? Yes, I am going to configure a default route on the PIX towards the Internet router.

Hope this clarifies.

Thanks

Mahmood

Re: HI Need help in this project.

Hi Mahmood,

Yes, configure an individual static route on the PIX for each of the different subnets on the MSFC, pointing to the SVI of the PIX on the MSFC.

Now, talking about a default route on the PIX for the Internet: configure a default route pointing towards the Internet router's Ethernet interface.

HTH; if yes, please rate the post.

Ankur

Re: HI Need help in this project.

Hi, thanks Ankur

Up to now I have got it. Now maybe the last one: on the Internet router, what should I define for the return traffic? I mean, if I am going to define a static route, where should it hit on the PIX? I mean, should it hit the outside interface or the inside? I think it should be the outside.

Thanks

Mahmood

Re: HI Need help in this project.

Hi Mahmood,

Because your traffic for the Internet will move out via the outside interface with a NATed IP from the PIX to the Internet router, you should have a static route on your Internet router whose exit interface is the router interface connected to the outside interface of the PIX.

Let's say your PIX outside interface is connected to fa0/0 of the Internet router; then the static route will be

ip route fa0/0

HTH; if yes, please rate the post.

Ankur

Re: HI Need help in this project.

Hi Ankur

I am not able to get you. Let me put it this way:

users-cat6k--switch: both the PIX and the Internet router are connected to this switch. So for going outside it is fine; I have to define the default route with the Internet router's Ethernet interface as next hop. Now the confusion is about the return traffic: what route should I define on the Internet router, whether it should be the outside interface of the PIX or what?

For example:

192.168.0.5 pix inside

200.0.0.3 pix outside

200.0.0.1 router ethernet

On the MSFC I will have a default route to 192.168.0.5, right? Then on the PIX, the SVI of the PIX VLAN with the individual subnets, right? Now from the PIX to the router Ethernet, and from the router to, for example, the outside world. But for the return, what should it be from the router to the PIX?

Hope this clarifies, and sorry for annoying you.

Thanks

Mahmood

Re: HI Need help in this project.

Hi Mahmood,

What is the interface on the Internet router which is connected to the PIX outside interface? Let's say Ethernet 0.

Now you can have a static route on your Internet router like this:

ip route 200.0.0.3 ethernet 0

HTH

Please rate all helpful posts.

Ankur

Re: HI Need help in this project.

Hi Ankur

So you mean to say that I have to point it to the directly connected interface, i.e. e0.

Please confirm.

Thanks

Mahmood

Re: HI Need help in this project.

Hi Mahmood,

Yes you got it now.

Rate all helpful posts.

Regards,

Ankur
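
The Internet-side routing agreed in the replies above, written out as configuration. This is an added example, not part of the original thread; it uses the addresses Mahmood gave (192.168.0.5 PIX inside, 200.0.0.3 PIX outside, 200.0.0.1 router Ethernet) and Ankur's VLAN 10. The SVI address 192.168.0.1, the /24 masks on the two transit subnets, PIX 6.x command syntax and PAT to the outside interface address are assumptions.

```cisco
! --- MSFC on the 6513 (IOS) ---
! VLAN 10 is the transit segment to the PIX inside interface.
! 192.168.0.1/24 is an assumed SVI address, not taken from the thread.
interface Vlan10
 description Transit to PIX inside
 ip address 192.168.0.1 255.255.255.0
 no shutdown
!
! Anything that is not in a local VLAN is sent to the PIX inside interface.
ip route 0.0.0.0 0.0.0.0 192.168.0.5

: --- PIX (6.x syntax assumed; ':' starts a comment line) ---
: Interface addresses are from the thread; the /24 masks are assumed.
ip address inside 192.168.0.5 255.255.255.0
ip address outside 200.0.0.3 255.255.255.0
: Return traffic: one static route per user VLAN, next hop is MSFC SVI 10.
: Without these, replies to inside hosts would follow the default route
: back out of the outside interface.
route inside 192.168.1.0 255.255.255.0 192.168.0.1 1
route inside 192.168.2.0 255.255.255.0 192.168.0.1 1
route inside 192.168.3.0 255.255.255.0 192.168.0.1 1
route inside 172.16.1.0 255.255.255.0 192.168.0.1 1
route inside 172.16.2.0 255.255.255.0 192.168.0.1 1
route inside 172.16.3.0 255.255.255.0 192.168.0.1 1
: Default route toward the Internet router's Ethernet address.
route outside 0.0.0.0 0.0.0.0 200.0.0.1 1
: Assumed NAT policy: PAT all inside hosts to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! --- Internet router (IOS) ---
! With the PAT assumption above, every translated packet carries 200.0.0.3
! as its source, which sits on this directly connected subnet, so replies
! reach the PIX outside interface through the connected route.
interface Ethernet0
 description To PIX outside
 ip address 200.0.0.1 255.255.255.0
 no shutdown
```

On the MSFC, `show ip route` should list 0.0.0.0/0 via 192.168.0.5, and on the PIX `show route` should list the six inside routes and the outside default.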

Re: HI Need help in this project.

Thanks, Ankur.

So now the Internet side is over. What about my remote site? Can we discuss it if you are free?

Thanks

Mahmood
