Solved

connecting cisco 3550 to pix 515

Posted on 2003-10-29
Last Modified: 2013-11-16
Hello,
 I have 2 networks connecting to central switch 3550
first network has switch (2950) at ip 160.16.209.254 mask 255.255.255.0  gateway 160.16.209.1
second network has switch (2950) at ip 160.16.211.254 mask 255.255.255.0  gateway 160.16.211.1

they are both connected to central switch 3550  ip 160.16.218.254 mask 255.255.255.0
switch is set to ip routing

port 1 of 3550 ip set to 160.16.209.1   (which connects to network1)
port 2 of 3550 ip set to 160.16.211.1   (which connects to network2)

Now I want to connect pix firewall 515 to the 3550 to permit the 2 networks to access a secure network
(pix inside interface ip of 160.16.218.45 mask 255.255.255.0)
(pix outside interface ip of 143.139.2.45  mask 255.255.255.192) (uncertain of this ...this is what was given to me)


I am uncertain of what gateway to give to the central 3550 switch
in order to direct traffic which is not destined for 160.16.209. and 160.16.211 to go to the firewall

I guess I want to know if I should give the central switch 3550 a gateway of the firewall's ip and give the inside interface of the firewall a gateway of the central switch's ip


Or do I create a port on the central switch, for example port 3, give it an ip of 160.16.218.1 and connect the firewall to it, give the central switch a gateway of 160.16.218.1 and also give the firewall inside a gateway of 160.16.218.1

Or am I completely lost???

thanks






Question by:jerbell

Author Comment

by:jerbell
Would it also be preferable that I don't assign an ip to a port on the central switch and assign a VLAN instead?
Pros and cons???
LVL 13

Expert Comment

by:td_miles
If you do as you say and give PIX inside IP of 160.16.218.45 and the switch has an IP of 160.16.218.254 then it will work fine.

On the PIX create routes to tell it how to get to your other two inside subnets:

route inside 160.16.209.0 255.255.255.0 160.16.218.254
route inside 160.16.211.0 255.255.255.0 160.16.218.254

which means that it will route any traffic for the two inside networks to the switch and then the switch will forward it to the networks.

Set the default route on the switch to be the IP of the PIX (160.16.218.45)


Author Comment

by:jerbell
what do I give as the inside gateway?
LVL 13

Expert Comment

by:td_miles
do you mean for your two subnets?

The default gateway for the two subnets is the IP of the L3 switch.

EG.
for devices on subnet 160.16.209.0/24, default gateway is 160.16.209.1
for devices on subnet 160.16.211.0/24, default gateway is 160.16.211.1

So all traffic will get sent to your L3 switch and it will then forward it to the PIX (which is why it needs to have a default route pointing to the PIX IP)

Author Comment

by:jerbell
traffic does not seem to flow from my 2 networks into the firewall when trying to access the network on the outside interface.

Seems like the central switch doesn't want to route traffic there.

My 2 networks see each other and see the central switch and can ping the firewall

Firewall is connected to port 24 of the central switch.  Should that port be assigned an ip?
I just assumed that if I assign the gateway of the central switch to the ip of the firewall, all traffic unknown to the central switch would flow into the firewall (which is on the same ip range as the central switch).

Author Comment

by:jerbell
here is the firewall config ... hope somebody can help

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname firewall
domain-name mydomain
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 160.16.209.200 pcnet1
name 160.16.211.200 pcnet2
name 143.139.2.200 servertoconnect
object-group network pcgroup
  description access to server
  network-object pcnet1 255.255.255.255
  network-object pcnet2 255.255.255.255
access-list inside_access_in remark servertoconnect access
access-list inside_access_in permit tcp object-group pcgroup host servertoconnect eq 102
access-list inside_access_in remark testing pc rule
access-list inside_access_in remark testing pc rule
access-list inside_access_in remark testing pc rule
access-list inside_access_in remark testing pc rule
access-list acl_out permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 15
ip address outside 143.139.2.45 255.255.255.192
ip address inside 160.16.218.45 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 160.16.209.200 255.255.255.255 inside
pdm location pcnet1 255.255.255.255 inside
pdm location pcnet2 255.255.255.255 inside
pdm location servertoconnect 255.255.255.255 outside
pdm group pcgroup inside
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 160.16.218.254 1
route outside servertoconnect 255.255.255.255 143.139.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 160.16.209.200 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
LVL 13

Expert Comment

by:td_miles
Ok, tests to try:

1. from PC with IP 160.16.209.x
a). ping 160.16.218.45
b). ping 143.139.2.45

2. from PC with IP 160.16.211.x, repeat two above tests

3. From 3550 switch, repeat above two tests.

If you don't get any responses, add the following:

access-list inside_access_in permit ip any any
access-list acl_out permit ip any any

and try again, just to make sure the ACLs aren't getting in the way.

Author Comment

by:jerbell
I tried that but nothing seems to go to the firewall!
I put a question on how to route to the firewall

The concept of routing and a firewall seems so easy but is yet a pain to figure out
LVL 13

Accepted Solution

by:
td_miles earned 500 total points
Even when you ping the PIX from the 3550 switch you get no response?

You could try as you suggested earlier and assign a specific port on the 3550 switch and give it an IP address of 160.16.218.1. As it already has an IP address in this subnet, I didn't think it would have been necessary.

To make sure it is not anything in the PIX config, connect a PC to the same port that the PIX currently is and give it the same IP address of the PIX inside interface (160.16.218.45). Now try pinging this IP address from the switch.

Could you also post your 3550 config, just to have a look over and make sure you have got the routing entered correctly.

Author Comment

by:jerbell
thanks td_miles
The problem was in my central switch.
I had the default gateway assigned to the firewall but I had forgotten to set it up in default routing.
So what I did was set the default routing to point to the firewall as well, and then everything worked.
Still unclear why they both have to be there.
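As an added illustration (not part of the thread), the following Python model runs longest-prefix lookups over constructed routing tables for the 3550 and the PIX, using the addresses and static routes from the posts above. It shows why the 3550 needs a real default route (ip route 0.0.0.0 0.0.0.0 160.16.218.45) once ip routing is enabled: IOS only honours ip default-gateway while ip routing is disabled, so with routing on and no default route the switch has no match for the outside server and drops the packet. The outside subnet 143.139.2.0/26 is derived from the posted mask, and the address-to-device ownership map is an assumption.

```python
import ipaddress

# Constructed tables for the thread's devices: (prefix, next_hop);
# next_hop None means directly connected.
def make_tables(switch_has_default_route):
    switch = [
        ("160.16.209.0/24", None),
        ("160.16.211.0/24", None),
        ("160.16.218.0/24", None),
    ]
    if switch_has_default_route:
        switch.append(("0.0.0.0/0", "160.16.218.45"))  # ip route 0.0.0.0 0.0.0.0 160.16.218.45
    pix = [
        ("160.16.218.0/24", None),              # inside
        ("143.139.2.0/26", None),               # outside (derived from the posted mask)
        ("160.16.209.0/24", "160.16.218.254"),  # route inside 160.16.209.0 ...
        ("160.16.211.0/24", "160.16.218.254"),  # route inside 160.16.211.0 ...
        ("143.139.2.200/32", "143.139.2.1"),    # route outside servertoconnect ...
    ]
    return {"switch": switch, "pix": pix}

def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

# Assumed map of next-hop address -> device that owns it.
OWNER = {"160.16.218.254": "switch", "160.16.218.45": "pix"}

def trace(tables, dst, first_hop="switch", max_hops=8):
    """Follow next-hops from first_hop; returns (path, verdict)."""
    path, dev = [], first_hop
    for _ in range(max_hops):
        path.append(dev)
        hit = lookup(tables[dev], dst)
        if hit is None:
            return path, "dropped: no route"
        net, nh = hit
        if nh is None:
            return path, f"delivered via connected {net}"
        dev = OWNER.get(nh)
        if dev is None:
            return path, f"forwarded to external next-hop {nh}"
    return path, "dropped: hop limit"
```

Run trace(make_tables(False), "143.139.2.200") and then the same with True to see the switch drop the packet without the default route and hand it to the PIX with it; the reverse direction from the PIX reaches the inside subnets through the two route inside entries.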