connecting cisco 3550 to pix 515

Hello,
I have 2 networks connecting to a central switch 3550.
The first network has a switch (2950) at IP 160.16.209.254 mask 255.255.255.0, gateway 160.16.209.1.
The second network has a switch (2950) at IP 160.16.211.254 mask 255.255.255.0, gateway 160.16.211.1.

They are both connected to the central switch 3550, IP 160.16.218.254 mask 255.255.255.0.
The switch is set to ip routing.

Port 1 of the 3550 has IP 160.16.209.1 (which connects to network 1)
Port 2 of the 3550 has IP 160.16.211.1 (which connects to network 2)

Now I want to connect the PIX firewall 515 to the 3550 to permit the 2 networks to access the secure network.
(PIX inside interface IP 160.16.218.45 mask 255.255.255.0)
(PIX outside interface IP 143.139.2.45 mask 255.255.255.192) (uncertain of this ... this is what was given to me)


I am uncertain of what gateway to give to the central 3550 switch
in order to direct traffic which is not destined for 160.16.209.x and 160.16.211.x to the firewall.

I guess I want to know if I should give the gateway of the central switch 3550 the IP of the firewall, and give the gateway of the inside interface of the firewall the IP of the central switch.


Or do I create a port on the central switch, for example port 3, give it an IP of 160.16.218.1 and connect the firewall to it, give the central switch a gateway of 160.16.218.1 and also give the firewall inside gateway 160.16.218.1?

Or am I completely lost???

thanks






Asked by jerbell
jerbell (Author) commented:
Would it also be preferable that I don't assign an IP to a port on the central switch and assign a VLAN instead?
Pros and cons???
0
td_miles commented:
If you do as you say and give PIX inside IP of 160.16.218.45 and the switch has an IP of 160.16.218.254 then it will work fine.

On the PIX create routes to tell it how to get to your other two inside subnets:

route inside 160.16.209.0 255.255.255.0 160.16.218.254
route inside 160.16.211.0 255.255.255.0 160.16.218.254

which means that it will route any traffic for the two inside networks to the switch and then the switch will forward it to the networks.

Set the default route on the switch to be the IP of the PIX (160.16.218.45)

0
jerbell (Author) commented:
What do I give as the inside gateway?
0
td_miles commented:
Do you mean for your two subnets?

The default gateway for the two subnets is the IP of the L3 switch.

EG.
for devices on subnet 160.16.209.0/24, default gateway is 160.16.209.1
for devices on subnet 160.16.211.0/24, default gateway is 160.16.211.1

So all traffic will get sent to your L3 switch and it will then forward it to the PIX (which is why it needs to have a default route pointing to the PIX IP).
0
jerbell (Author) commented:
Traffic does not seem to flow from my 2 networks into the firewall when trying to access the network on the outside interface.

Seems like the central switch doesn't want to route traffic there.

My 2 networks see each other and see the central switch and can ping the firewall.

The firewall is connected to port 24 of the central switch. Should that port be assigned an IP?
I just assumed that if I assign the gateway of the central switch to the IP of the firewall, all traffic unknown to the central switch would flow into the firewall (which is on the same IP range as the central switch).
0
jerbell (Author) commented:
Here is the firewall config ... hope somebody can help.

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname firewall
domain-name mydomain
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 160.16.209.200 pcnet1
name 160.16.211.200 pcnet2
name 143.139.2.200 servertoconnect
object-group network pcgroup
  description access to server
  network-object pcnet1 255.255.255.255
  network-object pcnet2 255.255.255.255
access-list inside_access_in remark servertoconnect access
access-list inside_access_in permit tcp object-group pcgroup host servertoconnect eq 102
access-list inside_access_in remark testing pc rule
access-list inside_access_in remark testing pc rule
access-list inside_access_in remark testing pc rule
access-list inside_access_in remark testing pc rule
access-list acl_out permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 143.139.2.45 255.255.255.192
ip address inside 160.16.218.45 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
pdm location 160.16.209.200 255.255.255.255 inside
pdm location pcnet1 255.255.255.255 inside
pdm location pcnet2 255.255.255.255 inside
pdm location servertoconnect 255.255.255.255 outside
pdm group pcgroup inside
pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
access-group acl_out in interface outside
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 160.16.218.254 1
route outside servertoconnect 255.255.255.255 143.139.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 160.16.209.200 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
0
td_miles commented:
Ok, tests to try:

1. from PC with IP 160.16.209.x
a). ping 160.16.218.45
b). ping 143.139.2.45

2. from PC with IP 160.16.211.x, repeat two above tests

3. From 3550 switch, repeat above two tests.

If you don't get any responses, add the following:

access-list inside_access_in permit ip any any
access-list acl_out permit ip any any

and try again, just to make sure the ACLs aren't getting in the way.
0
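To see what the two diagnostic `permit ip any any` lines above actually change, here is an added example (not code from the thread or from Cisco) that models PIX first-match access-list evaluation over the subset of syntax in the posted config: `name`, `object-group network`, and `access-list` entries using `host`, `any`, `object-group` and `eq`. The config text is copied from the post; the packets it is evaluated against are constructed for the example. It shows that, even with routing correct, the posted `inside_access_in` only lets TCP/102 from the two named PCs through the PIX, so a ping from a PC to `servertoconnect` through the firewall is dropped by the implicit deny until the test ACE is added.

```python
# Added example: a minimal PIX 6.x-style ACL evaluator for the syntax used on this page.
# Not the PIX code; names, object-groups and ACEs come from the posted config, the
# packets below are constructed for the demonstration.
import ipaddress

POSTED_CONFIG = """\
names
name 160.16.209.200 pcnet1
name 160.16.211.200 pcnet2
name 143.139.2.200 servertoconnect
object-group network pcgroup
  description access to server
  network-object pcnet1 255.255.255.255
  network-object pcnet2 255.255.255.255
access-list inside_access_in remark servertoconnect access
access-list inside_access_in permit tcp object-group pcgroup host servertoconnect eq 102
access-list acl_out permit icmp any any
"""

# The diagnostic line td_miles suggested; constructed here so both states can be compared.
DIAGNOSTIC_ACE = "access-list inside_access_in permit ip any any\n"

def to_net(addr, mask, names):
    """Resolve a 'name' alias and build a network from a dotted mask."""
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)

def parse_addr(tokens, i, names, groups):
    """Consume one address spec at tokens[i]; return (list of networks, next index)."""
    t = tokens[i]
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t == "host":
        return [to_net(tokens[i + 1], "255.255.255.255", names)], i + 2
    if t == "object-group":
        return groups[tokens[i + 1]], i + 2
    return [to_net(t, tokens[i + 1], names)], i + 2          # NET MASK form

def parse_ace(tokens, names, groups):
    """'permit tcp <src> <dst> [eq PORT]' -> (action, proto, srcs, dsts, port)."""
    action, proto = tokens[0], tokens[1]
    srcs, i = parse_addr(tokens, 2, names, groups)
    dsts, i = parse_addr(tokens, i, names, groups)
    port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return action, proto, srcs, dsts, port

def parse_pix(text):
    """Return {acl_name: [ACE, ...]} in configured order (order is what first-match uses)."""
    names, groups, acls, current = {}, {}, {}, None
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "name":
            names[p[2]] = p[1]
        elif p[:2] == ["object-group", "network"]:
            current = groups.setdefault(p[2], [])
        elif p[0] == "network-object":
            current.append(to_net(p[1], p[2], names))
        elif p[0] == "access-list" and p[2] in ("permit", "deny"):
            acls.setdefault(p[1], []).append(parse_ace(p[2:], names, groups))
        # 'names', 'description' and 'remark' lines carry no policy and are skipped
    return acls

def evaluate(acl, proto, src, dst, dport=None):
    """First matching ACE wins; no match means the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, srcs, dsts, port in acl:
        if p not in ("ip", proto):
            continue
        if not any(s in n for n in srcs) or not any(d in n for n in dsts):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    before = parse_pix(POSTED_CONFIG)["inside_access_in"]
    after = parse_pix(POSTED_CONFIG + DIAGNOSTIC_ACE)["inside_access_in"]
    print("pcnet1 -> server tcp/102 :", evaluate(before, "tcp", "160.16.209.200", "143.139.2.200", 102))
    print("pcnet1 -> server icmp    :", evaluate(before, "icmp", "160.16.209.200", "143.139.2.200"))
    print("same ping, with test ACE :", evaluate(after, "icmp", "160.16.209.200", "143.139.2.200"))
```

The `permit ip any any` entries are a troubleshooting aid only: once it is confirmed that packets reach the PIX, remove them again, otherwise the inside ACL no longer restricts anything. Note also that pings addressed to the PIX's own interfaces are not through traffic and are not what `inside_access_in` governs; the evaluator above models traffic crossing the firewall.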
jerbell (Author) commented:
I tried that but nothing seems to go to the firewall!
I put a question on how to route to the firewall.

Concept of routing and firewall seems so easy but yet a pain to figure out
0
td_miles commented:
Even when you ping the PIX from the 3550 switch you get no response?

You could try as you suggested earlier and assign a specific port on the 3550 switch and give it an IP address 160.16.218.1. As it already has an IP address in this subnet, I didn't think it would have been necessary.

To make sure it is not anything in the PIX config, connect a PC to the same port that the PIX currently is and give it the same IP address of the PIX inside interface (160.16.218.45). Now try pinging this IP address from the switch.

Could you also post your 3550 config, just to have a look over and make sure you have got the routing entered correctly.
0

jerbell (Author) commented:
Thanks td_miles.
The problem was in my central switch.
I had the default gateway assigned to the firewall but I had forgotten to set it up in default routing.
So what I did was set the default routing to point to the firewall as well, and then everything worked.
Still unclear why they both have to be there.
0
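The reason the fix above was needed is that on a Catalyst switch `ip default-gateway` is only consulted when `ip routing` is off (the switch behaving as a host); once routing is enabled, transit traffic is forwarded purely from the routing table, so the switch needs a static default route such as `ip route 0.0.0.0 0.0.0.0 160.16.218.45` to send unknown destinations to the PIX. The following added example (not code from the thread, and a Python model rather than IOS) builds the two routing tables on this page and does longest-prefix-match lookups to trace a packet from a LAN host. The 3550's connected networks are taken from the question, the PIX routes from td_miles's answer and the posted config; the switch's static default route is an assumption, since the thread never shows the 3550 config.

```python
# Added example: longest-prefix-match model of the 3550 and PIX routing tables from
# this thread.  Not the switch or PIX code; the switch default route is assumed.
import ipaddress

# 3550: ports 1 and 2 plus the 160.16.218.0/24 side it shares with the PIX (from the question).
SWITCH_CONNECTED = ["160.16.209.0/24", "160.16.211.0/24", "160.16.218.0/24"]
SWITCH_STATIC_DEFAULT = "ip route 0.0.0.0 0.0.0.0 160.16.218.45"   # assumed reconstruction

# PIX: connected interfaces from 'ip address ...', routes from td_miles and the posted config.
PIX_CONNECTED = ["160.16.218.0/24", "143.139.2.0/26"]
PIX_ROUTES = [
    "route inside 160.16.209.0 255.255.255.0 160.16.218.254",
    "route inside 160.16.211.0 255.255.255.0 160.16.218.254",
    "route inside 0.0.0.0 0.0.0.0 160.16.218.254",
    "route outside 143.139.2.200 255.255.255.255 143.139.2.1",
]
PIX_INSIDE, SWITCH_IP = "160.16.218.45", "160.16.218.254"

def parse_route(line):
    """IOS 'ip route NET MASK NH' or PIX 'route IFACE NET MASK NH' -> (network, next_hop)."""
    p = line.split()
    if p[:2] != ["ip", "route"] and p[0] != "route":
        raise ValueError("unrecognised route line: " + line)
    net, mask, nh = p[2:5]                      # same positions in both syntaxes
    return ipaddress.ip_network(f"{net}/{mask}", strict=False), ipaddress.ip_address(nh)

class RoutingTable:
    def __init__(self, connected):
        # next_hop None marks a directly connected network
        self.routes = [(ipaddress.ip_network(c), None) for c in connected]

    def add(self, line):
        self.routes.append(parse_route(line))

    def lookup(self, dst):
        """Longest prefix match: the /0 default only wins when nothing more specific matches."""
        dst, best = ipaddress.ip_address(dst), None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best

def next_hop(table, dst):
    """'connected', the next-hop IP as a string, or None when there is no route at all."""
    hit = table.lookup(dst)
    if hit is None:
        return None
    return "connected" if hit[1] is None else str(hit[1])

def switch_next_hop(dst, default_route=None):
    # With `ip routing` on, a packet that matches no route is discarded; the
    # `ip default-gateway` setting plays no part in forwarding transit traffic.
    table = RoutingTable(SWITCH_CONNECTED)
    if default_route:
        table.add(default_route)
    return next_hop(table, dst)

def pix_next_hop(dst):
    table = RoutingTable(PIX_CONNECTED)
    for r in PIX_ROUTES:
        table.add(r)
    return next_hop(table, dst)

def trace_from_lan(dst, switch_default=None, max_hops=6):
    """Follow a packet from a 160.16.209.x / 160.16.211.x host: the 3550 forwards first,
    then whichever box the next hop names.  A hop list that keeps alternating between
    the PIX and the switch is a routing loop (on the wire the TTL would expire)."""
    hops, where = [], "switch"
    for _ in range(max_hops):
        nh = switch_next_hop(dst, switch_default) if where == "switch" else pix_next_hop(dst)
        hops.append(nh)
        if nh == PIX_INSIDE:
            where = "pix"
        elif nh == SWITCH_IP:
            where = "switch"
        else:
            break       # delivered, dropped, or handed to a router outside this model
    return hops

if __name__ == "__main__":
    print("no default route on 3550 :", trace_from_lan("143.139.2.200"))
    print("static default on 3550   :", trace_from_lan("143.139.2.200", SWITCH_STATIC_DEFAULT))
    print("unknown destination      :", trace_from_lan("10.0.0.1", SWITCH_STATIC_DEFAULT))
```

One thing the trace makes visible: the posted PIX config carries `route inside 0.0.0.0 0.0.0.0 160.16.218.254`, so once the 3550 also defaults to the PIX, any destination not covered by the host route to `servertoconnect` bounces between the two until its TTL runs out. Traffic to the server still works because the /32 route wins the longest-prefix match, but the usual arrangement is to keep the two specific `route inside` entries for 160.16.209.0/24 and 160.16.211.0/24 and point the PIX default out the outside interface instead.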