  • Status: Solved
  • Priority: Medium
  • Security: Public

Router-Switch-Firewall configuration

Hi I am back

Let me explain my design again, with some extra explanations.

An L2 switch with the network 10.250.249.0/24 is connected to the 3550 switch. The Websense server for the PIX is connected to this L2 switch. All ports in the L2 switch are in VLAN 1.

The other 2 connections on the 3550 switch have to be routing ports.

One comes from an ATM router (which has an ATM interface with many point-to-point ATM subinterfaces from the company branches). The router interface is 192.168.249.1/24 and the 3550 switch interface is 192.168.249.254/24. EIGRP 200 has to run between the 3550 switch and the router.

10.250.x.0/24 (please do not confuse it with the 10.250.249.0 network on the L2 switch connected to the 3550 switch) is the network at the company branches at different locations, which is connected to the ATM router at the main branch as subinterfaces through the ATM subinterface IP addresses 10.29.x.x/30. My aim is to connect the 10.250.x.0/24 network in the branch locations to the internet through the ATM router, 3550 switch and the PIX firewall in the main office.

Static routes have been set on the ATM router towards the store routers, and a route-map has been set on the routers at the branch sites for the routes in the opposite direction, to the ATM router's corresponding ATM subinterface.

The other routing port on the 3550 switch is to be connected to the PIX. The PIX inside interface is 192.168.248.1/24 and the 3550 switch interface is 192.168.248.254/24.

The PIX is connected to the internet through the default gateway 199.59.112.254/24.
The outside interface of the PIX is 199.59.112.15/24.

What else should be done to complete this configuration?

What should be configured between the 3550 switch and the PIX? If I need a default route on the switch, where should I point it to? Or should I configure static routes on the 3550 switch?

Is there anything left to do on the ATM router other than setting a static route towards the branch location router and an EIGRP between the ATM router and the 3550 switch?




Kevin_J
Asked:
Dr-IP Commented:
In theory if you add the route “ip route 0.0.0.0 0.0.0.0  <The IP address of PIX>” to the 3550 and have “redistribute static” in its EIGRP config that should send all non local network traffic to the PIX. Assuming the PIX is properly configured otherwise, you will need to point its inside route to the 3550 in the PIX’s config “route inside 0.0.0.0 0.0.0.0 <the IP address of the 3550>”. Also make sure if there is already an inside route in the PIX to remove the old one. At that point it should hopefully all be working.


Kevin_J (Author) Commented:
I have given route inside 10.0.0.0 0.0.0.255 <ip of the switch> in the PIX.
There is just one inside route and it is this one. I didn't understand what you meant by removing the old inside route.

Dr-IP Commented:
That if there was another inside route in the PIX already pointing to some other address, you should remove it, as you shouldn’t have two default inside routes at the same time since that could lead to some unexpected results.

lrmoore Commented:
You need default routes all along the path.
On the ATM router, have a default pointing to the 3550:
   ip route 0.0.0.0 0.0.0.0 192.168.249.254

On the 3550, point the default to the PIX:
    ip route 0.0.0.0 0.0.0.0 192.168.248.1

On the PIX, since it does not do EIGRP....
>route inside 10.0.0.0 0.0.0.255 <ip of the switch>
Wrong mask...
  route inside 10.0.0.0 255.0.0.0 192.168.248.254

PIX also needs a route to the other 192.168.249.0 network:
   route inside 192.168.249.0 255.255.255.0 192.168.248.254
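
An added example (not code from the thread or from Cisco): a short Python check of the PIX static routes discussed above. It flags a wildcard-style mask such as 0.0.0.255 and uses longest-prefix match to show which interface return traffic to an inside host would leave on. The `route outside` default line and the treatment of a route with an invalid mask as not installed are assumptions.

```python
import ipaddress

# PIX interface addresses as given in the thread.
PIX_INTERFACES = {
    "inside": ipaddress.ip_interface("192.168.248.1/24"),
    "outside": ipaddress.ip_interface("199.59.112.15/24"),
}
# Constructed samples: the asker's first attempt, then the corrected statics.
# The outside default line is assumed from the stated gateway 199.59.112.254.
BEFORE = """route outside 0.0.0.0 0.0.0.0 199.59.112.254
route inside 10.0.0.0 0.0.0.255 192.168.248.254"""
AFTER = """route outside 0.0.0.0 0.0.0.0 199.59.112.254
route inside 10.0.0.0 255.0.0.0 192.168.248.254
route inside 192.168.249.0 255.255.255.0 192.168.248.254"""

def is_netmask(mask):
    """True for a contiguous netmask (ones then zeros), e.g. 255.0.0.0."""
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def parse_routes(config):
    """Parse 'route <if> <net> <mask> <gateway>' lines into (routes, problems)."""
    routes, problems = [], []
    for line in config.strip().splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "route":
            problems.append(f"incomplete route statement: {line}")
            continue
        ifname, net, mask, gw = fields[1:5]
        if not is_netmask(mask):
            problems.append(f"{mask} is not a netmask (wildcard style?): {line}")
        elif ipaddress.ip_address(gw) not in PIX_INTERFACES[ifname].network:
            problems.append(f"gateway {gw} is not on the {ifname} subnet: {line}")
        else:
            routes.append((ipaddress.ip_network(f"{net}/{mask}"), ifname, gw))
    return routes, problems

def egress(routes, dest):
    """Longest-prefix match: (interface, next hop) this model picks for dest."""
    dest = ipaddress.ip_address(dest)
    for name, iface in PIX_INTERFACES.items():
        if dest in iface.network:
            return name, "connected"
    hits = [r for r in routes if dest in r[0]]
    if not hits:
        return None
    net, ifname, gw = max(hits, key=lambda r: r[0].prefixlen)
    return ifname, gw

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        routes, problems = parse_routes(cfg)
        print(label, problems, egress(routes, "10.250.249.6"))
```

With the first route set, the only usable route for the Websense host 10.250.249.6 is the outside default; with the corrected set, the 10.0.0.0/8 and 192.168.249.0/24 statics send replies back through the 3550.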
 
Dr-IP Commented:
<On the ATM router, have a default pointing to the 3550>

>>EIGRP 200 has to run between the 3550 switch and the router<<

With EIGRP running between the ATM router and the 3550, so long as the 3550 has redistribute static in its EIGRP config there should be no need for the ATM router to have a static route pointing to the 3550.



Kevin_J (Author) Commented:
Thank you to both of you. To be honest, I didn't understand why we have to give redistribute static on the 3550. Which static route will be redistributed by this command?

There is no static route set on the 3550. There are static routes set on the ATM router, but those are pointing towards the branch site routers. There are route-maps set on the branch site routers towards the ATM router.

Kevin_J (Author) Commented:
Now I think I know what you meant. Give a default route on the 3550 pointing towards the PIX and give the redistribute static command in its EIGRP. But will it give the same result as giving a default route on the ATM router pointing towards the 3550?

There are two static routes on the PIX towards the inside interface.

   route inside 10.0.0.0 255.0.0.0 192.168.248.254

   route inside 192.168.249.0 255.255.255.0 192.168.248.254

Will there be any conflict because of this?

lrmoore Commented:
No, there will not be any conflicts because the PIX will not participate in EIGRP, so you have to make them static.
Unless, of course, you want to set up OSPF between the 3550 and the PIX, have the PIX advertise default, then redistribute OSPF into EIGRP...
As simple as your network is, I would stick with the static default on the 3550 and the statics on the PIX.

Kevin_J (Author) Commented:
Sorry for the delay in replying. My whole design is set up and configured with all your help. Thanks for that. Except for the ATM connection to the ATM router, the rest of the connections are done, and right now I am testing the connectivity between the ATM router, 3550 and the PIX.

There is EIGRP between the ATM router and the 3550 and there is a default route from the 3550 to the PIX. I wanted to ask whether we need to give redistribute static in the ATM router's EIGRP, because otherwise how will the PIX know about the static routes configured on the ATM router pointing towards the branch site routers?

I still have a doubt regarding which networks have to be published in the EIGRP of the 3550, considering EIGRP is running between the ATM router and the 3550. Today I gave all the 3 interfaces on the 3550 in the EIGRP and then I could see the EIGRP routes in the routing table of the 3550. When I didn't give the 192.168.248.0 (the interface on the 3550 to the PIX) it wasn't showing any EIGRP route in the routing table of the 3550.

Do we need to give the 10.0.0.0 network (L2 switch) to the 3550's EIGRP, considering the fact that this network is only intended to go to the PIX from the L2 switch and the EIGRP is configured between the 3550 and the ATM router?

I am confused now about which networks have to be configured in the EIGRP of the 3550 and also whether we need redistribute static in the ATM router's EIGRP. Please help.

Kevin_J (Author) Commented:
In the second last paragraph when I mentioned that the 10.0.0.0 network goes to the PIX I meant that it goes from the L2 switch to the 3550 and then to the PIX.

lrmoore Commented:
Here's the deal, Kevin..
3550 -- ATM router = EIGRP
   3550 has static default route pointing to PIX
   3550 redistributes that static via EIGRP to ATM router.
   3550 lists "networks" that include the interfaces that attach to something that participates in EIGRP (expecting a neighbor on that interface)
   3550 lists "redistribute connected" to send a route to the 192.168.249.0 subnet between it and the PIX that nobody else knows about yet
      ATM router now knows that its default gateway is the 3550
      ATM router now knows about the subnet between the PIX and the 3550
      ATM router tells the 3550 what other subnets it knows about
    3550 now knows about ALL subnets and the default
3550 -- PIX = static routes
   3550 has static default route to PIX
   PIX has static default route to internet router
   PIX has to have static routes for the subnets behind the 3550, pointing back to the 3550

Again, if you want to enable OSPF instead, it makes things a whole lot easier because the PIX also does OSPF. It does not participate in EIGRP.

Kevin_J (Author) Commented:
Thank you so much.

Just like we give redistribute static in the EIGRP of the 3550 so that the ATM router knows about the static default from the 3550 to the PIX, don't we have to give redistribute static in the EIGRP of the ATM router so that the 3550 knows about the static routes from the ATM router to the branch routers?

lrmoore Commented:
The whole idea of using any dynamic routing protocol is to NOT have any static routes anywhere with the possible exception of a single default, but that assumes that you have the same routing protocol everywhere. Isn't the ATM router using EIGRP between it and the remotes? If so, then you should not have any static routes to the remotes. But, as long as you do have them on the ATM router, then of course, in the ATM router's EIGRP config you will have it redistribute statics back to the 3550...
If it is not using EIGRP between the ATM router and the remotes, then why are you being restricted to using it between the ATM router and the 3550? You are shooting yourself in the foot to save your hand....


Kevin_J (Author) Commented:
Actually the thing is that right now the remote sites access the internet through another ATM router in the main office. But right now I have to shift VLAN 100 in every remote site to access the internet through a different ATM router. So I just have to copy that corresponding static route to the new ATM router.

That is the reason why I am not running EIGRP between the new ATM router and the remote sites. The remote sites had route-maps pointing to the old ATM router, which will now point to the new ATM router.


Right now I am able to ping to the inside interface of the PIX to both the interfaces of the 3550 and the ATM router but I am not able to ping to the outside interface of the PIX from the 3550 or the ATM router.

Also, if you remember the scenario, there is an L2 switch connected to the 3550. I can ping to that interface of the 3550 (10.250.249.254) from the ATM router and the inside interface of the PIX, but I can't ping to a host connected on that L2 switch (10.250.249.6) which has the Websense server.

What do you think might be the reason for it?

lrmoore Commented:
> but I am not able to ping to the outside interface of the PIX from the 3550 or the ATM router.
You never will be able to. This is a "feature" of the PIX.

The L2 switch is connected to your VLAN 1 if I remember correctly. Is that L2 switch possibly set up with VLANs?

lrmoore Commented:
Also, what is that host's default gateway that is attached to the L2 switch? It has to be 10.250.249.254

Kevin_J (Author) Commented:
Since I am working on my VPN connection at the moment, I will continue with this question in 1 or 2 days. Thanks

Kevin_J (Author) Commented:
Thank you so much for all your help.

lrmoore Commented:
Another problem bites the dust...

Glad to help!

Kevin_J (Author) Commented:
Hey lrmoore, can you respond to my other question soon please? It's urgent.