?
Solved

two VLANs end two  different PIXs as gateway

Posted on 2006-04-05
5
Medium Priority
?
291 Views
Last Modified: 2010-03-19
My LAN network is composed of 1 3560G catalyst switch used as a distribution where my routers, servers are connected and a 2950 catalyst switch used as access switch for computers and printers. A new company, composed of only 5 people, will soon merge with us but, as our internal policy, they will have to use a different gateway (PIX firewall) to go out internet. Both PIX firewall are connected to the 3560G but in two different VLANs. So the network will have:
VLAN1 192.168.150.0    gatway1/PIX1  IP: 192.168.150.1
VLAN2 192.168.160.0    gatway2/PIX2  IP: 192.168.160.1
My internal DNS is on VLAN1 (192.168.150.6)  , how can I configure PIX2 to resolve the domain-name using my internal DNS ? Do you think it`s better using the 3560G switch as L3 to route between the two VLANs or  the PIX works just fine for that? In case I use the PIX as L3, does it need to have two internal interfaces (besides the external to internet) on two different VLANs in order to route?

Thank you for help!!!!      
                           
                   
0
Comment
Question by:ggmisadmin
  • 2
3 Comments
 
LVL 3

Accepted Solution

by:
Bennoo earned 1000 total points
ID: 16389074
Pix's have issues routing back internally.
you are better off enabling IP routing on the 3560
but be specific and only allow routes to the internal dns
if you do not want both vlans to be fully meshed
0
 

Author Comment

by:ggmisadmin
ID: 16391578
Thank you for your replay.
Does it means that people on Vlan2 need to have  vlan2 interface's  IP as default gateway? In that case how the switch know how to forward internet traffic to the PIX whose IP is 192.168.160.1 ?
Do I need to create an ACL such as: "access-list 100 permit udp any host 192.168.150.6 eq 53" and apply this on Vlan2 interface?  Is that enought for allowing DNS-traffic?  

     
Thank you!
0
 
LVL 3

Expert Comment

by:Bennoo
ID: 16396395
yes you will need to enter the default gateways
routing will take care of the traffic.
there is no need for access-lists.

However if you wish to increase security
once traffic is routing correctly, add access-lists to limit the connectivity.

0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This program is used to assist in finding and resolving common problems with wireless connections.
How to fix a SonicWall Gateway Anti-Virus firewall blocking automatic updates to apps like Windows, Adobe, Symantec, etc.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question