Cisco Switch 3560 Configuration Question

Hello All-

I currently have a content filter (St. Bernard's Iprism) outside my firewall with a public IP address. My goal is to put the iprism inside my firewall with a private address so I can connect it to my DC and have users authenticate to the iprism. Currently that's not possible because it sits outside my firewall. Here is my current network layout:

Cisco 3660 (www)
      |
      |
Content Filter (Iprism)
      |
      |
Firewall (Fortigate Appliance) Also does my Natting, VLANs, ACLs
      |
      |
MDF (Alcatel 5022)


I purchased a Cisco Switch 3560 which has layer 3 capabilities to place in between the MDF and Firewall. So it would now look like:

Cisco 3660
      |
Firewall
      |
Content Filter
      |
Cisco 3560 Switch
      |
MDF


Here is the config (with different IP addresses) I tried on the switch but couldn't get it to work:


Building configuration...

Current configuration : 2947 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5
!
no aaa new-model
ip subnet-zero
!
!
password encryption aes
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
! connected to internal port on iprism with crossover
interface FastEthernet0/1
 switchport access vlan 9
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 8
 switchport mode access
!
interface FastEthernet0/4
 switchport mode access
!


!
interface Vlan1
 ip address 10.x.40.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan2
 ip address 10.x.24.254 255.255.255.0
 ip helper-address 10.x.24.101
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan8
 ip address 10.x.30.254 255.255.255.0
 ip helper-address 10.x.30.5
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan9
 ip address 10.x.50.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.x.50.2
ip http server
!

!

!
!
control-plane
!
!
!
end




So basically interface 0/1 on the switch is plugged into internal port of the iprism. The iprism external port is plugged into a port on the fortigate (Firewall). All of these ports are on the same subnet (10.x.50.0).

When I plugged back into my network everything seemed to work fine. I could ping my DCs. I could ping my gateway. I could ping fe 0/1, but I couldn't ping the Iprism or the fortigate. I also couldn't ping anything on VLAN 8 or vice versa, depending on which VLAN I was plugged into. I tried using ACLs to permit all traffic into the interfaces for testing purposes and still nothing. But when consoled into the Cisco switch I could ping everyone: servers on both VLANs, the Iprism and the fortigate.

Sorry if I left anything out. I appreciate any help and feedback.  Thanks in advance!!
ejaramillo Asked:
Freya28 Commented:
Instead of ACLs to permit all traffic, just type in "ip routing". This will let the VLANs communicate. Also, does the iprism have a default gateway setting? If that is not available or does not have a correct entry, then the iprism will not be able to communicate with any other network than the one that it is on.
ejaramillo (Author) Commented:
I do have an "ip route" statement in my config to its next hop: ip route 0.0.0.0 0.0.0.0 10.x.50.2
Or are you referring to something else? The iprism does have default gateway settings; I believe they're correct. It also has settings for static routes back into the switch.
lrmoore Commented:
Why not use the iPrism in Proxy mode and just give its internal interface an IP address on the same subnet/vlan as the rest of the network?

>connected to internal port on iprism with crossover
Should be a straight-through regular patch cable

Else, put the firewall inside interface and the iPrism outside interface on their own 2-port VLAN with no layer 3 vlan interface with IP address and put the inside interface of the iPrism on the vlan with the rest of the inside LAN subnet.
ejaramillo (Author) Commented:
I've thought about putting the iprism in proxy mode, but I have a lot of users with laptops who take them home. I've used wpad to use auto detect proxy but it didn't work too well so I just stopped using it. Plus my users didn't like waiting an extra minute for it to auto detect. ;)

I'm not sure what you mean by your second paragraph... Can you elaborate a bit more?
Thanks for all your help and comments!!
Jan Springer Commented:
I agree with Freya28. In the global config turn on routing by typing "ip routing".

And with the change in LAN segments, verify that the next-hop IP address is the gateway on that respective piece of equipment.
lrmoore Commented:
Create a vlan:

vlan 5
vlan 6
!
interface fast 0/1
 description Firewall inside interface
 switchport access vlan 6
interface fast 0/2
 description iPrism outside interface
 switchport access vlan 6

All other ports can be in vlan 1

interface fast 0/3
 description iPrism inside interface
interface fast 0/4
 description iPrism management interface
 switchport access vlan 5
interface vlan 5
 ip address 172.16.99.1 255.255.255.0
interface vlan 1
 ip address 10.x.40.1 255.255.255.0

iPrism management interface IP address 172.16.99.2

ejaramillo (Author) Commented:
I'm going to try these suggestions in a bit. I'll get back to you guys tonight or tomorrow morning. Thanks again for your help!
ejaramillo (Author) Commented:
Finally got it to work. It was a little bit of everything, from static routes from the firewall and iprism back to all my subnets to DNS issues. Go figure...
One last question: here is the config I finally ended up using. Can you please help me come up with a secure ACL? I don't want VLAN 8 to access VLAN 2, and I also want to prevent certain ports outbound. I only want them to have access to ports 80, 443, 110, 25, etc. outbound. Also, what ACL should I have coming back into that interface (ACL in)?

Thanks again for all your help!!


Current configuration : 3848 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5
!
no aaa new-model
ip subnet-zero
ip routing
!
!
password encryption aes
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 switchport access vlan 9
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 8
 switchport mode access
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 speed 100
 duplex full
!

!
interface Vlan1
 ip address 10.101.24.1 255.255.254.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan2
 ip address 10.229.24.254 255.255.248.0
 ip helper-address 10.229.24.101
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan8
 ip address 10.101.30.254 255.255.252.0
 ip helper-address 10.101.30.5
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan9
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan10
 ip address 10.101.33.254 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.101.33.2
ip http server
!

!

!
!
control-plane
!
!
line con 0
line vty 0 4
 password
 login
line vty 5
 password
 login
!
end

Switch#
Jim_Coyne Commented:
ip domain-name MYDOMAIN.COM
crypto key generate rsa modulus 1024
ip ssh version 2
ip ssh port 22
ip ssh logging events
!
line vty 0 4
 access-class LIMIT in
 transport input ssh
 transport output ssh
!
line vty 5
 access-class LIMIT in
 transport input ssh
 transport output ssh
!
! standard ACLs take a wildcard mask, so a single host is "host x.x.x.x" (not 255.255.255.255, which would match everything)
ip access-list standard LIMIT
 remark x.x.x.x = Management Station
 permit host x.x.x.x
!
! sequence 10 drops VLAN 8 sources; sequence 20 is required because a VLAN map has an implicit deny, so without it all other traffic in VLAN 2 would be dropped too
vlan access-map RESTRICT 10
 action drop
 match ip address VLAN8
vlan access-map RESTRICT 20
 action forward
!
! wildcard 0.0.0.255 = a /24; widen it to cover the whole VLAN 8 subnet (0.0.3.255 for the /22 in the final config)
ip access-list standard VLAN8
 permit x.x.x.x 0.0.0.255
!
vlan filter RESTRICT vlan-list 2

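Added example (not posted by anyone in this thread): an alternative to the VLAN map above that answers the last question directly, using extended router ACLs on the Vlan8 SVI of the final config. It takes the subnets from that config (VLAN 8 = 10.101.28.0/22, VLAN 2 = 10.229.24.0/21) and assumes the clients also need DHCP, DNS and ping, which the question did not list but which web browsing on 80/443 depends on; the ACL names are my own.

```cisco
! Added example, not from the thread. Assumes VLAN 8 = 10.101.28.0/22 and
! VLAN 2 = 10.229.24.0/21, taken from the "interface Vlan8"/"interface Vlan2"
! lines of the final config. DHCP, DNS and ICMP lines are assumptions; the
! question only named 80, 443, 110 and 25 "etc".
!
ip access-list extended VLAN8-IN
 remark -- ACLs are first-match: the VLAN 2 block must sit above every permit --
 deny   ip 10.101.28.0 0.0.3.255 10.229.24.0 0.0.7.255
 remark -- clients still need an address and name resolution (assumed) --
 permit udp any eq bootpc any eq bootps
 permit udp 10.101.28.0 0.0.3.255 any eq domain
 remark -- the outbound services the question asked for --
 permit tcp 10.101.28.0 0.0.3.255 any eq www
 permit tcp 10.101.28.0 0.0.3.255 any eq 443
 permit tcp 10.101.28.0 0.0.3.255 any eq pop3
 permit tcp 10.101.28.0 0.0.3.255 any eq smtp
 permit icmp 10.101.28.0 0.0.3.255 any echo
 remark -- anything else, including non-VLAN-8 source addresses, is dropped --
 deny   ip any any log
!
ip access-list extended VLAN8-OUT
 remark -- "established" matches only TCP segments with ACK/RST set, i.e. replies --
 permit tcp any 10.101.28.0 0.0.3.255 established
 remark -- UDP has no flags, so replies must be listed per service --
 permit udp any eq domain 10.101.28.0 0.0.3.255
 permit udp any eq bootps any eq bootpc
 permit icmp any 10.101.28.0 0.0.3.255 echo-reply
 permit icmp any 10.101.28.0 0.0.3.255 unreachable
 deny   ip any any log
!
interface Vlan8
 ip access-group VLAN8-IN in
 ip access-group VLAN8-OUT out
```

A few points worth knowing before applying it: a router ACL on the SVI only sees traffic that is routed into or out of VLAN 8, so hosts within VLAN 8 (including the 10.101.30.5 helper target, which is inside that subnet) still talk to each other freely. "established" is not stateful inspection; it trusts the ACK bit, which is why the OUT list is kept to reply-only entries rather than "permit ip any any". The "log" keyword on a 3560 punts matching packets to the CPU, so keep it on the final deny only and remove it once the rule set is proven; check the hit counters with "show ip access-lists VLAN8-IN" while testing from a VLAN 8 host.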