Solved

Catalyst and PiX firewall Access-lists

Posted on 2008-10-23
339 Views
Last Modified: 2012-05-05
Hello guys;
Please take a look at the layout first, then read my real question.
As you see, I have multiple VLANs that are routed by a Catalyst 4006 switch. As a gateway to the internet I have a PIX firewall and an ISA 2004 proxy server. What I'm trying to do is to force everyone on the employees, clients and wireless VLANs to go to the internet through the ISA 2004 firewall, and equally, everyone on the servers and directors VLANs through the PIX firewall.
Presently everyone on the employees, clients and wireless VLANs has the ISA firewall client installed or is a web proxy client, so they are already using the ISA server for internet requests (because they have protocol-based restricted access to the internet), but my Catalyst layer 3 switch is configured to route everything to the PIX firewall, so if they disable the firewall client, they will go directly to the net through the PIX firewall. My main goal is to force them (employees, clients and wireless) to go through the ISA server even if they disable the firewall client or clear out the proxy configuration.
Now I know I can do that on my PIX firewall by simply adding an access-list deny rule for those segments to go to the net, but I'm trying to configure that on the layer 3 module. Is that possible, and how? Do not forget, the L3 module is routing everything bound to the internet to my PIX firewall, and I cannot change that because I need my directors and servers to go through the PIX firewall at all times.
Drawing1.jpg
3 Comments
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 150 total points
ID: 22792883
Have you looked at doing route-maps on the switch? You can combine them with ACLs so that certain VLANs use the PIX and others use the ISA.
It's the first thing that came to my mind anyway.
0
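The approach suggested above, policy-based routing on the L3 switch, written out as an added example that is not from this thread's participants. It assumes the L3 module runs IOS and supports `ip policy route-map`; the VLAN numbers, the 10.0.0.0/8 internal address space and the ISA address 10.1.1.5 are constructed placeholders for the asker's real values.

```cisco
! Constructed example (placeholder addresses). Goal: traffic from the
! employees (VLAN 10), clients (VLAN 20) and wireless (VLAN 30) VLANs that is
! bound for the internet is handed to the ISA server instead of following the
! default route to the PIX. Servers and directors VLANs are left untouched and
! keep using the normal routing table, i.e. the PIX.
!
! The ACL first excludes internal-to-internal traffic (assumed to live entirely
! inside 10.0.0.0/8) so that it is routed normally; only packets from the three
! proxy-only VLANs to any other destination are matched by the route-map.
ip access-list extended PROXY-VLANS-TO-INTERNET
 remark Internal traffic stays on normal routing
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 remark Employees, clients and wireless VLANs (assumed subnets)
 permit ip 10.10.0.0 0.0.0.255 any
 permit ip 10.20.0.0 0.0.0.255 any
 permit ip 10.30.0.0 0.0.0.255 any
!
! Matching packets get the ISA internal interface as next hop. Packets that do
! not match (or are denied by the ACL) fall through to the routing table.
route-map TO-ISA permit 10
 match ip address PROXY-VLANS-TO-INTERNET
 set ip next-hop 10.1.1.5
!
! PBR is applied where the traffic enters the switch: the SVI of each VLAN
! that must be forced through the ISA. Nothing is applied to the servers and
! directors SVIs, so they keep the default route to the PIX.
interface Vlan10
 ip policy route-map TO-ISA
!
interface Vlan20
 ip policy route-map TO-ISA
!
interface Vlan30
 ip policy route-map TO-ISA
```

`show route-map TO-ISA` reports how many packets the policy has matched, which is the quickest way to confirm the ACL is catching the intended VLANs. If the ISA next hop becomes unreachable, PBR is bypassed and those packets revert to the PIX, so the PIX deny rule mentioned in the question is still worth keeping as a second line of enforcement.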
 
LVL 14

Accepted Solution

by:
isaman07 earned 0 total points
ID: 22792932
How can I do that? Route-maps, any links?
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 22800332
0