VLAN Configuration

Our Cisco Catalyst 3560G switch has 4 VLANs created on it.  2 of those VLANs have a port connection to the 2 available interfaces on our Cisco PIX515e FW ("Inside" & "DMZ").

Does that mean members of the other VLANs on the switch can't have Internet access since none of the ports that are members of those VLANs connect to the perimeter FW?
dealvisAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

BBRazzCommented:
That will be correct.

Unless a client port has access to the vlan that has connection to the vlan with a connection to the INSIDE of the PIX, there will be no internet access.

-BBRazz
0
Ken BooneNetwork ConsultantCommented:
So there are 2 different vlans that have direct connections to your PIX firewall.  There are 2 additional vlans configured on the switch.  You can provide Internet access to the other 2 vlans.  I am assuming that these other 2 vlans would be considered "inside" networks.  There are a few ways you can do this.  Do you have a router on the inside of your firewall where these 2 other vlans use as their default gateway.  If you do you can add a default route in the router to point to the inside ip address of the PIX.  Then you would have to add a static route on the pix to reach these two networks.   In addition you would have to make sure your NAT rule on the firewall allows all networks or else you could add these two additional networks.  

If you do not have a router on the inside of your network, the 3560 switch is a layer 3 switch and is capable of routing between all the vlans.  In this case you would need to create layer 3 interfaces on the 3560, turn on IP routing, and add a default route to the inside ip address of the firewall.  

If you can provide more details as to how the networks are configured on the switch I can provide you with more details on what to configure.
0
dealvisAuthor Commented:
Our Cisco Catalyst 3560 Switch VLANs...

VLAN 1 -  (Default Mgmt VLAN)

VLAN 2 -  Internal LAN where employee workstations are, has connection to PIX FW "Inside" interface [192.168.0.1] Internet is accessible from any host in this VLAN.  Works great - had for long time.

VLAN 3 - DMZ subnet [209.43.17.64/26], connection to PIX FW "Middle" interface [209.43.17.65], home for servers providing services to external hosts such as email, FTP, Streaming Media, etc.  Internet is also accessible from hosts located in this VLAN.  Works great, have used for long time.

VLAN 4 - NEW - No connection to PIX.  No router installed. 10.0.0.0/8 static IP assignments.  Created to isolate IP based Audio & Video control equipment (i.e. projectors, sound mixers, computers, etc) within separate broadcast domain/separate IP subnet.  Creative Dir wants Internet access for his computers in VLAN 4 but I don't know how to configure the Catalyst 3560 switch to provide it?

Would it be easier to add a router or configure the Catalyst 3560 switch to perform inter-VLAN routing?
THANK YOU FOR RESPONDING & THANKS FOR ANY HELP YOU CAN PROVIDE!
0
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Ken BooneNetwork ConsultantCommented:
Configure the 3560 to route this traffic.  
Config t
ip routing
int vlan4
ip address 10.x.x.x 255.0.0.0    <-- make this the default gateway for vlan 4 devices
no shut

int vlan2
ip address 192.168.0.x 255.255.255.0
no shut

ip route 0.0.0.0 0.0.0.0 192.168.0.1

Configure PIX:
config t
route inside 10.0.0.0 255.0.0.0  192.168.0.x  <--whatever you used on the 3560

Now the pix should have a route to the vlan4

Also we need to look at your NAT statement.

It should look something like:

nat (inside) 1 0.0.0.0 0.0.0.0

If that is what it is you are in good shape if not we will have to add entries for the 10.x network.

Thanks
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dealvisAuthor Commented:
Clarification please related to these config commands...
int vlan2
ip address 192.168.0.X 255.255.255.0

So locate an unused IP address within the internal LAN's 192.168.0.0 network & use it where you placed the X, correct?
0
Ken BooneNetwork ConsultantCommented:
That is correct.  You already have a layer 2 vlan established as vlan 2.  What we are doing now is creating the layer 3 vlan 2 interface.  Use a free vlan 2 ip address on this interface.  You should be able to ping the firewall from this address once you have it created to make sure you have the basic connectivity.
0
dealvisAuthor Commented:
Allright, I will locate a free IP address and reserve it on the DHCP server for this purpose but I do not understand how to "ping the FW from this address"?  (DoYou mean just make sure I can ping the PIX Inside interface [192.168.0.1] from the Catalyst switch CLI? after making these config additions?)
0
Ken BooneNetwork ConsultantCommented:
Yes that is what I mean.
0
dealvisAuthor Commented:
Excellent, accurate information.  Application of clearly defined configuration commands Ken provided produced the desired result on first attempt. VLAN 4 members now have internet access also!

P.S. The NAT statement on our PIX FW did not need modified as it was exactly as you said it should look (i.e. NAT (INSIDE) 1 0.0.0.0 0.0.0.0)
Thank you very, very much for your assistance!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Switches / Hubs

From novice to tech pro — start learning today.