
Cisco 5525 with Outside Internet Connection (Design)

I have a design question:

Currently, we are running our internet connection from the provider to our network core (via VLAN 99). Then it gets connected to our firewall via VLAN 99.

This is the flow:

ISP Provider
Switch Stack Port G1/0/25 switchport access vlan 99
Firewall connected to our Switch Stack via Trunk (trunk allowed vlan 99)
Firewall Interface G0/7 IP x.x.x.x Subnet x.x.x.x Vlan99 Logical Type.

Our Firewall (Cisco ASA5525), has an interface setup for that connection (Vlan99), with a name of outside, and our External IP Address. (Logical Type Interface).

I would like to move our connection from the core to the firewall, (I don't want the internet to run thru the switch first, then the firewall).

Would it be safe to say that I could physically move the connection to the firewall, and that's all? The firewall has an outside routing of 0.0.0.0 0.0.0.0 with gateway of our G0/7 Firewall Interface.

Or is there more to this than meets the eye?

Sorry for the noob question, but I want to understand this a little better, and my feeling says that moving the connection from core to the firewall would be sufficient enough, but then again I'm not an expert at firewalls much.

Thanks....


3 Replies

Marvin Rhoads
Hall of Fame

I'm not sure why you would have the current firewall-switch link setup as a trunk since it should only ever have traffic for the single VLAN 99. An access mode port would seem more appropriate.

If you move the physical connection directly into your ISP router, you would not need (and should not use) the VLAN tagging anymore.

Re the routing, you must mean the default route is to the ISP router address. You shouldn't default route the firewall to itself. If you are, it should be changed to the ISP router.

The route is from the firewall. The firewall itself has a static route on the outside interface.

Static Routes:

Interface: Outside
IP Address: 0.0.0.0
Netmask: 0.0.0.0
Gateway IP: (our external IP)

If I'm moving the physical connection from the switch to the firewall, that route should stay in the firewall, correct?

Our switch default route is 
0.0.0.0 0.0.0.0 IP of Firewall

Is there a change I need to do to the switch core?

Is there a change I need to do to the firewall?

Thanks...

Yes, that's right.

Your core switch defaults to route out via the firewall inside interface. No change in that regard.

The firewall applies security policy and performs network address translation to public IP address space.

The firewall defaults to route out to the ISP interface facing you. No change there either.

As I noted, if your firewall interface configuration currently has a vlan statement that will no longer be necessary since you won't have a trunk port with VLAN tagging.
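A worked before/after ASA configuration for the change discussed in this thread, added here as an illustration and not taken from either poster. The interface ID (GigabitEthernet0/7) and VLAN 99 come from the thread; the public address 203.0.113.10/29 and the ISP router address 203.0.113.9 are constructed documentation-range placeholders.

```cisco
! BEFORE: ISP handed off via the core switch, so "outside" is an
! 802.1Q subinterface tagged VLAN 99 on the trunk from the switch.
interface GigabitEthernet0/7
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/7.99
 vlan 99
 nameif outside
 security-level 0
! 203.0.113.10/29 is a constructed placeholder for the public address
 ip address 203.0.113.10 255.255.255.248
!
! Next hop is the ISP router (assumed 203.0.113.9), not the ASA itself
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1

! AFTER: ISP cable plugged straight into G0/7. No trunk and no tag, so
! the subinterface is removed and "outside" moves to the physical
! interface. NAT rules, ACLs and the default route keep their meaning
! because they reference the name "outside", not GigabitEthernet0/7.99.
no interface GigabitEthernet0/7.99
!
interface GigabitEthernet0/7
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
 no shutdown
!
! Re-enter the default route: deleting the named subinterface can
! clear configuration bound to "outside". Gateway = ISP router address.
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
!
! Post-change checks: interface up/up, default route present, policy
! still bound to "outside", ISP next hop reachable from outside.
! show interface GigabitEthernet0/7 | include line protocol
! show route | include 0.0.0.0 0.0.0.0
! show running-config access-group
! show running-config nat
! ping outside 203.0.113.9
```

Take a `show running-config` copy before removing the subinterface so anything that drops with the name can be compared and re-applied; the now-unused switch access port in VLAN 99 can be shut down afterwards.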
