I've got one inside interface, one dmz interface and one outside interface on my firewall.
Then the inside interface connects to a 24-port EMI 3550 switch. The DMZ connects to the same switch from its firewall interface. I've used policy-based routing to make sure traffic goes out through the proper firewall interface (so the inside network goes through the inside interface of the firewall, and the DMZ network through the DMZ interface of the firewall).
Then I used VLAN maps on the switch. I want to prevent traffic coming from the DMZ to the inside network through the switch, so I used VLAN maps to drop all traffic coming from the DMZ to the inside network (so from DMZ VLAN 20 to inside VLAN 10), but then I cannot access the web server in the DMZ from the inside network anymore. I was under the impression that the traffic was then going to go through the firewall to access the web server from the inside network and that I'm only blocking the access from inside to DMZ through the switch... any thoughts?
Just one question (it's always hard to visualize the topology like this):
You have VLAN maps blocking traffic from VLAN 20 to VLAN 10 in the 3550; this will block traffic on layer 2 before reaching the router interfaces (or the SVI (int vlan)).
Not sure if I got it right, so you're trying to go from VLAN 10 to VLAN 20, and this is being blocked?
Maybe what is happening is that return traffic from VLAN 10 is being blocked by your layer 2 filters in VLAN 20?
If it helps in any way, please rate this post.
Thanks for post.
Yes, VLAN 20 is the DMZ, and VLAN 10 is the internal LAN. I don't want packets going from VLAN 20 to VLAN 10 through the switch, but rather moving from one to the other via the firewall.
Like you said, it's blocking the traffic at layer 2. Is there any way for me to block traffic at layer 2 and then let it go through the SVI and routing engine and eventually the firewall to the DMZ?
Currently I'm testing it, so what I did is create an access list matching access from the DMZ network to the internal VLAN network, then using a VLAN access map I dropped all traffic in that access list and applied it (filter) to VLAN 10.
When you use VLAN maps you have to be careful to allow ARP traffic and, in multi-switch networks (not relevant in your case), STP traffic. The last VLAN map statement, if configured, will have a default action of forward. If it is not defined or does not explicitly allow ARP traffic, then I am not surprised you have connectivity issues.
Did you already try to sniff the network to see what's happening with your packets?
Are you sure that your packets get to the firewall and that the firewall puts the packet in your DMZ network?
Did you consider using a stateful firewall?
Not that you have a problem with your policy-based routing on the firewall.
I think that the switch should see the firewall like all other clients on the network. And since everything is layer 2, the MAC addresses in the frames are always the correct ones for the supposed VLAN. In VLAN 10 you will have the MAC from your PC to the gateway, and in VLAN 20 from the gateway to the server. So I think there is something else wrong in the network and your switch is working properly... but of course, I could also be wrong :-)
Let me know if there is any new outcome.
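As an added example (not configuration posted by anyone in this thread), here is the VLAN access map shape the last reply describes: a map with only a drop entry beside one that ends with the explicit forward entry, so ARP and other unmatched traffic is not discarded. It assumes the VLAN numbers from the thread and constructed subnets 192.168.10.0/24 (inside) and 192.168.20.0/24 (DMZ); the ACL and map names are made up.

```ios
! Added example, not the poster's running config.
! Assumed/constructed addressing: inside VLAN 10 = 192.168.10.0/24,
! DMZ VLAN 20 = 192.168.20.0/24 (the VLAN numbers come from the thread).

ip access-list extended DMZ-TO-INSIDE
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255

! --- Weak map: only a drop entry. Nothing in the map says what happens
! to IP packets that do not match the ACL, and ARP is not an IP packet,
! so an IP ACL never matches it at all.
vlan access-map BLOCK-DMZ-WEAK 10
 match ip address DMZ-TO-INSIDE
 action drop

! --- Corrected map: the same drop entry, followed by a last entry with no
! match clause and action forward, so everything not dropped above,
! ARP included, is explicitly forwarded.
vlan access-map BLOCK-DMZ 10
 match ip address DMZ-TO-INSIDE
 action drop
vlan access-map BLOCK-DMZ 20
 action forward

! Apply the corrected map to the inside VLAN (the thread filters VLAN 10).
vlan filter BLOCK-DMZ vlan-list 10

! Check which map is applied and which entries it contains.
show vlan access-map
show vlan filter
```

Because the access list matches on IP addresses, which a routed packet keeps, the drop entry also matches the web server's replies that the firewall forwards back into VLAN 10, which is the return-traffic effect the first reply suspects.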