12-21-2010 09:00 AM - edited 03-04-2019 10:51 AM
Hi,
We have a 6509 that was connected to two other locations (location A and B) and our local LAN (location MAIN). We wanted to move locations A and B to a 3750 switch and only allow the traffic that needed to access our location MAIN to come through the firewall. I got mostly everything to work with help from this forum. The only problem I ran into is that before, locations A and B were on different interfaces, so in the 6509 firewall the routes for traffic to our MAIN location were done by static routes.
i.e.
static (MAIN_intf,A_intf) 192.1.1.72 10.94.10.72 netmask 255.255.255.255 0 0
static (MAIN_intf,B_intf) 192.2.2.72 10.94.10.72 netmask 255.255.255.255 0 0
access-list
access-list A_acc permit tcp 192.1.1.0 255.255.255.0 host 192.1.1.71 eq www
access-list B_acc permit tcp 192.2.2.0 255.255.255.0 host 192.2.2.71 eq www
As shown above the two locations A and B access the same computer on the MAIN location subnet.
We moved A and B to a 3750 switch and set up a VLAN 20 routed port between the 6509 and 3750 with IP addresses 10.10.10.1 255.255.255.0 and 10.10.10.2 255.255.255.0. I route the traffic from the 3750 to the 6509 by
i.e. config on 3750
ip route 192.1.1.0 255.255.255.0 10.10.10.2
ip route 192.2.2.0 255.255.255.0 10.10.10.2
Everything works except when Location A and B want to access the same computer on MAIN subnet. I can't do
static (MAIN_intf,3750_intf) 192.1.1.72 10.94.10.72 netmask 255.255.255.255 0 0
static (MAIN_intf,3750_intf) 192.2.2.72 10.94.10.72 netmask 255.255.255.255 0 0
because it has a static overlap, which makes sense to me, but my question is: how do I configure the network to get this to work? Do I have to reconfigure my network and access-lists? Do I need to add more ports between the 6509 and 3750? I'm not sure if this is the best way to do what we want. If something is not clear I'll try my best to explain the setup, but I just took over for our I.T. guy when he left.
I put 10.10.10.72; instead I should have put 10.94.10.72. The routed port is on a different subnet than the computer I'm trying to access. Message was edited by: Mike Lee
12-21-2010 09:48 AM
Mike
Try this -
access-list acl1 permit ip any host 10.10.10.72
access-list acl2 permit ip any host 10.10.10.72
static (MAIN_intf,3750_intf) 192.1.1.72 access-list acl1
static (MAIN_intf,3750_intf) 192.2.2.72 access-list acl2
see also this doc for full details -
Translating multiple public to one private IP
Jon
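As an added worked example (not Jon's or Mike's configuration), here is how the policy-NAT form of `static` from the reply above lines up with the corrected MAIN host address 10.94.10.72, next to the overlapping pair that the FWSM rejects. Interface names and the site subnets are taken from the thread; the match ACL names the real MAIN host as the source and the remote site as the destination, the inbound interface ACL is an assumption modelled on the thread's A_acc/B_acc lists, and the access-list form of `static` is assumed to be supported by the FWSM release in use.

```cisco
! Added example, not from the thread. Interface names MAIN_intf/3750_intf
! and subnets 192.1.1.0/24 (site A), 192.2.2.0/24 (site B) as in the thread.
!
! --- Rejected form: two statics on the same interface pair for one real
! host overlap, so the FWSM refuses the second line.
! static (MAIN_intf,3750_intf) 192.1.1.72 10.94.10.72 netmask 255.255.255.255 0 0
! static (MAIN_intf,3750_intf) 192.2.2.72 10.94.10.72 netmask 255.255.255.255 0 0
!
! --- Policy NAT form: the match ACL decides which global address the real
! host is presented as, so two statics can share one real host.
! Match ACL: real host as source, remote site as destination (assumption
! about the required ACL direction for this form of static).
access-list acl1 permit ip host 10.94.10.72 192.1.1.0 255.255.255.0
access-list acl2 permit ip host 10.94.10.72 192.2.2.0 255.255.255.0
!
! Site A reaches the MAIN host as 192.1.1.72, site B as 192.2.2.72.
static (MAIN_intf,3750_intf) 192.1.1.72 access-list acl1
static (MAIN_intf,3750_intf) 192.2.2.72 access-list acl2
!
! Restrict the remote sites to web traffic toward the translated host and
! apply it inbound on the 3750-facing interface. The ACL names the global
! (translated) address, following the thread's own A_acc/B_acc lists.
! (Assumed ACL name; the restriction itself is what the thread wants.)
access-list 3750_acc permit tcp 192.1.1.0 255.255.255.0 host 192.1.1.72 eq www
access-list 3750_acc permit tcp 192.2.2.0 255.255.255.0 host 192.2.2.72 eq www
access-group 3750_acc in interface 3750_intf
```

Before relying on this, confirm with `show static` that both translations are accepted and with `show xlate` that a connection from each site builds an xlate to 10.94.10.72; an "invalid local IP address" error on the `static ... access-list` line means the running FWSM release does not accept this form, which is the symptom reported later in this thread.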
12-21-2010 10:12 AM
Thanks again Jon. I'll check out the document and get back to you if I have any more questions. And thanks for the quick response.
12-21-2010 03:17 PM
Removed
Message was edited by: Mike Lee
12-22-2010 06:49 AM
Hi Jon,
I tried to add the static command
static (MAIN_intf,3750_intf) 192.1.1.72 access-list acl1
I received an error saying "invalid local IP address access-list"
I had no problem adding the acl1 access-list.
NOTE: I had made a mistake in the ip of the MAIN subnet. It should be 10.94.10.72
so I added
access-list acl1 permit ip any host 10.94.10.72
Any idea why I got this error?
thanks.
Also, not sure if this makes a difference, but the version of the FWSM is 1.1(3). I know this is outdated, but this is what they left me with.
Message was edited by: Mike Lee