Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
685
Views
0
Helpful
4
Replies

6509 fwsm multiple subnets routed on one port from 3750

hustler0002
Level 1
Level 1

‎12-21-2010 09:00 AM - edited ‎03-04-2019 10:51 AM

Hi,

We have a 6509 that was connected to 2 other locations(location A and B) and our local lan (location MAIN).  We wanted to move the location A and B to a 3750 switch and only allow the traffic that needed to access our location MAIN to come through the firewall.  I got mostly everything to work with help from this forum.  The only problem I ran into is that before location A and B were on different interfaces so in the 6509 firewall the routes for traffic to our MAIN location was done by static routes.

I.E.

static (MAIN_intf,A_intf) 192.1.1.72 10.94.10.72 netmask 255.255.255.255 0 0

static (MAIN_intf,B_intf) 192.2.2.72 10.94.10.72 netmask 255.255.255.255 0 0

access-list

access-list A_acc permit tcp 192.1.1.0 255.255.255.0 host 192.1.1.71 eq www

access-list B_acc permit tcp 192.2.2.0 255.255.255.0 host 192.2.2.71 eq www

As shown above the two locations A and B access the same computer on the MAIN location subnet.

We moved A and B to a 3750 switch and setup a vlan 20 routed port between the 6509 and 3750 with ip address of 10.10.10.1 255.255.255.0 and 10.10.10.2 255.255.255.0.  I route the traffic from the 3750 to the 6509 by

I.E. config on 3750

ip route 192.1.1.0 255.255.255.0 10.10.10.2

ip route 192.2.2.0 255.255.255.0 10.10.10.2

Everything works except when Location A and B want to access the same computer on MAIN subnet.  I can't do

static (MAIN_intf,3750_intf) 192.1.1.72 10.94.10.72 netmask 255.255.255.255 0 0

static (MAIN_intf,3750_intf) 192.2.2.72 10.94.10.72 netmask 255.255.255.255 0 0

because it has a static overlap, which makes sense to me, but my question is how do I configure the network to get this to work?  Do I have to reconfigure my network and access-list?  Do I need to add more ports between the 6509 and 3750?  I'm not sure if this is the best way to do what we want. If something is not clear I'll try my best to explain the setup, but I just took over for our I.T. guy when he left.

I put 10.10.10.72 instead I should have put 10.94.10.72. the routed port is on a different subnet than the computer I'm trying to access. Message was edited by: Mike Lee

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎12-21-2010 09:48 AM

Mike

Try this -

access-list acl1 permit ip any host 10.10.10.72

access-list acl2 permit ip any host 10.10.10.72

static (MAIN_intf,3750_intf) 192.1.1.72 access-list acl1

static (MAIN_intf,3750_intf) 192.2.2.72 access-list acl2

see also this doc for full details -

Translating multiple public to one private IP

Jon

0 Helpful

hustler0002
Level 1
Level 1
In response to Jon Marshall

‎12-21-2010 10:12 AM

Thanks again Jon. I'll check out the document and get back to you if I have any more questions.  And thanks for the quick response.

0 Helpful

hustler0002
Level 1
Level 1
In response to hustler0002

‎12-21-2010 03:17 PM

Removed

Message was edited by: Mike Lee

0 Helpful

hustler0002
Level 1
Level 1
In response to Jon Marshall

‎12-22-2010 06:49 AM

Hi Jon,

I tried to add the static command

static (MAIN_intf,3750_intf) 192.1.1.72 access-list acl1

I received an error saying "invalid local IP address access-list"

I had no problem adding the acl1 access-list.

NOTE: I had made a mistake in the ip of the MAIN subnet. It should be 10.94.10.72

so I added

access-list acl1 permit ip any host 10.94.10.72

Any idea why I got this error?

thanks.

Also not sure if this makes a difference but the version of the fwsm is 1.1(3). I know this is outdated but this is what they left me with.

Message was edited by: Mike Lee

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card