1218 Views, 0 Helpful, 5 Replies

wan connection - fw

dave dave
Level 1

Hi! We have the setup below currently, and we are moving to an internet site-to-site VPN because of downsizing.

2x L3 switches running HSRP > connected to a router that has a point-to-point leased line connection to our HQ.

The leased line will be replaced by an internet line and a new FW. Below is the new setup.

2x L3 switches running HSRP > connected to a router > FW that does the site-to-site VPN.

With both the existing L3 switches and the router in the branch office running OSPF, what static route (not going to run OSPF on the FW) is required in the FW for this to work, and what changes are required in the branch router below? Please advise. Thanks.

interface FastEthernet0/1/0
 description Connection to L3 sw1
 ip address 10.10.31.242 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1/1
 description connection to L3 sw2
 ip address 10.10.31.246 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description (This interface will be used to connect to the new FW LAN interface)
 ip address 10.10.25.122 255.255.255.252
 duplex auto
 speed auto
!
router ospf 8
 network 10.10.25.122 0.0.0.0 area 0 (Can this line be removed?)
 network 10.10.31.242 0.0.0.0 area 0
 network 10.10.31.246 0.0.0.0 area 0
!
!
ip route 0.0.0.0 0.0.0.0 10.10.25.121 (10.10.25.121 is the LAN interface of the FW)

================================================================

Additional route Info on the L3 Switches

L3 SW1
------------

router ospf 8
 log-adjacency-changes
 redistribute static subnets
 network 10.253.31.241 0.0.0.0 area 0 (Interface connected to the branch router interface f0/1/0 above)
 network 10.253.16.0 0.0.15.255 area 0 (To cover the internal L3 VLANs)

L3 SW2
-----------

router ospf 8
 log-adjacency-changes
 redistribute static subnets
 network 10.253.15.245 0.0.0.0 area 0 (Interface connected to the branch router interface f0/1/1)
 network 10.253.16.0 0.0.15.255 area 0 (To cover the internal L3 VLANs)


5 Replies

Jon Marshall
Hall of Fame

On the firewall you need -

1) a default route pointing to the ISP next hop

2) static routes for all the L3 switch VLANs/IP subnets pointing to the outside interface of the router.

3) If you want to be able to ping between the L3 switches and the inside interface of the firewall you will also need static routes on the firewall for the /30 subnets connecting the L3 switches to the router.

You already have a default route on the router pointing to the firewall.

One last point. Assuming the L3 switches are responsible for inter-VLAN routing (which I have been assuming) you could, if you wanted, just remove the router and connect the firewall to the L3 switches in a common VLAN. The firewall would still need routes to the L3 switch subnets and the L3 switches would just have a default route to the inside LAN interface of the firewall.

Jon

dave dave
Level 1

Hi! Thanks for the info. I've a few questions about items 2 and 3.

2) What's the difference between having a static route to the outside interface of the branch router vs. a default route just to the internal interface (the branch router port that connects to the L3 SW)? e.g. below.

ip route 0.0.0.0 0.0.0.0 GigabitEthernet6/1 10.10.31.242

ip route 0.0.0.0 0.0.0.0 GigabitEthernet6/1 10.10.31.246

I believe it will work if I've a default route from the L3 SW through the internal interface of the branch router, from both the L3 switches, with the command above + the default route in the branch router (ip route 0.0.0.0 0.0.0.0 10.10.25.121, where 10.10.25.121 is the LAN interface of the FW). Correct me if I'm wrong.

3) In addition to the 2 routes, do I need to have another static route to the VLANs within the L3 switch? I believe this is for the return traffic from outside to the internal, right? The next hop in this case can be the outside interface (10.10.25.122) of the branch router, right? e.g. ip route 10.253.16.0 255.255.240.0 10.10.25.122.

Thanks.

2) If you have default routes pointing to the internal router and the next hop ISP router, how does the firewall know which one to use? You may well end up creating a routing loop, i.e. the internal router sends a packet destined for the internet to the firewall and the firewall, using one of the default routes pointing back to the internal router, sends it back.

So you need a default route on the firewall pointing to the next hop ISP router and then specific routes for the L3 subnets.

Note this point may be academic. If the firewall is an ASA then it will not support having multiple default routes out of different interfaces and you definitely want your default route pointing to the outside interface for internet traffic.

3) The above 2) takes care of traffic returning from the firewall to the L3 VLANs. What it doesn't take care of is the /30 links between the L3 switches and the router. Internet connectivity will work fine for your clients even if you don't add in the /30s. I was just saying that if you want to be able to ping the /30s from the firewall or vice versa you would need routes on the firewall for those as well, e.g.

from the L3 switch you want to ping the inside interface of the firewall. The L3 switch will use a source IP of 10.10.31.241, for example. If the firewall does not have a route for this subnet it will not be able to send a return packet.

Like I say, this will not affect internet connectivity for your clients, it's just in case you want to do connectivity tests from the L3 switches/firewall.

Jon

Hi! For item 2, I think I interpreted it incorrectly. I was thinking that the route was required in the L3 switch instead of the FW. Thanks.

One last question: if I've a static route that covers 10.10.26.0/20 (L3 switch VLANs), which is inclusive of 10.10.31.240/30 & 10.10.31.244/30, in the FW, do I still need to add those static routes for the /30 networks used for connecting the router to the L3 switches into the FW?

No, you'll be fine with just the 10.10.26.0/20 static route.

Jon
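A small forwarding simulation, added here as an illustration and not part of the thread, that walks a packet through the routing tables Jon describes: a firewall holding two default routes loops traffic back to the branch router, a firewall with only a default to the ISP sends VLAN return traffic out to the internet, and the 10.10.26.0/20 summary static also covers the /30 links as discussed in the last exchange. The ISP link 203.0.113.0/30, the VLAN host 10.10.20.10 and the internet host 198.51.100.7 are assumed placeholders.

```python
import ipaddress

# Constructed model of the thread's topology: L3 switch (sw1) -> branch router -> firewall -> ISP.
# Addresses come from the thread where it gives them; the ISP link 203.0.113.0/30, the VLAN host
# 10.10.20.10 and the internet host 198.51.100.7 are assumed placeholders. A route is
# (prefix, next_hop); next_hop None means directly connected, i.e. delivered from this device.
# ipaddress normalises the thread's "10.10.26.0/20" to 10.10.16.0/20, the block that actually
# contains both /30s (10.10.31.240/30 and 10.10.31.244/30).
TABLES = {
    "sw1": [("10.10.16.0/20", None), ("10.10.31.240/30", None), ("0.0.0.0/0", "10.10.31.242")],
    "router": [("10.10.31.240/30", None), ("10.10.31.244/30", None), ("10.10.25.120/30", None),
               ("10.10.16.0/20", "10.10.31.241"), ("0.0.0.0/0", "10.10.25.121")],
    # Firewall with two default routes, one of them back towards the router (dave's first idea).
    "fw_bad": [("10.10.25.120/30", None), ("203.0.113.0/30", None),
               ("0.0.0.0/0", "10.10.25.122"), ("0.0.0.0/0", "203.0.113.1")],
    # Firewall with only a default to the ISP and no route for the LAN side.
    "fw_nolan": [("10.10.25.120/30", None), ("203.0.113.0/30", None), ("0.0.0.0/0", "203.0.113.1")],
    # Firewall as Jon describes it: default to the ISP plus one summary static for the LAN side.
    "fw_good": [("10.10.25.120/30", None), ("203.0.113.0/30", None),
                ("10.10.26.0/20", "10.10.25.122"), ("0.0.0.0/0", "203.0.113.1")],
    "isp": [("203.0.113.0/30", None), ("0.0.0.0/0", None)],  # everything else is "the internet"
}
# Device that owns each next-hop address (interface IPs named in the thread, plus the ISP hop).
OWNERS = {"10.10.31.242": "router", "10.10.31.241": "sw1", "10.10.25.121": "fw",
          "10.10.25.122": "router", "203.0.113.1": "isp"}

def lookup(table, dst):
    """Longest-prefix match; ties fall back to table order (the ambiguity of two 0.0.0.0/0s)."""
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix, strict=False)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(start, dst, fw_table, max_hops=8):
    """Forward one packet hop by hop using the chosen firewall table.
    Returns (path, outcome) with outcome 'delivered', 'no route', 'loop' or 'hop limit'."""
    tables = dict(TABLES, fw=TABLES[fw_table])
    path, dev = [start], start
    for _ in range(max_hops):
        hit = lookup(tables[dev], dst)
        if hit is None:
            return path, "no route"
        if hit[1] is None:                  # directly connected: this is the last forwarding hop
            return path, "delivered"
        dev = OWNERS[hit[1]]
        if dev in path:                     # packet came back to a device it already left
            return path + [dev], "loop"
        path.append(dev)
    return path, "hop limit"
```

A "delivered" outcome whose path ends at "isp" for a 10.10.x.x destination means the firewall handed internal return traffic to the internet, which is what the missing LAN static route looks like in practice.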
