05-06-2015 06:42 AM - edited 03-07-2019 11:53 PM
Hi all!
I've got a question about adding a firewall to an existing network infrastructure. More specifically, how (or if) you need to change your networks in order to pass traffic outside -> in and inside -> out successfully.
So let's say I have this setup:
I'll then be adding a firewall that has an 'outside' interface of 10.1.0.2 and an Inside interface with 2 virtual interfaces, one on vlan 10 (10.1.10.254) and one on vlan 20 (10.1.20.254).
Here's what I'm thinking I want to do to add the firewall:
Does this flow seem correct? The reason I ask is because I've tried to get this setup with 2 different firewalls (PIX and NetScreen) and for one reason or another I can't seem to get the traffic to flow back out to the internet. The request will come in to the router, get sent to the 'outside' interface of the firewall, but no traffic ever flows back in the form of a reply and the connections keep getting closed due to 0 bytes of reply/syn timeout/etc. I'm thinking I'm misunderstanding where the firewall needs to sit, whether it must be the default gateway of each VLAN, etc.
Thanks for any pointers! I've spent quite some time digging into this to get an understanding of how firewalls work for my lab setup.
05-07-2015 01:41 PM
A firewall should be used to provide segregation between your communities; obviously inside/outside/maybe DMZ... but do you really need to filter the traffic which could flow between your inside VLANs? If not, then it is perfectly reasonable to position another router (3750 @ L3) behind the firewall to facilitate the inter-VLAN routing.
In this scenario you would place your SVIs on the 3750 and have a single point-to-point uplink to the firewall.
If you wanted to have a separate community on the inside you would configure a second VRF on your switch. This VRF would contain the SVIs for this other community. You would then need a second p-to-p uplink to the firewall, and these VRFs would communicate via the firewall and benefit from the protection it brings.
(see attached diagram).
cheers,
Seb.
Please rate helpful posts :)
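The layout Seb describes (SVIs on the 3750, one point-to-point uplink per community, a second community isolated in its own VRF), written out as an added IOS configuration example that is not part of the thread. Assumed values: the VLAN 10/20 gateway addresses from the original post move from the firewall to the 3750 SVIs, the uplinks are 10.1.1.0/30 and 10.1.2.0/30 with the firewall holding .1 of each, the second community is VLAN 30 in VRF GUEST, and the uplink ports are Gi1/0/1 and Gi1/0/2; VRF-lite on a 3750 needs the IP Services image.

```ios
! Added example (not from the original post). Assumed: sdm prefer routing has
! already been applied and the switch reloaded so the 3750 has L3 TCAM space.
ip routing
!
! Second community gets its own routing table (VRF-lite, classic 3750 syntax)
ip vrf GUEST
!
! Inside community: SVIs are now the default gateway of each VLAN
interface Vlan10
 description Inside VLAN 10 (addresses from original post)
 ip address 10.1.10.254 255.255.255.0
!
interface Vlan20
 description Inside VLAN 20 (addresses from original post)
 ip address 10.1.20.254 255.255.255.0
!
! Routed point-to-point uplink to the firewall inside interface (assumed /30)
interface GigabitEthernet1/0/1
 description P2P to firewall, inside community
 no switchport
 ip address 10.1.1.2 255.255.255.252
!
! Guest community: SVI and its own uplink both bound to VRF GUEST,
! so the only path between GUEST and inside is through the firewall
interface Vlan30
 description GUEST VLAN 30 (assumed)
 ip vrf forwarding GUEST
 ip address 10.1.30.254 255.255.255.0
!
interface GigabitEthernet1/0/2
 description P2P to firewall, guest community
 no switchport
 ip vrf forwarding GUEST
 ip address 10.1.2.2 255.255.255.252
!
! Each table's only exit is the firewall's side of its own uplink
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route vrf GUEST 0.0.0.0 0.0.0.0 10.1.2.1
```

The firewall side (not shown) still needs a static route for 10.1.10.0/24 and 10.1.20.0/24 via 10.1.1.2 and for 10.1.30.0/24 via 10.1.2.2, otherwise replies from the internet are dropped at the firewall exactly as the original post describes.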
05-07-2015 05:35 AM
Hi there,
It sounds like you might be doing too much NAT/ port forwarding.
If your router is configured to do the NAT for your entire internal network, then this is the only place you configure the port-forwarding. The NAT'd destination IP should be the actual 10.1.?.? address of your webserver.
The firewall will then only need ACLs to filter traffic.
Of course if your firewall is providing NAT for your internal VLANs, then yes, the router must forward traffic to the firewall's outside interface where it will be NAT'd again.
cheers,
Seb.
05-07-2015 08:37 AM
Ah ok, this makes sense. I appreciate the reply!
After you posted this I did some more reading and it turns out I was approaching this wrong. It looks like in order to use the firewall in Routing mode it must also be the default gateway for the networks it's servicing -- it isn't enough to just have the firewall have an interface on the pre-existing network VLAN. In order to do that I'd need to put the firewall in Transparent mode, NAT all incoming traffic to the transparent firewall Outside interface, then ACL it from there.
Ideally I'd have my Firewall in Routed mode and create my networks on the firewall itself, however it only has 100Mbps ports which from what I understand would make inter-VLAN routing incredibly slow -- especially if every VLAN is sharing 1 "inside" FastEthernet interface.
I'd like to be able to create my VLANs on my 3750 stack so inter-VLAN routing can utilize the large bandwidth the stack provides however I don't know how/if that'd work at the moment.