Connecting Core switch to firewall

Matthew Lucas
Level 1

Hi guys,

I have a 3750X four-switch stack acting as the core of a fairly simple LAN. All I need to achieve (and this seems inordinately hard, but it is entirely likely that I'm just being dense) is to get access to the internet through my core switch, through the firewall and out through my VSAT. I've spoken at some length with the firewall providers (Cyberoam) and they tell me all I need to do when I migrate onto my new system (Cyberoam is currently in place at the entrance to our existing LAN) is change the local IP address of the Firewall, plug in the new switch to the LAN port, and away I go. Tried that, didn't work, so obviously I'm missing something.

This is my running-config from the Core Switch:

CSW01#sh run
Building configuration...

Current configuration : 20866 bytes
!
! Last configuration change at 08:57:30 UTC Wed Mar 30 2011 by mlucas
! NVRAM config last updated at 03:52:46 UTC Wed Mar 30 2011 by mlucas
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CSW01
!
boot-start-marker
boot-end-marker
!
enable secret 4 5fpDlu4LdCozFYxrLimWlqRSZLorgqR1LnuU34XhHaE
!
username xxxx password 7 041158280870421D5A2B43
username xxxx password 7 083B43430B1000
username xxxx password 7 013B07165F59015C351D405B
username xxxx password 7 000A120F17530A265D711D1F
username xxxx password 7 15382B5D557A686569
no aaa new-model
!
switch 1 provision ws-c3750x-48p
switch 2 provision ws-c3750x-48p
switch 3 provision ws-c3750x-24s
switch 4 provision ws-c3750x-24s
system mtu routing 1500
ip routing
!
!
ip domain-name sierra-rutile.local
!
stack-power stack RUTILE
 mode redundant
!
stack-power switch 1
 stack RUTILE
 switch mode: standalone
stack-power switch 2
 stack RUTILE
 switch mode: standalone
stack-power switch 3
 stack RUTILE
 switch mode: standalone
stack-power switch 4
 stack RUTILE
 switch mode: standalone
!
!
crypto pki trustpoint TP-self-signed-2811275648
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2811275648
 revocation-check none
 rsakeypair TP-self-signed-2811275648
!
!
crypto pki certificate chain TP-self-signed-2811275648
 certificate self-signed 01


 quit
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-1024 priority 24576
!
!
vlan internal allocation policy ascending
!
interface FastEthernet0
 ip address 10.10.10.1 255.255.255.0
 no ip route-cache
!
interface GigabitEthernet1/0/1
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport access vlan 4
 switchport mode access
!
Redacted
!
interface GigabitEthernet1/0/48
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet1/1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/1/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/1/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface TenGigabitEthernet1/1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface TenGigabitEthernet1/1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet2/0/1
 switchport access vlan 8
 switchport mode access
 power inline auto max 15400
!
Redacted
!
interface GigabitEthernet2/0/48
 switchport access vlan 8
 switchport mode access
 power inline auto max 15400
!
interface GigabitEthernet2/1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
Redacted
!
interface GigabitEthernet3/1/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface TenGigabitEthernet3/1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface TenGigabitEthernet3/1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
Redacted
!
interface GigabitEthernet4/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/1/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet4/1/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface TenGigabitEthernet4/1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface TenGigabitEthernet4/1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 10.0.0.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan4
 ip address 10.0.4.10 255.255.252.0
!
interface Vlan8
 ip address 10.0.8.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan16
 ip address 10.0.16.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan20
 ip address 10.0.20.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan24
 ip address 10.0.24.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan28
 ip address 10.0.28.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan32
 ip address 10.0.32.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan36
 ip address 10.0.36.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan244
 ip address 192.168.0.254 255.255.255.0
 ip access-group 101 in
!
interface Vlan248
 ip address 192.168.10.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan252
 ip address 10.0.252.10 255.255.252.0
!
ip default-gateway 10.0.4.1
no ip http server
no ip http secure-server
!
access-list 101 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
!
line con 0
 login local
line vty 0 1
 login local
 transport input ssh
line vty 2 4
 login
 transport input none
line vty 5 15
 login
 transport input none
!
end

Cyberoam tell me only that the port on the switch connecting to the LAN port on the Cyberoam needs to be a trunk port. Current LAN-side IP of the Cyberoam is 10.10.10.4, planned new is 10.0.4.1, in line with the rest of my infrastructure. Just plugging in and making it a trunk port meant that I couldn't even ping the Cyberoam from the switch. I'm guessing (hoping) that there's a standard way of configuring the switch to connect to a firewall, but I just don't know what it is. Can anyone help, please?

Thanks in advance,

Matt

22 Replies

Ok, so have set:

no switchport

ip address 10.1.1.1 255.255.255.252

ip routing is enabled.

ip default-gateway is removed

The port is no shutdown.

The core switch can ping the FW no problems at all, but nothing else can. I've plugged in a client into one of the VLAN 8 ports, which picks up a VLAN 8 IP, but that can't ping 10.1.1.1 (nor can it access the internet). None of the other access switches can ping 10.1.1.1 either.

Here is the show running-config from the Core Switch:

CSW01#sh run
Building configuration...

Current configuration : 22137 bytes
!
! Last configuration change at 02:20:57 UTC Fri Apr 1 2011 by xxxx
! NVRAM config last updated at 02:09:59 UTC Fri Apr 1 2011 by xxxx
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CSW01
!
boot-start-marker
boot-end-marker
!
enable secret 4 5fpDlu4LdCozFYxrLimWlqRSZLorgqR1LnuU34XhHaE
!
username xxxx password 7 041158280870421D5A2B43
no aaa new-model
switch 1 provision ws-c3750x-48p
switch 2 provision ws-c3750x-48p
switch 3 provision ws-c3750x-24s
switch 4 provision ws-c3750x-24s
system mtu routing 1500
ip routing
!
!
ip domain-name xxxx
!
stack-power stack RUTILE
 mode redundant
!
stack-power switch 1
 stack RUTILE
 switch mode: standalone
stack-power switch 2
 stack RUTILE
 switch mode: standalone
stack-power switch 3
 stack RUTILE
 switch mode: standalone
stack-power switch 4
 stack RUTILE
 switch mode: standalone
!
!
!
crypto pki trustpoint TP-self-signed-2811275648
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2811275648
 revocation-check none
 rsakeypair TP-self-signed-2811275648
!
!
crypto pki certificate chain TP-self-signed-2811275648
 certificate self-signed 01


 quit
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-1024 priority 24576
!
vlan internal allocation policy ascending
!
interface FastEthernet0
 no ip address
 no ip route-cache
!
interface GigabitEthernet1/0/1
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport access vlan 4
 switchport mode access
!
output redacted
!
interface GigabitEthernet1/0/47
 switchport access vlan 4
 switchport mode access
!
interface GigabitEthernet1/0/48
 description UPLINK TO CYBEROAM
 no switchport
 ip address 10.1.1.2 255.255.255.252
!
interface GigabitEthernet1/1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/1/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/1/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
output redacted
!
interface GigabitEthernet4/1/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface TenGigabitEthernet4/1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface TenGigabitEthernet4/1/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 10.0.0.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan4
 ip address 10.0.4.10 255.255.252.0
!
interface Vlan8
 ip address 10.0.8.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan16
 ip address 10.0.16.10 255.255.252.0
 ip helper-address 10.0.4.130
 ip helper-address 10.0.4.129
!
interface Vlan20
 ip address 10.0.20.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan24
 ip address 10.0.24.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan28
 ip address 10.0.28.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan32
 ip address 10.0.32.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan36
 ip address 10.0.36.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan244
 ip address 192.168.0.254 255.255.255.0
 ip access-group 101 in
!
interface Vlan248
 ip address 192.168.10.10 255.255.252.0
 ip helper-address 10.0.4.129
 ip helper-address 10.0.4.130
!
interface Vlan252
 ip address 10.0.252.10 255.255.252.0
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
access-list 101 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
!
line con 0
 login local
line vty 0 1
 login local
 transport input ssh
line vty 2 4
 login
 transport input none
line vty 5 15
 login
 transport input none
!
ntp master
ntp server 176.31.45.66
ntp server 195.140.254.217
end

Have I missed something?

Your config looks good I think.

What do your firewall rules look like, they might be blocking?

Also your firewall needs routes back to your networks, otherwise how else will it know where to route traffic? It knows about the 10.1.1.0/30 network because it's a connected interface - that's why you are able to ping, but it doesn't know about other networks.

When a packet gets sent from a PC, for example out to the internet (4.4.4.4), on a particular VLAN, let's say from VLAN 8, it sends that to the core because that is its default gateway. Then the switch doesn't know how to get to 4.4.4.4 so it sends it to the firewall, which is its default gateway. It gets to the FW and goes out to the internet. When it comes back from the internet to the firewall, the firewall says, 'oh, I need to return it to that PC (in VLAN 8) - BUT where does it live?? [Not in routing table]'

and then the packets get dropped.

On the firewall, I'd put two routes in.

ip route 10.0.0.0 255.0.0.0 10.1.1.2

ip route 192.168.0.0 255.255.0.0 10.1.1.2

Hope this helps.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


Ah, damn it - of course. No, the firewall doesn't have static routes back, which is why of course, as you say, only the core switch can ping it - it's the only one with an interface in that network. Ok, thank you Bilal - will test again tonight and get back to you.

The annoying thing is that now you've pointed it out, I realise I already knew - having come across this exact situation (or very, very similar) in my last place. Right, excellent.

Hello Matthew, I have just tested my theory and it is the case! - you probably don't have routes back from the firewall to your networks.

If you have routes to go somewhere you also need routes coming back. And I assume the firewall doesn't have those routes.

Hope this helps.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.


Hello,
It could be an access port or trunk; if the FW is doing inter-VLAN routing then I would say a trunk port, but it looks like you're doing this.

Also I see a lot of trunk ports. These are usually for connections to other switches; if these ports are connected to end hosts then change them to access ports and assign them to the correct VLAN, and make sure these VLANs are also in the VTP database:

con t
vlan x
exit

sh vlan brief

You also have an ACL 101 which is denying traffic from 192.x to 10.0.x.

res
paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Yep - a lot of trunk ports. Got something like 23 access switches, and switches 3 and 4 in the stack are 3750X-24S-S - all fibre SFPs, so the trunking is intentional.

The ACL is to deny access from the guest wifi VLAN onto any of the corporate VLANs, so again intentional.

My recommendation: make the core's uplink interface connecting to the firewall a layer 3 interface. Assign a /30 subnet to that connection and configure the inside interface of the firewall for one of the two IPs. Then configure 'ip routing' on the core and make a static route "ip route 0.0.0.0 0.0.0.0 x.x.x.x" where 'x.x.x.x' is the IP you assigned the inside interface of the firewall. Make sure you can ping that firewall interface IP from the core router. Then on the firewall, ensure there is a default static route going out the internet interface. Turn on Port Address Translation and assign the firewall's outside interface IP as the public address for the PAT (NAT is one to one, PAT is many to one via port assignments, i.e. x.x.x.1:100 / x.x.x.1:101 / x.x.x.1:150 <- all using the same public IP).

Hope this helps.
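Bilal's return-route diagnosis and Buddy's /30 uplink design both come down to longest-prefix lookups on two routing tables, so here is an added Python trace (not from the thread or from Cisco/Cyberoam) that walks a VLAN 8 host's packet out to 4.4.4.4 and the reply back, using the subnets from the second config; the firewall tables and next-hop labels are constructed for the example.

```python
import ipaddress

# Constructed from the thread: the core's connected VLAN subnets plus its
# default route (second config), and the Cyberoam's table before and after
# Bilal's two return routes are added. Next-hops are plain labels.
CORE_ROUTES = [
    ("10.0.4.0/22", "connected:Vlan4"),
    ("10.0.8.0/22", "connected:Vlan8"),
    ("192.168.8.0/22", "connected:Vlan248"),   # 192.168.10.10/22 lives here
    ("10.1.1.0/30", "connected:Gi1/0/48"),
    ("0.0.0.0/0", "10.1.1.1"),                 # ip route 0.0.0.0 0.0.0.0 10.1.1.1
]
FW_BEFORE = [
    ("10.1.1.0/30", "connected:LAN"),          # the /30 towards the core
    ("0.0.0.0/0", "VSAT"),                     # default route out the WAN side
]
FW_AFTER = FW_BEFORE + [
    ("10.0.0.0/8", "10.1.1.2"),                # ip route 10.0.0.0 255.0.0.0 10.1.1.2
    ("192.168.0.0/16", "10.1.1.2"),            # ip route 192.168.0.0 255.255.0.0 10.1.1.2
]

def lookup(table, dst):
    """Longest-prefix match: the most specific route covering dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def round_trip(src, dst, fw_table):
    """(hop, next-hop) pairs for src -> dst and the reply; 'DROP' marks death."""
    path = [("core", lookup(CORE_ROUTES, dst))]
    if path[-1][1] != "10.1.1.1":              # core must hand it to the firewall
        return path + [("core", "DROP")]
    path.append(("fw", lookup(fw_table, dst)))
    if path[-1][1] != "VSAT":                  # firewall must send it out the WAN
        return path + [("fw", "DROP")]
    back = lookup(fw_table, src)               # reply: where does src live?
    path.append(("fw-reply", back))
    if back not in ("10.1.1.2", "connected:LAN"):
        return path + [("fw-reply", "DROP")]   # default route or no route: lost
    path.append(("core-reply", lookup(CORE_ROUTES, src)))
    return path

def reply_reaches_host(src, dst, fw_table):
    """True only if the whole round trip completes without a DROP."""
    return all(nh != "DROP" for _, nh in round_trip(src, dst, fw_table))
```

The trace also shows why the core itself (10.1.1.2) could ping the firewall all along: its address is covered by the firewall's connected /30, while VLAN 8 hosts only match the firewall's default route and are sent back out the VSAT. The first config in the thread had ip routing enabled but only ip default-gateway, which IOS consults only when IP routing is disabled; the static default route in the second config is what actually gives the core a path out.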

Thanks Buddy - I'll have a look at the FW and see how PAT is set up.
