Connecting modem-2950-2 gateway/firewall appliances

altafmawji
Level 1

Hey all,

First post so be gentle

OK, we've got a 24-port 2950 set up as our DMZ switch. It's providing web access to our web servers on a secondary ISP. The DMZ switch has about 12 ports unused. What we'd like to do is take our primary ISP, used to supply internet access to our internal LAN, and split it up between 2 firewall/gateway appliances (one servicing internal, Fortigate 200A, and one servicing a separate test environment, TMG 2010). The DMZ does go through the Fortigate already.

Now what I was thinking of was putting 4 ports on a separate VLAN, setting them up as regular switchports, connecting the modem up to one port and the two appliances to the other ports, leaving one as a spare. Keep in mind, we also have 2 IP addresses from this ISP available to us through DHCP.

My question is will this work or am I way off base? If I am, any suggestions on how I can make this work?

I also have access to a couple of spare 2950's and 3750's, as well as a couple of 4-port Linksys and D-Link switches.

Let me know if I can clarify anything. Any help would be much appreciated!

Thanks,

Altaf

4 Replies

Antonio Knox
Level 7

Can you post a drawing of what you are looking to accomplish? In matters of design it is one thing to imagine what you are doing, but it makes sense quicker when we can see it.

Hey Antonio,

Thanks for the response. Here's what I would like the setup to look like. The dashed lines are not to be touched and are on a separate VLAN (say VLAN 100). Policies are set on the Fortigate to prevent the DMZ side of things from communicating with the internal side of things, other than the internal DNS/AD (one and the same) servers.

Now if I was to configure the 4 ports on the right of the DMZ to VLAN 200 and set them to just regular switchports, would this setup be sufficient for sharing the ISP between the two gateways? My guess is no, since there has got to be some kind of routing between the 2 appliances...but I was led to believe this was set up and functional previously in this way.
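For reference, this is an added example (not posted by anyone in the thread) of the 2950 configuration that the plan above implies: VLAN 200 is the ID from the thread, while the port numbers FastEthernet0/21-24 and the VLAN name are assumptions. The switch only bridges frames between the modem and the two firewall WAN ports, so no SVI or routing is needed on it; the modem's two DHCP leases land on the two appliances.

```cisco
! Isolated VLAN for the shared ISP segment (VLAN 200 as in the thread; name assumed)
vlan 200
 name ISP-SHARED
!
! Four plain access ports: modem, Fortigate WAN, TMG WAN, one spare (port numbers assumed)
interface range FastEthernet0/21 - 24
 description ISP-SHARED segment
 switchport mode access
 switchport access vlan 200
 spanning-tree portfast
 no cdp enable
!
! Keep the spare port administratively down until it is actually needed
interface FastEthernet0/24
 shutdown
!
! Deliberately no "interface Vlan200": the switch has no address on the ISP segment,
! so nothing on the untrusted side can reach the switch's management plane.
! NAT and routing stay on the two firewall appliances.
```

If any port on this switch carries a trunk toward the rest of the network, prune VLAN 200 from it with `switchport trunk allowed vlan remove 200` so the ISP segment cannot leak onto the DMZ or internal VLANs.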

Dennis Leon
Cisco Employee

Hello Altaf,

Actually, if my understanding is correct, what you are trying to achieve is getting one single Internet link connected to both of your firewall appliances using a Switch to split the connection.

That is possible, just remember to use a separate VLAN and, if possible, use another switch than the one you are already using for other functions, so that you are not creating a single point of failure for two segments of your network.

As for the firewalls, I'm not familiar with the Fortigates on this matter, but with Cisco ASA appliances you can use one single IP if they are in a failover cluster; optionally you can use two, but that is to manage the standby one for IOS updates, etc. But I'd rather use the internal IP address instead of wasting one public IP address only for management purposes.

Hope this helps,

Dennis.

Thank you, Dennis! I really appreciate the help.

In regards to Fortigate appliances...not a fan, which is why we're moving to the TMG appliance eventually (a lot simpler to manage for my client's network admins). Anyways, neither here nor there.

Thanks again!
