Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
927
Views
0
Helpful
8
Replies

simple switch config with firewall as gateway

maciej.garcarz
Level 1
Level 1

‎04-28-2015 07:32 AM - edited ‎03-07-2019 11:47 PM

Hi Everyone,

 

This is my first post here. Until now I was only reading others posts - hope I can join and be more active as my knowledge will increase ;) Sorry for posting some maybe very basic questions - hope I can learn and become help for others soon.

 

I am making a simple config switch config on Catalyst 2960CG with 8 ports. It is a L2 switch with lanbase-routing enabled so some L3 features are there as well. Switch has Gi 0/1-8 ports configured as switchport mode access and ports Gi 0/9-10 configured as switchport mode trunk.

 

interface GigabitEthernet0/1
 switchport mode access
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/4
 switchport mode access
!
interface GigabitEthernet0/5
 switchport mode access
!
interface GigabitEthernet0/6
 switchport mode access
!
interface GigabitEthernet0/7
 switchport mode access
!
interface GigabitEthernet0/8
 switchport mode access
!
interface GigabitEthernet0/9
 switchport mode trunk
!
interface GigabitEthernet0/10
 switchport mode trunk
!
interface Vlan1
 ip address 172.30.128.5 255.255.255.0
!
ip default-gateway 172.30.128.1
no ip http server
no ip http secure-server

 

Idea is that this is a switch dedicated to small DMZ and that on Gi 0/10 which is trunk there is a connection to firewall which is my gateway. I do not manage our UTM firewall but support has communicated to me that they have set firewall port to 172.30.128.0/24 as per my request. I should be able to get access to internet and additionally I should be able to telnet to 10.104.84.9 255.255.255.0 on port 5000 and some other addresses as you can see below. You can see rules for that on my firewall below.

 

(NAT 172.30.128.0/24) subnet to outside interface so this subnet can access internet.

Rules:

1.

Source: 172.30.128.9

Destination: 194.7.129.0/24, 65.216.73.194, 217.31.76.146, 217.31.76.137, 217.31.46.146

Ports: ssh

2.

Source: 172.30.128.9

Destination: 194.7.129.0/24, 194.36.113.137, 194.36.133.139

Ports: https

3.

Source: 172.30.128.9

Destination: 194.36.113.137, 188.94.133.139

Ports: TCP/45169, TCP/45791

4.

Source: 172.30.128.9, 10.104.84.9

Destination: 10.104.84.9, 172.30.128.9

Ports: TCP/5000

5.

Source: 172.30.128.9

Destination: 217.31.76.152

Ports: TCP/1514

6.

Source: 172.30.128.9

Destination: 194.7.15.70, 157.25.5.18, 157.25.5.3, 8.8.8.8

Ports: UDP/53

7.

Source: 172.30.128.9

Destination: 69.50.219.51

Ports: UDP/123

 

It is a very simple configuration and I believe it should work but I cannot get to 10.104.84.9 255.255.255.0 on port 5000 as well as I have no access to internet. There is no DHCP on this network - I am setting static IP:172.30.128.9 255.255.255.0 172.30.128.1 and 8.8.8.8; 194.7.15.70.

 

Can anyone please check if there is something that I am missing? I will be much obliged for your help.

Maciej Garcarz

 

Labels:
0 Helpful
8 Replies 8

gmagno001
Level 1
Level 1

‎04-28-2015 09:49 AM

0 Helpful

maciej.garcarz
Level 1
Level 1
In response to gmagno001

‎04-28-2015 10:17 AM

Hi Gus,

 

Thank you for your reply. Is ip default-gateway 172.30.128.1 not enough?

0 Helpful

gmagno001
Level 1
Level 1
In response to maciej.garcarz

‎04-28-2015 10:29 AM

Its correct!

Send us a tracert from 172.30.128.9 to 10.104.84.9 and to 8.8.8.8.

Send same pings from 172.30.128.9 to 10.104.84.9 and to 8.8.8.8.

0 Helpful

maciej.garcarz
Level 1
Level 1
In response to gmagno001

‎04-30-2015 02:14 AM

Sorry for late reply. It shows lack of connectivity. I have raised a ticket with support to check firewall configuration again. I think there could be something wrong with gateway. I will post update once it is done.

0 Helpful

maciej.garcarz
Level 1
Level 1
In response to maciej.garcarz

‎05-07-2015 01:38 AM

Hi,

 

Problem was solved - all was fine from my side but gateway IP. When support provided me with correct gateway IP all worked fine :)

0 Helpful

gmagno001
Level 1
Level 1
In response to maciej.garcarz

‎04-28-2015 10:42 AM

Its correct!

Send us a tracert from 172.30.128.9 to 10.104.84.9 and to 8.8.8.8.

Send same pings from 172.30.128.9 to 10.104.84.9 and to 8.8.8.8.

0 Helpful

gmagno001
Level 1
Level 1
In response to maciej.garcarz

‎04-28-2015 10:44 AM

Its correct!

Send us a tracert from 172.30.128.9 to 10.104.84.9 and to 8.8.8.8.

Send same pings from 172.30.128.9 to 10.104.84.9 and to 8.8.8.8.

0 Helpful

gmagno001
Level 1
Level 1

‎04-28-2015 10:18 AM

0 Helpful
Customers Also Viewed These Support Documents