I have the same type of setup.
Some VLANs:
VLAN 10: 10.0.0.0/29 (255.255.255.248)
VLAN 11: 10.0.1.0/24
VLAN 12: 10.0.2.0/24
VLAN 13: 10.0.3.0/14
FW int IP: 10.0.0.1 Interface name: eth5
FW ext IP: x.x.x.x Interface name: eth0
Cisco 6509 switch/router behind firewall: 10.0.0.6
(This switch has many VLANs configured)
6509 default gateway: 10.0.0.1
FW default gateway: Whatever the router is past the firewall (outside)
FW routing using sysconfig:
New network route:
Destination: 10.0.1.0 Mask: 255.255.255.0 Gateway: 10.0.0.6 Interface: eth5 (internal interface)
Destination: 10.0.2.0 Mask: 255.255.255.0 Gateway: 10.0.0.6 Interface: eth5 (internal interface)
Destination: 10.0.3.0 Mask: 255.255.255.0 Gateway: 10.0.0.6 Interface: eth5 (internal interface)
....
Repeated for all VLANs
Default: 0.0.0.0 <outside router> 0.0.0.0 eth0 (external interface)
I created a network object for each VLAN network. I know it's a lot,
but it helps me view the network better.
I have a group called FW_eth5 which contains all my internal VLAN
networks. This group is used on the topology tab of the FW object for
anti-spoofing. It is defined for the internal interface.
For Hide-NAT:
I have a different public IP for each VLAN network as we have IPs to
spare. However, I used to have all of them hiding behind the same
public IP with no problems. I changed because it gives me some specific
tracking info that I need.
I hope this helps.
Dave Crowfoot
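The two halves of Dave's setup (OS static routes pointing every VLAN at the 6509, and an anti-spoofing group on the internal interface that lists all of those VLANs) are exactly what Chris's symptom below is missing. The following is an added illustration, not code from either post or from Check Point: a small Python model of longest-prefix routing plus the interface-topology check that anti-spoofing performs. It uses Dave's 10.0.x.0 addressing; the upstream gateway 203.0.113.1 and the test host 198.51.100.7 are constructed placeholders from the documentation address ranges, and the "incomplete" topology models Chris's firewall, where only the directly connected segment is defined behind the internal interface.

```python
"""
Model of the FW-1 setup in the thread: a firewall whose internal interface
(eth5) fronts a router that carries several VLANs.

Two things must agree for transit traffic to pass:
  1. The OS routing table needs a static route for every VLAN behind the
     internal router, pointing at the router's address on the shared segment.
  2. The interface topology used for anti-spoofing must list every one of
     those VLANs as "behind" the internal interface, or the firewall treats
     packets from them as spoofed.

All addresses are constructed for the example (10.0.x.0 per Dave's post;
203.0.113.1 / 198.51.100.7 are documentation-range placeholders).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

# (destination, gateway or None when directly connected, interface)
Route = Tuple[IPNet, Optional[IPAddr], str]

VLANS = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
ROUTER = "10.0.0.6"          # the 6509's address on the FW/eth5 segment
OUTSIDE_GW = "203.0.113.1"   # constructed placeholder for the upstream router


def build_routes(vlans: List[str], router: str, outside_gw: str) -> List[Route]:
    """Static routes as described: one per VLAN via the router, plus a default."""
    routes: List[Route] = [
        (ipaddress.ip_network("10.0.0.0/29"), None, "eth5"),   # connected segment
    ]
    for net in vlans:
        routes.append((ipaddress.ip_network(net), ipaddress.ip_address(router), "eth5"))
    routes.append((ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(outside_gw), "eth0"))
    return routes


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match over the table, as the kernel does."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen)


# Interface topology: the networks the firewall expects behind each interface.
# The external interface is implicitly "everything not listed elsewhere".
Topology = Dict[str, List[IPNet]]


def is_spoofed(topology: Topology, iface: str, src: str, external_iface: str = "eth0") -> bool:
    """True if a packet with source `src` arriving on `iface` violates the topology."""
    addr = ipaddress.ip_address(src)
    internal_nets = [n for i, nets in topology.items() if i != external_iface for n in nets]
    if iface == external_iface:
        # An internal source address showing up on the outside is spoofed.
        return any(addr in n for n in internal_nets)
    # On an internal interface the source must fall inside that interface's group.
    return not any(addr in n for n in topology.get(iface, []))


def fw_eth5_group() -> List[IPNet]:
    """The FW_eth5 group: the connected segment plus every VLAN behind the router."""
    return [ipaddress.ip_network("10.0.0.0/29")] + [ipaddress.ip_network(v) for v in VLANS]


def demo() -> dict:
    """Compare a complete topology with one that lists only the connected segment."""
    routes = build_routes(VLANS, ROUTER, OUTSIDE_GW)
    complete = {"eth5": fw_eth5_group(), "eth0": []}
    incomplete = {"eth5": [ipaddress.ip_network("10.0.0.0/29")], "eth0": []}
    return {
        "next_hop_vlan12": str(lookup(routes, "10.0.2.50")[1]),
        "next_hop_internet": str(lookup(routes, "198.51.100.7")[1]),
        "connected_is_direct": lookup(routes, ROUTER)[1] is None,
        "vlan12_ok_complete": not is_spoofed(complete, "eth5", "10.0.2.50"),
        "vlan12_dropped_incomplete": is_spoofed(incomplete, "eth5", "10.0.2.50"),
        "inbound_spoof_caught": is_spoofed(complete, "eth0", "10.0.2.50"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The route lookup alone does not make the VLANs reachable: with the incomplete topology the packet from 10.0.2.50 is routed correctly but still rejected as spoofed on eth5, which is the behaviour Chris describes. Adding every VLAN network to the internal interface's group fixes that while keeping the check that catches an internal source address arriving on eth0.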
Hi all,

I'm testing out a SecurePlatform FP3 Edition 2 system and I'm having issues getting it to route
through my internal router which has 4 VLANs.

The firewall's internal IP is 192.168.2.2, the router's IP is 192.168.2.1 (and
192.168.3.1, 192.168.4.1, 192.168.5.1) and its default gateway is the firewall's
internal IP. It seems that FW-1 thinks that only its VLAN 192.168.2.0
is behind the internal interface, and the other VLANs are
external networks (at least in that SmartDashboard diagram, which may mean
nothing). How do I let FW-1 know these VLANs are internal networks
attached to its internal interface?

Also, in terms of routing, to route to these internal VLANs I've given the OS static routes
(192.168.3.0 255.255.255.0 192.168.2.1, 192.168.4.0 255.255.255.0 192.168.2.1,
etc.). Is that all I need to do?
For Hide NAT:
Let's say I wanted all 4 of these VLANs, 192.168.2.0, 192.168.3.0, 192.168.4.0, 192.168.5.0, to have a
Hide NAT all behind the same public IP address.
Should I define each network separately and give them each a Hide NAT
with the same IP address, or would I only define an Address Range (192.168.2.0 -
192.168.5.0) and give that the Hide NAT, and not define the networks
individually? Or some combination thereof?

Thanks for any help,
Chris