Firewall and Addressing questions

Hi All,

I have a few questions regarding switching and default gateways within a real world environment:

1) Within a properly designed network (access, distribution, core), first hop redundancy protocols could be used at the distribution level. If I then wanted to forward the traffic off campus connected to the other end of the core router, would you issue the ip default-gateway command on the switch or would you create a static route to forward the needed traffic across the core link or to the outside world?

2) Firewalls then come into the situation, would you make your default gateway (considering that's where NAT happens) the inside interface of the ASA firewall? If not, would you create a static route again?

3) When you are using a ASA firewall, do you need to create a policy map to allow for routing updates such as OSPF to go outside to inside etc?

I hope this makes sense.

Thanks.

Find more posts tagged with

Comments

networker050184

The ip-default gateway command is not for forwarded traffic. You would use a default route in that situation.

It really depends on your design. Usually the default gateway as the inside IP is fine. Unfortunately ASAs do not support secondary IPs so a lot of time people will do a P2P with a router and route blocks at it.

You aren't going to be sending routing updates through the firewall.

Simrid

Thanks for your reply. Interesting, I guess running HSRP at the distribution level will still help to provide resilience within your network. Of course I won't be, my derp mistake! Thanks for picking up on that.

These questions were in line for my new job I start next week, trying to cram in a lot of bits before I start. Thanks for clarifying.

shortstop20

Simrid wrote: »

Hi All,

I have a few questions regarding switching and default gateways within a real world environment:

1) Within a properly designed network (access, distribution, core), first hop redundancy protocols could be used at the distribution level. If I then wanted to forward the traffic off campus connected to the other end of the core router, would you issue the ip default-gateway command on the switch or would you create a static route to forward the needed traffic across the core link or to the outside world?

2) Firewalls then come into the situation, would you make your default gateway (considering that's where NAT happens) the inside interface of the ASA firewall? If not, would you create a static route again?

3) When you are using a ASA firewall, do you need to create a policy map to allow for routing updates such as OSPF to go outside to inside etc?

I hope this makes sense.

Thanks.

1) There would be either a routing protocol or some static routes between the distribution and core layers. That is what would be used to forward the traffic.

2) Typically, a clients default gateway would be on a Layer 3 switch or possibly a router. Then you'd route between the Switch/Router and the Firewall.

3) You wouldn't have routes passing thru the ASA.