Hello, are the 3 ports connected to the same switch? (1 trunk port and 2
access ports) I mean, are the firewall and the PCs connected to the same switch?
If this is not the case, check the MAC address (my mistake in the last
email, I mentioned the IP address, but it is the MAC address)... if the PCs are
connected to another switch (not the same one the firewall is connected to),
check the trunk port between the switch for the firewall and the
switch for the PCs; if you don't see the MAC addresses of these PCs, it means
it is an L2 problem (misconfiguration in your Cisco switches)...




Run this command in the switch where the firewall is connected: #sh mac
address-table int (trunk to the cascade switch of the PC users)
If you see the MACs of your PCs in vlan 4 and vlan 5, L2 is OK... if you
don't see the MAC addresses, check your Cisco switches' configuration.

>          Mac Address Table
> -------------------------------------------
>
> Vlan    Mac Address       Type        Ports
> ----    -----------       --------    -----
> 4    0015.1715.76ca    DYNAMIC     Gi2/0/1
> 5    0000.0000.fe01    DYNAMIC     Gi2/0/1
> 4    0015.1715.76ca    DYNAMIC     Gi2/0/1


As I understand it there is no router but the Checkpoint, so L3 must be done
through the firewall interface... in case your PCs need routing between
1.1.1.x and 2.2.2.x, your firewall must be the L3 equipment... but before
L3 takes place, make sure L2 is working, meaning the firewall is
seeing the PCs' MAC addresses.

I hope this helps you a little bit..
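An added example, not part of the mailing-list thread and not Check Point or Cisco tooling: a Python script that cross-checks the three things discussed in this thread, the trunk port configuration on the Catalyst side (as Jason posted it, `switchport trunk allowed vlan 4,5` with dot1q encapsulation), the 802.1Q subinterfaces on the SecurePlatform side (eth3.4 and eth3.5, i.e. VLAN IDs 4 and 5), and the `show mac address-table interface` output for the trunk port. The sample inputs are constructed from the configuration quoted in the thread, not captured from live devices, and every function name is my own. It goes slightly beyond the thread in that the allowed-VLAN parser also understands IOS ranges such as `10-12`.

```python
"""Cross-check a Catalyst 802.1Q trunk against the SecurePlatform side.

Added example; not code from the mailing-list thread. It compares the trunk
port's running config, the gateway's VLAN subinterfaces (eth3.4 -> VLAN 4)
and the switch's MAC table for that port, and reports the mismatches that
give the "no traffic at all" symptom. All inputs are constructed samples.
"""
from __future__ import annotations

import re

# Constructed sample inputs (mirroring the config quoted in the thread).
TRUNK_CONFIG = """\
interface GigabitEthernet2/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 4,5
 switchport mode trunk
"""

# Interface names as the gateway would list them, e.g. from `ifconfig -a`.
SPLAT_INTERFACES = ["eth0", "eth1", "eth2", "eth3", "eth3.4", "eth3.5"]

# `show mac address-table interface GigabitEthernet2/0/1` on the switch.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   4    0015.1715.76ca    DYNAMIC     Gi2/0/1
   5    0000.0000.fe01    DYNAMIC     Gi2/0/1
"""

MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)


def expand_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '4,5,10-12' into a set of VLAN IDs."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunk(config: str) -> dict:
    """Mode, encapsulation and allowed VLANs of an interface config block.

    'allowed' is None when the port carries every VLAN (the IOS default with
    no 'switchport trunk allowed vlan' line). A running config always shows
    the resolved list, so the add/remove/except forms are not handled.
    """
    info = {"mode": None, "encapsulation": None, "allowed": None}
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"switchport (mode|trunk encapsulation|trunk allowed vlan) (.+)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "mode":
            info["mode"] = value
        elif key == "trunk encapsulation":
            info["encapsulation"] = value
        else:
            info["allowed"] = (None if value == "all" else set() if value == "none"
                               else expand_vlan_list(value))
    return info


def gateway_vlans(interfaces: list[str], parent: str) -> set[int]:
    """VLAN IDs of the 802.1Q subinterfaces hanging off `parent` (eth3.4 -> 4)."""
    pat = re.compile(re.escape(parent) + r"\.(\d+)$")
    return {int(m.group(1)) for m in map(pat.match, interfaces) if m}


def parse_mac_table(text: str) -> list[tuple[int, str, str]]:
    """Rows of `show mac address-table` as (vlan, mac, port); headers skipped."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return rows


def check_trunk(config: str, interfaces: list[str], parent: str,
                mac_table: str, trunk_port: str) -> dict:
    """Compare both ends of the trunk and report what needs fixing."""
    trunk = parse_trunk(config)
    wanted = gateway_vlans(interfaces, parent)
    report = {"config": [], "missing_on_switch": set(),
              "extra_on_switch": set(), "no_macs_seen": set()}
    if trunk["mode"] != "trunk":
        report["config"].append("port is not in 'switchport mode trunk'")
    if trunk["encapsulation"] != "dot1q":  # the Linux side only speaks 802.1Q
        report["config"].append("encapsulation is %r, expected dot1q" % trunk["encapsulation"])
    if trunk["allowed"] is None:
        report["config"].append("trunk allows all VLANs; prune it to the gateway's VLANs")
    else:
        report["missing_on_switch"] = wanted - trunk["allowed"]
        # Allowed VLANs with no subinterface behind them only widen what a
        # VLAN-hopping attacker could reach through this port; prune them too.
        report["extra_on_switch"] = trunk["allowed"] - wanted
    seen = {vlan for vlan, _mac, port in parse_mac_table(mac_table)
            if port.lower() == trunk_port.lower()}
    # No MAC learned on the trunk for a VLAN means no tagged frame for that VLAN
    # has arrived from the gateway: an L2 problem, whatever the rulebase says.
    report["no_macs_seen"] = wanted - seen
    return report
```

With the inputs as posted, `check_trunk(TRUNK_CONFIG, SPLAT_INTERFACES, "eth3", MAC_TABLE, "Gi2/0/1")` reports nothing, which is the point: `missing_on_switch` is the case the thread is chasing (a VLAN the gateway tags that the trunk drops), `no_macs_seen` is the L2 test from the message above written as a rule, and `extra_on_switch` is the pruning you want for VLAN-hopping reasons even when everything works.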



-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Stefan
Schweizer
Sent: Friday, November 12, 2010 5:58 PM
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] multi-VLANs to Cisco Catalyst

Hi Jason,

the setup you described sounds exactly like what we have had running fine on
R65.70 for some 2 years. Doesn't help you at all right now, I know.

So my question now would be, is your eth3 active? Meaning enabled? I might
have overlooked it in your OP, but I didn't see that being mentioned. In
our setup it has to be up even though there is no IP on it.

Stefan


On 12.11.2010 at 15:21, Ebersole, Jason wrote:

> Oscar,
>
> Only one switch. Gi2/0/1 is the trunk port connected to Eth3 on SPLAT. The
> other two ports are access ports. No L3 routing on the switch. (Well, "ip
> routing" is enabled, but no IP addressing on these VLANs.)
>
> Anyway, I am still running R60, so support from Checkpoint might be
> limited. Not sure yet what I'll be trying next when I get back to it on
> Monday.
>
> --jason
>
>
> ________________________________________
> From: Mailing list for discussion of Firewall-1
> [fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of Oscar Esquivel
> [oscar.esqui...@digicelgroup.com]
> Sent: Friday, November 12, 2010 4:54 PM
> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> Subject: Re: [FW-1] multi-VLANs to Cisco Catalyst
>
> Hello, I have found some pretty interesting questions to ask you...
> Eth3 from your firewall is connected to Cisco switch interface
> GigabitEthernet2/0/1, so are FastEthernet1/0/17 and FastEthernet1/0/18
> in a different switch? I guess you have connected 2 PCs to 1/0/17 and
> 1/0/18 and are trying to reach your firewall at 1.1.1.1 and 2.2.2.1? Right?
>
> If this is what you have, make sure that the switch where the firewall is
> connected (gi2/0/1) is passing the L2 VLANs through to the destination
> switches where your access ports are (Fas1/0/18 and Fas1/0/17)... if you
> haven't added these VLANs in the path between the switches, you will never
> reach the firewall from the PCs....
>
> Example:
>
>
> Firewall_switch--Switch1 in the middle--Switch2 in the middle--Switch
> for Access to PC
>
> Firewall switch: in this switch add VLANs 4 and 5 to the trunk that
> connects to switch1 in the middle..
> Switch1 in the middle: in this switch add VLANs 4 and 5 to the trunk
> that connects to Firewall_switch and switch1 in the middle
> Switch2 in the middle: in this switch add VLANs 4 and 5 to the trunk
> that connects to switch1 in the middle and the switch for access to PCs
> Switch for Access to PCs: in this switch add VLANs 4 and 5 to the
> trunk that connects to switch2 in the middle.
>
>
> Try this in your switches... in the switch where your firewall is
> connected, if the VLANs are configured well in your switches, you must see
> the IP address of your PCs connected to access ports in the other
> switches..
>
>
> switch where the firewall is connected #sh mac address-table int
> GigabitEthernet2/0/1
>          Mac Address Table
> -------------------------------------------
>
> Vlan    Mac Address       Type        Ports
> ----    -----------       --------    -----
> 4    0015.1715.76ca    DYNAMIC     Gi2/0/1
> 5    0000.0000.fe01    DYNAMIC     Gi2/0/1
> 4    0015.1715.76ca    DYNAMIC     Gi2/0/1
>
>
> Besides trying this, if you are connecting your PC to a different switch,
> try to create an access port in the switch where the firewall is
> connected, connect your PC and try to ping.. if this works, the
> problem is not Checkpoint, it is your Cisco switch configuration...
>
> Besides, in SecurePlatform you can have an interface without an IP
> address, like in your case with eth3.. because you are not running L3 on this
> interface.. because you are using 802.1Q subinterfaces....
>
> If you have any doubts just let me know..
>
>
> Rgds..
>
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:fw-1-mailingl...@amadeus.us.checkpoint.com] On Behalf Of
> Ebersole, Jason
> Sent: Friday, November 12, 2010 12:11 PM
> To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
> Subject: [FW-1] multi-VLANs to Cisco Catalyst
>
> I've found various information online about how to do this, and I'm not
> sure what else to try. Before beating my head against the wall some
> more, I thought I'd share my config and hope someone can provide some
> insight. First, I'm still on SecurePlatform R60, so be nice!
>
> Anyway, here is my firewall topology:
>
> Eth0 --> 3.3.3.1 / 255.255.255.0 / This network
> Eth1 --> 4.4.4.1 / 255.255.255.252 / External
> Eth2 --> 5.5.5.1 / 255.255.255.252 / This network
> Eth3.4 --> 1.1.1.1 / 255.255.255.0 / This network
> Eth3.5 --> 2.2.2.1 / 255.255.255.0 / This network
>
> No IP address on Eth3, so that is why it doesn't show up. My Google
> searching says that this is pretty much it as far as SPLAT config. This
> will send VLAN IDs 4 & 5 (via 802.1q encapsulation) down the wire
> physically attached to the Eth3 interface.
>
> Ok, now the Cisco 3750 switch. I'm working with three interfaces on the
> switch. One is a trunk port that connects to the SPLAT Eth3 interface,
> and the other two are access ports; one for VLAN4 and the other for
> VLAN5:
>
> Trunk Port:
> interface GigabitEthernet2/0/1
> switchport trunk encapsulation dot1q
> switchport trunk allowed vlan 4,5
> switchport mode trunk
>
> Access port for VLAN4:
> interface FastEthernet1/0/17
> switchport access vlan 4
> switchport mode access
>
> Access port for VLAN5:
> interface FastEthernet1/0/18
> switchport access vlan 5
> switchport mode access
>
> No IP Addressing on the vlans as I want routing to happen through the
> gateway. Also, this switch is configured as VTP Server, but since I
> don't have access ports on other switches for VLAN4 & 5, VTP config
> shouldn't matter; at least that's what I think.
>
> PCs are plugged into the access ports, each configured appropriately:
>
> PC1 --> Fa1/0/17 (VLAN4) --> 1.1.1.2 / 255.255.255.0
> PC2 --> Fa1/0/18 (VLAN5) --> 2.2.2.2 / 255.255.255.0
>
> This should be it, but I see no evidence of any communication using
> PINGs and watching the SmartView Tracker.  Please let me know if you see
> something terribly wrong with my configuration.
>
> Thanks, Jason

Scanned by Check Point Total Security Gateway.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to lists...@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-ow...@ts.checkpoint.com
=================================================

Notice of Confidentiality:

The information contained in this communication is intended solely for the use 
of the individual or entity to whom it is addressed and others authorized to 
receive it. It may contain confidential or legally privileged information. If 
you are not the intended recipient you are hereby notified that any disclosure, 
copying, distribution or taking any action in reliance on the contents of this 
information is strictly prohibited and may be unlawful. If you have received 
this communication in error, please notify us immediately by responding to this 
email and then delete it from your system.
