Hardware required for DMZ on PIX 506E?

Jun 15th, 2007

Hello,

We recently bought a Cisco Pix 506E firewall app. for our (small sized) network. The specs state that the pix 506 is capable of using a DMZ interface; however, there are only two physical interfaces. I figure that for a DMZ I have to configure an additional logical interface (vlan). The setup that we have (with the pix 506) will be:

Pix 506:

interface 0 (outside): global ip address

interface 1 (inside): 192.168.1.1, subnet 255.255.255.0

Vlan1 (logical on interface 1): 192.168.100.1, subnet 255.255.255.0


Interface 1 is connected to an unmanaged 3com switch.

Behind the switch there are several 192.168.1.x systems and one webserver with ip address 192.168.100.7.


I was under the assumption that the pix would figure out the proper (logical) interface based on the ip address of the system, but the webserver is not able to reach any interface (not 192.168.1.1, not 192.168.100.1).


My experience with Cisco equipment is very, very limited (as one probably has figured out by now) but I assume that I need an additional switch with vlan support to make this setup work?

Can anyone confirm that this is the case? Or is it possible to construct a Wan/Lan/DMZ setup with a Pix 506E without additional "intelligent" hardware?

Thank you for the reply.

Jon Marshall Fri, 06/15/2007 - 00:37

Hi


If you are using logical interfaces on the Pix 506E then the connection from the inside interface to the switch must be configured as a trunk port on the switch. This is because multiple vlan information must be passed down this link.


I don't know whether the 3com supports 802.1q vlan tagging but this is what it needs to work.


HTH


Jon
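
The tagging requirement described in the reply above, as an added example that is not part of the original thread: a simplified Python model (not PIX code) of how a trunk endpoint assigns frames to interfaces by their 802.1Q tag. It assumes "Vlan1" means VLAN ID 1 and that untagged frames belong to the physical inside interface; the MAC addresses and the 192.168.1.10 workstation are constructed.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Layout from the question. VLAN ID 1 is an assumption taken from the name "Vlan1".
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
LOGICAL_IFACES = {1: ipaddress.ip_network("192.168.100.0/24")}


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed Ethernet + IPv4 header; tagged only if vlan_id is given."""
    macs = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    tag = b"" if vlan_id is None else struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return macs + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip


def classify(frame):
    """Return (interface, source_ip_fits_interface_subnet) for a received frame."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vid = 14, None
    if ethertype == TPID_8021Q:
        # Tagged: the 12-bit VLAN ID sits in the TCI, the real EtherType follows it.
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vid, offset = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_IPV4:
        return (None, False)
    src = ipaddress.ip_address(frame[offset + 12:offset + 16])
    if vid is None:
        # Untagged frames can only be attributed to the physical interface.
        return ("inside", src in INSIDE_NET)
    if vid in LOGICAL_IFACES:
        return (f"vlan{vid}", src in LOGICAL_IFACES[vid])
    return (None, False)


if __name__ == "__main__":
    # An unmanaged switch forwards the webserver's frame untagged.
    print(classify(build_frame("192.168.100.7", "192.168.100.1")))
    # A VLAN-capable switch with a trunk port would deliver it tagged.
    print(classify(build_frame("192.168.100.7", "192.168.100.1", vlan_id=1)))
    # A workstation on the inside subnet needs no tag.
    print(classify(build_frame("192.168.1.10", "192.168.1.1")))
```

The source IP address plays no part in selecting the interface: only the tag does, which is why the untagged webserver frame never reaches the 192.168.100.1 logical interface in this model.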

WillemOtten Fri, 06/15/2007 - 00:48

Thanks for your reply, Jon. The 3Com that we currently have is unmanaged, and does not support vlans. Your reply thus also indicates that I probably need additional hardware.
