oops! Pix VLAN mess up. VPN gone down


Oops, I've made a bit of a mess of this. I didn't do this on site (the datacenter is too far away), so now I have a very early start before clients connect unless I can fix this on the PIX over SSH (which I can connect to)!

I've had a few issues with VLANs behind the firewall. There are two: VLAN 2 ( and VLAN 10 (

The PIX connects to a Catalyst via a trunk which carries both VLANs. The PIX DID have the inside interface of and the Catalyst had the default VLAN 2.

I simply changed the default VLAN on the Catalyst to VLAN 10 (this kicked me off the VPN, which I expected). I then thought I could log in over SSH on the firewall, change the internal interface to and everything would be fine. I did this, but no joy. Everything is down. I think this is because the route on the Catalyst is still pointing to the address.

Aaahh! Anything I can do? I've added a logical address in VLAN 2 with the address, still no joy! Do I have to make the physical address of have a lower security level than the logical VLAN 2 address?

Sorry, I'm quite new to this, as you can see!

Thanks in advance



Jon Marshall Wed, 07/11/2007 - 12:27


Can you post the config of the PIX?

When you say you added the VLAN 2 logical address, how do you know nothing is working?


I can no longer access any of the websites behind it, and the LAN-to-LAN VPN I have is still up but not routing traffic.

See below. I notice all the statics have disappeared as well!

PIX Version 7.2(2)

hostname G-FWPIX-1
domain-name fwlevel3.com
enable password xxx

interface Ethernet0
 nameif outside
 security-level 0

interface Ethernet1
 nameif inside
 security-level 100
 ip address

interface Ethernet1.1
 vlan 2
 nameif VLAN2
 security-level 100
 ip address

interface Ethernet2
 nameif DMZ
 security-level 50
 ip address

passwd xxx
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
access-list acl_inbound extended permit tcp any host XXXXXXXXXXXX eq https

access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list outside_cryptomap_20 extended permit ip
access-list outside_cryptomap_20 extended permit ip
pager lines 24
logging enable
logging timestamp
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu VLAN2 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400

global (outside) 10 interface
access-group acl_inbound in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username admin password XXXXXXXXX encrypted privilege 15
username cisco password XXXXXXXXXXXXXX encrypted
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer XXXXXXXXXXXXX
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group XXXXXXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXXXXXX ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns migrated_dns_map_1
 message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

service-policy global_policy global
ssl encryption des-sha1 rc4-md5
prompt hostname context

: end
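The layout the thread is working toward (one trunk from the PIX into the Catalyst carrying VLAN 2 and VLAN 10), as an added example that is not the poster's config and not from any reply in the thread. The interface names, the Catalyst port, and the addresses (192.168.5.0/24 for VLAN 2 and 10.0.0.0/24 for VLAN 10, taken from the subnets Jon Marshall mentions below) are assumptions. The point it illustrates: on PIX 7.x a subinterface only receives 802.1Q frames tagged with its `vlan`, while the physical interface, if it carries a `nameif` and address, receives the untagged frames, i.e. whatever the switch treats as the native VLAN on that trunk. Changing the native (default) VLAN on the Catalyst therefore moves the physical interface's LAN without any change on the PIX, and no amount of security-level adjustment fixes that: security levels only govern which traffic may pass between two interfaces, not which VLAN an interface is in. The robust layout tags every production VLAN into its own subinterface, leaves the physical interface without an address, and pins the trunk's native VLAN to an unused VLAN on the switch.

```cisco
! ---- PIX 7.2 side (assumed example, not the poster's running config) ----
interface Ethernet1
 description Trunk to Catalyst; all production VLANs arrive tagged
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet1.2
 vlan 2
 nameif VLAN2
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Both internal interfaces sit at security-level 100. The PIX drops traffic
! between two interfaces of the same level unless this is enabled.
same-security-traffic permit inter-interface
!
! Only needed for subnets that are NOT directly connected, e.g. a third
! network (assumed 10.0.1.0/24) reachable via the Catalyst's VLAN 10 SVI.
route inside 10.0.1.0 255.255.255.0 10.0.0.2 1
!
! Checks from the SSH session once the change is in:
!   show interface Ethernet1.2     - subinterface up, VLAN 2 shown
!   show route                     - 192.168.5.0 and 10.0.0.0 listed as CONNECT
!   ping VLAN2 192.168.5.2         - Catalyst SVI in VLAN 2 (assumed address)
!   ping inside 10.0.0.2           - Catalyst SVI in VLAN 10 (assumed address)

! ---- Catalyst side (assumed example) ----
vlan 2
 name VLAN2
vlan 10
 name INSIDE
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet0/1
 description Trunk to G-FWPIX-1 Ethernet1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,10
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
! With every production VLAN tagged and the native VLAN parked on an unused
! VLAN, changing the default VLAN elsewhere on the switch cannot silently
! move the firewall's LAN, and untagged frames on the trunk go nowhere.
```

Two practical caveats when doing this remotely. First, on PIX/ASA 7.x changing an interface's `nameif` removes every command that referenced the old name (`static`, `nat`, `access-group`, `route`, `management-access` and so on), so keep the existing names and change only `vlan` and `ip address` if the session must survive; the `management-access inside` line in the config above is what lets the LAN-to-LAN VPN reach the PIX for management, and it goes with the name. Second, make the switch-side change and the PIX-side change in the order that keeps the current management path alive until the last step, and only then move the native VLAN.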

Jon Marshall Wed, 07/11/2007 - 12:53


Let's start with the basics. If you are on the PIX, can you ping either the 192.168.5.x address on the Catalyst or the 10.0.0.x address on the Catalyst?

You don't have any routes for the inside networks. Do you only have VLAN 2 and VLAN 10 on your internal network?


Jon Marshall Wed, 07/11/2007 - 13:20


Are you saying it now works now that you have the statics back?

Are your servers on either VLAN 2 or VLAN 10?

Apologies, but I have an important meeting tomorrow, so I have to get some shut-eye now.

I hope you get it working. I'll check again tomorrow morning.


