PIX VLANs

Unanswered Question
Sep 22nd, 2007

I have a PIX 515 running 7.2(2). I am trying to set up a public and a private network to separate the traffic. My PIX doesn't seem to want to participate in the VLAN. VLAN 1 is my private VLAN and VLAN 2 is my public VLAN. My Switch is a 3560.

PIX Config

interface Ethernet1
 no nameif
 no security-level
 no ip address
!
interface Ethernet1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet1.2
 vlan 2
 nameif public
 security-level 10
 ip address 172.16.0.1 255.255.255.0

Switch Config

interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 10.0.0.221 255.255.255.0

I can't ping either direction. I do see the MAC address for the PIX in the ARP cache on the switch.

What am I doing wrong?

Thanks,

mdieken01 Sat, 09/22/2007 - 14:36

What Trunk configuration for the PIX? Maybe that is what I am missing.

JORGE RODRIGUEZ Sat, 09/22/2007 - 14:45

Hi, where is the trunk config on the PIX? Can you post that portion.

[EDIT] Never mind, and sorry about that: 802.1q is automatically enabled when creating logical interfaces.

Is the interface up on the PIX where you have the trunk?

If you connect a host in one of the VLANs and try to ping its default gateway, say 10.0.0.1, can you get replies?

Rgds

Jorge

JORGE RODRIGUEZ Sun, 09/23/2007 - 08:40

Mark, few things to look into.

First: From the PIX, if you can ping the interfaces 172.16.0.1 and 10.0.0.1, that will indicate they are pingable.

Second: From the switch, issue "show interface trunk" to see the VLANs passing through that trunk.

Third: Make sure you have created the VLANs in the switch corresponding to these two new routable networks; check your VLAN database.

Fourth: Assign proper VLAN membership on ports corresponding to these two new VLANs.

Fifth: From a lower security level to a higher security level you need an access list to allow communications from the 172.16.0.0/24 to the 10.0.0.0/24 network; that includes ICMP or any other ports required.

HTH

Jorge
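The second to fifth checks above, written out as configuration; this is an added example, not from the thread or either poster. It assumes the 3560 access ports fa0/2 and fa0/3, the ACL name public_in and the native VLAN ID 999 are placeholders, and it adds one caveat the thread does not mention: a dot1q trunk sends its native VLAN (VLAN 1 by default on the 3560) untagged, while a PIX subinterface configured with "vlan 1" only matches tagged frames, so VLAN 1 must either be tagged on the trunk or not be used for the inside subinterface.

```cisco
! --- 3560 side (added example, not from the thread) ---
! Both VLANs must exist in the VLAN database; a trunk does not carry a VLAN that
! has not been created.
vlan 2
 name public
!
! Assumption: VLAN 1 is still the trunk's native VLAN, so its frames leave fa0/1
! untagged and the PIX subinterface "vlan 1" never sees them. Moving the native
! VLAN to an unused ID (999 is a placeholder) makes VLAN 1 tagged as well.
vlan 999
 name native-unused
!
interface FastEthernet0/1
 description trunk to PIX Ethernet1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,2
 switchport mode trunk
!
! Access ports for a host on each network (port numbers are placeholders).
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 1
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 2
!
! --- PIX side (added example) ---
! Traffic entering the lower-security "public" interface (10) toward "inside" (100)
! is dropped unless an ACL on "public" permits it; permit only what is needed
! (here ICMP echo for the ping test, rather than "permit ip any any").
access-list public_in extended permit icmp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 echo
access-group public_in in interface public
!
! Verification (switch first, then PIX):
!   show interfaces trunk        - VLANs 1 and 2 should be listed as active on Fa0/1
!   show vlan brief              - VLAN 2 should exist and fa0/3 should be a member
!   show interface Ethernet1.1   - PIX subinterface should show line protocol up
```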
