Unanswered Question
Sep 22nd, 2007

I have a PIX 515 running 7.2(2). I am trying to set up a public and a private network to separate the traffic. My PIX doesn't seem to want to participate in the VLAN. VLAN 1 is my private VLAN and VLAN 2 is my public VLAN. My Switch is a 3560.

PIX Config

interface Ethernet1
 no nameif
 no security-level
 no ip address

interface Ethernet1.1
 vlan 1
 nameif inside
 security-level 100
 ip address

interface Ethernet1.2
 vlan 2
 nameif public
 security-level 10
 ip address

Switch Config

interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface Vlan1
 ip address

I can't ping either direction. I do see the MAC address for the PIX in the ARP cache on the switch.

What am I doing wrong?


JORGE RODRIGUEZ Sat, 09/22/2007 - 14:33

Hi, where is the trunk config on the PIX? Can you post that portion?



mdieken01 Sat, 09/22/2007 - 14:36

What Trunk configuration for the PIX? Maybe that is what I am missing.

JORGE RODRIGUEZ Sat, 09/22/2007 - 14:45

Hi, where is the trunk config on the PIX? Can you post that portion?

[EDIT] Never mind and sorry about that, 802.1q is automatically enabled when creating logical interfaces.

Is the interface up on the PIX where you have the trunk?

If you connect a host in one of the vlans and try to ping its default gateway say can you get replies?



JORGE RODRIGUEZ Sun, 09/23/2007 - 08:40

Mark, few things to look into.

First: From the PIX if you can ping the interfaces and that will indicate they are pingable.

Second: From the switch issue "show interface trunk" to see the vlans passing through that trunk.

Third: Make sure you have created the vlans in the switch corresponding to these two new routable networks, check your vlan database.

Fourth: Assign proper vlan membership on ports corresponding to these two new vlans.

Fifth: From lower security level to highest security level you need access list to allow communications from to network, that includes icmp or any other ports required.
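
The second and third checks in the list above, as an added example that is not part of the thread: Python that reads "show interface trunk" output for the trunk port and reports which of the PIX subinterface VLANs are not allowed, not active or not forwarding. The sample output is constructed, the function names are hypothetical, and the native-VLAN check is an addition not raised in the thread (a Catalyst trunk sends its native VLAN untagged by default, while PIX subinterfaces handle tagged frames).

```python
# Constructed `show interfaces trunk` output (not from the thread): VLAN 2 was never created.
SAMPLE = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa0/1       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-4094

Port        Vlans allowed and active in management domain
Fa0/1       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1
"""
SECTIONS = ("status", "allowed", "active", "forwarding")  # table order in the output

def expand(spec):
    """'1-2,10' -> {1, 2, 10}; 'none' -> empty set."""
    out = set()
    for lo, _, hi in (p.partition("-") for p in spec.split(",") if p[:1].isdigit()):
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_trunk(output, port):
    """Return status, native VLAN and the three VLAN sets for one port."""
    info, idx = {}, -1
    for line in output.splitlines():
        fields = line.split()
        if fields[:1] == ["Port"]:
            idx += 1  # each "Port ..." header opens the next table
        elif fields[:1] == [port] and idx == 0:
            info["status"], info["native"] = fields[3], int(fields[4])
        elif fields[:1] == [port]:
            info[SECTIONS[idx]] = expand("".join(fields[1:]))
    return info

def check(output, port, wanted):
    """Problems for the VLANs the firewall subinterfaces tag (1 and 2 in the thread)."""
    t = parse_trunk(output, port)
    if t.get("status") != "trunking":  # ports that are not trunking are not listed at all
        return [f"{port} is not trunking"]
    problems = []
    for v in sorted(wanted):
        missing = [k for k in SECTIONS[1:] if v not in t.get(k, set())]
        if missing:
            problems.append(f"VLAN {v} not {missing[0]} on {port}")
        if v == t["native"]:
            problems.append(f"VLAN {v} is native on {port}: switch sends it untagged")
    return problems
```

Calling check(SAMPLE, "Fa0/1", {1, 2}) on the constructed sample reports VLAN 1 as the native VLAN and VLAN 2 as not active.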



