PIX VLANs

Unanswered Question
Sep 22nd, 2007

I have a PIX 515 running 7.2(2). I am trying to set up a public and a private network to separate the traffic. My PIX doesn't seem to want to participate in the VLAN. VLAN 1 is my private VLAN and VLAN 2 is my public VLAN. My switch is a 3560.

PIX Config

interface Ethernet1
 no nameif
 no security-level
 no ip address
!
interface Ethernet1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet1.2
 vlan 2
 nameif public
 security-level 10
 ip address 172.16.0.1 255.255.255.0


Switch Config

interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 10.0.0.221 255.255.255.0


I can't ping either direction. I do see the MAC address for the PIX in the ARP cache on the switch.

What am I doing wrong?

Thanks,

JORGE RODRIGUEZ Sat, 09/22/2007 - 14:33

Hi, where is the trunk config on the PIX? Can you post that portion.


Rgds

Jorge


mdieken01 Sat, 09/22/2007 - 14:36

What Trunk configuration for the PIX? Maybe that is what I am missing.

JORGE RODRIGUEZ Sat, 09/22/2007 - 14:45

Hi, where is the trunk config on the PIX? Can you post that portion.


[EDIT] Never mind, and sorry about that: 802.1q is automatically enabled when creating logical interfaces.


Is the interface up on the PIX where you have the trunk?



If you connect a host in one of the VLANs and try to ping its default gateway, say 10.0.0.1, do you get replies?


Rgds

Jorge


JORGE RODRIGUEZ Sun, 09/23/2007 - 08:40

Mark, a few things to look into.


First: From the PIX, if you can ping the interfaces 172.16.0.1 and 10.0.0.1, that will indicate they are pingable.


Second: From the switch, issue "show interface trunk" to see the VLANs passing through that trunk.


Third: Make sure you have created the VLANs in the switch corresponding to these two new routable networks; check your VLAN database.


Fourth: Assign proper VLAN membership on the ports corresponding to these two new VLANs.


Fifth: From a lower security level to a higher security level you need an access list to allow communication from the 172.16.0.0/24 to the 10.0.0.0/24 network; that includes ICMP or any other ports required.


HTH

Jorge
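The checklist above, written out as a working pair of configurations. This is an added example, not something posted in the thread: it takes the PIX and 3560 configs from the original question and fills in the pieces Jorge's five points ask for (the VLAN 2 definition, the trunk allowed list, an access port in VLAN 2, and an inbound access list on the lower-security "public" interface), plus the verification commands to run on each side. One detail the thread does not mention is worth checking in this setup: on a dot1q trunk the 3560 sends VLAN 1 untagged (it is the default native VLAN), while a PIX 7.x subinterface such as Ethernet1.1 only accepts tagged frames, and untagged frames go to the physical Ethernet1, which has no nameif and therefore drops them. Moving the native VLAN to an unused ID makes VLAN 1 arrive tagged; using something other than VLAN 1 for the inside network is the usual recommendation anyway. The native VLAN ID 999, the port FastEthernet0/2, the access-list name public_in and the web server 10.0.0.50 are assumptions made for the example, not values from the page.

```cisco
!=== Catalyst 3560 (added example; values marked "assumption" are not from the thread) ===
! Jorge's third point: VLAN 2 must exist in the VLAN database before a trunk will carry it
vlan 2
 name public
!
! Trunk to the PIX. Pin the trunk (no DTP negotiation) and restrict it to the two VLANs in use.
interface FastEthernet0/1
 description Trunk to PIX Ethernet1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,2
 switchport mode trunk
 switchport nonegotiate
! native vlan 999 is an assumption (any VLAN not otherwise used); it makes VLAN 1 frames
! leave the trunk tagged, which is what the PIX subinterface "vlan 1" expects
!
! Jorge's fourth point: a host port that is a member of the public VLAN (port number is an assumption)
interface FastEthernet0/2
 description Host on public network 172.16.0.0/24
 switchport mode access
 switchport access vlan 2
 spanning-tree portfast
!
interface Vlan1
 ip address 10.0.0.221 255.255.255.0
!
! Jorge's second point, verification on the switch:
!   show vlan brief                          -> VLAN 2 present, Fa0/2 listed under it
!   show interfaces FastEthernet0/1 trunk    -> "Vlans allowed and active" shows 1,2
!   show interfaces FastEthernet0/1 switchport -> Trunking Native Mode VLAN: 999

!=== PIX 515 7.2(2) ===
! The physical trunk port must be up; the subinterfaces inherit its state
interface Ethernet1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet1.2
 vlan 2
 nameif public
 security-level 10
 ip address 172.16.0.1 255.255.255.0
!
! Jorge's fifth point: traffic from the lower-security "public" interface to the
! higher-security "inside" interface is dropped unless an access list permits it.
! Keep it narrow: echo requests only, and one hypothetical service (10.0.0.50 is an assumption).
access-list public_in extended permit icmp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 echo
access-list public_in extended permit tcp 172.16.0.0 255.255.255.0 host 10.0.0.50 eq www
access-group public_in in interface public
!
! So that pings started from the inside get their echo-replies back without a second ACL,
! make ICMP stateful in the default global policy
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Jorge's first point, verification on the PIX:
!   show interface Ethernet1          -> "line protocol is up"
!   show interface ip brief           -> Ethernet1.1 and Ethernet1.2 up/up with their addresses
!   ping inside 10.0.0.221            -> reply from the switch SVI once VLAN 1 arrives tagged
!   ping public 172.16.0.x            -> reply from a host on Fa0/2
```

Two security points to keep in mind with this layout: `switchport trunk allowed vlan 1,2` and `switchport nonegotiate` keep a host on an access port from negotiating a trunk or reaching VLANs that do not belong on the firewall link, and the inbound access list on the public interface is the only thing standing between the public VLAN and the inside network, so it should list specific hosts and ports rather than `permit ip any any`.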



