PIX VLANs

mdieken01

I have a PIX 515 running 7.2(2). I am trying to set up a public and a private network to separate the traffic. My PIX doesn't seem to want to participate in the VLAN. VLAN 1 is my private VLAN and VLAN 2 is my public VLAN. My Switch is a 3560.

PIX Config

interface Ethernet1
 no nameif
 no security-level
 no ip address
!
interface Ethernet1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet1.2
 vlan 2
 nameif public
 security-level 10
 ip address 172.16.0.1 255.255.255.0

Switch Config

interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 10.0.0.221 255.255.255.0

I can't ping either direction. I do see the MAC address for the PIX in the ARP cache on the switch.

What am I doing wrong?

Thanks,

4 Replies

JORGE RODRIGUEZ

Hi, where is the trunk config on the PIX can you post that portion.

Rgds

Jorge

Jorge Rodriguez

What Trunk configuration for the PIX? Maybe that is what I am missing.

JORGE RODRIGUEZ

Hi, where is the trunk config on the PIX can you post that portion.

[EDIT] Never mind, and sorry about that: 802.1Q is automatically enabled when creating logical interfaces.

Is the interface up on the PIX where you have the trunk?

If you connect a host in one of the VLANs and try to ping its default gateway, say 10.0.0.1, can you get replies?

Rgds

Jorge

Jorge Rodriguez

JORGE RODRIGUEZ

Mark, a few things to look into.

First: From the PIX, if you can ping the interfaces 172.16.0.1 and 10.0.0.1, that will indicate they are pingable.

Second: From the switch, issue "show interface trunk" to see the VLANs passing through that trunk.

Third: Make sure you have created the VLANs in the switch corresponding to these two new routable networks; check your VLAN database.

Fourth: Assign proper VLAN membership on ports corresponding to these two new VLANs.

Fifth: From a lower security level to a higher security level you need an access list to allow communications from the 172.16.0.0/24 network to the 10.0.0.0/24 network, and that includes ICMP or any other ports required.

HTH

Jorge

Jorge Rodriguez
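Added worked configuration (editor's example, not posted by anyone in the thread) that walks Jorge's checklist across both devices, reusing the addresses from the original post. It also covers a point the thread never reaches: on an IOS 802.1Q trunk the native VLAN, which is VLAN 1 by default on a 3560, is sent untagged, while PIX 7.x subinterfaces only accept tagged frames, so with the posted config the PIX would not see VLAN 1 traffic on Ethernet1.1 at all. Moving the native VLAN to an otherwise unused ID makes the switch tag both VLAN 1 and VLAN 2. The native VLAN ID 99, the host port numbers, the access-list name `public_in` and the interface descriptions are all assumptions.

```text
! ===== Catalyst 3560 (IOS) =====
! Third/Fourth: create VLAN 2 (VLAN 1 exists by default) and give host
! ports membership in the right VLAN. Port numbers are assumptions.
vlan 2
 name public
!
interface FastEthernet0/2
 description private host (assumed)
 switchport mode access
 switchport access vlan 1
!
interface FastEthernet0/3
 description public host (assumed)
 switchport mode access
 switchport access vlan 2
!
! The native VLAN is sent untagged on a dot1q trunk. Moving it off VLAN 1
! to an unused ID (99, assumed) makes VLAN 1 and VLAN 2 both arrive tagged
! at the PIX subinterfaces. Pruning the allowed list keeps other VLANs off
! the firewall link.
vlan 99
 name native-unused
!
interface FastEthernet0/1
 description trunk to PIX Ethernet1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,2
 switchport mode trunk
!
! Second: verify both VLANs are active on the trunk, then ping the PIX
! from the switch's VLAN 1 SVI (10.0.0.221 in the post).
! show interfaces trunk
! show vlan brief
! ping 10.0.0.1

! ===== PIX 515, 7.2(2) =====
! 7.x interfaces default to shutdown; "no shutdown" is shown explicitly
! because Jorge asks whether the trunk interface is up.
interface Ethernet1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet1.2
 vlan 2
 nameif public
 security-level 10
 ip address 172.16.0.1 255.255.255.0
!
! Fifth: traffic from the lower security level (public, 10) to the higher
! (inside, 100) needs an ACL. Only ICMP echo is permitted here; add the
! services you actually need as explicit lines. ACL name is an assumption.
access-list public_in extended permit icmp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 echo
access-group public_in in interface public
!
! Let echo replies return to inside hosts that ping outward without
! opening public->inside: ICMP inspection in the default global policy.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! First: confirm the subinterfaces are up and answer, and that the
! switch's MAC has been learned on the inside subinterface.
! show interface Ethernet1.1
! show interface Ethernet1.2
! ping 10.0.0.221
! show arp
```

Moving the native VLAN off VLAN 1 and leaving it unused is also the usual trunk hardening advice independent of this problem: an access port that sits in the native VLAN can inject double-tagged frames that the trunk forwards into another VLAN, so the private network should not share an ID with the trunk's native VLAN.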