VLANs can't ping PIX e1 address.

Unanswered Question
Mar 24th, 2008

Can anyone point me in the direction of some examples of VLAN equipment (3550-ish switches) and a PIX firewall?

I've been trying to ping my firewalls from the inside of my VLAN and from the firewall to the inside of the VLAN and getting nowhere. I can ping from the firewall to the routing port on the 3550. I'm using a /30 address from the PIX e1 to the routing port f0/1 on the 3550. But trying to ping from the other VLANs to the e1 address, or connecting through telnet from a VLAN to the PIX, is not working. I don't have any ACLs on the 3550. The PIX has ACLs on the e0 outside interface but not on the inside.

If it's easier I can post the configs. This is my first VLAN going into production and it's not going like the labs I've done.

Jon Marshall Mon, 03/24/2008 - 12:00

Hi

Do you have routes on the pix and the 3550?

Let's say your point to point is

3550 fa0/1 - 192.168.5.1/30 -> 192.168.5.2/30 e1 pix

example vlans on switch

vlan 10 - 192.168.10.0/24

vlan 11 - 192.168.11.0/24

So on pix

route inside 192.168.10.0 255.255.255.0 192.168.5.1

route inside 192.168.11.0 255.255.255.0 192.168.5.1

On the 3550 the best solution is probably to have a default-route pointing to the pix ie.

ip route 0.0.0.0 0.0.0.0 192.168.5.2

HTH

Jon

jmaurer1205 Mon, 03/24/2008 - 12:33

I have the ip default-gateway 192.168.5.2 and thought that would take care of all the routing issues.

interface vlan10

ip address 192.168.15.1 255.255.255.0

192.168.15.1 is the gateway for the network correct?

so for vlan10 my IP =

192.168.10.5

255.255.255.0

192.168.15.1

Jon Marshall Mon, 03/24/2008 - 12:50

Hi

The PC setup is correct.

The ip default-gateway setting - is this on the 3550?

The ip default-gateway command is used if the 3550 is acting as a layer 2 switch. If you want the 3550 to route then

1) 3550(config)# ip route 0.0.0.0 0.0.0.0 192.168.5.2

2) 3550(config)# ip routing

Then if 192.168.5.2 is the pix you need to tell the pix how to get back to vlan 10 eg.

route inside 192.168.15.0 255.255.255.0 192.168.5.1

assuming 192.168.5.1 is the routed fa0/1 port on the 3550.

Jon
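
The failure Jon describes is a return-path problem: the switch can send the echo request to the PIX, but the PIX has no route back to the VLAN subnet, so the reply is dropped even though no ACL is involved. The following script is an added example, not part of this thread or any Cisco product; it models the route tables above as plain lists, does a longest-prefix lookup, and checks both directions of a ping. The host address 192.168.15.5 is a constructed example in the vlan10 subnet, and the two PIX tables show the state before and after the `route inside` line is added.

```python
import ipaddress

# Constructed route tables modelled on the addressing used in the thread.
# Each entry is (destination network, next hop), with "connected" meaning
# the prefix is on a local interface.
SWITCH_ROUTES = [
    ("192.168.15.0/24", "connected"),    # interface vlan10 on the 3550
    ("192.168.5.0/30", "connected"),     # routed fa0/1 toward the PIX
    ("0.0.0.0/0", "192.168.5.2"),        # ip route 0.0.0.0 0.0.0.0 192.168.5.2
]

# PIX table with only the /30 point-to-point on e1: no way back to vlan10.
PIX_ROUTES_BEFORE = [
    ("192.168.5.0/30", "connected"),
]

# PIX table after: route inside 192.168.15.0 255.255.255.0 192.168.5.1
PIX_ROUTES_AFTER = PIX_ROUTES_BEFORE + [
    ("192.168.15.0/24", "192.168.5.1"),
]


def lookup(routes, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for net, hop in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best_net is None or network.prefixlen > best_net.prefixlen):
            best_net, best_hop = network, hop
    return best_hop


def diagnose(host, target, host_side_routes, target_side_routes):
    """A ping only succeeds if the request AND the reply both find a route.

    host_side_routes is the table of the first-hop router for the host (the
    3550 here); target_side_routes is the table of the device being pinged.
    """
    if lookup(host_side_routes, target) is None:
        return "no forward route"
    if lookup(target_side_routes, host) is None:
        return "no return route"
    return "ok"


if __name__ == "__main__":
    host, pix_e1 = "192.168.15.5", "192.168.5.2"   # constructed host in vlan10
    print("before:", diagnose(host, pix_e1, SWITCH_ROUTES, PIX_ROUTES_BEFORE))
    print("after: ", diagnose(host, pix_e1, SWITCH_ROUTES, PIX_ROUTES_AFTER))
```

The same check applies whenever a firewall sits behind a routed switch: a default route on the switch gets packets to the firewall, but every VLAN subnet that lives behind the switch still needs its own route (or a summary) on the firewall, or the replies never leave.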

jmaurer1205 Mon, 03/24/2008 - 13:15

Thank You!

It was the

route inside 192.168.15.0 255.255.255.0 192.168.5.1

that was killing me. I was thinking that because I had previously had the 192.168.1.0/24 network I would not need the route. But the interface was previously in the class range. I changed it to be a /30 and it didn't know what to do.

Thanks again.

jmaurer1205 Tue, 03/25/2008 - 08:06

For the other VPN locations to connect to a VLAN network at HQ, do I just have to add the route in command, or do I just need to add nat (in) 0?

HQ VLANs

vlan 10 - 192.168.10.0/24

vlan 11 - 192.168.11.0/24

Br2

network - 192.168.20.0/24

Br3

network - 192.168.30.0/24

Br2

nat (in) 0 access-l 120

access-l 120 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

access-l 120 permit ip 192.168.20.0 255.255.255.0 192.168.11.0 255.255.255.0

Br3

nat (in) 0 access-l 120

access-l 120 permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0

access-l 120 permit ip 192.168.30.0 255.255.255.0 192.168.11.0 255.255.255.0
