PIX 506E with VLANs

Jun 17th, 2008

I have a PIX 506E running with 2 VLANs and for some reason on the logical interface I can't communicate with hosts in the same subnet. The physical interface is good, all hosts talk properly. The networks are autonomous and are not to talk to each other, but I figured that being on the same subnet and VLAN I wouldn't have to explicitly allow the traffic. Enclosed is a config snippet of the pertinent interfaces:

    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet1 vlan5 physical
    interface ethernet1 vlan10 logical
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif vlan10 intf2 security99

    ip address inside 192.168.0.1 255.255.255.0
    ip address intf2 192.168.1.1 255.255.255.0

    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    nat (intf2) 1 0.0.0.0 0.0.0.0 0 0


Is an ACL needed to allow communications on the logical interface?

mike-greene Tue, 06/17/2008 - 07:36

Hi,

Sounds like a trunking issue. Is VLAN10 allowed over the trunk to the PIX? What's the native VLAN set to on the switch?


Mike

sdemlow007 Tue, 06/17/2008 - 08:30

Nah, the trunk is good on the switch port. I can browse out via both VLANs going all the way out the PIX through the NATs on both inside and intf2. On the inside interface I can connect to other hosts within its subnet, i.e. I can map a drive or ping from 192.168.0.5 to 192.168.0.10. But on the intf2 interface I cannot go from 192.168.1.5 to 192.168.1.10. I'm just thinking I may need an ACL or adjustment of the interface security setting since the logical interface has different criteria to adhere to. Just seems strange that one can't talk to hosts on a common subnet...

Jon Marshall Tue, 06/17/2008 - 08:55

If you are going from 192.168.1.5 to 192.168.1.10 then the firewall interface does not come into it because there is no need to route the traffic.


You should be able to communicate from your pix firewall to any hosts on the 192.168.1.x subnet.


If you want traffic to go from the logical subnet to the physical inside subnet you will need access-lists and static translations.


Jon

sdemlow007 Tue, 06/17/2008 - 09:03

That's exactly what has me scratching my head about this...


I also noticed this in the logs:


no route to host 192.168.1.10 from 192.168.1.5


Which is odd because the 192.168.0.0/24 and 192.168.1.0/24 networks are directly connected and have their routes inherited into the routing table.

Yeah, I have no need to have inter VLAN communication so, I'm good on that front.

Jon Marshall Tue, 06/17/2008 - 09:10

Can you check the subnet masks on the pix, and your 2 hosts 192.168.1.10 & 192.168.1.5.


On the actual pix can you ping 192.168.1.10 and 192.168.1.5 ?


Jon

sdemlow007 Tue, 06/17/2008 - 10:19

Ding, ding, ding. We have a winner.


I should have configured the servers' network settings myself, as they had a few of them at a /25... that's the last time I take someone's word that they are "configured properly" for the network settings.


I knew there wasn't too much to the PIX and switch port settings that's why this was driving me nuts...


Thanks for the assistance all.

Jon Marshall Tue, 06/17/2008 - 10:27

No problem. Glad you got it sorted.


If I had a penny for every time a server guy told me the subnet mask was correct..... :-)

Jon Marshall Tue, 06/17/2008 - 10:31

Scott


That is still confusing though as 192.168.1.1, 192.168.1.5 & 192.168.1.10 would all be covered by /25 so even if some of them had incorrect subnet masks they should still be able to communicate.


Jon

sdemlow007 Tue, 06/17/2008 - 11:08

Correct, but the DHCP scope was in the other /25 network...so, yeah it was handing out IPs but they were in the .129-.254 range with a /24 so they could see the PIX as it had the CORRECT mask but, as for the servers that lived in the first half of the /25 and had the /25 mask, no go.
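The mask mismatch described above is worth modelling, because it explains why reachability was asymmetric rather than simply broken. The following Python is an added example, not code from this thread: it reproduces Jon's "check the subnet masks" test and the resulting one-way paths. Host names, the /24 DHCP client at 192.168.1.130 and the /25 servers at .5 and .10 are constructed sample data; the PIX intf2 address and the /24 versus /25 masks come from the thread. One assumption is built in and labelled: the gateway is treated as a PIX 6.x-style firewall that does not forward a packet back out the interface it arrived on, so a host that wrongly hands same-wire traffic to its gateway gets no delivery.

```python
import ipaddress
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Host:
    name: str
    address: str   # IPv4 address as configured on the host
    prefix: int    # prefix length the host is configured with (24, 25, ...)

    @property
    def network(self) -> ipaddress.IPv4Network:
        # The subnet this host *believes* it is on, derived from its own mask.
        return ipaddress.ip_network(f"{self.address}/{self.prefix}", strict=False)


def considers_on_link(src: Host, dst_ip: str) -> bool:
    """True if src will ARP for dst_ip directly; False if it hands the packet to its gateway."""
    return ipaddress.ip_address(dst_ip) in src.network


def can_reach(src: Host, dst: Host, gateway_hairpins: bool = False) -> bool:
    """Two-way reachability on one VLAN: the request and the reply each need a direct path.

    Assumption for this model: the gateway is a PIX 6.x-style firewall that will not
    forward a packet back out the interface it arrived on, so traffic a host mistakenly
    sends to the gateway for a same-wire destination is never delivered unless
    gateway_hairpins is True.
    """
    forward = considers_on_link(src, dst.address) or gateway_hairpins
    back = considers_on_link(dst, src.address) or gateway_hairpins
    return forward and back


def mask_mismatches(gateway: Host, hosts) -> list:
    """Names of hosts whose configured subnet differs from the gateway's (Jon's first check)."""
    return [h.name for h in hosts if h.network != gateway.network]


def reachability_matrix(hosts) -> dict:
    """Map (src_name, dst_name) -> bool for every ordered pair of hosts."""
    return {(a.name, b.name): can_reach(a, b) for a, b in permutations(hosts, 2)}


# Constructed sample: the PIX intf2 address from the thread, one DHCP client that landed
# in the upper half of the /24 with a /24 mask, and two servers hand-configured with /25.
PIX = Host("pix-intf2", "192.168.1.1", 24)
DHCP_CLIENT = Host("dhcp-client", "192.168.1.130", 24)
SERVER_A = Host("server-a", "192.168.1.5", 25)
SERVER_B = Host("server-b", "192.168.1.10", 25)
LAN = [PIX, DHCP_CLIENT, SERVER_A, SERVER_B]

if __name__ == "__main__":
    print("hosts whose mask disagrees with the PIX:", mask_mismatches(PIX, LAN))
    for (src, dst), ok in sorted(reachability_matrix(LAN).items()):
        print(f"{src:12} -> {dst:12}: {'ok' if ok else 'NO PATH'}")
```

Running it shows the pattern from the thread: the /24 DHCP client and the PIX see each other, the two /25 servers see each other and the PIX (all of .1, .5 and .10 fall inside 192.168.1.0/25), but a /25 server and a host in the .129-.254 half never complete a round trip, because the server sends its half of the exchange to the gateway instead of ARPing for it. Comparing each host's mask against the gateway's, as `mask_mismatches` does, is the quickest way to spot the misconfigured boxes before chasing trunk or ACL settings.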

Jon Marshall Tue, 06/17/2008 - 11:11

Makes sense. Thanks for clearing that up.
