PIX 506E with VLANs

Unanswered Question
Jun 17th, 2008

I have a PIX 506E running with 2 VLANs, and for some reason on the logical interface I can't communicate with hosts in the same subnet. The physical interface is good; all hosts talk properly. The networks are autonomous and are not to talk to each other, but I figured that being on the same subnet and VLAN I wouldn't have to explicitly allow the traffic. Enclosed is a config snippet of the pertinent interfaces:

interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan5 physical
interface ethernet1 vlan10 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 intf2 security99
ip address inside 192.168.0.1 255.255.255.0
ip address intf2 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0

Is an ACL needed to allow communications on the logical interface?

mike-greene Tue, 06/17/2008 - 07:36

Hi,

Sounds like a trunking issue. Is VLAN10 allowed over the trunk to the PIX? What's the native VLAN set to on the switch?

Mike

sdemlow007 Tue, 06/17/2008 - 08:30

Nah, the trunk is good on the switch port. I can browse out via both VLANs, going all the way out the PIX through the NATs on both inside and intf2. On the inside interface I can connect to other hosts within its subnet, i.e. I can map a drive or ping from 192.168.0.5 to 192.168.0.10. But on the intf2 interface I cannot go from 192.168.1.5 to 192.168.1.10. I'm just thinking I may need an ACL or an adjustment of the interface security setting, since the logical interface has different criteria to adhere to. Just seems strange that one can't talk to hosts on a common subnet...

Jon Marshall Tue, 06/17/2008 - 08:55

If you are going from 192.168.1.5 to 192.168.1.10 then the firewall interface does not come into it because there is no need to route the traffic.

You should be able to communicate from your pix firewall to any hosts on the 192.168.1.x subnet.

If you want traffic to go from the logical subnet to the physical inside subnet you will need access-lists and static translations.

Jon

sdemlow007 Tue, 06/17/2008 - 09:03

That's exactly what has me scratching my head about this...

I also noticed this in the logs:

no route to host 192.168.1.10 from 192.168.1.5

Which is odd, because the 192.168.0.0/24 and 192.168.1.0/24 networks are directly connected and have their routes inherited into the routing table.

Yeah, I have no need for inter-VLAN communication, so I'm good on that front.

Jon Marshall Tue, 06/17/2008 - 09:10

Can you check the subnet masks on the pix and your 2 hosts, 192.168.1.10 & 192.168.1.5?

On the actual pix can you ping 192.168.1.10 and 192.168.1.5 ?

Jon

sdemlow007 Tue, 06/17/2008 - 10:19

Ding, ding, ding. We have a winner.

I should have configured the servers' network settings myself, as they had a few of them at a /25... That's the last time I take someone's word that they are "configured properly" for the network settings.

I knew there wasn't too much to the PIX and switch port settings; that's why this was driving me nuts...

Thanks for the assistance all.

Jon Marshall Tue, 06/17/2008 - 10:27

No problem. Glad you got it sorted.

If i had a penny for every time a server guy told me the subnet mask was correct..... :-)

Jon Marshall Tue, 06/17/2008 - 10:31

Scott

That is still confusing, though, as 192.168.1.1, 192.168.1.5 & 192.168.1.10 would all be covered by a /25, so even if some of them had incorrect subnet masks they should still be able to communicate.

Jon

sdemlow007 Tue, 06/17/2008 - 11:08

Correct, but the DHCP scope was in the other /25 network... So, yeah, it was handing out IPs, but they were in the .129-.254 range with a /24, so they could see the PIX as it had the CORRECT mask. But as for the servers that lived in the first half of the /25 and had the /25 mask, no go.
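As an added illustration of the root cause (this is not code from the thread): the check below takes each host's own address and mask and asks whether it would treat the other host as on-link, which is the asymmetry Jon's "check the subnet masks" question uncovers. The host names and the exact client address are assumed; the addresses and masks are constructed from the thread's description (PIX intf2 at 192.168.1.1/24, a server at 192.168.1.10/25, a DHCP client in the .129-.254 range with a /24).

```python
from ipaddress import IPv4Address, IPv4Interface

# Constructed from the thread: names and the client address are assumptions.
HOSTS = {
    "pix": IPv4Interface("192.168.1.1/24"),      # intf2, correct /24 mask
    "server": IPv4Interface("192.168.1.10/25"),  # misconfigured with /25
    "client": IPv4Interface("192.168.1.130/24"), # DHCP lease, /24 mask
}


def on_link(src: IPv4Interface, dst: IPv4Address) -> bool:
    """True if `src` would ARP for `dst` directly rather than forwarding it
    to its default gateway, judged by src's own address and mask only."""
    return dst in src.network


def audit(hosts: dict) -> list:
    """Return (a, b, a_sees_b, b_sees_a) for every pair that is not
    mutually on-link. A one-sided True/False is the classic mask mismatch:
    one side ARPs, the other side sends to the gateway, and traffic that
    should never leave the segment ends up at the firewall."""
    problems = []
    names = sorted(hosts)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            a_sees_b = on_link(hosts[a], hosts[b].ip)
            b_sees_a = on_link(hosts[b], hosts[a].ip)
            if not (a_sees_b and b_sees_a):
                problems.append((a, b, a_sees_b, b_sees_a))
    return problems


def mask_mismatches(gateway: IPv4Interface, hosts: dict) -> list:
    """Names of hosts whose configured network differs from the gateway's,
    i.e. the hosts an admin should re-check before touching ACLs."""
    return sorted(n for n, h in hosts.items() if h.network != gateway.network)


if __name__ == "__main__":
    for a, b, ab, ba in audit(HOSTS):
        print(f"{a} -> {b}: {ab}, {b} -> {a}: {ba}")
    print("mask differs from gateway:", mask_mismatches(HOSTS["pix"], HOSTS))
```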
