AP, VLANs, and PIX

Jul 21st, 2008

2801 router

fe0/0 with a 209.x.x.x address going to a switch.

fe0/1 with a 28.x.x.x going out to WAN

515 PIX

e0 outside with a 209.x.x.x address going to same switch as router.

e1 inside with an address going to the LAN. This acts as the network firewall/gateway.

Client just purchased a Cisco AccessPoint 1130AG. Client wishes to have two SSIDs: one "Guest" SSID which only gives access to HTTP/HTTPS, and one "Staff" SSID which gives access to everything (network servers/shares/printers/etc.).

My understanding is that the PIX doesn't handle multiple VLANs, only ASAs do. But can I use the router to route the two VLANs? There are currently no VLANs defined.

Can anyone help me out? Do you need to see the running-config on both to be able to tell? I was just wondering if the router could do a fe0/0.1 and fe0/0.2 interface and add the two different VLANs' network statements to handle the routing, then have the PIX restrict the access.

That's my idea, though I'm not sure how to go about implementing it.

Do I need to be more clear?

Thanks for any time given.

dhananjoy chowdhury Mon, 07/21/2008 - 20:26

Create three different VLANs on the switch:

vlan 101 - for inside LAN
vlan 102 - for WLAN 1
vlan 103 - for WLAN 2

Then connect the trunk to the PIX inside, and on the PIX you need to create sub-interfaces:

hostname(config)# interface ethernet0/1.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif inside
hostname(config-subif)# security-level 100
hostname(config-subif)# ip address

hostname(config)# interface ethernet0/1.2
hostname(config-subif)# vlan 102
hostname(config-subif)# nameif WLAN1
hostname(config-subif)# security-level 90
hostname(config-subif)# ip address

hostname(config)# interface ethernet0/1.3
hostname(config-subif)# vlan 103
hostname(config-subif)# nameif WLAN2
hostname(config-subif)# security-level 80
hostname(config-subif)# ip address

Then you can create access-lists on the PIX for restricting traffic based on your requirements.
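As an added illustration of that last step (not config from any poster in this thread), here is one way the Guest WLAN restriction could be written in PIX 7.x syntax, using the interface names from the thread and constructed private subnets that stand in for the addresses the thread never shows. The key point is that once an inbound access-list is bound to the lower-security guest interface, that list decides what passes, so the inside and staff ranges must be denied explicitly before the web permits.

```cisco
! Added example, not from the thread. Constructed addressing for illustration only:
!   inside (vlan 101) 192.168.10.0/24
!   WStaff (vlan 102) 192.168.20.0/24
!   WGuest (vlan 103) 192.168.30.0/24
!
! Without an ACL, security-level 50 -> 90/100 is already blocked by default.
! With an inbound ACL on WGuest, the ACL is authoritative, so deny the
! higher-security networks first, then allow only what a guest needs.
access-list guest_in extended deny ip any 192.168.10.0 255.255.255.0
access-list guest_in extended deny ip any 192.168.20.0 255.255.255.0
! Name resolution is needed before any HTTP/HTTPS session can be opened
access-list guest_in extended permit udp any any eq domain
access-list guest_in extended permit tcp any any eq www
access-list guest_in extended permit tcp any any eq https
! Explicit final deny with logging so blocked guest attempts show up in syslog
access-list guest_in extended deny ip any any log
access-group guest_in in interface WGuest

! Guests still need a translation toward the outside (required if nat-control
! is enabled, which it is on boxes upgraded from PIX 6.x)
nat (WGuest) 1 192.168.30.0 255.255.255.0
global (outside) 1 interface
```

Verify with `show access-list guest_in` (hit counts per line) and `show logging` for the final deny entries; the staff interface, at security-level 90, keeps its default outbound access to inside and the WAN without an access-list.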

Armegeden Mon, 07/21/2008 - 20:52
So you mean that I shouldn't need to alter the router configuration whatsoever?

The PIX will support multiple VLANs?

Armegeden Tue, 07/29/2008 - 07:59

PIX 515

interface ethernet1/1.1
vlan 101
nameif inside
security-level 100
ip address

interface ethernet1/1.2
vlan 102
nameif WStaff
security-level 90
ip address

interface ethernet1/1.3
vlan 103
nameif WGuest
security-level 50
ip address

interface vlan 101
description LAN

interface vlan 102
description WStaff

interface vlan 103
description WGuest

This is what I was thinking about putting in to get it started. My worry is, if I create the sub-interfaces on the PIX, will that bring down the connection to our WAN? Will I need to do any other configuration to keep it seamless for the Staff? Or will everything auto-adjust to interface eth1/1.1 because the "nameif inside" is still the same name, "inside"?
