AP, VLANs, and PIX

Unanswered Question
Jul 21st, 2008
User Badges:

2801 router

fe0/0 with a 209.x.x.x address going to a switch.

fe0/1 with a 28.x.x.x going out to WAN


515 PIX

e0 outside with a 209.x.x.x address going to same switch as router.

e1 inside with a 192.168.0.1 address going to LAN. This acts as the network firewall/gateway


Client just purchased a Cisco AccessPoint 1130AG. Client wishes to have two SSID's. One "Guest" SSID which only gives access to HTTP/HTTPS. And one "Staff" SSID which gives access to everything (network servers/shares/printers/etc).


My understanding is that the PIX doesn't handle multiple VLANs, only ASA's do. But can I use the router to route the two VLAN's? There are currently no VLANs defined.


Can anyone help me out? Do you need to see the running-config on both to be able to tell? I was just wondering if the router could do a fe0/0.1 and fe0/0.2 int and add the two different VLAN's network statements to handle the routing, then the PIX restrict the access.


That's my idea, though I'm not sure how to go about implementing it.


Do I need to be more clear?


Thanks for any time given.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
dhananjoy chowdhury Mon, 07/21/2008 - 20:26
User Badges:
  • Silver, 250 points or more

Create three different vlan's on the switch,

vlan 101 - for inside LAN

vlan 102 - for WLAN 1

vlan 103 - for WLAn 2


And then connect the trunk to the PIX inside

and on the pix you need to create sub-interfaces


hostname(config)# interface ethernet0/1.1

hostname(config-subif)# vlan 101

hostname(config-subif)# nameif inside

hostname(config-subif)# security-level 100

hostname(config-subif)# ip address 10.0.0.1 255.255.255.0


hostname(config)# interface ethernet0/1.2

hostname(config-subif)# vlan 102

hostname(config-subif)# nameif WLAN1

hostname(config-subif)# security-level 90

hostname(config-subif)# ip address 20.0.0.1 255.255.255.0


hostname(config)# interface ethernet0/1.3

hostname(config-subif)# vlan 103

hostname(config-subif)# nameif WLAN2

hostname(config-subif)# security-level 80

hostname(config-subif)# ip address 30.0.0.1 255.255.255.0


Then you can create access-lists on the PIX fir restricitng traffic based on your requirements.

Armegeden Mon, 07/21/2008 - 20:52
User Badges:

wow,


So you mean that I shouldn't need to alter the router configuration whatsoever?


The PIX will support multiple VLANs?



dhananjoy chowdhury Mon, 07/21/2008 - 21:14
User Badges:
  • Silver, 250 points or more

Yes , pix will support, provided you have IOS 6.3 and above.

Armegeden Tue, 07/29/2008 - 07:59
User Badges:

PIX 515


interface ethernet1/1.1

vlan 101

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0


interface ethernet1/1.2

vlan 102

nameif WStaff

security-level 90

ip address 192.168.2.1 255.255.255.0


interface ethernet1/1.3

vlan 103

nameif WGuest

security-level 50

ip address 192.168.3.1 255.255.255.0



2960G


interface vlan 101

description LAN


interface vlan 102

description WStaff


interface vlan 103

description WGuest




This is what I was thinking about putting in to get it started. My worry is, if I create the sub-interfaces on the PIX, will that bring down the connection to our WAN? Will I need to do any other configuration to keep it seamless for the Staff? Or will everything auto adjust to interface eth1/1.1 because of the "nameif inside" is still the same name, "inside"?




Actions

This Discussion