07-21-2008 07:32 PM - edited 03-06-2019 12:22 AM
2801 router
fe0/0 with a 209.x.x.x address going to a switch.
fe0/1 with a 28.x.x.x going out to WAN
515 PIX
e0 outside with a 209.x.x.x address going to same switch as router.
e1 inside with a 192.168.0.1 address going to LAN. This acts as the network firewall/gateway
Client just purchased a Cisco AccessPoint 1130AG. Client wishes to have two SSIDs. One "Guest" SSID which only gives access to HTTP/HTTPS. And one "Staff" SSID which gives access to everything (network servers/shares/printers/etc).
My understanding is that the PIX doesn't handle multiple VLANs, only ASAs do. But can I use the router to route the two VLANs? There are currently no VLANs defined.
Can anyone help me out? Do you need to see the running-config on both to be able to tell? I was just wondering if the router could do a fe0/0.1 and fe0/0.2 int and add the two different VLANs' network statements to handle the routing, then the PIX restrict the access.
That's my idea, though I'm not sure how to go about implementing it.
Do I need to be more clear?
Thanks for any time given.
07-21-2008 08:26 PM
Create three different VLANs on the switch,
vlan 101 - for inside LAN
vlan 102 - for WLAN 1
vlan 103 - for WLAN 2
And then connect the trunk to the PIX inside,
and on the PIX you need to create sub-interfaces:
hostname(config)# interface ethernet0/1.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif inside
hostname(config-subif)# security-level 100
hostname(config-subif)# ip address 10.0.0.1 255.255.255.0
hostname(config)# interface ethernet0/1.2
hostname(config-subif)# vlan 102
hostname(config-subif)# nameif WLAN1
hostname(config-subif)# security-level 90
hostname(config-subif)# ip address 20.0.0.1 255.255.255.0
hostname(config)# interface ethernet0/1.3
hostname(config-subif)# vlan 103
hostname(config-subif)# nameif WLAN2
hostname(config-subif)# security-level 80
hostname(config-subif)# ip address 30.0.0.1 255.255.255.0
Then you can create access-lists on the PIX for restricting traffic based on your requirements.
07-21-2008 08:52 PM
wow,
So you mean that I shouldn't need to alter the router configuration whatsoever?
The PIX will support multiple VLANs?
07-21-2008 09:14 PM
Yes, the PIX will support it, provided you have IOS 6.3 and above.
07-21-2008 09:21 PM
With the command "show ver" you can check the details available on your PIX device.
You can also refer to this link. It will give more details for your platform.
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1116060
07-29-2008 07:59 AM
PIX 515
interface ethernet1/1.1
vlan 101
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface ethernet1/1.2
vlan 102
nameif WStaff
security-level 90
ip address 192.168.2.1 255.255.255.0
interface ethernet1/1.3
vlan 103
nameif WGuest
security-level 50
ip address 192.168.3.1 255.255.255.0
2960G
interface vlan 101
description LAN
interface vlan 102
description WStaff
interface vlan 103
description WGuest
This is what I was thinking about putting in to get it started. My worry is, if I create the sub-interfaces on the PIX, will that bring down the connection to our WAN? Will I need to do any other configuration to keep it seamless for the Staff? Or will everything auto adjust to interface eth1/1.1 because the "nameif inside" is still the same name, "inside"?
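The earlier reply says the restriction belongs in access-lists on the PIX. As an added example (not posted by anyone in this thread), here is an inbound access-list for the WGuest sub-interface that implements the "Guest = HTTP/HTTPS only" requirement, using the interface names and subnets from the draft config above. It assumes the PIX 7.x-style "extended" ACL syntax that matches the nameif/security-level sub-interface commands shown here; the DNS entry is an assumption, since web access needs name resolution.

```cisco
! Added example, not from the thread: inbound ACL for the WGuest
! sub-interface (192.168.3.0/24), names and subnets from the draft above.
! Assumption: PIX 7.x "extended" access-list syntax.
!
! Entries are evaluated top-down, first match wins. Deny the wired LAN
! and the staff WLAN first, so the later "permit ... any" lines cannot
! reach internal hosts. Once an access-group is applied, the security
! levels alone no longer block guest-to-inside traffic, so these denies
! are what actually keep guests off the internal networks.
access-list GUEST_IN extended deny ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list GUEST_IN extended deny ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! Assumption: guests resolve names against an external DNS server.
! HTTP/HTTPS alone is unusable without name resolution.
access-list GUEST_IN extended permit udp 192.168.3.0 255.255.255.0 any eq domain
!
! The only traffic guests may originate: web on ports 80 and 443.
access-list GUEST_IN extended permit tcp 192.168.3.0 255.255.255.0 any eq www
access-list GUEST_IN extended permit tcp 192.168.3.0 255.255.255.0 any eq https
!
! Explicit final deny with "log" so blocked guest traffic shows up in
! syslog; the PIX would drop it anyway via the implicit deny at the end.
access-list GUEST_IN extended deny ip any any log
!
! Bind the list to traffic entering the PIX from the guest VLAN.
access-group GUEST_IN in interface WGuest
```

After applying it, "show access-list GUEST_IN" displays per-line hit counts, which is the quickest way to confirm that guest web traffic matches the permit lines and that attempts toward 192.168.1.0/24 and 192.168.2.0/24 land on the deny lines.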
08-04-2008 03:07 PM
Anyone know the answer for this?