PIX515e, Cisco AP 1130AG, VLANS, please help

Unanswered Question
Aug 10th, 2008

From a previous topic, but the advice given there isn't working. Here is a copy and paste of the problem:

2801 router

fe0/0 with a 209.x.x.x address going to a switch.

fe0/1 with a 28.x.x.x going out to WAN

515 PIX

e0 outside with a 209.x.x.x address going to same switch as router.

e1 inside with an address going to the LAN. This acts as the network firewall/gateway.

Client just purchased a Cisco AccessPoint 1130AG. Client wishes to have two SSIDs: one "Guest" SSID which only gives access to HTTP/HTTPS, and one "Staff" SSID which gives access to everything (network servers/shares/printers/etc).

I have tried creating subinterfaces on the PIX, but it apparently doesn't support this (it is IOS 6.3). I tried messing around with the eth2 (which is not in use) and creating "logical" interfaces, but I'm not really sure where to go with that.

I'm including a rough Visio JPG of the network. I'd rather not touch the Router config; would rather do anything I need on the PIX.

Is there any way to get these VLANs working on PIX 515e with IOS 6.3? Would it help to see the current running-config on the PIX?

Please, any help would be greatly appreciated

Armegeden Mon, 08/11/2008 - 09:33

I've been playing around with the logical interfaces on IOS 6.3:

interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet2 vlan10 logical
interface ethernet2 vlan20 logical
ip address outside 209.x.x.x
ip address inside
ip address test1
no ip address intf3
no ip address intf4

It appears that although these aren't subinterfaces as I know them on a router IOS, I can assign intf3 and intf4 (the logical interfaces) IP addresses.

If this is true, then I should be able to throw in ACLs to do inter-VLAN routing, thereby accomplishing what I need.

Is this at all correct?

Tshi M Mon, 08/11/2008 - 09:46

I am not sure if you can create object-group with that version of PIX but object-group and ACL inside and ACL outside might be able to help out. You will create an object-group for the guest network and another one for the regular users. And then create an inside acl that will allow guest network access to http and https and the other group access to any.

Tshi M Mon, 08/11/2008 - 10:06

You actually don't need to use object-group. Just use the VLAN subnets that you created on your 2960G switch.
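The following is an added example, not configuration posted by anyone in this thread, combining the logical-interface approach from the first reply with the inside-ACL approach from the second. It assumes PIX 6.3 software, that ethernet2 connects to a switch port trunking VLAN 10 (Guest) and VLAN 20 (Staff) to the AP, and uses placeholder RFC 1918 subnets; the VLAN IDs and interface names are assumptions, not taken from the poster's running config.

```cisco
! Bring the physical interface up; the logical VLAN interfaces ride on it
interface ethernet2 100full
interface ethernet2 vlan10 logical
interface ethernet2 vlan20 logical
!
! Give the logical interfaces names and security levels (0 = outside, 100 = inside).
! Guest is lower than Staff, so guest-to-staff traffic is denied by default.
nameif vlan10 guest security10
nameif vlan20 staff security50
!
! Placeholder addressing (assumed, not from the thread)
ip address guest 192.168.10.1 255.255.255.0
ip address staff 192.168.20.1 255.255.255.0
!
! Guest ACL: block every private range first, then allow only web browsing.
! DNS is permitted as well because HTTP/HTTPS are unusable without name resolution.
! Once an ACL is bound to an interface, anything it does not permit is dropped.
access-list guest_in deny ip any 10.0.0.0 255.0.0.0
access-list guest_in deny ip any 172.16.0.0 255.240.0.0
access-list guest_in deny ip any 192.168.0.0 255.255.0.0
access-list guest_in permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list guest_in permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list guest_in permit udp 192.168.10.0 255.255.255.0 any eq domain
!
! Staff ACL: full access (higher-to-lower flows were already allowed, but an
! explicit ACL keeps the policy visible and auditable)
access-list staff_in permit ip 192.168.20.0 255.255.255.0 any
!
! PIX 6.3 applies ACLs in the inbound direction only
access-group guest_in in interface guest
access-group staff_in in interface staff
!
! Both wireless subnets share the existing outside PAT
nat (guest) 1 192.168.10.0 255.255.255.0
nat (staff) 1 192.168.20.0 255.255.255.0
global (outside) 1 interface
```

Verify with `show access-list guest_in` (hit counts on the deny lines confirm the guest subnet cannot reach the LAN) and `show interface` to confirm the logical interfaces are up.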
