VLANs on PIX 515E

Unanswered Question
Sep 15th, 2008

Hi

I am trying to configure a PIX 515E unit with multiple VLANs (one VLAN per client's traffic). I have two /29 networks from my ISP and I want to use one IP per client for their outgoing and incoming traffic, so each client's traffic will be NATted to a public IP for outgoing and incoming traffic.

I would like to know how I can configure these IPs (two different /29 ranges) on the PIX unit, as it doesn't accept secondary IPs as on the router.

To configure VLANs, can I just use eth 0/1 for the inside network and configure it into sub-interfaces?

Any advice on this is much appreciated, and any links for the configuration would also be helpful.

I am using other-brand routers now and having a terrible outage, which seems hard to pin down for the vendor as well. So I am planning to upgrade to the PIX unit.

Thanks

Marwan ALshawi Mon, 09/15/2008 - 23:05

In this case you can use your firewall with multiple contexts,

so that each interface can be in a different context, or each sub-interface can be in a different context; thus you will have two separate virtual firewalls, each one with its own config like IPs, NAT, access policies and so on.

But with multiple context mode you can't do VPN!!

Also, you can use a shared outside interface, or separate physical or sub-interfaces for each context.

Have a look at the following config example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml

Enabling Multiple Context Mode

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1124172

Good luck.

If helpful, rate.

techtips03 Tue, 09/16/2008 - 05:29

Hi

I think I need the license for multiple contexts, right? I don't have one right now. Is there any way to achieve this without contexts?

Thanks

techtips03 Wed, 09/17/2008 - 14:04

Hi

I have created sub-interfaces to do trunking with my Adtran switch. I think the trunking is not happening properly.

interface Ethernet1
 description "Trunk Connectivity to Switch"
 no nameif
 no security-level
 no ip address
!
interface Ethernet1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet1.2
 vlan 100
 nameif DMZ2
 security-level 90
 ip address 10.10.100.1 255.255.255.0
!
interface Ethernet1.3
 vlan 35
 nameif DMZ3
 security-level 90
 ip address 10.10.35.1 255.255.255.0
!
interface Ethernet1.4
 vlan 36
 nameif DMZ4
 security-level 90
 ip address 10.10.36.1 255.255.255.0

----------------------------------------------------

switch config

int eth 0/24
 switchport mode trunk
 switchport trunk native vlan 400

I can ping all the VLAN IPs from the PIX itself.

I can ping 10.10.10.1 and the switch (10.10.10.2) from the PC, but not any other VLANs.

I can ping 10.10.10.1 from the switch, but not any other VLANs.

I cannot ping the switch from the PIX.

I cannot ping the PC on VLAN 1 from the PIX.

I created the layer 2 VLANs on the switch and assigned ports to the VLANs.

ip default gateway 10.10.10.1

switchport trunk native vlan 400 - I had to add this command, as Adtran mentioned that the PIX is not seeing VLAN 1 as native VLAN 1. If I don't add this, there are no pings from anywhere.

Please help me ASAP as my network is down. I tried the same with a Netgear switch and had the same issue.

Thanks

Marwan ALshawi Wed, 09/17/2008 - 16:41

I think the problem is on the switch side now.

First, you have put the native VLAN as 400,

so that means only VLAN 400 will be passed through the trunk link as untagged, which by default is VLAN 1.

So if you use VLAN 1, make sure the trunk encapsulation on the switch side is dot1q,

and if you want to reach VLAN 1, make it the native.

Also, for communication between VLANs there are two ways.

Now, based on your config, the communication between VLANs must be through the firewall,

so on the switch don't create an SVI (I mean a VLAN interface); just create VLANs corresponding to those on the firewall sub-interfaces,

and make each PC's default gateway the firewall IP in the corresponding VLAN.

As long as you have interfaces with the same security level, you need to put the command "permit intra-same-security something" (not sure about the syntax) to allow communication between interfaces that have the same security level.

But about VLAN 1, did you create an SVI for it?
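The native-VLAN behaviour discussed in this thread, as an added example that is not part of the original posts: a small Python model of which VLANs the dot1q trunk actually delivers to which PIX interface, using the sub-interfaces posted above. It assumes (my model, not Cisco documentation) that the switch sends its native VLAN untagged and every other VLAN tagged, that the firewall hands a tagged frame to the sub-interface whose `vlan` matches, and that an untagged frame is accepted only if the physical parent interface itself has a `nameif`.

```python
# Assumptions: native VLAN leaves the switch untagged, other VLANs tagged; a tagged
# frame reaches the sub-interface with the matching vlan; untagged needs a named parent.
PIX_CONFIG = """
interface Ethernet1
 no nameif
interface Ethernet1.1
 vlan 1
 nameif inside
interface Ethernet1.2
 vlan 100
 nameif DMZ2
interface Ethernet1.3
 vlan 35
 nameif DMZ3
interface Ethernet1.4
 vlan 36
 nameif DMZ4
"""  # condensed from the firewall config posted in the thread

def parse_pix(config):
    """Return (named parent interface or None, {vlan_id: nameif} for sub-interfaces)."""
    blocks, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = line.split()[1]
            blocks[name] = {}
        elif name and line.startswith("vlan "):
            blocks[name]["vlan"] = int(line.split()[1])
        elif name and line.startswith("nameif "):   # "no nameif" does not match here
            blocks[name]["nameif"] = line.split()[1]
    parent = next((n for n, b in blocks.items() if "." not in n and "nameif" in b), None)
    subifs = {b["vlan"]: b["nameif"] for n, b in blocks.items() if "." in n and "vlan" in b and "nameif" in b}
    return parent, subifs

def trunk_delivery(native_vlan, switch_vlans, parent, subifs):
    """Firewall interface that receives each switch VLAN; None means silently dropped."""
    delivered = {}
    for v in switch_vlans:
        if v == native_vlan:        # native VLAN leaves the switch untagged
            delivered[v] = parent   # only a parent with a nameif accepts untagged frames
        else:                       # every other VLAN leaves tagged with its own ID
            delivered[v] = subifs.get(v)
    return delivered

def explain(native_vlan, switch_vlans=(1, 35, 36, 100)):
    parent, subifs = parse_pix(PIX_CONFIG)
    return trunk_delivery(native_vlan, switch_vlans, parent, subifs)
```

With the switch default (`explain(1)`) VLAN 1 arrives untagged at an unnamed parent and is dropped, which matches "no pings from anywhere"; with `explain(400)` VLAN 1 is tagged and reaches `inside`, while VLAN 400 itself is the one now dropped.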
