09-15-2008 08:57 PM - edited 03-11-2019 06:44 AM
Hi
I am trying to configure a PIX 515E unit with multiple VLANs (one VLAN for each client's traffic). I have 2 /29 networks from my ISP and I want to use each IP for each client for their outgoing and incoming traffic, so each client's traffic will be NATed to a public IP for outgoing and incoming traffic.
I would like to know how I can configure these IPs (2 different /29 ranges) on the PIX unit, as it doesn't accept secondary IPs like the router does.
To configure VLANs, can I just use eth 0/1 for the inside network and configure it into subinterfaces?
Any advice on this is much appreciated, and any links for the configuration would also be helpful.
I am using other brand routers now and having a terrible outage which seems hard to pinpoint for the vendor as well. So I am planning to upgrade to the PIX unit.
Thanks
09-15-2008 11:05 PM
In this case you can use your firewall with multiple contexts,
so that each interface can be in a different context, or each subinterface in a different context. Thus you will have two separate virtual firewalls, each one with its own config like IPs, NATing, access policies and so on.
But with multiple context mode you can't do VPN!!
Also you can use a shared outside interface, or separate physical interfaces or subinterfaces for each context.
Have a look at the following config example:
Enabling Multiple Context Mode
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/contexts.html#wp1124172
good luck
if helpful Rate
09-16-2008 05:29 AM
Hi
I think I need the license for multiple contexts, right? I don't have one right now. Is there any way to achieve this without contexts?
Thanks
09-16-2008 05:34 AM
Go to subinterfaces then.
09-17-2008 02:04 PM
Hi
I have created subinterfaces to do trunking with my Adtran switch. I think the trunking is not happening properly.
interface Ethernet1
 description "Trunk Connectivity to Switch"
 no nameif
 no security-level
 no ip address
!
interface Ethernet1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet1.2
 vlan 100
 nameif DMZ2
 security-level 90
 ip address 10.10.100.1 255.255.255.0
!
interface Ethernet1.3
 vlan 35
 nameif DMZ3
 security-level 90
 ip address 10.10.35.1 255.255.255.0
!
interface Ethernet1.4
 vlan 36
 nameif DMZ4
 security-level 90
 ip address 10.10.36.1 255.255.255.0
----------------------------------------------------
switch config
int eth 0/24
 switchport mode trunk
 switchport trunk native vlan 400
Can ping all the VLAN IPs from the PIX itself.
Can ping 10.10.10.1 and the switch 10.10.10.2 from the PC, but not any other VLANs.
Can ping 10.10.10.1 from the switch, but not any other VLANs.
Cannot ping the switch from the PIX.
Cannot ping the PC on VLAN 1 from the PIX.
I created the layer 2 VLANs on the switch and assigned ports to the VLANs.
ip default gateway 10.10.10.1
switchport trunk native vlan 400 - I had to add this command as Adtran mentioned that the PIX is not seeing VLAN 1 as the native VLAN 1. If I don't add this there are no pings from anywhere.
Please help me ASAP as my network is down. I tried the same with a Netgear switch and had the same issue.
Thanks
09-17-2008 04:41 PM
I think the problem is on the switch side now.
First, you have put the native VLAN as 400,
so that means only VLAN 400 will be passed through the trunk link as untagged, which by default is VLAN 1.
So if you use VLAN 1, make sure the trunk encapsulation on the switch side is dot1q.
If you wanna reach VLAN one, make it the native.
Also, for communication between VLANs there are two ways.
Now, based on your config, the communication between VLANs must be through the firewall.
So on the switch don't create an SVI (I mean a VLAN interface), but just create VLANs corresponding to those on the firewall subinterfaces,
and make each PC's default gateway the firewall IP in the corresponding VLAN.
As long as you have interfaces with the same security level, you need to put the command "permit intra-same-security" something (not sure about the syntax) to allow communication between interfaces that have the same sec level.
But about VLAN 1, did you create an SVI for it?
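A small checker, added here as an example (it is not from the thread or from Cisco), that applies the two points raised in this reply to the configs posted above: a PIX subinterface whose VLAN is also the switch trunk's native VLAN receives that traffic untagged, which a subinterface does not accept, and subinterfaces sharing a security level cannot talk until "same-security-traffic permit inter-interface" is configured. The config strings are constructed copies of the ones in the thread; the checker itself is a hypothetical helper.

```python
import re

# Constructed copies of the PIX subinterfaces and switch trunk posted in the thread.
PIX_CONFIG = """
interface Ethernet1.1
 vlan 1
 nameif inside
 security-level 100
interface Ethernet1.2
 vlan 100
 nameif DMZ2
 security-level 90
interface Ethernet1.3
 vlan 35
 nameif DMZ3
 security-level 90
"""
SWITCH_TRUNK_NATIVE_400 = "int eth 0/24\n switchport mode trunk\n switchport trunk native vlan 400\n"

def parse_pix_subinterfaces(text):
    """Map nameif -> (vlan, security-level) for every named, tagged PIX subinterface."""
    subifs = {}
    for block in re.split(r"^interface ", text, flags=re.M)[1:]:
        vlan = re.search(r"^\s*vlan (\d+)", block, re.M)
        name = re.search(r"^\s*nameif (\S+)", block, re.M)
        level = re.search(r"^\s*security-level (\d+)", block, re.M)
        if vlan and name and level:
            subifs[name.group(1)] = (int(vlan.group(1)), int(level.group(1)))
    return subifs

def switch_native_vlan(text):
    """Native VLAN of the trunk (frames in it leave the switch untagged); 802.1Q default is 1."""
    m = re.search(r"switchport trunk native vlan (\d+)", text)
    return int(m.group(1)) if m else 1

def check_trunk(pix_text, switch_text):
    """Return findings that explain why some VLANs cannot cross the PIX trunk."""
    subifs = parse_pix_subinterfaces(pix_text)
    native = switch_native_vlan(switch_text)
    findings = []
    # A PIX subinterface only accepts 802.1Q-tagged frames, so its VLAN must not be the native one.
    for name, (vlan, _) in subifs.items():
        if vlan == native:
            findings.append(f"{name}: VLAN {vlan} is the switch native VLAN and arrives untagged")
    # Same-level interfaces need 'same-security-traffic permit inter-interface' on the PIX.
    levels = [lvl for _, lvl in subifs.values()]
    for lvl in sorted({l for l in levels if levels.count(l) > 1}):
        names = [n for n, (_, l) in subifs.items() if l == lvl]
        findings.append(f"security-level {lvl} shared by {', '.join(names)}: "
                        "needs 'same-security-traffic permit inter-interface'")
    return findings
```

Running check_trunk(PIX_CONFIG, SWITCH_TRUNK_NATIVE_400) reports only the shared security level; dropping the native-VLAN line from the switch config (default native VLAN 1) additionally flags the inside subinterface, which is the situation Adtran's advice in the thread was working around.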