PIX 515e with 7.2 IOS, VLANs?

Oct 13th, 2008

Hellos,

I'm trying to set up an Internal and a Guest wireless SSID. Have our internal DHCP server handle "Internal" and use the PIX dhcpd pool to handle the Guest.

I think I have an idea of how to set this up, but I've hit a snag.

I was reading that IOS 6.3 would not support such a setup, so I've successfully updated to 7.2 (yay?). I see the possibility to use subinterfaces now (interface ethernet 0.1) and assign VLANs (vlan 100). But I'm not seeing where to define the said VLANs.

I know this is possible with an ASA (another client has an ASA). I was hoping I'd be able to do the same on the 515e once I got 7.2 on there. Is this not possible?

Some pseudo code:

vlan 100
 nameif outside
 ip address 20.1.1.1
vlan 1
 nameif inside
 ip address 192.168.1.1
vlan 2
 nameif guest
 ip address 172.16.1.1
ethernet 0.1
 vlan 100
ethernet 1.1
 vlan 1
 vlan 2

Does my question make sense?

scott.bridges Mon, 10/13/2008 - 10:37

Oh Bah.

The only Cisco switch I have on the network is a 2960, so I can define VLANs there, but cannot give them an IP range.

Maybe I don't need to:

I have a Cisco AP and want to have two SSIDs, "Internal" and "Guest". "Internal" has full network and http access; "Guest" only has http access.

I was under the assumption 7.0+ was needed for this. Is it possible with 7.2 on a PIX 515e connected to a 2960 switch and a Cisco 1180ag AP?

Was thinking I would allow "Internal" SSID full access to network and DHCP server, and use "dhcpd relay" for the "Guest" VLAN and have the PIX give out DHCP to them and run them through an ACL.

Make sense?

Jon Marshall Mon, 10/13/2008 - 22:04

Scott

You don't need to have an L3 switch, only an L2 one, so the 2960 will be fine. You define the L2 VLANs on the switch but you "route" them on the PIX, so it will work fine.

The IP range is allocated on the PIX interfaces.

Jon

Mo'ath Al Rawashdeh Tue, 10/14/2008 - 01:12

Hi Scott,

Define the ip ranges for both VLANs as subinterfaces on your PIX (the PIX is the gateway for your 2 VLANs).

interface Ethernet1.1
 vlan 1
 nameif Internal
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
interface Ethernet1.2
 vlan 2
 nameif Guests
 security-level 100
 ip address 10.0.1.1 255.255.255.0 standby 10.0.1.2

After that, create an access-list with the rules you want and apply it on the outbound direction on interface Ethernet 1.

Hope this helps :)
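As an added example, not a config posted by anyone in this thread, here is how the subinterfaces, the PIX-hosted DHCP pool for the guest VLAN and the guest access-list fit together on PIX 7.2. It reuses Scott's addressing (192.168.1.253 on inside, 10.3.3.1 on guest); the `outside` interface, the guest DHCP range, the DNS server address and the NAT statements are assumptions. Two points a practitioner would want here: the guest subinterface gets a lower security-level than inside, so guest-to-inside traffic is dropped by default even if the access-list is later edited, and the access-list is applied inbound on the guest subinterface, which is where guest-originated traffic enters the firewall. The telnet line is also narrowed to the inside subnet rather than 0.0.0.0 0.0.0.0.

```cisco
! Added example for PIX 515E running 7.2. Assumes an "outside" interface exists.
! Physical port: carries the 802.1Q trunk, so it has no name/address of its own.
interface Ethernet1
 speed 100
 duplex full
 no nameif
 no security-level
 no ip address
!
! VLAN 1 = Internal. Only frames tagged with VLAN 1 land here.
interface Ethernet1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 192.168.1.253 255.255.255.0
!
! VLAN 2 = Guest. Lower security-level than inside: guest -> inside is
! denied by default, inside -> guest is allowed by default.
interface Ethernet1.2
 vlan 2
 nameif guest
 security-level 50
 ip address 10.3.3.1 255.255.255.0
!
! PIX hands out guest leases itself; the internal DHCP server never sees VLAN 2.
! Range and DNS server (192.0.2.53) are placeholders for this example.
dhcpd address 10.3.3.10-10.3.3.100 guest
dhcpd dns 192.0.2.53
dhcpd lease 3600
dhcpd enable guest
!
! Guest policy: no access to the inside subnet at all, then only DNS and web
! to anywhere else. Applied "in" on guest = traffic arriving from guest hosts.
access-list guest_in extended deny ip any 192.168.1.0 255.255.255.0
access-list guest_in extended permit udp any any eq domain
access-list guest_in extended permit tcp any any eq www
access-list guest_in extended permit tcp any any eq https
access-list guest_in extended deny ip any any
access-group guest_in in interface guest
!
! Assumed NAT so both VLANs can reach the Internet via the outside interface.
! (A config upgraded from 6.3 keeps nat-control, so this is required there.)
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (guest) 1 10.3.3.0 255.255.255.0
!
! Management: telnet only from the inside subnet, never from guest.
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
```

Check the result with `show interface ip brief` (both subinterfaces up), `show dhcpd binding` once a guest client associates, and `show access-list guest_in` to watch the hit counters climb on the deny line for guest-to-inside attempts.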

scott.bridges Tue, 10/14/2008 - 15:12

Ok, this is what I have:

interface Ethernet1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 192.168.1.253 255.255.255.0
interface Ethernet1.2
 vlan 2
 nameif guest
 security-level 100
 ip address 10.3.3.1 255.255.255.0

telnet 0.0.0.0 0.0.0.0 inside

It seems logical, but I can't seem to "telnet 192.168.1.253".

Am I missing something here?

Also, how should the config for Ethernet1 look?

interface Ethernet1
 no ip address
 no vlan
 no nameif

Does this config turn it into a trunk port for the VLAN tags?

Thanks for all the input so far!

scott.bridges Tue, 10/14/2008 - 16:42

Progress!

So I currently have a mock-setup at home that I've been playing with. I want to get it working at home before I implement live.

My PC is directly connected to the PIX with a static IP in the same network as "inside". I wasn't for the life of me able to ping or telnet to "inside". I was thinking, since we assigned VLANs, that my PC must not be carrying a VLAN tag.

So I was digging around in my NIC card properties and enabled VLAN tagging, tried pinging, Bingo! Telnet worked, also!

So the thing I'm missing at home is the 2960.

Now my question is this:

At the client, there is only one Cisco 2960 switch, then there are 3 or 4 Cisco Linksys series, and a couple D-Link switches. I'm not sure how these other switches handle VLANs.

If, on the PIX, VLAN 1 is on interface Ethernet1.1 as 192.168.1.x, does that mean that all traffic passing through the 2960 with 192.168.1.x traffic will be tagged with VLAN 1?

In other words, how will all that other switch vendor traffic get tagged with VLAN 1?

Mo'ath Al Rawashdeh Wed, 10/15/2008 - 05:17

Are the D-Link switches manageable? I mean, do they allow you to telnet to them and do some configuration?

I have worked on D-Link switches once that were manageable, and had no issues with VLANs and trunking since they supported the IEEE 802.1Q standard and were compatible with the Cisco ones accordingly.

Regards,

Mo'ath Al Rawashdeh Wed, 10/15/2008 - 05:05

In order to telnet to your PIX, you have to allow the hosts that you want to log in from by using the command below on your PIX:

PIX(config)# telnet A.B.C.D X.X.X.X interface

where A.B.C.D is the IP address you are going to connect from,

X.X.X.X is the subnet mask (usually 255.255.255.255), and

interface is the interface on the PIX you are expected to connect from (usually inside).

As for Ethernet 1, I recommend to make it this way:

 speed 100
 duplex full
 nameif inside
 security-level 100
 no ip address

"Does this config turn it into a trunk port for the VLAN tags?"

The answer is yes.

Cheers mate :)
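Scott's question about how traffic from the Linksys and D-Link switches ends up "tagged with VLAN 1" is really a question about the 2960's port roles, so here is the switch side as an added example (not posted by anyone in the thread). Tagging is decided per port, not per IP subnet: the uplink to the PIX and the port facing the AP are 802.1Q trunks, while the ports feeding the other vendors' switches stay access ports in VLAN 1, so those switches never see a tag and need no VLAN support at all. The port numbers are assumptions. The one caveat that matters for PIX 7.x is the native VLAN: a 2960 sends native-VLAN frames untagged, and the PIX subinterface `vlan 1` only matches tagged frames (which is why Scott's PC needed tagging enabled), so the trunk to the PIX moves its native VLAN to an unused ID.

```cisco
! Added example: Catalyst 2960 side of the setup. Assumes Gi0/1 faces the PIX
! (its Ethernet1), Fa0/2 faces the Aironet AP, Fa0/3-24 are ordinary ports.
vlan 2
 name guest
vlan 999
 name unused-native
!
! Uplink to the PIX. Native VLAN moved to an unused ID so that VLAN 1 frames
! are sent *tagged*; untagged frames would never reach subinterface vlan 1.
interface GigabitEthernet0/1
 description trunk to PIX Ethernet1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,2
 spanning-tree portfast trunk
!
! AP port: one VLAN per SSID (Internal = VLAN 1, Guest = VLAN 2).
! Aironet management normally rides the untagged native VLAN, so it stays 1.
interface FastEthernet0/2
 description Aironet AP, two SSIDs
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2
!
! Everything else, including the uplinks to the Linksys/D-Link switches,
! is an access port in VLAN 1: the 2960 strips the tag on the way out and
! adds it on the way in, so those switches carry plain untagged Ethernet.
interface range FastEthernet0/3 - 24
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast
```

Verify with `show interfaces trunk` (Gi0/1 should list native VLAN 999 and allowed VLANs 1,2) and, on the PIX, `show interface Ethernet1.1` to confirm input packets are being counted once the trunk is up. If a guest client ever obtains a 192.168.1.x lease, the AP is putting the Guest SSID in the wrong VLAN, not the switch.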

Jon Marshall Mon, 10/13/2008 - 14:37

Scott

I might be misunderstanding, but you don't define VLANs on the firewall; rather, they are defined on the switch that the firewall connects to, and you make the link from the firewall to the switch an 802.1Q trunk.

By the way, you could run logical VLAN interfaces on version 6.3 of PIX as well.

6.3 - http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1113411

7.2 - http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006

Jon
