Vlans and PIX question

Jan 27th, 2010

Thanks again to everyone who replied to my last post... I've got another project related to the same VMware server...

I have a situation where I need to set up network access for a new virtual server in a VLAN where most of the existing hosts are on the other side of a PIX 525 (running 7.2(2)).

The other hosts in the VLAN are connected to a 4507 core switch, which is connected to an interface which is the DMZ and has the default gateway address of that VLAN. Actually, the VLAN, let's use the number 10, was set up at one point but is currently shut down. The connection to the PIX is an access port in VLAN 10. The inside interface is connected to another port on the same 4507. The port the inside interface is connected to is an access port in the central site's core VLAN... let's use 20 for this discussion.

The VMware server is 2 hops away, first through an ATM connection to an 8540 (set up with IRB) and then to a 3560. Two other things about the configuration that might be important: (1) there is a second PIX in an active/standby configuration, and (2) the inside ports that the two PIXes are connected to are the source of a port mirror to a port that a content filter is connected to.

I'm guessing that some sort of routing needs to be set up on the PIX(es)... what is the best method of doing that? Since this is a production network, I was hoping to have to change as little as possible (obviously...)

sachinraja Wed, 01/27/2010 - 13:31

Hi spfister

Do you have any sample diagram explaining your setup? I'm not really getting your setup right... apologies.

I see that the PIX has a DMZ where some hosts are connected on a Cisco 4500 on a dedicated VLAN 10? The default gateway of the PCs in VLAN 10 is the SVI address of the core switch, and the core switch has a connection to the PIX DMZ?

On the inside interface, you have VLAN 20, which is connected via ATM to a 3560 towards the VM server? How is the connectivity of the ATM/3560? On layer 3? Are you routing traffic to the VM server from the 4500 to the ATM/3560? Do you have a dedicated /30 between the PIX inside and 4500 VLAN 20?

If this is the case, you can just have static routes on your PIX pointing to the VLAN 20 SVI for your VM server subnet. Since this is just one subnet, static routes are good. In case you have many subnets, and other devices involved in routing, you can enable dynamic routing protocols like OSPF/EIGRP etc.

Let us know..

Raj
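
The static-route approach Raj describes, as an added example that is not part of the thread: a PIX 7.2 static route for the VM server's subnet via the VLAN 20 SVI, the DMZ-to-inside access list the DMZ hosts would need to reach the server, and the commands to check the result on the PIX and on the 4507. All addresses, interface names (`inside`, `dmz`), security levels and the ACL name are assumptions; the thread gives none of them.

```text
! Added example, not from the thread. Assumed addressing:
!   PIX inside        192.168.20.2/24  (VLAN 20, nameif inside, security-level 100)
!   PIX dmz           172.16.10.1/24   (VLAN 10, nameif dmz,    security-level 50)
!   4507 VLAN 20 SVI  192.168.20.1     (next hop from the PIX toward the 8540/3560)
!   VM server subnet  192.168.30.0/24 behind the 3560, server at 192.168.30.10

! --- PIX 525, 7.2(2): enter on the active unit; failover replicates the
!     configuration to the standby unit.
route inside 192.168.30.0 255.255.255.0 192.168.20.1 1
!
! DMZ hosts (security 50) cannot initiate connections to inside (security 100)
! without an ACL. Permit only what they need, e.g. HTTPS to the new server.
! CAUTION on a production box: "access-group" replaces any ACL already bound
! to dmz, and binding a first ACL adds an implicit deny for everything else
! the DMZ hosts do today. Check first and, if one exists, add to that ACL.
show running-config access-group
access-list dmz_in extended permit tcp 172.16.10.0 255.255.255.0 host 192.168.30.10 eq 443
access-group dmz_in in interface dmz
!
! If "show running-config nat-control" reports it enabled (common after an
! upgrade from 6.x), an identity static is also required for dmz -> inside:
!   static (inside,dmz) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
!
! Verify: route present on both units, ACL hit counts increment, server reachable
show route
show failover
show access-list dmz_in
ping inside 192.168.30.10

! --- 4507R: the VLAN 20 SVI needs a route to the VM subnet toward the 8540
!     (assumed next hop 192.168.20.254) and a return route for the DMZ subnet
!     via the PIX inside address, so replies do not follow some other path.
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
ip route 192.168.30.0 255.255.255.0 192.168.20.254
ip route 172.16.10.0 255.255.255.0 192.168.20.2
```

The PIX only needs the one `route inside` line for Raj's suggestion to work; the rest is what a practitioner would check before touching a production firewall: that the 4507 and the switches behind it return traffic for the DMZ subnet through the PIX and not around it, and that any new ACL on `dmz` does not silently cut off the traffic the DMZ hosts already pass.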

Ganesh Hariharan Wed, 01/27/2010 - 21:28

Hi,

As suggested by Raj, please explain your setup in a diagrammatic presentation so that it will be clear to us and we can fulfil your expectation.

Ganesh.H

spfister336 Thu, 01/28/2010 - 06:23

Yes, I guess I should have included that with the original post. I'll put something together... thanks!

Ganesh Hariharan Thu, 01/28/2010 - 23:07

I've got a diagram together and hopefully I've got everything on there that I need to...

http://www.pfisterfarm.com/vlan_and_pix_post.jpg

The ports on the 4507R going to the pix are both access ports in the appropriate vlan. All other ports should be trunk ports, currently.

Thanks!

Hi,

As per the thread, I am confused about what your requirement is. What I understand is that you want your VMware server to be in the DMZ zone or in a separate zone.

As per the diagram, if you want your VMware server to be in the DMZ zone, then you can make a trunk between the 4507 and 8540 and allow the DMZ VLAN over the trunk, and you can have access to the firewall's DMZ interface from the 8540. It will work!!

And if you want it in a separate zone, then you need to create the VLAN on both switches, allow that VLAN over the trunk, assign the VMware server to the new VLAN, and assign the gateway on the firewall.

Hope to help

If helpful, do rate the valuable post

Ganesh.H

spfister336 Fri, 01/29/2010 - 06:19

Maybe the actual question got lost in the description of the network set up.

I've got a VLAN I need to use in two different network segments connected to two different interfaces of the PIX. Do I need to do anything on the PIX to make this work?

Ganesh Hariharan Sat, 01/30/2010 - 00:06

With the diagram attached, and as per the original thread, I won't recommend this type of setup using the same VLAN on different ports. Even, true to my word, I have not seen or configured this type of setup.

Yes, the PIX 525 supports multiple virtual interfaces on a single physical interface through VLAN trunking.

I would suggest, as per the attached diagram, if the VMware server is to communicate with the PIX 525 inside interface, it can be possible: just configure a trunk between the 4507 and 8540 and between the 3560 where the server is connected. By doing this you can have connectivity to the PIX 525 active inside interface, which you can configure as the gateway for the VMware server.

Hope to help

Ganesh.H
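
The trunking approach Ganesh describes in his 28 Jan post (carry the DMZ VLAN over the 4507 - 8540 - 3560 path so the VM server sits in VLAN 10 with the PIX DMZ interface as its gateway), as an added example that is not part of the thread. Interface names are assumptions; the 8540 IRB hop is assumed to already bridge VLAN 10 and is not shown. The last section is the check that matters for a firewall: VLAN 10 must have no layer-3 gateway other than the PIX, otherwise a host in the DMZ VLAN can route straight into the core VLAN around it.

```text
! Added example, not from the thread. Interface numbers are assumed.

! --- 4507R: VLAN 10 was created earlier but left shut down (original post)
vlan 10
 name DMZ
 no shutdown
!
! Trunk toward the 8540: allow only the VLANs that must cross, not "all",
! and disable DTP so the far end cannot negotiate the trunk state.
interface GigabitEthernet2/1
 description uplink to 8540
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
! Port to the PIX DMZ interface stays an access port in VLAN 10 (original post)
interface GigabitEthernet2/2
 description PIX525 dmz
 switchport access vlan 10
 switchport mode access

! --- 3560: matching trunk up to the 8540, access port for the ESX host
vlan 10
 name DMZ
!
interface GigabitEthernet0/1
 description uplink to 8540
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description ESX host uplink for the DMZ port group
 switchport access vlan 10
 switchport mode access

! --- Checks, on both switches:
! VLAN 10 must appear as allowed AND as active/forwarding on each trunk
show interfaces trunk
! VLAN 10 active, with the expected ports
show vlan brief
! the PIX dmz MAC should be learned on the 4507 side, the server MAC on the 3560 side
show mac address-table vlan 10

! --- Firewall-bypass check: the only router in VLAN 10 must be the PIX.
! A VLAN 10 SVI with an IP address on a switch that also routes VLAN 20 gives
! any DMZ host a gateway that skips the PIX. This should return nothing:
show ip interface brief | include Vlan10
```

Extending VLAN 10 does not change the PIX configuration at all; the server simply becomes another DMZ host, so whatever access lists already govern `dmz` apply to it. The risk in the OP's original idea (the same VLAN appearing on both the DMZ and the inside side) is exactly the bypass the last check looks for, which is why the two switches should only ever bridge VLAN 10, never route it.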
