Proper Syntax for creating virtual interfaces on PIX 515E

Sep 17th, 2010

Hi Folks,


I've not had good luck finding good or concise syntax for creating virtual interfaces on a 515E PIX.


Could someone point me in the right direction or provide me with a syntax example on how to do this?


For example, in my environment I'd like to take ethernet3 and make two virtual interfaces which will both carry trunk information for vlan 100 and vlan 110.  Further, I'd like ethernet3.1 to handle vlan100 and ethernet3.2 to handle vlan110.


Many thanks,


~Steve

praprama (Cisco Employee) Fri, 09/17/2010 - 08:35

Hi,


For command details on configuring subinterfaces, here's where you can find it:


http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i3_72.html#wp1726041


For config guide on configuring subinterfaces, please refer the below page:


http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006


Let me know if this helps and if you have more questions!!


Regards,

Prapanch

Steven Smith Fri, 09/17/2010 - 09:16

Prapanch,


Thank you...the references you provided are basically what I've seen already. What I'm looking for is more of a script that I can enter to create the virtual interfaces, assign VLANs and trunking.


Here is some more specific information...


[DMZ SWITCH SIDE]


Physical configuration: (the ASCII diagram of the Internet / PIX / DMZ switch connection did not survive extraction; only the "(Internet)" label remains)


The DMZ switch has one physical connection to the PIX so I want to make this a trunk port that will carry VLAN100 and VLAN110 to the PIX. VLAN110 will have only one port assigned to it in this case.


On the DMZ switch side (Cisco 2950) I need to create the VLANs (100 and 110). Currently all of the ports on the switch are in VLAN1. I need to assign all of the ports currently in VLAN1 to VLAN100.


interface range fastethernet0/1 - 11, fastethernet0/13 - 22, gigabit0/1 - 2


Then I need to assign port fastethernet 0/12 as the trunk port physically connected to the PIX. I want this trunk port to carry both VLAN110 and VLAN100 traffic to the PIX.


How do I do that (syntax)?


[PIX SIDE]


I need to create subinterfaces on ethernet3; ethernet3.1 and ethernet3.2:


name each new subinterface

Assign an IP to ethernet3.1, assign a security level of 30

Assign an IP to ethernet3.2, assign a security level of 30

Configure 3.1 and 3.2 to carry VLAN100 and VLAN110 traffic specifically


Apply an access-list acl_dmz_in to ethernet3.1

Apply access-list acl_dmz_out to ethernet3.2


I already have acl_dmz_in applied to ethernet3 so do I need to create another access-group for the new subinterfaces? If so how would that look?



~Steve

praprama (Cisco Employee) Fri, 09/17/2010 - 09:40

Hi Steve,


Well I am not an expert with configuring switches. But, to configure a port as trunk, the config will be as below:


interface fa0/12

switchport mode trunk


To configure a port as an access port, for example, fa0/1 in vlan 100, it will look like this:


interface fa0/1

switchport mode access

switchport access vlan 100


PIX side:

======


On the pix side, the behavior is going to be like this. Assuming that the native VLAN on the switch is going to be VLAN 1. Now, on the trunk link, all native VLAN packets will go untagged. These untagged packets will be processed by the physical interface on the PIX, that is, Ethernet3. So you will need to put Ethernet3 in the same subnet as VLAN1 (better put as Native VLAN) on the switch.


All tagged packets, that is, packets on VLAN 100 and 101, will be processed by the respective subinterfaces. So we need to put the respective subinterfaces in the respective VLAN and give them an IP address in those respective subnets.


Assuming VLAN 100 and 101 are in the ranges 192.168.100.0 and 192.168.101.0/24 respectively, and VLAN 1 is 192.168.1.0/24, then the config on the PIX would look something like this:


interface Ethernet3
 nameif VLAN1
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown

interface Ethernet3.1
 vlan 100
 nameif VLAN100
 security-level 30
 ip address 192.168.100.1 255.255.255.0

interface Ethernet3.2
 vlan 101
 nameif VLAN101
 security-level 30
 ip address 192.168.101.1 255.255.255.0


the nameif and security-level will be based on your requirement. Applying access lists to these interfaces will be just like regular interfaces.


access-group acl_dmz_in in interface VLAN100

access-group acl_dmz_out out interface VLAN101


In the above commands, the directions and access-list names will again depend on what you want to configure them as.


Importantly, to allow communication between VLAN100 and VLAN101 on the PIX, you will also need the command "same-security-traffic permit inter-interface" as they both have the same security-levels configured.


Hope the above helps!! Let me know if there is anything unclear.


Regards,

Prapanch

Nagaraja Thanthry (Cisco Employee) Fri, 09/17/2010 - 09:49

Hello,


If you want to create subinterfaces on the DMZ port, please follow the procedure below:


interface Ethernet3.1
 nameif DMZ1
 security-level 30
 ip address
exit

interface Ethernet3.2
 nameif DMZ2
 security-level 30
 ip address
exit


If you want to enable communication between these two DMZ subnets, then


same-security-traffic permit inter-interface


access-list DMZ1_nat0_outbound permit ip


nat (DMZ1) 0 access-list DMZ1_nat0_outbound


access-list DMZ2_nat0_outbound permit ip


nat (DMZ2) 0 access-list DMZ2_nat0_outbound


If you want these DMZ subnets to have access to internet, then


global (outside) 1 interface  -- This line could already be there


nat (DMZ1) 1 0.0.0.0 0.0.0.0

nat (DMZ2) 1 0.0.0.0 0.0.0.0


If you want to enable communication between specific inside hosts and these DMZ devices, then


access-list inside_nat0_outbound permit ip host

access-list inside_nat0_outbound permit ip host


nat (inside) 0 access-list inside_nat0_outbound


access-list DMZ1_access_outbound permit ip any any


access-group DMZ1_access_outbound in interface DMZ1


access-list DMZ2_access_outbound permit ip any any


access-group DMZ2_access_outbound in interface DMZ2


Hope this helps.


Regards,


NT

Steven Smith Fri, 09/17/2010 - 10:13

NT,


Thank you. This should help.


I don't think we need the two DMZ segments to share traffic between them, but the VLAN100 side certainly does. So given your syntax all I would need to do is:


interface Ethernet3.1
 vlan 100
 nameif DMZ1
 security-level 30
 ip address
exit

interface Ethernet3.2
 vlan 110
 nameif DMZ2
 security-level 30
 ip address
exit


nat (DMZ1) 1 0.0.0.0 0.0.0.0 (this is already here since our current DMZ has access to the Internet)


Using your naming convention, DMZ2 will be the 'inside' DMZ link and I would need an access-group and apply an access-list allowing our internal systems proper communication.



access-list DMZ2_access_internal permit tcp any host UAG1_Corp eq www
access-list DMZ2_access_internal permit tcp any host UAG1_Corp eq https
access-list DMZ2_access_internal permit tcp any host UAG1_Corp eq 445
access-list DMZ2_access_internal permit udp any host UAG1_Corp eq 445
access-list DMZ2_access_internal permit tcp any host UAG1_Corp eq 88
access-list DMZ2_access_internal permit udp any host UAG1_Corp eq 88
access-list DMZ2_access_internal permit tcp any host UAG1_Corp eq ldap
access-list DMZ2_access_internal permit udp any host UAG1_Corp eq 389
access-list DMZ2_access_internal permit tcp any host UAG1_Corp eq ldaps
access-list DMZ2_access_internal permit udp any host UAG1_Corp eq 636
access-list DMZ2_access_internal permit tcp any host UAG1_Corp eq 3268
access-list DMZ2_access_internal permit udp any host UAG1_Corp eq 3268
access-list DMZ2_access_internal permit tcp any host UAG1_Corp eq 3269
access-list DMZ2_access_internal permit udp any host UAG1_Corp eq 3269
access-list DMZ2_access_internal permit tcp any host UAG1_Corp eq domain
access-list DMZ2_access_internal permit udp any host UAG1_Corp eq domain
access-list DMZ2_access_internal permit udp any host UAG1_Corp eq radius
access-list DMZ2_access_internal permit udp any host UAG1_Corp eq 1812

access-group DMZ2_access_internal in interface DMZ2


Is there anything on the PIX side I need to configure to allow trunking traffic from the DMZ switch?


~Steve

Nagaraja Thanthry (Cisco Employee) Fri, 09/17/2010 - 10:20

Hello,


As long as you have created the sub-interfaces, that is pretty much all you need on the firewall side to enable trunk communication. Please make sure that on the switch side, the native VLAN is something other than VLAN 100 or VLAN 110.


Also, I forgot to include a keyword in the earlier configuration:


interface Ethernet3.1
 vlan 100
 nameif DMZ1
 security-level 30
 ip address
exit

interface Ethernet3.2
 vlan 110
 nameif DMZ2
 security-level 30
 ip address
exit


You still need "same-security-traffic permit inter-interface" along with the access-list entries to enable communication between these two subnets.


Regards,


NT
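A complete worked configuration covering the switch-side trunk and access ports asked about earlier in the thread, the PIX subinterfaces, and the NAT and ACL pieces from NT's two replies, added here as an example and not taken from the original posts or from Cisco documentation. It assumes 192.168.100.0/24 for VLAN 100 and 192.168.110.0/24 for VLAN 110 (addresses chosen for illustration), an otherwise unused VLAN 999 as the trunk's native VLAN, that fa0/11 is the single VLAN 110 access port and fa0/12 the uplink to the PIX, that the PIX runs 7.x software, and an inside host 10.1.1.5 standing in for UAG1_Corp. The two points a reviewer would check are built in: the native VLAN is moved off VLAN 1 (and off 100/110) so no untagged frame ever lands on the physical Ethernet3, and `same-security-traffic permit inter-interface` is left out on purpose so the two equal-security DMZs cannot reach each other through the PIX.

```cisco
! ===== DMZ switch (Catalyst 2950, IOS) =====
! VLAN numbers, ports and addresses below are assumptions for this example.
vlan 100
 name DMZ1_EXTERNAL
vlan 110
 name DMZ2_INTERNAL
vlan 999
 name UNUSED_NATIVE
!
! Everything that used to sit in VLAN 1 moves to VLAN 100
! (fa0/11 and fa0/12 are handled separately below).
interface range FastEthernet0/1 - 10 , FastEthernet0/13 - 22 , GigabitEthernet0/1 - 2
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! The single VLAN 110 port (assumed to be fa0/11).
interface FastEthernet0/11
 switchport mode access
 switchport access vlan 110
 spanning-tree portfast
!
! Uplink to PIX Ethernet3: 802.1Q trunk. The 2950 only speaks dot1q, so
! there is no "switchport trunk encapsulation" line. Prune the trunk to the
! two VLANs, park the native VLAN on an unused VLAN, and disable DTP so a
! neighbour cannot negotiate the port into another mode.
interface FastEthernet0/12
 switchport mode trunk
 switchport trunk allowed vlan 100,110
 switchport trunk native vlan 999
 switchport nonegotiate
!
! ===== PIX 515E (7.x) =====
! The physical interface only has to be up. With no nameif or IP address
! it drops any untagged (native-VLAN) frame that might still arrive.
interface Ethernet3
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet3.1
 vlan 100
 nameif DMZ1
 security-level 30
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet3.2
 vlan 110
 nameif DMZ2
 security-level 30
 ip address 192.168.110.1 255.255.255.0
!
! Deliberately absent: same-security-traffic permit inter-interface
! Both DMZs are security-level 30, so without that line the PIX will not
! forward DMZ1 <-> DMZ2; the segments only meet through the UAG host.
!
! DMZ1 (VLAN 100) reaches the Internet via PAT on the outside interface.
global (outside) 1 interface
nat (DMZ1) 1 192.168.100.0 255.255.255.0
!
! DMZ2 (VLAN 110) may reach one inside host (assumed 10.1.1.5) with no
! translation; NAT exemption is bidirectional, so nothing else inside is exposed.
access-list inside_nat0_outbound extended permit ip host 10.1.1.5 192.168.110.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Inbound policy on DMZ2: only the services the UAG needs, then an explicit
! logged deny so blocked attempts show up in syslog.
access-list DMZ2_access_internal extended permit tcp 192.168.110.0 255.255.255.0 host 10.1.1.5 eq https
access-list DMZ2_access_internal extended permit tcp 192.168.110.0 255.255.255.0 host 10.1.1.5 eq ldaps
access-list DMZ2_access_internal extended permit udp 192.168.110.0 255.255.255.0 host 10.1.1.5 eq 1812
access-list DMZ2_access_internal extended deny ip any any log
access-group DMZ2_access_internal in interface DMZ2
```

To verify: on the switch, `show interfaces FastEthernet0/12 trunk` should report the port as trunking with native VLAN 999 and only VLANs 100 and 110 allowed; on the PIX, `show interface Ethernet3.1` and `show running-config interface Ethernet3.2` confirm the subinterfaces are up with their VLAN tags, and `show running-config | include same-security` should return nothing if the two DMZs are meant to stay isolated. If `nat-control` is enabled on this PIX, every DMZ subnet that initiates connections through the firewall needs a matching `nat` statement, which is why DMZ1 has one even though it only needs Internet access.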

Steven Smith Fri, 09/17/2010 - 10:25

NT,


Thank you...


You mentioned this: "same-security-traffic permit inter-interface" along with the access-list entries to enable communication between these two subnets. Is this so the PIX sees both VLANs or allows traffic between these? The idea is to segment the two so they are unaware of one another. The "UAG" box will process any traffic between the two VLANs. Specifically, this will be a Microsoft Unified Access Gateway used to process inbound and outbound emails so I don't think we need to allow traffic between the two VLANs.


Hopefully that makes sense.


~Steve

Nagaraja Thanthry (Cisco Employee) Fri, 09/17/2010 - 10:30

Hello,


Where will this UAG box be located? If it will be in a different segment than DMZ1/DMZ2, then you do not need to enable communication between these two segments. Also, you need to make sure that both segments can talk to UAG box. So, you need to configure NAT translation for the UAG box on both interfaces. Can you post a rough sketch of how devices are connected to the PIX?


Regards,


NT

Steven Smith Fri, 09/17/2010 - 10:52

The port labeled "11" will be in the VLAN110 on the DMZ switch.
