vlan configuration inside a pix

Mar 4th, 2006

Hi everybody,

There are 4 VLANs in our network. In one of the VLANs, there's a file server.

Users in the other 3 VLANs should be able to access this file server.

How can I route traffic to the server?

The network design is as follows:

internet --------- router -------- pix --------- switch -------- lan

We use a PIX 515E running PIX software 6.3(3).

I tried the attached configurations in the router, PIX and switch, but it doesn't work.

I could ping the different VLANs and the router from the PIX,

but I couldn't ping the VLAN IP addresses on the PIX from the router.

Users in different VLANs are not able to reach each other.

What should the configuration be?

Thanks in advance



jackko Sat, 03/04/2006 - 02:52

The issue may be related to one of the golden rules of the PIX, which is to deny traffic in and out of the same interface. Although logical interfaces have been created for the VLANs, it's still a single physical interface.

A router or a layer 3 switch is needed to route traffic between the VLANs; the PIX simply is not designed to handle this.

harinirina Sun, 03/05/2006 - 05:11

Hi,

Thanks for your response.

There's something I'd like to know.

In the router between the PIX and the internet, is there a VLAN configuration to do?

In case I use a router for inter-VLAN routing (is it put between the PIX and the switch?),

do I need to configure VLANs inside the PIX?

thamdani Sun, 03/05/2006 - 22:03

Hi,

We can do that through the PIX as well. You don't need any config on the router for that, because traffic will be routed through the PIX between the VLANs.

Each logical interface will be treated as an individual interface. Remember the PIX ASA rule: traffic from a higher security zone to a lower security zone is allowed but not the reverse, and we need to configure the NAT rule for the traffic in any case.

Let me take an example. If you want vlan 100 [security level 6] to access vlan 300 [security level 8], then you need to configure two things:

static NAT

access list on vlan 6

static (sub3,sub1) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

access-list sub1traffic permit ip any 192.168.3.0 255.255.255.0

access-group sub1traffic in interface sub1

Hope this helps.

Regards,

Tanveer
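As an added illustration of the rules Tanveer describes (example code written for this page, not from the thread or from Cisco), the Python below parses PIX 6.3-style nameif/static/access-list/access-group lines and reports whether a flow between two interfaces would pass: higher to lower security by default, lower to higher only with a matching static plus a permitting inbound ACL. The config is constructed; the interface names sub1/sub3, the security levels and 192.168.3.0/24 come from the post above, and broad_permits flags the "permit ip any" shape, which opens the whole server subnet to every host on that VLAN rather than just the file server.

```python
import ipaddress

# Constructed PIX 6.3-style config modelled on the thread (addresses made up):
# VLAN 100 (sub1, security 6) must reach the file-server VLAN 300 (sub3, security 8).
PIX_CONFIG = """
nameif vlan100 sub1 security6
nameif vlan300 sub3 security8
static (sub3,sub1) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
access-list sub1traffic permit ip any 192.168.3.0 255.255.255.0
access-group sub1traffic in interface sub1
"""

def _net(fields):  # one ACL address spec: 'any' or 'addr mask' -> (network, remaining fields)
    if fields[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), fields[1:]
    return ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=False), fields[2:]

def parse(cfg):
    levels, statics, acls, groups = {}, [], {}, {}
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[0] == "nameif":                      # nameif <hw> <name> security<N>
            levels[t[2]] = int(t[3][len("security"):])
        elif t[0] == "static":                    # static (real,mapped) global local netmask M
            real, mapped = t[1].strip("()").split(",")
            statics.append((real, mapped, ipaddress.ip_network(f"{t[2]}/{t[5]}", strict=False)))
        elif t[0] == "access-list" and t[2] == "permit":
            src, rest = _net(t[4:])               # entry = (proto, src_net, dst_net)
            acls.setdefault(t[1], []).append((t[3], src, _net(rest)[0]))
        elif t[0] == "access-group":              # access-group <acl> in interface <if>
            groups[t[4]] = t[1]
    return levels, statics, acls, groups

def allowed(cfg, src_if, dst_if, dst_ip):
    """Higher->lower passes by default; lower->higher needs a static plus a permitting inbound ACL."""
    levels, statics, acls, groups = parse(cfg)
    ip = ipaddress.ip_address(dst_ip)
    if levels[src_if] == levels[dst_if]:
        return False, "PIX 6.x does not pass traffic between equal security levels"
    if levels[src_if] < levels[dst_if]:
        if not any(r == dst_if and m == src_if and ip in n for r, m, n in statics):
            return False, f"no static ({dst_if},{src_if}) covers {ip}"
        if src_if not in groups:
            return False, f"no access-group bound inbound on {src_if}"
    if src_if in groups and not any(ip in d for _, _, d in acls[groups[src_if]]):
        return False, f"{groups[src_if]} has no permit for {ip}"  # a bound ACL governs all ingress
    return True, "permitted"

def broad_permits(cfg):  # 'permit ip any <net>' entries: every source host, every protocol, whole net
    return [(name, str(d)) for name, ents in parse(cfg)[2].items()
            for p, s, d in ents if p == "ip" and s.prefixlen == 0 and d.prefixlen < 32]
```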

harinirina Mon, 03/06/2006 - 21:17

Hi everybody,

I've tried 2 things.

1) I put a router between the switch and the PIX

Pix 515E ----------- Router 2611XM ------------- Switch 2950T

with:

PIX Version 6.3(3)

IOS (tm) C2600 Software (C2600-IK9O3S-M), Version 12.3(15)

IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4

The configuration is in the config_1.txt attached file.

I first only tested the connection through the PIX; there's no VLAN configuration.

PC1 --------- PIX ------------ PC2

The PCs could ping each other.

Then I tested the connection between VLANs.

Router --------- Switch -------- PCs

PCs in different VLANs could ping each other.

When I put it together:

PC1 -------- Pix ----------- Router ---------- Switch ------- PCs

I couldn't ping PC1 from a user in a VLAN.

2) I used the following architecture:

Pix ----------- Switch --------- PCs

and used the static and access-list. VLAN 100, 200 and 300 need to access VLAN 400.

The configuration is in the config_2.txt attached file.

Users in different VLANs couldn't reach each other.

What should I modify in these configs? Should I use another IOS version?



harinirina Tue, 03/07/2006 - 04:51

Hi,

Users in different VLANs can now ping each other.

I've used the PIX for inter-VLAN routing and used the static and access-list as mentioned above.

I've changed "vlan 100 logical" into "vlan 100 physical".

But there's another problem.

I can't ping the inside interface of the PIX from the VLANs. I can't get to the internet from users in the VLANs.

The PC on the outside interface is reachable from the router.

Can anybody tell what's missing in the configuration?

