New Member

Access to Internet For VLAN

How would I go about allowing a VLAN full access to the internet through a PIX.

Outside Interface: 88.88.88.88

Inside Interface: 10.36.1.1

Vlan35: 10.35.1.2

Version 6.3(3)

I have very limited PIX knowledge, so any help would be appreciated.

1 ACCEPTED SOLUTION


Re: Access to Internet For VLAN

So you then have a static route in the 3550 point to the Server_vlan interface on the PIX?

13 REPLIES

Re: Access to Internet For VLAN

Too many assumptions. Please sanitize and post your config.

New Member

Re: Access to Internet For VLAN

Sorry about that. Current Pix config is attached.

VLAN Routing is being handled by the 3550 switch at 10.36.3.1 / 10.44.1.1 / 10.35.1.1 with

!
ip default-gateway 10.36.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.36.1.1
!

Currently clients on VLAN 1 can access the outside, but VLANs 35 and 44 cannot.

From what I can see, if I send a ping from a device on VLAN35 the switch routes it to the Pix inside interface, but when the ping is returned it cannot reach that device from the inside interface.

The pix can ping the device through the VLAN interface, but not through the inside interface. It just seems like I'm missing something really simple here...

New Member

Re: Access to Internet For VLAN

deleted

Re: Access to Internet For VLAN

Everything looks good except that the following line:

access-group ServerVLAN_access_in in interface ServerVLAN

The command is OK, but you do not have an ACL named ServerVLAN_access_in. Because there is no ACL, a 'deny ip any any' is implied blocking all traffic. You could either remove the access-group command or create the ACL allowing whatever you need access to on the outside.

HTH and please rate.
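The two misconfigurations this thread turns on (an access-group bound to an ACL that has no entries, and an interface with no nat statement under PIX 6.3 nat-control) are easy to miss by eye in a long config. Below is an added lint script, not part of this thread or the poster's attached config, that parses a PIX-style config and reports both. The sample config inside it is constructed for the example; the interface and ACL names copy the thread, while the address ranges are placeholders.

```python
"""Lint a PIX 6.x style config for two common 'why can't this VLAN reach
the outside' mistakes:

1. access-group bound to an ACL name that has no access-list lines
   (the interface then carries an implicit 'deny ip any any').
2. A named interface with no nat (...) statement, which under nat-control
   cannot originate translated traffic to the outside.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample config for this example (not the poster's real file).
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan35 ServerVLAN security50
nameif vlan44 GuestWLAN security40
access-list outside_access_in permit tcp any host 88.88.88.88 eq smtp
access-group outside_access_in in interface outside
access-group ServerVLAN_access_in in interface ServerVLAN
nat (inside) 1 10.36.0.0 255.255.0.0 0 0
nat (GuestWLAN) 1 10.44.1.0 255.255.255.0 0 0
global (outside) 1 interface
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\b")
ACG_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+\d+\s")
NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security\d+")


def parse(config: str) -> Tuple[Dict[str, List[str]], List[Tuple[str, str, str]], Set[str], Set[str]]:
    """Collect ACL entries, access-group bindings, NAT'd interfaces and interface names."""
    acls: Dict[str, List[str]] = {}
    bindings: List[Tuple[str, str, str]] = []
    nat_ifaces: Set[str] = set()
    ifaces: Set[str] = set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(line)
        elif m := ACG_RE.match(line):
            bindings.append((m.group(1), m.group(2), m.group(3)))
        elif m := NAT_RE.match(line):
            nat_ifaces.add(m.group(1))
        elif m := NAMEIF_RE.match(line):
            ifaces.add(m.group(1))
    return acls, bindings, nat_ifaces, ifaces


def find_dangling_access_groups(config: str) -> List[str]:
    """Interfaces whose bound ACL has no entries: all traffic is implicitly denied there."""
    acls, bindings, _, _ = parse(config)
    return sorted(iface for acl, _direction, iface in bindings if acl not in acls)


def find_interfaces_without_nat(config: str, skip: Tuple[str, ...] = ("outside",)) -> List[str]:
    """Named interfaces (other than those in `skip`) with no nat (...) statement."""
    _, _, nat_ifaces, ifaces = parse(config)
    return sorted(i for i in ifaces if i not in nat_ifaces and i not in skip)


if __name__ == "__main__":
    for iface in find_dangling_access_groups(SAMPLE_CONFIG):
        print(f"access-group on {iface} references an ACL with no entries (implicit deny)")
    for iface in find_interfaces_without_nat(SAMPLE_CONFIG):
        print(f"interface {iface} has no nat statement")
```

Run it against a sanitized `show run` saved to a file by replacing SAMPLE_CONFIG with the file contents; on the constructed sample both checks flag ServerVLAN, matching the two fixes suggested in this thread.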

New Member

Re: Access to Internet For VLAN

OK. I made some revisions to the config, but it still doesn't work. Same issue as before.

I also noticed that the static statements don't work -- I cannot access the servers from the outside.

Thanks!!

Re: Access to Internet For VLAN

Check your logs, they should help point us in the right direction. I'll check the statics.

Re: Access to Internet For VLAN

Statics look OK. What's the default gateway of your servers? From the PIX can you successfully ping the mail server?

New Member

Re: Access to Internet For VLAN

The server default gateway is the VLAN IP of the layer 3 switch, so 10.35.1.1.

From the Pix I can ping with

ping mail
ping ServerVLAN mail

but cannot ping with

ping inside mail

New Member

Re: Access to Internet For VLAN

The GuestWLAN VLAN (44) works just fine after I added nat (GuestWLAN) 1 10.44.1.0 255.255.255.0 0 0.

Re: Access to Internet For VLAN

So you then have a static route in the 3550 point to the Server_vlan interface on the PIX?

New Member

Re: Access to Internet For VLAN

Oh wow -- talk about focusing on the wrong place. Here I was convinced that it was a PIX configuration issue and never reviewed the switch. Doh!

I had a route configured on the 3550 -

ip route 0.0.0.0 0.0.0.0 10.36.1.1

But never added the route for VLAN35 -

ip route 0.0.0.0 0.0.0.0 10.35.1.2

Thanks for pointing this out for me! What a relief to have this resolved!

New Member

Re: Access to Internet For VLAN

Guess that didn't work after all. Sometimes it works, sometimes it doesn't - I guess it depends upon which route it chooses.

Is there another way to define the route for each VLAN?
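The "sometimes it works, sometimes it doesn't" behaviour follows from the two `ip route 0.0.0.0 0.0.0.0 ...` lines: both are static routes to the same prefix with the same administrative distance, so the switch installs both and shares traffic across them per destination, and only flows that happen to pick the PIX's working path succeed. The following added model, not from this thread or Cisco, parses `ip route` lines the way they appear in the posts and resolves a destination by longest prefix match and then administrative distance, returning every next hop that ties. The route lines copy the thread; the extra more-specific route and the floating-static variant are constructed for illustration.

```python
"""Toy model of a Catalyst 3550 static routing table.

Shows why two default routes with equal administrative distance produce
an ambiguous (per-destination load-shared) next hop, and how a more
specific prefix or a different AD removes the ambiguity.
"""
import ipaddress
import re
from typing import List, Tuple

# 'ip route <network> <mask> <next-hop> [<admin-distance>]'
ROUTE_RE = re.compile(r"^ip route\s+(\S+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)(?:\s+(\d+))?\s*$")

# Route lines as posted in the thread: two default routes, equal AD.
TWO_DEFAULTS = """\
ip route 0.0.0.0 0.0.0.0 10.36.1.1
ip route 0.0.0.0 0.0.0.0 10.35.1.2
"""

# Constructed variant: a single default plus a more specific route.
SPECIFIC_PLUS_DEFAULT = """\
ip route 0.0.0.0 0.0.0.0 10.36.1.1
ip route 10.35.0.0 255.255.0.0 10.35.1.2
"""

# Constructed variant: second default as a floating static (AD 250).
FLOATING_DEFAULT = """\
ip route 0.0.0.0 0.0.0.0 10.36.1.1
ip route 0.0.0.0 0.0.0.0 10.35.1.2 250
"""

Route = Tuple[ipaddress.IPv4Network, str, int]


def parse_routes(config: str) -> List[Route]:
    """Turn 'ip route' lines into (network, next_hop, admin_distance) tuples."""
    routes: List[Route] = []
    for raw in config.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if not m:
            continue
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        ad = int(m.group(4)) if m.group(4) else 1   # IOS default AD for a static route
        routes.append((net, m.group(3), ad))
    return routes


def next_hops(routes: List[Route], dst: str) -> List[str]:
    """All next hops that tie after longest-prefix match and lowest AD.

    More than one entry means the switch will load-share per destination,
    which is what makes reachability look random from the user's side.
    """
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return []
    best_len = max(r[0].prefixlen for r in matches)
    longest = [r for r in matches if r[0].prefixlen == best_len]
    best_ad = min(r[2] for r in longest)
    return sorted(r[1] for r in longest if r[2] == best_ad)


def ambiguous_prefixes(routes: List[Route]) -> List[str]:
    """Prefixes that have more than one next hop at the same (lowest) AD."""
    out = []
    for net in sorted({r[0] for r in routes}, key=lambda n: (n.prefixlen, int(n.network_address))):
        same = [r for r in routes if r[0] == net]
        best_ad = min(r[2] for r in same)
        if len([r for r in same if r[2] == best_ad]) > 1:
            out.append(str(net))
    return out


if __name__ == "__main__":
    for name, cfg in (("two defaults", TWO_DEFAULTS),
                      ("specific + default", SPECIFIC_PLUS_DEFAULT),
                      ("floating default", FLOATING_DEFAULT)):
        table = parse_routes(cfg)
        print(f"{name}: 8.8.8.8 -> {next_hops(table, '8.8.8.8')}, "
              f"ambiguous prefixes: {ambiguous_prefixes(table)}")
```

With the thread's two default routes, `next_hops` for any Internet address returns both 10.36.1.1 and 10.35.1.2, which is the intermittent behaviour described in the post. The two constructed variants show the two ways the tie disappears: a more specific prefix wins outright, and a higher administrative distance turns the second default into a backup that is only used if the first is withdrawn.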

Re: Access to Internet For VLAN

Is there a reason you're using the 3550 as the DG? It's a security vulnerability. Try setting the PIX as your DG.
