07-11-2007 12:07 PM - edited 03-11-2019 03:43 AM
Oops, made a bit of a mess of this. I didn't do this on site (the datacenter is too far away) - now I have a very early start before clients connect unless I can fix this on the PIX over SSH (which I can connect to)!
I've had a few issues with VLANs behind the firewall. There are two: VLAN 2 (192.168.5.0/24) and VLAN 10 (10.0.0.0/24).
The PIX connects to a Catalyst via a trunk which has both VLANs. The PIX DID have the inside interface of 192.168.5.1 and the Catalyst had the default VLAN 2.
I simply changed the default VLAN on the Catalyst to VLAN 10 (this kicked me off the VPN, which I expected). I then thought I could log in over SSH to the firewall, change the internal interface to 10.0.0.1 and everything would be fine. I did this - but no joy. Everything is down. I think this is because the route on the Catalyst is still pointing to the 192.168.5.1 address.
Aaahh! Anything I can do? I've added a logical address in VLAN 2 with the 192.168.5.1 address - still no joy! Do I have to make the physical address of 10.0.0.0 have a lower security level than the logical VLAN2 address?
Sorry - I'm quite new to this - as you can see!
Thanks in advance
Dan
07-11-2007 12:27 PM
Dan
Can you post the config of the PIX?
When you say you added the VLAN 2 logical address, how do you know nothing is working?
Jon
07-11-2007 12:49 PM
I can no longer access any of the websites behind it, and the LAN-to-LAN VPN I have is still up - but not routing traffic.
See below: I notice all the statics have disappeared as well!
PIX Version 7.2(2)
!
hostname G-FWPIX-1
domain-name fwlevel3.com
enable password xxx
names
XXXXXXXXXXXXXX
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address XXXXXXXXXXXX 255.255.255.224
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Ethernet1.1
vlan 2
nameif VLAN2
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Ethernet2
nameif DMZ
security-level 50
ip address 192.168.15.1 255.255.255.0
!
passwd xxx
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
access-list acl_inbound extended permit tcp any host XXXXXXXXXXXX eq https
etc...
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.6.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.6.12.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.5.0 255.255.255.0 192.6.12.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.0.0.0 255.255.255.0 192.6.12.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu VLAN2 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 85.133.38.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username admin password XXXXXXXXX encrypted privilege 15
username cisco password XXXXXXXXXXXXXX encrypted
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer XXXXXXXXXXXXX
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group XXXXXXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXXXXXX ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
prompt hostname context
Cryptochecksum:xxx
: end
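The posted config has two named interfaces at security-level 100 (inside and VLAN2), nat-control turned on with no nat statements visible, and an inside_nat0_outbound access-list that nothing binds. Each of those on its own is enough to give the "I can ping the PIX but nothing passes through it" symptom on PIX 7.x. The script below is an added example, not from the thread or from Cisco: it parses a constructed excerpt of the config above (the masked outside address is replaced with a documentation-range placeholder) and flags those three conditions so they can be checked over SSH before anyone drives to the datacenter.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the PIX 7.2(2) config posted above. The outside
# address is a documentation-range placeholder; the poster masked the real one.
PIX_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.224
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet1.1
 vlan 2
 nameif VLAN2
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 192.168.15.1 255.255.255.0
!
access-list acl_inbound extended permit tcp any host 203.0.113.10 eq https
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.6.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.6.12.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.5.0 255.255.255.0 192.6.12.0 255.255.255.0
nat-control
global (outside) 10 interface
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 85.133.38.97 1
crypto map outside_map 20 match address outside_cryptomap_20
"""

Finding = Tuple[str, str]  # (check name, detail)


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Map each nameif to its physical/sub-interface, security level, VLAN and IP."""
    interfaces: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"interface": line.split(None, 1)[1], "nameif": None,
                       "security_level": None, "vlan": None, "ip": None}
        elif current is None:
            continue
        elif line == "!":  # end of the interface block
            if current["nameif"]:
                interfaces[current["nameif"]] = current
            current = None
        elif line.startswith("nameif "):
            current["nameif"] = line.split()[1]
        elif line.startswith("security-level "):
            current["security_level"] = int(line.split()[1])
        elif line.startswith("vlan "):
            current["vlan"] = int(line.split()[1])
        elif line.startswith("ip address "):
            current["ip"] = line.split()[2]
    return interfaces


def lint_pix_config(config: str) -> List[Finding]:
    """Flag the conditions most likely to explain 'I can ping the PIX but nothing passes'."""
    lines = [ln.strip() for ln in config.splitlines()]
    ifaces = parse_interfaces(config)
    findings: List[Finding] = []

    # 1. Two named interfaces at the same security level: PIX 7.x drops traffic
    #    between them unless 'same-security-traffic permit inter-interface' is set.
    if "same-security-traffic permit inter-interface" not in lines:
        names = sorted(ifaces)
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if ifaces[a]["security_level"] == ifaces[b]["security_level"]:
                    findings.append(("same-security",
                                     f"{a} and {b} are both level {ifaces[a]['security_level']} "
                                     "with no same-security-traffic permit"))

    # 2. nat-control is on: hosts behind a higher-security interface need a nat
    #    (or nat 0) rule before they can reach a lower-security interface at all.
    if "nat-control" in lines:
        nat_ifaces = {m.group(1) for ln in lines
                      for m in [re.match(r"nat \((\S+)\)", ln)] if m}
        for name, info in ifaces.items():
            if info["security_level"] > 0 and name not in nat_ifaces:
                findings.append(("nat-control", f"no nat rule for {name}"))

    # 3. An access-list nothing references (access-group, nat 0, crypto map) does
    #    nothing; an unbound nat0 exemption list is a classic "VPN up, no traffic".
    defined = {ln.split()[1] for ln in lines if ln.startswith("access-list ")}
    referenced = set()
    for ln in lines:
        m = re.search(r"(?:access-group|access-list|match address)\s+(\S+)", ln)
        if m and not ln.startswith("access-list "):
            referenced.add(m.group(1))
    for acl in sorted(defined - referenced):
        findings.append(("unreferenced-acl", acl))
    return findings


if __name__ == "__main__":
    for check, detail in lint_pix_config(PIX_CONFIG):
        print(f"[{check}] {detail}")
```

On the excerpt this reports one same-security pair (inside/VLAN2), three interfaces with no nat rule under nat-control, and the unbound inside_nat0_outbound list. The matching PIX 7.x commands are `same-security-traffic permit inter-interface`, a `nat (inside) 10 0.0.0.0 0.0.0.0` style rule for each internal interface, and `nat (inside) 0 access-list inside_nat0_outbound` for the VPN exemption; the script only reports, it does not apply anything. Note that it cannot see the Catalyst side: a switch default gateway still pointing at an address that moved is not something the firewall config will reveal.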
07-11-2007 12:53 PM
Dan
Let's start with the basics. If you are on the PIX, can you ping either the 192.168.5.x address on the Catalyst or the 10.0.0.x address on the Catalyst?
You don't have any routes for the inside networks - do you only have VLAN 2 and VLAN 10 on your internal network?
Jon
07-11-2007 01:16 PM
Thanks Jon
All my statics are back now - thank goodness for backups!
I can ping the VLAN 10 address of the Catalyst (10.0.0.2) and the VLAN2 address (192.168.5.100) from the PIX.
Dan
07-11-2007 01:20 PM
Dan
Are you saying it works now that you have the statics back?
Are your servers on either VLAN 2 or VLAN 10?
Apologies, but I have an important meeting tomorrow so I have to get some shuteye now.
I hope you get it working. I'll check again tomorrow morning.
Jon
07-11-2007 01:25 PM
No. I can ping but I don't think the Catalyst can pass anything else. It's got the right native VLAN but the wrong gateway (192.168.5.1) - which is now on as a virtual interface on the PIX, but it still isn't playing ball. Looks like an early one for me as well to go and change the switch locally.
Thanks anyway
Dan