
PIX VLANs

I have a PIX 515 running 7.2(2). I am trying to set up a public and a private network to separate the traffic. My PIX doesn't seem to want to participate in the VLAN. VLAN 1 is my private VLAN and VLAN 2 is my public VLAN. My Switch is a 3560.

PIX Config

interface Ethernet1
 no nameif
 no security-level
 no ip address
!
interface Ethernet1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet1.2
 vlan 2
 nameif public
 security-level 10
 ip address 172.16.0.1 255.255.255.0

Switch Config

interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 ip address 10.0.0.221 255.255.255.0

I can't ping either direction. I do see the MAC address for the PIX in the ARP cache on the switch.

What am I doing wrong?

Thanks,


Re: PIX VLANs

Hi, where is the trunk config on the PIX? Can you post that portion.

Rgds

Jorge


Re: PIX VLANs

What Trunk configuration for the PIX? Maybe that is what I am missing.

Re: PIX VLANs

Hi, where is the trunk config on the PIX? Can you post that portion.

[EDIT] Never mind, and sorry about that: 802.1q is automatically enabled when creating logical interfaces.

Is the interface up on the PIX where you have the trunk?

If you connect a host in one of the VLANs and try to ping its default gateway, say 10.0.0.1, can you get replies?

Rgds

Jorge

Re: PIX VLANs

Mark, a few things to look into.

First: From the PIX, if you can ping the interfaces 172.16.0.1 and 10.0.0.1, that will indicate they are pingable.

Second: From the switch, issue "show interface trunk" to see the VLANs passing through that trunk.

Third: Make sure you have created the VLANs in the switch corresponding to these two new routable networks; check your VLAN database.

Fourth: Assign proper VLAN membership on ports corresponding to these two new VLANs.

Fifth: From a lower security level to a higher security level you need an access list to allow communications from the 172.16.0.0/24 to the 10.0.0.0/24 network, and that includes ICMP or any other ports required.

HTH

Jorge
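To make Jorge's "show interface trunk" and VLAN-database checks repeatable against the configs posted in this thread, here is an added Python example (not from the thread or from Cisco) that parses the PIX subinterfaces and the Catalyst trunk port and flags any subinterface whose VLAN cannot arrive as tagged frames: either because it is the trunk's native VLAN, which a Catalyst sends untagged while a PIX subinterface only accepts tagged frames, or because it is excluded from the trunk's allowed list. The sample configs are condensed from the post; since the switch snippet shows no native VLAN line, the Catalyst default of VLAN 1 is an assumption of this check.

```python
import re
# Constructed sample input, condensed from the configs posted above. The switch snippet
# has no 'switchport trunk native vlan' line, so the Catalyst default (VLAN 1) is assumed.
PIX_CONFIG = """interface Ethernet1
interface Ethernet1.1
 vlan 1
interface Ethernet1.2
 vlan 2"""
SWITCH_CONFIG = """interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk"""

def expand_vlan_list(spec):
    """Expand a Catalyst VLAN list such as '1,3-5,10' into a set of VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def pix_subinterfaces(cfg):
    """Map each PIX subinterface (interface X.Y) to the 802.1q tag its 'vlan N' line expects."""
    subifs, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"\s*interface (\S+)", line)
        if m:  # only subinterfaces (name contains a dot) carry a VLAN tag
            current = m.group(1) if "." in m.group(1) else None
        m = re.match(r"\s*vlan (\d+)\s*$", line)
        if m and current:
            subifs[current] = int(m.group(1))
    return subifs

def switch_trunk(cfg):
    """Return (native_vlan, allowed_vlans) for the trunk port; allowed is None when unrestricted."""
    native, allowed = 1, None  # Catalyst defaults: native VLAN 1, all VLANs allowed
    for line in cfg.splitlines():
        m = re.match(r"\s*switchport trunk (native|allowed) vlan ([\d,\-]+)\s*$", line)
        if m and m.group(1) == "native":
            native = int(m.group(2))
        elif m:
            allowed = expand_vlan_list(m.group(2))
    return native, allowed

def check_trunk(pix_cfg, switch_cfg):
    """List PIX subinterfaces whose VLAN cannot reach them as tagged frames over this trunk."""
    native, allowed = switch_trunk(switch_cfg)
    findings = []
    for subif, vid in sorted(pix_subinterfaces(pix_cfg).items()):
        if vid == native:  # native VLAN leaves the switch untagged; a subinterface needs the tag
            findings.append(f"{subif}: vlan {vid} is the trunk native VLAN, so it arrives untagged")
        elif allowed is not None and vid not in allowed:
            findings.append(f"{subif}: vlan {vid} is not in the trunk allowed list")
    return findings
```

Run against the posted snippets it reports Ethernet1.1 (vlan 1 equals the default native VLAN); adding an explicit allowed list or a different native VLAN to the switch config changes which subinterface is flagged.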
