AP, VLANs, and PIX

Armegeden
Level 1

2801 router

fe0/0 with a 209.x.x.x address going to a switch.

fe0/1 with a 28.x.x.x going out to WAN

515 PIX

e0 outside with a 209.x.x.x address going to same switch as router.

e1 inside with a 192.168.0.1 address going to LAN. This acts as the network firewall/gateway

Client just purchased a Cisco Access Point 1130AG. Client wishes to have two SSIDs: one "Guest" SSID which only gives access to HTTP/HTTPS, and one "Staff" SSID which gives access to everything (network servers/shares/printers/etc).

My understanding is that the PIX doesn't handle multiple VLANs, only ASAs do. But can I use the router to route the two VLANs? There are currently no VLANs defined.

Can anyone help me out? Do you need to see the running-config on both to be able to tell? I was just wondering if the router could do a fe0/0.1 and fe0/0.2 int and add the two different VLANs' network statements to handle the routing, then the PIX restrict the access.

That's my idea, though I'm not sure how to go about implementing it.

Do I need to be more clear?

Thanks for any time given.


Create three different VLANs on the switch:

vlan 101 - for inside LAN

vlan 102 - for WLAN 1

vlan 103 - for WLAN 2

And then connect the trunk to the PIX inside, and on the PIX you need to create sub-interfaces:

```
! PIX 515 ports are named ethernet0 (outside) and ethernet1 (inside), so the
! sub-interfaces of e1 are ethernet1.1, ethernet1.2, ... (the ethernet0/1.x
! form is ASA naming and does not exist on a 515)
hostname(config)# interface ethernet1.1
hostname(config-subif)# vlan 101
hostname(config-subif)# nameif inside
hostname(config-subif)# security-level 100
hostname(config-subif)# ip address 10.0.0.1 255.255.255.0

hostname(config)# interface ethernet1.2
hostname(config-subif)# vlan 102
hostname(config-subif)# nameif WLAN1
hostname(config-subif)# security-level 90
hostname(config-subif)# ip address 20.0.0.1 255.255.255.0

hostname(config)# interface ethernet1.3
hostname(config-subif)# vlan 103
hostname(config-subif)# nameif WLAN2
hostname(config-subif)# security-level 80
hostname(config-subif)# ip address 30.0.0.1 255.255.255.0
```

Then you can create access-lists on the PIX for restricting traffic based on your requirements.

wow,

So you mean that I shouldn't need to alter the router configuration whatsoever?

The PIX will support multiple VLANs?

Yes, the PIX will support it, provided you have IOS 6.3 and above.

With the command "show ver" you can check the details available on your PIX device.

You can also refer to this link. It will give more details for your platform.

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1116060

PIX 515

```
! Sub-interfaces hang off the physical inside port ethernet1, so they are
! named Ethernet1.x (ethernet1/1.x is not a valid name on a PIX 515)
interface Ethernet1.1
 vlan 101
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

interface Ethernet1.2
 vlan 102
 nameif WStaff
 security-level 90
 ip address 192.168.2.1 255.255.255.0

interface Ethernet1.3
 vlan 103
 nameif WGuest
 security-level 50
 ip address 192.168.3.1 255.255.255.0
```

2960G

```
! A 2960 only needs the Layer-2 VLAN definitions; "interface vlan N" would
! create an SVI, which on a 2960 is for management, not for carrying the VLAN.
! The ports facing the PIX e1 and the AP must be trunks allowing VLANs 101-103.
vlan 101
 name LAN

vlan 102
 name WStaff

vlan 103
 name WGuest
```

This is what I was thinking about putting in to get it started. My worry is, if I create the sub-interfaces on the PIX, will that bring down the connection to our WAN? Will I need to do any other configuration to keep it seamless for the Staff? Or will everything auto adjust to interface eth1/1.1 because the "nameif inside" is still the same name, "inside"?

Anyone know the answer for this?
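The design sketched in the replies and in the draft above, carried through as one complete worked configuration for the switch and the PIX. This is an added example, not a configuration posted by anyone in this thread or Cisco's own; it uses the PIX 7.x syntax the replies use, takes the inside port `ethernet1` and the 192.168.0.0/24 LAN from the original post, and takes VLANs 101-103 and the `WStaff`/`WGuest` names and subnets from the draft. Unlike the draft, it leaves the existing LAN untagged on the physical `Ethernet1` (the trunk's native VLAN), so the existing `nameif inside` and address are untouched and only the two wireless sub-interfaces are new. The switch port numbers, the assumption that the 2960G is the inside LAN switch, an existing `global (outside) 1 interface`, and DNS for guests are all assumptions, marked in the comments.

```text
! ---- 2960G (assumed to be the inside LAN switch; port numbers are assumptions) ----
! Layer-2 VLANs only: the 2960 does not route, the PIX does.
vlan 101
 name LAN
vlan 102
 name WStaff
vlan 103
 name WGuest
!
! Uplink to PIX e1: trunk, with the existing LAN left untagged as the native VLAN
interface GigabitEthernet0/1
 description PIX e1 inside
 switchport mode trunk
 switchport trunk native vlan 101
 switchport trunk allowed vlan 101-103
!
! Port to the 1130AG: same trunk; the AP maps each SSID to its VLAN (AP side not shown)
interface GigabitEthernet0/2
 description AP 1130AG
 switchport mode trunk
 switchport trunk native vlan 101
 switchport trunk allowed vlan 101-103
!
! Existing wired LAN ports move into VLAN 101 (untagged, so clients see no change)
interface range GigabitEthernet0/3 - 24
 switchport mode access
 switchport access vlan 101

! ---- PIX 515, 7.x syntax as in the replies ----
! Ethernet1 keeps its nameif, security level and address: untagged frames from
! the trunk's native VLAN 101 arrive here, so the wired LAN is not re-addressed.
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet1.2
 vlan 102
 nameif WStaff
 security-level 90
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet1.3
 vlan 103
 nameif WGuest
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! Staff (90) -> inside (100) is lower-to-higher and denied by default: permit it explicitly
access-list WStaff_in extended permit ip 192.168.2.0 255.255.255.0 any
access-group WStaff_in in interface WStaff
!
! Guest: deny the LAN and staff ranges first, then allow web only; the implicit deny ends the list
access-list WGuest_in extended deny ip any 192.168.0.0 255.255.255.0
access-list WGuest_in extended deny ip any 192.168.2.0 255.255.255.0
access-list WGuest_in extended permit tcp 192.168.3.0 255.255.255.0 any eq www
access-list WGuest_in extended permit tcp 192.168.3.0 255.255.255.0 any eq https
! Assumption: guests use an external resolver, so DNS is needed for browsing to work at all
access-list WGuest_in extended permit udp 192.168.3.0 255.255.255.0 any eq domain
access-group WGuest_in in interface WGuest
!
! PAT both wireless subnets behind the outside address
! (assumes the running config already has "global (outside) 1 interface")
nat (WStaff) 1 192.168.2.0 255.255.255.0
nat (WGuest) 1 192.168.3.0 255.255.255.0
! Only if nat-control is enabled: exempt LAN <-> staff traffic from translation
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

Three points a practitioner should check before cutting over. First, the staff VLAN does not get to the servers just because it is "inside-ish": a security-level 90 interface cannot initiate to the level-100 inside without the explicit access-list above. Second, order matters in the guest list; the two `deny` lines must precede the web permits, otherwise a guest could reach port 80/443 on a LAN or staff host. Third, if the router's fe0/0 and the PIX e0 (the 209.x segment) sit on this same 2960, keep that outside segment in its own VLAN and never add it to the allowed list on these trunks. `show interface ip brief` and `show access-list` on the PIX, and `show interfaces trunk` on the switch, confirm the sub-interfaces are up, the hit counters climb on the expected lines, and only VLANs 101-103 are forwarded on the trunks.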
