I have a PIX 506E running with 2 VLANs and for some reason on the logical interface I can't communicate with hosts in the same subnet. The physical interface is good, all hosts talk properly. The networks are autonomous and are not to talk to each other but, I figured that being on the same subnet and VLAN I wouldn't have to explicitly allow the traffic. Enclosed is a config snippet of the pertinent interfaces:
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan5 physical
interface ethernet1 vlan10 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 intf2 security99
ip address inside 192.168.0.1 255.255.255.0
ip address intf2 192.168.1.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
Is an ACL needed to allow communications on the logical interface?
Nah, the trunk is good on the switch port. I can browse out via both VLANs going all the way out the PIX through the NATs on both inside and intf2. On the inside interface I can connect to other hosts within its subnet, i.e. I can map a drive or ping from 192.168.0.5 to 192.168.0.10. But, on the intf2 interface I cannot go from 192.168.1.5 to 192.168.1.10. I'm just thinking I may need an ACL or an adjustment of the interface security setting, since the logical interface has different criteria to adhere to. Just seems strange that one can't talk to hosts on a common subnet...
If you are going from 192.168.1.5 to 192.168.1.10 then the firewall interface does not come into it because there is no need to route the traffic.
You should be able to communicate from your pix firewall to any hosts on the 192.168.1.x subnet.
If you want traffic to go from the logical subnet to the physical inside subnet you will need access-lists and static translations.
That's exactly what has me scratching my head about this...
I also noticed this in the logs:
no route to host 192.168.1.10 from 192.168.1.5
Which is odd because the 192.168.0.0/24 and 192.168.1.0/24 networks are directly connected and have their routes inherited into the routing table.
Yeah, I have no need to have inter VLAN communication so, I'm good on that front.
Can you check the subnet masks on the PIX and your 2 hosts, 192.168.1.10 & 192.168.1.5?
On the actual pix can you ping 192.168.1.10 and 192.168.1.5 ?
Ding, ding, ding. We have a winner.
I should have configured the servers' network settings myself, as a few of them were at a /25... that's the last time I take someone's word that they are "configured properly" for the network settings.
I knew there wasn't too much to the PIX and switch port settings that's why this was driving me nuts...
Thanks for the assistance all.
No problem. Glad you got it sorted.
If I had a penny for every time a server guy told me the subnet mask was correct..... :-)
That is still confusing though as 192.168.1.1, 192.168.1.5 & 192.168.1.10 would all be covered by /25 so even if some of them had incorrect subnet masks they should still be able to communicate.
Correct, but the DHCP scope was in the other /25 network... so, yeah, it was handing out IPs, but they were in the .129-.254 range with a /24, so they could see the PIX as it had the CORRECT mask. But as for the servers that lived in the first half of the /25 and had the /25 mask, no go.
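The mask mismatch described in the last two posts is easy to audit before anyone blames the firewall. The following is an added example, not code from this thread or from Cisco: it takes each host's own address and mask, decides whether each side would ARP for the other directly or hand the packet to its gateway, and flags pairs that disagree. The host table is constructed from the addresses in the thread (PIX intf2 at .1/24, servers in the first /25 with a /25 mask, a DHCP client at .200/24); the names and values are assumptions for illustration.

```python
import ipaddress

# Constructed host table based on the thread: the PIX intf2 address has the
# correct /24, the servers were left at /25, and DHCP handed out .129-.254 with /24.
HOSTS = {
    "pix-intf2":   ("192.168.1.1",   "255.255.255.0"),     # correct mask
    "server-a":    ("192.168.1.5",   "255.255.255.128"),   # /25, first half
    "server-b":    ("192.168.1.10",  "255.255.255.128"),   # /25, first half
    "dhcp-client": ("192.168.1.200", "255.255.255.0"),     # /24, second half
}

def local_net(ip, mask):
    """Return the network a host believes it is directly attached to."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network

def thinks_on_link(src, dst):
    """True if host src=(ip, mask) will ARP for dst directly rather than
    send the packet to its default gateway."""
    src_ip, src_mask = src
    return ipaddress.ip_address(dst[0]) in local_net(src_ip, src_mask)

def reachability(a, b):
    """Classify the a<->b path from each host's point of view.
    'direct'     : both sides agree the peer is on-link.
    'asymmetric' : one side ARPs, the other sends via its gateway (here the PIX),
                   which would have to forward the reply back out the same
                   interface it arrived on; this is the failure in the thread.
    'routed'     : neither side considers the peer on-link."""
    ab = thinks_on_link(a, b)
    ba = thinks_on_link(b, a)
    if ab and ba:
        return "direct"
    if ab != ba:
        return "asymmetric"
    return "routed"

def audit(hosts):
    """Return every host pair on the segment that does not agree on the subnet."""
    names = sorted(hosts)
    problems = {}
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            result = reachability(hosts[x], hosts[y])
            if result != "direct":
                problems[(x, y)] = result
    return problems

if __name__ == "__main__":
    for pair, why in audit(HOSTS).items():
        print(f"{pair[0]} <-> {pair[1]}: {why}")
```

Run against a real segment, the table would be filled from each host's actual interface configuration rather than from what someone says it is.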