08-10-2008 10:13 AM - edited 03-06-2019 12:42 AM
From a previous topic, but the advice given there isn't working; here is a copy & paste of the problem:
2801 router
fe0/0 with a 209.x.x.x address going to a switch.
fe0/1 with a 28.x.x.x going out to WAN
515 PIX
e0 outside with a 209.x.x.x address going to same switch as router.
e1 inside with a 192.168.0.1 address going to LAN. This acts as the network firewall/gateway
Client just purchased a Cisco AccessPoint 1130AG. Client wishes to have two SSIDs: one "Guest" SSID which only gives access to HTTP/HTTPS, and one "Staff" SSID which gives access to everything (network servers/shares/printers/etc).
I have tried creating subinterfaces on the PIX, but it apparently doesn't support this (it is IOS 6.3). I tried messing around with the eth2 (which is not in use) and creating "logical" interfaces, but I'm not really sure where to go with that.
I'm including a rough Visio JPG of the network. I'd rather not touch the router config; I would rather do anything I need on the PIX.
Is there any way to get these VLANs working on PIX 515e with IOS 6.3? Would it help to see the current running-config on the PIX?
Please, any help would be greatly appreciated.
08-11-2008 09:33 AM
I've been playing around with the logical interfaces on IOS 6.3:
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet2 vlan10 logical
interface ethernet2 vlan20 logical
ip address outside 209.x.x.x 255.255.255.192
ip address inside 192.168.1.1 255.255.255.0
ip address test1 10.1.1.1 255.255.255.0
no ip address intf3
no ip address intf4
It appears that, although these aren't subinterfaces as I know them on router IOS, I can assign intf3 and intf4 (the logical interfaces) IP addresses.
If this is true, then I should be able to throw in ACLs to do inter-VLAN routing, thereby accomplishing what I need.
Is this at all correct?
08-11-2008 09:46 AM
I am not sure if you can create an object-group with that version of PIX, but an object-group plus an inside ACL and an outside ACL might be able to help out. You will create an object-group for the guest network and another one for the regular users, and then create an inside ACL that will allow the guest network access to HTTP and HTTPS and the other group access to any.
08-11-2008 10:06 AM
You actually don't need to use object-group. Just use the VLAN subnets that you created on your 2960G switch.
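Putting the two replies above together, here is an added example (not posted by anyone in this thread) of what the PIX 6.3 side could look like: two logical VLAN interfaces on ethernet2 and a guest ACL restricted to web browsing. It assumes the AP maps each SSID to a VLAN (10 guest, 20 staff) and the switch trunks both to PIX e2; the interface names, security levels, 10.1.x.0/24 subnets and the 192.168.0.0/24 inside LAN are assumptions, and every command should be checked against the PIX 6.3 command reference before use.

```cisco
! Added example, not from the thread: PIX 6.3 guest/staff wireless VLANs
! on ethernet2. Names, VLAN IDs and subnets are assumptions.
interface ethernet2 auto
interface ethernet2 vlan10 logical
interface ethernet2 vlan20 logical
nameif vlan10 guest security10
nameif vlan20 staff security90
ip address guest 10.1.1.1 255.255.255.0
ip address staff 10.1.2.1 255.255.255.0
! PAT both wireless subnets behind the outside address on the way to the WAN
nat (guest) 1 10.1.1.0 255.255.255.0
nat (staff) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
! Guest ACL: order matters. Deny the internal LAN and the staff VLAN first,
! otherwise "permit tcp any any eq www" would also reach internal web servers.
access-list guest_in deny ip any 192.168.0.0 255.255.255.0
access-list guest_in deny ip any 10.1.2.0 255.255.255.0
! DNS is needed for browsing to work at all (assumes an external resolver)
access-list guest_in permit udp any any eq domain
access-list guest_in permit tcp any any eq www
access-list guest_in permit tcp any any eq https
access-list guest_in deny ip any any
access-group guest_in in interface guest
! Staff ACL: full access to the LAN and the Internet
access-list staff_in permit ip 10.1.2.0 255.255.255.0 any
access-group staff_in in interface staff
! Staff (security90) reaching inside (security100) goes from a lower to a
! higher security interface, which PIX 6.3 only allows through a translation;
! an identity static keeps inside addresses unchanged
static (inside,staff) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
```

The explicit deny lines at the top of guest_in are the part to check with "show access-list" hit counts: if guests only hit the permit lines, the isolation is working as intended.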