Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
734
Views
0
Helpful
3
Replies

PIX515e, Cisco AP 1130AG, VLANS, please help

Armegeden
Level 1
Level 1

‎08-10-2008 10:13 AM - edited ‎03-06-2019 12:42 AM

From previous topic, but the advice given there isn't working, here is a copy & paste of the problem:

2801 router

fe0/0 with a 209.x.x.x address going to a switch.

fe0/1 with a 28.x.x.x going out to WAN

515 PIX

e0 outside with a 209.x.x.x address going to same switch as router.

e1 inside with a 192.168.0.1 address going to LAN. This acts as the network firewall/gateway

Client just purchased a Cisco AccessPoint 1130AG. Client wishes to have two SSID's. One "Guest" SSID which only gives access to HTTP/HTTPS. And one "Staff" SSID which gives access to everything (network servers/shares/printers/etc).

I have tried creating subinterfaces on the PIX, but it apparently doesn't support this (it is IOS 6.3). I tried messing around with the eth2 (which is not in use) and creating "logical" interfaces, but I'm not really sure where to go with that.

I'm including a rough Visio JPG of the network. I'd rather not touch the Router config; would rather do anything I need on the PIX.

Is there any way to get these VLANs working on PIX 515e with IOS 6.3? Would it help to see the current running-config on the PIX?

Please, any help would be greatly appreciated

Labels:
Preview file
37 KB
0 Helpful
3 Replies 3

Armegeden
Level 1
Level 1

‎08-11-2008 09:33 AM

I've been playing around with the logical interfaces on IOS 6.3:

interface ethernet0 auto

interface ethernet1 100full

interface ethernet2 auto shutdown

interface ethernet2 vlan10 logical

interface ethernet2 vlan20 logical

ip address outside 209.x.x.x 255.255.255.192

ip address inside 192.168.1.1 255.255.255.0

ip address test1 10.1.1.1 255.255.255.0

no ip address intf3

no ip address intf4

It appears that although these aren't subinterfaces as I know them on a router IOS, it appears that I can assign intf3 and intf4 (the logical interfaces) IP addresses.

If this is true, then I should be able to throw in ACL's to do inter VLAN routing, thereby accomplishing what I need.

Is this at all correct?

0 Helpful

Tshi M
Level 5
Level 5

‎08-11-2008 09:46 AM

I am not sure if you can create object-group with that version of PIX but object-group and ACL inside and ACL outside might be able to help out. You will create an object-group for the guest network and another one for the regular users. And then create an inside acl that will allow guest network access to http and https and the other group access to any.

0 Helpful

Tshi M
Level 5
Level 5
In response to Tshi M

‎08-11-2008 10:06 AM

You actually don't need to use object-group. Just use the VLAN subnets that you created on your 2960G switch.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card