
New Member

VLANs can't ping PIX e1 address.

Can anyone point me in the direction of some examples of VLAN equipment 3550ish switches and a PIX firewall?

I've been trying to ping my firewalls from the inside of my VLAN and from the firewall to the inside of the VLAN and getting nowhere. I can ping from firewall to the routing port on the 3550. I'm using a /30 address from the PIX e1 to the routing port f0/1 on the 3550. But trying to ping from the other VLANs to e1 address or connecting through telnet from a VLAN to PIX is not working. I don't have any ACLs on the 3550. The PIX has ACLs on the e0 outside interface but not on the inside.

If it's easier I can post the configs. This is my first VLAN going into production and it's not going like the labs I've done.

6 REPLIES
Hall of Fame Super Blue

Re: VLANs can't ping PIX e1 address.

Hi

Do you have routes on the pix and the 3550 ?

Let's say your point to point is

3550 fa0/1 - 192.168.5.1/30 -> 192.168.5.2/30 e1 pix

example vlans on switch

vlan 10 - 192.168.10.0/24

vlan 11 - 192.168.11.0/24

So on pix

route inside 192.168.10.0 255.255.255.0 192.168.5.1

route inside 192.168.11.0 255.255.255.0 192.168.5.1

On the 3550 the best solution is probably to have a default-route pointing to the pix ie.

ip route 0.0.0.0 0.0.0.0 192.168.5.2

HTH

Jon

New Member

Re: VLANs can't ping PIX e1 address.

I have the ip default-gateway 192.168.5.2 and thought that would take care of all the routing issues.

interface vlan10

ip address 192.168.15.1 255.255.255.0

192.168.15.1 is the gateway for the network correct?

so for vlan10 my IP =

192.168.10.5

255.255.255.0

192.168.15.1

Hall of Fame Super Blue

Re: VLANs can't ping PIX e1 address.

Hi

The PC setup is correct.

The ip default-gateway setting - is this on the 3550 ?

The ip default-gateway command is used if the 3550 is acting as a layer 2 switch. If you want the 3550 to route then

1) 3550(config)# ip route 0.0.0.0 0.0.0.0 192.168.5.2

2) 3550(config)# ip routing

Then if 192.168.5.2 is the pix you need to tell the pix how to get back to vlan 10 eg.

route inside 192.168.15.0 255.255.255.0 192.168.5.1

assuming 192.168.5.1 is the routed fa0/1 port on the 3550.

Jon
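
An added example, not part of any reply in this thread: a Python check that reads a 3550 config and a PIX 6.x-style config and lists the switch subnets for which the PIX has no connected network or `route inside` entry, which is the condition that breaks replies to the VLANs. Both sample configs are constructed from the thread's addressing (the Vlan11 interface address is an assumption) and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed configs using the thread's addressing (Vlan11 address is assumed).
SWITCH_CFG = """\
ip routing
interface FastEthernet0/1
 ip address 192.168.5.1 255.255.255.252
interface Vlan10
 ip address 192.168.15.1 255.255.255.0
interface Vlan11
 ip address 192.168.11.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.5.2
"""
PIX_CFG = """\
ip address inside 192.168.5.2 255.255.255.252
route inside 192.168.11.0 255.255.255.0 192.168.5.1
"""

def switch_subnets(cfg):
    """Map each switch interface to the network configured on it."""
    nets, ifname = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            ifname = m.group(1)
        elif ifname and (m := re.match(r"\s+ip address (\S+) (\S+)", line)):
            nets[ifname] = ipaddress.ip_interface("/".join(m.groups())).network
    return nets

def pix_inside_networks(cfg):
    """Networks the PIX knows on inside: its connected subnet plus statics."""
    nets = []
    for line in cfg.splitlines():
        if m := re.match(r"ip address inside (\S+) (\S+)", line):
            nets.append(ipaddress.ip_interface("/".join(m.groups())).network)
        elif m := re.match(r"route inside (\S+) (\S+) \S+", line):
            nets.append(ipaddress.ip_network("/".join(m.groups())))
    return nets

def missing_return_routes(switch_cfg, pix_cfg):
    """Switch subnets the PIX cannot reply to (no covering inside network)."""
    known = pix_inside_networks(pix_cfg)
    return {name: str(net) for name, net in switch_subnets(switch_cfg).items()
            if not any(net.subnet_of(k) for k in known)}

def switch_is_routing(cfg):
    """'ip routing' plus a static default; 'ip default-gateway' does not count."""
    lines = [l.strip() for l in cfg.splitlines()]
    return "ip routing" in lines and any(
        l.startswith("ip route 0.0.0.0 0.0.0.0 ") for l in lines)
```

With the constructed PIX config above, only Vlan10 (192.168.15.0/24) is reported, since the /30 link is connected and Vlan11 already has a static route.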

New Member

Re: VLANs can't ping PIX e1 address.

Thank You!

It was the

route inside 192.168.15.0 255.255.255.0 192.168.5.1

that was killing me. I was thinking because I had previously had the 192.168.1.0/24 network that I would not need the route. But the interface was previously in the class range. I changed it to be a /30 and it didn't know what to do.

Thanks again.

Hall of Fame Super Blue

Re: VLANs can't ping PIX e1 address.

No problem, glad you got it working.

Jon

New Member

Re: VLANs can't ping PIX e1 address.

For the other VPN locations to connect to a VLAN network at HQ, do I just have to add the route in command or do I just need to add nat (in) 0?

HQ VLANs

vlan 10 - 192.168.10.0/24

vlan 11 - 192.168.11.0/24

Br2

network - 192.168.20.0/24

Br3

network - 192.168.30.0/24

Br2

nat (in) 0 access-l 120

access-l 120 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

access-l 120 permit ip 192.168.20.0 255.255.255.0 192.168.11.0 255.255.255.0

Br3

nat (in) 0 access-l 120

access-l 120 permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0

access-l 120 permit ip 192.168.30.0 255.255.255.0 192.168.11.0 255.255.255.0
