03-24-2008 11:53 AM - edited 03-05-2019 09:56 PM
Can anyone point me in the direction of some examples of VLAN equipment 3550ish switches and a PIX firewall.
I've been trying to ping my firewalls from the inside of my VLAN and from the firewall to the inside of the VLAN and getting nowhere. I can ping from firewall to the routing port on the 3550. I'm using a /30 address from the PIX e1 to the routing port f0/1 on the 3550. But trying to ping from the other VLANs to the e1 address or connecting through telnet from a VLAN to the PIX is not working. I don't have any ACLs on the 3550. The PIX has ACLs on the e0 outside interface but not on the inside.
If it's easier I can post the configs. This is my first time going into production with VLANs and it's not going like the labs I've done.
03-24-2008 12:00 PM
Hi
Do you have routes on the pix and the 3550?
Let's say your point to point is
3550 fa0/1 - 192.168.5.1/30 -> 192.168.5.2/30 e1 pix
example vlans on switch
vlan 10 - 192.168.10.0/24
vlan 11 - 192.168.11.0/24
So on pix
route inside 192.168.10.0 255.255.255.0 192.168.5.1
route inside 192.168.11.0 255.255.255.0 192.168.5.1
On the 3550 the best solution is probably to have a default route pointing to the pix, i.e.
ip route 0.0.0.0 0.0.0.0 192.168.5.2
HTH
Jon
03-24-2008 12:33 PM
I have the ip default-gateway 192.168.5.2 and thought that would take care of all the routing issues.
interface vlan10
ip address 192.168.15.1 255.255.255.0
192.168.15.1 is the gateway for the network correct?
so for vlan10 my IP =
192.168.10.5
255.255.255.0
192.168.15.1
03-24-2008 12:50 PM
Hi
The PC setup is correct.
The ip default-gateway setting - is this on the 3550?
The ip default-gateway command is used if the 3550 is acting as a layer 2 switch. If you want the 3550 to route then
1) 3550(config)# ip route 0.0.0.0 0.0.0.0 192.168.5.2
2) 3550(config)# ip routing
Then if 192.168.5.2 is the pix you need to tell the pix how to get back to vlan 10, e.g.
route inside 192.168.15.0 255.255.255.0 192.168.5.1
assuming 192.168.5.1 is the routed fa0/1 port on the 3550.
Jon
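The fix Jon describes is a symmetric-routing check: the 3550 needs `ip routing` plus a default route to the PIX, and the PIX needs a `route inside` back to every VLAN subnet via the switch's routed port. As an added illustration (not code from the thread or from Cisco), the Python below parses constructed 3550 and PIX config snippets modelled on this thread and reports which VLAN subnets have no return route; the routed-port address is passed in as an argument.

```python
import ipaddress
import re

# Constructed sample configs (not the poster's real ones): VLAN 10 has a return
# route on the PIX, VLAN 11 does not, which is exactly the asymmetry from the thread.
SWITCH_CFG = """
ip routing
interface FastEthernet0/1
 no switchport
 ip address 192.168.5.1 255.255.255.252
interface vlan10
 ip address 192.168.15.1 255.255.255.0
interface vlan11
 ip address 192.168.11.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.5.2
"""

PIX_CFG = """
interface ethernet1
 ip address inside 192.168.5.2 255.255.255.252
route inside 192.168.15.0 255.255.255.0 192.168.5.1
"""

def svi_subnets(cfg):
    """Return {svi_name: network} for every 'interface vlanN' that has an ip address."""
    nets, current = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("interface"):
            m = re.match(r"interface (vlan\d+)$", line, re.I)
            current = m.group(1).lower() if m else None
        elif current and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            nets[current] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
    return nets

def pix_return_routes(cfg):
    """Return {network: next_hop} for each 'route inside' static on the PIX."""
    return {ipaddress.ip_network(f"{m[1]}/{m[2]}"): ipaddress.ip_address(m[3])
            for m in re.finditer(r"^route inside (\S+) (\S+) (\S+)", cfg, re.M)}

def missing_return_routes(switch_cfg, pix_cfg, switch_routed_ip):
    """List problems that break the VLAN <-> PIX path in either direction."""
    problems = []
    if not re.search(r"^ip routing$", switch_cfg, re.M):
        problems.append("3550: 'ip routing' not enabled")
    if not re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 \S+", switch_cfg, re.M):
        problems.append("3550: no default route towards the PIX")
    routes, hop = pix_return_routes(pix_cfg), ipaddress.ip_address(switch_routed_ip)
    for name, net in svi_subnets(switch_cfg).items():
        if not any(net.subnet_of(r) and nh == hop for r, nh in routes.items()):
            problems.append(f"PIX: no 'route inside' for {name} {net} via {hop}")
    return problems
```

Calling `missing_return_routes(SWITCH_CFG, PIX_CFG, "192.168.5.1")` flags only vlan11; adding the second `route inside` line clears it.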
03-24-2008 01:15 PM
Thank You!
It was the
route inside 192.168.15.0 255.255.255.0 192.168.5.1
that was killing me. I was thinking that because I had previously had the 192.168.1.0/24 network I would not need the route. But the interface was previously in the class range. I changed it to be a /30 and it didn't know what to do.
Thanks again.
03-24-2008 01:16 PM
No problem, glad you got it working.
Jon
03-25-2008 08:06 AM
For the other VPN locations to connect to a VLAN network at HQ do I just have to add the route in command or do I just need to add nat (in) 0?
HQ VLANs
vlan 10 - 192.168.10.0/24
vlan 11 - 192.168.11.0/24
Br2
network - 192.168.20.0/24
Br3
network - 192.168.30.0/24
Br2
nat (in) 0 access-l 120
access-l 120 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-l 120 permit ip 192.168.20.0 255.255.255.0 192.168.11.0 255.255.255.0
Br3
nat (in) 0 access-l 120
access-l 120 permit ip 192.168.30.0 255.255.255.0 192.168.10.0 255.255.255.0
access-l 120 permit ip 192.168.30.0 255.255.255.0 192.168.11.0 255.255.255.0