
Inter-VLAN communication with PIX

bahouh888
Level 1

Hello there,

I have a PIX 525 firewall in my network and I would like to use it to configure inter-VLAN communication.

If it's possible, I need your help and links to how-tos, please.

Thank you in advance.

7 Replies

colin.mccrory
Level 1

Hi,

Version 6.3 of the PIX software supports VLANs. Please see the link on how to configure VLANs.

The number of VLANs supported is dependent on the type of PIX you have, Restricted or Unrestricted.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113411

Regards

Colin

Hi colin,

Thank you for your help. Since I have PIX version 7.0(1) in production, I need more assistance with implementing VLANs on my network. Here's my network:

PIX
 |
SW2900
 |
SW2900---SW2900
 |        |
 |        |---SW2900
 |
SW2900

When I read the document on VLANs, I didn't understand the difference between the two commands below:

# interface ethernet0 vlan2 physical

# interface ethernet0 vlan3 logical

Another question: if I have two VLANs on my switches (VLAN1 and VLAN100), how can I do this on the PIX, and should I reconfigure the access lists?

Thank you.

Hi,

The commands you have shown are for the v6.3 PIX. As you have stated that you have v7.0, please see the following link:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_command_reference_book09186a0080484fe1.html

The PIX can support both VLAN 1 and VLAN 100 on the same interface by using sub-interfaces. If you set the security level the same for both interfaces, then traffic would be allowed to flow between them once allowed by a static command.

For example, devices on VLAN 1 would use the VLAN 1 IP address of the PIX as their default gateway, and the devices on VLAN 100 would use the VLAN 100 IP address of the PIX as their default gateway.

Any access restrictions that you require between these two vlans can be configured as access-lists which you apply as inbound filters on each of the two interfaces.

Regards

Hi Colin,

Thank you for your response,

I can't access the link you gave me, but I have found other documentation on the net and I suppose that the commands will be like this:

Fw01# configure terminal
Fw01(config)# interface ethernet1
Fw01(config-if)# no ip address
Fw01(config-if)# no shutdown
! ---------- VLAN 1 (the trunk must deliver VLAN 1 tagged; a subinterface does not match untagged native-VLAN frames)
Fw01(config-if)# interface ethernet1.1
Fw01(config-subif)# vlan 1
Fw01(config-subif)# nameif inside
Fw01(config-subif)# security-level 100
Fw01(config-subif)# ip address 192.168.1.1 255.255.255.0
Fw01(config-subif)# no shutdown
! ---------- VLAN 100
Fw01(config-subif)# interface ethernet1.100
Fw01(config-subif)# vlan 100
Fw01(config-subif)# nameif vlan100
Fw01(config-subif)# security-level 100
Fw01(config-subif)# ip address 192.168.100.1 255.255.255.0
Fw01(config-subif)# no shutdown
! Both subinterfaces are at security-level 100; PIX 7.0 drops traffic between same-level interfaces unless this is enabled
Fw01(config-subif)# same-security-traffic permit inter-interface

Please correct me if I've missed anything.

Thank you in advance.
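A complete configuration for the setup Colin describes and the poster sketches above (two VLANs on one PIX interface via sub-interfaces, a translation so the two VLANs can reach each other, and an access list applied inbound), as an added example that is not from any of the posters in this thread. It assumes PIX software 7.0, the physical interface ethernet1, the poster's 192.168.1.0/24 and 192.168.100.0/24 addressing, a hypothetical server at 192.168.1.10 that VLAN 100 is allowed to reach, and a Catalyst trunk port FastEthernet0/24 with an otherwise unused native VLAN 999; all of these names and addresses are assumptions.

```cisco
! ===== PIX 525, PIX software 7.0 (assumed) =====
! Physical interface carries the 802.1Q trunk and has no address of its own
interface ethernet1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! VLAN 1 sub-interface: on the switch side VLAN 1 must arrive tagged (see the
! native-VLAN change on the trunk port below), or this sub-interface will see nothing
interface ethernet1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface ethernet1.100
 vlan 100
 nameif vlan100
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
! Both sub-interfaces are security-level 100. In 7.0 traffic between interfaces
! of the same level is dropped until this is enabled.
same-security-traffic permit inter-interface
!
! If nat-control is enabled (it is after an upgrade from 6.x), a translation is
! required before packets may cross interfaces. Identity statics keep the
! addresses unchanged in both directions. With "no nat-control" these lines are
! not needed.
static (inside,vlan100) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan100,inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
!
! Restrictions between the VLANs go in an access list applied inbound on the
! sub-interface where the traffic enters the PIX. Here VLAN 100 may reach only
! the (assumed) server 192.168.1.10 on 80/443 inside VLAN 1, everything else
! inside VLAN 1 is denied, and the rest (e.g. the outside) is permitted.
access-list vlan100_in extended permit tcp 192.168.100.0 255.255.255.0 host 192.168.1.10 eq 80
access-list vlan100_in extended permit tcp 192.168.100.0 255.255.255.0 host 192.168.1.10 eq 443
access-list vlan100_in extended deny ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vlan100_in extended permit ip 192.168.100.0 255.255.255.0 any
access-group vlan100_in in interface vlan100
!
! ===== Catalyst 2900 port facing the PIX (assumed FastEthernet0/24) =====
! A dot1q trunk sends the native VLAN untagged, and the native VLAN is 1 by
! default, so VLAN 1 frames would not match "vlan 1" on the PIX sub-interface.
! Moving the native VLAN to an unused VLAN makes VLAN 1 frames carry a tag.
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,100
```

Hosts in VLAN 1 use 192.168.1.1 as their default gateway and hosts in VLAN 100 use 192.168.100.1, so every packet between the two VLANs passes through the PIX and is subject to the access list. Return traffic for connections initiated from VLAN 100 is allowed by the stateful inspection, so no matching entries are needed in an access list on the inside sub-interface; an access list applied there only becomes necessary if connections initiated from VLAN 1 toward VLAN 100 should be restricted as well.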

scottmac
Level 10

The PIX will not act as a router or L3 device. It will not route from one VLAN to another.

It can support multiple VLANs inside to the DMZ or Outside ... but it won't move traffic from one Inside VLAN to another VLAN inside.

Good Luck

Scott

Scott is correct: the PIX does not redirect traffic on the same interface. It only forwards traffic between physical interfaces.

Regards,

Leo

Dear friends,

I would like to configure inter-VLAN communication on a PIX 525 version 7.0(1), but I don't know how to do that.

I'm looking for a document or clear steps that I can follow to resolve this problem.

Please, anybody, try to help. URGENT.

Best Regards.