
New Member

PIX Interfaces & VLANs Everywhere! :)

Hi There,

I am setting up an Internet/VPN solution but it's a little different than what I'm used to...

In our main office, and 2 of our branch offices, we have ethernet over fibre coming in from our service provider. (Just native ethernet, converted to fibre for the haul, then back to ethernet)

I was wondering how the PIX distinguishes between normal Internet traffic and encrypted VPN traffic from the other sites and how it handles communication between two, indirectly connected sites, in a hub and spoke VPN topology? (The ethernet from the media converter is directly connected to the PIX and there is a default route to my service provider's router)

Also, to put a little bit of a twist on things, in one of the branches I want to have 2 separate Internet feeds, one for our clients, and one for our web servers. Both of these feeds will come down the same fibre on different VLANs, into my switch trunked, where I will break out the two VLANs and send the traffic to two different interfaces on the PIX. Obviously there will be two internal interfaces as well, one for my server farm and the other for my clients.

Will the PIX be able to handle this kind of config? How should I configure the interfaces? 'Outside' for the web servers' Internet feed, 'Inside' for the server farm, 'DMZ10' for the client Internet feed, & 'DMZ90' for the client subnet? How can I restrict traffic access to only flow between 'Inside' and 'Outside', & 'DMZ90' and 'DMZ10'?

I'm pretty sure it can't, but can the PIX do anything in the way of QoS?

Thanks in advance! :)


New Member

Re: PIX Interfaces & VLANs Everywhere! :)

It might be a little easier if I break your question into three parts.

1.) As far as the PIX and internet are concerned, IPSec traffic is the same as all other traffic except that the payload needs to be encrypted/decrypted depending on which side of the tunnel the packet arrives on. The tunnel is set up between the remote PIX/Router or client and is built to the PIX at your main office. How the Ethernet packet arrives at the PIX is not relevant.

2.) Two Internet feeds? I would have your design reviewed by an expert at your Cisco office (or reseller). There may be security implications as well using VLANs around the PIX. There are a few ways to configure the PIX to restrict traffic between interfaces. If you don't build a translation for example, no traffic will traverse between those interfaces. It gets complex because routing between interfaces and configuration varies dependent on the security levels you establish. Again, get a design specialist to assist you. I can help with specific error messages and line item configuration issues once you get to that point.

3.) QoS must be done before it arrives at the PIX. I heard they are looking at adding very basic QoS to the PIX in the future but they always prioritize performance and QoS could drag the PIX down. Better to have a workhorse router doing this anyway. The PIX is not designed to be a router.
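The reply's point about translations and security levels, shown as an added configuration example (not posted by either participant): a four-interface PIX 6.x layout using the interface names from the question, where traffic is only permitted between the pairs Inside/Outside and DMZ90/DMZ10. The interface numbers, addresses (documentation and RFC 1918 ranges) and the single published web server are assumptions made up for the example. The pairing comes from two things: each NAT id has a matching global on exactly one lower-security interface, so a flow towards any other interface finds no translation and is dropped, and explicit access lists on the two high-security interfaces deny the cross-pair subnets so the policy does not depend on the absence of a translation alone.

```cisco
! Interface names and security levels (PIX 6.x syntax, assumed layout).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz10 security10
nameif ethernet3 dmz90 security90

! Constructed addressing: 203.0.113.0/24 and 198.51.100.0/24 stand in for the two feeds.
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.1.0.1 255.255.255.0
ip address dmz10 198.51.100.2 255.255.255.248
ip address dmz90 10.2.0.1 255.255.255.0

! The PIX holds a single default route; see the note below the example.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! NAT id 1 pairs inside with outside only: no global id 1 exists on dmz10 or dmz90,
! so inside traffic bound for those interfaces has no translation and is dropped.
nat (inside) 1 10.1.0.0 255.255.255.0
global (outside) 1 interface

! NAT id 2 pairs dmz90 with dmz10 only, for the same reason.
nat (dmz90) 2 10.2.0.0 255.255.255.0
global (dmz10) 2 interface

! Server farm: one published web server, reachable from outside on HTTP only.
static (inside,outside) 203.0.113.3 10.1.0.10 netmask 255.255.255.255
access-list acl_outside permit tcp any host 203.0.113.3 eq www
access-group acl_outside in interface outside

! Explicit outbound policy on the high-security side of each pair, so the
! segmentation is stated in the access lists and not only implied by NAT.
access-list acl_inside deny ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list acl_inside permit ip 10.1.0.0 255.255.255.0 any
access-group acl_inside in interface inside

access-list acl_dmz90 deny ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list acl_dmz90 permit ip 10.2.0.0 255.255.255.0 any
access-group acl_dmz90 in interface dmz90
```

With this in place, dropped cross-pair flows show up in the PIX logs as "no translation group found" or as access-list denies, which is a useful way to verify the segmentation before clients go live. One caveat that bears on the reply's advice to have the design reviewed: a PIX carries only one default route and does no policy-based routing, so Internet-bound traffic from the DMZ90 clients will follow the default route towards 'outside' rather than leaving through the client feed on 'dmz10'; steering the two feeds separately has to happen on a router in front of the PIX.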
