This new PIX VLAN stuff is really cool but I have one quick question. Let's say you have configured the inside interface with 2 VLANs, 20 and 21. Now, does the same rule hold true, that a packet entering an interface cannot leave the same interface? I just want to get this straight that this does not turn the PIX into a router or MSFC, if you will. Will it only forward packets entering the inside interface on these VLANs out another interface, say the outside or the DMZ?
Nope, the old limitation doesn't hold true with VLAN interfaces. You'll be able to send a packet in VLAN 20 and out VLAN 21, even though physically these are the same interface. Logically within the PIX they're completely separate interfaces and treated as such.
I wish this did hold true but there are probably 100 reasons why it does not. OK, if that's the case, can you apply in-bound and out-bound access lists to the VLAN interface? Can you apply an access list at all to the VLAN?
Or, if you cannot apply access lists to the logical interfaces, can you control the communication between the VLANs with the security level? I'm going to have to set this up in a lab and let everyone know.
Yes, definitely, that's the whole point of the PIX thinking they're separate interfaces. Assign security levels just like you would for any DMZ interface and assign nat/global or statics/ACLs accordingly to control access between them.
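To make the replies above concrete, here is an added configuration example (not from any poster in this thread) showing the two VLAN subinterfaces on one physical port, each with its own security level, and an ACL that limits what the lower-security VLAN may reach in the higher-security one. It uses ASA 7.x and later subinterface syntax rather than the older PIX 6.3 "logical" interface syntax, and assumes ASA 8.3 or later, where no nat/global or static statement is needed for traffic to pass between interfaces. The interface names, VLAN IDs, addresses and the host 10.20.0.10 are constructed for the example.

```cisco
! Physical port carries the 802.1Q trunk; it gets no name or address of its own
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
! VLAN 20: treated by the firewall as a separate, higher-security interface
interface Ethernet0/1.20
 vlan 20
 nameif inside20
 security-level 100
 ip address 10.20.0.1 255.255.255.0
!
! VLAN 21: same physical port, but a separate, lower-security interface
interface Ethernet0/1.21
 vlan 21
 nameif inside21
 security-level 50
 ip address 10.21.0.1 255.255.255.0
!
! Default behaviour already allows inside20 (100) -> inside21 (50) and denies
! inside21 -> inside20. The ACL below opens exactly one path from VLAN 21 into
! VLAN 20 (HTTPS to a constructed server address) and logs anything else that
! VLAN 21 tries toward VLAN 20, while leaving VLAN 21's other traffic (for
! example to the outside) unchanged.
access-list VLAN21_IN extended permit tcp 10.21.0.0 255.255.255.0 host 10.20.0.10 eq 443
access-list VLAN21_IN extended deny ip 10.21.0.0 255.255.255.0 10.20.0.0 255.255.255.0 log
access-list VLAN21_IN extended permit ip 10.21.0.0 255.255.255.0 any
!
! Apply the ACL inbound on the VLAN 21 subinterface, as you would on any DMZ
access-group VLAN21_IN in interface inside21
```

Because each subinterface is a distinct named interface, `show interface`, `show access-list VLAN21_IN` and the syslog entries produced by the `log` keyword let you verify that the security levels and the ACL are enforced between the two VLANs exactly as they would be between two physical interfaces. On releases before 8.3 with nat-control enabled, the nat/global or static entries the last reply mentions would be required in addition to the ACL.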