Currently, we have a Cisco PIX firewall model 525, IOS 6.0(2), Pentium III 600MHz with 128MB RAM with 2GE and 2FE ports. The Cisco PIX firewall device manager is version 1.1(2).
The Cisco PIX firewall gigabit interface 0/1 connects to a Cisco 6500 switch module gigabit 2/1 and assigned VLAN 2. Network and subnet mask statement is 126.96.36.199 255.255.254.0
The Cisco PIX firewall inside gigabit interface currently supports one flat IP network, while the outside gigabit interface connects to a Cisco 6500 switch with MSFC used as the default gateway.
Current inside gigabit network interface g0/1 --- 188.8.131.52 255.255.254.0
NEW suggested inside gigabit network interface g0/1 --- 184.108.40.206 255.255.254.0
Outside gigabit network interface g0/2 --- 192.168.1.1 255.255.255.240
We need connectivity between VLAN 2 and VLAN 3 and the outside world. To enable communication between the two VLANS and to the outside world requires a trunk link between the Cisco PIX firewall gigabit 0/1 interface and the Cisco 6500 port G2/1 RIGHT?
Does our current PIX firewall software/hardware support trunking in this configuration?
Should we use ISL or 802.1q protocol? Does it matter?
Should we combine VLAN 2 and VLAN 3 into one flat IP VLAN with a subnet mask of /22?
The Cisco 6500 switch named "Inside-A" does not have an MSFC, the firewall is the default gateway for the current vlan 2 on G0/1 interface. I plan to add another vlan, vlan 3 to the Cisco 6500 switch "Inside-A".
I need the firewall to also be the default gateway for this vlan 3 on the same g0/1 interface as vlan 2.
Yes, vlan 2 and vlan 3 must be able to talk to each other and to the outside world also.
> Yes, vlan 2 and vlan 3 must be able to talk to each other and to the outside world also.
This may lead to unneeded load at the PIX (if you're expecting high traffic between VLANs and are not going to filter it).
You should also look for a solution with a router or the switch itself for routing between VLANs, then use the PIX traditionally as gateway for your router/switch only. (The default gateway of hosts will be the switch or the router.)
Again - I'm not an expert with switching, so better verify my advice with someone more experienced.
You have to configure dot1q trunking because the PIX (version 6.3) does not support ISL. Second thing: Hope you do not have any other gateway in one of these VLANs. Because the PIX does not support ICMP redirects and does not send packets on the same interface as they were received.
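As an added illustration of the dot1q setup described in the answer above (not configuration posted by anyone in this thread), here is the shape of a PIX 6.3 logical-interface configuration for two inside VLANs on one gigabit port, with the matching trunk on the switch side. The addresses are constructed placeholders, the interface and security-level names are assumptions, and the exact keywords should be checked against the command reference for the PIX release actually installed.

```text
! ---- PIX 6.3 side (assumed syntax; verify against your release's command reference) ----
! Physical gigabit interface that faces the 6500 port G2/1
interface gb-ethernet0 1000auto
! VLAN 2 bound to the physical interface, VLAN 3 as an 802.1Q logical interface
! (PIX 6.x supports 802.1Q only, no ISL, as the answer notes)
interface gb-ethernet0 vlan2 physical
interface gb-ethernet0 vlan3 logical
! Two separate inside interfaces: PIX 6.3 does not pass traffic between
! interfaces of the same security level, so give them different levels.
nameif gb-ethernet0 inside security100
nameif vlan3 inside3 security90
! Constructed RFC1918 addresses in place of the real ones from the question
ip address inside  10.2.0.1 255.255.254.0
ip address inside3 10.3.0.1 255.255.254.0
! Hosts in VLAN 2 use 10.2.0.1 as default gateway, hosts in VLAN 3 use 10.3.0.1.
! Traffic between VLAN 2 and VLAN 3 now crosses the PIX and is subject to its
! NAT and access-list policy (this is the extra load the first reply warns about),
! and every host must point at the PIX, since it will not send ICMP redirects
! or forward a packet back out the interface it arrived on.

! ---- Cisco 6500 side, IOS-style syntax (assumed; CatOS uses "set trunk" instead) ----
interface GigabitEthernet2/1
 description Trunk to PIX gb-ethernet0
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,3
 switchport mode trunk
 switchport nonegotiate
```

Keep the allowed-VLAN list limited to the VLANs the firewall should see, so that adding a VLAN on the switch later does not silently extend a new segment to the firewall trunk.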