Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
259
Views
0
Helpful
2
Replies

vlan through pix...

network27
Level 1
Level 1

‎10-23-2006 06:06 AM

Im trying to do intervlan through PIX but encountered a problem, I cant ping from inside PC 192.168.10.2 to 192.168.1.2. Please tell me what's wrong with my configuration:

PC1 (vlan10)----------------------|--------------- |---------------

IP:192.168.10.2/24 f0/1 | | | |

Gateway:192.168.10.1 |Cat1 -3550 | | |

| |f0/3 | PIX 515e |e0: 192.168.1.1

| |-----------| |------------PC3

| | e1 | | IP: 192.168.1.2

PC2 f0/2 | | | |

IP:192.168.20.2-------------------| | | |

________________ |--------------

Gateway:192.168.20.1

Cat1-3550#Show run

hostname Cat1-3550

!

ip routing

!

interface FastEthernet0/1

switchport access vlan 10

no ip address

!

interface FastEthernet0/2

switchport access vlan 20

no ip address

!

interface FastEthernet0/3

switchport trunk encapsulation dot1q

switchport mode trunk

no ip address

!

interface Vlan10

ip address 192.168.10.1 255.255.255.0

!

interface Vlan20

ip address 192.168.20.1 255.255.255.0

!

end

pixfirewall#show run

PIX Version 6.3(4)

interface ethernet0 100full

interface ethernet1 100full

interface ethernet1 vlan10 physical

interface ethernet1 vlan20 logical

nameif ethernet0 outside security0

nameif ethernet1 in_vlan10 security98

nameif vlan20 in_vlan20 security99

hostname pixfirewall

access-list secure101 permit icmp any any echo

access-list secure101 permit icmp any any echo-reply

ip address outside 192.168.1.1 255.255.255.0

ip address in_vlan10 192.168.10.1 255.255.255.0

ip address in_vlan20 192.168.20.1 255.255.255.0

static (in_vlan10,outside) 192.168.1.99 192.168.10.2 netmask 255.255.255.255 0

static (in_vlan20,outside) 192.168.1.99 192.168.10.2 netmask 255.255.255.255 0 0

access-group secure101 in interface outside

: end

Labels:
0 Helpful
2 Replies 2

s.jankowski
Level 4
Level 4

‎10-27-2006 08:50 AM

If firewall doing routing for your vlans. That may not be optimal as the switch can do it faster in hardware.

Try these links

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#wp1113411

http://www.cisco.com/en/US/customer/tech/tk389/tk815/technologies_configuration_example09186a008015f17a.shtml

0 Helpful

jgervia_2
Level 1
Level 1

‎10-29-2006 10:28 AM

Hello,

1) You have duplicate IP addresses in your network. You've configured the switch to have IP addresses in vlan 10/20 that are on the firewall. If you want the firewall to route between the vlans, take the ip addresses off the switch (or change them to a different IP address)

This:

interface Vlan10

ip address 192.168.10.1 255.255.255.0

!

interface Vlan20

ip address 192.168.20.1 255.255.255.0

!

conflicts on the firewall with this:

ip address in_vlan10 192.168.10.1 255.255.255.0

ip address in_vlan20 192.168.20.1 255.255.255.0

Also, one of your static statements appears to be incorrect:

static (in_vlan20,outside) 192.168.1.99 192.168.10.2 netmask 255.255.255.255 0

192.168.10.2 doesn't exist on that vlan - this is vlan 20. It should read:

static (in_vlan20,outside) 192.168.1.99 192.168.20.2 netmask 255.255.255.255 0

Make sure you do a clear xlate before you try this all out.

--Jason

Please rate this message if it helps.

0 Helpful
Customers Also Viewed These Support Documents