topic Re: Access to Internet For VLAN in Network Security

Access to Internet For VLAN

bhoops — Mon, 11 Mar 2019 09:22:03 GMT

How would I go about allowing a VLAN full access to the internet through a PIX.

Outside Interface: 88.88.88.88

Inside Interface: 10.36.1.1

Vlan35: 10.35.1.2

Version 6.3(3)

I have very limited PIX knowledge, so any help would be appreciated.

Re: Access to Internet For VLAN

Collin Clark — Fri, 19 Jan 2007 16:44:25 GMT

Too many assumptions. Please sanitize and post your config.

Re: Access to Internet For VLAN

bhoops — Fri, 19 Jan 2007 17:04:05 GMT

Sorry about that. Current Pix config is attached.

VLAN Routing is being handled by the 3550 switch at 10.36.3.1 / 10.44.1.1 / 10.35.1.1 with

ip default-gateway 10.36.1.1

ip classless

ip route 0.0.0.0 0.0.0.0 10.36.1.1

Currently clients on VLAN 1 can access the outside, but VLANs 35 and 44 cannot.

From what I can see, if I send a ping from a device on VLAN35 the switch routes it to the Pix inside interface, but when the ping is returned it cannot reach that device from the inside interface.

The pix can ping the device through the VLAN interface, but not through the inside interface. It just seems like I'm missing something really simple here...

Re: Access to Internet For VLAN

bhoops — Fri, 19 Jan 2007 17:31:58 GMT

deleted

Re: Access to Internet For VLAN

Collin Clark — Fri, 19 Jan 2007 17:42:41 GMT

Everything looks good except that the following line:

access-group ServerVLAN_access_in in interface ServerVLAN

The command is OK, but you do not have an ACL named ServerVLAN_access_in. Because there is no ACL, a 'deny ip any any' is implied blocking all traffic. You could either remove the access-group command or create the ACL allowing whatever you need access to on the outside.

HTH and please rate.

Re: Access to Internet For VLAN

bhoops — Fri, 19 Jan 2007 18:09:36 GMT

OK. I made some revisions to the config, but it still doesn't work. Same issue as before.

I also noticed that the static statements don't work -- I cannot access the servers from the outside.

Thanks!!

Re: Access to Internet For VLAN

Collin Clark — Fri, 19 Jan 2007 18:20:08 GMT

Check your logs, they should help point us in the right direction. I'll check the statics.

Re: Access to Internet For VLAN

Collin Clark — Fri, 19 Jan 2007 18:23:11 GMT

Statics look OK. What's the default gateway of your servers? From the PIX can you successfully ping the mail server?

Re: Access to Internet For VLAN

bhoops — Fri, 19 Jan 2007 18:36:03 GMT

The server default gateway is the VLAN IP of the layer 3 switch, so 10.35.1.1.

From the Pix I can ping with

ping mail

ping ServerVLAN mail

but cannot ping with

ping inside mail

Re: Access to Internet For VLAN

bhoops — Fri, 19 Jan 2007 18:46:02 GMT

The GuestWLAN VLAN (44) works just fine after I added nat (GuestWLAN) 1 10.44.1.0 255.255.255.0 0 0.

Re: Access to Internet For VLAN

Collin Clark — Fri, 19 Jan 2007 21:12:57 GMT

So you then have a static route in the 3550 point to the Server_vlan interface on the PIX?

Re: Access to Internet For VLAN

bhoops — Sat, 20 Jan 2007 04:16:54 GMT

Oh wow -- talk about focusing on the wrong place. Here I was convinced that it was a PIX configuration issue and never reviewed the switch. Doh!

I had A route configured on the 3550 -

ip route 0.0.0.0 0.0.0.0 10.36.1.1

But never added the route for VLAN35 -

ip route 0.0.0.0 0.0.0.0 10.35.1.2

Thanks for pointing this out for me! What a relief to have this resolved!

Re: Access to Internet For VLAN

bhoops — Sat, 20 Jan 2007 06:50:51 GMT

Guess that didn't work after all. Sometimes it works, sometimes it doesn't - I guess it depends upon which route it chooses.

Is there another way to define the route for each VLAN?

Re: Access to Internet For VLAN

Collin Clark — Mon, 22 Jan 2007 14:57:22 GMT

Is there a reason you're using the 3550 as the DG? It's a security vulnerability. Try setting the PIX as your DG.