topic Re: PIX VLAN Problem? in Network Security

PIX VLAN Problem?

rryan — Fri, 21 Feb 2020 08:14:04 GMT

I'm wondering if someone could clarify a possible vlan issue with a PIX515. I currently have a server/software firewall in place and am trying to replace it with a PIX515. My network has 2 user vlan's and a third for the router. My current firewall doesn't have any vlan configuration, it just passes all traffic to the router and then it sends it to the vlan. I can't seem to get the pix to pass traffic back inside. Must I configure vlan on the PIX? Thanks,

Re: PIX VLAN Problem?

bparish — Mon, 27 Jun 2005 19:14:53 GMT

yes, better to configure pix for listening these two vlans. dont pass the traffic to the router.

you will have two interfaces, one for outside

one for inside (vlan1 +vlan2)

thanks

Re: PIX VLAN Problem?

rryan — Mon, 27 Jun 2005 23:55:25 GMT

I'm trying to keep everything the same as it is. Do I have to do anything special on the PIX to pass data to and from the router. My inside networks are vlan1 and vlan2 at the switch level and my router is on 1,2 and vlan3which is for outbound traffic. It's a router on a stick configuration.

Re: PIX VLAN Problem?

baileja — Sat, 02 Jul 2005 02:43:13 GMT

You will have to configure an 802.1q trunk link on the switch port that connects to your PIX. (interface fa0/1, switchport trunk encap dot1q, swi mode trunk). Than do something like the below on your PIX (changing the VLAN numbers to correspond to your VLAN's that you created on your switch). The PIX will route between VLAN's so you will probably be changing your routers config around as well. Be sure your PIX is running a minimum of PIX code 6.3 to do VLAN's. If your running 7.0, let me know, the config has changed quite a bit. The below config will only create the VLAN interface and the PIX will treat it as a completely seperate physical interface so you will need to create your routes, NAT, statics, and rules to allow traffic to pass.

interface ethernet0 auto shutdown

interface ethernet1 auto shutdown

interface ethernet1 vlan2 physical

interface ethernet1 vlan3 logical

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif vlan3 SomeName security50

nat (inside) 0 0.0.0.0 0.0.0.0 0 0 <--- or whatever

nat (SomeName) 0 0.0.0.0 0.0.0.0 0 0 <--- or whatever

ip address outside X.X.X.X 255.255.255.0

ip address inside X.X.X.X 255.255.255.0

ip address SomeName X.X.X.X 255.255.255.0

(etc....)

Re: PIX VLAN Problem?

wanghmk1223 — Fri, 05 Aug 2005 06:31:05 GMT

Hi baileja ,

How can a failover pix be included in this senario? single L2 switch provide 2 trunks to two PIX?

how to do that, pls advise.