https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317534#M549587 <HTML><HEAD></HEAD><BODY><P>Creating VLANs on Ethernet1</P><P>We want to create one new VLAN interface - VLAN30 and call it DMZ2. Also assign security level 50 to it.</P><P></P><P></P><P>Step 1: Create a Physical Interface:</P><P></P><P>pix(config)# interface ethernet1 vlan2 physical</P><P></P><P>Step 2: Name the Interface and set the Security Level:</P><P></P><P>pix(config)# nameif ethernet1 inside security100</P><P></P><P>Step 3: Assign IP Address to the interface:</P><P></P><P>pix(config)# ip address inside 192.168.1.1 255.255.255.0</P><P></P><P></P><P></P><P>Step 4: Create the Logical Interface:</P><P></P><P>pix(config)# interface ethernet1 vlan30 logical</P><P></P><P>Step 5: Name the Interface and set the Security Level:</P><P></P><P>pix(config)# nameif vlan30 DMZ2 security50</P><P></P><P>Step 6: Assign IP Address to the interface:</P><P></P><P>pix(config)# ip address DMZ2 192.168.100.254 255.255.255.0</P><P></P><P></P><P>Step7. On Switch , set the port where the physical interface the inside, for trunking ISL or dot1q. place the trunking in the native vlan2 like in step 1.</P><P></P><P></P></BODY></HTML> Thu, 07 Apr 2005 19:43:15 GMT tonyam98 2005-04-07T19:43:15Z https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317526#M549578 <P>We are trying to set up multiple VLAN's on one physical DMZ interface on a PIX 515e.</P><P></P><P>The goal is to have separate logical subnets connected to our one, physical, DMZ interface. </P><P></P><P>Here is what I have tried so far without success:</P><P></P><P>On switch</P><P>-created vlan 30</P><P>-added switchports fa0/1 to vlan 30</P><P>-connected host 192.168.100.1 into fa0/1</P><P>-added switchport fa0/24 to to vlan 1, and vlan 30 with multimode</P><P>-connected PIX DMZ interface to switchport fa0/24</P><P>-connected host 172.16.1.55 to switchport fa0/10 (vlan 1)</P><P></P><P>On PIX:</P><P>interface ethernet2 auto</P><P>interface ethernet2 vlan30 logical</P><P>nameif ethernet2 DMZ security50</P><P>nameif vlan30 dmz2 security50</P><P>ip address DMZ 172.16.1.254 255.255.255.0</P><P>ip address dmz2 192.168.100.254 255.255.255.0</P><P></P><P>Results:</P><P>-172.16.1.55 has full connectivity to the PIX and beyond.</P><P>-192.168.100.1 cannot ping the PIX at 192.168.100.254 or anything else for that matter.</P><P></P><P>Any help would be greatly appreciated. I also realize that I could buy a four port NIC and use physical interfaces, but I can't get the purchase approved.</P><P></P><P>Thanks</P> Fri, 21 Feb 2020 08:03:53 GMT https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317526#M549578 vantagepointisg 2020-02-21T08:03:53Z https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317527#M549579 <HTML><HEAD></HEAD><BODY><P>We also are not trunking the VLAN's as we thought that wouldn't be necessary. We would be happy at this point to get the 192.168.100.1 host to ping the PIX at 192.168.100.254.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 07 Apr 2005 13:53:48 GMT https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317527#M549579 vantagepointisg 2005-04-07T13:53:48Z https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317528#M549580 <HTML><HEAD></HEAD><BODY><P>Try configuring it as a trunk. </P></BODY></HTML> Thu, 07 Apr 2005 14:08:28 GMT https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317528#M549580 mostiguy 2005-04-07T14:08:28Z https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317529#M549581 <HTML><HEAD></HEAD><BODY><P>Have you allowed this on the pix?</P><P>icmp permit host 192.168.100.1</P></BODY></HTML> Thu, 07 Apr 2005 14:31:47 GMT https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317529#M549581 jonathanstevens 2005-04-07T14:31:47Z https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317530#M549582 <HTML><HEAD></HEAD><BODY><P>Will a PIX 515e handle ISL trunking?</P></BODY></HTML> Thu, 07 Apr 2005 15:08:18 GMT https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317530#M549582 vantagepointisg 2005-04-07T15:08:18Z https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317531#M549583 <HTML><HEAD></HEAD><BODY><P>Yes all traffic is allowed from this host on this interface.</P></BODY></HTML> Thu, 07 Apr 2005 15:09:34 GMT https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317531#M549583 vantagepointisg 2005-04-07T15:09:34Z https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317532#M549584 <HTML><HEAD></HEAD><BODY><P>I believe PIXs only support dot1q</P></BODY></HTML> Thu, 07 Apr 2005 16:26:56 GMT https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317532#M549584 jonathanstevens 2005-04-07T16:26:56Z https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317533#M549585 <HTML><HEAD></HEAD><BODY><P>That's all that I've found too. I didn't know if they could handle ISL or not. I will make the uplink port on the switch (fa0/24) a dot1q trunk port.</P><P></P><P>I will let you know how it goes.</P><P></P><P>Thanks</P></BODY></HTML> Thu, 07 Apr 2005 16:33:34 GMT https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317533#M549585 vantagepointisg 2005-04-07T16:33:34Z https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317534#M549587 <HTML><HEAD></HEAD><BODY><P>Creating VLANs on Ethernet1</P><P>We want to create one new VLAN interface - VLAN30 and call it DMZ2. Also assign security level 50 to it.</P><P></P><P></P><P>Step 1: Create a Physical Interface:</P><P></P><P>pix(config)# interface ethernet1 vlan2 physical</P><P></P><P>Step 2: Name the Interface and set the Security Level:</P><P></P><P>pix(config)# nameif ethernet1 inside security100</P><P></P><P>Step 3: Assign IP Address to the interface:</P><P></P><P>pix(config)# ip address inside 192.168.1.1 255.255.255.0</P><P></P><P></P><P></P><P>Step 4: Create the Logical Interface:</P><P></P><P>pix(config)# interface ethernet1 vlan30 logical</P><P></P><P>Step 5: Name the Interface and set the Security Level:</P><P></P><P>pix(config)# nameif vlan30 DMZ2 security50</P><P></P><P>Step 6: Assign IP Address to the interface:</P><P></P><P>pix(config)# ip address DMZ2 192.168.100.254 255.255.255.0</P><P></P><P></P><P>Step7. On Switch , set the port where the physical interface the inside, for trunking ISL or dot1q. place the trunking in the native vlan2 like in step 1.</P><P></P><P></P></BODY></HTML> Thu, 07 Apr 2005 19:43:15 GMT https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317534#M549587 tonyam98 2005-04-07T19:43:15Z https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317535#M549588 <HTML><HEAD></HEAD><BODY><P>Works like a champ! I also found this which was helpful.</P><P></P><P><A class="jive-link-custom" href="http://www.ciscotaccc.com/security/showcase?case=K10055697" target="_blank">http://www.ciscotaccc.com/security/showcase?case=K10055697</A></P><P></P><P></P></BODY></HTML> Thu, 07 Apr 2005 23:38:40 GMT https://community.cisco.com/t5/network-security/pix-515e-multiple-vlan-s-on-one-physical-dmz-interface/m-p/317535#M549588 vantagepointisg 2005-04-07T23:38:40Z