topic Re: PIX and Vlans. in Network Security

PIX and Vlans.

rcapao — Fri, 21 Feb 2020 06:56:32 GMT

Hi,

I have one question that as to do with the way that vlans work with PIX, that is, when it’s configured in PIX.

I have a PIX that, beside other things, as two (2) vlans configured on it, in the same interface (inside).

But the problem is that these two vlans cannot communicate between them.

I put a router in one vlan and another router in the other vlan. Then I tray to do a simple connection test between them (a ping between them) and I cannot succeed.

I read some documentation from Cisco and, apparently, in theory, they say that I can.

As any one could tell me, why cannot?

Thanks,

Rui

Re: PIX and Vlans.

bdube — Tue, 19 Aug 2003 12:30:50 GMT

Hi Rui,

First, you only need 1 router to route traffics between both VLAN, not 2.

Second, by default, PIX doesn't route traffic between VLANs which would result to a security breach. If it's really what you are looking for, make PIX routing between both, you have to configure this manually.

If you have some routers, why don't you use them between LANs, not VLANs, and connect 1 Eth port to the PIX, this port can be a router port or switch port.

Regards

Ben

Re: PIX and Vlans.

rcapao — Tue, 19 Aug 2003 13:15:50 GMT

Hi,

Thanks for the replay.

But the thing is like this.

The question that I put as to do with a lab.

I talked about the two router as an example. I used these two routers to have something to connect to between the two Vlans.

In my opinion, it was the simplest way to do a test. Nothing more.

Rui

Re: PIX and Vlans.

rcapao — Tue, 19 Aug 2003 15:07:06 GMT

Ben,

you said that if I which to have routing, in the PIX, between the two Vlans I had to route traffic between them. I had to do that in the PIX and manually.

How can I do that?

Can you tell me, or some one can tell me?

Thanks,

Rui

Re: PIX and Vlans.

bdube — Tue, 19 Aug 2003 17:35:10 GMT

You can try "NAT (inside) 0 access-list acl_id"

The access-list must permit ip addresses coming from any VLANs with destination to the other VLANs. Example:

access-list full-routing permit ip 10.1.0.0 255.0.0.0 10.2.0.0 255.0.0.0

access-list full-routing permit ip 10.2.0.0 255.0.0.0 10.1.0.0 255.0.0.0

nat (inside) 0 access-list full-routing

Check the syntax to be sure because i have write it fast.

Regards,

Ben

Re: PIX and Vlans.

rcapao — Thu, 21 Aug 2003 08:12:40 GMT

Hi,

I had applied that solution to the PIX, but that don’t worked.

Did I miss something?

Thanks,

Rui

Re: PIX and Vlans.

scoclayton — Thu, 21 Aug 2003 09:56:46 GMT

Hi Rui, this should work fine. Any chance you can attac the relevant config info? (interface settings and security levels, nat/global or statics, and access-lists)

Scott

Re: PIX and Vlans.

rcapao — Thu, 21 Aug 2003 13:10:17 GMT

Hi,

the configuration that I’m using in the PIX is like this

PIX Version 6.3(1)

interface ethernet0 10baset

interface ethernet1 10baset

interface ethernet1 vlan2 physical

interface ethernet1 vlan3 logical

interface ethernet2 10baset

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 DMZ security20

nameif vlan3 intf3 security99

enable password Yxxxxx encrypted

passwd xxxxxxx encrypted

hostname PIX-LAB

domain-name porto.convex.pt

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list routing remark ****************** ACL para routing *****************

access-list routing permit 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0

access-list routing permit 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list routing deny tcp any any

access-list routing deny udp any any

access-list routing remark ***********************************

pager lines 24

mtu outside 1500

mtu inside 1500

mtu DMZ 1500

ip address outside xxx.xxx.xxx.xxx 255.255.255.0

ip address inside 10.10.10.254 255.255.255.0

ip address DMZ 50.50.50.254 255.255.255.0

ip address intf3 20.20.20.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address DMZ

no failover ip address intf3

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list routing

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

nat (DMZ) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa-server ACS protocol tacacs+

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

console timeout 0

terminal width 80

Cryptochecksum:xxxx

: end

[OK]

PIX-LAB(config)#

As you can see it’s a simple configuration.

Thanks,

Rui

Re: PIX and Vlans.

scoclayton — Thu, 21 Aug 2003 13:23:05 GMT

Rui, looks good. A couple of comments:

These entries in the ACL are not needed and can be removed:

access-list routing permit 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list routing deny tcp any any

access-list routing deny udp any any

With this config in place, you should be able to get from a host on the 10.10.10.0 network to a host on the 20.20.20.0 network (assuming default gateways on the host are correct).

One item to note here is that you do have a vlan assigned to the physical interface (which is fine). The important item to remember is that when you do this, the PIX will no longer accept packets from the native VLAN on the switch so make sure that all packets coming in on vlan2 are tagged as such. A 'sh int' may help in determining any errors such as this.

Re: PIX and Vlans.

bdube — Thu, 21 Aug 2003 17:12:04 GMT

Also,

access-list routing permit ip ... The "ip" was missing.

I'm not sure about the necessity to have the access-list permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0 but i suggest you keep it for test purpose, and when you will get perfect routing between both VLAN, try to remove this line to check the behavior without it. Also, i'm interested to know the result about this issue, if you can post later the result, i will appreciate.

Regards,

Ben