Solved: Re: Access to Internet For VLAN

bhoops · ‎01-19-2007

How would I go about allowing a VLAN full access to the internet through a PIX.

Outside Interface: 88.88.88.88

Inside Interface: 10.36.1.1

Vlan35: 10.35.1.2

Version 6.3(3)

I have very limited PIX knowledge, so any help would be appreciated.

Collin Clark · ‎01-19-2007

So you then have a static route in the 3550 point to the Server_vlan interface on the PIX?

View solution in original post

Collin Clark · ‎01-19-2007

Too many assumptions. Please sanitize and post your config.

bhoops · ‎01-19-2007

Sorry about that. Current Pix config is attached.

VLAN Routing is being handled by the 3550 switch at 10.36.3.1 / 10.44.1.1 / 10.35.1.1 with

!

ip default-gateway 10.36.1.1

ip classless

ip route 0.0.0.0 0.0.0.0 10.36.1.1

!

Currently clients on VLAN 1 can access the outside, but VLANs 35 and 44 cannot.

From what I can see, if I send a ping from a device on VLAN35 the switch routes it to the Pix inside interface, but when the ping is returned it cannot reach that device from the inside interface.

The pix can ping the device through the VLAN interface, but not through the inside interface. It just seems like I'm missing something really simple here...

bhoops · ‎01-19-2007

deleted

Collin Clark · ‎01-19-2007

Everything looks good except that the following line:

access-group ServerVLAN_access_in in interface ServerVLAN

The command is OK, but you do not have an ACL named ServerVLAN_access_in. Because there is no ACL, a 'deny ip any any' is implied blocking all traffic. You could either remove the access-group command or create the ACL allowing whatever you need access to on the outside.

HTH and please rate.

bhoops · ‎01-19-2007

OK. I made some revisions to the config, but it still doesn't work. Same issue as before.

I also noticed that the static statements don't work -- I cannot access the servers from the outside.

Thanks!!

Collin Clark · ‎01-19-2007

Check your logs, they should help point us in the right direction. I'll check the statics.

Collin Clark · ‎01-19-2007

Statics look OK. What's the default gateway of your servers? From the PIX can you successfully ping the mail server?

bhoops · ‎01-19-2007

The server default gateway is the VLAN IP of the layer 3 switch, so 10.35.1.1.

From the Pix I can ping with

ping mail

ping ServerVLAN mail

but cannot ping with

ping inside mail

bhoops · ‎01-19-2007

The GuestWLAN VLAN (44) works just fine after I added nat (GuestWLAN) 1 10.44.1.0 255.255.255.0 0 0.

Collin Clark · ‎01-19-2007

So you then have a static route in the 3550 point to the Server_vlan interface on the PIX?

bhoops · ‎01-19-2007

Oh wow -- talk about focusing on the wrong place. Here I was convinced that it was a PIX configuration issue and never reviewed the switch. Doh!

I had A route configured on the 3550 -

ip route 0.0.0.0 0.0.0.0 10.36.1.1

But never added the route for VLAN35 -

ip route 0.0.0.0 0.0.0.0 10.35.1.2

Thanks for pointing this out for me! What a relief to have this resolved!

bhoops · ‎01-19-2007

Guess that didn't work after all. Sometimes it works, sometimes it doesn't - I guess it depends upon which route it chooses.

Is there another way to define the route for each VLAN?

Collin Clark · ‎01-22-2007

Is there a reason you're using the 3550 as the DG? It's a security vulnerability. Try setting the PIX as your DG.