01-04-2012 12:25 AM - edited 03-11-2019 03:09 PM
I have the following devices:
I have a PIX 515e (8.0 (2)) and 1841 router (12.4(25)).
I had the following setup working without issue:
[Internet] <-----> PIX <-----> 1841 <-----> [LAN]
I then tried to introduce VLANs and now I cannot reach the Internet from the LAN. It seems that no NAT translations are taking place.
I can successfully ping the LAN from the PIX.
I can successfully ping the Internet from the PIX.
I can successfully ping the PIX inside_lan interface from the router.
I cannot ping the outside interface from the router.
I cannot ping the Internet from the router.
I introduced the LAN side VLAN first and everything still worked. However, once I introduced the VLAN between the router and PIX, things have broken down.
Some config:
PIX
interface Ethernet0
nameif outside
security-level 0
ip address 100.100.100.100 255.255.255.248
!
interface Ethernet1
no nameif
no security-level
no ip address
!
interface Ethernet1.401
vlan 401
nameif inside_lan
security-level 0
ip address 172.16.2.1 255.255.255.252
!
....
global (outside) 1 interface
nat (inside_lan) 1 0.0.0.0 0.0.0.0
....
route outside 0.0.0.0 0.0.0.0 100.100.100.100 1
route inside_lan 10.0.8.0 255.255.255.0 172.16.2.2 1
...
fw1(config)# show nat inside_lan outside
match ip inside_lan any outside any
dynamic translation to pool 1 (100.100.100.100 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
1841
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
!
interface FastEthernet0/0.401
encapsulation dot1Q 401
ip address 172.16.2.2 255.255.255.252
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.101
encapsulation dot1Q 101
ip address 10.0.8.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.2.1
Anyone have any ideas?
01-04-2012 12:44 AM
The router interface should be a trunk interface as it is allowing multiple VLANs:
interface FastEthernet0/0.401
encapsulation dot1Q 401
switchport mode access
switchport access vlan 401
ip address 172.16.2.2 255.255.255.252
!
interface FastEthernet0/1
no ip address
switchport mode trunk
switchport trunk allowed vlan 401,101
duplex auto
speed auto
!
interface FastEthernet0/1.101
encapsulation dot1Q 101
switchport mode access
switchport access vlan 101
ip address 10.0.8.1 255.255.255.0
Hope that helps.
Thanks,
Varun
01-04-2012 02:19 AM
I am unable to use the switchport command on the interface I am currently using; however, it looks like if I change the interface to the HWIC card (FastEthernet0/0/0) then I can issue the command. What is the difference between the inbuilt port and the HWIC? I thought that the built-in one was layer 3 (hence why an IP could be assigned) and HWIC was layer 2 only. However, surely a layer 3 port would have layer 2 functionality as well?
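An added example, not written by anyone in this thread: a small Python check run over the PIX lines posted in the first message. It reports static routes whose next hop is the firewall's own address or off the interface subnet, and nat/global pairs whose two interfaces share a security level without `same-security-traffic permit inter-interface` in the posted lines (the assumption being that PIX 7.x/8.x does not pass traffic between equal-level interfaces without it). The function names are made up for the example, and the thread does not settle whether either finding explains the zero translate_hits.

```python
import ipaddress
import re

# PIX configuration lines as posted in the thread (elided parts left out).
PIX_CONFIG = """\
interface Ethernet0
nameif outside
security-level 0
ip address 100.100.100.100 255.255.255.248
!
interface Ethernet1.401
vlan 401
nameif inside_lan
security-level 0
ip address 172.16.2.1 255.255.255.252
!
global (outside) 1 interface
nat (inside_lan) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 100.100.100.100 1
route inside_lan 10.0.8.0 255.255.255.0 172.16.2.2 1
"""

def parse_interfaces(config):
    """Map each nameif to (security level, address with mask)."""
    found = {}
    for block in re.split(r"^!\s*$", config, flags=re.M):
        name = re.search(r"^\s*nameif (\S+)", block, re.M)
        level = re.search(r"^\s*security-level (\d+)", block, re.M)
        addr = re.search(r"^\s*ip address (\S+) (\S+)", block, re.M)
        if name and level and addr:
            found[name.group(1)] = (int(level.group(1)),
                                    ipaddress.ip_interface("/".join(addr.groups())))
    return found

def lint(config):
    """Return findings about static routes and NAT interface pairs."""
    ifs, findings = parse_interfaces(config), []
    for ifname, hop in re.findall(r"^route (\S+) \S+ \S+ (\S+)", config, re.M):
        if ifname not in ifs:
            continue  # route names an interface not present in the excerpt
        hop_ip, addr = ipaddress.ip_address(hop), ifs[ifname][1]
        if hop_ip == addr.ip:
            findings.append(f"route {ifname}: next hop {hop} is the firewall's own address")
        elif hop_ip not in addr.network:
            findings.append(f"route {ifname}: next hop {hop} is outside {addr.network}")
    same_sec = "same-security-traffic permit inter-interface" in config
    for src, nat_id in re.findall(r"^nat \((\S+)\) (\d+) ", config, re.M):
        for dst in re.findall(rf"^global \((\S+)\) {nat_id} ", config, re.M):
            if src in ifs and dst in ifs and ifs[src][0] == ifs[dst][0] and not same_sec:
                findings.append(f"nat {src}->{dst}: both security-level {ifs[src][0]}, "
                                "no same-security-traffic permit inter-interface")
    return findings
```

Calling `lint(PIX_CONFIG)` returns one finding for the `route outside` line and one for the inside_lan/outside NAT pair.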