oops! Pix VLAN mess up. VPN gone down

dcooke
Level 1

Oops, made a bit of a mess of this. I didn't do this on site (the datacenter is too far away), so now I have a very early start before clients connect unless I can fix this on the PIX over SSH (which I can connect to)!

I've had a few issues with VLANs behind the firewall. There are two: VLAN 2 (192.168.5.0/24) and VLAN 10 (10.0.0.0/24).

The Pix connects to a catalyst via a trunk which has both Vlans. The PIX DID have the inside interface of 192.168.5.1 and the catalyst had the default VLAN2.

I simply changed the default VLAN on the catalyst to VLAN 10 (this kicked me off the VPN, which I expected). I then thought I could log in over SSH on the firewall, change the internal interface to 10.0.0.1 and everything would be fine. I did this, but no joy. Everything is down. I think this is because the route on the catalyst is still pointing to the 192.168.5.1 address.

Aaahh! Anything I can do? I've added a logical address in VLAN 2 with the 192.168.5.1 address - still no joy! Do I have to make the physical address of 10.0.0.0 have a lower security level than the logical VLAN2 address?

Sorry - I'm quite new to this - as you can see!

Thanks in advance

Dan


6 Replies

Jon Marshall
Hall of Fame

Dan

Can you post config of pix.

When you say you added vlan 2 logical address how do you know nothing is working ?

Jon

I can no longer access any of the websites behind it, and the LAN-to-LAN VPN I have is still up, but not routing traffic.

See below: I notice all the statics have disappeared as well!

PIX Version 7.2(2)
!
hostname G-FWPIX-1
domain-name fwlevel3.com
enable password xxx
names
XXXXXXXXXXXXXX
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address XXXXXXXXXXXX 255.255.255.224
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet1.1
 vlan 2
 nameif VLAN2
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet2
 nameif DMZ
 security-level 50
 ip address 192.168.15.1 255.255.255.0
!
passwd xxx
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
access-list acl_inbound extended permit tcp any host XXXXXXXXXXXX eq https
etc...
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.6.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.6.12.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.5.0 255.255.255.0 192.6.12.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 10.0.0.0 255.255.255.0 192.6.12.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu VLAN2 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
access-group acl_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 85.133.38.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username admin password XXXXXXXXX encrypted privilege 15
username cisco password XXXXXXXXXXXXXX encrypted
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer XXXXXXXXXXXXX
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group XXXXXXXXXXXX type ipsec-l2l
tunnel-group XXXXXXXXXXXX ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
prompt hostname context
Cryptochecksum:xxx
: end
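Added example, not code from the thread or from Cisco: the question of whether the physical 10.0.0.1 interface needs a lower security level than the VLAN2 subinterface comes down to a PIX 7.x rule, namely that two interfaces at the same security level do not pass traffic to each other unless `same-security-traffic permit inter-interface` is configured. This small linter parses a config in the posted layout (the sample below is a constructed excerpt modelled on it, with the outside address replaced by a documentation address) and reports interface groups that share a level while that command is absent.

```python
# Added example (not from the thread): lint a PIX/ASA 7.x running-config for
# interfaces sharing a security level without inter-interface permission.
import re

# Constructed sample modelled on the posted config (outside address is a placeholder).
SAMPLE_CONFIG = """\
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.224
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet1.1
 vlan 2
 nameif VLAN2
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
"""

def parse_interfaces(config):
    """Map interface name -> {'nameif': str, 'security': int, 'vlan': str}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {})
        elif cur is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            if key == "security-level":
                cur["security"] = int(val)
            elif key in ("nameif", "vlan"):
                cur[key] = val
        else:
            cur = None  # '!' or any other top-level line ends the block
    return ifaces

def same_level_pairs(config):
    """Groups of named interfaces at one level that cannot exchange traffic."""
    if re.search(r"^same-security-traffic permit inter-interface$", config, re.M):
        return []
    by_level = {}
    for attrs in parse_interfaces(config).values():
        if "nameif" in attrs and "security" in attrs:
            by_level.setdefault(attrs["security"], []).append(attrs["nameif"])
    return [(lvl, sorted(n)) for lvl, n in sorted(by_level.items()) if len(n) > 1]
```

On the sample it reports `inside` and `VLAN2` both at level 100; adding the permit line to the config makes the report empty.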

Dan

Let's start with basics. If you are on the pix, can you ping either the 192.168.5.x address on the catalyst or the 10.0.0.x address on the catalyst?

You don't have any routes for the inside networks. Do you only have vlan 2 and vlan 10 on your internal network?

Jon

Thanks Jon

All my statics are back now. Thank goodness for backups!

I can ping the VLAN 10 address of the Catalyst (10.0.0.2) and the VLAN2 address (192.168.5.100) from the PIX.

Dan

Dan

Are you saying it now works now that you have the statics back?

Are your servers on either vlan 2 or vlan 10?

Apologies, but I have an important meeting tomorrow so I have to get some shuteye now.

I hope you get it working. I'll check again tomorrow morning.

Jon

No. I can ping, but I don't think the catalyst can pass anything else. It's got the right native VLAN but the wrong gateway (192.168.5.1), which is now on as a virtual interface on the PIX, but it still isn't playing ball. Looks like an early one for me as well, to go and change the switch locally.

Thanks anyway

Dan
