Re: PIX 506e + 2950 VLAN trunking confusion

josephnunham · ‎03-02-2011

Hi everyone,

I hope this is an easy one for all. I have a router on a stick setup going on and I would like to put a firewall into the picture. I have two VLANs - VLAN 2 and VLAN 3. VLAN 2 is in the 192.168.2.x network and trunks back to the router at 192.168.1.254. Before I had the firewall in place, whatever was on VLAN 2 could ping 192.168.1.254 and all worked fine and well. Now that I have put the firewall into the picture, I have lost connectivity (and my mind ). The trunk sits at 192.168.2.1 and I put 192.168.2.2 (outside interface on the PIX) into VLAN 2. From the 192.168.1.x network, I can ping the trunk and the outside interface on the PIX:

Pinging 192.168.2.2 with 32 bytes of data:

Reply from 192.168.2.2: bytes=32 time=1ms TTL=254

Ping statistics for 192.168.2.2:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 1ms, Maximum = 1ms, Average = 1ms

I put the inside interface on the PIX into VLAN 3 at 192.168.3.1. I can ping the trunk:

Pinging 192.168.3.1 with 32 bytes of data:

Reply from 192.168.3.1: bytes=32 time=1ms TTL=64

Reply from 192.168.3.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.3.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 1ms, Average = 0ms

But I cannot ping the inside interface of the PIX or the server (inside sits at 192.168.3.2 and server sits at 192.168.3.3):

ping 192.168.3.2

Pinging 192.168.3.2 with 32 bytes of data:

Reply from 192.168.1.254: Destination host unreachable.

Ping statistics for 192.168.3.2:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

ping 192.168.3.3

Pinging 192.168.3.3 with 32 bytes of data:

Reply from 192.168.1.254: Destination host unreachable.

Ping statistics for 192.168.3.3:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Some firewall configuration:

show running config
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet0 vlan2 physical
interface ethernet1 auto
interface ethernet1 vlan3 physical
nameif ethernet0 outside security0
nameif ethernet1 inside security100

sh int
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000e.38a9.1cfd
IP address 192.168.2.2, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
        7192 packets input, 554252 bytes, 0 no buffer
        Received 7172 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        31 packets output, 2292 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/1)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
        39 aggregate VLAN packets input, 2646 bytes
        25 aggregate VLAN packets output, 1918 bytes
        39 vlan2 packets input, 2646 bytes
        26 vlan2 packets output, 1960 bytes
        7057 invalid VLAN ID errors, 0 native VLAN errors

interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000e.38a9.1cfe
IP address 192.168.3.2, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
        68 packets input, 5448 bytes, 0 no buffer
        Received 20 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        51 packets output, 3378 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/1)
        output queue (curr/max blocks): hardware (0/1) software (0/1)
        62 aggregate VLAN packets input, 5064 bytes
        42 aggregate VLAN packets output, 2404 bytes
        62 vlan3 packets input, 5064 bytes
        43 vlan3 packets output, 2446 bytes
        6 invalid VLAN ID errors, 0 native VLAN errors

And some switch configuration:

Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1

And a network diagram. Someone told me it is a trunking issue; you be the judge. I have tried everything I know how to do and have had no luck. Thanks for the help.

PAUL GILBERT ARIAS · ‎03-02-2011

the ping that fails is sourced from which IP? If the traffic comes from outside to inside remember you need to allow the traffic using ACLs and the proper NAT statement such as an static translation.

josephnunham · ‎03-02-2011

Hi Paul,

Thanks for the response. The ping that fails comes from any host that is on the 192.168.1.x network. I believed that ACLs and NAT were the issue, but since I am no expert in firewalling, I did not want to question the person helping me. Could you show me an example of the ACLs and NAT statements? Something along the lines of ICMP permit etc?

Thanks again

PAUL GILBERT ARIAS · ‎03-02-2011

Since the ping comes from the outside you will need the ACL and NAT statements. Assuming that routing is fine you could use the following:

static (inside,outside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

access-list outside_in permit icmp any 192.168.3.0 255.255.255.0

access-group outside_in in interface outside

The default gateway of the server on the inside should point to the IP of the inside interface of the PIX.

By the way, you can't ping the inside interface IP if you are on the outside and you can't ping the outside interface IP if you are on the inside.

Try also to ping from the server on the inside to the IP address of the trunk on the outside. The switch should know how to reach the 192.168.3.0 network.

josephnunham · ‎03-02-2011

The server cannot ping the trunk at 192.168.2.1 and it also cannot ping 192.168.3.1. All it can ping is 192.168.3.2 (PIX inside interface address) and 192.168.3.3 (itself).

PAUL GILBERT ARIAS · ‎03-02-2011

can you add your config please? I need to understand better your scenario.

josephnunham · ‎03-02-2011

Sure. Do you need the config from the firewall and the switch? The router is just a WRT54G running DD-WRT

PAUL GILBERT ARIAS · ‎03-02-2011

firewall and switch will be fine.

josephnunham · ‎03-02-2011

Firewall running config

show running config

: Saved

:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet0 vlan2 physical

interface ethernet1 auto

interface ethernet1 vlan3 physical

nameif ethernet0 outside security0

nameif ethernet1 inside security100

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

pager lines 24

mtu outside 1500

mtu inside 1500

ip address outside 192.168.2.2 255.255.255.0

ip address inside 192.168.3.2 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm history enable

arp timeout 14400

route outside 192.168.1.0 255.255.255.0 192.168.2.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80

: end

Switch running config

#sh running-config

Building configuration...

Current configuration : 2182 bytes

!

version 12.1

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

ip subnet-zero

!

spanning-tree mode pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

!

interface FastEthernet0/1

no ip address

shutdown

!

interface FastEthernet0/2

switchport trunk allowed vlan 1-3

switchport mode trunk

no ip address

!

interface FastEthernet0/3

switchport access vlan 3

switchport mode access

no ip address

!

interface FastEthernet0/4

switchport mode access

no ip address

shutdown

!

interface FastEthernet0/5

no ip address

shutdown

!

interface FastEthernet0/6

no ip address

shutdown

!

interface FastEthernet0/7

no ip address

shutdown

!

interface FastEthernet0/8

no ip address

shutdown

!

interface FastEthernet0/9

no ip address

shutdown

!

interface FastEthernet0/10

no ip address

shutdown

!

interface FastEthernet0/11

no ip address

shutdown

!

interface FastEthernet0/12

no ip address

shutdown

!

interface FastEthernet0/13

no ip address

shutdown

!

interface FastEthernet0/14

no ip address

shutdown

!

interface FastEthernet0/15

no ip address

shutdown

!

interface FastEthernet0/16

no ip address

shutdown

!

interface FastEthernet0/17

no ip address

shutdown

!

interface FastEthernet0/18

no ip address

shutdown

!

interface FastEthernet0/19

no ip address

shutdown

!

interface FastEthernet0/20

no ip address

shutdown

!

interface FastEthernet0/21

no ip address

shutdown

!

interface FastEthernet0/22

no ip address

shutdown

!

interface FastEthernet0/23

no ip address

shutdown

!

interface FastEthernet0/24

no ip address

shutdown

!

interface Vlan1

no ip address

no ip route-cache

shutdown

!

interface Vlan2

no ip address

no ip route-cache

!

interface Vlan3

no ip address

no ip route-cache

shutdown

!

ip http server

!

line con 0

exec-timeout 0 0

logging synchronous

line vty 0 4

login local

transport input none

line vty 5

login local

transport input none

line vty 6 15

login

!

end

avmailpro · ‎03-03-2011

Hi,

can i offer this as a solution/suggestion based on your configuration. I would change the following on port 2 of your switch to only show vlan 1-2

then remove the vlan 2 from the pix 506e on interface (eth0) outside interface

try this for the switch.

conf t

int fa0/2

no switchport trunk allowed vlan 1-3

switchport trunk allowed vlan 1-2

no shut

end

on the pix506e -- remove the vlan 2

safe your configuration

then try pinging the ip address on eth0

josephnunham · ‎03-04-2011

I tried your suggestion, but it just made me unable to ping the eth0 address from the 192.168.1.x network. Everything else is still the same as before.

josephnunham · ‎03-05-2011

I followed this post on experts-exchange and now have connectivity to both PIX interfaces (outside, 192.168.2.2, dmz, 192.168.3.2). However, the server still cannot ping 192.168.3.1 and 192.168.3.2, and nothing anywhere else can ping the server 192.168.3.3. Now do I need to implement the ACLs or is something strange still going on with the configuration? Port 2 on the switch, which is connected to the inside interface on the PIX, is configured to trunk to VLANs 1 - 3. Port 3 on the switch, which is connected to the server, is set to be in VLAN 3.

Pix 506e will support up to 2 vlans with 6.3.

Step 1 Assign the interface speed to a physical interface by entering the following command:

interface ethernet0 auto

Step 2 Assign VLAN2 to the physical interface (ethernet0) by entering the following command:

interface ethernet0 vlan2 physical

By assigning a VLAN to the physical interface, you ensure that all frames forwarded on the interface will be tagged. VLAN 1 is not used because that is the default native VLAN for Cisco switches. Without the physical parameter, the default for the interface command is to create a logical interface.

Step 3 Create a new logical interface (VLAN3) and tie it to the physical interface (ethernet0) by entering the following command:

interface ethernet0 vlan3 logical

This will allow the PIX Firewall to send and receive VLAN-tagged packets with a VLAN identifier equal to 3 on the physical interface, ethernet0.

Step 4 Configure the logical and physical interfaces by entering the following commands:

nameif ethernet0 outside security0

nameif vlan3 dmz security50

ipaddress outside 192.168.101.1 255.255.255.0

ipaddress dmz 192.168.103.1 255.255.255.0