PIX 506e + 2950 VLAN trunking confusion
03-02-2011 05:44 PM - edited 03-11-2019 12:59 PM
Hi everyone,
I hope this is an easy one for all. I have a router on a stick setup going on and I would like to put a firewall into the picture. I have two VLANs - VLAN 2 and VLAN 3. VLAN 2 is in the 192.168.2.x network and trunks back to the router at 192.168.1.254. Before I had the firewall in place, whatever was on VLAN 2 could ping 192.168.1.254 and all worked fine and well. Now that I have put the firewall into the picture, I have lost connectivity (and my mind). The trunk sits at 192.168.2.1 and I put 192.168.2.2 (outside interface on the PIX) into VLAN 2. From the 192.168.1.x network, I can ping the trunk and the outside interface on the PIX:
Pinging 192.168.2.2 with 32 bytes of data:
Reply from 192.168.2.2: bytes=32 time=1ms TTL=254
Reply from 192.168.2.2: bytes=32 time=1ms TTL=254
Reply from 192.168.2.2: bytes=32 time=1ms TTL=254
Reply from 192.168.2.2: bytes=32 time=1ms TTL=254
Ping statistics for 192.168.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet0 vlan2 physical
interface ethernet1 auto
interface ethernet1 vlan3 physical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 000e.38a9.1cfd
IP address 192.168.2.2, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
7192 packets input, 554252 bytes, 0 no buffer
Received 7172 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
31 packets output, 2292 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/1) software (0/1)
39 aggregate VLAN packets input, 2646 bytes
25 aggregate VLAN packets output, 1918 bytes
39 vlan2 packets input, 2646 bytes
26 vlan2 packets output, 1960 bytes
7057 invalid VLAN ID errors, 0 native VLAN errors
Hardware is i82559 ethernet, address is 000e.38a9.1cfe
IP address 192.168.3.2, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
68 packets input, 5448 bytes, 0 no buffer
Received 20 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
51 packets output, 3378 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/1)
output queue (curr/max blocks): hardware (0/1) software (0/1)
62 aggregate VLAN packets input, 5064 bytes
42 aggregate VLAN packets output, 2404 bytes
62 vlan3 packets input, 5064 bytes
43 vlan3 packets output, 2446 bytes
6 invalid VLAN ID errors, 0 native VLAN errors
Fa0/2 on 802.1q trunking 1
Labels: NGFW Firewalls
03-02-2011 06:12 PM
The ping that fails is sourced from which IP? If the traffic comes from outside to inside, remember you need to allow the traffic using ACLs and the proper NAT statement, such as a static translation.
03-02-2011 06:21 PM
Hi Paul,
Thanks for the response. The ping that fails comes from any host that is on the 192.168.1.x network. I believed that ACLs and NAT were the issue, but since I am no expert in firewalling, I did not want to question the person helping me. Could you show me an example of the ACLs and NAT statements? Something along the lines of ICMP permit etc?
Thanks again
03-02-2011 06:32 PM
Since the ping comes from the outside you will need the ACL and NAT statements. Assuming that routing is fine you could use the following:
static (inside,outside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
access-list outside_in permit icmp any 192.168.3.0 255.255.255.0
access-group outside_in in interface outside
The default gateway of the server on the inside should point to the IP of the inside interface of the PIX.
By the way, you can't ping the inside interface IP if you are on the outside and you can't ping the outside interface IP if you are on the inside.
Try also to ping from the server on the inside to the IP address of the trunk on the outside. The switch should know how to reach the 192.168.3.0 network.
03-02-2011 06:43 PM
The server cannot ping the trunk at 192.168.2.1 and it also cannot ping 192.168.3.1. All it can ping is 192.168.3.2 (PIX inside interface address) and 192.168.3.3 (itself).
03-02-2011 07:03 PM
Can you add your config, please? I need to understand your scenario better.
03-02-2011 07:25 PM
Sure. Do you need the config from the firewall and the switch? The router is just a WRT54G running DD-WRT.
03-02-2011 07:54 PM
Firewall and switch will be fine.
03-02-2011 08:06 PM
Firewall running config
show running config
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet0 vlan2 physical
interface ethernet1 auto
interface ethernet1 vlan3 physical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.3.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
route outside 192.168.1.0 255.255.255.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
Switch running config
#sh running-config
Building configuration...
Current configuration : 2182 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
!
!
ip subnet-zero
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
interface FastEthernet0/1
no ip address
shutdown
!
interface FastEthernet0/2
switchport trunk allowed vlan 1-3
switchport mode trunk
no ip address
!
interface FastEthernet0/3
switchport access vlan 3
switchport mode access
no ip address
!
interface FastEthernet0/4
switchport mode access
no ip address
shutdown
!
interface FastEthernet0/5
no ip address
shutdown
!
interface FastEthernet0/6
no ip address
shutdown
!
interface FastEthernet0/7
no ip address
shutdown
!
interface FastEthernet0/8
no ip address
shutdown
!
interface FastEthernet0/9
no ip address
shutdown
!
interface FastEthernet0/10
no ip address
shutdown
!
interface FastEthernet0/11
no ip address
shutdown
!
interface FastEthernet0/12
no ip address
shutdown
!
interface FastEthernet0/13
no ip address
shutdown
!
interface FastEthernet0/14
no ip address
shutdown
!
interface FastEthernet0/15
no ip address
shutdown
!
interface FastEthernet0/16
no ip address
shutdown
!
interface FastEthernet0/17
no ip address
shutdown
!
interface FastEthernet0/18
no ip address
shutdown
!
interface FastEthernet0/19
no ip address
shutdown
!
interface FastEthernet0/20
no ip address
shutdown
!
interface FastEthernet0/21
no ip address
shutdown
!
interface FastEthernet0/22
no ip address
shutdown
!
interface FastEthernet0/23
no ip address
shutdown
!
interface FastEthernet0/24
no ip address
shutdown
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan2
no ip address
no ip route-cache
!
interface Vlan3
no ip address
no ip route-cache
shutdown
!
ip http server
!
!
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
login local
transport input none
line vty 5
login local
transport input none
line vty 6 15
login
!
end
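An added Python check, not from this thread or from Cisco, that reads excerpts of the two configs posted above and lists the VLANs the 2950 trunk carries that the PIX port has no interface for, alongside the "invalid VLAN ID errors" counter from the first post's show interface output. It assumes the PIX port is cabled to Fa0/2 and that the trunk's native VLAN is the IOS default of 1 (the switch config sets no other, and the trunk line in the first post reports native VLAN 1); it also accepts the logical subinterface form shown later in the thread.

```python
import re

# Constructed sample: excerpts of the PIX 6.3 and Catalyst 2950 configs posted in this thread.
PIX_CFG = """\
interface ethernet0 vlan2 physical
interface ethernet1 vlan3 physical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
"""
SWITCH_CFG = """\
interface FastEthernet0/2
 switchport trunk allowed vlan 1-3
 switchport mode trunk
"""
# Constructed sample: the counter line from the first post's PIX 'show interface' output.
PIX_SHOW_IF = "7057 invalid VLAN ID errors, 0 native VLAN errors"

def expand_vlan_list(spec):
    """Expand IOS allowed-vlan syntax: '1-3,10' -> {1, 2, 3, 10}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def pix_vlans(cfg):
    """Map each PIX physical port to the VLAN IDs it has (physical or logical) interfaces for."""
    ports = {}
    pat = r"^interface (ethernet\d+) vlan(\d+) (?:physical|logical)"
    for m in re.finditer(pat, cfg, re.M):
        ports.setdefault(m.group(1), set()).add(int(m.group(2)))
    return ports

def audit(pix_port, pix_cfg, switch_cfg, native=1):
    """Compare what the trunk sends with what the PIX port can accept (assumes native VLAN 1)."""
    m = re.search(r"switchport trunk allowed vlan (\S+)", switch_cfg)
    allowed = expand_vlan_list(m.group(1)) if m else set(range(1, 4095))
    configured = pix_vlans(pix_cfg).get(pix_port, set())
    tagged = allowed - {native}  # the native VLAN leaves the trunk untagged
    return {
        # tagged frames for these VLANs have no PIX interface; the PIX counts them as invalid VLAN IDs
        "unconfigured_tagged": sorted(tagged - configured),
        # the PIX port expects tagged frames, so native-VLAN traffic arrives untagged
        "untagged_native": native,
    }

def invalid_vlan_errors(show_if):
    """Pull the 'invalid VLAN ID errors' counter from PIX 'show interface' output."""
    m = re.search(r"(\d+) invalid VLAN ID errors", show_if)
    return int(m.group(1)) if m else 0
```

For the posted configs, audit("ethernet0", PIX_CFG, SWITCH_CFG) reports VLAN 3 as allowed on the trunk but unconfigured on eth0, which is the kind of mismatch the nonzero counter points at.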
03-03-2011 11:41 PM
Hi,
Can I offer this as a solution/suggestion based on your configuration? I would change the following on port 2 of your switch to only allow VLANs 1-2,
then remove VLAN 2 from the PIX 506e's outside interface (eth0).
Try this for the switch:
conf t
int fa0/2
no switchport trunk allowed vlan 1-3
switchport trunk allowed vlan 1-2
no shut
end
On the PIX 506e, remove VLAN 2.
Save your configuration.
Then try pinging the IP address on eth0.
03-04-2011 01:48 PM
I tried your suggestion, but it just made me unable to ping the eth0 address from the 192.168.1.x network. Everything else is still the same as before.
03-05-2011 04:50 PM
I followed this post on experts-exchange and now have connectivity to both PIX interfaces (outside, 192.168.2.2, dmz, 192.168.3.2). However, the server still cannot ping 192.168.3.1 and 192.168.3.2, and nothing anywhere else can ping the server 192.168.3.3. Now do I need to implement the ACLs or is something strange still going on with the configuration? Port 2 on the switch, which is connected to the inside interface on the PIX, is configured to trunk to VLANs 1 - 3. Port 3 on the switch, which is connected to the server, is set to be in VLAN 3.
PIX 506e will support up to 2 VLANs with 6.3.
Step 1 Assign the interface speed to a physical interface by entering the following command:
interface ethernet0 auto
Step 2 Assign VLAN2 to the physical interface (ethernet0) by entering the following command:
interface ethernet0 vlan2 physical
By assigning a VLAN to the physical interface, you ensure that all frames forwarded on the interface will be tagged. VLAN 1 is not used because that is the default native VLAN for Cisco switches. Without the physical parameter, the default for the interface command is to create a logical interface.
Step 3 Create a new logical interface (VLAN3) and tie it to the physical interface (ethernet0) by entering the following command:
interface ethernet0 vlan3 logical
This will allow the PIX Firewall to send and receive VLAN-tagged packets with a VLAN identifier equal to 3 on the physical interface, ethernet0.
Step 4 Configure the logical and physical interfaces by entering the following commands:
nameif ethernet0 outside security0
nameif vlan3 dmz security50
ip address outside 192.168.101.1 255.255.255.0
ip address dmz 192.168.103.1 255.255.255.0
