Re: Pix 515 v7 DMZ & VLAN config question

monkeyboy · ‎09-01-2005

Hello, I've been looking through the forums and have been seeing different answers to this:

Say I have two PIX 515e's running V7 in failover - I've got 6 interfaces: outside, dmz1, dmz2, dmz3, failover and inside.

Can I run multiple VLANs in dmz2 for external business partner networks without a layer3 switch or router in dmz2? And instead just have a layer2 switch?

There is no need to route between the vlans as they dont need to talk to each other - they just need to communicate with our network on the inside of the fw and vice-versa..

also would I need to enable routing on the fw to achieve this (don't want to if I can help it..)

Apols for the crap Q btw/

cheers

Mark

rsmith · ‎09-01-2005

As long as your L2 switches are VLAN capable, you should have no problem. Configure your DMZ2 interface with sub-interfaces, each one will be a different VLAN, and have it's own security level and configuration, just like a physical interface. The switch port attached to this interface (Primary AND Failover) will need to be VLAN Tagged on all active VLANS. No routing will be needed at all on this if there is just the local network, if there are other networks on these VLANS (routed on the partner network) you can put in static routes for these.

(PIX 515e unlimited will allow up to 25 VLANS)

I would be happy to provide further details if you need clarification on any part of this.

bahouh888 · ‎11-25-2005

Hi Russel Smith,

I'm concerned by implementing VLANs on PIX 525 version 7.0(1). My PIX is working properly now but without VLANs and I would like to create VLANs for each department on the inside interface.

interface Ethernet1

speed 100

duplex full

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

Could you give me clear steps about :

1- Configure your inside interface with sub-interfaces, each one will be a different VLAN, and have it's own security level and configuration, just like a physical interface.

2- The switch port attached to this interface will need to be VLAN Tagged on all active VLANS.

3- How to route networks to access to servers on Server's VLAN like DHCP, DNS ...

Thank you very much in advance.

rsmith · ‎11-30-2005

Hi, sorry for not replying earlier. First, please read the command reference refering to VLAN and sub-interfaces: http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_command_reference_book09186a0080484fe1.html

Now, for the first question, (assuming you are configuring interface Ethernet3), commands would be similar to the following:

PIX(config)# interface eth3.1 (this creates the sub-interface)

PIX(config-subif)#VLAN 1032 (creates the tagged vlan for this interface)

PIX(config-subif)#Nameif Inside1 (names interface)

PIX(config-subif)#ip address 10.10.32.1 255.255.255.0 (Network IP address for this interface. I believe that when you create sub-interfaces, you cannot have an IP address for the physical interface, but I am not certain)

PIX(config-subif)#security-level 80 (sets security level, just like physical interface)

#2: This depends on the switch you are using. Basically, as long as the switch port that attaches to the physical interface has the same VLAN(s), and is Tagged (vs. Untagged), the pix will communicate with that network.

#3: Routing depends again on your environment, but the PIX will "know" directly attached networks, and you can add static routes, or enable OSPF (internally, I would not use any routing protocols on any public segment!)

To illustrate: assume you have 3 subinterfaces, VLAN 1032(client), 1033(DMZ), and 1034(Servers). A client that wants to access a Server. The data would flow from the client, into the PIX on VLAN 1032. The data would flow back out the same interface on VLAN 1034, and to the Servers.

Please reply if you need more information, or if I have provided TMI.