Solved: PIX 515e, multiple VLAN's on one physical DMZ interface

vantagepointisg · ‎04-07-2005

We are trying to set up multiple VLAN's on one physical DMZ interface on a PIX 515e.

The goal is to have separate logical subnets connected to our one, physical, DMZ interface.

Here is what I have tried so far without success:

On switch

-created vlan 30

-added switchports fa0/1 to vlan 30

-connected host 192.168.100.1 into fa0/1

-added switchport fa0/24 to to vlan 1, and vlan 30 with multimode

-connected PIX DMZ interface to switchport fa0/24

-connected host 172.16.1.55 to switchport fa0/10 (vlan 1)

On PIX:

interface ethernet2 auto

interface ethernet2 vlan30 logical

nameif ethernet2 DMZ security50

nameif vlan30 dmz2 security50

ip address DMZ 172.16.1.254 255.255.255.0

ip address dmz2 192.168.100.254 255.255.255.0

Results:

-172.16.1.55 has full connectivity to the PIX and beyond.

-192.168.100.1 cannot ping the PIX at 192.168.100.254 or anything else for that matter.

Any help would be greatly appreciated. I also realize that I could buy a four port NIC and use physical interfaces, but I can't get the purchase approved.

Thanks

tonyam98 · ‎04-07-2005

Creating VLANs on Ethernet1

We want to create one new VLAN interface - VLAN30 and call it DMZ2. Also assign security level 50 to it.

Step 1: Create a Physical Interface:

pix(config)# interface ethernet1 vlan2 physical

Step 2: Name the Interface and set the Security Level:

pix(config)# nameif ethernet1 inside security100

Step 3: Assign IP Address to the interface:

pix(config)# ip address inside 192.168.1.1 255.255.255.0

Step 4: Create the Logical Interface:

pix(config)# interface ethernet1 vlan30 logical

Step 5: Name the Interface and set the Security Level:

pix(config)# nameif vlan30 DMZ2 security50

Step 6: Assign IP Address to the interface:

pix(config)# ip address DMZ2 192.168.100.254 255.255.255.0

Step7. On Switch , set the port where the physical interface the inside, for trunking ISL or dot1q. place the trunking in the native vlan2 like in step 1.

View solution in original post

vantagepointisg · ‎04-07-2005

We also are not trunking the VLAN's as we thought that wouldn't be necessary. We would be happy at this point to get the 192.168.100.1 host to ping the PIX at 192.168.100.254.

Thanks

mostiguy · ‎04-07-2005

Try configuring it as a trunk.

vantagepointisg · ‎04-07-2005

Will a PIX 515e handle ISL trunking?

jonathanstevens · ‎04-07-2005

I believe PIXs only support dot1q

vantagepointisg · ‎04-07-2005

That's all that I've found too. I didn't know if they could handle ISL or not. I will make the uplink port on the switch (fa0/24) a dot1q trunk port.

I will let you know how it goes.

Thanks

jonathanstevens · ‎04-07-2005

Have you allowed this on the pix?

icmp permit host 192.168.100.1

vantagepointisg · ‎04-07-2005

Yes all traffic is allowed from this host on this interface.

tonyam98 · ‎04-07-2005

Creating VLANs on Ethernet1

We want to create one new VLAN interface - VLAN30 and call it DMZ2. Also assign security level 50 to it.

Step 1: Create a Physical Interface:

pix(config)# interface ethernet1 vlan2 physical

Step 2: Name the Interface and set the Security Level:

pix(config)# nameif ethernet1 inside security100

Step 3: Assign IP Address to the interface:

pix(config)# ip address inside 192.168.1.1 255.255.255.0

Step 4: Create the Logical Interface:

pix(config)# interface ethernet1 vlan30 logical

Step 5: Name the Interface and set the Security Level:

pix(config)# nameif vlan30 DMZ2 security50

Step 6: Assign IP Address to the interface:

pix(config)# ip address DMZ2 192.168.100.254 255.255.255.0

Step7. On Switch , set the port where the physical interface the inside, for trunking ISL or dot1q. place the trunking in the native vlan2 like in step 1.

vantagepointisg · ‎04-07-2005

Works like a champ! I also found this which was helpful.

http://www.ciscotaccc.com/security/showcase?case=K10055697