09-20-2004 02:28 PM - edited 02-20-2020 11:38 PM
So, after all the hype I read about being able to get a DMZ going on a logical VLAN interface using the latest firmware 6.3(4), I decided to give it a shot.
I got a basic setup going - pretty standard...
inside and outside IPs and subnets. Outside default gateway. A couple of ACLs to get inbound mail working and that's about it. NAT turned on and the global is using 'interface'. Nothing fancy, pretty vanilla config...
The PIX works like a champ, until...
Here:
in the "Using VLANs with Firewalls" section it states to run the following commands to enable the VLAN:
interface ethernet0 auto
interface ethernet0 vlan2 physical
interface ethernet0 vlan3 logical
nameif ethernet0 outside security0
nameif vlan3 dmz security50
ip address outside 192.168.101.1 255.255.255.0
ip address dmz 192.168.103.1 255.255.255.0
As soon as I do that, I lose all connectivity. I can't ping my gateway from the PIX and all inbound and outbound connectivity is lost.
As soon as I turn off all those commands, the functionality comes back. Is there something I'm missing here? An ACL or static or something?
09-20-2004 06:21 PM
I imagine you'll need to enable trunking on the switch port connected to the outside interface, if you haven't done so already.
From memory, it's a dot1q trunk.
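The two halves of the setup the reply above is describing, written out as an added example (this is not configuration from the original post, from Cisco's documentation, or from a later reply). The PIX side reuses the interface names, VLAN IDs and addresses from the first post; the upstream gateway address, the DMZ mail host, its public address, the switch port numbers and the Catalyst IOS switch itself are assumptions made for the example. The example also assumes, as the reply does, that once ethernet0 carries VLAN 2 with the `physical` keyword the PIX sends outside traffic 802.1q-tagged, so the switch port facing ethernet0 has to be a dot1q trunk carrying VLAN 2 and VLAN 3, with the gateway on a VLAN 2 access port and the DMZ host on a VLAN 3 access port.

```cisco
! ----- PIX 506E running 6.3(4) (example; VLAN IDs and addresses from the post)
! ethernet0 carries two VLANs: 2 is the outside (physical), 3 is the DMZ (logical)
interface ethernet0 auto
interface ethernet0 vlan2 physical
interface ethernet0 vlan3 logical
nameif ethernet0 outside security0
nameif vlan3 dmz security50
ip address outside 192.168.101.1 255.255.255.0
ip address dmz 192.168.103.1 255.255.255.0
! Assumed: the upstream gateway lives on VLAN 2 at 192.168.101.254
route outside 0.0.0.0 0.0.0.0 192.168.101.254 1
! PAT everything from the DMZ to the outside interface address (the post already
! has nat id 1 / global interface for the inside; this adds the DMZ to that pool)
global (outside) 1 interface
nat (dmz) 1 0.0.0.0 0.0.0.0
! Assumed: a global on the dmz side so inside hosts (nat id 1) can reach DMZ hosts,
! since a higher-security interface still needs a translation to a lower one
global (dmz) 1 interface
! Assumed DMZ mail host 192.168.103.25 published as 192.168.101.25, SMTP only
static (dmz,outside) 192.168.101.25 192.168.103.25 netmask 255.255.255.255
access-list outside_in permit tcp any host 192.168.101.25 eq smtp
access-group outside_in in interface outside

! ----- Catalyst IOS switch (assumed ports; not part of the original thread)
! Both VLANs must exist on the switch
vlan 2
 name OUTSIDE
vlan 3
 name DMZ
!
! Port facing PIX ethernet0: dot1q trunk carrying only VLAN 2 and VLAN 3.
! Omit the "encapsulation" line on switches that support only dot1q
! (for example the 2950), where the command does not exist.
interface FastEthernet0/1
 description PIX ethernet0 (VLAN 2 outside / VLAN 3 dmz)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,3
 switchport mode trunk
!
! Upstream gateway / ISP router on an untagged port in VLAN 2
interface FastEthernet0/2
 description outside gateway 192.168.101.254
 switchport mode access
 switchport access vlan 2
!
! DMZ mail host on an untagged port in VLAN 3
interface FastEthernet0/3
 description dmz mail host 192.168.103.25
 switchport mode access
 switchport access vlan 3
```

To check the result, `show interfaces trunk` on the switch should list FastEthernet0/1 as trunking with VLANs 2 and 3 allowed and active, and `show interface` on the PIX should show both the outside (vlan2) and dmz (vlan3) interfaces up; if the switch port is left in access mode instead of trunk mode, the tagged frames from the PIX are dropped, which produces the total loss of connectivity the first post describes.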
09-20-2004 06:49 PM
Ummmm...what if the switch the outside interface is connected to isn't a Cisco - or a managed switch for that matter?
Is it not possible to do this?
11-12-2004 11:45 AM
Hi,
I'm so glad that I found your post cuz' it seems that nobody has really done this on a 506e. I'd like to do the exact setup that you have done on the 506e. I have a 506e and a switch that supports 802.1q but I don't have a router at all. All I want is a simple DMZ on the inside interface. Could you please tell me what I have to do on the PIX and what I have to do on the switch? Your help is greatly appreciated. Thanks.
11-14-2004 06:13 PM
Start here - http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#wp1113411
and then ask me specific questions. I would rather not waste a whole lot of time on typing a long answer if it's not what you are looking for. I have done this several times...it is not difficult at all.
Scott