Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
315
Views
0
Helpful
4
Replies

PIX 6.3(4) on 506e - VLAN???

kenlinceccna
Level 1
Level 1

‎09-20-2004 02:28 PM - edited ‎02-20-2020 11:38 PM

So, after all the hype I read about being able to get a DMZ going on a logical VLAN interface using the latest firmware 6.3(4), I decided to give it a shot.

I got a basic setup going - pretty standard...

inside and outside IP's and subnets. Outside default gateway. A couple ACL's to get inbound mail working and that's about it. NAT turned on and the global is using 'interface'. Nothing fancy, pretty vanilla config...

The PIX works like a champ, until...

Here:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113411

in the "Using VLAN's with Firewalls" section it states to run the following commands to enable the VLAN:

interface ethernet0 auto

interface ethernet0 vlan2 physical

interface ethernet0 vlan3 logical

nameif ethernet0 outside security0

nameif vlan3 dmz security50

ipaddress outside 192.168.101.1 255.255.255.0

ipaddress dmz 192.168.103.1 255.255.255.0

As soon as I do that, I lose all connectivity. I can't ping my gateway from the PIX and all inbound and outbound connectivity is lost.

As soon as I turn off all those commands, the functionality comes back. Is there something I'm missing here? An ACL or static or something?

0 Helpful
4 Replies 4

shaun.oliver
Level 1
Level 1

‎09-20-2004 06:21 PM

I imagine you'll need to enable trunking on the switch port connected to the outside interface, if you haven't done so already.

From memory, it's a dot1q trunk.

0 Helpful

kenlinceccna
Level 1
Level 1
In response to shaun.oliver

‎09-20-2004 06:49 PM

Ummmm...what if the switch the outside interface isn't a Cisco - or a managed switch for that matter?

Is it not possible to do this?

0 Helpful

lng
Level 1
Level 1

‎11-12-2004 11:45 AM

Hi,

I'm so glad that I found your post cuz' it seems that nobody has really done this on a 506e. I'd like to do the exact setup that you have done on the 506e. I have a 506e and a switch that support 802.1q but I don't have a router at all. All I want is a simple DMZ on the inside interface. Could you please tell me what I have to do on the PIX and what I have to do on the switch? Your help is greatly appreciated. Thanks.

0 Helpful

scoclayton
Level 7
Level 7
In response to lng

‎11-14-2004 06:13 PM

Start here - http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#wp1113411

and then ask me specific questions. I would rather not waste a whole lot of time on typing a long answer if it's not what you are looking for. I have done this several times...it is not difficult at all.

Scott

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card