Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
577
Views
3
Helpful
2
Replies

PIX firewall VLAN support

thisisshanky
Level 11
Level 11

‎12-30-2003 06:53 AM - edited ‎02-20-2020 11:10 PM

Even though the PIX is not a true router, with 6.3 version of OS, PIX supports Vlans and you can assign IP addresses to each vlan configured. Does the PIX truly route between these vlans ?

When logical VLAN interfaces are created, a security value is also assigned (between 0 and 100) to that vlan.When communication occurs from one vlan (with security 50) to another vlan (with security 40) or the inside physical interface (with security 0), do we have to configure an access-list and apply it to the higher security interface, to permit the packets to pass through ?

I am trying to use PIX as the default gateway for devices. I have one vlan configured on the inside interface with security 90. An IP address each, has been configured on the vlan as well as on the inside interface. I can ping devices in either vlans from the PIX. But cannot ping from device to device.

Tried configuring an access-list which permits ping packets and applied it, inbound on the vlan interface. Still the ping is not working. Any ideas ??

(Note that there is no default gateway issues on the devices. Also each device can ping their respective default gateways - that is the ip addresses configured on the pix)

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
0 Helpful
2 Replies 2

jon-sills
Level 1
Level 1

‎12-30-2003 07:04 AM

What your trying to do will work, however keep in mind that all the associated problems with any router on a stick configuration will apply :-)

You will need access-lists to allow lower security interfaces to access higher security interfaces just as if they were physical interfaces, and you will likewise need to set up nat translations to allow the traffic to pass between interfaces. From what you have written, I suspect a check of your PIX logs will show a low of translation failed messages.

thisisshanky
Level 11
Level 11
In response to jon-sills

‎12-30-2003 07:27 AM

Jon, Thanks for the response. I will check the logs sometime today.

Can the PIX pass DHCP requests (like IP Helper) from One Vlan to another Vlan ?

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card