Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
310
Views
0
Helpful
1
Replies

PIX not operate correctly if plugged into a trunk port on a switch.

alexdenev
Level 1
Level 1

‎06-13-2004 01:01 AM - edited ‎02-20-2020 11:27 PM

Here is the situation. One PIX515E, 3 catalyst 2950-48 EI. PIXs outside interface is connected directly to internet(ISP).

I post similar question at vlan, trunking etc. conversation, but i think this is firewalling issue.

In a FAQ i read that PIX must be configured for 802.1Q encapsulation. I did the following:

pix(config)#interface ethernet1 vlan4 logical

pix(config)#nameif vlan4 dmz security50

pix(config)#ip address dmz 192.168.4.1 255.255.255.0

I write some ACLs to allow TCP traffic from dmz to inside, from inside to dmz and from dmz to outside, since these are my needs.

At the switchport i send 802.1Q trunks, where is expecting to carry information about two vlans:vlan1(native) and vlan4. But the link between vlan 4 at the switch and the vlan 4 at the pix seems to be broken(no ICMP echo request/reply received, since icmp is permited by ACLs).

Can anyone assist and give me some ideas ?

0 Helpful
1 Reply 1

ehirsel
Level 6
Level 6

‎06-13-2004 06:18 PM

Are you pinging the pix interface or the host behind the pix? If you are pinging the pix, then run the show icmp command as the acls that are applied to the interface only work for traffic thru the pix, not to it.

If the icmp is destined for an inside host, then make sure that your statics are defined properly as you need them since the traffic will go from a lower to a higher security interface. Depending upon how the static is setup, the pix may need to be configured for proxy arp on the logical interface named dmz.

Insure that the 2950 switch port is set to portfast mode (as the pix will not send or process STP BPDU frames even though the port is a trunk port), and that pagp and etherchannel are not configured on the switch port. Make sure that vlan 4 is allowed on the trunk link if you are pruning vlans on that link in the switch configuration.

If you still have an issue after validating the statics and vlan pruning as well as permitting icmp to/from the pix, please post the statics and nat/global statements plus the acls here.

Set the pix buffer logging to the debug level and see if there are any messages relating to the icmp packets.

Please post the swich config as well, as well as what the pix log states and I can assist further.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card