09-17-2010 08:06 AM - edited 03-11-2019 11:41 AM
Hi Folks,
I've not had good luck finding good or concise syntax for creating virtual interfaces on a 515E PIX.
Could someone point me in the right direction or provide me with a syntax example on how to do this?
For example, in my environment I'd like to take ethernet3 and make two virtual interfaces which will both carry trunk information for vlan 100 and vlan 110. Further, I'd like ethernet3.1 to handle vlan100 and ethernet3.2 to handle vlan100.
Many thanks,
~Steve
09-17-2010 08:35 AM
Hi,
For command details on configuring subinterfaces, here's where you can find it:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i3_72.html#wp1726041
For config guide on configuring subinterfaces, please refer the below page:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006
Let me know if this helps and if you have more questions!!
Regards,
Prapanch
09-17-2010 09:16 AM
Prapanch,
Thank you...the references you provided are basically what I've seen already. What I'm looking for is more of a script that I can enter to create the virtual interfaces, assign VLANs and trunking.
Here is some more specific information...
[DMZ SWITCH SIDE]
Physical configuration: [diagram not preserved; it starts at (Internet) and runs down to the DMZ switch]
The DMZ switch has one physical connection to the PIX so I want to make this a trunk port that will carry VLAN100 and VLAN110 to the PIX. VLAN110 will have only one port assigned to it in this case.
On the DMZ switch side (Cisco 2950) I need to create the VLANs (100 and 110). Currently all of the ports on the switch are in VLAN1. I need to assign all of the ports currently in VLAN1 to VLAN100.
interface range fastethernet0/1 - 11 , fastethernet0/13 - 22 , gigabitethernet0/1 - 2
Then I need to assign port fastethernet 0/12 as the trunk port physically connected to the PIX. I want this trunk port to carry both VLAN110 and VLAN100 traffic to the PIX.
How do I do that (syntax)?
[PIX SIDE]
I need to create subinterfaces on ethernet3; ethernet3.1 and ethernet3.2:
name each new subinterface
Assign an IP to ethernet3.1, assign a security level of 30
Assign an IP to ethernet3.2, assign a security level of 30
Configure 3.1 and 3.2 to carry VLAN100 and VLAN110 traffic specifically
Apply an access-list acl_dmz_in to ethernet3.1
Apply access-list acl_dmz_out to ethernet3.2
I already have acl_dmz_in applied to ethernet3 so do I need to create another access-group for the new subinterfaces? If so how would that look?
~Steve
09-17-2010 09:40 AM
Hi Steve,
Well, I am not an expert with configuring switches. But, to configure a port as trunk, the config will be as below:
interface fa0/12
switchport mode trunk
To configure a port as an access port, for example, fa0/1 in vlan 100, it will look like this:
interface fa0/1
switchport mode access
switchport access vlan 100
PIX side:
======
On the pix side, the behavior is going to be like this. Assuming that the native VLAN on the switch is going to be VLAN 1. Now, on the trunk link, all native VLAN packets will go untagged. These untagged packets will be processed by the physical interface on the PIX, that is, Ethernet3. So you will need to put Ethernet3 in the same subnet as VLAN1 (better put as Native VLAN) on the switch.
All tagged packets, that is, packets on VLAN 100 and 101, will be processed by the respective subinterfaces. So we need to put the respective subinterfaces in the respective VLAN and give them an IP address in those respective subnets.
Assuming VLAN 100 and 101 are in the ranges 192.168.100.0 and 192.168.101.0/24 respectively, and VLAN 1 is 192.168.1.0/24, then the config on the PIX would look something like this:
interface Ethernet3
ip address 192.168.1.1 255.255.255.0
nameif VLAN1
security-level 100
interface Ethernet3.1
vlan 100
ip address 192.168.100.1 255.255.255.0
nameif VLAN100
security-level 30
interface Ethernet3.2
vlan 101
ip address 192.168.101.1 255.255.255.0
nameif VLAN101
security-level 30
The nameif and security-level will be based on your requirement. Applying access lists to these interfaces will be just like regular interfaces.
access-group acl_dmz_in in interface VLAN100
access-group acl_dmz_out out interface VLAN101
In the above commands, the directions and access-list names will again depend on what you want to configure them as.
Importantly, to allow communication between VLAN100 and VLAN101 on the PIX, you will also need the command "same-security-traffic permit inter-interface" as they both have the same security-levels configured.
Hope the above helps!! Let me know if there is anything unclear.
Regards,
Prapanch
09-17-2010 09:49 AM
Hello,
If you want to create subinterfaces on the DMZ port, please follow the procedure below:
interface ethernet 3.1
nameif DMZ1
security-level 30
ip address
exit
interface ethernet 3.2
nameif DMZ2
security-level 30
ip address
exit
If you want to enable communication between these two DMZ subnets, then
same-security-traffic permit inter-interface
access-list DMZ1_nat0_outbound permit ip
nat (DMZ1) 0 access-list DMZ1_nat0_outbound
access-list DMZ2_nat0_outbound permit ip
nat (DMZ2) 0 access-list DMZ2_nat0_outbound
If you want these DMZ subnets to have access to internet, then
global (outside) 1 interface -- This line could already be there
nat (DMZ1) 1 0.0.0.0 0.0.0.0
nat (DMZ2) 1 0.0.0.0 0.0.0.0
If you want to enable communication between specific inside hosts and these DMZ devices, then
access-list inside_nat0_outbound permit ip host
access-list inside_nat0_outbound permit ip host
nat (inside) 0 access-list inside_nat0_outbound
access-list DMZ1_access_outbound permit ip any any
access-group DMZ1_access_outbound in interface DMZ1
access-list DMZ2_access_outbound permit ip any any
access-group DMZ2_access_outbound in interface DMZ2
Hope this helps.
Regards,
NT
09-17-2010 10:13 AM
NT,
Thank you. This should help.
I don't think we need the two DMZ segments to share traffic between them, but the VLAN100 side certainly does. So given your syntax all I would need to do is:
interface ethernet 3.1
vlan 100
nameif DMZ1
security-level 30
ip address
exit
interface ethernet 3.2
vlan 110
nameif DMZ2
security-level 30
ip address
exit
nat (DMZ1) 1 0.0.0.0 0.0.0.0 (this is already here since our current DMZ has access to the Internet)
Using your naming convention, DMZ2 will be the 'inside' DMZ link and I would need an access-group and apply an access-list allowing our internal systems proper communication.
access-group DMZ2_access_internal in interface DMZ2
access-list DMZ2_access_internal permit tcp any host UAG1_Corp eq www
access-list DMZ2_access_internal permit tcp any host UAG1_Corp eq https
access-list DMZ2_access_internal permit tcp any host UAG1_Corp eq 445
access-list DMZ2_access_internal permit udp any host UAG1_Corp eq 445
access-list DMZ2_access_internal permit tcp any host UAG1_Corp eq 88
access-list DMZ2_access_internal permit udp any host UAG1_Corp eq 88
access-list DMZ2_access_internal permit tcp any host UAG1_Corp eq ldap
access-list DMZ2_access_internal permit udp any host UAG1_Corp eq 389
access-list DMZ2_access_internal permit tcp any host UAG1_Corp eq ldaps
access-list DMZ2_access_internal permit udp any host UAG1_Corp eq 636
access-list DMZ2_access_internal permit tcp any host UAG1_Corp eq 3268
access-list DMZ2_access_internal permit udp any host UAG1_Corp eq 3268
access-list DMZ2_access_internal permit tcp any host UAG1_Corp eq 3269
access-list DMZ2_access_internal permit udp any host UAG1_Corp eq 3269
access-list DMZ2_access_internal permit tcp any host UAG1_Corp eq domain
access-list DMZ2_access_internal permit udp any host UAG1_Corp eq domain
access-list DMZ2_access_internal permit udp any host UAG1_Corp eq radius
access-list DMZ2_access_internal permit udp any host UAG1_Corp eq 1812
Is there anything on the PIX side I need to configure to allow trunking traffic from the DMZ switch?
~Steve
09-17-2010 10:20 AM
Hello,
As long as you have created the sub-interfaces, that is pretty much all you need on the firewall side to enable trunk communication. Please make sure that on the switch side, the native VLAN is something other than VLAN 100 or VLAN 110.
Also, I forgot to include a keyword in the earlier configuration:
interface ethernet 3.1
vlan 100
nameif DMZ1
security-level 30
ip address
exit
interface ethernet 3.2
vlan 110
nameif DMZ2
security-level 30
ip address
exit
You still need "same-security-traffic permit inter-interface" along with the access-list entries to enable communication between these two subnets.
Regards,
NT
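A complete switch-side and PIX-side configuration for the layout described in this thread, as an added example (not posted by anyone in the thread): VLAN 100 on fa0/1-10, fa0/13-22 and gi0/1-2, the single VLAN 110 port assumed to be fa0/11, fa0/12 trunked to PIX Ethernet3, subinterfaces DMZ1/DMZ2 at security-level 30, and 192.168.100.0/24 and 192.168.110.0/24 as constructed addresses. The trunk's native VLAN is moved to an unused VLAN 999 and the trunk is limited to VLANs 100 and 110, so neither DMZ VLAN ever rides the trunk untagged and Ethernet3 itself never processes DMZ frames.

```cisco
! ---- DMZ switch side (Catalyst 2950) ----
vlan 100
 name DMZ-PUBLIC
vlan 110
 name DMZ-UAG-INTERNAL
vlan 999
 name TRUNK-NATIVE-UNUSED
!
! all former VLAN1 user ports move to VLAN 100 (fa0/11 and fa0/12 excluded)
interface range FastEthernet0/1 - 10 , FastEthernet0/13 - 22 , GigabitEthernet0/1 - 2
 switchport mode access
 switchport access vlan 100
!
! assumed: the one VLAN110 port is fa0/11
interface FastEthernet0/11
 switchport mode access
 switchport access vlan 110
!
! physical uplink to PIX Ethernet3: 802.1Q trunk, DTP off, only 100/110 tagged
interface FastEthernet0/12
 description trunk to PIX Ethernet3
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,110
!
! ---- PIX 515E side (7.x syntax) ----
! physical interface stays up but unnamed: untagged (native) frames are dropped
interface Ethernet3
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet3.1
 vlan 100
 nameif DMZ1
 security-level 30
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet3.2
 vlan 110
 nameif DMZ2
 security-level 30
 ip address 192.168.110.1 255.255.255.0
!
! existing DMZ ACL re-applied to the named subinterface; DMZ2 gets its own
access-group acl_dmz_in in interface DMZ1
access-group DMZ2_access_internal in interface DMZ2
```

Because both subinterfaces are at security-level 30 and "same-security-traffic permit inter-interface" is deliberately left out, DMZ1 and DMZ2 cannot reach each other through the PIX; only the UAG host reachable from both segments links them.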
09-17-2010 10:25 AM
NT,
Thank you...
You mentioned this: "same-security-traffic permit inter-interface" along with the access-list entries to enable communication between these two subnets. Is this so the PIX sees both VLANs or allows traffic between these? The idea is to segment the two so they are unaware of one another. The "UAG" box will process any traffic between the two VLANs. Specifically, this will be a Microsoft Unified Access Gateway used to process inbound and outbound emails so I don't think we need to allow traffic between the two VLANs.
Hopefully that makes sense.
~Steve
09-17-2010 10:30 AM
Hello,
Where will this UAG box be located? If it will be in a different segment than DMZ1/DMZ2, then you do not need to enable communication between these two segments. Also, you need to make sure that both segments can talk to UAG box. So, you need to configure NAT translation for the UAG box on both interfaces. Can you post a rough sketch of how devices are connected to the PIX?
Regards,
NT
09-17-2010 10:50 AM
NT,
Here is a sketch of what we're trying to accomplish:
09-17-2010 10:52 AM
The port labeled "11" will be in the VLAN110 on the DMZ switch.