Currently, we have a Cisco PIX firewall model 525, IOS 6.0(2) Pentum III 600MHz with 128MB Ram with 2GE and 2FE ports. The Cisco PIX firewall device manager is version 1.1(2).
The Cisco PIX firewall gigabit interface 0/1 connects to a Cisco 6500 switch module gigabit 2/1 and assigned VLAN 2. Network and subnet mask statement is 18.104.22.168 255.255.254.0
The Cisco PIX firewall inside gigabit interface currently supports one flat IP network, while the outside gigabit interface connects to a Cisco 6500 switch with MSFC used as the default gateway.
Current Inside gigabit network interface g0/1
--- 22.214.171.124 255.255.254.0
NEW Suggested Inside gigabit network interface g0/1
--- 126.96.36.199 255.255.254.0
Outside gigabit network interface g0/2
--- 192.168.1.1 255.255.255.240
We need connectivity between VLAN 2 and VLAN 3 and the outside world. To enable communication between the two VLANS and to the outside world requires a trunk link between the Cisco PIX firewall gigabit 0/1 interface and the Cisco 6500 port G2/1 RIGHT?
Does our current PIX firewall software/hardware support trunking in this configuration?
Should we use ISL or 802.1q protocol? Does it matter?
Should we combine VLAN 2 and VLAN 3 into one flat IP VLAN with a subnet mask of /22?
I do not know much about VLAN, but you should know that the latest pix OS version adds support for VLAN:
However if the switch has "layer 3" capabilities, you have the option to connect the VLANs at the switch.
Do you want VLAN2 and VLAN3 to be able to access the outside *ONLY*, or can they also access each other?
Thanks for the reply.
The Cisco 6500 switch named "Inside-A" does not have an MSFC, the firewall is the default gateway for the current vlan 2 on G0/1 interface. I plan to add another vlan, vlan 3 to the Cisco 6500 switch "Inside-A".
I need the firewall to also be the default gateway for this vlan 3 on the same g0/1 interface as vlan 2.
Yes, vlan 2 and vlan 3 must be able to talk to each other and to the outside world also.
I will look at the upgrade OS for trunk support.
> Yes, vlan 2 and vlan 3 must be able to talk to each other and to the outside world also.
This may lead to un-needed load at the pix (if you're expecting high traffic between VLANs and are not going to filter it).
You should also look for a solution with a router or the switch itself for routing between VLANs, then use the pix traditionaly as gateway for your router/swtich only. (The default gateway of hosts will be the switch or the router).
Again - I'm not an expert with switching, so better verify my advices with some one more experienced.
You have to configure dot1q trunking because the PIX (version 6.3) does not support ISL. Second thing: Hope you do not have any other gateway in one of these VLANs. Because the PIX does not support ICMP redirects and does not send packets on the same interface as they were received.
Ok, I understand the trunking protocol issue -802.1q this is fine. Industry standard!!
It is not clear to me about the ICMP redirects.
Are you saying that if I ping from vlan2 to a device in vlan 3, then the firewall will not forward the request over? PLEASE explain!!!