No problem - please find the attached .txt file.

I have included the config statements and not the physical config, is this waht you mean ?

When I enable the VLAN interface on the PIX, there is an implicit pemrmit statement created within the config. Whenever I try and add a rul within this it states that you cannot ammend, delete or add to these rules until the relevant transaltions have been configured.

Do I need to configure a translation rule to go between the 192.168.X.X VLAN on the PIX, across to the 192.168.X.X VLAN on the 2950 ?

The aim of all this is to connect the exisiting PIX to another PIX that will be sitting in the DMZ (the new PIX only has two physical interfaces, hence the setting up of the VLAN interfaces).

Thanks in advance.

What's the config for the 2950's switchport connected to the PIX, also you have the vlan10 interface in the pix in a shutdown state, do a show interface and post that too, maybe it's just shutdown

Please find attached interface config.

On the last config I had the PIX VLAN interface in shutdown, as I have been disabling it whilst not testing.

I re-enabled the interface but still can't ping to/from the 2950 VLAN.

I have done a sh vlan on the 2950 and the new VLAN 10 is not displayed, only the native VLAN 1 - as far as I'm aware I have configured the 2950 VLAN 10 correctly, as it says that it is'up' and you can ping it from the 2950.

I have also set the Fa0/1 interface on the 2950 to be a trunk, as it was originally set to be in VLAN 1.

Couuld it be an issue with 802.1Q set-up in the switch/PIX ? in the fact that the 2950 is not able to see packets tagged with the VLAN 10 ID ?

Thanks again.

Please find attached interface configs.

I have re-anbled the PIX interface, as it was disbale whilst not in use. Even with it enable, you cannot ping the 2950 VLAN interface.

I have configured the Fa0/1 int on the 2950 to be a trunk port, as it was originally set-up in VLAN 1.

I have also done sh vlan on the 2950 and for some reason the new VLAN 10 is not listed.

Could there be an issue with the VLAN tagging not being recognised by either the 2950 or PIX ? There does there need to be layer three device somewhere between these two devices ?

I assumed that becuase it is inter VLAN between the 2950 and the PIX, this wouldn't be necessary.

First I would enter the 'switchport nonnegotiate' command under the f0/1 of the switch. To get vlan 10 listed go to the vlan database and add it there, it should be listed then. Also, make sure you have the icmp permit any any [interface] command on the pix, you won't be able to ping the pix's inetrface without it.

I have created VLAN 10 in the VLAN database and it is now listed.

I have assigned the 192.168.X.X/24 address to the VLAN 10 interface and, but the inrerface does not become active until the native VLAN 1 is disabled.

Does the VLAN 1 interface become inactive as soon aonother VLAN is activated ? As VLAN 1 is sitting on the 10.X.X.X/8 range, will this become unusable if we try and create another VLAN (10) ?

My knowledge of VLAN creation a bit lacking, so excuse all the questions on VLAN's !

I have attached the config from the 2950 for info.

Thanks again.