VLAN not going to PIX

bkoski (Level 1)

Briefly - I have intervlan routing for 3 vlans on a 3750 that need to go to PIX.

Example:

(ISP)
  |
[Rtr]
  |
[Pix]
  |
[Cat3750] vlan10 mgmnt // vtp server
  /    \
[2948] [2948]
vlan2  vlan3

route on Cat3750 is 0.0.0.0 0.0.0.0 <pix fa0/0 IP>

default route for switches is their respective mngmt vlan ip.

It looks like no traffic is passing to the PIX interface from the Cat3750 (the VLANs can talk to each other, but there is no internet access and no NAT taking place). The PIX "inside" fa0/0 is up, but not pingable.

?

9 Replies

Roberto Salazar (Level 8)

The connection from the 3750 to the PIX should be in the same VLAN. Does the 3750 have an interface VLAN for that VLAN? If so, is the PIX's "internal" interface pingable from the 3750 itself? If yes, check the PIX's configuration to see whether it has routes to the VLAN 2 and VLAN 3 networks.

That is one of the things I was unsure of. If I have more than one VLAN that needs to access the PIX, do I set the 3750 port to the PIX as switchport access vlan <#???>? Also, when adding VLAN routes, is the destination IP the PIX interface or the VLAN interface address?

Thanks for your input and patience.

Yes the 3750 has vlan interfaces set, however the port to PIX does not have a vlan access set.

No the PIX internal is not pingable.

OK, make sure that the PIX is allowing ping to its internal interface. The PIX routes to VLANs 2 and 3 should point to the interface VLAN IP address. For example:

PIX fa0/0 -----fa0/1 3550

fa0/1 of the 3550 belongs to vlan 3, for example, and has IP address 3.3.3.1/24, and the PIX's internal interface has IP address 3.3.3.2/24. The PIX will then have routes to the vlan 2 and vlan 3 networks that point to 3.3.3.1. If the 3550 has interface vlan 3, it should be able to ping 3.3.3.2, given that the PIX is allowing ICMP.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1026574

Yes, ICMP is allowed.

The link keeps saying I can't log in (I have an account and have already reset the password)...

So, in short the uplink has to belong to a/or any vlan?

How do I add a route to a PIX? There is no route cmd...

I will retest by adding a VLAN access...

In the meantime I will wait for CCO support to fix the login issue, so I can check the doc out...

Thx again.

You do not need a static route for the 3750 to ping a directly connected PIX as long as the 3750 has an L3 SVI on the same VLAN as the port that connects to the internal interface of the PIX. The uplink from the PIX has to be in that VLAN. On a switch, by default all ports belong to vlan 1. Let's say the port of the 3550 is fa 0/1 and the port is an access port belonging to vlan 5. Do you have interface vlan 5 on the 3550? If so, what is its IP address and what is the PIX's interface's IP address? Are they in the same subnet?

PIX inside is 172.16.0.1, Cat3750 Gi1/0/1 is 172.16.0.2; (172.16.0.0/30 network)

VLAN 1 is disabled.

The 3750 defines VLANs 10, 2 and 3.

Gi1/0/1 is set to no switchport. There lies the issue, since another prod system has vlan access 11 going to that PIX.

Should I use existing vlan assignment or make a new one just for this routing-subnet (172.16.0.0)?

Okay, so gig 1/0/1 is an L3 port; that should be fine. You should be able to ping the inside interface of the PIX. Is gig 1/0/1 showing connected? You need to check whether the PIX is responding to the ARP of the 3750. Try configuring a static ARP entry on the PIX for 172.16.0.2 and then try to ping 172.16.0.1 again from the 3650, or ping from the PIX to 172.16.0.2. You should be able to ping, and this looks like a PIX configuration issue. Something might be missing there.
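To tie the routing advice in this thread together (the PIX needs return routes for each VLAN subnet pointing at the 3750's address, ICMP must be permitted on the inside interface, and both ends of the 172.16.0.0/30 link must agree), here is an added example of what the two configurations would look like. This is not configuration from the original poster or from Cisco; only the 172.16.0.0/30 addresses and interface Gi1/0/1 come from the thread. The VLAN 2/3/10 subnets, the PIX interface name and the router address are constructed placeholders, and the PIX side assumes PIX 6.x command syntax.

```cisco
! ===== Catalyst 3750 (added example; VLAN subnets are constructed) =====
ip routing
!
interface Vlan2
 ip address 10.2.0.1 255.255.255.0
!
interface Vlan3
 ip address 10.3.0.1 255.255.255.0
!
interface Vlan10
 description management VLAN (constructed subnet)
 ip address 10.10.0.1 255.255.255.0
!
! Routed (L3) uplink to the PIX inside interface, as described in the thread.
! Because it is "no switchport", it does not belong to any VLAN.
interface GigabitEthernet1/0/1
 no switchport
 ip address 172.16.0.2 255.255.255.252
!
! Anything not in a directly connected VLAN goes to the PIX inside address.
ip route 0.0.0.0 0.0.0.0 172.16.0.1

! ===== PIX 6.x (added example; interface name and router IP are assumptions) =====
nameif ethernet1 inside security100
ip address inside 172.16.0.1 255.255.255.252
!
! The PIX only knows the connected /30. Without these return routes, replies to
! hosts in VLANs 2, 3 and 10 have no path back and NAT never appears to work.
! Next hop is the 3750's routed-port address, not a VLAN SVI address.
route inside 10.2.0.0 255.255.255.0 172.16.0.2 1
route inside 10.3.0.0 255.255.255.0 172.16.0.2 1
route inside 10.10.0.0 255.255.255.0 172.16.0.2 1
route outside 0.0.0.0 0.0.0.0 ROUTER_IP_PLACEHOLDER 1
!
! Allow ping to the inside interface only from the transit /30 while troubleshooting,
! rather than "icmp permit any inside".
icmp permit 172.16.0.0 255.255.255.252 inside
!
! PAT the constructed inside subnets to the outside interface address.
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface
```

With this in place, `show ip route` on the 3750 should list the default route via 172.16.0.1, `show route` on the PIX should list the three inside routes via 172.16.0.2, and `show arp` on the PIX should show an entry for 172.16.0.2 on inside once a ping has crossed the link. If the ARP entry never appears even though the interface is up, the problem is below layer 3 (cabling, duplex or the physical port), which is exactly what the thread ends up finding.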

No pinging either way; ARP on the PIX only shows the entry for the interface to the router.

added arp inside x.x.x.x

no go.

...update: OK. Replaced the cabling (again). Pings now! :)

I will test NAT tomorrow, that will be the true test.

Thx again Bosalaza.

NAT working. The router and PIX can ping the internet, but the workstations can't; a DNS/PIX ACL issue, I assume (however the ACL is the same as the one used in the current production system).