Currently, we have a Cisco PIX firewall model 525, IOS 6.0(2), Pentium III 600MHz with 128MB RAM with 2GE and 2FE ports. The Cisco PIX firewall device manager is version 1.1(2).
The Cisco PIX firewall gigabit interface 0/1 connects to a Cisco 6500 switch module gigabit 2/1 and assigned VLAN 2. Network and subnet mask statement is 188.8.131.52 255.255.254.0
The Cisco PIX firewall inside gigabit interface currently supports one flat IP network, while the outside gigabit interface connects to a Cisco 6500 switch with MSFC used as the default gateway.
Current inside gigabit network interface g0/1: 184.108.40.206 255.255.254.0
New suggested inside gigabit network interface g0/1: 220.127.116.11 255.255.254.0
Outside gigabit network interface g0/2: 192.168.1.1 255.255.255.240
We need connectivity between VLAN 2 and VLAN 3 and the outside world. To enable communication between the two VLANs and to the outside world requires a trunk link between the Cisco PIX firewall gigabit 0/1 interface and the Cisco 6500 port G2/1, right?
Does our current PIX firewall software/hardware support trunking in this configuration?
Should we use ISL or 802.1q protocol? Does it matter?
Should we combine VLAN 2 and VLAN 3 into one flat IP VLAN with a subnet mask of /22?
The PIX does not understand ISL or 802.1Q encapsulation:
Are you using a separate 6500 switch for PIX's outside interface? If I understand it correctly, PIX's INSIDE (gi0/1) is connected to Cat6500 (gi2/1). Then PIX's OUTSIDE is connected to another 6500 with MSFC. If VLANs 2 and 3 are located behind the INSIDE interface of the PIX, I think you should combine them to be able to pass through the PIX since the PIX doesn't support trunking.
If you use the new version 6.3.1, the PIX understands 802.1q encapsulation:
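As an added illustration (not from this thread, and not taken from Cisco's documentation), this is the shape of the VLAN-aware setup the 6.3.1 answer refers to: one 802.1Q trunk between the PIX inside port and Inside-A gi2/1, with VLAN 2 on the untagged physical interface and VLAN 3 on a logical subinterface. The interface name gb-ethernet0, the RFC 1918 addresses, the security levels and the access list are assumed values chosen for the example; the poster's addresses are not used, and the switch side is written in Cisco IOS syntax on the assumption that Inside-A runs IOS.

```cisco
! --- PIX 525, software 6.3 (assumed), inside port toward Inside-A gi2/1 ---
! "gb-ethernet0" is an assumed slot name for this chassis.
interface gb-ethernet0 1000auto
! VLAN 2 rides untagged on the physical interface (the trunk's native VLAN);
! VLAN 3 becomes a logical 802.1Q subinterface on the same port.
interface gb-ethernet0 vlan3 logical
nameif gb-ethernet0 inside security100
nameif vlan3 vlan3net security90
! Constructed RFC 1918 addressing, not the poster's real networks.
ip address inside 10.2.0.1 255.255.254.0
ip address vlan3net 10.3.0.1 255.255.255.0
! The PIX is now the default gateway for both VLANs. Because vlan3net has a
! lower security level, hosts on VLAN 3 cannot open sessions into VLAN 2
! until an access list allows it; a single flat /22 would give up that
! segmentation. Here VLAN 3 may reach one HTTPS server in VLAN 2 and the
! outside world, nothing else in VLAN 2.
access-list vlan3_in permit tcp 10.3.0.0 255.255.255.0 host 10.2.0.10 eq 443
access-list vlan3_in deny ip 10.3.0.0 255.255.255.0 10.2.0.0 255.255.254.0
access-list vlan3_in permit ip 10.3.0.0 255.255.255.0 any
access-group vlan3_in in interface vlan3net

! --- Catalyst 6500 "Inside-A", port gi2/1, Cisco IOS syntax (assumed) ---
interface GigabitEthernet2/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,3
 switchport mode trunk
 switchport nonegotiate
```

Two caveats for anyone copying this pattern: the existing nat/global statements that let the inside network reach the outside have to be extended to the new vlan3net interface, and the trunk is pinned with nonegotiate and an explicit allowed-VLAN list so the firewall only ever sees the two VLANs it is meant to route. PIX 6.3 can also tag the physical interface itself; if that is done for VLAN 2, the switch's native VLAN on gi2/1 must then be something other than VLAN 2.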
Thanks for the assistance!
The Cisco 6500 switch named "Inside-A" does not have an MSFC; the firewall is the default gateway for the current VLAN 2 on the G0/1 interface. I plan to add another VLAN, VLAN 3, to the Cisco 6500 switch "Inside-A".
I need the firewall to also be the default gateway for this VLAN 3 on the same G0/1 interface as VLAN 2.
Yes, the outside switch is a different switch named "Outside-B".
I will look at the upgrade OS for trunk support.