Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
296
Views
0
Helpful
3
Replies

506e dmz

iainkilner
Level 1
Level 1

‎04-25-2005 01:21 AM - edited ‎03-09-2019 11:02 AM

Hi,

Can anyone offer any source of good documentation of a PIX506e and a 2950 switch config?

I have downloaded a couple of ebooks and have tried google newsgroup searches, but am struggling to find either working config to copy or a reasonable explantion.

At the moment I have set the port on the switch to mode trunk. I have two ports in VLAN100 on the switch.

On the PIX I have

interface ethernet0 100full

interface ethernet1 auto

interface ethernet1 vlan100 logical

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif vlan100 DMZ security50

By the fact that inside has a higher security number than DMZ and that I allow anything "out" on HTTP - I should in theory be able to talk to a web server running on the DMZ - but nothing.

I am a newbie to this, but have managed inbound connections to a host running on the inside interface - so know my logic and setup is good in a straight 2 interface setup.

Any help would be greatly appreciated.

Labels:
0 Helpful
3 Replies 3

lgijssel
Level 9
Level 9

‎04-25-2005 01:53 AM

This will not work when your pix is running version 6.x. The reason for this is that the pix will not redirect traffic on the same physical interface, regardless of any vlan configuration. You will need an internal router to do the vlan routing.

In PIX swrel 7.0 this feature should be implemented although I have not seen it in the wild.

Regards,

Leo

0 Helpful

iainkilner
Level 1
Level 1
In response to lgijssel

‎04-25-2005 02:09 AM

V7.0 is not supported on 501 or 506.

I can't believe that cisco would put the following in their product info - if it wasn't possible?

Provides increased flexibility when defining security policies and eases overall integration into switched network environments by supporting the creation of logical interfaces based on IEEE 802.1q VLAN tags, and the creation of security policies based on these virtual interfaces

· Supports multiple virtual interfaces on a single physical interface through VLAN trunking, with support for multiple VLAN trunks per Cisco PIX Security Appliance

· Supports up to 2 VLANs on a Cisco PIX 506E Security Appliance, providing a low-cost DMZ-enabled security solution that enables businesses to securely host Web servers, e-mail servers, and other services with the Internet or extranet environments

0 Helpful

iainkilner
Level 1
Level 1
In response to iainkilner

‎04-27-2005 02:42 AM

Just in case anyone else reads this and is struggling. The above CAN be done in V6.3(4) of the IOS on a 506e with 2 ports over VLANS on a 2950 switch.

If anyone wants any config suggestions, please post a message back with an email address. I hasten to add I am no CCNE, but through a mixture of news groups and persistance I have a secure solution working.

0 Helpful
Customers Also Viewed These Support Documents