firewall and vlan implementation

engr_muaida · ‎04-18-2005

hi All

i have 1 switch in which 9 vlans are there. and router that is connected with trunk port. i want to place pix for establishing security and i want to dedicate router for only routing purpose i have already upgrade pix IOS with v6.3. now the problem is that where should i place pix b/w switch and router and what should be the basic configuration i will use ? plzz plzz help me

Patrick Iseli · ‎04-19-2005

Here is an example:

VLAN Setup for PIX 6.3.4

------------------------------------------------------

interface ethernet1 vlan9 physical

interface ethernet1 vlan14 logical

interface ethernet1 vlan16 logical

interface ethernet1 vlan129 logical

nameif ethernet1 inside security100

nameif vlan14 internal security90

nameif vlan16 public security50

nameif vlan129 voip security80

ip address inside 192.168.9.1 255.255.0.0

ip address internal 192.168.14.1 255.255.0.0

ip address public 192.168.16.1 255.255.0.0

ip address voip 192.168.129.1 255.255.0.0

Switch setup:

------------------------------------------------------

vlan 9,14,16,129

!

interface FastEthernet0/1

description port uplink via PIX VPN

switchport trunk encapsulation dot1q

switchport trunk native vlan 9

switchport trunk allowed vlan 9,14,16

switchport mode trunk

no ip address

spanning-tree portfast

!

interface FastEthernet0/2

description port IP phone

switchport trunk encapsulation dot1q

switchport trunk native vlan 14

switchport mode trunk

switchport voice vlan 129

no ip address

spanning-tree portfast

.....

interface FastEthernet0/21

description port pour telephone IP avec PC en arriere

switchport trunk encapsulation dot1q

switchport trunk native vlan 16

switchport mode trunk

switchport voice vlan 129

no ip address

spanning-tree portfast

!

interface Vlan1

no ip address

no ip route-cache

shutdown

!

interface Vlan9

ip address 192.168.9.254 255.255.255.0

no ip route-cache

!

ip default-gateway 192.168.1.1 ===> Other side of VPN Tunnel

ip classless

ip http server

Referneces:

By assigning a VLAN to the physical interface, you ensure that all frames forwarded on the interface will be tagged. VLAN 1 is not used because that is the default native VLAN for Cisco switches. Without the physical parameter, the default for the interface command is to create a logical interface.

see:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113411

sincerely

Patrick

engr_muaida · ‎04-19-2005

hi Patrick

thanks a lot for giving me a response but somethings are confusing here will u give me ur any contect that can i discuss with u??

Muaida

Patrick Iseli · ‎04-20-2005

Muaida,

Forget about the VPN part of the config. This was just an example !!!

What do you want to ask ?

sincerely

Patrick

arumugasamy · ‎04-20-2005

Dear Patrick,

I am little confused with following config.

ip address inside 192.168.9.1 255.255.0.0

ip address internal 192.168.14.1 255.255.0.0

ip address public 192.168.16.1 255.255.0.0

ip address voip 192.168.129.1 255.255.0.0

Have you mentioned the mask wrongly or all the interfaces are configured in the same network (192.168.x.x)

Pls clarify it

Thanks

swamy

Patrick Iseli · ‎04-20-2005

Sorry, I changed the IPs in the example and forgot to change the subnet maks to 255.255.255.0.

It should be of course like that !!!

ip address inside 192.168.9.1 255.255.255.0

ip address internal 192.168.14.1 255.255.255.0

ip address public 192.168.16.1 255.255.255.0

ip address voip 192.168.129.1 255.255.255.0

sincerely

Patrick