11-23-2010 06:27 AM - edited 03-06-2019 02:10 PM
Hi All,
I am trying to trunk a PIX-515E to a C2950T switch. Both, from my understanding, support (only) 802.1q.
Briefly, vlan1 is for network device management 172.16.1.x ; vlan103 is for workstation data 192.168.32.x
PIX vlan1 IP: 172.16.1.1
PIX vlan103 IP: 192.168.32.3
Switch vlan1 IP: 172.16.1.4
My issue is that, while vlan103 is working fine (I can ping to and from 192.168.32.3; the PIX's vlan103 IP), I cannot ping to or from the PIX on vlan1.
Oddly, on the PIX "native VLAN" errors are being generated despite the native vlanID on the switch being set to 1. This would suggest the PIX is not using vlanID1 for native untagged traffic. But I am unsure if this is really the issue or how to fix it.
interface ethernet1 "IT_LAN" is up, line protocol is up
IP address 172.16.1.1, subnet mask 255.255.255.0
...
322004 aggregate VLAN packets input, 36029395 bytes
429874 aggregate VLAN packets output, 281698785 bytes
0 vlan1 packets input, 0 bytes
31 vlan1 packets output, 1426 bytes
43571 invalid VLAN ID errors, 37 native VLAN errors
interface vlan103 "inside" is up, line protocol is up
IP address 192.168.32.3, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
322004 packets input, 36029395 bytes
429843 packets output, 281697359 bytes
----switch config----
interface FastEthernet0/1
description PIX-INT TRUNK
switchport mode trunk
no ip address
!
interface Vlan1
ip address 172.16.1.4 255.255.255.0
no ip route-cache
!
------------------------
-----PIX config----
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan1 physical
interface ethernet1 vlan103 logical
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 IT_LAN security90
nameif ethernet2 intf2 security4
nameif vlan103 inside security100
...
ip address outside 173.162.187.50 255.255.255.240
ip address IT_LAN 172.16.1.1 255.255.255.0
no ip address intf2
ip address inside 192.168.32.3 255.255.255.0 103
----------------
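As an added example (not from this thread or any Cisco tool), a small Python parser for the PIX 6.3 "show interface" counters quoted above that flags the two symptoms discussed here: native VLAN errors on the trunk port and a VLAN that sends packets but never receives any. The sample text is constructed from the output above, and the regular expressions assume that line layout.

```python
import re

# Constructed sample, modelled on the PIX 6.3 "show interface" output quoted above.
SAMPLE = """\
interface ethernet1 "IT_LAN" is up, line protocol is up
322004 aggregate VLAN packets input, 36029395 bytes
429874 aggregate VLAN packets output, 281698785 bytes
0 vlan1 packets input, 0 bytes
31 vlan1 packets output, 1426 bytes
43571 invalid VLAN ID errors, 37 native VLAN errors
interface vlan103 "inside" is up, line protocol is up
322004 packets input, 36029395 bytes
429843 packets output, 281697359 bytes
"""

IFACE_RE = re.compile(r'^interface (\S+) "([^"]*)" is (\S+), line protocol is (\S+)')
VLAN_CNT_RE = re.compile(r'^(\d+) (vlan\d+) packets (input|output), \d+ bytes')
ERR_RE = re.compile(r'^(\d+) invalid VLAN ID errors, (\d+) native VLAN errors')
PKT_RE = re.compile(r'^(\d+) packets (input|output), \d+ bytes')

def parse_show_interface(text):
    """Return a dict keyed by PIX interface name (ethernet1, vlan103, ...)."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := IFACE_RE.match(line):
            cur = ifaces[m.group(1)] = {"nameif": m.group(2), "vlan": {},
                                        "invalid_vlan_errors": 0, "native_vlan_errors": 0}
        elif cur is None:
            continue
        elif m := VLAN_CNT_RE.match(line):      # per-VLAN counters on the trunk port
            cur["vlan"].setdefault(m.group(2), {})[m.group(3)] = int(m.group(1))
        elif m := ERR_RE.match(line):           # 802.1q error counters
            cur["invalid_vlan_errors"], cur["native_vlan_errors"] = int(m.group(1)), int(m.group(2))
        elif m := PKT_RE.match(line):           # plain counters on a logical vlan interface
            cur[m.group(2)] = int(m.group(1))
    return ifaces

def diagnose(ifaces):
    """Flag the thread's symptoms: native VLAN errors, and a VLAN that sends but never receives."""
    findings = []
    for name, d in ifaces.items():
        if d["native_vlan_errors"]:
            findings.append(f"{name}: {d['native_vlan_errors']} native VLAN errors (untagged frames); compare the switch native vlan with the PIX physical VLAN")
        if d["invalid_vlan_errors"]:
            findings.append(f"{name}: {d['invalid_vlan_errors']} invalid VLAN ID errors (tags with no PIX interface); check 'switchport trunk allowed vlan' on the switch")
        for vlan, cnt in d["vlan"].items():
            if cnt.get("input", 0) == 0 and cnt.get("output", 0) > 0:
                findings.append(f"{name}/{vlan}: {cnt['output']} packets sent, none received (one-way traffic)")
    return findings
```

Run diagnose(parse_show_interface(SAMPLE)) to get the three findings for the output above; paste real "show interface" text in place of SAMPLE to check a live box.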
11-23-2010 07:36 AM
mikespenard wrote:
Thanks Jon, this does seem to be either a bug or something very non-intuitive.
I'm not sure what you would like me to do with the dummy VLAN... Could you explain more? As setting the native VLAN ID to 999 on the switch would still kick off "native vlan errors" on the PIX.
Mike
I'm not sure it would kick off errors because it won't be sending anything for vlan 999. If you set the native vlan to 999 then all vlans going to the pix will be tagged, including vlan 1. Like I say, I have never had an issue with trunking to pix firewalls, but I have never used the native vlan as one of the vlans on the trunk.
If you create vlan 999 (or any vlan really) on the switch and make that the native vlan, nothing will ever be sent for that vlan, i.e. no packets will arrive at the pix without an 802.1q tag. From experience I don't believe you have to have an untagged vlan on the pix physical interface; rather, if you are going to use 802.1q and you want to pass the native vlan, it must be on the physical interface.
Jon
11-23-2010 06:55 AM
Mike
Looking through the forums there does seem to be an issue with this. Apparently the vlan you configure as physical (as opposed to logical) must be the native vlan but you have done this already.
I have used trunking many times on pix but not using the native vlan because it is not recommended.
Could you on the 2950 switch -
1) create a dummy vlan, i.e. one with no ports in and no L3 vlan interface, e.g. vlan 999
2) on the 2950 -
int fa0/1
switchport trunk native vlan 999
Jon
11-23-2010 07:07 AM
Thanks Jon, this does seem to be either a bug or something very non-intuitive.
I'm not sure what you would like me to do with the dummy VLAN... Could you explain more? As setting the native VLAN ID to 999 on the switch would still kick off "native vlan errors" on the PIX.
11-23-2010 01:52 PM
Gotchya, force native ID to 999. That way I can force vlan1 to be tagged on the PIX; which only seems to support tagged traffic.
Great idea! Many thanks.
Also, any idea how to clear vlan 'sh int' stats?
11-23-2010 03:40 PM
Mike
Do you mean on the pix ? - if so in config mode,
pix(config)# clear interface
Jon
11-24-2010 06:22 AM
Ahh, I need to be in config mode. That was my issue clearing counters, doh.
------------
Also, I'm having a subsequent issue now that all the vlan traffic is up to the PIX. I can ping nodes on each vlan subnet from the PIX. However, I can't seem to ping from a node on one subnet to a node on the other, using the PIX as a default gateway.
E.g.
PIX IP = 172.16.1.1 on vlan1
PIX IP = 192.168.32.3 on vlan103
Switch IP = 172.16.1.4 on vlan1 default GW = 172.16.1.1
And I cannot ping 192.168.32.3 from the switch
I'm guessing NAT and/or ACL(s) needs tweaking???
----pix config-----------
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan999 physical
interface ethernet1 vlan1 logical
interface ethernet1 vlan103 logical
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 native security90
nameif ethernet2 intf2 security4
nameif vlan103 inside security100
nameif vlan1 IT_LAN security90
.
ip address outside x.x.x.x 255.255.255.240
no ip address native
no ip address intf2
ip address inside 192.168.32.3 255.255.255.0
ip address IT_LAN 172.16.1.1 255.255.255.0
.
access-list inside_outbound_nat0_acl permit ip any 192.168.32.192 255.255.255.192
access-list vpnlist permit ip 192.168.32.0 255.255.255.0 any
access-list vpnlist permit ip 192.168.52.0 255.255.255.0 any
access-list outside_inbound_acl permit icmp any any
.
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
access-group outside_inbound_acl in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.52.0 255.255.255.0 192.168.32.1 1
11-24-2010 06:49 AM
Mike
interface ethernet1 vlan999 physical
interface ethernet1 vlan1 logical
interface ethernet1 vlan103 logical
Interesting that you did it that way. I was assuming you would do -
interface ethernet1 vlan1 physical
interface ethernet1 vlan103 logical
However, if it works, fine.
Anyway on to the problem at hand.
inside interface (vlan 103) has security level 100
IT_LAN interface (vlan 1) has security level 90
so to get from IT_LAN to inside you would need to either do a nat exemption or setup statics. Easiest way is nat exemption because it works both ways so it would also cover inside -> IT_LAN.
Add this to your config
access-list NATEXT permit ip 192.168.32.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NATEXT
Now if you want to initiate connections from IT_LAN to inside you will also need an acl because IT_LAN has a lower security level, e.g.
access-list ITLAN_to_inside permit etc..... (ie. whatever you want to permit)
access-group ITLAN_to_inside in interface IT_LAN
*** Edit - Easiest way is nat exemption because it works both ways so it would also cover inside -> IT_LAN.
Actually, not trying to confuse the issue but statics would also work both ways just to be clear ie you could do -
static (inside,IT_LAN) 192.168.32.0 192.168.32.0 netmask 255.255.255.0
If you only want to allow access between a few devices on both LANs individual static host entries would probably be better ***
Jon
11-24-2010 07:38 AM
Thanks Jon for the NAT & ACL pointers.
--
[incase someone else gets stuck on this like I did, and stumbles on this thread. To summarize...]
interesting that you did it that way. I was assuming you would do -
interface ethernet1 vlan1 physical
interface ethernet1 vlan103 logical
Well, that was what I was trying to do first off; it is how one typically sets up a vlan, i.e., with native traffic on vlan1. But the PIX just would not process native vlan1 traffic (which I have). Apparently PIXs will only process traffic on tagged/logical interfaces if the physical interface is involved in 802.1q at all. So the workaround apparently is to put a dummy vlan on the physical interface for native traffic (of which there is none, i.e. dummy vlan 999) and then redirect what was once untagged vlan1 traffic into a tagged/logical interface on the PIX.
11-24-2010 07:47 AM
Mike
Well, that was what I was trying to do first off; it is how one typically sets up a vlan, i.e., with native traffic on vlan1. But the PIX just would not process native vlan1 traffic (which I have).
Sorry didn't explain myself very well. What i meant was use this config -
interface ethernet1 vlan1 physical
interface ethernet1 vlan103 logical
but still tag vlan 1, i.e. add the "switchport trunk native vlan 999" config to the trunk connection on your switch. So vlan 1 and vlan 103 are both tagged going to the pix. There isn't actually any need to pass the vlan 999 traffic, so the pix doesn't need an interface for vlan 999. So the physical interface can be assigned to vlan 1, which will be tagged. At least that has always worked for me.
Jon
12-01-2010 02:51 PM
Jon,
I tried adding:
static (inside,IT_LAN) 192.168.32.0 192.168.32.0 netmask 255.255.255.0
...but to no avail. I still can't ping thru the router from vlan1(192.168.32.0) to vlan103(172.16.1.0)
A bit stumped.
Mike