Implementing a PIX in a VLAN scenario

    I wonder if someone can help me come up with a solution to something I have been trying to figure out for a while now. In a few days' time I am going to have access to my own dedicated full rack in a datacenter near me. I currently have colocated servers, but I do not manage any of the routing/IP addressing/VLANs; that is all done by another company that owns a number of racks in the same datacenter.

    Basically my goal when I have the rack is to have multiple VLANs, routed by a 2621 series router, with each individual VLAN firewalled by a PIX 515. I also have a 2950 for switching.

    I have set up a few lab scenarios in my workshop and have been able to set up the router and switch to route between the VLANs; I understand this and can program it as I require.

    Where I am stuck now is how to ‘add’ the PIX to the scenario. Does it come before the router? Does it come between the router and the switch? My guess is that the hardware is arranged in the following order:


    If this is correct, how do I need to program the PIX to firewall each individual VLAN?

    I understand that this is a big question without a yes/no answer. If anyone can help point me in the right direction to solving this situation it would be most appreciated. My Cisco, networking and IP addressing knowledge is good, so feel free to post any configs or anything else that will make the question easier to answer.

    Many thanks

  • #2
    Re: Implementing a PIX in a VLAN scenario

    Well, you can arrange it in many ways you like;
    what I recommend is this way:

    Firewall -------- Internet
    • #3
      Re: Implementing a PIX in a VLAN scenario

      Hi Ryan,

      When you say that each VLAN will be firewalled by a PIX, do you mean a separate PIX? Or is this going to be a single unit? Perhaps a better question to ask is: what do you want to achieve in terms of traffic separation? E.g., would you want server1 on vlan1 to be able to talk SMTP to server2 on vlan2, etc.?

      Bear in mind that a PIX (later versions of FOS) will run VLANs on an interface (negating the need for a router), which it still views as a logical interface, and you can then create the rules that govern traffic between them. As I think I noted to an earlier poster, you are then restricted by the 100Mb TCP throughput of the 515. Might be enough?



      • #4
        Re: Implementing a PIX in a VLAN scenario

        Presumably you've got PIX OS 7.x on the PIX, or else this stuff won't help.

        You want either the router or the PIX here, not both. Trunk the port to the PIX on the 2950:

        ! 2950: 802.1Q trunk facing the PIX, carrying only the VLANs the PIX will firewall
        interface FastEthernet0/1
         description to pix e1
         switchport mode trunk
         switchport trunk allowed vlan 2,3,4
         speed 100
         duplex full
         no shutdown

        Then on the PIX, subinterface your e1 interface:

        ! physical trunk port: no name, no address; policy lives on the subinterfaces
        interface Ethernet1
         speed 100
         duplex full
         no nameif
         security-level 0
         no ip address
        ! one subinterface per VLAN; higher security-level may initiate to lower by default,
        ! lower to higher needs an access-list (addresses left out here)
        interface Ethernet1.2
         description vlan2
         vlan 2
         nameif Inside
         security-level 100
         ip address
        interface Ethernet1.3
         description vlan3
         vlan 3
         nameif vlan3
         security-level 30
         ip address
        interface Ethernet1.4
         description vlan4
         vlan 4
         nameif vlan4
         security-level 40
         ip address

        Make your e0 the Internet connection:

        ! untrusted side: lowest security-level, so nothing reaches the VLANs without an access-list
        interface Ethernet0
         description internet
         nameif Outside
         security-level 0
         ip address

        Something like that should work. If you've got multiple Internet connections, the 2600 in front of the PIX running BGP will be helpful.
        Brian Desmond
        Microsoft MVP - Directory Services
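        As an added check (my own example, not Brian's config or Cisco tooling), the script below parses a PIX 7.x interface layout like the one above, derives what the default security-level policy permits between the named interfaces before any access-lists are written, and cross-checks the subinterface VLAN IDs against the 2950 trunk's allowed list. The config text is constructed from the post; interface names and levels are the ones used there.

```python
import re
from itertools import permutations

# Constructed sample mirroring the interface layout in post #4 (IP addresses omitted).
PIX_CONFIG = """
interface Ethernet0
 nameif Outside
 security-level 0
interface Ethernet1
 no nameif
interface Ethernet1.2
 vlan 2
 nameif Inside
 security-level 100
interface Ethernet1.3
 vlan 3
 nameif vlan3
 security-level 30
interface Ethernet1.4
 vlan 4
 nameif vlan4
 security-level 40
"""
SWITCH_TRUNK_ALLOWED = "2,3,4"  # from "switchport trunk allowed vlan 2,3,4" on the 2950

def parse_pix_interfaces(config):
    """Map nameif -> {level, vlan}; interfaces with no nameif (the bare
    physical Ethernet1 trunk) carry no policy and are skipped."""
    ifaces, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = {"level": None, "vlan": None}
        elif cur is not None and (m := re.fullmatch(r"nameif (\S+)", line)):
            ifaces[m.group(1)] = cur          # same dict keeps receiving later lines
        elif cur is not None and (m := re.fullmatch(r"(security-level|vlan) (\d+)", line)):
            cur["level" if m.group(1) == "security-level" else "vlan"] = int(m.group(2))
    return ifaces

def default_policy(ifaces):
    """With no access-lists, PIX 7.x lets a higher security-level interface initiate
    to a lower one and denies the reverse; equal levels are denied unless
    'same-security-traffic permit inter-interface' is configured."""
    return {(s, d): ifaces[s]["level"] > ifaces[d]["level"]
            for s, d in permutations(ifaces, 2)}

def trunk_mismatch(ifaces, allowed):
    """VLAN IDs on one side of the trunk only: that VLAN's traffic cannot cross the link."""
    sw = {int(v) for v in allowed.split(",")}          # comma-separated list only
    pix = {i["vlan"] for i in ifaces.values() if i["vlan"] is not None}
    return {"only_on_switch": sw - pix, "only_on_pix": pix - sw}
```

Run `default_policy(parse_pix_interfaces(PIX_CONFIG))` to see, for example, that Inside (100) may reach vlan3 (30) by default while vlan3 cannot reach Inside, which is exactly the behaviour an access-list per subinterface then tightens.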


        • #5
          Re: Implementing a PIX in a VLAN scenario


          Thanks for your reply, this makes perfect sense. If only I could have worked this out myself!

          What I have done is run the feed from the datacenter into my switch, then run one switchport into the Cisco router and another port into the PIX. This way I can now have 2 separate VLANs on the switch, one firewalled and the other not.

          Thanks again