  • pix and VLAN

    Hi all of the forum!
    I was unsure whether to post here or in the router/switch section, because the issue is "in the middle".

    So...
    In my network I have a certain number of computers, a Cisco 2950 switch, a Cisco PIX 515E firewall and a router. I can only act on the PIX and on the switch.

    Currently the architecture is something like this:

    LAN --> Switch --> PIX --> Router --> Internet

    where the PIX 515E is configured to NAT the private LAN addresses to public ones.

    My aim is to create 2 groups of computers separated logically by 2 VLANs on the switch.

    I know the 515E is able to manage VLAN traffic and I just want to ask you a simple thing.
    Considering that:
    VLAN1 : 192.168.1.0 / 24
    VLAN2 : 192.168.2.0 / 24

    and that the switch has already been configured to manage the VLANs, I want to know if the only thing I have to do on my PIX is to configure 2 subinterfaces under eth0 (towards the switch) with the 192.168.1.1 and 192.168.2.1 addresses respectively.

    Do I have to add any NAT statements?
    Do I have to add any route statements?
    Do I have to add any ACL statements?

    Thanks in advance for the suggestion!

    Sergio

  • #2
    Re: pix and VLAN

    Here is a link to get you started.

    http://www.cisco.com/en/US/docs/secu...e/bafwcfg.html

    I know that the PIX supports virtual interfaces since 6.3, so that isn't an issue. If it were me I would grab a router or an L3 switch and use that for inter-VLAN routing.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: pix and VLAN

      Originally posted by auglan:
      Here is a link to get you started.

      http://www.cisco.com/en/US/docs/secu...e/bafwcfg.html

      I know that the PIX supports virtual interfaces since 6.3, so that isn't an issue. If it were me I would grab a router or an L3 switch and use that for inter-VLAN routing.

      Thx Auglan!
      My PIX runs version 7.0, so no problems with VLANs.
      My doubt was whether I have to use NAT in a configuration like this:

      interface Ethernet1
      nameif outside
      security-level 0
      ip address my_public_ip


      interface Ethernet0
      nameif inside
      security-level 100
      no ip address

      interface eth0.1
      vlan 10
      nameif admin-users
      security-level 50
      ip address 10.1.1.1 255.255.255.0

      interface eth0.2
      vlan 20
      nameif temp-users
      security-level 50
      ip address 10.2.1.1 255.255.255.0


      nat (admin-users) 1 10.1.1.1 255.255.255.255
      nat (temp-users) 1 10.2.1.1 255.255.255.255

      global (outside) 1 ****


      or whether I have to leave NAT on the inside interface like this:


      interface Ethernet1
      nameif outside
      security-level 0
      ip address my_public_ip


      interface Ethernet0
      nameif inside
      security-level 100
      ip address 10.0.0.1 255.255.255.0

      interface eth0.1
      vlan 10
      nameif admin-users
      security-level 50
      ip address 10.1.1.1 255.255.255.0

      interface eth0.2
      vlan 20
      nameif temp-users
      security-level 50
      ip address 10.2.1.1 255.255.255.0



      nat (inside) 1 10.0.0.1 255.0.0.0
      global (outside) 1 ****



      I'm sorry for these questions, but my customer is far from me now, so I cannot simply "try"; I have to be sure enough about the configuration!

      Thx a lot in advance!

      Sergio



      • #4
        Re: pix and VLAN

        Yeah, I would say that you would need some no-NAT statements so the traffic between the VLANs doesn't get NATed. Also you will probably need some ACLs as well. Going from a higher security interface to a lower one isn't an issue on the PIX, but going from lower to higher needs explicit permissions. Also, typically on a PIX, when data comes in a port it isn't allowed to go out the same interface. In this case I'm not sure if the PIX thinks the 2 logical subinterfaces are "separate". I would think it would.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)
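
        As an added example (not from the original thread, the poster, or Cisco documentation), here is how the pieces discussed in #3 and #4 fit together in PIX 7.0 syntax: the physical Ethernet0 carries only the tagged subinterfaces, both VLAN interfaces sit at security level 50 so same-security-traffic must be explicitly permitted, NAT exemption (nat 0) keeps inter-VLAN traffic un-NATed, and an inbound ACL on temp-users keeps that VLAN away from admin-users while still letting it reach the Internet. VLAN ids, interface names and subnets are taken from the poster's configuration; the ACL names and the use of the outside interface address as the global pool are my assumptions.

        ```text
        ! Physical trunk port towards the 2950: no nameif/IP, only the subinterfaces are addressed
        interface Ethernet0
         no nameif
         no security-level
         no ip address
        !
        interface Ethernet0.1
         vlan 10
         nameif admin-users
         security-level 50
         ip address 10.1.1.1 255.255.255.0
        !
        interface Ethernet0.2
         vlan 20
         nameif temp-users
         security-level 50
         ip address 10.2.1.1 255.255.255.0
        !
        ! Both VLAN interfaces are at level 50: without this line the PIX drops traffic between them
        same-security-traffic permit inter-interface
        !
        ! NAT exemption for inter-VLAN traffic (ACL names are assumed)
        access-list ADMIN_NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
        access-list TEMP_NONAT extended permit ip 10.2.1.0 255.255.255.0 10.1.1.0 255.255.255.0
        nat (admin-users) 0 access-list ADMIN_NONAT
        nat (temp-users) 0 access-list TEMP_NONAT
        !
        ! Dynamic PAT for Internet-bound traffic: NAT the whole subnet, not the interface address
        nat (admin-users) 1 10.1.1.0 255.255.255.0
        nat (temp-users) 1 10.2.1.0 255.255.255.0
        global (outside) 1 interface
        !
        ! temp-users may reach the Internet but not the admin VLAN; admin-users keeps full access
        access-list TEMP_IN extended deny ip 10.2.1.0 255.255.255.0 10.1.1.0 255.255.255.0
        access-list TEMP_IN extended permit ip 10.2.1.0 255.255.255.0 any
        access-group TEMP_IN in interface temp-users
        ```

        The deny line in TEMP_IN only blocks sessions initiated from the temp VLAN; replies to sessions opened from admin-users are still allowed by the stateful inspection.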
