
Help needed with PIX and VLANs


tklamb (IS-IT--Management)
Mar 24, 2008
I have a lab set up but cannot get out to the internet through my PIX 6.3 using VLANs. My VLAN config is below; any thoughts would be appreciated. Thanks!

testpix# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan99 physical
interface ethernet1 vlan10 logical
interface ethernet1 vlan20 logical
interface ethernet1 vlan30 logical
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 management security99
nameif vlan30 vlan30 security99
nameif vlan20 vlan20 security99
nameif vlan10 vlan10 security99
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname testpix
domain-name cisco
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.1.2 test_3750
name 10.1.1.3 test_2950
name 10.1.1.4 test_2600
name 10.0.0.0 test
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip address outside dhcp setroute
ip address inside 10.1.99.2 255.255.255.0
ip address management 10.1.1.5 255.255.255.0
ip address vlan30 10.1.30.2 255.255.255.0
ip address vlan20 10.1.20.2 255.255.255.0
ip address vlan10 10.1.10.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address management
no failover ip address vlan30
no failover ip address vlan20
no failover ip address vlan10
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.11
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http test 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet test_2950 255.255.255.255 management
telnet test_2600 255.255.255.255 management
telnet test_3750 255.255.255.255 management
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:55f5dc7d71e9a2d29ae3efedcd6e725f
: end
 
Thanks for your input. The PIX is 6.3(5) and I am getting closer to getting this done but haven't had a lot of time of late to spend on it. You're right, it is a firewall, not a router, but as I am learning it can get traffic from network to network; it just takes a little more work.

Superg, thanks for your support on this; I am getting close. I will post my latest config tomorrow when I'm back in the office. I can now ping between my VLANs and to an IP out on the internet but cannot display a page in a browser.

debug ip packet outside shows my pings going through but nothing when I open a browser, so obviously I'm still missing something.

Thanks again.
 
Post the latest config. Sounds like HTTP is not allowed back in or out?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
OK, here it is.

sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan99 physical
interface ethernet1 vlan10 logical
interface ethernet1 vlan20 logical
interface ethernet1 vlan30 logical
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif vlan10 intf5 security10
nameif vlan20 intf4 security9
nameif vlan30 intf3 security8
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname testpix
domain-name cisco
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.1.2 test_3750
name 10.1.1.3 test_2950
name 10.1.1.4 test_2600
name 10.0.0.0 test
access-list intf5_access_in permit ip 10.1.20.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list intf5_access_in permit ip 10.1.30.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list intf5_access_in permit icmp any any
access-list intf5_access_in permit tcp any any eq www
access-list intf5_access_in permit udp any any eq echo
access-list intf5_access_in permit tcp any any eq echo
access-list intf4_access_in permit ip 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list intf4_access_in permit ip 10.1.30.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list intf4_access_in permit icmp any any
access-list intf4_access_in permit tcp any any eq www
access-list intf4_access_in permit tcp any any eq echo
access-list intf4_access_in permit udp any any eq echo
access-list intf3_access_in permit ip 10.1.10.0 255.255.255.0 10.1.30.0 255.255.255.0
access-list intf3_access_in permit ip 10.1.20.0 255.255.255.0 10.1.30.0 255.255.255.0
access-list intf3_access_in permit tcp 10.1.10.0 255.255.255.0 10.1.30.0 255.255.255.0 eq echo
access-list intf3_access_in permit tcp 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0 eq echo
access-list intf3_access_in permit udp 10.1.10.0 255.255.255.0 10.1.30.0 255.255.255.0 eq echo
access-list intf3_access_in permit udp 10.1.20.0 255.255.255.0 10.1.30.0 255.255.255.0 eq echo
access-list intf3_access_in permit icmp any any
access-list intf3_access_in permit tcp any any eq www
access-list intf3_access_in permit tcp any any eq echo
access-list intf3_access_in permit udp any any eq echo
access-list intf5_outbound_nat0_acl permit ip 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list intf5_outbound_nat0_acl permit ip 10.1.10.0 255.255.255.0 10.1.30.0 255.255.255.0
access-list intf4_outbound_nat0_acl permit ip 10.1.20.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list intf4_outbound_nat0_acl permit ip 10.1.20.0 255.255.255.0 10.1.30.0 255.255.255.0
access-list intf3_outbound_nat0_acl permit ip 10.1.30.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list intf3_outbound_nat0_acl permit ip 10.1.30.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list inside_access_in permit ip any any
access-list inside_access_in permit icmp any any
access-list inside_access_in permit tcp any any
access-list inside_access_in permit tcp any any eq www
access-list inside_access_in permit tcp any any eq domain
access-list inside_access_in permit udp any any eq domain
access-list inside_access_in permit udp any any
access-list outside_access_in permit icmp any any
access-list outside_access_in permit ip any any
access-list outside_access_in permit tcp any any
access-list outside_access_in permit udp any any
access-list outside_access_in permit tcp any any eq www
pager lines 24
logging on
logging buffered informational
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside dhcp setroute
ip address inside 10.1.99.2 255.255.255.0
ip address intf2 10.1.1.5 255.255.255.0
ip address intf5 10.1.10.2 255.255.255.0
ip address intf4 10.1.20.2 255.255.255.0
ip address intf3 10.1.30.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf5
no failover ip address intf4
no failover ip address intf3
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (intf5) 0 access-list intf5_outbound_nat0_acl
nat (intf5) 1 10.1.10.0 255.255.255.0 0 0
nat (intf4) 0 access-list intf4_outbound_nat0_acl
nat (intf4) 1 10.1.20.0 255.255.255.0 0 0
nat (intf3) 0 access-list intf3_outbound_nat0_acl
nat (intf3) 1 10.1.30.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group intf5_access_in in interface intf5
access-group intf4_access_in in interface intf4
access-group intf3_access_in in interface intf3
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http test 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet test_2950 255.255.255.255 intf2
telnet test_2600 255.255.255.255 intf2
telnet test_3750 255.255.255.255 intf2
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.10.5-10.1.10.100 intf5
dhcpd address 10.1.20.5-10.1.20.100 intf4
dhcpd address 10.1.30.5-10.1.30.100 intf3
dhcpd dns 192.168.2.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable intf5
dhcpd enable intf4
dhcpd enable intf3
terminal width 80
Cryptochecksum:942a6e9dae118f918ed24df0667ddf7e
: end

testpix#
 
GOT IT!!!!!!!!!!!

I just needed to add a permit statement to my access lists for tcp/udp eq 53 for DNS and it worked.

Thanks again for all your help!
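A config check for the gap found in this thread, written here as an added example (it is not the poster's config or any Cisco tool): it parses PIX 6.3 access-list and access-group lines, reports every interface whose inbound ACL has no DNS permit (the cause of "ping works, browser doesn't"), and also flags the blanket "permit ip any any" bound inbound on the outside interface in the posted config. SAMPLE_CONFIG is a constructed, trimmed subset of the config above.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed subset of the config posted in the thread.
SAMPLE_CONFIG = """
access-list intf5_access_in permit icmp any any
access-list intf5_access_in permit tcp any any eq www
access-list outside_access_in permit ip any any
access-group outside_access_in in interface outside
access-group intf5_access_in in interface intf5
"""

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.*?)(?: eq (\S+))?$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
DNS_PORTS = {"53", "domain"}  # PIX accepts either the number or the name


def parse(config):
    """Return ({acl name: [entries]}, {interface: inbound acl name})."""
    acls, bindings = defaultdict(list), {}
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line.strip()):
            name, action, proto, addrs, port = m.groups()
            acls[name].append({"action": action, "proto": proto,
                               "addrs": addrs.split(), "port": port})
        elif m := GROUP_RE.match(line.strip()):
            bindings[m.group(2)] = m.group(1)
    return acls, bindings


def permits_dns(entries):
    """True if some permit entry covers UDP or TCP port 53 (or all IP)."""
    for e in entries:
        if e["action"] != "permit":
            continue
        if e["proto"] == "ip":  # 'permit ip' already covers DNS
            return True
        if e["proto"] in ("udp", "tcp") and e["port"] in DNS_PORTS | {None}:
            return True
    return False


def lint(config):
    """Findings as (interface, message): interfaces whose inbound ACL
    blocks DNS, and a blanket 'permit ip any any' on the outside ACL."""
    acls, bindings = parse(config)
    findings = []
    for iface, acl in bindings.items():
        entries = acls.get(acl, [])
        if not permits_dns(entries):
            findings.append((iface, f"no DNS permit (udp/tcp 53) in {acl}"))
        if iface == "outside" and any(e["action"] == "permit" and e["proto"] == "ip"
                                      and e["addrs"] == ["any", "any"] for e in entries):
            findings.append((iface, f"permit ip any any bound inbound on outside ({acl})"))
    return findings
```

Run lint() over the output of "sh run" and the intf5 finding disappears once a "permit udp any any eq domain" line is added to intf5_access_in, while the outside finding remains until that ACL is tightened.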
 