Help need with PIX and vlans

tklamb

IS-IT--Management
Mar 24, 2008
86
CA
I have a lab set up but cannot get out to the internet through my PIX 6.3 using VLANs. My VLAN config is below; any thoughts would be appreciated. Thanks!

testpix# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan99 physical
interface ethernet1 vlan10 logical
interface ethernet1 vlan20 logical
interface ethernet1 vlan30 logical
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 management security99
nameif vlan30 vlan30 security99
nameif vlan20 vlan20 security99
nameif vlan10 vlan10 security99
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname testpix
domain-name cisco
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.1.2 test_3750
name 10.1.1.3 test_2950
name 10.1.1.4 test_2600
name 10.0.0.0 test
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip address outside dhcp setroute
ip address inside 10.1.99.2 255.255.255.0
ip address management 10.1.1.5 255.255.255.0
ip address vlan30 10.1.30.2 255.255.255.0
ip address vlan20 10.1.20.2 255.255.255.0
ip address vlan10 10.1.10.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address management
no failover ip address vlan30
no failover ip address vlan20
no failover ip address vlan10
pdm history enable
arp timeout 14400
global (outside) 1 192.168.1.11
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http test 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet test_2950 255.255.255.255 management
telnet test_2600 255.255.255.255 management
telnet test_3750 255.255.255.255 management
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:55f5dc7d71e9a2d29ae3efedcd6e725f
: end
 
You need a nat statement for each interface:

nat (vlanXX) 1 0 0

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks, I tried that but still nothing, no internet... what else am I missing?


testpix# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan99 physical
interface ethernet1 vlan10 logical
interface ethernet1 vlan20 logical
interface ethernet1 vlan30 logical
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif vlan10 intf5 security10
nameif vlan20 intf4 security8
nameif vlan30 intf3 security6
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname testpix
domain-name cisco
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.1.2 test_3750
name 10.1.1.3 test_2950
name 10.1.1.4 test_2600
name 10.0.0.0 test
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside dhcp setroute
ip address inside 10.1.99.2 255.255.255.0
ip address intf2 10.1.1.5 255.255.255.0
ip address intf5 10.1.10.2 255.255.255.0
ip address intf4 10.1.20.2 255.255.255.0
ip address intf3 10.1.30.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf5
no failover ip address intf4
no failover ip address intf3
pdm history enable
arp timeout 14400
nat (intf5) 5 10.1.10.0 255.255.255.0 0 0
nat (intf4) 4 10.1.20.0 255.255.255.0 0 0
nat (intf3) 3 10.1.30.0 255.255.255.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http test 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet test_2950 255.255.255.255 intf2
telnet test_2600 255.255.255.255 intf2
telnet test_3750 255.255.255.255 intf2
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:eb0d5cd109db8145c60c628e3ec888c0
: end
 
Good question... in my lab I have a 3750, a 2950, a 2600 router and the PIX. I have 3 VLANs configured, 10, 20 and 30, and the 3750 is doing the routing, so here is that config. Thanks.

sh run
Building configuration...

Current configuration : 4226 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname test_3750
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
ip dhcp excluded-address 10.1.10.1
ip dhcp excluded-address 10.1.20.1
ip dhcp excluded-address 10.1.30.1
ip dhcp excluded-address 10.1.10.2
ip dhcp excluded-address 10.1.20.2
ip dhcp excluded-address 10.1.30.2
!
ip dhcp pool vlan10
network 10.1.10.0 255.255.255.0
domain-name cisco
default-router 10.1.10.1
!
ip dhcp pool vlan20
network 10.1.20.0 255.255.255.0
domain-name cisco
default-router 10.1.20.1
!
ip dhcp pool vlan30
network 10.1.30.0 255.255.255.0
domain-name cisco
default-router 10.1.30.1
!
ip dhcp snooping
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface Loopback1
no ip address
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/4
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/10
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/13
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/14
switchport access vlan 30
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/15
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/16
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/17
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/18
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/19
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/20
switchport access vlan 20
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/21
description pix_mngmnt
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/22
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/23
description to test_pix
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet1/0/24
description trunk to test_2950
switchport trunk encapsulation dot1q
switchport mode trunk
speed 100
duplex full
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
ip address 10.1.1.2 255.255.255.0
!
interface Vlan10
ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
ip address 10.1.20.1 255.255.255.0
!
interface Vlan30
ip address 10.1.30.1 255.255.255.0
!
interface Vlan99
description PIX
ip address 10.1.99.1 255.255.255.0
!
ip classless
ip http server
!
!
control-plane
!
!
line con 0
line vty 0 4
password cisco
login
line vty 5 15
login
!
end
 
In the PIX

clear xlate

then post sh xlate after another attempt

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
OK, did clear xlate.

test_pix#show xlate
0 in use, 0 used
test_pix#

 
Did you try and get out to the internet before you posted sh xlate?

 
So you have your router doing the routing and the pix doing what exactly?

Your router has the default router -
default-router 10.1.x0.1

but your pix has ip of -
ip address intf5 10.1.x0.2

Can you post a theoretical and a physical topology (ports and all)?

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
In this lab I simply want to use the PIX for internet access. I have a default route to the PIX inside interface 10.1.99.2 (for some reason it doesn't show above, but it is there currently). The only way I can get internet is if I configure a static address on vlan99, but I want to get internet access from my three VLANs (10, 20, 30).

As far as how it's put together, I have:

3750 g1/0/24 - trunk to 2950 f0/47
3750 g1/0/23 - trunk to pix e1
3750 g1/0/22 - vlan 1 to pix e2 (management)

2950 f0/48 - trunk to test_2600 e0/0

PIX e0 - DSL pppoe client

Thanks all for your assistance with this!
 
Your traffic should bypass the router altogether and just have routes to the PIX.

Change this to -
nat (intf5) 1 10.1.10.0 255.255.255.0 0 0
nat (intf4) 1 10.1.20.0 255.255.255.0 0 0
nat (intf3) 1 10.1.30.0 255.255.255.0 0 0

add -
global (outside) 1 interface

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent, I've applied this change, still no internet on VLANs 10, 20, 30. Are you saying the gateway should be the PIX?

thx
 
Yes, the pix will handle traffic between each vlan to each other and all external traffic. That's its purpose.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
OK Brent... I got it, sort of. I took the interfaces and routing off the 3750 and put the DHCP etc. for the 3 VLANs on the PIX. Now I can get out to the internet on the VLANs, but I don't have routing... is there something you have to do on the PIX to enable routing? I can do sh route and see all the connected networks, but I can't ping from one to the other.

thanks
 
You will need access lists that allow traffic from one to the other if the initiating interface is a lower security, and natting between (or a no-natting ACL).

Post your current config

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Here it is, thanks man!

testpix# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan99 physical
interface ethernet1 vlan10 logical
interface ethernet1 vlan20 logical
interface ethernet1 vlan30 logical
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif vlan10 intf5 security10
nameif vlan20 intf4 security10
nameif vlan30 intf3 security10
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname testpix
domain-name cisco
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.1.2 test_3750
name 10.1.1.3 test_2950
name 10.1.1.4 test_2600
name 10.0.0.0 test
pager lines 24
icmp permit 10.1.99.0 255.255.255.0 inside
icmp permit 10.1.10.0 255.255.255.0 inside
icmp permit 10.1.20.0 255.255.255.0 inside
icmp permit 10.1.30.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside dhcp setroute
ip address inside 10.1.99.2 255.255.255.0
ip address intf2 10.1.1.5 255.255.255.0
ip address intf5 10.1.10.2 255.255.255.0
ip address intf4 10.1.20.2 255.255.255.0
ip address intf3 10.1.30.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf5
no failover ip address intf4
no failover ip address intf3
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (intf5) 1 10.1.10.0 255.255.255.0 0 0
nat (intf4) 1 10.1.20.0 255.255.255.0 0 0
nat (intf3) 1 10.1.30.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http test 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet test_2950 255.255.255.255 intf2
telnet test_2600 255.255.255.255 intf2
telnet test_3750 255.255.255.255 intf2
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.10.5-10.1.10.100 intf5
dhcpd address 10.1.20.5-10.1.20.100 intf4
dhcpd address 10.1.30.5-10.1.30.100 intf3
dhcpd dns 192.168.2.1
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable intf5
dhcpd enable intf4
dhcpd enable intf3
terminal width 80
Cryptochecksum:24526f1e36773a2030558c5c7bef6ca5
: end
 
Here is an example that you can apply to each interface

Build an access list to allow the traffic in (one line for each port); the list name must match the one used in the access-group below:
access-list intf5_access_in permit TCP 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0 eq [Port#]
access-list intf5_access_in permit TCP 10.1.10.0 255.255.255.0 10.1.30.0 255.255.255.0 eq [Port#]
*****this is not accounting for traffic to the internet, you will have to add****

Apply the ACL to the intf5 interface -
access-group intf5_access_in in interface intf5

Nat exempt traffic between those interfaces.

access-list nat_0_intf5 permit IP 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list nat_0_intf5 permit IP 10.1.10.0 255.255.255.0 10.1.30.0 255.255.255.0

nat (intf5) 0 access-list nat_0_intf5


Anything in brackets needs to be replaced for your specific config. Bold means you have to enter a value (either a port # or IP address)

Do this for each interface to allow the specific traffic you will want.

Brent
Systems Engineer / Consultant
CCNP, CCSP
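A small config lint, added here as an example and not code from any post in this thread, that checks a PIX 6.3 running-config for the issues the thread hits along the way: a nat id with no matching global (as in the second config posted above), an addressed interface with no nat statement at all, and an access-group that names an access-list which is never defined (an easy slip when hand-typing list names). The config fragment is constructed for the example, and audit_pix is a hypothetical helper name.

```python
import re

# Constructed PIX 6.3 fragment (not from a live device). It reproduces the mistakes the
# thread works through: a nat id with no matching global, an interface with no nat
# statement at all, and an access-group naming an access-list spelled differently.
SAMPLE_CONFIG = """\
ip address outside dhcp setroute
ip address intf5 10.1.10.2 255.255.255.0
ip address intf4 10.1.20.2 255.255.255.0
ip address intf3 10.1.30.2 255.255.255.0
nat (intf5) 5 10.1.10.0 255.255.255.0 0 0
nat (intf4) 1 10.1.20.0 255.255.255.0 0 0
global (outside) 1 interface
access-list int5f_access_in permit tcp 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0 eq 80
access-group intf5_access_in in interface intf5
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
IP_RE = re.compile(r"^ip address (\S+) ")
ACL_RE = re.compile(r"^access-list (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def audit_pix(config):
    """Return findings about nat/global pairing and access-group references."""
    nats, global_ids, global_ifaces = [], set(), set()
    addressed, acls, groups = [], set(), []
    for line in config.splitlines():
        if m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2))))
        elif m := GLOBAL_RE.match(line):
            global_ifaces.add(m.group(1))
            global_ids.add(int(m.group(2)))
        elif m := IP_RE.match(line):
            addressed.append(m.group(1))
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := GROUP_RE.match(line):
            groups.append((m.group(1), m.group(2)))
    findings = []
    # A nat id other than 0 (identity/exempt) needs a global with the same id to translate to.
    for ifc, nat_id in nats:
        if nat_id != 0 and nat_id not in global_ids:
            findings.append(f"nat ({ifc}) {nat_id} has no matching global with id {nat_id}")
    # Every addressed interface that does not carry the global (outside) needs its own nat line.
    nat_ifaces = {ifc for ifc, _ in nats}
    for ifc in addressed:
        if ifc not in global_ifaces and ifc not in nat_ifaces:
            findings.append(f"interface {ifc} has no nat statement; its hosts will not be translated")
    # An access-group that names an access-list defined nowhere applies no policy at all.
    for name, ifc in groups:
        if name not in acls:
            findings.append(f"access-group on {ifc} references undefined access-list {name}")
    return findings
```

Paste a sh run into SAMPLE_CONFIG's place and an empty result means the nat/global ids pair up, every inside-side interface has a nat line, and every applied ACL exists.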
 
Well, I'm not having much luck. I've followed your directions and tried a myriad of other possibilities, but I cannot get traffic to go between my VLANs using the PIX as the router. I'm beginning to think it's not possible.
 
The PIX will definitely do it. It does take some work. You have to take the time.

Take a look at this -

and (although I don't know why you would set it up this way) this might be what you're looking for -

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Are you trying to use an older PIX? I thought the older ones had a basic security premise of "if it comes in this interface, it must go out another interface" so that it knows what policy to apply to it. It's a firewall, not a router, so wouldn't it need to go out another interface? Or are you just trying to get internet access? Are you sure the traffic is even hitting the PIX? Did you turn on debugging and see traffic hitting it (and if so, what's the error message)? Are you sure the Layer 3 switches are even routing it properly across VLANs?
 