
InterVLAN routing behind PIX

Status
Not open for further replies.

fieryhail (IS-IT--Management), Mar 12, 2010
I'm not sure if this is the right area for this or not; if not, I apologize. I've got a PIX 525 with UR license and multiple interfaces (6). Currently I have 2 Catalyst switches behind it, one is a 3524XL and the other a 3550-48. I would like to consolidate switches and retire the 3524, putting those hosts in another VLAN on the 3550. I would also like to enable inter-VLAN routing on the 3550, since the 3524 currently is connected as a workstation switch. I'd like to have traffic from the workstations to a VLAN on the 3550 go all through the 3550 instead of passing through the PIX, as it slows down large transfers. Is there a way to have inter-VLAN routing on the 3550 "behind" the PIX? Sorry for being so confusing. For example, the current config is:

PIX: xx.xx.xx.xx --> e0 (outside)

3524: 192.168.1.0/24 --> PIX e1 (inside)

3550: 192.168.2.0/24 --> PIX e2 (DMZ1)

3550: 192.168.3.0/24 --> PIX e3 (DMZ2)

With this config any traffic to/from 192.168.10.0 and 192.168.2.0 has to go through the PIX. This gets very slow at times with large transfers (1 GB+). What I would like is to put the 192.168.1.0/24 on another VLAN on the 3550 and have traffic going to/from 1.0 and 2.0 move only through the 3550, using the PIX just for the edge. Thanks in advance for any suggestions.
 
You can't talk between vlans without having a layer 3 interface (or router). So unless your switches have layer 3 capabilities, then you must go through the PIX as it will function as a layer 3 device. Or you'll need a router and you could do what's called "routing on a stick".

Hope this helps.

"I can picture a world without war. A world without hate. A world without fear. And I can picture us attacking that world, because they'd never expect it."
- Jack Handey, Deep Thoughts
 
Oh, and if your switches can support layer 3 routing, then you'd just need to put a connection between them and create a VLAN interface with another address other than what is configured for the gateway. Don't worry about routing, the switches will figure it out, because they'll be directly connected and those routes always show as AD 0 in the routing table versus a default route of AD 1. This is assuming you used default settings for those commands.

 
Thanks for the prompt response. Yes, I'm aware of the layer 3 requirement. This is one reason I want to consolidate hosts to the 3550 and retire the 3524. The 3550 is the EMI version and fully layer 3 capable. So if I understand you correctly, I can just create a routed interface for each VLAN that I want to do inter-VLAN routing for, leave the default gateway set for the PIX interface, and then when traffic needs to go between VLANs it will automatically transfer through the layer 3 switch?
 
Yes, in simple terms that's correct. No need for anything special as all Cisco devices know about all of their directly connected interfaces by default. So they'll be able to route to each other.

 
Thank you very much. I'll be trying this later after people go home for the day. I appreciate your quick answers.
 
OK, I tried what you suggested. Perhaps I did something wrong. I'll explain. Two VLANs in question, for example 192.168.1.0/24 (workstations) and 192.168.2.0/24 (file and media servers). Both VLANs are configured in the Catalyst 3550 with the proper interfaces assigned. I have a connection from each VLAN on the 3550 to a PIX interface so that systems in each VLAN can have internet access. I assigned an IP to each VLAN interface (192.168.1.200 and 192.168.2.200) and the PIX interfaces are assigned 192.168.1.1 and 192.168.2.1 respectively. Hosts on the 192.168.1.0 network use 192.168.1.1 as the gateway and hosts on the 192.168.2.0 network use 192.168.2.1 as the gateway. What I want to happen is for traffic between hosts on each of those 2 networks to pass through only the 3550 switch, not the PIX at all. Yet traffic is still passing through the PIX instead of VLAN to VLAN on the layer 3 switch. With only a couple of transfers going on, not so bad unless they are very large. With multiple transfers occurring, the PIX bogs down the connections and causes issues. I thought that with a layer 3 switch this was possible.

One thing I may have done wrong, I think, is maybe I need to not assign an IP to the VLAN interface and instead connect the PIX via a crossover cable to a routed interface? But then, from what I understand, I cannot have the routed interface as part of a VLAN. I am also posting this in the Cisco Switches area as I think it has developed more into a switching issue than a PIX issue. If anyone has any ideas, however, I'd love to hear them. Thanks in advance.
 
What you did was right; you need to make sure your default gateway is the routed interfaces on the switch and not the PIX. The switch should have a default gateway of the PIX. So inter-VLAN routing will work like you want, and anything that needs off the .1 or .2 networks will use the PIX.

 
The hosts need to use the 3550 switch VLAN interfaces as their default gateway, and set the 3550's default gateway to the PIX. You wouldn't need the VLAN setup on your PIX any more either; you can just set it up on one of the existing VLANs or put it into a separate one, since only the 3550 will be directly routing to it.
 
Thanks again for the response. Very much appreciated. One last question in regards to this, this question more to do with the PIX end. I have numerous static NAT statements for hosts in the 192.168.2.0 on the PIX. Would I have the switch use the (inside) interface of the PIX as its gateway? I would think so. With that done, how would this affect the NAT statements on the PIX? Is there something I would need to do in regards to the NAT statements on the PIX? I would think so. I have been searching for anything relating to this and have so far come up dry. I realize I may be over-complicating this or worrying too much also. I don't want something I change to make certain servers inaccessible to clients on the internet, lol. Thanks again for all the excellent assistance. It is very much appreciated.
 
Yes, use the inside interface, and depending on your NAT statements it is possible that a configuration change would be needed. What networks are you allowing to be NAT'd to the outside? Most people do the quad zeros, but if you didn't, you might need to adjust that statement. Post that part of the PIX config and we'll know for sure.

 
I have multiple static NAT statements going from the outside to inside: SMTP, FTP, Lotus Notes, as well as some custom ports. I think you are referring mainly to the nat statements though, and they are:

nat (inside) 0 access-list no_nat1
nat (inside) 101 0.0.0.0 0.0.0.0
nat (SERVERS) 1 access-list no_nat2
nat (SERVERS) 101 0.0.0.0 0.0.0.0
nat (VOIP) 1 access-list no_nat4
nat (VOIP) 101 0.0.0.0 0.0.0.0
nat (Web) 1 access-list no_nat3
nat (Web) 101 0.0.0.0 0.0.0.0

If I am correct, the static statements will have to be modified? Such as this:

static (SERVERS,outside) tcp xx.xx.xx.172 2080 192.168.10.2 255.255.255.255
static (SERVERS,outside) tcp xx.xx.xx.172 2443 192.168.10.2 https netmask 255.255.255.255

This is the part that is confusing to me as of yet. Since static NAT was done using PIX interfaces, and now, if I am correct, there will be only 2 interfaces used on the PIX, all traffic from the internet going into the PIX will be carried into the 3550 to the appropriate network, and outbound to the internet will be done this way as well, from the 3550 --> PIX --> Internet.
 
Got it now. It was something very stupid; I had to simply add "route inside 192.168.1.0 255.255.255.0 192.168.0.1" on the PIX and equivalent statements for the other VLANs on the switch. Boy, do I feel stupid now, lol. Thanks again for all the excellent help, people!
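Pulling the thread's pieces together, here is a consolidated configuration of the kind it converges on: hosts default-gateway to the 3550 SVIs, the 3550 default-routes to the PIX inside interface, and the PIX gets return routes for each VLAN subnet plus the statics re-homed from the retired SERVERS interface. This is an added illustration, not taken from the original posts. It assumes VLAN 10 (workstations, 192.168.1.0/24), VLAN 20 (servers, 192.168.2.0/24) and a transit VLAN 99 (192.168.0.0/24) between the 3550 at 192.168.0.1 (the next hop in the final post) and the PIX inside interface at an assumed 192.168.0.254, PIX 6.x syntax, and that the uplink port, VLAN numbers, the xx.xx.xx.172 placeholder and the WS-TO-SERVERS access list are placeholders or assumptions. The access list is there because once the servers sit behind the inside interface, the PIX no longer polices workstation-to-server traffic; whatever zone separation the DMZ interface provided has to be re-created on the switch.

```cisco
! ---- Catalyst 3550 (EMI) ----
ip routing                                  ! SVIs do not forward between VLANs until this is on
!
vlan 10
 name WORKSTATIONS
vlan 20
 name SERVERS
vlan 99
 name PIX-TRANSIT
!
interface Vlan10
 description workstation gateway (hosts point their default gateway at .1.200)
 ip address 192.168.1.200 255.255.255.0
 ip access-group WS-TO-SERVERS in           ! assumed: re-create the zone control the PIX used to give
!
interface Vlan20
 description server gateway (hosts point their default gateway at .2.200)
 ip address 192.168.2.200 255.255.255.0
!
interface Vlan99
 description transit to PIX inside (192.168.0.254 assumed)
 ip address 192.168.0.1 255.255.255.0
!
interface FastEthernet0/48                  ! assumed uplink port
 description uplink to PIX e1 (inside)
 switchport mode access
 switchport access vlan 99
!
! connected routes (AD 0) handle 1.0 <-> 2.0; anything else goes to the PIX
ip route 0.0.0.0 0.0.0.0 192.168.0.254
!
! assumed example: workstations reach servers only on the ports the thread mentions
ip access-list extended WS-TO-SERVERS
 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 445    ! file shares
 permit tcp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 1352   ! Lotus Notes
 deny   ip  192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip  any any                         ! internet-bound traffic continues to the PIX

! ---- PIX 525 (6.x syntax) ----
nameif ethernet1 inside security100
ip address inside 192.168.0.254 255.255.255.0
!
! return routes: without these the PIX only knows 192.168.0.0/24 behind inside,
! so replies to the VLAN subnets (and inbound statics) have nowhere to go
route inside 192.168.1.0 255.255.255.0 192.168.0.1 1
route inside 192.168.2.0 255.255.255.0 192.168.0.1 1
route inside 192.168.10.0 255.255.255.0 192.168.0.1 1   ! for the 192.168.10.2 static, if that subnet moves too
!
! the existing quad-zero nat on inside already covers every subnet reached via inside;
! fold the no_nat2/3/4 entries into no_nat1 since their interfaces are going away
nat (inside) 0 access-list no_nat1
nat (inside) 101 0.0.0.0 0.0.0.0
global (outside) 101 interface
!
! statics formerly bound to the SERVERS interface are re-homed to inside
static (inside,outside) tcp xx.xx.xx.172 2443 192.168.10.2 https netmask 255.255.255.255
access-list outside_in permit tcp any host xx.xx.xx.172 eq 2443
access-group outside_in in interface outside
```

To check it: on the 3550, show ip route should list 192.168.1.0/24 and 192.168.2.0/24 as connected and 0.0.0.0/0 via 192.168.0.254; a traceroute from a workstation to a server should show a single hop (192.168.1.200) and never the PIX; on the PIX, show route should list the VLAN subnets via 192.168.0.1, and show xlate should show the re-homed statics with inside as the real interface.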
 