Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

pix and inside routes 2

Status
Not open for further replies.
boymarty24

boymarty24

Technical User
Aug 21, 2003
362
SE
Hi,


Have a pix firewall that works fine. On the inside i have configured a vlan network.

192.168.1.x vlan 1
192.168.2.x vlan 110
192.168.3.x vlan 120

Have no problem with the vlan switching, but i have a problem with vlan 110 and 120 when they try to reach the internet. I think the problem is that the pix
does not have routes for the two vlans. So the pix droppes the packets when no route exists. Is this right?

If yes, how should the routes look like

route inside vlan1 mask vlan 110 perhaps.
 
Sort by date Sort by votes
Did you set up the VLANs directly on the inside interface? If yes, then no inside routes should be needed. Did you define the first VLAN as "physical" in your commands? This tags packets with 802.1q

Also as an FYI, the use of VLAN 1 should be avoided. VALN1 is central to an attack known as "hopping VLANs" Here's more on the subject:

If the VLANs are defined somewhere else, then yes, you will need to add static routes, with the syntax being:
route inside [dest network] [subnet mask] [next hop]
 
Upvote 0 Downvote
Hi,

I have the vlan defined somewhere else. But i think that your route statement is missing the source part. I get a error when trying to add a route.

I have a allied telesyn switch
 
Upvote 0 Downvote
Maybe i am doing something very wrong...

pix inside interface is connected to vlan1. Then i have the other vlans configured on the same switch. Maybe this is the wrong way to do this.


This is a 48 port switch. I only use this switch.
 
Upvote 0 Downvote
Use,

Usage: [no] route <if_name> <foreign_ip> <mask> <gateway> [<metric>]

So, it would be something like:

route inside 192.168.2.0 255.255.255.0 192.168.1.254

route inside 192.168.3.0 255.255.255.0 192.168.1.254

Where 192.168.1.254 would be a router on the same VLAN as the Pix but also connected to the other VLAN.

I presume that you have a device that routes between VLANs?

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Upvote 0 Downvote
I understand.

I don´t if my L3,4 switch can act as a router. But it should be able to do that since its a L3 switch. Have to check it out.
 
Upvote 0 Downvote
The pix cannot route the same packet back out the same interface it came in on, so you can't use it in this way to route between vlans.
 
Upvote 0 Downvote
He's not using the Pix to route between VLANs. He has stated that he has a layer 3 switch. The Pix is only connected to VLAN 1.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Upvote 0 Downvote
Actualy Chris, it sounded like he was not using the layer 3 switch to route but was just of the realization that it could be used to route.

I was simply trying to point out why he would need to use another device to route.




 
Upvote 0 Downvote
Question, can you possibly route the vlans from a switch to a router with a PIX firewall inbetween?

 
Upvote 0 Downvote
Jason, you may be right. Point taken.

Namekian, the Pix can be used between VLANs but it's not the best solution and you can't bounce traffic off an interface. Any traffic hitting the Pix must be forwarded to a different interface. You can't route "on a stick".

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Upvote 0 Downvote
I wouldn't need to necessarily route between the VLANs, just get it to the router. Once there, if needed, I can have the router route between the two. How would I go about setting that up on the firewall. I have a Cisco PIX 515 version 6.3(1).
 
Upvote 0 Downvote
In this case the pix is redundant. Why not just use the router? I'm not sure what you are trying to achieve.

Perhaps you should start another thread and explain your question in full.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Upvote 0 Downvote
Well, I only have two ports on the router and one has to be pluged into the port thats coming from the wall, the ISP. This is because our building has all our offices connected to some sort of switch. I have 4 ports on the firewall, so I would prefer using that.
 
Upvote 0 Downvote
So what I think you are suggesting is to have your main network on the inside port of the pix and then another network/VLAN connected to a different port on the pix. In effect this would just act as a DMZ port.

You can set up another port in the same way as the internal LAN port on the Pix with an outbound NAT rule for outbound traffic. The only thing that you will need to realise is that this port will have a lower security level than the inside interface of the firewall and so any connections that need to be made from this network to the main inside network will require access list rules to be created for traffic going from a lower security level (outside or DMZ)network to the highest security level (the inside).

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
283
Sameer258
Sameer258
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
245
nnaarrnn
nnaarrnn
Nitta84
  • Locked
  • Question
navigation slow and tcp syc/ack drop
Replies
0
Views
207
Nitta84
Nitta84
sudhakar346
  • Locked
  • Question
Cisco ASA inside to DMZ issue over public IP
Replies
2
Views
102
kythri
kythri
quazimotto
  • Locked
  • Question
Ping thru PIX to subnet inside??!!
Replies
0
Views
58
quazimotto
quazimotto

Part and Inventory Search

Sponsor

Back
Top