  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3998

Pix 506e & Vlan

Hi,

I have a Pix506e and a cisco catylist 1900 en. I want to setup 2 vlans on the pix 1 DMZ and 1 inside but a little unsure of the security implications of doing so. I am new to cisco products and this is part of my home study lab. What is the best/common practice for this design. I also need some guidance with the physical connections of this design as well as the 1900 config.
Asked by: hotdiggetydawg
1 Solution

rshooper76 commented:
The PIX is actually designed to do this without using a VLAN. I'm not sure if it can do VLANs like the switch can. To do this you would need 3 interfaces: one for the outside, one for the inside and one for the DMZ. If you set up the interfaces and routes correctly, everything should work fine. You can then add your rules/access-lists to the firewall to limit traffic. I'll post a few links for the PIX and switch later if no one else does.

Blackduke77 commented:
What are you trying to do??? Set up an inside interface, an outside interface, and a DMZ interface (this is standard out of the box, no VLANs), or are you trying to set up 2 VLANs on the PIX DMZ interface? I will guess the latter.

VLANs use 802.1x on the PIX and the switch (the switch must support tagging (802.1x)).
Note: there is a security flaw on the PIXes and it is advised you do not use the default VLAN. This means you will need to create three VLANs and not use the first; please see my config below where I have done this.

PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
interface ethernet2 vlan1 physical
interface ethernet2 vlan2 logical
interface ethernet2 vlan3 logical
interface ethernet2 vlan4 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif vlan2 edi security40
nameif vlan3 cvpn security60
nameif vlan4 dmz_vlan security55

hostname xxxPIX
domain-name wrt
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 172.16.xx.xx wffexch

access-list outside_access_in permit esp any host xxx.xxx.30.1
access-list outside_access_in permit tcp any host xxx.xxx.30.1 eq 10000
access-list outside_access_in permit udp any host xxx.xxx.30.1 eq isakmp        
access-list outside_access_in permit udp any host xxx.xxx.30.1 eq 4500
access-list outside_access_in permit tcp any host xxx.xxx.30.1 eq pptp
access-list outside_access_in permit gre any host xxx.xxx.30.1
access-list outside_access_in permit tcp any host xxx.xxx.30.15 eq www
access-list dmz_vlan_access_out permit tcp host wffexch any eq www
access-list dmz_vlan_access_out permit tcp host wffexch any eq https
access-list dmz_vlan_access_out permit tcp host wffexch any eq domain
access-list dmz_vlan_access_out permit udp host wffexch any eq domain
pager lines 24
logging on
logging timestamp
logging standby
logging trap warnings
logging host inside 172.16.xx.xx
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside xxx.xxx.30.xxx 255.255.255.0
ip address inside 172.16.xx.xx 255.255.254.0
ip address dmz_vlan 172.16.xx.xx 255.255.254.0
ip audit info action alarm
ip audit attack action alarm

pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
nat (dmz_vlan) 10 0.0.0.0 0.0.0.0 0 0

static (inside,dmz_vlan) 172.16.44.0 172.16.44.0 netmask 255.255.254.0 0 0
static (dmz_vlan,outside) xxx.xxx.30.xx wffexch netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

access-group dmz_vlan_access_out in interface dmz_vlan

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1



Notice the logical interfaces: they are the VLANs.

Blackduke77 commented:
Where the PIX connects to the switch, the switch must have the same VLANs and the same VLAN IDs. Look above: there are VLANs 1 - 4, which gives me three VLANs (if I follow Cisco's advice).

The port that the PIX connects to the switch must be a member (tagged) of all VLANs on the switch.

hotdiggetydawg (Author) commented:
Blackduke77,

The 506e has only 2 physical interfaces, outside & inside, so an in/out/DMZ out of the box is not possible. I read somewhere that the 506e is able to support VLANs and it is possible to create a third logical DMZ interface with this physical limitation. Just confused about the physical cabling structure. If I set up the outside int as a VLAN physical interface and a DMZ as a logical VLAN, how do I configure the connecting port on the 1900? Do I set it up to be a member of the 2 VLANs?

Quetzal commented:
Pix 506e will support up to 2 VLANs with 6.3.

Step 1 Assign the interface speed to a physical interface by entering the following command:

interface ethernet0 auto

Step 2 Assign VLAN2 to the physical interface (ethernet0) by entering the following command:

interface ethernet0 vlan2 physical

By assigning a VLAN to the physical interface, you ensure that all frames forwarded on the interface will be tagged. VLAN 1 is not used because that is the default native VLAN for Cisco switches. Without the physical parameter, the default for the interface command is to create a logical interface.

Step 3 Create a new logical interface (VLAN3) and tie it to the physical interface (ethernet0) by entering the following command:

interface ethernet0 vlan3 logical

This will allow the PIX Firewall to send and receive VLAN-tagged packets with a VLAN identifier equal to 3 on the physical interface, ethernet0.

Step 4 Configure the logical and physical interfaces by entering the following commands:

nameif ethernet0 outside security0

nameif vlan3 dmz security50

ip address outside 192.168.101.1 255.255.255.0

ip address dmz 192.168.103.1 255.255.255.0


The first line assigns the name outside to ethernet0 (the physical interface) and sets the security level to zero. The second line assigns the name dmz to vlan3 (the logical interface) and sets the security level to 50. The third and fourth lines assign IP addresses to both interfaces.

After this configuration is enabled, the outside interface sends packets with a VLAN identifier of 2, and the dmz interface sends packets with a VLAN identifier of 3. Both types of packets are transmitted from the same physical interface (ethernet0).


--------------------------------------------------------------------------------

Managing VLANs
To display information about the VLAN configuration, enter the following command:

show interface


To temporarily disable a logical interface, enter the following command:

interface ethernet0 vlan_id shutdown


Replace vlan_id with the VLAN ID associated with the logical interface that you want to temporarily shut down.

To change the VLAN ID of a logical interface, enter the following command:

interface change-vlan old_vlan_id new_vlan_id


Replace old_vlan_id with the existing VLAN ID and replace new_vlan_id with the new VLAN ID you want to use.

This command lets you change the VLAN ID without removing the logical interface, which is helpful if you have added a number of access-lists or firewall rules to the interface and you do not want to start over.

To disable VLAN tagging on the interface, enter the following command:

no interface ethernet0 vlan_id physical


Replace vlan_id with the VLAN ID for which you want to disable VLAN tagging.


To remove the logical interface and remove all configuration, enter the following command:

no interface ethernet0 vlan_id logical

Replace vlan_id with the VLAN ID associated with the logical interface that you want to remove.
--------------------------------------------------------------------------------
Caution Using this command removes the interfaces and deletes all configuration rules applied to the interface.
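
As an added example (not from any post in this thread, and not Cisco's code), here is a small Python linter that parses the `interface ... vlanN physical|logical`, `nameif` and `ip address` lines in the PIX 6.3 configs shown above (Blackduke77's config and the four steps quoted by Quetzal) and reports the mistakes the thread warns about: a VLAN ID of 1 (the switch's default native VLAN), a logical VLAN on a port that has no physical VLAN tag, a logical interface with no `nameif` or `ip address`, and a VLAN ID that the switch port facing the PIX is not tagged for (Blackduke77's point that the trunk port must carry every VLAN). The sample config and the set of trunk VLANs are constructed for the example; the line formats are the ones the posts show, and the parser assumes `interface` lines precede `nameif` lines, as they do in both posts.

```python
"""Added example: lint PIX 6.3-style VLAN interface config against the rules discussed in this thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample, modelled on the interface/nameif/ip address lines quoted in the thread.
# It deliberately contains one mistake: a logical interface on VLAN 1 that never gets a nameif.
SAMPLE_PIX_CONFIG = """\
interface ethernet0 auto
interface ethernet0 vlan2 physical
interface ethernet0 vlan3 logical
interface ethernet0 vlan1 logical
nameif ethernet0 outside security0
nameif vlan3 dmz security50
ip address outside 192.168.101.1 255.255.255.0
ip address dmz 192.168.103.1 255.255.255.0
"""

# Constructed: VLAN IDs the switch port facing the PIX is tagged for (read from the switch, not the PIX).
SAMPLE_TRUNK_VLANS: Set[int] = {2, 3}

IFACE_RE = re.compile(r"^interface (\S+) vlan(\d+) (physical|logical)$")
NAMEIF_RE = re.compile(r"^nameif (\S+) (\S+) security(\d+)$")
IPADDR_RE = re.compile(r"^ip address (\S+) (\S+) (\S+)$")


@dataclass
class VlanIface:
    phys: str                      # physical port, e.g. ethernet0
    vlan_id: int
    kind: str                      # "physical" (tag for the port itself) or "logical" (sub-interface)
    name: Optional[str] = None     # from nameif
    security: Optional[int] = None
    ip: Optional[str] = None       # "address mask" from ip address


def _resolve(ifaces: Dict[int, VlanIface], target: str) -> Optional[VlanIface]:
    """nameif names either 'vlanN' (a logical interface) or 'ethernetN' (that port's physical VLAN)."""
    m = re.match(r"^vlan(\d+)$", target)
    if m:
        return ifaces.get(int(m.group(1)))
    for iface in ifaces.values():
        if iface.phys == target and iface.kind == "physical":
            return iface
    return None


def parse_pix_vlans(config_text: str) -> Dict[int, VlanIface]:
    """Collect VLAN interfaces keyed by VLAN ID; assumes interface lines precede nameif, as in the posts."""
    ifaces: Dict[int, VlanIface] = {}
    by_name: Dict[str, VlanIface] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            vid = int(m.group(2))
            ifaces[vid] = VlanIface(phys=m.group(1), vlan_id=vid, kind=m.group(3))
            continue
        m = NAMEIF_RE.match(line)
        if m:
            iface = _resolve(ifaces, m.group(1))
            if iface is not None:
                iface.name, iface.security = m.group(2), int(m.group(3))
                by_name[m.group(2)] = iface
            continue
        m = IPADDR_RE.match(line)
        if m and m.group(1) in by_name:
            by_name[m.group(1)].ip = f"{m.group(2)} {m.group(3)}"
    return ifaces


def lint_pix_vlans(config_text: str, trunk_vlans: Set[int]) -> List[str]:
    """Return one finding per problem; an empty list means the config passes every check."""
    ifaces = parse_pix_vlans(config_text)
    tagged_ports = {i.phys for i in ifaces.values() if i.kind == "physical"}
    findings: List[str] = []
    for vid, iface in sorted(ifaces.items()):
        label = f"{iface.phys} vlan{vid} ({iface.kind})"
        if vid == 1:
            findings.append(f"{label}: VLAN 1 is the default native VLAN on Cisco switches; pick another ID")
        if iface.kind == "logical" and iface.phys not in tagged_ports:
            findings.append(f"{label}: {iface.phys} has no 'vlanN physical' tag, so its own traffic leaves untagged")
        if iface.name is None:
            findings.append(f"{label}: no nameif, so the interface cannot carry rules or an address")
        elif iface.ip is None:
            findings.append(f"{label}: named '{iface.name}' but has no ip address")
        if vid not in trunk_vlans:
            findings.append(f"{label}: VLAN {vid} is not tagged on the switch trunk port facing the PIX")
    return findings


if __name__ == "__main__":
    for finding in lint_pix_vlans(SAMPLE_PIX_CONFIG, SAMPLE_TRUNK_VLANS):
        print(finding)
```

Run against a saved copy of the PIX running configuration, with the trunk VLAN set taken from the switch port the PIX plugs into, it gives a quick cross-check that the two ends of the cable agree before any access-lists are written; the sample above reports three findings, all against the stray VLAN 1 interface.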
Blackduke77 commented:
Good post above :) :) I will add that to my favs.

dkuhlman commented:
I'm trying to do the exact same thing, but I'm running into this problem:

From 506E

pixfirewall(config)# int e1 vlan2 physical
pixfirewall(config)# int e1 vlan3 logical
Interface limit (2) reached.
Unable to create logical interface.
Internal Error: Unable to initialize logical interface.