halcyone

asked on 

PIX/APwireless/Router/Switch Vlan Design Advice

Hi,

I am looking for advice on the design possibility of a network I would like to build.

AIM:

To have two Segments A and B via VLAN implementation on one 2950 Cisco Switch.

To have wireless access via an AP

To have a PIX 560E (2 int) connected to either VLAN A or B or the wireless to provide internet access via DSL

To have internet available to all hosts on both VLANs and Wireless.

What I have:

I have a Catalyst 2950; a 2600 router with two Ethernet interfaces, and a Pix 560E.

Before I purchase an AP I would like to know how to put these components together to come up with a workable design - then I will attempt to configure.

Thanks in advance, and if this is the wrong topic to post under please let me know, as I couldn't find a VLAN section.

Rgds

halcyone
Software Firewalls, Cisco

grblades

Hi halcyone,
I assume you mean PIX 506E.
One way you can set the system up is to connect the internal interface of the PIX to the 2950 configured on one VLAN. Connect the 2600 router to both VLAN's and configure it to route between the two.
Then just connect the wireless access point to the second VLAN.
halcyone

ASKER

Okay, great. Now where's the best place in EE to post my relevant questions to get this set up: in bits and pieces, or as one question, given the following?

I have the Pix getting to the DSL and connected to one of the VLANs, which have both been set up. The router is also set up to route between both VLANs, but no routes are set for internet etc. The AP will only come in a week or so, therefore I would like to get hosts on both VLANs browsing the internet. It looks like I am getting an external IP for DSL/internet on the Pix but no DNS etc...

Your suggestions please Sir?

Cheers
Halcyone
grblades

Post your further questions here and I will help you out. If you post your current PIX and router configuration I will look over it and give you any additional configuration required.
halcyone

ASKER

Thanks, here are both of them:


Test3500>
Test3500>
Test3500>
Test3500>

CISCO SYSTEMS PIX FIREWALL
Embedded BIOS Version 4.3.207 01/02/02 16:12:22.73
Compiled by morlee
32 MB RAM

PCI Device Table.
Bus Dev Func VendID DevID Class              Irq
 00  00  00   8086   7192  Host Bridge        
 00  07  00   8086   7110  ISA Bridge        
 00  07  01   8086   7111  IDE Controller    
 00  07  02   8086   7112  Serial Bus         9
 00  07  03   8086   7113  PCI Bridge        
 00  0D  00   8086   1209  Ethernet           11
 00  0E  00   8086   1209  Ethernet           10

Cisco Secure PIX Firewall BIOS (4.2) #0: Mon Dec 31 08:34:35 PST 2001
Platform PIX-506E
System Flash=E28F640J3 @ 0xfff00000

Use BREAK or ESC to interrupt flash boot.
Use SPACE to begin flash boot immediately.
Reading 2470400 bytes of image from flash.      
32MB RAM
System Flash=E28F640J3 @ 0xfff00000
BIOS Flash=am29f400b @ 0xd8000
mcwa i82559 Ethernet at irq 11  MAC: 0009.7c8a.b31c
mcwa i82559 Ethernet at irq 10  MAC: 0009.7c8a.b319

  -----------------------------------------------------------------------
                               ||        ||
                               ||        ||
                              ||||      ||||
                          ..:||||||:..:||||||:..
                         c i s c o S y s t e m s
                        Private Internet eXchange
  -----------------------------------------------------------------------
                        Cisco PIX Firewall

Cisco PIX Firewall Version 6.1(2)

Licensed Features:
Failover:       Disabled
VPN-DES:        Enabled
VPN-3DES:       Disabled
Maximum Interfaces:     2
Cut-through Proxy:      Enabled
Guards:         Enabled
Websense:       Enabled
Inside Hosts:   Unlimited
Throughput:     Unlimited
ISAKMP peers:   Unlimited


  ****************************** Warning *******************************
  Compliance with U.S. Export Laws and Regulations - Encryption.
 
  This product performs encryption and is regulated for export
  by the U.S. Government.
 
  This product is not authorized for use by persons located
  outside the United States and Canada that do not have prior
  approval from Cisco Systems, Inc. or the U.S. Government.
 
  This product may not be exported outside the U.S. and Canada
  either by physical or electronic means without PRIOR approval
  of Cisco Systems, Inc. or the U.S. Government.
 
  Persons outside the U.S. and Canada may not re-export, resell
  or transfer this product by either physical or electronic means
  without prior approval of Cisco Systems, Inc. or the U.S.
  Government.
  ******************************* Warning *******************************

Copyright (c) 1996-2000 by Cisco Systems, Inc.

                Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

                Cisco Systems, Inc.
                170 West Tasman Drive
                San Jose, California 95134-1706

....
Allocated IP address = 192.168.254.60,  netmask = 255.255.255.0, gateway = 192.
outside interface address added to PAT pool

Cryptochecksum(changed): 0193d360 2cf2df1c 7aa2a92c aebef3f2
Type help or '?' for a list of available commands.
IANTRADING>  
IANTRADING> en
Password: ********
Invalid password
Password: ******
IANTRADING# wr t
Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ouGHk7Yho3Yj78Im encrypted
passwd ouGHk7Yho3Yj78Im encrypted
hostname IANTRADING
domain-name iantrading.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list IAN permit icmp any any
access-list IAN permit tcp any any eq 2823
access-list IAN permit tcp any any eq 2824
access-list IAN permit tcp any any eq www
access-list IAN permit udp any any eq domain
access-list IAN permit udp any any eq 9005
access-list IAN permit tcp any any eq 9005
access-list IAN permit tcp any any eq 8105
access-list IAN permit udp any any eq 8100
access-list acl_out permit icmp any any
pager lines 22
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.20.69 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
access-group acl_out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 s0
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
telnet 10.0.0.1 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:0193d3602cf2df1c7aa2a92caebef3f2
: end
[OK]
IANTRADING#      



And here is the router:

Current configuration : 1228 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Test2600
!
enable secret 5 $1$t5CY$pwBVG5HRsMACfMSzl/i0A1
enable password gungfu
!
ip subnet-zero
!
!
!
!
!
!
interface Ethernet0/0
 bandwidth 10000
 ip address 10.0.20.100 255.255.255.0
 ip access-group 10 in
 full-duplex
!
interface Ethernet1/0
 bandwidth 10000
 ip address 10.0.10.100 255.255.255.0
 full-duplex
!
ip classless
ip route 10.0.10.0 255.255.255.0 Ethernet1/0 name 10Vlan
ip route 10.0.20.0 255.255.255.0 Ethernet0/0 permanent
ip http server
ip pim bidir-enable
!
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps rtr
snmp-server enable traps syslog
!
line con 0
line aux 0
line vty 0 4
 password 12345678
 login
!
end


thanks
ASKER CERTIFIED SOLUTION
grblades

halcyone

ASKER

Hey that's pretty cool. I have done what you suggested as well as put a host on the .20 Vlan and can connect to the internet etc. I will source an AP for wireless soon and put that on the 20 Vlan.

Now I need to start playing around to see how this all works, and also understand the basics of packet structure to be able to use a sniffer etc.

Any suggestions for a quick reference?

Thanks for your help

Regards
grblades

You can download a free copy of ethereal network analyser from http://www.ethereal.com
A good book to get is 'TCP/IP Illustrated'. There are probably some good links on the ethereal website as well.
halcyone

ASKER

thanks
halcyone

ASKER

I have plugged the wireless in and I can't get out to the internet so I have unplugged the wireless and gone directly into the switch and I still can't get out. Please help - shouldn't take long.

The routes seem not to be right: how can I test from the host through to the internet?

Host: 10.0.20.45
SM:255.255.255.0
GW : 10.0.20.100
DNS: 192.168.254.254 (this is the network I can't get to)

I think it's the routing statements on the PIX, as the DHCP setroute and the static routes give two different routes:

IANTRADING> en
Password:  
Invalid password
Password: ********
Invalid password
Password: ******
IANTRADING# wr t
Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ouGHk7Yho3Yj78Im encrypted
passwd ouGHk7Yho3Yj78Im encrypted
hostname IANTRADING
domain-name iantrading.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list IAN permit icmp any any
access-list IAN permit tcp any any eq 2823
access-list IAN permit tcp any any eq 2824
access-list IAN permit tcp any any eq www
access-list IAN permit udp any any eq domain
access-list IAN permit udp any any eq 9005
access-list IAN permit tcp any any eq 9005
access-list IAN permit tcp any any eq 8105
access-list IAN permit udp any any eq 8100
access-list acl_out permit icmp any any
pager lines 22
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.0.20.69 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
access-group acl_out in interface outside
route inside 10.0.10.0 255.255.255.0 10.0.20.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 s0
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
no floodguard enable
no sysopt route dnat
telnet 10.0.0.1 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:4ea2d295c9773478a719975b021a96d3
: end
[OK]
IANTRADING# sh ip
System IP Addresses:
        ip address outside 192.168.254.60 255.255.255.0
        ip address inside 10.0.20.69 255.255.255.0
Current IP Addresses:
        ip address outside 192.168.254.60 255.255.255.0
        ip address inside 10.0.20.69 255.255.255.0
IANTRADING# sh route
        outside 0.0.0.0 0.0.0.0 192.168.254.254 1 DHCP static
        inside 10.0.10.0 255.255.255.0 10.0.20.100 1 OTHER static
        inside 10.0.20.0 255.255.255.0 10.0.20.69 1 CONNECT static
        outside 192.168.254.0 255.255.255.0 192.168.254.60 1 CONNECT static
IANTRADING# route ?
Type help or '?' for a list of available commands.
IANTRADING# ip route ?
Type help or '?' for a list of available commands.
IANTRADING# conf t
IANTRADING(config)# ip route?
usage: ip address <if_name> <ip_address> [<mask>]
        ip address <if_name> dhcp [setroute] [retry <retry_cnt>]
        ip local pool <poolname> <ip1>[-<ip2>]
        ip verify reverse-path interface <if_name>
        ip audit [name|signature|interface|attack|info] ...
        show|clear ip audit count [global] [interface <interface>]
IANTRADING(config)#



IANTRADING(config)# ip route
Test2600>
Test2600>en
Password:
Password:
Test2600#wr t
Building configuration...

Current configuration : 1286 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Test2600
!
enable secret 5 $1$t5CY$pwBVG5HRsMACfMSzl/i0A1
enable password gungfu
!
ip subnet-zero
!
!
!
!
!
!
interface Ethernet0/0
 bandwidth 10000
 ip address 10.0.20.100 255.255.255.0
 ip access-group 10 in
 full-duplex
!
interface Ethernet1/0
 bandwidth 10000
 ip address 10.0.10.100 255.255.255.0
 full-duplex
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.20.69
ip route 10.0.10.0 255.255.255.0 Ethernet1/0 name 10Vlan
ip route 10.0.20.0 255.255.255.0 Ethernet0/0 permanent
ip http server
ip pim bidir-enable
!
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps rtr
snmp-server enable traps syslog
!
line con 0
line aux 0
line vty 0 4
 password 12345678
 login
!
no scheduler allocate
end

Test2600#  


Thanks
grblades

The routing looks fine.
halcyone

ASKER

Hey, thanks anyway. It was the NATting again: the old statement crept back in, to now allow nat (inside) 10.0.0.0 255.0.0.0 etc.
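The thread ends with the asker reporting that the real problem was the PIX `nat (inside)` statement, not routing. The first PIX config posted above has `nat (inside) 1 10.0.0.0 255.255.255.0 0 0` while the inside interface sits on 10.0.20.0/24 and the second VLAN on 10.0.10.0/24, so neither VLAN's hosts fall inside the only network the PIX will translate (PIX 6.x drops inside-to-outside traffic that has no translation). Widening the mask to 255.0.0.0, as the last message says, makes both VLANs match. The script below is an added example, not code from the thread or from either participant: it parses the `nat`, `global`, `route` and `ip address` lines in the form the PIX 6.1 configs above use and reports, for a given inside host, whether a NAT statement with a matching global pool covers it and how the PIX routes back to it. That return path is the second half of grblades' original design (PIX on one VLAN, the 2600 routing between the VLANs), which is why the `route inside 10.0.10.0 ... 10.0.20.100` line matters. The two config strings are constructed from the posts, and `check_host`, `parse_pix` and the regexes are this example's own names.

```python
"""Added example: check which inside hosts a PIX 6.x NAT statement covers and
how the PIX routes back to them.  Not code from the thread; the config strings
below are constructed from the configs posted in it."""
import ipaddress
import re

# Constructed from the first PIX config posted: the nat statement only matches
# 10.0.0.0/24, while the inside interface and both VLANs live in 10.0.20.0/24
# and 10.0.10.0/24.
PIX_AS_POSTED = """
ip address outside dhcp setroute
ip address inside 10.0.20.69 255.255.255.0
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
route inside 10.0.10.0 255.255.255.0 10.0.20.100 1
"""

# Same config with the mask widened to 255.0.0.0, which the asker reports fixed it.
PIX_FIXED = PIX_AS_POSTED.replace(
    "nat (inside) 1 10.0.0.0 255.255.255.0 0 0",
    "nat (inside) 1 10.0.0.0 255.0.0.0 0 0",
)

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
NAT_RE = re.compile(rf"^nat \((\S+)\) (\d+) {IPV4} {IPV4}")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)")
ROUTE_RE = re.compile(rf"^route (\S+) {IPV4} {IPV4} {IPV4}")
ADDR_RE = re.compile(rf"^ip address (\S+) {IPV4} {IPV4}")


def parse_pix(config):
    """Pull the lines that decide translation and routing out of a PIX 6.x config."""
    parsed = {"nat": [], "global": set(), "routes": [], "connected": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            net = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
            parsed["nat"].append((m[1], int(m[2]), net))
        elif m := GLOBAL_RE.match(line):
            parsed["global"].add((m[1], int(m[2])))
        elif m := ROUTE_RE.match(line):
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            parsed["routes"].append((m[1], net, ipaddress.ip_address(m[4])))
        elif m := ADDR_RE.match(line):
            # A static interface address gives a directly connected network;
            # the 'ip address outside dhcp' form deliberately does not match.
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            parsed["connected"].append((m[1], net))
    return parsed


def nat_covers(parsed, host, ifname="inside", out_if="outside"):
    """True if host matches a 'nat (ifname) N ...' entry whose id N also has a
    'global (out_if) N ...' pool.  Identity NAT (nat 0) is not modelled."""
    addr = ipaddress.ip_address(host)
    return any(
        nat_if == ifname and addr in net and (out_if, nat_id) in parsed["global"]
        for nat_if, nat_id, net in parsed["nat"]
    )


def return_path(parsed, host):
    """How the PIX reaches host: 'connected', 'static via <next hop>' or None."""
    addr = ipaddress.ip_address(host)
    if any(addr in net for _, net in parsed["connected"]):
        return "connected"
    # Longest-prefix match among the static routes.
    best = max(
        (r for r in parsed["routes"] if addr in r[1]),
        key=lambda r: r[1].prefixlen,
        default=None,
    )
    return f"static via {best[2]}" if best else None


def check_host(config, host):
    """Report translation coverage and return path for one inside host."""
    parsed = parse_pix(config)
    return {"nat": nat_covers(parsed, host), "route": return_path(parsed, host)}


if __name__ == "__main__":
    for label, cfg in (("as posted", PIX_AS_POSTED), ("mask widened", PIX_FIXED)):
        for host in ("10.0.20.45", "10.0.10.5"):
            print(f"{label:12} {host:12} {check_host(cfg, host)}")
```

Run as-is it prints that 10.0.20.45 (the host from the last troubleshooting post) has a connected return path but no translation under the posted config, and that 10.0.10.5 on the second VLAN is only reachable through the static route to the 2600; both hosts are covered once the mask is 255.0.0.0. The check is a static read of the config, so it is a quick way to confirm that every VLAN behind the router falls inside a NAT statement before touching the router's routes.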