dissolved asked:

VLANs can't speak with each other any longer (since PIX installation)

Here's my network: http://www.streetneeds.com/uploads/ot/net.jpg

Ever since putting the PIX in, my VLANs have not been able to speak with each other.

From the PIX prompt, I can ping all of my hosts (on every VLAN).
Any ideas?

Thanks
dissolved (asker):

All VLANs can hit the internet fine. They just can't speak to one another?

Is this because their gateway, for all of them, is the PIX? So I have to permit the traffic inbound?
Thanks
The default gateway for the hosts on the 192.168.3.0 subnet should be 192.168.3.1 (the 2600 router subinterface).  The default gateway for the hosts on the 192.168.4.0 subnet should be 192.168.4.1 (the 2600 router subinterface).  The 2600 should have a default route to 192.168.2.1 (the pix).  The 192.168.2.0 hosts default route can be the PIX as long as the PIX has routes to the 192.168.3.0 and 192.168.4.0 subnets via 192.168.2.5 (2600 router).  Or, the 192.168.2.0 hosts can have a default gateway of 192.168.2.5 (2600 router) and the default route on the 2600 will send non-local traffic to the PIX.  I'd set it up with the latter for the 192.168.2.0 hosts (default gateway of 192.168.2.5).
>>The default gateway for the hosts on the 192.168.3.0 subnet should be 192.168.3.1 (the 2600 router subinterface).
Check

>>The default gateway for the hosts on the 192.168.4.0 subnet should be 192.168.4.1 (the 2600 router subinterface).
Check

>>The 2600 should have a default route to 192.168.2.1 (the pix).
Check

>>The 192.168.2.0 hosts default route can be the PIX as long as the PIX has routes to the 192.168.3.0 and 192.168.4.0 subnets via 192.168.2.5 (2600 router).  Or, the 192.168.2.0 hosts can have a default gateway of 192.168.2.5 (2600 router) and the default route on the 2600 will send non-local traffic to the PIX.  I'd set it up with the latter for the 192.168.2.0 hosts (default gateway of 192.168.2.5)

This must be the problem.  The static routes in my pix (for the VLANs) are as follows:
route inside 192.168.3.0 255.255.255.240 192.168.4.1 1
route inside 192.168.4.0 255.255.255.240 192.168.4.1 1

I'm guessing I should change it to

route inside 192.168.3.0 255.255.255.240 192.168.2.5 1
route inside 192.168.4.0 255.255.255.240 192.168.2.5 1
Yes, should be:

route inside 192.168.3.0 255.255.255.240 192.168.2.5 1
route inside 192.168.4.0 255.255.255.240 192.168.2.5 1

Ok, did that. Still unable to communicate with my VLANs (I'm on the 192.168.2.0 network btw)
Here is a sh run of the pix


pix# sh run
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xIsrlcAkUmuvQSHs encrypted
passwd JjCY8dtQbv7delLq encrypted
hostname pix
domain-name spira
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_in permit icmp any interface outside echo-reply
access-list outside_in permit icmp any interface outside unreachable
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.2 255.255.255.240
ip address inside 192.168.2.1 255.255.255.240
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.240 0 0
nat (inside) 1 192.168.3.0 255.255.255.240 0 0
nat (inside) 1 192.168.4.0 255.255.255.240 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
route inside 192.168.3.0 255.255.255.240 192.168.2.5 1
route inside 192.168.4.0 255.255.255.240 192.168.2.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.2.0 255.255.255.240 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:c6ddd4cda262762c7335421be1799533
: end
Les Moore:
add this

   sysopt noproxyarp inside

If it works, I'll explain...
Oops, forgot basic PIX routing rule.  The PIX will not send traffic it receives on the inside interface, back out the inside interface.  This is the way a PIX is, it really isn't a router, although it appears to act as such at times.  You'll need to set the default gateways on the 192.168.3.0 and 4.0 hosts to the appropriate 2600 subinterface for each subnet.
Ok, I added sysopt noproxyarp inside.  However, from the 192.168.2.0 network, I still cannot access any PCs on the other VLANs. The PIX can ping them though.

Right now, the hosts of 192.168.3.0 have a gateway of 192.168.3.1
The host of 192.168.4.0 have a gateway of 192.168.4.1

Thanks
How about the ip inspect rules in the 2600 @ 192.168.2.5 ?
It's not the pix in the mix, it may be the way you have the inspect applied to that router and have changed how IT behaves. It is the link between the vlans. Can you post its config?
Ok, here is the 2600 config:

Current configuration : 1272 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2600a
!
enable secret 5 -----------------
enable password ---------------
!
ip subnet-zero
!
!
!
!
ip cef
ip inspect name test tcp
ip inspect name test udp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.2.5 255.255.255.240
 ip access-group 102 out
 ip inspect test in
 full-duplex
!
interface Ethernet0/0.1
 encapsulation dot1Q 2
 ip address 192.168.3.1 255.255.255.240
 ip access-group 101 out
 ip inspect test in
!
interface Ethernet0/0.2
 encapsulation dot1Q 3
 ip address 192.168.4.1 255.255.255.240
 ip access-group 102 out
 ip inspect test in
!
interface TokenRing0/0
 no ip address
 shutdown
 ring-speed 16
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
no ip http server
ip pim bidir-enable
!
access-list 104 deny   ip 192.168.4.0 0.0.0.255 host 216.109.112.135
access-list 104 permit ip any any
!
snmp-server community getifread RO
snmp-server community getif RW
!
dial-peer cor custom
!
!
!
!
!
line con 0
 password ----
line aux 0
line vty 0 4
 password ---------
 login
!
end

2600a#
>ip access-group 102 out
> ip access-group 101 out
> ip inspect test in

The acls 102 and 101 don't appear to exist any longer.
Try removing both the acl and the inspect from all the interfaces and see if that works for you, then we can apply what you need once you get data flowing again..


How come you are using the IOS firewall when you have a PIX on your network?  Perhaps you should try removing ip inspect from the 2600 interfaces to test.  Can you also do a "show ip route".
Ok, made the changes. It still doesn't work. Here is the config. Am I missing anything?

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2600a
!
enable secret 5 -------------
enable password--------
!
ip subnet-zero
!
!
ip name-server 192.168.1.98
!
ip cef
ip inspect name test tcp
ip inspect name test udp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Ethernet0/0
 ip address 192.168.2.5 255.255.255.240
 full-duplex
!
interface Ethernet0/0.1
 encapsulation dot1Q 2
 ip address 192.168.3.1 255.255.255.240
!
interface Ethernet0/0.2
 encapsulation dot1Q 3
 ip address 192.168.4.1 255.255.255.240
!
interface TokenRing0/0
 no ip address
 shutdown
 ring-speed 16
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.2.1
no ip http server
ip pim bidir-enable
!
!
snmp-server community getifread RO
snmp-server community getif RW
!
dial-peer cor custom
!
!
!
!
!
line con 0
 password-----
line aux 0
line vty 0 4
 password ----
 login
!
end

2600a#
How about the "show ip route"...
Save the config and reboot this 2600. Need to clear all the arp cache and any existing inspected connections.
Rebooted. Still cannot connect. Here is the sh ip ro


2600a#sh ip ro
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.2.1 to network 0.0.0.0

     192.168.4.0/28 is subnetted, 1 subnets
C       192.168.4.0 is directly connected, Ethernet0/0.2
     192.168.2.0/28 is subnetted, 1 subnets
C       192.168.2.0 is directly connected, Ethernet0/0
     192.168.3.0/28 is subnetted, 1 subnets
C       192.168.3.0 is directly connected, Ethernet0/0.1
S*   0.0.0.0/0 [1/0] via 192.168.2.1
2600a#


Thanks
ASKER CERTIFIED SOLUTION (JFrederick29, United States)

SOLUTION

192.168.3.x cannot ping 192.168.2.x
192.168.4.x cannot ping 192.168.2.x

However:

192.168.3.x can ping 192.168.4.x
192.168.4.x can ping 192.168.3.x

Quick question: If I make the default gateway for 192.168.2.x, "192.168.2.5", will I be bypassing my PIX?
Thanks guys
Just internally, but when you go out to the Internet, you will be going through the PIX.
You really have no choice, the default gateway on the 192.168.2.0 hosts must be 192.168.2.5.
Ah... I see. Because the 2600's gateway IS the pix?
Yes, correct :)
So we normally do not use firewalls' internal interfaces as gateways. Because by definition they are not routers?
Right?
Thanks
Yes, the PIX won't "reroute" out the inside interface so a router is required.  Other firewalls may not have that "design" and in your situation, it would work.  But, like I said before, it's better to have the 2600 handle all internal routing and then have a default route to the PIX.
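The rule Les Moore and the last answer describe (the PIX will not forward a packet back out the inside interface it arrived on, so the 2600 has to be the internal gateway and the PIX only the 2600's default route) can be checked against the thread's own addressing with a small forwarding model. The block below is an added example, not code from the thread or from any Cisco tool; the sample hosts (192.168.x.10), the Internet test address 203.0.113.9 and the `hairpin` flag that stands in for the PIX behaviour are assumptions made for illustration. It uses the corrected PIX static routes (via 192.168.2.5) and the 2600's final config from the thread.

```python
"""Forwarding model of the thread's network: a PIX 6.3 that refuses to send a
packet back out the interface it arrived on, and a 2600 doing router-on-a-stick
for 192.168.2.0/28, 192.168.3.0/28 and 192.168.4.0/28.  Added example, not code
from the thread; host and Internet addresses are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field

IP = ipaddress.ip_address
NET = ipaddress.ip_network


@dataclass
class Device:
    """ifaces: name -> (own address, connected network); routes: (prefix, next hop).
    hairpin=False models the PIX rule from the thread (no same-interface re-forwarding)."""
    name: str
    ifaces: dict
    routes: list = field(default_factory=list)
    hairpin: bool = True

    def iface_for(self, ip):
        for name, (_addr, net) in self.ifaces.items():
            if ip in net:
                return name
        return None

    def lookup(self, dst):
        """Longest-prefix match over connected networks and static routes.
        Returns (egress interface, next hop or None if directly connected)."""
        best = None
        for name, (_addr, net) in self.ifaces.items():
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, name, None)
        for prefix, nh in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0]):
                best = (prefix.prefixlen, self.iface_for(nh), nh)
        return None if best is None else best[1:]


def build(gw_for_vlan2):
    """Thread topology; gw_for_vlan2 is the default gateway given to the
    192.168.2.0/28 hosts: '192.168.2.1' (PIX) or '192.168.2.5' (2600)."""
    pix = Device("pix", {
        "outside": (IP("192.168.1.2"), NET("192.168.1.0/28")),
        "inside":  (IP("192.168.2.1"), NET("192.168.2.0/28")),
    }, routes=[
        (NET("0.0.0.0/0"), IP("192.168.1.1")),
        (NET("192.168.3.0/28"), IP("192.168.2.5")),  # corrected routes from the thread
        (NET("192.168.4.0/28"), IP("192.168.2.5")),
    ], hairpin=False)
    r2600 = Device("2600a", {
        "Ethernet0/0":   (IP("192.168.2.5"), NET("192.168.2.0/28")),
        "Ethernet0/0.1": (IP("192.168.3.1"), NET("192.168.3.0/28")),
        "Ethernet0/0.2": (IP("192.168.4.1"), NET("192.168.4.0/28")),
    }, routes=[(NET("0.0.0.0/0"), IP("192.168.2.1"))])
    hosts = {  # constructed sample hosts: address -> default gateway
        IP("192.168.2.10"): IP(gw_for_vlan2),
        IP("192.168.3.10"): IP("192.168.3.1"),
        IP("192.168.4.10"): IP("192.168.4.1"),
    }
    return [pix, r2600], hosts


def trace(devices, hosts, src, dst, max_hops=8):
    """Follow one packet hop by hop.  Returns 'delivered', 'exited via dev/iface'
    (left the model toward the ISP) or 'dropped at dev: reason'."""
    addr_map = {a: (d, n) for d in devices for n, (a, _net) in d.ifaces.items()}
    src_net = next(net for d in devices for _a, net in d.ifaces.values() if src in net)
    if dst in src_net:
        return "delivered"  # on-link, no gateway involved
    dev, ingress = addr_map[hosts[src]]
    for _ in range(max_hops):
        hit = dev.lookup(dst)
        if hit is None:
            return f"dropped at {dev.name}: no route"
        egress, nh = hit
        if egress == ingress and not dev.hairpin:
            return f"dropped at {dev.name}: would re-send out {ingress}"
        if nh is None:
            return "delivered" if dst in hosts else f"dropped at {dev.name}: no such host"
        if nh not in addr_map:
            return f"exited via {dev.name}/{egress}"
        dev, ingress = addr_map[nh]
    return "dropped: hop limit"


def ping(devices, hosts, a, b):
    """A ping succeeds only if the echo and the reply are both delivered."""
    return (trace(devices, hosts, a, b) == "delivered"
            and trace(devices, hosts, b, a) == "delivered")


if __name__ == "__main__":
    pairs = [("192.168.2.10", "192.168.3.10"), ("192.168.3.10", "192.168.2.10"),
             ("192.168.3.10", "192.168.4.10"), ("192.168.2.10", "203.0.113.9")]
    for gw in ("192.168.2.1", "192.168.2.5"):
        devs, hosts = build(gw)
        print(f"\n192.168.2.0/28 hosts using gateway {gw}")
        for a, b in pairs:
            print(f"  {a:>14} -> {b:<14} {trace(devs, hosts, IP(a), IP(b))}")
```

With the 192.168.2.0 hosts pointed at the PIX (.1), the model reproduces exactly what the asker saw: a packet from 192.168.3.x reaches 192.168.2.x through the 2600, but the reply goes to the PIX, matches the route via 192.168.2.5 and would have to leave the inside interface it came in on, so the PIX drops it and the ping fails in both directions, while 192.168.3.x and 192.168.4.x still reach each other because that path never touches the PIX. With the gateway set to the 2600 (.5), every internal pair works and Internet-bound traffic still exits through the PIX via the 2600's default route, so nothing is bypassed.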
Thanks a lot
No problem, nice working with you again, and lrmoore :)
Ditto !
Ditto here too!