BRNIIT

asked on

Pix 506E - how to route between vlans

I am setting up a Pix 506E with an additional logical interface on each physical interface.  I would like to add a dmz to the outside interface, and split the inside interface between two vlans.

I would like the two vlans on the inside interface to talk to each other without any restrictions, and I would like to allow access to and from the dmz also.  I am planning to use the Pix to do my internal routing, so I need to figure out what combination of static routes, access lists, translation rules, and global address pools is necessary to make this happen.

This is my first time setting up a Pix, and I keep reading that the Pix is not a router.  Is it unwise to use the Pix to route the traffic on the internal network?
rsivanandan

First of all PIX *WILL NOT* do internal routing for you. It is not designed to be a router and so the functionality you are trying to get will not work.

If you can describe a little more and plot a small diagram here on what you are trying to achieve then we may be able to arrive at how it can be done. But bear in mind, PIX does routing for only those directly connected networks and nothing else.

Cheers,
Rajesh
BRNIIT

ASKER

To say that a pix will not do internal routing is just to say that it will not function as a router, right?  If I enter static routes, shouldn't it forward traffic between its logical interfaces?

Overall, what I am trying to achieve is:

Cisco 1841 as perimeter router, then the pix 506E, then my internal network.  I would like a dmz, and I would like the internal network to be split into vlans, if possible, rather than one network.

Let me know if this is possible.
Hello there

First of all, in order to have more than 2 VLANs on a PIX 506E you'd need to have UR License on it.

Here's a link to the Cisco's Website about VLANS:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#1113411


In order to have connectivity between two VLANs you'd need to have static or nat & global statements, or both, to ensure connectivity between interfaces, as well as the corresponding ACL statements.

greets,

OMonge.
BRNIIT

ASKER

I would love to see examples of the statements I need to have.  If my interfaces are

interface ethernet1 vlan10 physical
interface ethernet1 vlan20 logical
nameif ethernet1 inside security100
nameif vlan20 inside2 security95
ip address inside 10.1.1.1 255.255.255.0
ip address inside2 10.1.2.1 255.255.255.0

then how do I get 10.1.1.0/24 to talk to 10.1.2.0/24?
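As an added example (not taken from any post on this page), here are the PIX 6.3 statements OMonge's answer describes, written against the two inside VLAN interfaces from the question above. The interface names inside and inside2, the PIX host addresses 10.1.1.1 and 10.1.2.1, and the ACL name inside2_in are assumptions chosen for illustration; the lines beginning with ! are annotations, not commands to paste.

```cisco
! Assumed PIX 6.3 interface layout: VLAN 10 native on ethernet1, VLAN 20 tagged
interface ethernet1 vlan10 physical
interface ethernet1 vlan20 logical
nameif ethernet1 inside security100
nameif vlan20 inside2 security95
ip address inside 10.1.1.1 255.255.255.0
ip address inside2 10.1.2.1 255.255.255.0

! 1. Translation. PIX 6.3 will not forward between two interfaces unless a
!    translation (xlate) exists. An identity static presents 10.1.1.0/24 with its
!    real addresses on inside2, which lets inside (100) initiate to inside2 (95)
!    and gives hosts on inside2 a translated destination to reach.
static (inside,inside2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! 2. Access control. Sessions from the lower security level (inside2) to the
!    higher one (inside) are denied until an ACL bound to the lower interface
!    permits them. PIX 6.3 ACLs use subnet masks, not wildcard masks.
access-list inside2_in permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group inside2_in in interface inside2

! 3. Routing. Both networks are directly connected, so no "route" statement is
!    needed; hosts in VLAN 10 use 10.1.1.1 and hosts in VLAN 20 use 10.1.2.1 as
!    their default gateway.
```

Two checks before calling it done: the switch port facing ethernet1 must be an 802.1Q trunk carrying VLAN 10 untagged (the physical keyword makes it the native VLAN) and VLAN 20 tagged, and the two VLAN interfaces must keep different security levels, because PIX 6.3 refuses to pass traffic between interfaces that share a level. If you later bind an access-group to inside, it must also permit 10.1.1.0/24 to 10.1.2.0/24, otherwise the high-to-low direction stops working even though the static is still in place.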
ASKER CERTIFIED SOLUTION
OMonge