BRNIIT
asked on
Pix 506E - how to route between vlans
I am setting up a Pix 506E with an additional logical interface on each physical interface. I would like to add a dmz to the outside interface, and split the inside interface between two vlans.
I would like the two vlans on the inside interface to talk to each other without any restrictions, and I would like to allow access to and from the dmz also. I am planning to use the Pix to do my internal routing, so I need to figure out what combination of static routes, access lists, translation rules, and global address pools is necessary to make this happen.
This is my first time setting up a Pix, and I keep reading that the Pix is not a router. Is it unwise to use the Pix to route the traffic on the internal network?
ASKER
To say that a pix will not do internal routing is just to say that it will not function as a router, right? If I enter static routes, shouldn't it forward traffic between its logical interfaces?
Overall, what I am trying to achieve is:
Cisco 1841 as perimeter router, then the pix 506E, then my internal network. I would like a dmz, and I would like the internal network to be split into vlans, if possible, rather than one network.
Let me know if this is possible.
Hello there
First of all, in order to have more than 2 VLANs on a PIX 506E you'd need to have UR License on it.
Here's a link to Cisco's website about VLANs:
http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#1113411
In order to have connectivity between two VLANs you'd need to have static or nat & global statements, or both, to ensure connectivity between interfaces, as well as the corresponding ACL statements.
greets,
OMonge.
ASKER
I would love to see examples of the statements I need to have. If my interfaces are
interface ethernet1 vlan10 physical
interface ethernet1 vlan20 logical
nameif ethernet1 inside security100
nameif vlan20 inside2 security95
ip address inside 10.1.1.1 255.255.255.0
ip address inside2 10.1.2.1 255.255.255.0
then how do I get 10.1.1.0/24 to talk to 10.1.2.0/24?
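Pulling OMonge's three ingredients (static, nat/global, ACL) together for the two inside VLANs plus a DMZ the asker describes, here is a PIX 6.3 configuration fragment added as an illustration; it is not from this thread and not from Cisco's documentation. Everything in it is assumed for the example: the addressing (10.1.1.0/24 and 10.1.2.0/24 inside, a 192.168.30.0/24 DMZ, a 203.0.113.0/24 outside block with the 1841 at .1), VLAN numbers 2 and 30, the interface names inside/inside2/dmz/outside, a DMZ web server at 192.168.30.10 published as 203.0.113.10, and an inside database host at 10.1.1.20. Lines beginning with `!` are annotations, not PIX commands, and must be dropped before pasting.

```cisco
! Assumed topology, constructed for this example (PIX 6.3, 506E with UR license)
interface ethernet0 auto
interface ethernet0 vlan2 physical
interface ethernet0 vlan30 logical
interface ethernet1 auto
interface ethernet1 vlan10 physical
interface ethernet1 vlan20 logical
nameif ethernet0 outside security0
nameif vlan30 dmz security50
nameif ethernet1 inside security100
nameif vlan20 inside2 security95
ip address outside 203.0.113.2 255.255.255.0
ip address dmz 192.168.30.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address inside2 10.1.2.1 255.255.255.0

! The PIX only knows its connected networks; everything else goes to the 1841
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Internet access for both inside VLANs and the DMZ: PAT to the outside address
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside2) 1 10.1.2.0 255.255.255.0
nat (dmz) 1 192.168.30.0 255.255.255.0

! Identity statics between internal interfaces: static (high,low) <addr seen from low> <real addr>
! With both addresses equal nothing is rewritten, and the static is checked before nat/global,
! so inside -> inside2 and inside -> dmz traffic is passed untranslated
static (inside,inside2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (inside2,dmz) 10.1.2.0 10.1.2.0 netmask 255.255.255.0

! Publish one DMZ server to the Internet (public address is a placeholder)
static (dmz,outside) 203.0.113.10 192.168.30.10 netmask 255.255.255.255

! Low -> high traffic is dropped until an ACL permits it.
! inside2 -> inside "without any restrictions", as the question asks; tighten later as needed
access-list inside2_in permit ip 10.1.2.0 255.255.255.0 any
access-group inside2_in in interface inside2

! DMZ hosts get only what they need inward, then Internet access; order matters
access-list dmz_in permit tcp host 192.168.30.10 host 10.1.1.20 eq 1433
access-list dmz_in deny ip any 10.1.1.0 255.255.255.0
access-list dmz_in deny ip any 10.1.2.0 255.255.255.0
access-list dmz_in permit ip 192.168.30.0 255.255.255.0 any
access-group dmz_in in interface dmz

! Only the published web service from the Internet into the DMZ
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
```

The pattern behind it: traffic from a higher-security interface to a lower one is allowed by default but still needs a translation (here the identity statics); traffic from a lower-security interface to a higher one needs both a static that makes the destination reachable and an access-list applied inbound on the lower interface. Once an access-group is bound to inside2, everything that interface originates must match the list, which is why the permit-any line is there. The DMZ list denies both inside VLANs before permitting the Internet, so the final permit cannot be used to reach internal hosts. With VLANs assigned to both physical ports, the switch ports facing ethernet0 and ethernet1 must be 802.1Q trunks carrying VLANs 2 and 30, and 10 and 20, respectively, with the 1841 on VLAN 2.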
If you can describe a little more and plot a small diagram here of what you are trying to achieve, then we may be able to arrive at how it can be done. But bear in mind, PIX does routing only for those directly connected networks and nothing else.
Cheers,
Rajesh