• Status: Solved

Cisco 2950 switch connecting with vlan PIX 506

I have a Cisco PIX 506 with a VLAN configured. Now I have connected a Catalyst 2950, but I am not able to connect with the VLAN. Can anyone help me with the configuration of the Cisco Catalyst 2950?
A little more information is needed.
Have you assigned IPs to the VLAN?
Have you assigned an IP to the 2950?

From what to what are you trying to connect?
adenhartogAuthor Commented:

I have a Cisco PIX 506 with a vlan configured (DMZ). Behind this PIX is a Cisco Catalyst 2950. I need the Catalyst to handle the vlan because the PIX cannot do this. So I need to know how to configure the vlan on the Catalyst.
The commands to create a VLAN on the Catalyst 2950 are all documented here:


Switch(Config)#vlan 3
Switch(Config-vlan)#name DMZ

That will create a VLAN with a VLAN ID of 3 and a name of DMZ on the switch.

You then need to tell the switch what ports are going to access this VLAN:

Switch(Config)#interface fa0/1
Switch(Config-if)#switchport mode access
Switch(Config-if)#switchport access vlan 3

You will need to do this for every device that is going to be a member of that VLAN.
I am guessing that because it is a DMZ you are not going to need that VLAN anywhere else, so you won't need to worry about trunking or anything.

See how you get on.....
adenhartogAuthor Commented:

I followed the instructions as above but then I can only connect to one vlan on the Cisco.

I have the Cisco PIX connected to interface fa0/5. The Cisco PIX 506 is configured with vlan1 (interface) and vlan2 (logical). Now I need to connect with both of them on interface fa0/5 of the Cisco Catalyst 2950.

Can you post the configs of both devices so we can take a look? Not entirely sure what you are trying to achieve!

adenhartogAuthor Commented:

I am trying to set up a DMZ with a Cisco PIX and a Cisco Catalyst 2950. Now I put a trunk on interface fa0/5 (Cisco PIX). On this interface it will connect to both VLANs on the PIX. On interface fa0/3 (DMZ) I put the vlan 2 interface. Now I am able to ping the Cisco PIX from the DMZ and from the inside. Only I am not able to use the internet on the DMZ.

So the question has changed a little bit. Can I ask this question here or do I need to open a new one?
Go for it! Ask away....
adenhartogAuthor Commented:
LOL :)

I can ping the Cisco PIX 506 on the VLAN from the DMZ. Only I have no internet connection from the DMZ. Here is the config from the PIX.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
enable password xxxxxxx encrypted
passwd xxxxx encrypted
hostname xxxxx
domain-name kennit.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any source-quench
access-list outside_in permit icmp any any unreachable
access-list outside_in permit icmp any any time-exceeded
access-list 100 permit ip
access-list 100 permit ip
access-list 100 permit ip
access-list 100 permit ip
access-list 110 permit ip
access-list 110 permit ip
access-list 110 permit ip
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x
ip address inside
ip address dmz
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool mask
pdm location inside
pdm location outside
pdm location outside
pdm location outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list 100
nat (inside) 10 0 0
access-group outside_in in interface outside
route outside 1
route inside 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside cisco506
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set remoteuser esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 30 set transform-set remoteuser
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address 110
crypto map outside_map 10 set peer
crypto map outside_map 10 set peer
crypto map outside_map 10 set peer
crypto map outside_map 10 set transform-set remoteuser
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key xxxxxx address x.x.x.x netmask no-xauth no-config-mode
isakmp key xxxxxx address x.x.x.x netmask no-xauth no-config-mode
isakmp key xxxxxx address x.x.x.x netmask no-xauth no-config-mode
isakmp identity address
isakmp keepalive 30 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup kennit address-pool vpnpool
vpngroup kennit dns-server
vpngroup kennit wins-server
vpngroup kennit default-domain xxxx.local
vpngroup kennit idle-time 1800
vpngroup kennit password xxxxx
telnet timeout 5
ssh timeout 5
console timeout 60
username xxxxxxx password xxxxxxxx encrypted privilege 15
terminal width 80
: end

Thx :)
It could be something to do with your NAT setup. You have NAT running for the inside interface but nothing for the DMZ.
The 10.x.x.x will not be able to get routed on the internet....
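
The missing DMZ NAT rule pointed out in the answer above can be caught mechanically. This is an added example, not part of the original thread: a Python check run over the NAT-relevant lines of the posted config (embedded as a constructed excerpt). The function names are hypothetical, and `static` translations are ignored.

```python
import re

# Constructed excerpt: the NAT-relevant lines of the PIX 6.3 config posted above.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
global (outside) 10 interface
nat (inside) 0 access-list 100
nat (inside) 10 0 0
"""

NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)\s*$")
NAT = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(.*)$")
GLOBAL = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+")


def interfaces_without_outbound_nat(config_text):
    """Return named interfaces that have no nat id matched by a global."""
    levels = {}          # interface name -> security level
    nat_ids = {}         # interface name -> set of non-zero NAT ids
    global_ids = set()   # NAT ids that have a global pool or PAT address
    for line in config_text.splitlines():
        line = line.strip()
        if m := NAMEIF.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := NAT.match(line):
            nat_id = int(m.group(2))
            if nat_id != 0:  # "nat 0" is a NAT exemption, not a translation
                nat_ids.setdefault(m.group(1), set()).add(nat_id)
        elif m := GLOBAL.match(line):
            global_ids.add(int(m.group(2)))
    lowest = min(levels.values(), default=0)
    missing = []
    for name, level in levels.items():
        if level == lowest:  # lowest-security interface is the egress side
            continue
        if not (nat_ids.get(name, set()) & global_ids):
            missing.append(name)
    return missing


def audit(config_text):
    """Human-readable findings, one per interface lacking outbound NAT."""
    return [f"{name}: no nat rule paired with a global statement"
            for name in interfaces_without_outbound_nat(config_text)]
```

On the excerpt this reports only `dmz`; appending `nat (dmz) 10 0 0`, which reuses the existing `global (outside) 10 interface`, clears the finding.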
adenhartogAuthor Commented:
LOL :(

Of course I completely forgot about that :)

Thx for your help
No problem, Have a nice day!
