Virtual interface

Posted on 2006-05-31
Last Modified: 2013-11-15
Let me explain my network:

--Internet pipe--
--PIX506E (I have a PIX515E in production), outside connected to the PUBLIC VLAN
--PIX inside connected to the switch private VLAN
Because of an OLD sin we assigned only 253 hosts to the inside interface.

Now I would like to wash away the OLD SIN; I would like to expand the network. I know the following solutions are possible:

[1] Change the mask on the PIX inside interface -- as this is a production setup, I would need to make a lot of changes at ACL / machine / load balancer level. Downtime is also required for this process.
[2] I came to know from Cisco that my PIX will support virtual interfaces, so I did the following on a staging setup:

-pix inside IP is
-created Virtual interface virt and IP is

Now my problem is I am not able to ping from my machines.

Please give me a suggestion or some other idea which will solve my problem.

Question by:arvind
    LVL 79

    Expert Comment

    Virtual interfaces on a PIX are not the same as sub-interfaces on a router. Each still has its own security level. You still have to set up access-lists and NAT rules or exemptions between interfaces of different security levels.
    I'm assuming that you're talking about the 506? Then if you assign the two interfaces the same security level there will be NO communication between them.
    If you're talking about the 515, and if you upgrade to v7, you can then set up basic routing between two interfaces of the same security level.
    LVL 5

    Author Comment

    Here is my running config:
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    interface ethernet1 vlan4 logical
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif vlan4 virt security80
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname pixfirewall
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside
    ip address inside
    ip address virt
    ip audit info action alarm
    ip audit attack action alarm
    pdm location outside
    pdm location inside
    pdm location inside
    pdm location inside
    pdm location inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 netmask
    global (inside) 1 netmask
    nat (outside) 1 0 0
    nat (inside) 1 0 0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet inside
    telnet timeout 5
    ssh inside
    ssh timeout 5
    console timeout 0
    terminal width 80
    : end
    Please suggest what I should add in the ACL?

    LVL 8

    Expert Comment

    Hi arvind, what are these for? I really can't understand:
    global (inside) 1 netmask
    nat (outside) 1 0 0
    Anyway, I believe you can give a different security level to the virtual interface and define an ACL permitting all IP within the 2 local networks:

    access-list 101 permit ip
    access-list 101 permit ip
    access-group 101 in interface virt
    nat (inside) 1

    I believe that should make things work, as you don't have much on it besides browsing traffic.
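    The two expert replies above describe the same rule: on PIX 6.3 a virtual interface is a full interface with its own security level, so a pair of interfaces only passes traffic once there is a translation (nat/global, static, or nat 0) and, for lower-to-higher traffic, an access-group bound inbound on the lower interface. The script below is an added example, not code from Cisco or from anyone in this thread. It parses a PIX 6.3-style config for exactly those lines and reports, per ordered interface pair, what is missing. The two embedded configs are constructed: the first mirrors the posted config (with placeholder RFC 1918 / documentation addresses standing in for the stripped ones), the second adds a static, an ACL on virt and a nat for virt, which is the shape of the fix the second reply suggests.

```python
"""Audit a PIX 6.3-style config for what each interface pair needs before
traffic can cross it. Added example with constructed sample configs; the
regexes only pick out the fields the checks use."""
import itertools
import re

NAMEIF_RE = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
ACCESS_GROUP_RE = re.compile(r"^access-group\s+\S+\s+in\s+interface\s+(\S+)$")
STATIC_RE = re.compile(r"^static\s+\(([^,]+),([^)]+)\)")   # static (high,low) ...
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\b")         # nat (if) id ...
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\b")   # global (if) id ...


def parse_pix(config):
    """Collect security levels, interfaces with an inbound ACL, static pairs,
    and the nat/global ids seen per interface."""
    levels, acl_on, statics, nat_ids, global_ids = {}, set(), set(), {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := ACCESS_GROUP_RE.match(line):
            acl_on.add(m.group(1))
        elif m := STATIC_RE.match(line):
            statics.add((m.group(1), m.group(2)))
        elif m := NAT_RE.match(line):
            nat_ids.setdefault(m.group(1), set()).add(int(m.group(2)))
        elif m := GLOBAL_RE.match(line):
            global_ids.setdefault(m.group(1), set()).add(int(m.group(2)))
    return levels, acl_on, statics, nat_ids, global_ids


def audit(config):
    """Return {(src, dst): [findings]} for every ordered interface pair;
    an empty list means the 6.3 prerequisites for src -> dst are present."""
    levels, acl_on, statics, nat_ids, global_ids = parse_pix(config)
    report = {}
    for src, dst in itertools.permutations(levels, 2):
        findings = []
        if levels[src] == levels[dst]:
            # 6.3 has no same-security-traffic command; 7.0 added it.
            findings.append("same security level: PIX 6.3 passes no traffic between them")
            report[(src, dst)] = findings
            continue
        high, low = (src, dst) if levels[src] > levels[dst] else (dst, src)
        has_static = (high, low) in statics          # static works both ways
        exempt = 0 in nat_ids.get(high, set())       # nat (high) 0 ... exemption
        if src == high:
            # higher -> lower needs a translation but no ACL by default.
            shared = nat_ids.get(src, set()) & (global_ids.get(dst, set()) - {0})
            if not (has_static or exempt or shared):
                findings.append(f"no translation {src} -> {dst}: add nat ({src}) N with "
                                f"global ({dst}) N, or static ({high},{low})")
        else:
            # lower -> higher needs a static (or nat 0) for the higher-side
            # hosts AND an access-group bound inbound on the lower interface.
            if not (has_static or exempt):
                findings.append(f"no static ({high},{low}) or nat ({high}) 0: "
                                f"{src} cannot reach {dst} hosts")
            if src not in acl_on:
                findings.append(f"no access-group in interface {src}: "
                                f"lower-to-higher traffic is denied by default")
        report[(src, dst)] = findings
    return report


# Constructed excerpt mirroring the posted config; addresses are placeholders.
POSTED = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan4 virt security80
ip address outside 203.0.113.2 255.255.255.0
ip address inside 192.168.14.1 255.255.255.0
ip address virt 192.168.4.1 255.255.255.0
global (outside) 1 203.0.113.10 netmask 255.255.255.0
global (inside) 1 192.168.14.250 netmask 255.255.255.0
nat (outside) 1 0 0
nat (inside) 1 0 0
"""

# Same config plus the pieces that let inside and virt talk and virt reach outside.
FIXED = POSTED + """\
static (inside,virt) 192.168.14.0 192.168.14.0 netmask 255.255.255.0
access-list virt_in permit ip 192.168.4.0 255.255.255.0 192.168.14.0 255.255.255.0
access-group virt_in in interface virt
nat (virt) 1 0 0
"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(f"== {name} ==")
        for pair, findings in audit(cfg).items():
            print(f"{pair[0]:>8} -> {pair[1]:<8}", "; ".join(findings) or "ok")
```

    On the posted shape the audit flags inside -> virt (nat (inside) 1 has no matching global on virt) and virt -> inside (no static, no ACL on virt), which is why pings between the two VLANs fail while inside -> outside is fine. The outside -> inside findings remain in the fixed config as well; that is the expected state for an Internet-facing interface with no published statics.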
    LVL 5

    Author Comment

    I'll try this and let you know. By the way, that is my testing PIX config.

    LVL 5

    Author Comment

    Not able to ping the 101 series.

    Could you please suggest a fresh config for me, as this is my testing PIX.

    My inside interface is connected to VLAN 14
    Extra VLAN is VLAN4

    LVL 5

    Author Comment

    I solved problem by myself...
    LVL 5

    Accepted Solution

    Closed, 500 points refunded.
    Site Admin
