Solved

vlan trunking with PIX 515E

Posted on 2007-10-18
3,762 Views
Last Modified: 2012-05-05
Here's my scenario:

I have a PIX 515E with Interface 4 going into my DMZ VLAN, which is on my 3750 stack. I've created a guest VLAN in my stack and a VLAN interface on the PIX off of interface 4. This VLAN interface is 4.12. I understand I need to trunk the port on my switch to see the VLANs on this interface. Here's what I've put:

Gi1/0/25
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 12,15

However, when I do this I can't get a response back. Can someone help?
Question by:bigz71
14 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 20104949
What version of PIX OS? How did you create the VLAN interface?
That looks like the correct config for the switch side. You might need to create 2 logical subifs on the PIX now that you have 2 VLAN tags.


Author Comment

by:bigz71
ID: 20104989
I'm running version 7 on the PIX. The DMZ interface is native and the GUEST interface is a VLAN off the DMZ. DMZ is Interface 4 and GUEST is Interface 4.12.
LVL 79

Expert Comment

by:lrmoore
ID: 20105172
The native interface is expecting no VLAN tag, whereas you are tagging 2 different VLANs. It worked fine as long as you were connected to an access port. Create another logical VLAN interface 4.15 for VLAN 15 and remove the IP address from the physical interface 4.

Author Comment

by:bigz71
ID: 20105217
Here's what my firewall looks like now and it still doesn't work:

interface Ethernet4
 nameif Trunk
 security-level 0
 no ip address
!
interface Ethernet4.12
 description GUEST
 vlan 12
 nameif GUEST
 security-level 25
 ip address 192.168.12.254 255.255.255.0
!
interface Ethernet4.15
 description DMZ
 vlan 15
 nameif DMZ
 security-level 70
 ip address 192.168.15.254 255.255.255.0

Author Comment

by:bigz71
ID: 20105240
and this is what my switch looks like:

!
interface GigabitEthernet1/0/25
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 12,15
 switchport mode access
!
interface GigabitEthernet2/0/25
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 12,15
 switchport mode access
!
I have two firewalls...
LVL 79

Accepted Solution

by:
lrmoore earned 760 total points
ID: 20105276
> switchport mode access
Needs to be switchport mode trunk

Author Comment

by:bigz71
ID: 20105304
Changed to switchport mode trunk and still no luck...
LVL 79

Expert Comment

by:lrmoore
ID: 20105314
Can you post result of 'show interface' from the PIX showing those three interfaces?
Did you cycle the interface on the switch and/or PIX? shut/no shut?

Author Comment

by:bigz71
ID: 20105366
Yes, a shut/no shut was performed on the stack and the PIX. Here's the config:

BTW, thanks for the help so far.

Interface Ethernet4 "Trunk", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 000d.8811.94b6, MTU 1500
        IP address unassigned
        112133914 packets input, 49387809096 bytes, 0 no buffer
        Received 2238824 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        1423 L2 decode drops
        97705257 packets output, 27967621576 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        5 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/40)
        output queue (curr/max blocks): hardware (0/30) software (0/3)
  Traffic Statistics for "Trunk":
        112260370 packets input, 47638335615 bytes
        97800990 packets output, 26208047060 bytes
        455188 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Ethernet4.12 "GUEST", is up, line protocol is up
        VLAN identifier 12
        Description: GUEST
        MAC address 000d.8811.94b6, MTU 1500
        IP address 192.168.12.254, subnet mask 255.255.255.0
  Traffic Statistics for "GUEST":
        456 packets input, 22800 bytes
        5 packets output, 140 bytes
        456 packets dropped
Interface Ethernet4.15 "DMZ", is up, line protocol is up
        VLAN identifier 15
        Description: DMZ
        MAC address 000d.8811.94b6, MTU 1500
        IP address 192.168.15.254, subnet mask 255.255.255.0
  Traffic Statistics for "DMZ":
        627 packets input, 34208 bytes
        82 packets output, 5804 bytes
        603 packets dropped

Author Comment

by:bigz71
ID: 20105429
Increased this by 65 more points... all I have for now!

Author Comment

by:bigz71
ID: 20105542
Anybody? My DMZ is currently down and I need to bring it back ASAP!
LVL 79

Expert Comment

by:lrmoore
ID: 20108052
Sorry to leave you hanging. Hope you were able to get back to where you were, at least.
Whenever you change up interfaces like you did with the DMZ interface to a sub-interface, you also have to adjust all your statics, NATs, and access-lists to match the new interface.
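As an added example (not from the thread, the poster, or Cisco), the consistency checks lrmoore raises here and at the trunking step earlier, written as a small Python script over constructed PIX and IOS snippets modelled on the posted configs: the switch port must be in trunk mode, the physical interface that now carries tagged subinterfaces must hold no IP address, and every nameif referenced by static/nat/global/access-group lines must still exist. The 'inside' interface, the static line with the stale name dmz_old and the access-group line are assumptions added to exercise the checks.

```python
import re
# Constructed sample configs modelled on the thread (not the poster's full configs); the 'inside'
# interface, the static line (stale nameif dmz_old) and the access-group line are assumptions.
PIX_CFG = """interface Ethernet1
 nameif inside
interface Ethernet4
 nameif Trunk
interface Ethernet4.12
 vlan 12
 nameif GUEST
 ip address 192.168.12.254 255.255.255.0
interface Ethernet4.15
 vlan 15
 nameif DMZ
 ip address 192.168.15.254 255.255.255.0
static (inside,dmz_old) 192.168.15.11 10.0.0.11 netmask 255.255.255.255
access-group guest_in in interface GUEST"""
SWITCH_CFG = """interface GigabitEthernet1/0/25
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 12,15
 switchport mode access"""

def parse_pix(cfg):
    # interface id -> {nameif, vlan, ip address}; refs = nameifs used by static/nat/global/access-group
    ifaces, refs, cur = {}, [], None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {})
        elif cur is not None and (m := re.match(r" (nameif|vlan|ip address) (\S+)", line)):
            cur[m.group(1)] = m.group(2)
        elif m := re.match(r"(?:static|nat|global) \((\w+)(?:,(\w+))?\)", line):
            refs += [n for n in m.groups() if n]
        elif m := re.match(r"access-group \S+ (?:in|out) interface (\w+)", line):
            refs.append(m.group(1))
    return ifaces, refs

def check(pix_cfg, switch_cfg):
    # Returns findings; an empty list means switch port, PIX subinterfaces and NAT/ACL references agree.
    ifaces, refs = parse_pix(pix_cfg)
    mode = next(iter(re.findall(r"switchport mode (\w+)", switch_cfg)), "access")
    findings = []
    if mode != "trunk":
        findings.append(f"switch port mode is '{mode}'; tagged subinterfaces need 'switchport mode trunk'")
    parents = {i.split(".")[0] for i in ifaces if "." in i}  # physical ports that carry subinterfaces
    for ifid, i in ifaces.items():
        if ifid in parents and "ip address" in i:
            findings.append(f"{ifid} carries tagged subinterfaces but still has an IP address")
    known = {i["nameif"].lower() for i in ifaces.values() if "nameif" in i}
    findings += [f"'{r}' is used by static/nat/global/access-group but is not a current nameif" for r in refs if r.lower() not in known]
    return findings
```

Running check(PIX_CFG, SWITCH_CFG) on the constructed sample reports the access-mode port and the stale dmz_old reference, the two mistakes the thread worked through.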

Author Comment

by:bigz71
ID: 20108094
I figured out the issue... it was my static NATs... I guess that's what happens when you work at 2am... Points awarded to you.
LVL 79

Expert Comment

by:lrmoore
ID: 20108129
Glad you got it sorted.
