VLANs and the 506E

I know this only has two physical Ethernet ports. But is there a way to do VLANs on this?  I have the local network on a 192.168.3.0/24 subnet. I want to put all of the wireless stuff on the 192.168.4.0/24 network and have no connectivity between the two. How can I do this?

Thanks
Asked by: dissolved
1 Solution
 
JFrederick29 commented:
Yes, you can trunk the ethernet1 interface to a switch that supports 802.1Q trunking.

Here is an example config:

interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
...
ip address outside 1.1.1.1 255.255.255.240
ip address inside 192.168.3.1 255.255.255.0
ip address dmz 192.168.4.1 255.255.255.0
...
 
dissolved (author) commented:
The link between the switch's switchport and the PIX's inside interface should be a trunk link then, correct?
 
dissolved (author) commented:
Never mind, the answer was in your response! Thanks again.
 
dissolved (author) commented:
J, I have the VLAN set up on my switch, as well as the trunk configured between my PIX and switch. The PIX has the added VLAN interface as well.

Users on the 192.168.4.0/24 subnet can communicate with each other, but can't get out to the Internet. I don't think the PIX is doing any routing. Do I need to add any route statements?
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
enable password xIsrlcAkUmuvQSHs encrypted
passwd xIsrlcAkUmuvQSHs encrypted
hostname fwall
domain-name chpk.cpk.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ipsec permit ip 192.168.3.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside-to-inside permit icmp any any
access-list outside-to-inside permit tcp any interface outside eq 9090
access-list outside-to-inside permit tcp any interface outside eq www
pager lines 24
logging on
logging buffered informational
logging history informational
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.3.1 255.255.255.0
ip address dmz 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface 9090 192.168.3.233 9090 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface www 192.168.3.130 www netmask 255.255.255.255 0 0
access-group outside-to-inside in interface outside
route outside 0.0.0.0 0.0.0.0 71.200.32.1 1
route outside 172.16.0.0 255.255.0.0 71.200.32.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set aesmap esp-aes-256 esp-md5-hmac
crypto map mymap 88 ipsec-isakmp
crypto map mymap 88 match address ipsec
crypto map mymap 88 set peer 75.140.145.225
crypto map mymap 88 set transform-set aesmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 75.140.145.225 netmask 255.255.255.255 no-xauth
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:9c2eb014bad3b71492e71bcd2adedfd8
: end

 
JFrederick29 commented:
Add this:

nat (dmz) 1 192.168.4.0 255.255.255.0
 
dissolved (author) commented:
Thanks!
 
dissolved (author) commented:
Well, still nothing. Here is the switch sh run:
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Switch
!
 
!
 
!
!
!
!
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
 duplex full
 speed 100
!
interface FastEthernet0/2
 duplex full
 speed 100
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5 <---------------------to e1 of pix
 switchport trunk encapsulation dot1q
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17 <---------------WAP (192.168.4.2) plugged in here
 switchport access vlan 2
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface VLAN1
 ip address 192.168.3.254 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
ip default-gateway 192.168.3.1
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 password 7 1317181C0202527C7D
 logging synchronous
 login
 
!
end

 
dissolved (author) commented:
I just realized I never made fa0/5 an actual trunk. I just defined the encapsulation. Sorry to bother you so much.
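Pulling the thread's three fixes together (802.1Q trunk on the switch port facing ethernet1, a logical VLAN interface on the PIX, and a nat entry for the dmz), here is a complete working pair of configs for the setup discussed: a PIX 506E on 6.3 trunked to a Catalyst, with the wireless AP on VLAN 2. This is an added example written for this page, not configuration from JFrederick29's posts or from Cisco documentation. It also adds one thing the thread never got to: the original question asked for no connectivity between 192.168.3.0/24 and 192.168.4.0/24, and as posted that isolation rests only on the security levels and on there being no inside-to-dmz translation (a later `global (dmz)` or `static (inside,dmz)` would silently reopen it), so the ACLs below state the policy explicitly. The ACL names dmz-in and inside-in, the annotation lines starting with `!`, and the allowed-VLAN pruning are mine; VLAN 2 is assumed to already exist on the switch (the author says it does), and the `!` lines must be stripped before pasting into the PIX, which does not accept them. The `switchport trunk allowed vlan 1,2` form is assumed; some 12.0 XL images only take the `add`/`remove` variants.

```cisco
! ===== Catalyst side (IOS) =====
! Fa0/5 -> PIX ethernet1. The posted config set the encapsulation but never
! put the port in trunk mode, so it stayed an untagged access port in VLAN 1
! and the PIX's vlan2 logical interface never saw a tagged frame.
interface FastEthernet0/5
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2
!
! Fa0/17 -> wireless AP (192.168.4.2), untagged in VLAN 2
interface FastEthernet0/17
 switchport mode access
 switchport access vlan 2
!
! ===== PIX 506E side (6.3) =====
! Untagged frames on ethernet1 (native VLAN 1 on the trunk) stay on "inside";
! frames tagged VLAN 2 land on the logical interface "dmz".
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
ip address inside 192.168.3.1 255.255.255.0
ip address dmz 192.168.4.1 255.255.255.0
!
! PIX 6.3 will not forward between interfaces without a translation, which is
! why 192.168.4.0/24 could reach its neighbours but not the Internet: only the
! inside interface was tied to global pool 1. The dmz needs its own nat entry
! pointing at the same pool so its hosts are PATed to the outside address.
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (dmz) 1 192.168.4.0 255.255.255.0 0 0
!
! Enforce "no connectivity between the two" in both directions.
! dmz -> inside is denied; everything else leaving the dmz (the Internet) is
! allowed. Once an access-group is bound, the ACL replaces the default
! higher-to-lower permit, so the permit line is required for Internet access.
access-list dmz-in deny ip 192.168.4.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list dmz-in permit ip 192.168.4.0 255.255.255.0 any
access-group dmz-in in interface dmz
!
! inside -> dmz is denied too; the permit keeps the existing inside traffic
! (Internet, and the 172.16.0.0/16 VPN traffic exempted by nat 0) working.
access-list inside-in deny ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside-in permit ip 192.168.3.0 255.255.255.0 any
access-group inside-in in interface inside
```

To check it: on the switch, show interface fastethernet0/5 switchport should report operational mode trunk with encapsulation dot1q; on the PIX, show interface should list vlan2 as up, and after a wireless client browses the Internet show xlate should show a 192.168.4.x entry translated to the outside address. A ping from a 192.168.4.x host to a 192.168.3.x host should fail and increment the hit count on the deny line in show access-list dmz-in, while pings to the Internet succeed. Unrelated to the VLAN question but visible in the posted running config and worth tightening at the same time: ssh 0.0.0.0 0.0.0.0 outside allows SSH to the firewall from the whole Internet, snmp-server community public exposes the default read community, and the outside-to-inside ACL permits ICMP from any source.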
