  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1362

Cisco PIX VLAN not working

I have a pix 506e and I'm trying to get it to route for two vlans.
I have the trunk link set up on the inside interface of the PIX, to fa0/5 of the switch. I'm using 802.1q.

int fa0/17 is configured to vlan2 (192.168.4.0)
The rest of the ports are vlan1 (192.168.3.0)

192.168.4.0 cannot communicate with the pix
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
enable password xIsrlcAkUmuvQSHs encrypted
passwd xIsrlcAkUmuvQSHs encrypted
hostname fwall
domain-name chpk.cpk.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ipsec permit ip 192.168.3.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list outside-to-inside permit icmp any any
access-list outside-to-inside permit tcp any interface outside eq 9090
access-list outside-to-inside permit tcp any interface outside eq www
pager lines 24
logging on
logging buffered informational
logging history informational
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.3.1 255.255.255.0
ip address dmz 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 192.168.4.0 255.255.255.0 0 0
static (inside,outside) tcp interface www 192.168.3.130 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9090 192.168.3.131 9090 netmask 255.255.255.255 0 0
access-group outside-to-inside in interface outside
route outside 0.0.0.0 0.0.0.0 71.200.32.1 1
route outside 172.16.0.0 255.255.0.0 71.200.32.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set aesmap esp-aes-256 esp-md5-hmac
crypto map mymap 88 ipsec-isakmp
crypto map mymap 88 match address ipsec
crypto map mymap 88 set peer 75.140.145.225
crypto map mymap 88 set transform-set aesmap
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 75.140.145.225 netmask 255.255.255.255 no-xauth
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
terminal width 80
Cryptochecksum:14645a136da4e57f42779e392f3ccf1a
: end

Asked by: dissolved
1 Solution
 
dissolvedAuthor Commented:


version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Switch
!
logging buffered 16384 informational
enable secret 5 $1$uc2b$epHesnDuRC24F6FaR3F1c.
!
username ryan privilege 15 password 7 120B0A191B055A527C
!
!
!
!
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
 duplex full
 speed 100
!
interface FastEthernet0/2
 duplex full
 speed 100
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
 switchport access vlan 2
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface VLAN1
 ip address 192.168.3.254 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
ip default-gateway 192.168.3.1
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 password 7 1317181C0202527C7D
 logging synchronous
 login
 refuse-message ^Cet_the_fuck_out
^C
 transport input telnet
line vty 5 15
 no login
!
end
 
Switch#


0
 
JFrederick29Commented:
So, from the 192.168.4.x PC connected to fa0/17 on the switch, you can't ping 192.168.4.1?
0
 
dissolvedAuthor Commented:
Right I can't ping it. Port 17 has a wap with a 192.168.4.1 address. The wireless clients can ping the wap but nothing else
0
 
JFrederick29Commented:
Ahh, okay, your wap and pix overlap.  Change the IP on the wap or PIX to 192.168.4.2.

conf t
ip address dmz 192.168.4.2 255.255.255.0
0
 
dissolvedAuthor Commented:
$hit, I meant to say the WAP's address was 192.168.4.2. The interface on the PIX is 192.168.4.1. Sorry, I was typing that from my BlackBerry.
0
 
JFrederick29Commented:
Try adding this to the PIX:

conf t
interface ethernet1 vlan1 physical

Does the 192.168.3.x subnet work properly?
0
 
dissolvedAuthor Commented:
Ok I did the command. Still nothing. Yes the 192.168.3.x subnet works great
0
 
JFrederick29Commented:
Can you post a "show vlan" and a "show int trunk" from the switch.
0
 
RPPreacherCommented:
The PIX is not a router.  A PIX, by design, will NOT send information out the same port that it received it.

Version 7.x and 8.x has a way around this but you cannot do this on 506E.

Reference any of these
http://www.google.com/search?q=pix+same+interface
0
 
dissolvedAuthor Commented:
I don't have the "sh int trunk" option.

Switch#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9,
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13,
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/18,
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22,
                                                Fa0/23, Fa0/24
2    VLAN0002                         act/lshut Fa0/17
3    VLAN0003                         active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
 
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    srb      0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0
Switch#


0
 
dissolvedAuthor Commented:
I see fa0/17 is in a local shutdown state?
0
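The act/lshut state in the "show vlan" output above is easy to miss in a wrapped table, and the trunk port (fa0/5) never appears in the Ports column because that column lists access ports only. As an added example that is not part of this thread, here is a small parser for that output: it collects each VLAN's wrapped port list and reports every VLAN whose status is not "active", together with the access ports assigned to it. The sample is constructed from the output posted above with most of the VLAN 1 ports and the second (type/SAID) table trimmed.

```python
"""Parse an old-IOS 'show vlan' table and flag VLANs the switch is not forwarding.
Added example, not from the thread; the sample below is constructed from the output posted above."""
import re

SHOW_VLAN = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9,
                                                Fa0/23, Fa0/24
2    VLAN0002                         act/lshut Fa0/17
3    VLAN0003                         active
1002 fddi-default                     active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
"""

# A VLAN row starts in column 0 with the VLAN id; wrapped port lists start with spaces.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")


def _ports(s):
    return [p.strip() for p in s.split(",") if p.strip()]


def parse_show_vlan(text):
    """Return {vlan_id: {"name", "status", "ports"}} from the first table of 'show vlan'."""
    vlans, current = {}, None
    for line in text.splitlines():
        if line.startswith("VLAN Type"):          # second table (SAID/MTU); nothing we need
            break
        if not line.strip() or line.startswith(("VLAN", "----")):
            continue
        m = ROW.match(line)
        if m:
            vid, name, status, ports = m.groups()
            current = int(vid)
            vlans[current] = {"name": name, "status": status, "ports": _ports(ports)}
        elif current is not None:                 # continuation of the previous row's port list
            vlans[current]["ports"].extend(_ports(line))
    return vlans


def find_problem_vlans(vlans):
    """VLANs whose status is anything other than 'active' (e.g. act/lshut), with their access ports."""
    return [(vid, v["status"], v["ports"])
            for vid, v in sorted(vlans.items()) if v["status"] != "active"]


def ports_in_problem_vlans(vlans):
    """Map each access port to the non-active VLAN it is stuck in."""
    return {port: vid for vid, _, ports in find_problem_vlans(vlans) for port in ports}


if __name__ == "__main__":
    parsed = parse_show_vlan(SHOW_VLAN)
    for vid, status, ports in find_problem_vlans(parsed):
        print(f"VLAN {vid} is {status}; affected ports: {', '.join(ports) or 'none'}")
```

Run against the full output, it points straight at the access ports (here Fa0/17, where the WAP sits) whose VLAN the switch is not forwarding. The thread cleared that state with the "vlan database" / "vlan 2 state active" step further down and confirmed it with another "show vlan", which is the right order: fix the switch side first, then test the PIX.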
 
JFrederick29Commented:
Try this:

conf t
no shut vlan 2
0
 
JFrederick29Commented:
RPPreacher:

Using VLANs on the PIX is actually like having 3 physical interfaces (inside, outside, dmz).  The vlan1 (inside) to vlan2 (dmz) traffic is traversing two different interfaces, albeit logical.  The inside-to-inside rules don't apply.
0
 
RPPreacherCommented:
Are you running unrestricted license?  Restricted does not support logical interfaces.
0
 
dissolvedAuthor Commented:
Yes, it's a restricted license :(
0
 
JFrederick29Commented:
I didn't think restricted applied to 501/506 other than user restrictions.

Did you try the no shut vlan2 on the switch?
0
 
dissolvedAuthor Commented:
Yes I tried the no shut vlan2 and it said it wasn't shut down. I found this link: http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html#wp1113411
0
 
dissolvedAuthor Commented:
the above link states that the restricted license does not support vlans :(
Thanks for the feedback guys
0
 
JFrederick29Commented:
Yeah, but you see the footnote regarding the 501/506:

PIX 501 and PIX 506/506E do not support Restricted/Unrestricted licenses.
0
 
dissolvedAuthor Commented:
hmmm, I wonder why it does not work. I ran a packet sniffer and I keep seeing my WAP sending out ARP requests for 192.168.4.1. 192.168.4.1 does not respond
0
 
JFrederick29Commented:
I'll grab a 506 tomorrow and get it working then pass on the working setup.
0
 
dissolvedAuthor Commented:
thanks!
0
 
JFrederick29Commented:
Can you post a show version from the PIX.
0
 
dissolvedAuthor Commented:

fwall# sh ver

Cisco PIX Firewall Version 6.3(5)
Cisco PIX Device Manager Version 3.0(1)

Compiled on Thu 04-Aug-05 21:40 by morlee

fwall up 1 day 13 hours

Hardware:   PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 000f.242a.4b30, irq 10
1: ethernet1: address is 000f.242a.4b31, irq 11
Licensed Features:
Failover:                    Disabled
VPN-DES:                     Enabled
VPN-3DES-AES:                Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces:          4
Cut-through Proxy:           Enabled
Guards:                      Enabled
URL-filtering:               Enabled
Inside Hosts:                Unlimited
Throughput:                  Unlimited
IKE peers:                   Unlimited

This PIX has a Restricted (R) license.

Serial Number: 808050462 (0x3029df1e)
Running Activation Key: 0xc45a23e0 0x6ae05e73 0x01df5c91 0x6f39bc42
Configuration last modified by enable_15 at 05:19:11.824 UTC Mon Apr 20 2009
fwall#
0
 
JFrederick29Commented:
Okay, looks good.  I got this working with the following config.  Same version (6.3(5)) with restricted license.

Switch:

vlan 2

interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 2
 switchport mode access

PIX:

interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
...
ip address outside 10.3.3.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0
...
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
nat (dmz) 1 10.2.2.0 255.255.255.0
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0     <--needed to enable inside to dmz comm.
...
route outside 0.0.0.0 0.0.0.0 10.3.3.2

If you are trying to ping from the inside to DMZ, you need to allow ICMP replies back into the DMZ interface.

access-list dmz permit icmp any any echo-reply
access-group dmz in interface dmz

Can you post a new "show run" from the switch and pix and a "show vlan" from the switch.
0
 
dissolvedAuthor Commented:
Great, thank you for doing that for me. Below are the sh runs
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
enable password xIsrlcAkUmuvQSHs encrypted
passwd xIsrlcAkUmuvQSHs encrypted
hostname fwall
domain-name chpk.cpk.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list ipsec permit ip 192.168.3.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside-to-inside permit icmp any any
access-list outside-to-inside permit tcp any interface outside eq 9090
access-list outside-to-inside permit tcp any interface outside eq www
access-list split_tunnel_acl permit ip 192.168.3.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list dmz permit icmp any any echo-reply
pager lines 24
logging on
logging buffered informational
logging history informational
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.3.1 255.255.255.0
ip address dmz 192.168.4.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn-pool 192.168.50.10-192.168.50.13 mask 255.255.255.0
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 192.168.4.0 255.255.255.0 0 0
static (inside,outside) tcp interface www 192.168.3.130 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9090 192.168.3.131 9090 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.4.0 192.168.4.0 netmask 255.255.255.0 0 0
access-group outside-to-inside in interface outside
access-group dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 71.200.32.1 1
route outside 172.16.0.0 255.255.0.0 71.200.32.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set aesmap esp-aes-256 esp-md5-hmac
crypto dynamic-map vpn 65535 set transform-set aesmap
crypto dynamic-map vpn 65535 set security-association lifetime seconds 84600 kilobytes 4608000
crypto map mymap 88 ipsec-isakmp
crypto map mymap 88 match address ipsec
crypto map mymap 88 set transform-set aesmap
! Incomplete
crypto map vpn 65535 ipsec-isakmp dynamic vpn
crypto map vpn client configuration address initiate
crypto map vpn client authentication LOCAL
crypto map vpn interface outside
isakmp enable outside
isakmp key ******** address 75.150.145.225 netmask 255.255.255.255 no-xauth
isakmp nat-traversal 20
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
vpngroup family address-pool vpn-pool
vpngroup family split-tunnel split_tunnel_acl
vpngroup family idle-time 14400
vpngroup family password ********
vpngroup password idle-time 1800
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
username ryan password wo85KkhVm8/NDCLO encrypted privilege 15
username oscar password dcNuXgVIC4i4Lffv encrypted privilege 2
terminal width 80
Cryptochecksum:04a5beba38bf5e448dae36a845624ce9
: end
fwall#
 
 
------------------------------------------------------------
 
Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Switch
!
logging buffered 16384 informational
enable secret 5 $1$uc2b$epHesnDuRC24F6FaR3F1c.
!
username ryan privilege 15 password 7 120B0A191B055A527C
!
!
!
!
!
ip subnet-zero
!
!
!
interface FastEthernet0/1
 duplex full
 speed 100
!
interface FastEthernet0/2
 duplex full
 speed 100
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
 switchport access vlan 2
!
interface FastEthernet0/17
 shutdown
 switchport access vlan 2
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface VLAN1
 ip address 192.168.3.254 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
!
ip default-gateway 192.168.3.1
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 logging synchronous
 login
 
^C
 transport input telnet
line vty 5 15
 no login
!
end
 
Switch#


0
 
dissolvedAuthor Commented:
Should the following work?


fwall# ping inside 192.168.4.1
        192.168.4.1 NO response received -- 1000ms
        192.168.4.1 NO response received -- 1000ms
        192.168.4.1 NO response received -- 1000ms
fwall#
0
 
JFrederick29Commented:
No, that won't work.

I would plug a PC into the switch and assign the port to VLAN2.  Assign the PC a free 192.168.4.x IP then try to ping from the PC to 192.168.4.1.

Config looks good except your static for inside to dmz traffic.

conf t
no static (inside,dmz) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0

Do this on the switch if you still can't ping from the PC to 192.168.4.1.

vlan d
vlan 2 state active
0
 
dissolvedAuthor Commented:
OK, I did that on the switch and the VLAN said active.

I also made the nat changes. I cannot ping 192.168.4.2, my WAP
0
 
JFrederick29Commented:
Did you try plugging a PC into the switch on the same subnet?

Does a "show vlan" now show active for VLAN2 instead of act/lshut?

Did you make the static change on the PIX?

conf t
no static (inside,dmz) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (inside,dmz) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
0
 
dissolvedAuthor Commented:
VLAN2 has shown active ever since I did a "no shut vlan 2" over the weekend.
I did make the change on the pix.

I haven't plugged a pc into the port yet. I will tonight. right now, there is a WAP plugged in with a 192.168.4.2 address.  Wireless clients can ping the WAP as long as they're in the 192.168.4.0/ address scheme.
0
 
JFrederick29Commented:
Okay, but a 192.168.4.x wireless client can't ping 192.168.4.1?  The wireless clients and the AP have a default gateway of 192.168.4.1, right?
0
 
dissolvedAuthor Commented:
that is correct
0
 
JFrederick29Commented:
Okay, add this just until connectivity is working:

conf t
access-list dmz permit ip any any

The configs look good so I'm wondering if it is something with the Wireless or AP.  Try the PC into a VLAN2 switchport and see if you can ping 192.168.4.1 and if a VLAN1 PC can communicate with the VLAN2 PC.
0
 
JFrederick29Commented:
Also post a "show vlan" from the switch and a "show int fa0/5 trunk" from the switch.

FastEthernet0/5 is connected to the E1 interface on the PIX, right?
The AP is connected to Fa0/16, right?
0
 
dissolvedAuthor Commented:
OK. I added the "access-list dmz permit ip any any".
I then plugged my PC directly into the port and gave myself a 192.168.4.0 address. Everything works. Sweet.

What about this "access-list dmz permit ip any any" command? Is it safe to leave there or no?

thanks again J
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9,
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13,
                                                Fa0/14, Fa0/15, Fa0/18, Fa0/19,
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23,
                                                Fa0/24
2    VLAN0002                         active    Fa0/16, Fa0/17
3    VLAN0003                         active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
 
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
2    enet  100002     1500  -      -      -        -    -        0      0
3    enet  100003     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    srb      0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0
Switch#
 
 
Switch# sh int fa0/5  (the fa0/5 trunk command wasn't supported)
 
 
Switch#sh int fa0/5
FastEthernet0/5 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0030.1944.2d45 (bia 0030.1944.2d45)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Auto-duplex (Full), Auto Speed (100), 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 1d21h, output 00:00:00, output hang never
  Last clearing of "show interface" counters 5d23h
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
     2730530 packets input, 3119865247 bytes
     Received 6790 broadcasts, 16 runts, 0 giants, 0 throttles
     16 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 87 multicast
     0 input packets with dribble condition detected
     3732514 packets output, 524139331 bytes, 0 underruns
     0 output errors, 1 collisions, 0 interface resets
     0 babbles, 0 late collision, 9 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Switch#


0
 
dissolvedAuthor Commented:
by the way J, nothing worked until I issued "access-list dmz permit ip any any"

That's when I could get out to the internet. Before that, I could ping the PIX and that was it.
0
 
JFrederick29Commented:
Eventually you will want to restrict access if you don't want the DMZ to access the inside for example.  Do you want the Wireless clients to access anything on the inside?  Are the wireless clients using DNS servers on the inside LAN (192.168.3.0)?  If so, that is why the permit ip any any lets Internet work.
0
 
dissolvedAuthor Commented:
the wireless clients are using an external dns server for name resolution
0
 
dissolvedAuthor Commented:
J, I bought a new WAP and did the same thing we discussed here and everything works. Looks like the Belkin Fd5 WAP did not want to work in my environment.
0
