Cisco Catalyst 6509 to Cisco PIX 515E InterVLAN routing issue

OK, so the story is: I have inherited a network consisting of a Cisco Catalyst 6509 and a pair of Cisco PIX 515E ver 7.0(1), with several devices sitting on different VLANs.

The PIXes are configured for simple active/passive failover. I have connected each of the PIX Ethernet 1 ports to the 6509 (Gi3/47 and Gi3/48) and configured them as trunk ports. Each of the Ethernet 0 ports on the PIXes is an uplink to the ISP's switches.

The issue I am currently having is communicating between VLANs. I previously had a router on a stick setup, but this was apparently causing issues and I was advised to perform interVLAN routing via the PIX.

So at present, when I am consoled onto the C6509, I can ping everything. When I am consoled onto the PIX I can ping everything, BUT when I try to communicate with a device on a different VLAN, e.g. a server on VLAN 6 (172.16.0.1) to a server on VLAN 3 (172.16.16.2), it fails. I can only communicate with devices in the same VLAN. The default gateways of the devices are set to the corresponding IP address of the VLAN subinterface on the PIX.

Am I missing something obvious here?



C6509 trunk links to PIX inside interfaces

interface GigabitEthernet3/47
 description UPLINK to PIX-01 Primary
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6,100
 switchport mode trunk
 no ip address
 speed 100
 duplex full
!
interface GigabitEthernet3/48
 description UPLINK to PIX-01 Secondary
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-6,100
 switchport mode trunk
 no ip address
 speed 100
 duplex full
!
!


The following VLANs exist on the C6509:


interface Vlan1
 no ip address
!
interface Vlan2
 description Hardware Admin Network
 ip address 172.16.19.253 255.255.255.0
!
interface Vlan3
 description Services Network
 ip address 172.16.16.253 255.255.255.0
!
interface Vlan4
 description DMZ Network
 ip address 172.16.17.253 255.255.255.0
!
interface Vlan5
 description Byte Network
 no ip address
!
interface Vlan6
 description Basestation Network
 ip address 172.16.15.253 255.255.240.0
!
interface Vlan100
 description Trap Network
 ip address 192.168.11.253 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.19.254
!


The PIX configuration is as follows

interface Ethernet0
 description OUTSIDE link to Byte Switch
 speed 10
 duplex full
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Ethernet1
 description INSIDE link to 6509
 speed 100
 duplex full
 nameif inside
 security-level 100
 no ip address
!
interface Ethernet1.1
 description vlan 1 Native VLAN
 vlan 1
 nameif native_vlan
 security-level 100
 no ip address
!
interface Ethernet1.2
 description vlan 2 Hardware Network
 vlan 2
 nameif hardware_vlan
 security-level 100
 ip address 172.16.19.254 255.255.255.0
!
interface Ethernet1.3
 description vlan 3 Services Network
 vlan 3
 nameif services_vlan
 security-level 100
 ip address 172.16.16.254 255.255.255.0
!
interface Ethernet1.4
 description vlan 4 DMZ Network
 vlan 4
 nameif dmz_vlan
 security-level 100
 ip address 172.16.17.254 255.255.255.0
!
interface Ethernet1.5
 description vlan 5 Byte Network
 vlan 5
 nameif byte_vlan
 security-level 100
 no ip address
!
interface Ethernet1.6
 description vlan 6 Base Station Network
 vlan 6
 nameif basestation_vlan
 security-level 100
 ip address 172.16.15.254 255.255.240.0
!
interface Ethernet1.100
 description vlan 100 Trap Network
 vlan 100
 nameif trap_vlan
 security-level 100
 ip address 192.168.11.254 255.255.255.0
!
hostname PIX-01
domain-name ****
ftp mode passive
clock timezone GMT 0
clock summer-time BST recurring last Sun Apr 1:00 last Sun Oct 1:00
pager lines 24
mtu outside 1500
mtu inside 1500
mtu native_vlan 1500
mtu hardware_vlan 1500
mtu services_vlan 1500
mtu dmz_vlan 1500
mtu byte_vlan 1500
mtu basestation_vlan 1500
mtu trap_vlan 1500
failover
failover mac address Ethernet0 0015.2b1b.158f 0015.2b1b.15cb
failover mac address Ethernet1 0015.2b1b.1590 0015.2b1b.15cc
monitor-interface outside
monitor-interface inside
no asdm history enable
arp timeout 14400
global (outside) 1 y.y.y.y
nat (hardware_vlan) 1 172.16.19.0 255.255.255.0
nat (services_vlan) 1 172.16.16.0 255.255.255.0
nat (dmz_vlan) 1 172.16.17.0 255.255.255.0
nat (basestation_vlan) 1 172.16.0.0 255.255.240.0
nat (trap_vlan) 1 192.168.11.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 80.76.205.214 1
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ntp server a.a.a.a source outside prefer
ntp server b.b.b.b source outside

Your help is much appreciated!
Gingus_Maximus asked:

Nayyar HH (CCIE RS), Network Architect, commented:
Is your PIX permitting the traffic between the VLANs?

If not, the simplest way is to use ASDM to create the necessary rules to allow traffic between the VLANs.

OR you can use the command "same-security-traffic permit inter-interface" to allow traffic between interfaces at the same security level, that is, if you aren't securing intra-VLAN traffic.

discussed here ...

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/intparam.html#wp1039276
0
 
mick442 commented:
There is no dot1q encapsulation set on the PIX subinterfaces Ethernet1.1 - 1.6 and Ethernet1.100.

interface Ethernet1.1
encapsulation dot1q 1

interface Ethernet1.2
encapsulation dot1q 2

etc, etc.....
0
 
Gingus_Maximus (Author) commented:
Thanks for that, Nazsky. However, I am still not able to communicate between the VLANs. I cannot get access to the ASDM, unfortunately. I have inserted the command "same-security-traffic permit inter-interface", which has allowed me to connect out to the internet from a client, but I am still unable to communicate with other VLANs.
From your comment, I need to insert ACLs that would allow clients on the VLANs to communicate. Based on the configuration above, can you suggest suitable ACLs?

Thanks
0
 
Gingus_Maximus (Author) commented:
Hi Mick, thanks for the post, but the encapsulation command is not available on the subinterface. I am assuming that dot1q is the only encapsulation type supported on this IOS and is therefore automatically assigned.
0
 
Gingus_Maximus (Author) commented:
When I have the Dynamic PAT enabled on the PIX as follows:

global (outside) 1 80.76.205.211
nat (hardware_vlan) 1 172.16.19.0 255.255.255.0
nat (services_vlan) 1 172.16.16.0 255.255.255.0
nat (dmz_vlan) 1 172.16.17.0 255.255.255.0
nat (basestation_vlan) 1 172.16.0.0 255.255.240.0
nat (trap_vlan) 1 192.168.11.0 255.255.255.0

The clients can reach the internet, but cannot communicate with each other.

When I disable the nat config the clients are able to communicate with each other, but not out to the internet (obviously). So I need to keep the nat config and then somehow allow the VLANs to communicate. Any ideas on an ACL that allows the VLANs to communicate, anyone?
0
 
Nayyar HH (CCIE RS), Network Architect, commented:
I think what's left is a translation rule between those VLAN subnets; once that is in place you should be fine, using the NAT 0 command.

0
 
Gingus_Maximus (Author) commented:
Thanks, Nazsky. Sorry to be a pain, but based on the configuration above, could you please suggest a few examples of using the NAT 0 command with the configured VLANs? I'm new to the PIX and under pressure to get this resolved. Thanks so much for your help so far.
0
 
lrmoore commented:
try adding the command
  no nat-control

0
 
Gingus_Maximus (Author) commented:
lrmoore, thanks for the comment. It doesn't have any effect, unfortunately. Still have the same issue.
0
 
lrmoore commented:
Does your 6509 not have Layer 3 capability (MSFC2/SUP720)?
Far better to do all internal routing on a "real router" than to try to force the PIX to do something it was never designed to do.
Else try a static:
static (hardware_vlan,services_vlan) 172.16.19.0 172.16.19.0 netmask 255.255.255.0

If these two networks can now talk to each other, then you would only have to create 24 more pairings for every possible pair.
0
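What Nayyar (nat 0) and lrmoore (identity static) are each describing is a way to stop the PIX from looking for a dynamic translation on inter-VLAN flows. The following is an added example, written for this page against the interface names and subnets in the posted PIX 7.0 config; it is not from any poster in the thread, and the object-group and ACL names are my own. The reason the existing config fails is that `nat (hardware_vlan) 1 172.16.19.0 ...` matches a flow from that subnet whatever its destination, while `global 1` exists only on outside; a flow whose egress interface is services_vlan therefore matches a NAT policy with no usable global and is dropped (syslog 305005, "No translation group found"). A matched nat rule is enforced even with nat-control off, which is consistent with lrmoore's `no nat-control` change having no effect. NAT exemption (`nat 0 access-list`) is evaluated before dynamic NAT and is bidirectional, so one statement per interface replaces the per-pair statics:

```cisco
! Added example, not the thread's own config. Interface names and subnets are
! taken from the posted PIX 7.0(1) configuration; INTERNAL and NONAT_* are
! names chosen for this example.
!
! Interfaces at the same security level drop traffic between them unless this
! is set (the author already added it).
same-security-traffic permit inter-interface
!
! All internal subnets in one group so each exemption ACL stays one line.
object-group network INTERNAL
 network-object 172.16.19.0 255.255.255.0
 network-object 172.16.16.0 255.255.255.0
 network-object 172.16.17.0 255.255.255.0
 network-object 172.16.0.0 255.255.240.0
 network-object 192.168.11.0 255.255.255.0
!
! One exemption ACL per inside-facing sub-interface: source is that
! interface's own subnet, destination is any internal subnet.
access-list NONAT_HARDWARE extended permit ip 172.16.19.0 255.255.255.0 object-group INTERNAL
access-list NONAT_SERVICES extended permit ip 172.16.16.0 255.255.255.0 object-group INTERNAL
access-list NONAT_DMZ extended permit ip 172.16.17.0 255.255.255.0 object-group INTERNAL
access-list NONAT_BASESTATION extended permit ip 172.16.0.0 255.255.240.0 object-group INTERNAL
access-list NONAT_TRAP extended permit ip 192.168.11.0 255.255.255.0 object-group INTERNAL
!
! NAT exemption: checked before the "nat ... 1 / global (outside) 1" pair, so
! inter-VLAN flows never need a global on the egress interface.
nat (hardware_vlan) 0 access-list NONAT_HARDWARE
nat (services_vlan) 0 access-list NONAT_SERVICES
nat (dmz_vlan) 0 access-list NONAT_DMZ
nat (basestation_vlan) 0 access-list NONAT_BASESTATION
nat (trap_vlan) 0 access-list NONAT_TRAP
!
! The existing dynamic PAT (global (outside) 1 plus the nat ... 1 lines)
! stays in place and still handles internet-bound traffic.
```

After applying, run `clear xlate` so stale translations do not mask the change, then confirm with `show nat` and `show xlate` and watch syslog for 305005 disappearing on inter-VLAN flows. One security caveat: with every sub-interface at security-level 100 and same-security traffic permitted, the DMZ is no longer segregated from the internal VLANs at all. If the DMZ is meant to be a DMZ, give dmz_vlan a lower security level and control it with an access-group; `same-security-traffic` then no longer applies to it and the exemption above still does.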
 
Gingus_Maximus (Author) commented:
Thanks, lrmoore. I will try the static command tonight.
I believe the 6509 has Layer 3 capability, but I have not enabled it just yet.
0
 
lrmoore commented:
If your 6509 does have L3 capability, it is far, far, far better solution than trying to use the PIX. Your performance will be so far superior.
0
 
Gingus_Maximus (Author) commented:
Thanks for everyone's help on this.
The static commands allowed the clients to communicate across VLANs, but some of the devices are not functioning properly. I am going to implement interVLAN routing on the c6509 and remove this functionality from the PIX.
0
 
prvnkumark commented:
Buddy, why are you using the PIX for inter-VLAN routing? Your 6509 is meant for routing high volumes of traffic.

What I suggest is to route all inter-VLAN traffic at the 6509 by creating VLAN interfaces and adding a routing link to your PIX. You can just use a default static route to the PIX.

I know you will not be completely clear on this. If you liked the solution, please post and I will reply.

Regards,

Praveen
0
 
Gingus_Maximus (Author) commented:
Thanks, Praveen.
The VLANs on the 6509 currently have IP addresses of 172.16.x.253 /24. So I will change them to 172.16.x.254 /24, as the clients' default gateways are set to 172.16.x.254. I need to enable "ip routing". Once this is complete, the clients on different VLANs should be able to communicate.
I then need to set the default route on the 6509 to the PIX inside- 172.16.24.250.
Hopefully this should be everything.
Anything else anybody can think of?
0
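The 6509-routed design that prvnkumark suggests and the author plans above, as an added worked example that is not from the thread. The PIX inside address 172.16.24.250 is the one the author names; the transit VLAN number (24) and the 6509's address on it (172.16.24.253) are assumptions made for this example. Two things the plan does not spell out are covered here: the PIX needs a route back to every internal subnet via the 6509, or return traffic from the internet is dropped at the PIX; and once the 6509 routes between VLANs the PIX never sees that traffic, so any segregation the DMZ was supposed to have must be re-created as an ACL on the SVI, and that ACL is stateless:

```cisco
! ===== Catalyst 6509 (added example, not the thread's config) =====
ip routing
!
! SVIs take over the .254 gateway addresses once the PIX sub-interfaces go away
interface Vlan2
 description Hardware Admin Network
 ip address 172.16.19.254 255.255.255.0
!
interface Vlan3
 description Services Network
 ip address 172.16.16.254 255.255.255.0
!
interface Vlan4
 description DMZ Network
 ip address 172.16.17.254 255.255.255.0
 ip access-group DMZ_IN in
!
interface Vlan6
 description Basestation Network
 ip address 172.16.15.254 255.255.240.0
!
interface Vlan100
 description Trap Network
 ip address 192.168.11.254 255.255.255.0
!
! Transit VLAN to the PIX inside interface (VLAN 24 and .253 are assumed)
interface Vlan24
 description Transit to PIX inside
 ip address 172.16.24.253 255.255.255.0
!
! The PIX-facing ports now carry only the transit VLAN, so no trunk is needed
interface GigabitEthernet3/47
 description UPLINK to PIX-01 Primary
 switchport
 switchport access vlan 24
 switchport mode access
!
interface GigabitEthernet3/48
 description UPLINK to PIX-01 Secondary
 switchport
 switchport access vlan 24
 switchport mode access
!
! Default route now points at the PIX on the transit subnet, not at a VLAN gateway
ip route 0.0.0.0 0.0.0.0 172.16.24.250
!
! Unlike the PIX, an IOS ACL keeps no connection state: TCP replies from DMZ
! servers to internal clients must be allowed explicitly ("established") before
! DMZ-initiated traffic into the other internal VLANs is denied. UDP replies
! would need their own permits.
ip access-list extended DMZ_IN
 permit ip  172.16.17.0 0.0.0.255 host 172.16.17.254
 permit tcp 172.16.17.0 0.0.0.255 172.16.0.0 0.0.31.255 established
 permit tcp 172.16.17.0 0.0.0.255 192.168.11.0 0.0.0.255 established
 deny   ip  172.16.17.0 0.0.0.255 172.16.0.0 0.0.31.255
 deny   ip  172.16.17.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip  172.16.17.0 0.0.0.255 any
!
! ===== PIX 515E (added example) =====
! Ethernet1 becomes a plain routed inside interface; the Ethernet1.x
! sub-interfaces, their nameifs and their nat statements are removed.
interface Ethernet1
 description INSIDE link to 6509
 nameif inside
 security-level 100
 ip address 172.16.24.250 255.255.255.0
!
! Without these the PIX only knows the transit subnet and drops return traffic
route inside 172.16.19.0 255.255.255.0 172.16.24.253 1
route inside 172.16.16.0 255.255.255.0 172.16.24.253 1
route inside 172.16.17.0 255.255.255.0 172.16.24.253 1
route inside 172.16.0.0 255.255.240.0 172.16.24.253 1
route inside 192.168.11.0 255.255.255.0 172.16.24.253 1
!
! Dynamic PAT now hangs off the single inside interface
global (outside) 1 y.y.y.y
nat (inside) 1 172.16.19.0 255.255.255.0
nat (inside) 1 172.16.16.0 255.255.255.0
nat (inside) 1 172.16.17.0 255.255.255.0
nat (inside) 1 172.16.0.0 255.255.240.0
nat (inside) 1 192.168.11.0 255.255.255.0
```

Verify from the 6509 with `show ip route` (the connected VLAN subnets plus the default via 172.16.24.250) and from the PIX with `show route` (one `inside` entry per internal subnet). The mask 172.16.0.0 0.0.31.255 in DMZ_IN is 172.16.0.0/19 and covers every 172.16.x subnet on this page, including the transit VLAN; that is intended, since nothing in the DMZ should be talking to the firewall's inside address directly.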