Asked by Gingus_Maximus
Cisco Catalyst 6509 to Cisco PIX 515E InterVLAN routing issue
OK, so the story is: I have inherited a network consisting of a Cisco Catalyst 6509 and a pair of Cisco PIX 515E ver 7.0(1) with several devices sitting on different VLANs.
The PIXes are configured for simple active/passive failover. I have connected each of the PIX Ethernet 1 ports to the 6509 (Gi3/47 and Gi3/48) and configured them as trunk ports. Each of the Ethernet 0 ports on the PIXes is an uplink to the ISP's switches.
The issue I am currently having is communicating between VLANs. I previously had a router on a stick setup, but this was apparently causing issues and I was advised to perform interVLAN routing via the PIX.
So at present, when I am consoled onto the C6509, I can ping everything. When I am consoled onto the PIX I can ping everything, BUT when I try to communicate with a device on a different VLAN e.g. server on VLAN 6 (172.16.0.1) to a server on VLAN 3 (172.16.16.2), it fails. I can only communicate with devices in the same VLAN. The default gateways of the devices are set to the corresponding IP address of the VLAN subinterface on the PIX.
Am I missing something obvious here?
C6509 trunk links to PIX inside interfaces
interface GigabitEthernet3/47
description UPLINK to PIX-01 Primary
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-6,100
switchport mode trunk
no ip address
speed 100
duplex full
!
interface GigabitEthernet3/48
description UPLINK to PIX-01 Secondary
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-6,100
switchport mode trunk
no ip address
speed 100
duplex full
!
!
The following VLANs exist on the C6509:
interface Vlan1
no ip address
!
interface Vlan2
description Hardware Admin Network
ip address 172.16.19.253 255.255.255.0
!
interface Vlan3
description Services Network
ip address 172.16.16.253 255.255.255.0
!
interface Vlan4
description DMZ Network
ip address 172.16.17.253 255.255.255.0
!
interface Vlan5
description Byte Network
no ip address
!
interface Vlan6
description Basestation Network
ip address 172.16.15.253 255.255.240.0
!
interface Vlan100
description Trap Network
ip address 192.168.11.253 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.19.254
!
The PIX configuration is as follows
interface Ethernet0
description OUTSIDE link to Byte Switch
speed 10
duplex full
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet1
description INSIDE link to 6509
speed 100
duplex full
nameif inside
security-level 100
no ip address
!
interface Ethernet1.1
description vlan 1 Native VLAN
vlan 1
nameif native_vlan
security-level 100
no ip address
!
interface Ethernet1.2
description vlan 2 Hardware Network
vlan 2
nameif hardware_vlan
security-level 100
ip address 172.16.19.254 255.255.255.0
!
interface Ethernet1.3
description vlan 3 Services Network
vlan 3
nameif services_vlan
security-level 100
ip address 172.16.16.254 255.255.255.0
!
interface Ethernet1.4
description vlan 4 DMZ Network
vlan 4
nameif dmz_vlan
security-level 100
ip address 172.16.17.254 255.255.255.0
!
interface Ethernet1.5
description vlan 5 Byte Network
vlan 5
nameif byte_vlan
security-level 100
no ip address
!
interface Ethernet1.6
description vlan 6 Base Station Network
vlan 6
nameif basestation_vlan
security-level 100
ip address 172.16.15.254 255.255.240.0
!
interface Ethernet1.100
description vlan 100 Trap Network
vlan 100
nameif trap_vlan
security-level 100
ip address 192.168.11.254 255.255.255.0
!
hostname PIX-01
domain-name ****
ftp mode passive
clock timezone GMT 0
clock summer-time BST recurring last Sun Apr 1:00 last Sun Oct 1:00
pager lines 24
mtu outside 1500
mtu inside 1500
mtu native_vlan 1500
mtu hardware_vlan 1500
mtu services_vlan 1500
mtu dmz_vlan 1500
mtu byte_vlan 1500
mtu basestation_vlan 1500
mtu trap_vlan 1500
failover
failover mac address Ethernet0 0015.2b1b.158f 0015.2b1b.15cb
failover mac address Ethernet1 0015.2b1b.1590 0015.2b1b.15cc
monitor-interface outside
monitor-interface inside
no asdm history enable
arp timeout 14400
global (outside) 1 y.y.y.y
nat (hardware_vlan) 1 172.16.19.0 255.255.255.0
nat (services_vlan) 1 172.16.16.0 255.255.255.0
nat (dmz_vlan) 1 172.16.17.0 255.255.255.0
nat (basestation_vlan) 1 172.16.0.0 255.255.240.0
nat (trap_vlan) 1 192.168.11.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 80.76.205.214 1
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
ntp server a.a.a.a source outside prefer
ntp server b.b.b.b source outside
Your help is much appreciated!
ASKER CERTIFIED SOLUTION
ASKER
Thanks for that Nazsky. However I am still not able to communicate between the VLANs. I cannot get access to the ASDM unfortunately. I have inserted the command "same-security-traffic permit inter-interface", which has allowed me to connect out to the internet from a client, but I am still unable to communicate with other VLANs.
From your comment I need to insert ACLs that would allow clients on the VLANs to communicate based on the configuration above, can you suggest suitable ACLs?
Thanks
ASKER
Hi Mick, thanks for the post, but the encapsulation command is not available on the subinterface. I am assuming that dot1q is the only encapsulation type supported on this IOS and is therefore automatically assigned.
ASKER
When I have the Dynamic PAT enabled on the PIX as follows:
global (outside) 1 80.76.205.211
nat (hardware_vlan) 1 172.16.19.0 255.255.255.0
nat (services_vlan) 1 172.16.16.0 255.255.255.0
nat (dmz_vlan) 1 172.16.17.0 255.255.255.0
nat (basestation_vlan) 1 172.16.0.0 255.255.240.0
nat (trap_vlan) 1 192.168.11.0 255.255.255.0
The clients can reach the internet, but cannot communicate with each other.
When I disable the nat config the clients are able to communicate with each other, but not out to the internet (obviously). So I need to keep the nat config and then some how allow the VLANs to communicate. Any ideas on an ACL that allow the VLANs to communicate anyone?
I think what's left is a translation rule between those VLAN subnets; once that is in place you should be fine, using the NAT 0 command.
ASKER
Thanks Nazsky- sorry to be a pain, but based on the configuration above, could you please suggest a few examples of using the NAT 0 command with the configured VLANs? I'm new to the PIX and under pressure to get this resolved- thanks so much for your help so far.
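A worked NAT-exemption configuration for the interfaces posted above, added here as an example and not part of any reply in the thread. It reuses the interface names, subnets and the PAT id 1 from the posted PIX config; the object-group and access-list names, and the DMZ policy at the end, are assumptions.

```cisco
! --- PIX-01: NAT exemption so inter-VLAN traffic is routed, not PATed ---
! Added example, not from the thread. Interface names, subnets and the
! global/nat id 1 come from the posted config; object-group and ACL names
! and the DMZ policy below are assumptions.
!
! All subinterfaces sit at security-level 100, so this is required once
! (the asker has already added it):
same-security-traffic permit inter-interface
!
! Every internal subnet behind the trunk, in one reusable group.
object-group network INTERNAL_NETS
 network-object 172.16.19.0 255.255.255.0
 network-object 172.16.16.0 255.255.255.0
 network-object 172.16.17.0 255.255.255.0
 network-object 172.16.0.0 255.255.240.0
 network-object 192.168.11.0 255.255.255.0
!
! One exemption ACL per inside interface: source is that interface's own
! subnet, destination is any internal subnet. nat 0 access-list is matched
! before the dynamic rule with id 1, so internal-to-internal flows keep
! their real addresses while internal-to-outside still PATs.
access-list NONAT_HARDWARE extended permit ip 172.16.19.0 255.255.255.0 object-group INTERNAL_NETS
access-list NONAT_SERVICES extended permit ip 172.16.16.0 255.255.255.0 object-group INTERNAL_NETS
access-list NONAT_DMZ extended permit ip 172.16.17.0 255.255.255.0 object-group INTERNAL_NETS
access-list NONAT_BASESTATION extended permit ip 172.16.0.0 255.255.240.0 object-group INTERNAL_NETS
access-list NONAT_TRAP extended permit ip 192.168.11.0 255.255.255.0 object-group INTERNAL_NETS
!
nat (hardware_vlan) 0 access-list NONAT_HARDWARE
nat (services_vlan) 0 access-list NONAT_SERVICES
nat (dmz_vlan) 0 access-list NONAT_DMZ
nat (basestation_vlan) 0 access-list NONAT_BASESTATION
nat (trap_vlan) 0 access-list NONAT_TRAP
!
! The existing PAT rules stay exactly as posted:
global (outside) 1 y.y.y.y
nat (hardware_vlan) 1 172.16.19.0 255.255.255.0
nat (services_vlan) 1 172.16.16.0 255.255.255.0
nat (dmz_vlan) 1 172.16.17.0 255.255.255.0
nat (basestation_vlan) 1 172.16.0.0 255.255.240.0
nat (trap_vlan) 1 192.168.11.0 255.255.255.0
!
! --- Least-privilege caveat for the DMZ (assumed policy) ---
! With every subinterface at level 100 and inter-interface traffic
! permitted, a compromised DMZ host can reach every server VLAN with no
! ACL in the way. Lowering the DMZ and filtering inbound on it restores
! the boundary the DMZ exists for; hosts at level 100 can still reach
! the DMZ by default, and NAT exemption works in both directions.
interface Ethernet1.4
 security-level 50
!
! DMZ hosts may initiate to the Internet but not to internal subnets.
access-list DMZ_IN extended deny ip 172.16.17.0 255.255.255.0 object-group INTERNAL_NETS
access-list DMZ_IN extended permit ip 172.16.17.0 255.255.255.0 any
access-group DMZ_IN in interface dmz_vlan
```

The reason the posted config breaks inter-VLAN traffic is that a packet from hardware_vlan to services_vlan matches `nat (hardware_vlan) 1` but there is no `global (services_vlan) 1` to translate into, so the PIX drops it for lack of a translation; the exemption above is matched first and removes the need for one. The identity `static (a,b) net net netmask m` form that the thread later refers to does the same job one interface pair at a time. Check with `show nat` and `show xlate`, and with `debug icmp trace` while pinging 172.16.16.2 from 172.16.0.1: the trace should show the echo request entering basestation_vlan and leaving services_vlan with its original source address instead of being dropped.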
try adding the command
no nat-control
ASKER
lrmoore- thanks for the comment- doesn't have any effect unfortunately. Still have same issue
SOLUTION
ASKER
Thanks lrmoore. I will try the static command tonight.
I believe the 6509 has Layer 3 capability, but i have not enabled it just yet.
SOLUTION
ASKER
Thanks for everyones help on this.
The static commands allowed the clients to communicate across VLANs, but some of the devices are not functioning properly. I am going to implement interVLAN routing on the c6509 and remove this functionality from the PIX.
Buddy, why are you using the PIX for inter-VLAN routing? Your 6509 is meant for routing high traffic.
What I suggest is to route all inter-VLAN traffic at the 6509 by creating VLAN interfaces and adding a routing link to your PIX. You can just use a default static route to the PIX.
I know you will not be completely clear on this. If you liked the solution, please post and I will reply.
Regards,
Praveen
ASKER
Thanks Praveen.
The VLANs on the 6509 currently have IP addresses of 172.16.x.253 /24. So I will change them to 172.16.x.254 /24 as the clients' default gateways are set to 172.16.x.254. I need to enable "ip routing". Once this is complete the clients on different VLANs should be able to communicate.
I then need to set the default route on the 6509 to the PIX inside- 172.16.24.250.
Hopefully this should be everything.
Anything else anybody can think of?
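The plan above carried through as a configuration, added here as an example rather than as any participant's post. SVI numbers and subnets come from the posted 6509 config and the PIX inside address 172.16.24.250 is the one named in the plan; the transit VLAN 24, the switch's address 172.16.24.254 on it, and the DMZ filtering policy are assumptions.

```cisco
! --- C6509: become the L3 core; the PIX keeps a single inside interface ---
! Added example, not from the thread. Subnets and SVI numbers come from the
! posted config; the transit VLAN 24, the switch address 172.16.24.254 and
! the DMZ policy are assumptions. 172.16.24.250 is the PIX inside address
! the asker planned to use.
ip routing
!
! Once the switch routes between VLANs the firewall is no longer in the
! path between the DMZ and the server VLANs, so the DMZ boundary has to be
! re-created here. Assumed policy: DMZ may answer internal TCP clients and
! reach the Internet, but may not initiate connections into any internal
! subnet. Router ACLs are stateless, hence the explicit established line.
ip access-list extended DMZ_TO_INTERNAL
 permit tcp 172.16.17.0 0.0.0.255 any established
 deny   ip 172.16.17.0 0.0.0.255 172.16.19.0 0.0.0.255
 deny   ip 172.16.17.0 0.0.0.255 172.16.16.0 0.0.0.255
 deny   ip 172.16.17.0 0.0.0.255 172.16.0.0 0.0.15.255
 deny   ip 172.16.17.0 0.0.0.255 192.168.11.0 0.0.0.255
 deny   ip 172.16.17.0 0.0.0.255 172.16.24.0 0.0.0.255
 permit ip 172.16.17.0 0.0.0.255 any
!
! Gateways move to .254 so the hosts' existing default gateway is now the
! switch; the PIX subinterfaces for these VLANs are removed.
interface Vlan2
 description Hardware Admin Network
 ip address 172.16.19.254 255.255.255.0
!
interface Vlan3
 description Services Network
 ip address 172.16.16.254 255.255.255.0
!
interface Vlan4
 description DMZ Network
 ip address 172.16.17.254 255.255.255.0
 ip access-group DMZ_TO_INTERNAL in
!
interface Vlan6
 description Basestation Network
 ip address 172.16.15.254 255.255.240.0
!
interface Vlan100
 description Trap Network
 ip address 192.168.11.254 255.255.255.0
!
! Transit VLAN to the PIX inside interface (assumption).
vlan 24
!
interface Vlan24
 description Transit to PIX-01 inside
 ip address 172.16.24.254 255.255.255.0
!
! The PIX ports no longer need to be trunks: access ports in VLAN 24.
interface GigabitEthernet3/47
 description UPLINK to PIX-01 Primary
 switchport
 switchport mode access
 switchport access vlan 24
!
interface GigabitEthernet3/48
 description UPLINK to PIX-01 Secondary
 switchport
 switchport mode access
 switchport access vlan 24
!
! Replaces the posted default route via 172.16.19.254.
ip route 0.0.0.0 0.0.0.0 172.16.24.250
!
! --- PIX-01: one inside interface, static routes back to the switch ---
interface Ethernet1
 description INSIDE link to 6509
 nameif inside
 security-level 100
 ip address 172.16.24.250 255.255.255.0
!
route inside 172.16.19.0 255.255.255.0 172.16.24.254 1
route inside 172.16.16.0 255.255.255.0 172.16.24.254 1
route inside 172.16.17.0 255.255.255.0 172.16.24.254 1
route inside 172.16.0.0 255.255.240.0 172.16.24.254 1
route inside 192.168.11.0 255.255.255.0 172.16.24.254 1
!
global (outside) 1 y.y.y.y
nat (inside) 1 172.16.19.0 255.255.255.0
nat (inside) 1 172.16.16.0 255.255.255.0
nat (inside) 1 172.16.17.0 255.255.255.0
nat (inside) 1 172.16.0.0 255.255.240.0
nat (inside) 1 192.168.11.0 255.255.255.0
```

The router ACL on Vlan4 only inspects packets sourced from the DMZ, and the `established` line lets TCP replies from DMZ servers back to internal clients through; UDP or ICMP services that internal hosts consume from the DMZ need explicit permits. If that policy becomes awkward, the alternative is to leave VLAN 4 as a PIX subinterface at a lower security level and route only the internal VLANs on the 6509, so the DMZ stays behind stateful inspection. After the change, `show ip route` on the 6509 should list the five connected subnets and the default via 172.16.24.250, and `show route` on the PIX should list the matching `route inside` entries.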
interface Ethernet1.1
encapsulation dot1q 1
interface Ethernet1.2
encapsulation dot1q 2
etc, etc.....