Solved

My Trunking between a PIX 515E and a Switch 3550 is not working.

Posted on 2011-09-11
840 Views
Last Modified: 2012-05-12
Hi Experts,
I have configured my PIX 515E, creating 2 sub-interfaces, and I created 2 VLANs on my Switch 3550 which I want to give access through the firewall.

VLANS on the Switch
VLAN 10 will go through the network 192.168.1.0
VLAN 20 will go through the network 10.0.0.0
What I want to accomplish is what they call "router on a stick", but in this case it will be FIREWALL on a stick.
Here is the config of the firewall and the Switch.

Switch:

LABSwitch#sh run
Building configuration...

Current configuration : 3567 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname LABSwitch
!
enable secret 5 $1$3f
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
 switchport mode access
!
interface FastEthernet0/5
 switchport mode access
!
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/7
 switchport mode access
!
interface FastEthernet0/8
 switchport mode access
!
interface FastEthernet0/9
 switchport mode access
!
interface FastEthernet0/10
 switchport mode access
!
interface FastEthernet0/11
 switchport mode access
!
interface FastEthernet0/12
 switchport mode access
!
interface FastEthernet0/13
 switchport mode access
!
interface FastEthernet0/14
 switchport mode access
!
interface FastEthernet0/15
 switchport mode access
!
interface FastEthernet0/16
 switchport mode access
!
interface FastEthernet0/17
 switchport mode access
!
interface FastEthernet0/18
 switchport mode access
!
interface FastEthernet0/19
 switchport mode access
!
interface FastEthernet0/20
 switchport mode access
!
interface FastEthernet0/21
 switchport mode access
!
interface FastEthernet0/22
 switchport mode access
!
interface FastEthernet0/23
 switchport mode access
!
interface FastEthernet0/24
 switchport mode access
!
interface FastEthernet0/25
 switchport mode access
!
interface FastEthernet0/26
 switchport mode access
!
interface FastEthernet0/27
 switchport mode access
!
interface FastEthernet0/28
 switchport mode access
!
interface FastEthernet0/29
 switchport mode access
!
interface FastEthernet0/30
 switchport mode access
!
interface FastEthernet0/31
 switchport mode access
!
interface FastEthernet0/32
 switchport mode access
!
interface FastEthernet0/33
 switchport mode access
!
interface FastEthernet0/34
 switchport mode access
!
interface FastEthernet0/35
 switchport mode access
!
interface FastEthernet0/36
 switchport mode access
!
interface FastEthernet0/37
 switchport mode access
!
interface FastEthernet0/38
 switchport mode access
!
interface FastEthernet0/39
 switchport mode access
!
interface FastEthernet0/40
 switchport mode access
!
interface FastEthernet0/41
 switchport mode access
!
interface FastEthernet0/42
 switchport mode access
!
interface FastEthernet0/43
 switchport mode access
!
interface FastEthernet0/44
 switchport mode access
!
interface FastEthernet0/45
 switchport mode access
!
interface FastEthernet0/46
 switchport mode access
!
interface FastEthernet0/47
 switchport mode access
!
interface FastEthernet0/48
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface Vlan1
 ip address 192.168.1.10 255.255.255.0
!
ip default-gateway 192.168.1.1
ip classless
ip http server
!
banner motd ^C
WARNING.
******************************************************************************************
*************************************************************************
**************************************************************************
^C
!
line con 0
line vty 0 2
 password
 login
line vty 3 4
 login
line vty 5 15
 login
!
!
end

LABSwitch#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Fa0/25
                                                Fa0/26, Fa0/27, Fa0/28, Fa0/29
                                                Fa0/30, Fa0/31, Fa0/32, Fa0/33
                                                Fa0/34, Fa0/35, Fa0/36, Fa0/37
                                                Fa0/38, Fa0/39, Fa0/40, Fa0/41
                                                Fa0/42, Fa0/43, Fa0/44, Fa0/45
                                                Fa0/46, Fa0/47, Fa0/48, Gi0/1
                                                Gi0/2
10   HOME                             active
20   LAB                              active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
10   enet  100010     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------




FIREWALLLLLLL:

: Saved
:
PIX Version 8.0(4)32
!
hostname PIXLAB
enable password 1p encrypted
passw encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 no nameif
 no security-level
 no ip address
!
interface Ethernet1.1
 vlan 10
 nameif vlan10
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1.20
 vlan 20
 nameif vlan20
 security-level 99
 ip address 10.0.0.1 255.255.255.0
!
banner motd [
banner motd *****WARNING*******
ftp mode passive
pager lines 24
mtu outside 1500
mtu vlan10 1500
mtu vlan20 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (vlan10) 1 192.168.1.0 255.255.255.0
nat (vlan20) 1 10.0.0.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username USER  password LYx.6/v encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:da5dccaf89bd8fb0f3ecfe0
: end
PIXLAB(config-if)#




PIX SHOW VLANS:

PIXLAB# sh int
Interface Ethernet0 "outside", is down, line protocol is down
  Hardware is i82559, BW 100 Mbps, DLY 100 usec
        Auto-Duplex, Auto-Speed
        MAC address 000a.411e.f20c, MTU 1500
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (0/0) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/0)
  Traffic Statistics for "outside":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Ethernet1 "", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 000a.411e.f20d, MTU not set
        IP address unassigned
        326 packets input, 22446 bytes, 0 no buffer
        Received 325 broadcasts, 0 runts, 0 giants
        1 input errors, 0 CRC, 0 frame, 1 overrun, 0 ignored, 0 abort
        325 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (0/1) software (0/128)
        output queue (curr/max packets): hardware (0/0) software (0/0)
Interface Ethernet1.1 "vlan10", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps, DLY 100 usec
        VLAN identifier 10
        MAC address 000a.411e.f20d, MTU 1500
        IP address 192.168.1.1, subnet mask 255.255.255.0
  Traffic Statistics for "vlan10":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
Interface Ethernet1.20 "vlan20", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps, DLY 100 usec
        VLAN identifier 20
        MAC address 000a.411e.f20d, MTU 1500
        IP address 10.0.0.1, subnet mask 255.255.255.0
  Traffic Statistics for "vlan20":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped




Please review and advise me on why I cannot ping any of the sub-interfaces on the firewall, and tell me if I configured it the way it is supposed to be configured.

Thanks
Question by:chenzovicc
26 Comments
 
LVL 6

Expert Comment

by:jgibbar
ID: 36519832
Are you trying to ping directly from the switch?

There is no Interface on the Switch for VLAN 10 nor VLAN 20 and interface VLAN 1 is configured with the same subnet as what you are intending for VLAN 1. Two VLANs can share a subnet range, they just won't be routable.

This being the case, if you assign one of your access ports to either VLAN, you should be able to ping the PIX interface of that appropriate VLAN.

Also, I am assuming that you are connecting to interface 0/6 on the 3550 for the trunk from the firewall, correct?

Author Comment

by:chenzovicc
ID: 36520043
Are you trying to ping directly from the switch?
YES

Also, I am assuming that you are connecting to interface 0/6 on the 3550  for the trunk from the firewall correct?
YES


Can you please provide a configuration on how it should be configured on the Switch?
Is my firewall config done right?

Please advise
LVL 6

Assisted Solution

by:jgibbar
jgibbar earned 143 total points
ID: 36520205
On the 3550:

Conf t

int vl 1
no ip address
shut

int vl 10
ip add 192.168.1.10 255.255.255.0
no shut

I am not as familiar with pix but it looks ok to me. Do you plan on letting the 10.x.x.x network talk to the 192.x.x.x network?

With the security levels in place, vlan 10 can initiate traffic to vlan 20 but not the other way around since vlan 20 has a lower security level I believe.

LVL 35

Expert Comment

by:Ernie Beek
ID: 36521235
Try adding switchport nonegotiate to the interface on the 3550.
LVL 8

Assisted Solution

by:SeeMeShakinMyHead
SeeMeShakinMyHead earned 70 total points
ID: 36521773
You don't have any access ports set up for these VLANs. They are all set up in VLAN 1 (default). Try to add one of the ports to VLAN 10 (switchport mode access vlan 10) and then try to ping.
LVL 35

Expert Comment

by:Ernie Beek
ID: 36521802
@SeeMeShakinMyHead : It's a trunk......
LVL 8

Expert Comment

by:SeeMeShakinMyHead
ID: 36521834
yup, should've waited for coffee to kick in before answering questions... :)
LVL 35

Expert Comment

by:Ernie Beek
ID: 36521839
One cup just isn't enough ;)
LVL 8

Expert Comment

by:SeeMeShakinMyHead
ID: 36521896
One thing of interest to note is the number of L2 decode errors you are getting on the physical eth int on the PIX:

        326 packets input, 22446 bytes, 0 no buffer
        Received 325 broadcasts, 0 runts, 0 giants
        1 input errors, 0 CRC, 0 frame, 1 overrun, 0 ignored, 0 abort
        325 L2 decode drops

You are trunking VLAN 1 in the same network as VLAN 10 exists on the PIX. Something doesn't smell right about this :)
LVL 35

Expert Comment

by:Ernie Beek
ID: 36522032
@SeeMeShakinMyHead: you're right, the vlans should be the same (number/ip) on the switch and the firewall.
One cup just isn't enough.......

@jgibbar: So try to match the vlans on the pix and the switch and see if that helps.
LVL 7

Expert Comment

by:Boilermaker85
ID: 36522591
First, in order to ping the PIX from other IPs on your VLANs, you need these statements:
icmp permit 192.168.1.0 255.255.255.0 vlan10
icmp permit 10.0.0.0 255.255.255.0 vlan20

and if you want to use the PIX as a "router on a stick", I assume you want to route from the 192.168.1.0/24 home network to the 10.0.0.0/24 lab network, so you need this statement:
same-security-traffic permit intra-interface
(and for vice versa, make both interfaces the same security and then add this statement:
same-security-traffic permit inter-interface)

Let's say you want to test each VLAN on the PIX. Configure one of your switch ports for VLAN 20, and another for VLAN 10. Take a laptop and connect it to the VLAN 20 port, set the laptop IP to 10.0.0.2, and then ping the firewall 10.0.0.1. Repeat for VLAN 10, using 192.168.1.2 as your address, and ping that FW interface.

Author Comment

by:chenzovicc
ID: 36524494
I reconfigured the switch according to the diagram on this Cisco link and it still does not work:

http://www.cisco.com/en/US/tech/tk389/tk81/technologies_configuration_example09186a00800949fd.shtml

I did re-configure the firewall according to the VLANs on the switch.
I have the problem on the trunk because I enabled ICMP and still cannot ping.
Can it be that I have FastEthernet ports on the switch and Ethernet 10/100 on the firewall?

I would like to ask you experts if you can provide me with a step by step configuration for my switch, so that way I can try according to your configuration. I would like to accomplish something like the link above.
LVL 8

Expert Comment

by:SeeMeShakinMyHead
ID: 36524713
can you repost your new configs please?

Author Comment

by:chenzovicc
ID: 36524815
User Access Verification

Password:
Password:
Password:
LABSwitch>en
Password:
Password:
Password:
LABSwitch#config t
Enter configuration commands, one per line.  End with CNTL/Z.
LABSwitch(config)#sh run
                    ^
% Invalid input detected at '^' marker.

LABSwitch(config)#^Z
LABSwitch#sh run
Building configuration...

Current configuration : 3304 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname LABSwitch
!
enable secret 5 $1$
enable password C
!
ip subnet-zero
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode access
!
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
 switchport mode access
!
interface FastEthernet0/5
 switchport mode access
!
interface FastEthernet0/6
 switchport mode access
!
interface FastEthernet0/7
 switchport mode access
!
interface FastEthernet0/8
 switchport mode access
!
interface FastEthernet0/9
 switchport mode access
!
interface FastEthernet0/10
 switchport mode access
!
interface FastEthernet0/11
 switchport mode access
!
interface FastEthernet0/12
 switchport mode access
!
interface FastEthernet0/13
 switchport mode access
!
interface FastEthernet0/14
 switchport mode access
!
interface FastEthernet0/15
 switchport mode access
!
interface FastEthernet0/16
 switchport mode access
!
interface FastEthernet0/17
 switchport mode access
!
interface FastEthernet0/18
 switchport mode access
!
interface FastEthernet0/19
 switchport mode access
!
interface FastEthernet0/20
 switchport mode access
!
interface FastEthernet0/21
 switchport mode access
!
interface FastEthernet0/22
 switchport mode access
!
interface FastEthernet0/23
 switchport mode access
!
interface FastEthernet0/24
 switchport mode access
!
interface FastEthernet0/25
 switchport mode access
!
interface FastEthernet0/26
 switchport mode access
!
interface FastEthernet0/27
 switchport mode access
!
interface FastEthernet0/28
 switchport mode access
!
interface FastEthernet0/29
 switchport mode access
!
interface FastEthernet0/30
 switchport mode access
!
interface FastEthernet0/31
 switchport mode access
!
interface FastEthernet0/32
 switchport mode access
!
interface FastEthernet0/33
 switchport mode access
!
interface FastEthernet0/34
 switchport mode access
!
interface FastEthernet0/35
 switchport mode access
!
interface FastEthernet0/36
 switchport mode access
!
interface FastEthernet0/37
 switchport mode access
!
interface FastEthernet0/38
 switchport mode access
!
interface FastEthernet0/39
 switchport mode access
!
interface FastEthernet0/40
 switchport mode access
!
interface FastEthernet0/41
 switchport mode access
!
interface FastEthernet0/42
 switchport mode access
!
interface FastEthernet0/43
 switchport mode access
!
interface FastEthernet0/44
 switchport mode access
!
interface FastEthernet0/45
 switchport mode access
!
interface FastEthernet0/46
 switchport mode access
!
interface FastEthernet0/47
 switchport mode access
!
interface FastEthernet0/48
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface Vlan1
 ip address 192.168.1.10 255.255.255.0
!
ip default-gateway 192.168.1.1
ip classless
ip http server
!
!
line con 0
line vty 0 4
 password CI
 login
line vty 5 15
 login
!
!
end

LABSwitch#
LABSwitch#

Author Comment

by:chenzovicc
ID: 36524839
According to a Cisco support technician who replied to me a couple of minutes ago, the firewall is configured properly. He gave me some commands to verify the traffic between the switch and the firewall which I will try tonight.
LVL 7

Assisted Solution

by:Boilermaker85
Boilermaker85 earned 287 total points
ID: 36525047
You still have no ports on the switch set to VLAN 10 or 20. And the mgmt address of the switch is on VLAN 1. So you can't ping from the switch to the firewall because the switch IP is not on the same VLAN as any of the firewall IPs. I would suggest this in your switch using a console connection:
conf t
Interface vlan 1
  no ip address
  shut
interface vlan10
 ip address 192.168.1.10 255.255.255.0
 no shut
write mem

Now you should be able to ping 192.168.1.1 (the firewall) from the switch. Then you still need to verify that you can attach real devices to the switch VLANs and reach what you want. So let's assume you put a PC on port 35 of the switch, and you want that PC in the lab. And you have another PC that you want on the Home VLAN on port 15. You need to set the switch like this:
conf t
interface fa0/15
switchport access vlan 10
interface fa0/35
switchport access vlan 20
wr mem
Now connect those PCs (or similar) and ping the Pix on its respective IP, ping from one net to the other, etc, and tell us the results.

 

Author Comment

by:chenzovicc
ID: 36525189
Hi Boilermaker85,

I did changes on my pix too. but I got the idea, any way I am sending you the pix configuration for you to double check.

Thanks
PIXLAB.docx

Author Comment

by:chenzovicc
ID: 36526507
OK. Let me ask: Do I ever have to assign an IP address to the VLANs on the switch? Or is it enough that they match the VLAN numbers on the PIX firewall?
LVL 7

Expert Comment

by:Boilermaker85
ID: 36527206
You can have the switch IP on any VLAN you like (but only one, and it must match the IP subnet of that VLAN). As long as the VLAN numbers match, the PIX and the switch can pass traffic on that VLAN. But in general, the traffic is going through the switch. O

Author Comment

by:chenzovicc
ID: 36527678
I did follow all the steps you guys mentioned, but somehow it is not working. It seems it is not trunking properly.
LVL 7

Expert Comment

by:Boilermaker85
ID: 36529275
What is not working? What are you doing to test the configuration?  

I see that now in the PIX config you are using VLAN 1 and VLAN 2. And in the switch you specify VLAN 1 for most ports and VLAN 2 on port Fa0/2. For simplicity's sake, let's tackle testing by first getting the switch and the firewall on the Home VLAN 192.168.1.0, which at this point is VLAN 1, correct?
Assuming we are working with Vlan 1, then the switch config for vlan 1 was correct, so undo what I said at 12:02 yesterday by putting the mgmt ip of the switch on vlan 1 like this:
 interface vlan10
 no ip address
 shut
Interface vlan 1
ip address 192.168.1.10 255.255.255.0
no  shut
exit

Now, the connection between the PIX and switch goes to switchport 1, right? Looking at the PIX, you still don't have the ICMP statements you need to allow the interfaces to respond to ping (my first comment in this thread):
icmp permit 192.168.1.0 255.255.255.0 vlan1
icmp permit 10.0.0.0 255.255.255.0 vlan2

You also don't have the intra-interface permit statement that I gave you yesterday:
same-security-traffic permit intra-interface





Author Comment

by:chenzovicc
ID: 36531287
Do I still need to apply the ip default-gateway 192.168.1.1 on the vlan1?

Thanks
LVL 7

Accepted Solution

by:
Boilermaker85 earned 287 total points
ID: 36536268
The switch already had that statement, as I see. No need to change it if the mgmt VLAN is 192.168.1.0.

Author Closing Comment

by:chenzovicc
ID: 36537966
Hi Boilermaker85,

I thank you for all your help. I reviewed my CBT Nuggets class once again, and in the class this guy says that the port that I am TRUNKING should not be configured as SWITCHPORT MODE ACCESS, which was my mistake: I had configured all the ports with this command. I reconfigured the switch yesterday and did not apply the SWITCHPORT MODE ACCESS command on the F0/1 port, but instead the switchport trunk encapsulation dot1q, and BINGO, I was able to ping my VLAN 2 10.0.0.1, BUT I WAS NOT ABLE TO PING 192.168.1.1, which still does not make sense to me because most of the ports are on VLAN 1. So what I did was create a VLAN 3 with a different name on the switch, assigning a port, F0/10, to VLAN 3; I created the subinterface on the firewall and created the icmp command for 172.16.0.0 for VLAN 3, and both VLANs 2 and 3 are able to ping from my different computers with different IPs.
Thanks for your help, but I still have to test internet connectivity. I will open another question just in case I encounter a problem.

Thanks Guys.
LVL 7

Expert Comment

by:Boilermaker85
ID: 36538464
I did not review the switch config very much after you said you had a Cisco engineer approve it. But yes, you either leave off the "switchport mode access" statement (making the port negotiate trunk or access), or you can change the statement to "switchport mode trunk".

Again you stated that you could not ping 192.168.1.1, but failed to mention from what IP you are pinging. If you tried from the switch console to the PIX interface, then I would make sure that the VLAN 1 status of the switch is UP/UP. If you are trying to ping from 10.0.0.x to 192.168.1.1, you won't be able to do that. FWs only let you ping the nearest interface, not the interface on the other side of the PIX, or another subinterface. Also, because of your security levels, 10.0.0.x cannot reach 192.168.1.0 without explicit rules (access-list, and access-group applied to that interface).

PS. Thanks for the points, and kudos to the others also. It was tough hanging in there with you on this long thread because you don't clearly answer direct questions, and I was getting frustrated trying to keep track of what you were testing.
LVL 7

Expert Comment

by:Boilermaker85
ID: 36538482
One other thing. Usually, in order to get a VLAN to come up, you must have one active port in that VLAN. So hang a PC off of one port that is in VLAN 1.
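The mismatches worked through in this thread (the uplink left in "switchport mode access" while carrying dot1q, no switch port placed in the PIX's VLANs, and the management SVI on VLAN 1 sharing the subnet the PIX tags as VLAN 10) can be caught by reading both configs side by side. The following Python script is an added example, not from the thread or from Cisco: the config excerpts are constructed to mirror the posted ones, and the three checks encode only the points the experts made above.

```python
import ipaddress
import re

# Constructed switch excerpt modelled on the thread's configs: the uplink has dot1q set but
# is forced to access mode, no port is in VLAN 10 or 20, and the SVI sits in VLAN 1.
BROKEN_SWITCH = """\
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport mode access
!
interface Vlan1
 ip address 192.168.1.10 255.255.255.0
!
"""
# Constructed excerpt applying the fixes suggested in the thread.
FIXED_SWITCH = """\
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/15
 switchport access vlan 10
!
interface FastEthernet0/35
 switchport access vlan 20
!
interface Vlan10
 ip address 192.168.1.10 255.255.255.0
!
"""
# Constructed PIX excerpt with the two sub-interfaces from the posted config.
PIX = """\
interface Ethernet1.1
 vlan 10
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1.20
 vlan 20
 ip address 10.0.0.1 255.255.255.0
!
"""

def parse_interfaces(cfg):
    """Return {interface name: [stripped stanza lines]} for IOS/PIX-style text."""
    stanzas, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

def ip_of(lines):
    """The stanza's static 'ip address A M' as an IPv4Interface, else None (e.g. dhcp)."""
    for l in lines:
        if m := re.match(r"ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", l):
            return ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return None

def check(switch_cfg, pix_cfg):
    """Return a list of trunk/VLAN mismatches between the switch and the PIX."""
    findings, svis, port_vlans = [], {}, set()
    for name, lines in parse_interfaces(switch_cfg).items():
        if m := re.match(r"Vlan(\d+)$", name):  # SVI: VLAN number -> its address
            svis[int(m.group(1))] = ip_of(lines)
        elif "switchport mode trunk" not in lines:  # access or negotiating port
            if "switchport trunk encapsulation dot1q" in lines and "switchport mode access" in lines:
                findings.append(f"{name}: dot1q encapsulation set, but 'switchport mode access' keeps it from trunking")
            # a port without 'switchport access vlan' belongs to VLAN 1
            port_vlans.add(next((int(l.split()[-1]) for l in lines
                                 if l.startswith("switchport access vlan ")), 1))
    for name, lines in parse_interfaces(pix_cfg).items():
        vl = next((int(l.split()[1]) for l in lines if l.startswith("vlan ")), None)
        addr = ip_of(lines)
        if vl is None or addr is None:
            continue  # physical interface, not a VLAN sub-interface
        if vl not in port_vlans:
            findings.append(f"{name}: no switch port is in VLAN {vl}, so no host can reach it")
        for svl, sip in svis.items():
            if sip is not None and svl != vl and sip.network == addr.network:
                findings.append(f"{name}: switch SVI Vlan{svl} uses {addr.network}, but the PIX expects that subnet tagged as VLAN {vl}")
    return findings
```

Running check(BROKEN_SWITCH, PIX) reports four findings; check(FIXED_SWITCH, PIX) reports none.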