Solved

Pix506e, Cisco3750x and VLANs to NAT

Posted on 2013-01-10
483 Views
Last Modified: 2013-01-11
I got much-needed help on configuring the switch to do IVR; everything worked for the first subnet/VLAN. Now maybe someone can help me on how to get the VLAN to the pix and out to the web.

Internet -> PIX506e -> Cisco3750x -> corporate network

VLAN1 is 192.168.1.0/24 (3750x is 1.1 gateway, Pix is 1.2)
VLAN3 is 192.168.3.0/24

Switch handles all IVR and sends it to the pix.  I can ping the pix from a 192.168.3.x address but am not able to go through to the net.

I think I have to add a logical VLAN interface to the pix for 3.0 VLAN3 and I am not exactly sure how to do that.  Can someone point me in the right direction?  I'll be happy to post sanitized pix and router configs if necessary.

Thanks
Tim
Question by:Timothy Kashin
11 Comments
 
LVL 29

Expert Comment

by:Jan Springer
ID: 38764000
If the gateway for 192.168.3.0 is downstream of the PIX, then you need a route inside for that subnet and update NAT to allow that subnet out the outside with an external IP.

If the gateway for 192.168.3.0 is on the PIX, then you need another subinterface or vlan on the PIX for the gateway IP and update NAT to allow that subnet out the outside with an external IP.
 
LVL 3

Author Comment

by:Timothy Kashin
ID: 38766906
The gateway for the 192.168.3.0 is on the switch at 192.168.1.1.  Traffic from the switch is routed accordingly to destination, either within the network to the server or out the internet gateway at the pix.  I am able to ping the pix from a 192.168.3.x address; however, the pix is not passing that traffic.  The question is how do I add a VLAN interface to the pix and/or a NAT update in order to accomplish this?

Thanks
 
LVL 29

Expert Comment

by:Jan Springer
ID: 38767081
So you have 192.168.3.1 on the PIX as the gateway for the 192.168.3.0/24 subnet?

If that's the case, then all you need to do is make sure that 192.168.3.0/24 can NAT out.

           sh run | i nat
 
LVL 3

Author Comment

by:Timothy Kashin
ID: 38767136
I have 192.168.1.0/24 and 192.168.3.0/24 on the switch.  The pix is 192.168.1.2, the switch is 192.169.1.1.
 
LVL 29

Accepted Solution

by: Jan Springer (earned 2000 total points)
ID: 38767234
Okay, then you just need to allow NAT and routing:

On the pix route 192.168.3.0 to the inside interface 192.168.1.X IP on the switch and then do a "sh run | i nat" (no quotes).
 
LVL 3

Author Comment

by:Timothy Kashin
ID: 38767417
The switch currently does route 192.168.3.0 via IVR to the pix; the pix just isn't NATting to the outside.  From 192.168.3.0 addresses I can see the pix, I can even telnet to the pix from a 3.0 address.  I'm not pix savvy and that seems to be my issue here.

Below is the "sh run | i nat"  results from the pix before I make any changes:

access-list inside_nat0_outbound permit ip host 192.168.1.12 host 66.244.xxx.xxx
access-list inside_nat0_outbound permit ip any 192.168.1.144 255.255.255.252
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 host 207.7.xxx.xxx
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
isakmp nat-traversal 20
vpngroup VpnAccess4Chicago default-domain natxxxxxxx.com
vpdn username xxxxxxxxx password *********

 
LVL 29

Expert Comment

by:Jan Springer
ID: 38767664
On the PIX after attempting to get out the internet with 192.168.3.x:

sh log | i 192.168.3
sh xlate | i 192.168.3
sh route 192.168.3.0
 
LVL 3

Author Comment

by:Timothy Kashin
ID: 38767731
I got it by adding the following to my pix:

route inside 192.168.3.0 255.255.255.0 192.168.1.2 CONNECT static

Thank you very much for the help, I guess I needed a push in the right direction and to slow down a minute and think it through more clearly!!

I'm gonna do a bit more thorough testing on the matter to make sure the VLAN interacts with the rest of the environment, but will accept your answer as the solution ultimately.

Thanks again,

Tim
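As an added illustration (not from the thread), a small Python model of how the PIX in this thread decides what to do with an inside-to-outside flow: the poster's nat 0 exemption list, the catch-all nat 1 PAT, and the inside route that was missing for 192.168.3.0/24 until the fix above. The sample config lines, the RFC 5737 public addresses, and the 192.168.1.1 next hop are constructed assumptions.

```python
import ipaddress

NO_ROUTE = "no inside route for source: outbound PAT builds, but replies cannot be routed back"
EXEMPT = "nat 0 exempt (identity NAT, no translation)"
PAT = "nat 1 PAT to the outside address"

def _addr_spec(tokens):
    """Consume one PIX ACL address spec ('any', 'host X', or 'X MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_nat0_acl(lines, acl_name="inside_nat0_outbound"):
    """Return [(src_net, dst_net)] for the 'permit ip' lines of the named ACL; other lines are ignored."""
    entries = []
    for line in lines:
        t = line.split()
        if t[:4] != ["access-list", acl_name, "permit", "ip"]:
            continue
        src, rest = _addr_spec(t[4:])
        dst, _ = _addr_spec(rest)
        entries.append((src, dst))
    return entries

def classify_flow(src_ip, dst_ip, nat0_entries, inside_routes):
    """Model of PIX 6.x inside->outside handling: replies need an inside route back to src;
    then the nat 0 exemption ACL is checked before the catch-all 'nat (inside) 1 0.0.0.0 0.0.0.0'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not any(src in net for net in inside_routes):
        return NO_ROUTE
    if any(src in s and dst in d for s, d in nat0_entries):
        return EXEMPT
    return PAT

# Constructed sample modelled on the poster's 'sh run | i nat' output; public IPs are RFC 5737 placeholders.
SAMPLE_NAT_CONFIG = [
    "access-list inside_nat0_outbound permit ip host 192.168.1.12 host 203.0.113.10",
    "access-list inside_nat0_outbound permit ip any 192.168.1.144 255.255.255.252",
    "access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0",
    "nat (inside) 0 access-list inside_nat0_outbound",
    "nat (inside) 1 0.0.0.0 0.0.0.0 0 0",
]
INSIDE_CONNECTED = [ipaddress.ip_network("192.168.1.0/24")]  # subnet on the PIX inside interface
# Assumed fix: 'route inside 192.168.3.0 255.255.255.0 192.168.1.1' pointing at the switch SVI.
INSIDE_WITH_VLAN3 = INSIDE_CONNECTED + [ipaddress.ip_network("192.168.3.0/24")]
```

Comparing `classify_flow("192.168.3.25", "198.51.100.7", ...)` against INSIDE_CONNECTED and INSIDE_WITH_VLAN3 shows why the poster could reach the PIX but not the internet until the route was added.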
 
LVL 3

Author Comment

by:Timothy Kashin
ID: 38767866
Actually, if I could trouble you for an answer to another question.  Again, I'm new to VLANs and such, but have done well with some reading, research and of course EE.  With a VLAN, is it possible to allow VLAN1 and VLAN3 access at the same port?  Example: the VoIP phone is connected to the RJ-45 jack at the workstation, and the PC is a pass-through from the VoIP (Polycom) phone.  If I wanted to put the phone on the 192.168.1.0 subnet and the PC on the 192.168.3.0 subnet, is that a possibility?
 
LVL 29

Expert Comment

by:Jan Springer
ID: 38767903
No.
 
LVL 3

Author Comment

by:Timothy Kashin
ID: 38767984
Well, that throws a wrench into the gears, but thanks for the answer.  The company I now work for built out a new office before I started and did it based upon the passthrough of the phones for the cabling, therefore only running 1 jack per cubicle/office.  This presents a major issue as far as voice quality as we move into that.  Once I am able to remove the PIX from the network, I will move to a Class B subnet instead of the Class C currently and that should resolve the issue somewhat.

Thanks again.