Pix506e, Cisco3750x and VLANs to NAT

I got much-needed help on configuring the switch to do IVR, and everything worked for the first subnet/VLAN. Now maybe someone can help me on how to get the VLAN to the pix and out to the web.

Internet -> PIX506e -> Cisco3750x -> corporate network

VLAN1 is 192.168.1.0/24 (3750x is 1.1 gateway, Pix is 1.2)
VLAN3 is 192.168.3.0/24

Switch handles all IVR and sends it to the pix.  I can ping the pix from a 192.168.3.x address but am not able to go through to the net.

I think I have to add a logical VLAN interface to the pix for 3.0 VLAN3 and I am not exactly sure how to do that.  Can someone point me in the right direction?  I'll be happy to post sanitized pix and router configs if necessary.

Thanks
Tim
Asked: Timothy Kashin

1 Solution

Jan Springer commented:
If the gateway for 192.168.3.0 is downstream of the PIX, then you need a route inside for that subnet and update NAT to allow that subnet out the outside with an external IP.

If the gateway for 192.168.3.0 is on the PIX, then you need another subinterface or vlan on the PIX for the gateway IP and update NAT to allow that subnet out the outside with an external IP.
Timothy Kashin (Infrastructure Manager, Author) commented:
The gateway for the 192.168.3.0 is on the switch at 192.168.1.1. Traffic from the switch is routed accordingly to its destination, either within the network to the server or out the internet gateway at the pix. I am able to ping the pix from a 192.168.3.x address, however the pix is not passing that traffic. The question is how do I add a VLAN interface to the pix and/or a NAT update in order to accomplish this?

Thanks
Jan Springer commented:
So you have 192.168.3.1 on the PIX as the gateway for the 192.168.3.0/24 subnet?

If that's the case, then all you need to do is make sure that 192.168.3.0/24 can NAT out.

    sh run | i nat

Timothy Kashin (Infrastructure Manager, Author) commented:
I have 192.168.1.0/24 and 192.168.3.0/24 on the switch. The pix is 192.168.1.2, the switch is 192.168.1.1.
Jan Springer commented:
Okay, then you just need to allow NAT and routing:

On the pix, route 192.168.3.0 to the inside interface 192.168.1.X IP on the switch and then do a "sh run | i nat" (no quotes).

Timothy Kashin (Infrastructure Manager, Author) commented:
The switch currently does route 192.168.3.0 via IVR to the pix; the pix just isn't NATting to the outside. From 192.168.3.0 addresses I can see the pix, I can even telnet to the pix from a 3.0 address. I'm not pix savvy and that seems to be my issue here.

Below is the "sh run | i nat" result from the pix before I make any changes:

access-list inside_nat0_outbound permit ip host 192.168.1.12 host 66.244.xxx.xxx
access-list inside_nat0_outbound permit ip any 192.168.1.144 255.255.255.252
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 host 207.7.xxx.xxx
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
isakmp nat-traversal 20
vpngroup VpnAccess4Chicago default-domain natxxxxxxx.com
vpdn username xxxxxxxxx password *********

Jan Springer commented:
On the PIX after attempting to get out the internet with 192.168.3.x:

sh log | i 192.168.3
sh xlate |i 192.168.3
sh route 192.168.3.0
Timothy Kashin (Infrastructure Manager, Author) commented:
I got it by adding the following to my pix:

route inside 192.168.3.0 255.255.255.0 192.168.1.2 CONNECT static

Thank you very much for the help, I guess I needed a push in the right direction and to slow down a minute and think it through more clearly!!

I'm gonna do a bit more thorough testing on the matter to make sure the VLAN interacts with the rest of the environment, but will accept your answer as the solution ultimately.

Thanks again,

Tim
Timothy Kashin (Infrastructure Manager, Author) commented:
Actually, if I could trouble you for an answer to another question. Again, I'm new to VLANs and such, but have done well with some reading, research and of course EE. With a VLAN, is it possible to allow VLAN1 and VLAN3 access at the same port? Example: a VoIP phone is connected to the RJ-45 jack at the workstation, and the PC is a pass-through from the VoIP (Polycom) phone. If I wanted to put the phone on the 192.168.1.0 subnet and the PC on the 192.168.3.0 subnet, is that a possibility?
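To see why the static inside route was the missing piece rather than NAT, here is an added example (not from the thread or from Cisco) that parses the posted "sh run | i nat" lines plus a route statement and reports what the PIX would do with a given inside host. The public addresses are replaced with documentation-range placeholders, the inside interface is assumed to be a connected /24, and the route's next hop is assumed to be the switch's inside address 192.168.1.1; all sample config is constructed.

```python
import ipaddress

# Constructed sample: nat/ACL lines as posted in the thread (public IPs replaced
# by documentation placeholders), the PIX's connected inside network, and a
# static inside route for VLAN3 pointing at the switch (assumed 192.168.1.1).
PIX_BEFORE = """
access-list inside_nat0_outbound permit ip host 192.168.1.12 host 203.0.113.10
access-list inside_nat0_outbound permit ip any 192.168.1.144 255.255.255.252
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
"""
FIX_ROUTE = "route inside 192.168.3.0 255.255.255.0 192.168.1.1 1\n"
INSIDE_CONNECTED = [ipaddress.ip_network("192.168.1.0/24")]


def _spec(t, i):  # one PIX address spec: any | host A | A MASK
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_pix(config):
    """Collect 'permit ip' ACL entries, nat statements and static routes."""
    cfg = {"acls": {}, "nat0": {}, "nat": [], "routes": []}
    for line in config.splitlines():
        t = line.split()
        if len(t) > 3 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, j = _spec(t, 4)
            cfg["acls"].setdefault(t[1], []).append((src, _spec(t, j)[0]))
        elif t[:1] == ["nat"] and t[3] == "access-list":  # nat (if) 0 access-list NAME
            cfg["nat0"][t[1]] = t[4]
        elif t[:1] == ["nat"]:  # nat (if) ID NET MASK ...
            cfg["nat"].append((t[1], int(t[2]), ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[:1] == ["route"]:  # route IF NET MASK NEXTHOP ...
            cfg["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)))
    return cfg


def diagnose(cfg, src_ip, dst_ip, connected=INSIDE_CONNECTED):
    """Say what the PIX does with traffic from inside host src_ip to dst_ip."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # Return path first: replies need an inside route covering the source subnet.
    inside = connected + [n for iface, n in cfg["routes"] if iface == "inside"]
    if not any(src in n for n in inside):
        return "no inside route for source: replies cannot return"
    acl = cfg["acls"].get(cfg["nat0"].get("(inside)"), [])  # nat 0 exemption wins
    if any(src in s and dst in d for s, d in acl):
        return "nat 0 exempt: forwarded untranslated"
    if any(src in pool for iface, nid, pool in cfg["nat"] if iface == "(inside)" and nid > 0):
        return "nat 1: translated to the outside address"
    return "no nat rule matches: dropped"
```

Running diagnose() against PIX_BEFORE for a 192.168.3.x host shows the route gap; appending FIX_ROUTE makes the same host fall through to the existing nat 1 rule.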
Jan Springer commented:
No.
Timothy Kashin (Infrastructure Manager, Author) commented:
Well, that throws a wrench into the gears, but thanks for the answer. The company I now work for built out a new office before I started and did it based upon the pass-through of the phones for the cabling, therefore only running 1 jack per cubicle/office. This presents a major issue as far as voice quality as we move into that. Once I am able to remove the PIX from the network, I will move to a Class B subnet instead of the Class C currently and that should resolve the issue somewhat.

Thanks again.