From: Chris Fike on 11 Oct 2006 13:00

Hello,

Please bear with me, I'm helping with an office transition from one company to another. In the process the old company wiped the configuration of the PIX 506. I'm trying to get everything up and running again.

We have a Cisco 2950 switch with 2 vlans (10 and 20). Port 24 is the trunk port, set as 802.1Q trunking. On the PIX, I can get vlan 1 to work fine. VLAN 2, I can ping the router, but can't get to the internet. VLAN2 from my understanding was set up to allow some videoconferencing equipment to work.

Here's part of the configuration:

PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 auto
interface ethernet1 vlan20 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan20 DMZ security50
access-list 100 permit tcp any host xx.xx.xx.2 eq smtp
access-list 100 permit tcp any interface outside eq www
access-list 100 permit tcp any interface outside eq https
access-list 100 permit tcp any interface outside eq 3389
ip address outside xx.xx.xx.2 255.255.255.248
ip address inside 172.30.40.254 255.255.255.0
ip address DMZ 172.30.70.254 255.255.255.0
global (outside) 10 interface
static (inside,outside) tcp interface www 172.30.40.2 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 3389 172.30.40.2 3389 netmask 255.255.255.255 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.1 1
route inside 172.30.40.0 255.255.255.255 172.30.40.254 1

I feel as though it's an access list/group issue, but I can't for the life of me get it figured out.
From: Walter Roberson on 11 Oct 2006 13:39

In article <1160586041.840303.208940(a)e3g2000cwe.googlegroups.com>, Chris Fike <cfike(a)mac.com> wrote:

> VLAN 2, I can ping the router, but can't get to the internet.

>PIX Version 6.3(5)
>interface ethernet0 10full
>interface ethernet1 auto
>interface ethernet1 vlan20 logical
>nameif ethernet0 outside security0
>nameif ethernet1 inside security100
>nameif vlan20 DMZ security50
>access-list 100 permit tcp any host xx.xx.xx.2 eq smtp
>access-list 100 permit tcp any interface outside eq www
>access-list 100 permit tcp any interface outside eq https
>access-list 100 permit tcp any interface outside eq 3389
>ip address outside xx.xx.xx.2 255.255.255.248

The first line of your ACL refers to host xx.xx.xx.2, and your ip address outside is given as xx.xx.xx.2 . If those are the same IP address, then your first line must be rewritten as

access-list 100 permit tcp any interface outside eq smtp

>ip address inside 172.30.40.254 255.255.255.0
>ip address DMZ 172.30.70.254 255.255.255.0
>global (outside) 10 interface
>static (inside,outside) tcp interface www 172.30.40.2 www netmask 255.255.255.255 0 0
>static (inside,outside) tcp interface 3389 172.30.40.2 3389 netmask 255.255.255.255 0 0
>access-group 100 in interface outside
>route outside 0.0.0.0 0.0.0.0 xx.xx.xx.1 1
>route inside 172.30.40.0 255.255.255.255 172.30.40.254 1

That route inside statement is redundant: it would be put in place automatically because of the 'ip address inside' (the range is the same as the inside address range, and the destination IP is the same as the PIX inside interface IP.)

>I feel as though it's an access list/group issue, but I can't for the
>life of me get it figured out.

The reason your VLAN2 cannot reach the outside is that you have not established any translation for it, at least not in the part you have shown. You haven't established any translation for most inside hosts either.

Try:

nat (inside) 10 172.30.40.0 255.255.255.0
nat (DMZ) 10 172.30.70.0 255.255.255.0

> VLAN 2, I can ping the router, but can't get to the internet.

You wouldn't be able to ping the router if you didn't have some kind of translation already in place. If you are trying to ping from inside or DMZ to outside hosts, I would recommend that you add

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any unreachable
access-list 100 permit icmp any any time-exceeded

These are needed because the PIX cannot reliably determine that any particular icmp message is a "response" to traffic that went outwards, so you have to configure the PIX as if the desirable icmp are "new" traffic inwards.
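The two defects the reply points at (no `nat` statement binding an inside-side interface to the `global (outside) 10` pool, and an ACL line that says `host <outside address>` where `interface outside` is meant) are easy to lint for mechanically. The checker below is an added example, not code from the thread or from Cisco; it parses only the handful of PIX 6.x line forms it needs, and the sample config is constructed from the thread's interfaces with a placeholder outside address (198.51.100.2) standing in for the masked xx.xx.xx.2.

```python
import re

# Constructed sample (not the poster's exact config): the thread's interfaces with a
# placeholder outside address and, as in the question, no 'nat' lines at all.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan20 DMZ security50
ip address outside 198.51.100.2 255.255.255.248
ip address inside 172.30.40.254 255.255.255.0
ip address DMZ 172.30.70.254 255.255.255.0
global (outside) 10 interface
access-list 100 permit tcp any host 198.51.100.2 eq smtp
"""

# Minimal patterns for the PIX 6.x lines this check needs (hypothetical, not a full parser).
NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
IPADDR = re.compile(r"^ip address\s+(\S+)\s+(\S+)\s")
GLOBAL = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\b")
NAT = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\b")
ACL_HOST = re.compile(r"^access-list\s+\S+\s+permit\s+\S+\s+\S+\s+host\s+(\S+)")


def check_pix_translation(config: str) -> list:
    """Return findings: interfaces with no nat bound to a global pool, and ACL 'host' entries that name an interface address."""
    levels, addrs, nat_ids, global_ids, host_targets = {}, {}, {}, set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAMEIF.match(line):
            levels[m.group(1)] = int(m.group(2))          # interface -> security level
        elif m := IPADDR.match(line):
            addrs[m.group(1)] = m.group(2)                # interface -> own address
        elif m := GLOBAL.match(line):
            global_ids.add(int(m.group(2)))               # pool ids a 'nat' can bind to
        elif m := NAT.match(line):
            nat_ids.setdefault(m.group(1), set()).add(int(m.group(2)))
        elif m := ACL_HOST.match(line):
            host_targets.append(m.group(1))
    findings = []
    lowest = min(levels.values(), default=0)
    for name, level in levels.items():
        # The lowest-security (outside) interface needs no outbound translation.
        if level > lowest and not (nat_ids.get(name, set()) & global_ids):
            findings.append(f"no 'nat ({name}) <id>' matches a global pool: hosts on {name} cannot reach outside")
    for target in host_targets:
        for name, addr in addrs.items():
            if target == addr:
                findings.append(f"ACL uses 'host {target}', the {name} interface address: use 'interface {name}'")
    return findings
```

Running it on the sample reports both inside and DMZ as untranslated plus the `host` line; appending the two `nat` statements from the reply and changing the ACL line to `interface outside` clears every finding.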
From: Chris Fike on 11 Oct 2006 14:31

OK, followed your suggestions and both vlans work as well as the video conferencing. Thank you very much.

As far as this comment:

> The reason your VLAN2 cannot reach the outside is that you have
> not established any translation for it, at least not in the part
> you have shown. You haven't established any translation for most inside
> hosts either.

Do I need to establish translation for the individual hosts? Keep in mind I've never claimed to be a Cisco expert.