
Cisco 2600, 2 Pix's, and a 2950


dbotts

Currently, I have a public facing 2600. The Ethernet interface is directly connected to a Pix 515, which in turn has 2 interfaces going to 2 separate VLANs. We have a need to install a wireless network for guests to use. But in order to install a 4th interface to the Pix, we would have to pony up $3200 for a license upgrade and int. card.

We have an older Pix 501 collecting dust. So my idea was to create 2 new VLANs. One new VLAN would be used to connect the 2600 (63.xxx.xxx.129/25), the 515 (63.xxx.xxx.130/25), and the 501 (63.xxx.xxx.132/25). I would then use PAT on the Pix 501, and use the 2nd new VLAN for an internal network for the wireless access points. Also, this guest network would be totally outside our internal networks.

So, I put my idea to the test, and everything seemed to be working fine, until about 4 hrs after I implemented. Users could not get to the internet from our internal networks. But I was on the wireless network, and I could reach the internet fine. I checked the switch, and the port the router was plugged into was blinking green/amber.

Does anyone have any tips on what to look for? I had the 3 ports the router and 2 Pixs used set to static, and auto. Also, is this a viable setup?

Thanks in advance.
 
1.) Make sure you're not having an IP address conflict.

2.) Are you doing NAT on the 2600 or on the PIXes? If on the 2600, you might have to look at your configuration and adjust for the new pix.
 
I'm thinking that it might be the speed & duplex. There's no reason your setup shouldn't work fine.
 
I am doing NAT (static on the server VLAN, dynamic on the user VLAN) on the Pix 515. I am doing PAT on the 501.


 
*bump*

What I did was eliminate the Pix 501 from the equation, and plugged the 2600 and Pix 515 into the switch. Everything worked fine.

I adjusted the port for the Pix 501 to 10mb half-duplex, and after running just the 2600 and 515 for a few days, I plugged the 501 into the switch on the same VLAN, and within 20 min, users could not get out to the internet from the internal network, but the wireless was fine. Unplugging the 501 and reloading the switch fixed the problem.

I am going to do some sniffing tomorrow, but I was hoping someone might have an idea what might be going on.
 
That doesn't sound right if you're plugging them into the same VLAN. It sounds like you are getting a spanning tree loop and this is causing a problem. Is wireless on a separate VLAN on the 2950? Are the users on, like, VLAN 1 and then you put the wireless users on VLAN 2? Make sure these are separate. This may be why you were seeing green and amber: it's caused by a loop and the switch is cutting off one side, and if your internet users are on the side where spanning tree blocked the loop and they couldn't get to their gateway, it would shut them down.
 
Stupid, stupid.

IP address conflict, as someone said earlier. Sorry for the runaround.
 