
Pix 506e Possible VLAN Question, and a little more


judgestone

IS-IT--Management
Oct 16, 2006
53
US
I will try not to rant, but I have a question concerning possible pix506e not understanding VLAN for routing of separate VLAN on inside interface. I will propose a simple scenario and would appreciate an answer since I have been working on this for a week to no avail.

Scenario:

1. Pix 506e - IP External: 209.XXX.XXX.XXX, IP Internal: 10.10.60.X

2. A DLink 3326SMR layer 3 switch with default VLAN - ports 23-24, IP: 10.10.60.254, VLAN2 - ports 1-4, IP: 192.168.2.254
Default Gateway for Default VLAN 10.10.60.X from Pix 506e. RIP is enabled and have set up Group VLANs to dynamically join other VLANs.

Here is my problem. I can from the switch ping the interface addresses of both VLANs (10.10.60.X, 10.10.60.254, 192.168.2.254) and can ping a laptop with an IP Address of 192.168.2.8 in port 1 on VLAN2.

From the laptop 192.168.2.8 I can ping 10.10.60.254, 192.168.2.254, and another laptop with an IP Address of 10.10.60.8 in default VLAN port 23. I cannot ping past the switch's 10.10.60.254 interface.

I know this may be a Dlink problem; but a few people have said that the Pix may not understand anything coming from the 192.168.X.X subnet since it isn't a VLAN of the Pix.

I have tried setting up a 192.168.2.0 host/network and a 192.168.2.1 VLAN on the inside interface of the Pix. I have tried pinging anything outside of my 10.10.60.254 and still to no avail.

I just want the 192.168.2.X network to be able to see all VLANs (Which it can as long as it is internal to the switch) and also be able to connect to the internet.

I have tried setting static routes in the DLink a couple of ways, such as 192.168.2.0/25 DGW: 10.10.60.254, 192.168.2.0/24 DGW: 10.10.60.X (the switch's DGW), 192.168.2.0/24 DGW: 192.168.2.1 (the Pix's VLAN inside interface); all will not allow connectivity to the internet.

I could just set all to 10.10.60.X since it is a small company; but now it has become a spite/general cause issue.

Any help or questions will be greatly appreciated.
 
Out of curiosity, I have noticed that the 506 only allows 2 VLANs. So I assume I would have to create one VLAN for each VLAN I have on my switch. If I have 192.168.2.X, 3.X, 4.X, 5.X, etc., then if I only create 192.168.2.X and 3.X, and they possibly worked, then 4.X, and 5.X, etc. are out of luck?

I just took over this IT Coordinator position from someone else, and they had no clue as to what was needed or how to set up any type of network. They bought what was sold to them and configured by someone else, versus what was needed or how to set up/plan and organize their network needs. I am limited to already purchased equipment with goals that seem to exceed what equipment we have.
 
Actually, my first instinct would be to sell the dlink and pix on Ebay, and replace them with a 1721 router, depending upon how the business wants to scale, and a Cat 2950 switch. I am not familiar with PIX, so can you tell me how the PIX is limited to setting up only 2 VLANs? Can you only set up 2 subinterfaces, or is it even doing 802.1q? Please inform.

Tim
 
From the above link, the 506e is limited to 4 total interfaces and 2 virtual interfaces. Unless I'm confused, each interface on a VLAN has to have an IP address and you cannot set multiple IPs on the native interface, and then that would only allow you to create VLAN2 and VLAN3 since 1 is default.
 
I also hear ya on the sell the pix and dlink, but I used to work for the government and getting equipment was no problem regardless of cost; but out in the corporate world with a SMB it is hard to justify the expenditure of the needed equipment. Their main goal is to make money versus spend money, and they also don't really understand why they need all this stuff, regardless of how you explain it to them.
 
Understood. I am sure you would have by now if you could. These guys sound like they're flying by the seat of their pants.

Tim
 
I got it figured out; it was a routing problem between the pix and the dlink layer 3 switch. I had to add the host to the inside interface and put a default gw of the dlink switch for the host. All works great now, at least at one location. I haven't done the other locations for internal vlans, and haven't got the pix's talking to each other from site to site when on one of the vlans created on the switch. If you are on the main subnet there is no problem; but if you are on another subnet on the switch, you can't reach the other sites. I will get to that next week hopefully. I'm just in a testing stage now and all is ok except for what needs to be done. It only really affects me and not the end users right now, and I can deal with it until I can get more time to get to the remote sites, etc.
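Added example, not part of the original thread: a small longest-prefix-match model of the firewall's routing table, showing why replies to 192.168.2.8 never came back until the firewall had a route for 192.168.2.0/24 via the switch at 10.10.60.254. The /24 masks, the `isp-gateway` placeholder and treating the poster's fix as a static inside route are assumptions.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match; returns (interface, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return None if best is None else (best[1], best[2])

# Constructed routing table for the firewall as first described in the thread:
# only the directly connected inside subnet plus a default route outside.
# /24 masks are assumed; "isp-gateway" is a placeholder, not a value from the page.
PIX_BEFORE = [
    ("10.10.60.0/24", "inside", "connected"),
    ("0.0.0.0/0", "outside", "isp-gateway"),
]

# Assumed form of the fix: the 192.168.2.0/24 network is made known on the
# inside interface with the layer 3 switch (10.10.60.254) as its gateway.
# On PIX CLI this corresponds to a static route of the form:
#   route inside 192.168.2.0 255.255.255.0 10.10.60.254
PIX_AFTER = PIX_BEFORE + [("192.168.2.0/24", "inside", "10.10.60.254")]

def reply_reaches_client(routes, client_ip):
    """True when the firewall sends a reply for client_ip back out the inside."""
    hit = lookup(routes, client_ip)
    return hit is not None and hit[0] == "inside"

def explain(routes, client_ip):
    iface, hop = lookup(routes, client_ip)
    verdict = "delivered" if iface == "inside" else "lost (wrong interface)"
    return f"reply to {client_ip}: out {iface} via {hop} -> {verdict}"

if __name__ == "__main__":
    for name, table in (("before", PIX_BEFORE), ("after", PIX_AFTER)):
        print(name)
        for client in ("10.10.60.8", "192.168.2.8"):
            print("  " + explain(table, client))
```

The same gap applies to every further subnet routed by the switch: each one needs its own inside route (and a matching translation or exemption rule) on the firewall, independent of the 506e's limit on VLAN interfaces.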
 