
VLAN with PIX 506 and Catalyst 3550


aleonhardt

Technical User
May 12, 2003
60
GB
Hi!

I've got a problem with configuring the Catalyst to allow traffic to the PIX from the "normal" network and from a dedicated port where a web server is supposed to be.

I know that I need to put the interface the PIX is connected to into trunk mode, and the interface for the server should be working in normal "access" mode, but for some reason, each time I enable the trunk (ISL or dot1q) it just drops all packets to the PIX.

Does anybody have an example config?

Thanks!
Alex
 
Here are my configs. What I need to do is set up the DMZ over a VLAN with the Cisco PIX 506E and the Catalyst 3550.

Catalyst Config
----------
#sh run
Building configuration...

Current configuration : 3577 bytes
!
! Last configuration change at 21:15:59 BST Mon Oct 17 2005
! NVRAM config last updated at 19:38:42 BST Mon Oct 3 2005
!
version 12.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname #####
!
enable secret 5 $1$fGY9$p2J6ZorhtO5Cc2GB3Z3ZT0
!
clock timezone BST 1
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause gbic-invalid
errdisable recovery interval 120
no ip subnet-zero
no ip domain-lookup
!
!
spanning-tree portfast bpduguard default
spanning-tree extend system-id
!
mac access-list extended blockports
deny host 1234.5678.90ab host 5678.90ab.cdef
deny host 1234.5678.90ac host 5678.90ab.cdef
deny host 1234.5678.90ad host 5678.90ab.cdef
deny any any
!
define interface-range all FastEthernet0/1 - 24
!
interface FastEthernet0/1
no ip address
spanning-tree portfast
!
interface FastEthernet0/10
no ip address
spanning-tree portfast
!
interface FastEthernet0/11
switchport trunk pruning vlan none
no ip address
spanning-tree portfast
!
interface FastEthernet0/12
description GLWEB
switchport access vlan 3
switchport mode access
no ip address
spanning-tree portfast
!
interface FastEthernet0/13
no ip address
spanning-tree portfast
!
interface FastEthernet0/24
no ip address
spanning-tree portfast
!
interface GigabitEthernet0/1
no ip address
!
interface GigabitEthernet0/2
no ip address
!
interface Vlan1
ip address 10.29.1.5 255.255.255.0
no ip route-cache
!
interface Vlan3
description ###########
ip address 10.29.64.254 255.255.255.0
no ip route-cache
!
ip default-gateway 10.29.1.254
no ip http server
!
ip access-list extended testblocking
!
logging history size 100
snmp-server engineID local 800000090300000AF49A8901
snmp-server community GCHQ161 RO
!
line con 0
exec-timeout 3 0
password 7 ########
login
line vty 0 4
exec-timeout 3 0
password 7 ##########
login
line vty 5 15
exec-timeout 3 0
password 7 #######
login
!
ntp clock-period 17180417
ntp server 204.70.128.1
end

*******************************************


PIX config
-----------
sh ver

Cisco PIX Firewall Version 6.3(4)
Cisco PIX Device Manager Version 3.0(2)

Compiled on Fri 02-Jul-04 00:07 by morlee

fw up 14 hours 42 mins

Hardware: PIX-506E, 32 MB RAM, CPU Pentium II 300 MHz
Flash E28F640J3 @ 0x300, 8MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 0015.6280.bdc1, irq 10
1: ethernet1: address is 0015.6280.bdc2, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
Maximum Physical Interfaces: 2
Maximum Interfaces: 2
Cut-through Proxy: Enabled
Guards: Enabled
URL-filtering: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
IKE peers: Unlimited

This PIX has a Restricted (R) license.

Serial Number: 809350272 (0x303db480)
Running Activation Key: #################
Configuration last modified by enable_15 at 11:22:03.550 UTC Mon Oct 17 2005

fw# sh run
: Saved
:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan3 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan3 DMZ security50
enable password ###### encrypted
passwd #### encrypted
hostname fw###
domain-name dom.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 10.29.64.1 web
object-group network sites
network-object 195.0.0.0 255.255.224.0
network-object 212.0.0.0 255.255.224.0
network-object 62.0.0.0 255.255.224.0
network-object 193.0.0.0 255.255.254.0
network-object 62.0.0.0 255.255.255.0
network-object 195.0.0.0 255.255.254.0
object-group network site
network-object 62.0.0.0 255.255.255.192
network-object 217.0.0.0 255.255.255.240
access-list 100 permit ip 10.29.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 10.29.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 10.29.1.0 255.255.255.0 10.29.2.0 255.255.255.0
access-list nonat permit ip 10.29.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list nonat permit ip 10.29.1.0 255.255.255.0 10.29.5.0 255.255.255.0
access-list nonat permit ip 10.29.1.0 255.255.255.0 10.29.100.0 255.255.255.0
access-list nonat permit ip 10.29.1.0 255.255.255.0 10.29.4.0 255.255.255.0
access-list nonat permit ip 10.29.1.0 255.255.255.0 10.29.11.0 255.255.255.0
access-list 120 permit ip 10.29.1.0 255.255.255.0 10.29.2.0 255.255.255.0
access-list site1 permit ip 10.29.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 140 permit ip 10.29.1.0 255.255.255.0 10.29.5.0 255.255.255.0
access-list site2 permit ip 10.29.1.0 255.255.255.0 10.29.4.0 255.255.255.0
access-list site permit ip 10.29.1.0 255.255.255.0 10.29.11.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging console warnings
logging monitor debugging
logging buffered notifications
logging trap notifications
logging history notifications
logging queue 1096
no logging message 111009
no logging message 111008
no logging message 304001
no logging message 111005
no logging message 111007
icmp permit any DMZ
mtu outside 1500
mtu inside 1500
ip address outside 217.0.0.0 255.255.255.252
ip address inside 10.29.1.254 255.255.255.0
ip address DMZ 10.29.64.253 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool pptp-pool 10.29.100.1-10.29.100.255
pdm location 62.0.0.0 255.255.255.0 outside
pdm location 62.0.0.0 255.255.224.0 outside
pdm location 193.0.0.0 255.255.254.0 outside
pdm location 195.0.0.0 255.255.224.0 outside
pdm location 195.0.0.0 255.255.254.0 outside
pdm location 212.0.0.0 255.255.224.0 outside
pdm location 10.29.1.3 255.255.255.255 inside
pdm location 10.29.1.4 255.255.255.255 inside
pdm location 10.29.1.6 255.255.255.255 inside
pdm location 10.29.1.7 255.255.255.255 inside
pdm location 10.29.1.8 255.255.255.255 inside
pdm location 10.29.1.253 255.255.255.255 inside
pdm location 10.29.3.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 10.0.0.0 255.255.255.0 outside
pdm location 10.1.1.0 255.255.255.0 outside
pdm location 10.29.2.0 255.255.255.0 outside
pdm location 10.29.4.0 255.255.255.0 outside
pdm location 10.29.5.0 255.255.255.0 outside
pdm location 10.29.11.0 255.255.255.0 outside
pdm location 10.29.100.0 255.255.255.0 outside
pdm location 81.0.0.0 255.255.255.255 outside
pdm location 217.0.0.0 255.255.255.255 outside
pdm location 217.0.0.0 255.255.255.255 outside
pdm location 10.0.0.0 255.255.255.255 DMZ
pdm group ### outside
pdm logging informational 100
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.29.1.0 255.255.255.0 0 0
nat (inside) 1 10.29.3.0 255.255.255.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (DMZ) 1 10.29.64.1 255.255.255.255 0 0

conduit permit icmp any any
conduit permit tcp host 10.29.64.1 eq
route outside 0.0.0.0 0.0.0.0 217.150.100.121 1
route inside 10.29.3.0 255.255.255.0 10.29.1.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set weak esp-des esp-md5-hmac
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address 120
crypto map newmap 20 set peer 213.0.0.0
crypto map newmap 20 set transform-set strong
crypto map newmap 30 ipsec-isakmp
crypto map newmap 30 match address site1
crypto map newmap 30 set peer 81.0.0.0
crypto map newmap 30 set transform-set strong
crypto map newmap 40 ipsec-isakmp
crypto map newmap 40 match address 140
crypto map newmap 40 set peer 217.0.0.0
crypto map newmap 40 set transform-set strong
crypto map newmap 50 ipsec-isakmp
crypto map newmap 50 match address site2
crypto map newmap 50 set peer 212.0.0.0
crypto map newmap 50 set transform-set strong
crypto map newmap 60 ipsec-isakmp
crypto map newmap 60 match address site
crypto map newmap 60 set peer 62.0.0.0
crypto map newmap 60 set transform-set strong
crypto map newmap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000
telnet 10.29.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 50
console timeout 0
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 ppp encryption mppe 128
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn enable outside
terminal width 80
Cryptochecksum:#####################################
: end
fw#
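One way to configure the two sides so that the inside VLAN rides untagged and the DMZ VLAN rides tagged over the same trunk, shown as an added example rather than a reply from this thread or the poster's own config; interface numbers and addresses are taken from the posted configs, the VLAN name "DMZ" is assumed, and the encapsulation point is the first thing to check when a trunk toward a PIX drops everything.

```text
! Catalyst 3550 (added example; interface numbers and addresses from the posted config)
! The PIX 6.3 tags with 802.1Q only, so set dot1q explicitly: the 3550's default
! "negotiate" encapsulation prefers ISL when the peer does not speak DTP, and the
! PIX then drops every frame it receives on that port.
vlan 3
 name DMZ
!
interface FastEthernet0/11
 description trunk to PIX ethernet1 (inside untagged, DMZ tagged)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,3
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
!
interface FastEthernet0/12
 description GLWEB
 switchport access vlan 3
 switchport mode access
 spanning-tree portfast
!
! Keep IP routing disabled on the 3550 (the default, and the only mode in which
! "ip default-gateway" applies) so the Vlan3 SVI cannot route between VLAN 1 and
! VLAN 3 around the PIX; removing "interface Vlan3" closes that path completely.
!
: PIX 6.3 side (these lines are already in the posted config): untagged frames
: from the native VLAN arrive on physical ethernet1 (inside); frames tagged
: VLAN 3 arrive on the logical interface named DMZ.
interface ethernet1 auto
interface ethernet1 vlan3 logical
nameif ethernet1 inside security100
nameif vlan3 DMZ security50
ip address inside 10.29.1.254 255.255.255.0
ip address DMZ 10.29.64.253 255.255.255.0
!
! Checks after the change
! Catalyst: Fa0/11 should report status "trunking", encapsulation 802.1q,
! native VLAN 1 and allowed VLANs 1,3
show interfaces fastethernet0/11 trunk
: PIX: both "inside" and "DMZ" should be up, with packet counters increasing on vlan3
show interface
```

If the trunk output still shows ISL, the PIX side cannot decode it; only 802.1Q counts as working here.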