PIX 506e Vlan DMZ issues

Hi everyone, I hope someone can point me in the right direction. I have a T1 line coming into an Adtran router that's doing nothing but routing traffic from my outside WAN/serial to my inside public Ethernet. I have a PIX 506e that I want to configure with a DMZ using Vlans. My E0 is my outside 67.xxx.xxx.xxx address; the E1 is configured as my inside 10.0.0.0 network and my 172.16.0.0 DMZ Vlan 2 network (the DMZ is hosting an FTP server). I have a layer 2 switch. I think I'm having issues with tagged/untagged packets, or maybe a trunk issue, because if I remove the Vlan 2 DMZ the PIX works fine. Someone told me that without a layer 3 switch ($$$) or another router this won't work. I was told I could buy an old 2500 series router and create a router on a stick, but it seems to me like this would be a common setup to have to go through all this hassle for. Any thoughts?

Reply to
lpassarella

You don't say what happens when it is configured?

interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside sec0
nameif ethernet1 inside sec100
nameif vlan2 dmz sec50
ip address outside 67.xxx.xxx.xxx 255.255.?.?
ip address inside 10.0.0.x 255.255.?.?
ip address dmz 172.16.0.x 255.255.?.?

The result of this is that all packets out of ethernet1 that are in the 10.0.0.0 network will -not- be tagged, but all packets out ethernet1 in 172.16.0.0 *will* be tagged.

You would connect ethernet1 to your layer2 switch and have the port configured as a trunk, with the native vlan number corresponding to the one you want to carry 10.0.0.0 traffic, and with the port configured to carry that vlan # and vlan #2. All of your other ports would be set to be untagged members of either that vlan (for regular hosts) or of vlan #2 (for the connections to the DMZ hosts.)

As long as your layer 2 switch is able to handle 802.1Q trunks and untagged 802.1Q ports, you do NOT need a layer 3 switch or router.

Reply to
Walter Roberson

Thanks Walter, I didn't think that you could configure a single switch port to carry both tagged and untagged packets. I'll try it. What happened was that if I configured the port for untagged it SEEMED to drop all of my DMZ packets; if I configured it tagged it dropped my inside stuff. I'm using a Linksys SRW248G4 switch, if that sheds any light on anything. Thanks guys.

Reply to
lpassarella

This is how the manual describes the Vlan settings.

The VLAN Interface Settings screen lets you define properties of the interfaces that are associated with VLANs.

Interface: This is the physical address of the interface, Port or LAG.

Interface VLAN Mode: One of the following VLAN modes will appear:
- General - The port belongs to VLANs, and each VLAN is user-defined as tagged or untagged (full 802.1q mode).
- Access - The port belongs to a single, untagged VLAN. When a port is in Access mode, the packet types accepted on the port cannot be designated. Ingress filtering cannot be enabled/disabled on an access port.
- Trunk - The port belongs to VLANs in which all ports are tagged (except for one port that can be untagged).

Reply to
lpassarella

802.1Q requires that the "native" VLAN on a trunk *NOT* be tagged even though everything else is.

But if your switch can't handle that, then change

interface ethernet1 auto

to

interface ethernet1 auto
interface ethernet1 vlan1 physical

That will cause the packets on ethernet1 to go out tagged with ID#1 (except for the ones that are part of any 'logical' VLAN on the interface.)

Reply to
Walter Roberson
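To make the two tagging behaviours Walter describes concrete (inside untagged on the native VLAN with the DMZ tagged as VID 2, versus tagging inside as VID 1 with "interface ethernet1 vlan1 physical"), here is an added model of 802.1Q frames meeting the Linksys port modes from the manual excerpt. It is example code written for this thread, not PIX or switch code; the MAC addresses and the simplified access/trunk semantics are constructed assumptions.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q-tagged frame

# Constructed sample MAC addresses (not taken from the thread).
PIX_E1 = bytes.fromhex("0200000000e1")
HOST = bytes.fromhex("020000000001")

def build_frame(vid: Optional[int], payload: bytes = b"ip") -> bytes:
    """Ethernet frame leaving the PIX E1 port; vid=None means untagged."""
    hdr = HOST + PIX_E1
    if vid is not None:
        # TCI = PCP(3) | DEI(1) | VID(12); priority bits left at zero
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", 0x0800) + payload   # 0x0800 = IPv4

def parse_vid(frame: bytes) -> Optional[int]:
    """VID of a tagged frame, None when no 802.1Q tag is present."""
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None

def switch_port(frame: bytes, mode: str, native: Optional[int],
                allowed: set) -> Optional[int]:
    """VLAN a frame lands in on a switch port, or None if the port drops it.
    access: one untagged VLAN, tagged frames dropped.
    trunk:  tagged frames with an allowed VID accepted; untagged frames go
            to the native VLAN, or are dropped when the trunk has none."""
    vid = parse_vid(frame)
    if mode == "access":
        return native if vid is None else None
    if vid is None:
        return native           # None here == dropped (all-tagged trunk)
    return vid if vid in allowed else None

def pix_to_switch(inside_vid: Optional[int], mode: str, native: Optional[int],
                  allowed: set) -> dict:
    """Where the PIX inside (10.0.0.0) and vlan2 logical DMZ (172.16.0.0)
    traffic ends up. inside_vid=None models 'interface ethernet1 auto'
    (inside untagged); inside_vid=1 models 'interface ethernet1 vlan1 physical'."""
    inside = build_frame(inside_vid)
    dmz = build_frame(2)
    return {"inside": switch_port(inside, mode, native, allowed),
            "dmz": switch_port(dmz, mode, native, allowed)}

if __name__ == "__main__":
    print(pix_to_switch(None, "access", 1, set()))     # inside ok, dmz dropped
    print(pix_to_switch(None, "trunk", 1, {1, 2}))     # both carried
```

The first two cases in the test reproduce the symptom from the thread (an untagged-only port loses the DMZ, an all-tagged trunk loses inside); the last two show the native-VLAN trunk and the vlan1 physical alternative both carrying both networks.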

Thanks again Walter I'll try again this afternoon.

Reply to
lpassarella

Sorry, didn't get a chance to play with this till today, but no, I still can't get it to work. I feel like I'm missing something. What is going to route the traffic between the physical E1 10.xxx.xxx.xxx network and the logical E1 172.16.xxx.xxx network? I've tried tagged for both networks on the switch, untagged for both, and I've created another vlan as a physical on E1 as vlan3 because the switch's native (which can't be changed) is vlan1 untagged, and nothing seems to work. Maybe some sort of RIP config on the PIX that would take a packet up the port as one network, then bring it down the same port into the trunk as another?

Reply to
lpassarella

Please quote context; very few of us use googlegroups as our news reader, so we do not have the previous postings "right there" to look at.

The PIX is going to do that routing. The PIX automatically adds routes corresponding to the IP address ranges for all of its interfaces.

PIX can emit RIP default routes towards the LANs, but nothing more detailed.

Try using "debug icmp trace" and try using the capture command to see what is actually happening with those interfaces.

Reply to
Walter Roberson

Trying to figure out the commands you stated, but in the meantime I thought I'd post up the current config I'm running with. Thanks for looking at this mess.

Building configuration...
: Saved
:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan2 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQjbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name Xtechs.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list outside permit icmp any any echo-reply
access-list outside permit icmp any any time-exceeded
access-list outside permit icmp any any traceroute
access-list dmz permit tcp any host ftp eq ftp
access-list inside_in permit tcp 10.0.0.0 255.255.255.0 any eq pop3
access-list inside_in permit tcp 10.0.0.0 255.255.255.0 any eq smtp
access-list inside_in permit tcp 10.0.0.0 255.255.255.0 any eq https
access-list inside_in permit tcp 10.0.0.0 255.255.255.0 any eq 1443
access-list inside_in permit tcp 10.0.0.0 255.255.255.0 any eq 1433
access-list inside_in permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list inside_in permit tcp 10.0.0.0 255.255.255.0 172.16.0.0 255.255.0.0 eq ftp
access-list dmz_in permit tcp 172.16.0.0 255.255.0.0 any eq ftp
access-list outside_in deny ip 0.0.0.0 255.0.0.0 any
access-list outside_in deny ip 10.0.0.0 255.0.0.0 any
access-list outside_in deny ip 127.0.0.0 255.0.0.0 any
access-list outside_in deny ip 172.16.0.0 255.240.0.0 any
access-list outside_in deny ip 192.168.0.0 255.255.0.0 any
access-list outside_in deny ip 224.0.0.0 224.0.0.0 any
pager lines 24
logging on
logging timestamp
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap debugging
logging facility 23
mtu outside 1500
mtu inside 1500
ip address outside 67.128.xxx.xxx 255.255.255.240
ip address inside 10.0.xxx.xxx 255.255.255.0
ip address dmz 172.16.xxx.xxx 255.255.0.0
ip audit name Default attack action alarm drop
ip audit name Default-Info info action alarm
ip audit interface outside Default-Info
ip audit interface outside Default
ip audit info action alarm
ip audit attack action alarm
ip local pool travelpool 10.99.0.1-10.99.0.24 mask 255.255.255.0
arp timeout 14400
global (outside) 1 67.128.xxx.xxx
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
static (dmz,outside) ftp 172.16.xxx.xxx netmask 255.255.255.255 0 0
access-group dmz in interface outside
access-group inside_in in interface inside
rip inside default version 1
route outside 0.0.0.0 0.0.0.0 67.128.xxx.xxx 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp enable outside
isakmp nat-traversal 1800
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ontheroadagain address-pool travelpool
vpngroup ontheroadagain idle-time 1800
vpngroup ontheroadagain password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80

Reply to
lpassarella

I found this on Cisco's site; they have the vlan setup on E0 vs E1.

formatting link

Reply to
lpassarella

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.