Velocity Reviews - Computer Hardware Reviews

VLANs on Cisco PIX 506e

 
 
dilan.weerasinghe@gmail.com
 
      09-02-2006
Good morning

We currently have a Cisco PIX 506e connected to a couple of managed
3Com switches. We also have a PIX-PIX VPN to our HQ in Africa, and
users can VPN to the network using the VPN client on their Windows XP
laptop.

I'd like to implement VLANs on our network.

We're going to upgrade to 6.3(4) to facilitate this.

http://www.cisco.com/en/US/products/....html#wp159177

However, quoting from the document;

"When 506 and 506E are used as VPN hardware clients, logical interfaces
on the 506/506E cannot be used to initiate a VPN tunnel."

Does this mean that we would be unable to carry on with our PIX-PIX VPN
to HQ, or is there a way around this?

Many thanks in advance.

 
 
 
 
 
Walter Roberson
 
      09-02-2006
In article <(E-Mail Removed) .com>,
<(E-Mail Removed)> wrote:

>We currently have a Cisco PIX 506e connected to a couple of managed
>3Com switches. We also have a PIX-PIX VPN to our HQ in Africa, and
>users can VPN to the network using the VPN client on their Windows XP
>laptop.



>I'd like to implement VLAN's on our network.


>We're going to upgrade to 6.3(4) to facilitate this.


No, upgrade to 6.3(5)112 --
http://www.cisco.com/en/US/products/...0806824ec.html


>However, quoting from the document;
>"When 506 and 506E are used as VPN hardware clients, logical interfaces
>on the 506/506E cannot be used to initiate a VPN tunnel."


>Does this mean that we would be unable to carry on with our PIX-PIX VPN
>to HQ, or is there a way around this?


The line is saying that you would be able to start a VPN tunnel
from an interface which is not a VLAN.

Tunnels to remote locations are always connected to a lower security
interface, usually the outside interface. If you were planning on
configuring your switches so that the lower security interface was
connected to the switch -only- through the tagged VLAN (e.g., you
would not configure an IP address on ethernet0, only on
the VLAN that you have overlaying ethernet0), then Don't Do That.

Configure an IP address on ethernet0 (the "outside" interface) and
connect it to the 3COM switch. If that is the only broadcast domain
(vlan) configured on that wire, then configure that port on the 3COM
as an access port -- a non-tagged interface, which you can make a
part of any necessary VLAN at the 3COM level. For inbound traffic,
the 3COM would strip the VLAN tag off before sending it to the PIX
outside interface, and the PIX doesn't need to have any idea that
further out in your infrastructure there is VLANing going on.

If there are multiple broadcast domains (vlans) configured on the
wire that connects the PIX outside interface to the 3COM, then
configure that port on the 3COM as a trunk port, but take the
VLAN number that is carrying the inbound internet traffic and
configure that on the 3COM as the "native" VLAN for that trunk port.
802.1Q -requires- that the VLAN tag be stripped off of the
"native" VLAN for any port; this gets you back to the situation
above, except allowing you to add one or more VLANs onto
ethernet0 at the PIX level and that the tags for those would *not* be
stripped off (because they wouldn't be the native vlan number for the
trunk.)

Keep in mind, by the way, that the PIX 506 and 506E only support
2 VLANs in addition to the 2 physical interfaces.
 
 
 
 
 
dilan.weerasinghe@gmail.com
 
      09-02-2006

Walter Roberson wrote:
> In article <(E-Mail Removed) .com>,
> <(E-Mail Removed)> wrote:
>
> >We currently have a Cisco PIX 506e connected to a couple of managed
> >3Com switches. We also have a PIX-PIX VPN to our HQ in Africa, and
> >users can VPN to the network using the VPN client on their Windows XP
> >laptop.

>
>
> >I'd like to implement VLAN's on our network.

>
> >We're going to upgrade to 6.3(4) to facilitate this.

>
> No, upgrade to 6.3(5)112 --
> http://www.cisco.com/en/US/products/...0806824ec.html
>
>
> >However, quoting from the document;
> >"When 506 and 506E are used as VPN hardware clients, logical interfaces
> >on the 506/506E cannot be used to initiate a VPN tunnel."

>
> >Does this mean that we would be unable to carry on with our PIX-PIX VPN
> >to HQ, or is there a way around this?

>
> The line is saying that you would be able to start a VPN tunnel
> from an interface which is not a VLAN.


I read it as meaning that I couldn't start a VPN tunnel on an interface
that was on a VLAN? I know this is similar to what you're saying, but
am I thinking along the right lines?

>
> Tunnels to remote location are always connected to a lower security
> interface, usually the outside interface. If you were planning on
> configuring your switches so that the lower security interface was
> connected to the switch -only- through the tagged VLAN (e.g., you
> would not configure an IP address on ethernet0, only on
> the VLAN that you have overlaying ethernet0), then Don't Do That
>
> Configure an IP address on ethernet0 (the "outside" interface) and
> connect it to the 3COM switch. If that is the only broadcast domain
> (vlan) configured on that wire, then configure that port on the 3COM
> as an access port -- a non-tagged interface, which you can make a
> part of any necessary VLAN at the 3COM level. For inbound traffic,
> the 3COM would strip the VLAN tag off before sending it to the PIX
> outside interface and the PIX doesn't need to have any idea that
> further out in your infrastructure that there is VLANing going on.
>
> If there are multiple broadcast domains (vlans) configured on the
> wire that connects the PIX outside interface to the 3COM, then
> configure that port on the 3COM as a trunk port, but take the
> VLAN number that is carrying the inbound internet traffic and
> configure that on the 3COM as the "native" VLAN for that trunk port.
> 802.1Q -requires- that the VLAN tag be stripped off of the
> "native" VLAN for any port; this gets you back to the situation
> above, except allowing you to add one or more VLANs onto
> ethernet0 at the PIX level and that the tags for those would *not* be
> stripped off (because they wouldn't be the native vlan number for the
> trunk.)
>
> Keep in mind, by the way, that the PIX 506 and 506E only support
> 2 VLANs in addition to the 2 physical interfaces.


I'm hoping to set up 2 VLANs on the inside (i.e. LAN) interface of the
PIX. One VLAN will be for the general network and one VLAN for our
wireless network. Seeing as I'm setting up the VLANs on the inside
interface (VPN tunnels are configured for the outside interface), I'm
assuming that this will be ok in relation to our VPN tunnel to Africa
and the Cisco quote does not apply here?

Thanks,
Dilan

 
 
Walter Roberson
 
      09-02-2006
In article <(E-Mail Removed) .com>,
<(E-Mail Removed)> wrote:
>I'm hoping to set up 2 VLANs on the inside (i.e. LAN) interface of the
>PIX. One VLAN will be for the general network and one VLAN for our
>wireless network. Seeing as I'm setting up the VLANs on the inside
>interface (VPN tunnels are configured for the outside interface), I'm
>assuming that this will be ok in relation to our VPN tunnel to Africa
>and the Cisco quote does not apply here?


Correct.

The effect is this:

Any crypto map policy you attach to a vlanXXX interface must not have
a 'set peer' statement. But you could attach a crypto map
policy with a 'set peer' to the underlying ethernet interface.
 
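The layout Walter describes, as an added PIX 6.3 configuration fragment (not from the thread and not Cisco's own example): two logical VLANs overlay the inside port, while the site-to-site crypto map with its 'set peer' stays on the physical outside interface. VLAN IDs, interface names, security levels, addresses and the peer address are assumed placeholders, and the ISAKMP policy and pre-shared key lines are omitted.

```text
! Added example, not from the thread. Placeholder VLAN IDs, names,
! security levels and addresses; ISAKMP policy/key lines omitted.

! Physical interfaces keep their own IP addresses.
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 198.51.100.2 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0

! Two logical VLANs overlaying ethernet1 (the 506/506E limit is two
! logical interfaces). Each needs a security level that no other
! interface already uses, so traffic between them crosses levels.
interface ethernet1 vlan10 logical
interface ethernet1 vlan20 logical
nameif vlan10 lan security80
nameif vlan20 wireless security60
ip address lan 192.168.10.1 255.255.255.0
ip address wireless 192.168.20.1 255.255.255.0

! Site-to-site tunnel to HQ: the crypto map carrying 'set peer' is
! bound to the physical outside interface, not to a vlanXXX interface.
access-list VPN_TO_HQ permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
crypto map HQMAP 10 ipsec-isakmp
crypto map HQMAP 10 match address VPN_TO_HQ
crypto map HQMAP 10 set peer 203.0.113.1
crypto map HQMAP 10 set transform-set ESP_3DES_SHA
crypto map HQMAP interface outside
isakmp enable outside
```

Traffic between the lan and wireless VLANs still needs the usual nat/static and access-list entries, since they are separate interfaces at different security levels.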
 
john smith
 
      09-03-2006
On Sat, 02 Sep 2006 02:47:48 -0700, dilan.weerasinghe wrote:

> Good morning
>
> We currently have a Cisco PIX 506e connected to a couple of managed
> 3Com switches. We also have a PIX-PIX VPN to our HQ in Africa, and
> users can VPN to the network using the VPN client on their Windows XP
> laptop.
>
> I'd like to implement VLAN's on our network.
>
> We're going to upgrade to 6.3(4) to facilitate this.
>
> http://www.cisco.com/en/US/products/....html#wp159177
>
> However, quoting from the document;
>
> "When 506 and 506E are used as VPN hardware clients, logical interfaces
> on the 506/506E cannot be used to initiate a VPN tunnel."
>
> Does this mean that we would be unable to carry on with our PIX-PIX VPN
> to HQ, or is there a way around this?
>
> Many thanks in advance.



If you implement internal VLANs, do you have a way to route between each
VLAN if you need to? Can the PIX do this with static route statements?
It's my understanding the PIX cannot send traffic out an interface from
which it was received - but I have no experience w/ PIX VLAN/logical
interfaces so I don't know if this rule applies.
Just something to also consider.

If you are only using a 506e, do you have enough inside hosts to require
separate VLANs, or is this mainly a change mandated through policy?
 
 
Walter Roberson
 
      09-03-2006
In article <(E-Mail Removed)>,
john smith <(E-Mail Removed)> wrote:

>if you implement internal vlans, do you have a way to route between each
>vlan if you need to?


Yes.

> can the pix do this with static route statements?


It will automatically add the static route.


>its my understanding the pix cannot send traffic out an interface from
>which it was received - but i have no experience w/ pix vlan/logical
>interfaces so i dont know if this rule applies.


It does not apply in this case. It might be easier to think of the
rule as being the one that prohibits transmission between interfaces
of the same security level: an interface going to exactly the same
interface would be an attempt to go to the same security level, but
going from an interface to a vlan overlaying the interface would be
changing security levels.
 
 
AM
 
      09-04-2006
Walter Roberson wrote:

> It does not apply in this case. It might be easier to think of the
> rule as being the one the prohibits transmission between interfaces
> of the same security level: an interface going to exactly the same
> interface would be an attempt to go to the same security level, but
> going from an interface to a vlan overlaying the interface would be
> changing security levels.


I just think of the VLAN interfaces simply as interfaces, like the physical ones.
They are required to have a security level (different from any other security level
already configured), so traffic will be flowing among interfaces with different security levels.

Alex.
 