VLANs on Cisco PIX 506e

Discussion in 'Cisco' started by dilan.weerasinghe@gmail.com, Sep 2, 2006.

  1. Guest

    Good morning

    We currently have a Cisco PIX 506e connected to a couple of managed
    3Com switches. We also have a PIX-PIX VPN to our HQ in Africa, and
    users can VPN to the network using the VPN client on their Windows XP
    laptop.

    I'd like to implement VLANs on our network.

    We're going to upgrade to 6.3(4) to facilitate this.

    http://www.cisco.com/en/US/products...od_release_note09186a008059fccf.html#wp159177

    However, quoting from the document;

    "When 506 and 506E are used as VPN hardware clients, logical interfaces
    on the 506/506E cannot be used to initiate a VPN tunnel."

    Does this mean that we would be unable to carry on with our PIX-PIX VPN
    to HQ, or is there a way around this?

    Many thanks in advance.
     
    , Sep 2, 2006
    #1

  2. In article <>,
    <> wrote:

    >We currently have a Cisco PIX 506e connected to a couple of managed
    >3Com switches. We also have a PIX-PIX VPN to our HQ in Africa, and
    >users can VPN to the network using the VPN client on their Windows XP
    >laptop.



    >I'd like to implement VLANs on our network.


    >We're going to upgrade to 6.3(4) to facilitate this.


    No, upgrade to 6.3(5)112 --
    http://www.cisco.com/en/US/products...oducts_security_response09186a00806824ec.html


    >However, quoting from the document;
    >"When 506 and 506E are used as VPN hardware clients, logical interfaces
    >on the 506/506E cannot be used to initiate a VPN tunnel."


    >Does this mean that we would be unable to carry on with our PIX-PIX VPN
    >to HQ, or is there a way around this?


    The line is saying that you would be able to start a VPN tunnel
    from an interface which is not a VLAN.

    Tunnels to remote locations are always connected to a lower security
    interface, usually the outside interface. If you were planning on
    configuring your switches so that the lower security interface was
    connected to the switch -only- through the tagged VLAN (e.g., you
    would not configure an IP address on ethernet0, only on
    the VLAN that you have overlaying ethernet0), then Don't Do That ;-)

    Configure an IP address on ethernet0 (the "outside" interface) and
    connect it to the 3COM switch. If that is the only broadcast domain
    (vlan) configured on that wire, then configure that port on the 3COM
    as an access port -- a non-tagged interface, which you can make a
    part of any necessary VLAN at the 3COM level. For inbound traffic,
    the 3COM would strip the VLAN tag off before sending it to the PIX
    outside interface and the PIX doesn't need to have any idea that
    further out in your infrastructure there is VLANing going on.

    If there are multiple broadcast domains (vlans) configured on the
    wire that connects the PIX outside interface to the 3COM, then
    configure that port on the 3COM as a trunk port, but take the
    VLAN number that is carrying the inbound internet traffic and
    configure that on the 3COM as the "native" VLAN for that trunk port.
    802.1Q -requires- that the VLAN tag be stripped off of the
    "native" VLAN for any port; this gets you back to the situation
    above, except allowing you to add one or more VLANs onto
    ethernet0 at the PIX level, and the tags for those would *not* be
    stripped off (because they wouldn't be the native vlan number for the
    trunk.)

    Keep in mind, by the way, that the PIX 506 and 506E only support
    2 VLANs in addition to the 2 physical interfaces.
     
    Walter Roberson, Sep 2, 2006
    #2

  3. Guest

    Walter Roberson wrote:
    > In article <>,
    > <> wrote:
    >
    > >We currently have a Cisco PIX 506e connected to a couple of managed
    > >3Com switches. We also have a PIX-PIX VPN to our HQ in Africa, and
    > >users can VPN to the network using the VPN client on their Windows XP
    > >laptop.

    >
    >
    > >I'd like to implement VLANs on our network.

    >
    > >We're going to upgrade to 6.3(4) to facilitate this.

    >
    > No, upgrade to 6.3(5)112 --
    > http://www.cisco.com/en/US/products...oducts_security_response09186a00806824ec.html
    >
    >
    > >However, quoting from the document;
    > >"When 506 and 506E are used as VPN hardware clients, logical interfaces
    > >on the 506/506E cannot be used to initiate a VPN tunnel."

    >
    > >Does this mean that we would be unable to carry on with our PIX-PIX VPN
    > >to HQ, or is there a way around this?

    >
    > The line is saying that you would be able to start a VPN tunnel
    > from an interface which is not a VLAN.


    I read it as meaning that I couldn't start a VPN tunnel on an interface
    that was on a VLAN? I know this is similar to what you're saying, but
    am I thinking along the right lines?

    >
    > Tunnels to remote locations are always connected to a lower security
    > interface, usually the outside interface. If you were planning on
    > configuring your switches so that the lower security interface was
    > connected to the switch -only- through the tagged VLAN (e.g., you
    > would not configure an IP address on ethernet0, only on
    > the VLAN that you have overlaying ethernet0), then Don't Do That ;-)
    >
    > Configure an IP address on ethernet0 (the "outside" interface) and
    > connect it to the 3COM switch. If that is the only broadcast domain
    > (vlan) configured on that wire, then configure that port on the 3COM
    > as an access port -- a non-tagged interface, which you can make a
    > part of any necessary VLAN at the 3COM level. For inbound traffic,
    > the 3COM would strip the VLAN tag off before sending it to the PIX
    > outside interface and the PIX doesn't need to have any idea that
    > further out in your infrastructure there is VLANing going on.
    >
    > If there are multiple broadcast domains (vlans) configured on the
    > wire that connects the PIX outside interface to the 3COM, then
    > configure that port on the 3COM as a trunk port, but take the
    > VLAN number that is carrying the inbound internet traffic and
    > configure that on the 3COM as the "native" VLAN for that trunk port.
    > 802.1Q -requires- that the VLAN tag be stripped off of the
    > "native" VLAN for any port; this gets you back to the situation
    > above, except allowing you to add one or more VLANs onto
    > ethernet0 at the PIX level, and the tags for those would *not* be
    > stripped off (because they wouldn't be the native vlan number for the
    > trunk.)
    >
    > Keep in mind, by the way, that the PIX 506 and 506E only support
    > 2 VLANs in addition to the 2 physical interfaces.


    I'm hoping to set up 2 VLANs on the inside (i.e. LAN) interface of the
    PIX. One VLAN will be for the general network and one VLAN for our
    wireless network. Seeing as I'm setting up the VLANs on the inside
    interface (VPN tunnels are configured for the outside interface), I'm
    assuming that this will be ok in relation to our VPN tunnel to Africa
    and the Cisco quote does not apply here?

    Thanks,
    Dilan
     
    , Sep 2, 2006
    #3
  4. In article <>,
    <> wrote:
    >I'm hoping to set up 2 VLANs on the inside (i.e. LAN) interface of the
    >PIX. One VLAN will be for the general network and one VLAN for our
    >wireless network. Seeing as I'm setting up the VLANs on the inside
    >interface (VPN tunnels are configured for the outside interface), I'm
    >assuming that this will be ok in relation to our VPN tunnel to Africa
    >and the Cisco quote does not apply here?


    Correct.

    The effect is this:

    Any cryptomap policy you attach to a vlanXXX interface must not have
    a 'set peer' statement. But you could attach a cryptomap
    policy with a 'set peer' to the underlying ethernet interface
     
    Walter Roberson, Sep 2, 2006
    #4
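    A PIX 6.3 configuration sketch of the layout Dilan describes (two inside VLANs, one for wireless) and of Walter's points in #2 and #4 (physical interface as the untagged/native side, logical VLAN interfaces tagged, the PIX-to-PIX crypto map bound to the physical outside interface), added here as an example and not taken from the thread. The addresses, interface names, ACL contents and the crypto map name are assumptions; the existing tunnel and VPN-client configuration are left out.

    ```text
    : Added example, not from the thread. Addresses, names and "hqmap" are placeholders.
    : ethernet0 stays the physical "outside" interface. The site-to-site crypto map
    : (the one with 'set peer') is attached to it, never to a vlanNN interface.
    interface ethernet0 auto
    nameif ethernet0 outside security0
    ip address outside 203.0.113.2 255.255.255.252
    : ethernet1 is the physical "inside" interface. Untagged frames, i.e. the
    : 3Com trunk's native VLAN, land here; the PIX sees no tag for this VLAN.
    interface ethernet1 100full
    nameif ethernet1 inside security100
    ip address inside 192.168.1.1 255.255.255.0
    : vlan10 is a logical interface overlaying ethernet1. The 3Com sends it tagged
    : (it is not the trunk's native VLAN). It needs its own, distinct security level,
    : which is what makes inside<->wireless traffic a change of security level.
    interface ethernet1 vlan10 logical
    nameif vlan10 wireless security50
    ip address wireless 192.168.10.1 255.255.255.0
    : wireless (50) -> inside (100) is lower-to-higher, so it needs a translation
    : plus an inbound ACL; keep the ACL limited to what wireless users require.
    static (inside,wireless) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 0 0
    access-list wireless_in permit tcp 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
    access-list wireless_in permit udp 192.168.10.0 255.255.255.0 host 192.168.1.10 eq 53
    access-group wireless_in in interface wireless
    : both inside and wireless reach the Internet through PAT on the outside address
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0 0 0
    nat (wireless) 1 192.168.10.0 255.255.255.0 0 0
    : the existing PIX-PIX tunnel to HQ remains bound to the physical outside interface
    crypto map hqmap interface outside
    ```

    On the 3Com side the port facing ethernet1 would be a trunk whose native VLAN is the "inside" VLAN and which carries VLAN 10 tagged, matching Walter's description in #2.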
  5. john smith Guest

    On Sat, 02 Sep 2006 02:47:48 -0700, dilan.weerasinghe wrote:

    > Good morning
    >
    > We currently have a Cisco PIX 506e connected to a couple of managed
    > 3Com switches. We also have a PIX-PIX VPN to our HQ in Africa, and
    > users can VPN to the network using the VPN client on their Windows XP
    > laptop.
    >
    > I'd like to implement VLANs on our network.
    >
    > We're going to upgrade to 6.3(4) to facilitate this.
    >
    > http://www.cisco.com/en/US/products...od_release_note09186a008059fccf.html#wp159177
    >
    > However, quoting from the document;
    >
    > "When 506 and 506E are used as VPN hardware clients, logical interfaces
    > on the 506/506E cannot be used to initiate a VPN tunnel."
    >
    > Does this mean that we would be unable to carry on with our PIX-PIX VPN
    > to HQ, or is there a way around this?
    >
    > Many thanks in advance.



    If you implement internal VLANs, do you have a way to route between each
    VLAN if you need to? Can the PIX do this with static route statements?
    It's my understanding the PIX cannot send traffic out an interface from
    which it was received, but I have no experience with PIX VLAN/logical
    interfaces so I don't know if this rule applies.
    Just something to also consider.

    If you are only using a 506e, do you have enough inside hosts to require
    separate VLANs, or is this mainly a change mandated through policy?
     
    john smith, Sep 3, 2006
    #5
  6. In article <>,
    john smith <> wrote:

    >If you implement internal VLANs, do you have a way to route between each
    >VLAN if you need to?


    Yes.

    > Can the PIX do this with static route statements?


    It will automatically add the static route.


    >It's my understanding the PIX cannot send traffic out an interface from
    >which it was received, but I have no experience with PIX VLAN/logical
    >interfaces so I don't know if this rule applies.


    It does not apply in this case. It might be easier to think of the
    rule as being the one that prohibits transmission between interfaces
    of the same security level: an interface going to exactly the same
    interface would be an attempt to go to the same security level, but
    going from an interface to a vlan overlaying the interface would be
    changing security levels.
     
    Walter Roberson, Sep 3, 2006
    #6
  7. AM Guest

    Walter Roberson wrote:

    > It does not apply in this case. It might be easier to think of the
    > rule as being the one that prohibits transmission between interfaces
    > of the same security level: an interface going to exactly the same
    > interface would be an attempt to go to the same security level, but
    > going from an interface to a vlan overlaying the interface would be
    > changing security levels.


    I just think of the VLAN interfaces simply as interfaces, like the physical ones.
    They are required to have a security level (different from any other security
    level already configured), so traffic will be flowing among interfaces with
    different security levels.

    Alex.
     
    AM, Sep 4, 2006
    #7
