cfike

Sep 24, 2006
I've been trying to get an existing 2950 switch with 2 vlans (10 & 20) to talk with a PIX 506 firewall.

PIX s/w version 6.3(4)
Switch 12.1

The PIX has a static IP of 172.30.40.254.
The switch has a static IP of 172.30.40.15.

The switch has vlan10 - 172.30.40.0
vlan20 - 172.30.70.0

When I plug the PIX into the switch, I can see the interface on the switch come up, but I can't ping the PIX from anything connected to the switch.

If I plug directly into the PIX, I can ping the router & get on the internet.

I believe I need to configure sub interfaces on the PIX, but the commands are just different enough on the PIX to make it very trying.

Any help would be appreciated
 

fredweston

Jul 21, 2006
If you are going to be using subinterfaces on the PIX, then you need to make sure the port it is plugged into on the switch is set for trunking. Otherwise, the PIX won't be able to see all the VLAN info coming across. As for setting up the subinterfaces, you should be able to find out how to do it with a bit of Googling. If that doesn't work you could always call the TAC.
 

Zakkas

Apr 10, 2006
Hi there Cfike,

I poked around on Cisco's site for you and found this: Firewall version 6.3 configuration guide.

It looks like you have one of the first versions of IOS on the PIX that supported trunking. With 6.3 IOS though, I don't see a way to configure subinterfaces on the PIX. That link should be able to help you do what you want.

Heh, yeah, the PIX command set is completely different from a router's or switch's.

Let me know how it goes.

Thanks
 

gstrother1

Oct 12, 2006
The above poster talked about the trunk port not being configured. This was the first thing I thought about.
http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/29_35xu/scg/kivlan.htm#xtocid2442336

#conf t
(config)#int fa0/1 (or whatever port is plugged into the pix)
(config-if)#switchport mode trunk

You will probably need to configure sub-interface IPs (fa0/1.1 & fa0/1.2) and VLAN assignments if you haven't done so already,

and check your firewall rules on the PIX to make sure you're allowing connections from both internal networks.
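Both halves of what this post describes, the 2950 trunk port and the PIX 6.3 side that terminates VLANs 10 and 20, written out as an added example; this is not configuration from anyone in this thread. It assumes a PIX that supports 802.1Q VLANs in 6.3 (the 506E does; check the 6.3 configuration guide for the original 506), that the PIX hangs off Fa0/1 on the switch and ethernet1 on the PIX, that the PIX owns 172.30.40.254 and 172.30.70.254, and that the 172.30.70.0 side gets a lower security level; the interface names and security levels are assumptions.

```cisco
! --- 2950 switch: send VLANs 10 and 20 tagged towards the PIX (Fa0/1 assumed)
configure terminal
interface FastEthernet0/1
 description trunk to PIX 506 (assumed port)
 switchport mode trunk
 switchport trunk allowed vlan 10,20
end
write memory

! --- PIX 6.3: 802.1Q VLANs on the inside port (ethernet1 assumed)
configure terminal
interface ethernet1 auto
! VLAN 10 rides on the physical interface, VLAN 20 becomes a logical interface
interface ethernet1 vlan10 physical
interface ethernet1 vlan20 logical
nameif ethernet1 inside security100
! the logical VLAN interface gets its own name and a lower (assumed) security level
nameif vlan20 vlan20 security50
ip address inside 172.30.40.254 255.255.255.0
ip address vlan20 172.30.70.254 255.255.255.0
! Traffic between the two VLANs now crosses the firewall, so it needs both a
! translation and a rule. An identity static keeps the real addresses and covers
! inside->vlan20 as well as vlan20->inside; lower-to-higher security traffic is
! still denied until an access-list permits it.
static (inside,vlan20) 172.30.40.0 172.30.40.0 netmask 255.255.255.0
access-list vlan20-in permit ip 172.30.70.0 255.255.255.0 172.30.40.0 255.255.255.0
! once an access-group is bound to vlan20, anything else from that VLAN
! (for example Internet-bound traffic) must be permitted explicitly too
access-group vlan20-in in interface vlan20
write memory
```

On the PIX, "show interface" should then list the vlan20 logical interface as up, and "show xlate" will show the identity translations once hosts start talking across the VLANs.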
 

Zakkas

Apr 10, 2006
I think the biggest problem you'll have is getting the PIX to work the way you want it to. A PIX isn't a router and shouldn't be used as one because of how it handles packets.

If you can, try to find a Cisco router that you can configure the subinterfaces on and set up the VLANs accordingly. Unless you can download the new IOS image from Cisco for your PIX. I don't think subinterfaces are supported on pre-7.0 IOS.

Also, the "switchport mode trunk" command is used when you are stacking switches and have VLANs configured on multiple switches.