July 19th, 2006 13:00
Inter VLAN routing with 6024 and PIX
I have a PIX with 3 interfaces. eth1 has a physical address of 10.1.0.201 / 24 and a logical address of 10.3.0.201 / 24.
Then I have a Powerconnect 6024 setup for Inter VLAN routing between 10.1.0.0 and 10.3.0.0 networks. The 6024 has a route of 0.0.0.0 0.0.0.0 10.1.0.201. All devices use the 6024 as their Gateway (10.1.0.200 & 10.3.0.200).
With this setup I can properly route traffic between VLANs. I cannot get out to the Internet from the 10.3.0.0 network. After talking to Cisco, it seems that this is due to the 6024 sending all traffic with a destination other than the 10.1.0.0 or 10.3.0.0 to the 10.1.0.201 interface on the PIX. Therefore when the traffic comes back to the PIX, the PIX tries to route it to the 10.1.0.0 network instead of 10.3.0.0. Cisco recommended Policy Based Routing, but the 6024 does not support that.
I really do not want to use the PIX as a router...that is why I bought the 6024. Can anyone assist me with configuring this properly?
Your help is greatly appreciated.
-Keith
HaldoL
July 19th, 2006 17:00
To summarize. I removed the logical int on the PIX. Added: ip route 10.3.0.0 255.255.255.0 10.1.0.200 (ip of 6024). Now I can add access rules in the pix for the 10.3.0.0 network...and also added a PAT rule for outbound traffic from 10.3.0.0.
All my devices use the 6024 as their Default GW...it routes between VLANS. Only traffic outside the 10.1.0.0 and 10.3.0.0 is routed to the PIX.
Everything works great!!!
Thanks again.
jedforr
July 19th, 2006 17:00
Not using PIX as a router...PIX is a layer 3+ device and to use it properly, you are going to need it to do some layer 3 functionality. Plus, the PIX is a firewall -- use it as such.
I am assuming the PIX is on the perimeter with an external ip on the outside. PIX will have as its gateway the next hop address out to the internet (your ISP router, or ISP cable modem, etc.).
The simplest configuration would be to have the PIX have an internal ip of 10.1.0.201/24 on Eth1 and have an associated vlan on the 6024 with an ip on that network (10.1.0.200/24 for example).
Create a summary route on the PIX to account for all subnets connected to 6024 so that it knows where to send traffic to 10.1.0.200 or whatever is the ip of the 6024 connected to the PIX subnet.
Your default route on the 6024 looks ok.
To be honest...think about configuring your network differently and using more network design best practices. You will actually find that the config above is far more simple than the one you are trying to do.
Hope this helps.
Jed, CCNA, CCAI