ibhansen (Beginner)
17 May 2008 - 17:25 There are 2 comments

Trunk to Pix 515e

I have a small network with 5 different VLANs configured on a 3560; routing between the VLANs is done in the switch, and from the switch a trunk is configured to a Pix 515e. The idea was that several of the VLANs should have Internet access through the PIX, but it just doesn't work. I have pasted the two configuration files below and would be very grateful if someone would help.

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet1 vlan200 logical
interface ethernet1 vlan300 logical
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif vlan200 lan1 security99
nameif vlan300 lan2 security98
enable password xxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname pix
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_out permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside dhcp setroute
ip address inside 10.70.0.3 255.255.0.0
no ip address intf2
ip address lan1 10.71.0.3 255.255.0.0
ip address lan2 10.72.0.3 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.71.0.0 255.255.0.0 0 0
nat (lan1) 1 10.71.0.0 255.255.0.0 0 0
nat (lan2) 1 10.72.0.0 255.255.0.0 0 0
access-group acl_out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:3cab990bb64ef968f1a5ae72de9e4832
: end

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
enable secret 5 xxxxxxxxxxxxxx
!
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
aaa session-id common
system mtu routing 1500
vtp domain test
vtp mode transparent
ip subnet-zero
ip routing
!
!
mls qos
!
!
dot1x system-auth-control
dot1x guest-vlan supplicant
no file verify auto
!
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan 1,100,200,300,400,500,1002-1005
!
!
vlan access-map DHCP 20
 action forward
 match ip address DHCP
vlan access-map Print 30
 action forward
 match ip address Print
vlan filter DHCP vlan-list 400
vlan filter Print vlan-list 500
vlan internal allocation policy ascending
!
vlan 100
 name Server
!
vlan 200
 name lan1
!
vlan 300
 name lan2
!
vlan 400
 name Usikkert
!
vlan 500
 name Print
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport access vlan 500
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/17
 switchport access vlan 400
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x reauthentication
 dot1x guest-vlan 400
 dot1x auth-fail vlan 400
 spanning-tree portfast
!
interface FastEthernet0/47
 description Trunk til PIX
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,200,300,400
 switchport mode trunk
!
interface Vlan1
 no ip address
!
interface Vlan100
 ip address 10.70.0.1 255.255.0.0
!
interface Vlan200
 ip address 10.71.0.1 255.255.0.0
 ip helper-address 10.70.0.10
 ip helper-address 10.70.0.11
!
interface Vlan300
 ip address 10.72.0.1 255.255.0.0
 ip helper-address 10.70.0.10
 ip helper-address 10.70.0.11
!
interface Vlan400
 ip address 10.73.0.1 255.255.0.0
 ip helper-address 10.70.0.10
 ip helper-address 10.70.0.11
!
interface Vlan500
 ip address 10.74.0.1 255.255.0.0
 ip helper-address 10.70.0.10
 ip helper-address 10.70.0.11
!
ip classless
no ip route static inter-vrf
ip route 0.0.0.0 0.0.0.0 10.70.0.3
ip route 10.71.0.0 255.255.0.0 10.70.0.0
ip http server
!
ip access-list extended DHCP
 permit udp any any eq bootpc
 permit udp any any eq bootps
ip access-list extended Print
 permit ip any host 10.70.0.12
 permit ip host 10.70.0.12 any
!
radius-server host 10.70.0.13 auth-port 1812 acct-port 1646 key xxxxxxx
radius-server source-ports 1645-1646
!
control-plane
!
end
turboand (Beginner)
18 May 2008 - 01:08 #1
Since the switch already routes all your VLANs, why do you want a trunk between the PIX and the switch? You could get by with a single "transit" VLAN and just make it an access port.

You may of course have your reasons, but from your question I don't understand why.

AND
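The transit-VLAN layout turboand describes, written out as an added example that is not from the original thread. It assumes VLAN 100 stays the transit VLAN between the switch SVI 10.70.0.1 and the PIX inside address 10.70.0.3 from the posted configs, and that the vlan200/vlan300 logical interfaces (with their nameif, ip address and nat lines) are removed from the PIX so the PIX has one inside interface; the VLAN 400 and 500 subnets are taken from the switch SVIs.

```cisco
! --- 3560 side (added example): Fa0/47 becomes an access port in the transit VLAN
interface FastEthernet0/47
 description Transit to PIX
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! The default route already points at the PIX inside address
ip route 0.0.0.0 0.0.0.0 10.70.0.3

: --- PIX 6.3 side (added example): single inside interface on the transit VLAN
ip address inside 10.70.0.3 255.255.0.0
: Return routes for the switch-routed VLANs must point back at the switch SVI;
: without them the PIX would send replies for 10.71-10.74 out the default route.
route inside 10.71.0.0 255.255.0.0 10.70.0.1 1
route inside 10.72.0.0 255.255.0.0 10.70.0.1 1
route inside 10.73.0.0 255.255.0.0 10.70.0.1 1
route inside 10.74.0.0 255.255.0.0 10.70.0.1 1
: One NAT pool, one nat statement per subnet that is allowed out. The posted
: config only listed 10.71.0.0 on inside, so 10.70.0.0 was never translated.
global (outside) 1 interface
nat (inside) 1 10.70.0.0 255.255.0.0 0 0
nat (inside) 1 10.71.0.0 255.255.0.0 0 0
nat (inside) 1 10.72.0.0 255.255.0.0 0 0
```

Because the switch does the inter-VLAN routing, the PIX only sees packets arriving on the transit VLAN, so any per-VLAN policy (for example keeping VLAN 400 "Usikkert" off the Internet) is expressed by leaving that subnet out of the nat statements or by an ACL on the switch SVIs.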
ibhansen (Beginner)
18 May 2008 - 09:35 #2
I had just gotten the idea that this was how it was done; thanks for the help, I've got it working.