inter vlan routing with pix 506e

Quick question
I have a pix 506e connected to a 2912xl switch. I have 2 vlans set up.
inside physical vlan 100
guest logical vlan 90

everything is working except intervlan routing. I want to be able to "talk" to vlan 90 from vlan 100. Valn 100 security is 100 and vlan 90 secuirty is 90.

What do I need for an access list and access group to be able to do this?

thanks

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

chmorin

What are you using to allow inter-vlan routing?

johnwest43

The pix itself. the cisco site says it can be done but you have to setup an access list.

chmorin

Is this what you have?

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/ps4336/product_data_sheet09186a0080091b13.pdf

Can you show me where you are getting your information from?

The most popular way to enable inter-vlan routing is using a router, with a method called router-on-a-stick.

From the overview of this manual, though the pix supports VLANs, it does not perform layer 3 routing.

You will need an actual router to enable inter-VLAN routing.

johnwest43

Here is one link that talks about it in a slighly differnet application but none the less it shows its possible the pix is a layer 3 device. pix email server dmz

chmorin

My point is you need a router to forward packets from one vlan to another. Perhaps I'm not understanding the issue. I'll eave it for someone else to help you, sorry.

Forsaken_GA

I vaguely recall being able to get this to work a few years ago, and I believe it was on a pix 515. If I remember right, I had to do some voodoo with internal static routes to get it playing nice.

Apologies I can't be more help, I moved away from hardware appliance firewalls years ago

johnwest43

I konw there is a way to do it, its just gonna take some trial and error. Hopefullly i can figure it out by the end of the week.

chmorin

johnwest43 wrote: »

I konw there is a way to do it, its just gonna take some trial and error. Hopefullly i can figure it out by the end of the week.

Let us know!

Bl8ckr0uter

johnwest43 wrote: »

I konw there is a way to do it, its just gonna take some trial and error. Hopefullly i can figure it out by the end of the week.

TO me it seems like all you would need to do is to make 2 static routes and it should work but I want to see what you come up with to make it work.

johnwest43

got it!!

global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

pretty simple!