FWSM: Route between multiple security contexts

Answered Question
Feb 5th, 2007

Is it possible to route between multiple security contexts on a FWSM?

In a campus environment we would like to install a FWSM to secure vlans, replacing the SVIs on the MSFC. The vlans represent different departments with security requirements and are currently interfaces on the MSFC, with ACLs used for access.

In a test setup routing over the MSFC works fine, but routing back to another security context does not. How can we route between two (or more) security contexts?


Correct Answer
Jon Marshall Mon, 02/05/2007 - 07:15

Hi

Depends exactly what you mean. To move between contexts on the FWSM you would need to do one of 2 things

1) Have a shared vlan with servers that all contexts need to access. Probably not what you want.

2) You could share the outside vlan between contexts. Each outside interface from each context would be on the same subnet. You would have to have an MSFC SVI for this subnet. Then you route between contexts via the MSFC SVI. It is still secure because you can't bypass the outside interface of any of the contexts.

HTH

Jon

Correct Answer
rob.kennedy Mon, 02/05/2007 - 10:06

you can also set up dedicated VLANs for interconnecting contexts. For instance you can put an interface on each context on VLAN x and then route between them. You can also bypass the MSFC this way. Although if you are planning to do it with a lot of contexts a shared outside is probably the best approach.

To set up a shared VLAN just allocate the same vlan to both contexts -

context A
  allocate-interface Vlan999
context B
  allocate-interface Vlan999

Then give them an IP on the same subnet and an access-list on each context interface and put in your routes, and also no nat-control to get rid of those terrible static nat commands.

Correct Answer
varakantam Mon, 02/05/2007 - 10:28

Adding to what has been said above. You could use the VRF feature of the SUP-720 and put each virtual context in its own routing domain and route accordingly.

gtankink Tue, 02/06/2007 - 04:24

The problem with routing between the security contexts was caused by an incomplete configuration. Adding the nat 0 for the right hosts solved this. Everybody, thanks for the quick response and help.
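As an added worked example (this is not configuration posted by anyone in the thread), here is what the shared outside VLAN approach described in the answers above looks like end to end, in FWSM 3.x syntax: the supervisor hands the VLANs to the module, the system context allocates Vlan999 to both contexts, each context places its outside interface on that VLAN with an ACL and routes, and the MSFC SVI on Vlan999 routes between the contexts (Jon's option 2), with rob.kennedy's direct-route variant shown as a commented alternative. The context names, VLAN numbers, subnets, addresses, config-url paths and the module slot are all made-up assumptions.

```cisco
! === Catalyst 6500 supervisor (MSFC); FWSM assumed in slot 3 ===
! Hand the department VLANs and the shared VLAN 999 to the FWSM.
firewall vlan-group 1 10,20,999
firewall module 3 vlan-group 1
!
! The only SVI left on the MSFC is the shared VLAN; the department
! SVIs (Vlan10, Vlan20) are removed so every packet enters a context.
! With a single MSFC SVI on a firewall VLAN, no
! "firewall multiple-vlan-interfaces" is required.
interface Vlan999
 ip address 10.255.255.1 255.255.255.0
!
! Reach each department subnet via its own context's outside address.
ip route 10.10.0.0 255.255.0.0 10.255.255.11
ip route 10.20.0.0 255.255.0.0 10.255.255.12

! === FWSM system context ===
! Vlan999 is allocated to both contexts; Vlan10 / Vlan20 to one each.
context deptA
 allocate-interface Vlan10
 allocate-interface Vlan999
 config-url disk:/deptA.cfg
context deptB
 allocate-interface Vlan20
 allocate-interface Vlan999
 config-url disk:/deptB.cfg

! === Context deptA (deptB mirrors this with Vlan20 / 10.20.0.0/16) ===
interface Vlan999
 nameif outside
 security-level 0
 ip address 10.255.255.11 255.255.255.0
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.0.0
!
! With nat-control disabled, traffic passes without nat/static
! statements; the identity "nat (inside) 0 ..." the original poster
! added is the equivalent when nat-control stays enabled.
no nat-control
!
! The FWSM passes nothing without an ACL, in either direction, so scope
! both ACLs to the peer department's subnet and the needed service
! rather than "permit ip any any"; the shared VLAN is only as secure
! as these two lists.
access-list INSIDE_OUT extended permit tcp 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0 eq 443
access-group INSIDE_OUT in interface inside
access-list OUTSIDE_IN extended permit tcp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq 443
access-group OUTSIDE_IN in interface outside
!
! Option 2 from the thread: hairpin between contexts via the MSFC SVI.
route outside 0.0.0.0 0.0.0.0 10.255.255.1 1
!
! rob.kennedy's variant: point directly at deptB's outside address on
! the shared VLAN and bypass the MSFC for this pair of contexts.
! route outside 10.20.0.0 255.255.0.0 10.255.255.12 1
```

Both routing variants are symmetric for a deptA-to-deptB session, because in each case the traffic leaves and re-enters through the contexts' outside interfaces on Vlan999; the MSFC hop only adds a layer-3 step and, as Jon notes, cannot be used to bypass either context's outside ACL.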
