FWSM: Route between multiple security contexts

gtankink
Level 1

Is it possible to route between multiple security contexts on a FWSM?

In a campus environment we would like to install a FWSM to secure VLANs, replacing the SVIs on the MSFC. The VLANs represent different departments with different security requirements; they are currently interfaces on the MSFC, with ACLs used for access control.

In a test setup, routing over the MSFC works fine, but routing back to another security context does not. How can we route between two (or more) security contexts?

3 Accepted Solutions

Jon Marshall
Hall of Fame

Hi

Depends exactly what you mean. To move between contexts on the FWSM you would need to do one of two things:

1) Have a shared VLAN with servers that all contexts need to access. Probably not what you want.

2) You could share the outside VLAN between contexts. Each outside interface from each context would be on the same subnet. You would have to have an MSFC SVI for this subnet. Then you route between contexts via the MSFC SVI. It is still secure because you can't bypass the outside interface of any of the contexts.

HTH

Jon


rob.kennedy
Level 1

You can also set up dedicated VLANs for interconnecting contexts. For instance, you can put an interface on each context on VLAN x and then route between them. You can also bypass the MSFC this way. Although if you are planning to do it with a lot of contexts, a shared outside is probably the best approach.

To set up a shared VLAN just allocate the same VLAN to both contexts -

context A
  allocate-interface Vlan999
context B
  allocate-interface Vlan999

Then give them an IP on the same subnet and an access-list on each context interface and put in your routes, also no nat-control to get rid of those terrible static nat commands.

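A worked configuration of the shared-VLAN design from the two answers above (the shared outside VLAN with an MSFC SVI, plus direct context-to-context routes that bypass the MSFC). This is an added example, not the poster's or Cisco's configuration; it assumes FWSM 3.x interface syntax, and the context names, VLAN numbers and addresses are made up.

```cisco
! System context: hand the same VLAN to both contexts. Constructed example,
! not the poster's config; context names, VLAN numbers and addresses are assumed.
context DeptA
  allocate-interface Vlan10
  allocate-interface Vlan999
  config-url disk:/DeptA.cfg
context DeptB
  allocate-interface Vlan20
  allocate-interface Vlan999
  config-url disk:/DeptB.cfg
!
! Context DeptA: inside 10.1.10.0/24, shared outside 10.99.99.0/24
interface Vlan999
  nameif outside
  security-level 0
  ip address 10.99.99.11 255.255.255.0
interface Vlan10
  nameif inside
  security-level 100
  ip address 10.1.10.1 255.255.255.0
no nat-control
! FWSM denies everything without an ACL, in both directions; permit only the
! inter-department flow the policy allows (HTTPS here) and nothing else.
access-list OUTSIDE_IN extended permit tcp 10.1.20.0 255.255.255.0 10.1.10.0 255.255.255.0 eq 443
access-group OUTSIDE_IN in interface outside
access-list INSIDE_OUT extended permit tcp 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0 eq 443
access-group INSIDE_OUT in interface inside
! DeptB's subnet goes straight to DeptB's outside IP (bypasses the MSFC);
! everything else goes to the MSFC SVI.
route outside 10.1.20.0 255.255.255.0 10.99.99.12
route outside 0.0.0.0 0.0.0.0 10.99.99.1
!
! Context DeptB: mirror image of DeptA
interface Vlan999
  nameif outside
  security-level 0
  ip address 10.99.99.12 255.255.255.0
interface Vlan20
  nameif inside
  security-level 100
  ip address 10.1.20.1 255.255.255.0
no nat-control
access-list OUTSIDE_IN extended permit tcp 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0 eq 443
access-group OUTSIDE_IN in interface outside
access-list INSIDE_OUT extended permit tcp 10.1.20.0 255.255.255.0 10.1.10.0 255.255.255.0 eq 443
access-group INSIDE_OUT in interface inside
route outside 10.1.10.0 255.255.255.0 10.99.99.11
route outside 0.0.0.0 0.0.0.0 10.99.99.1
```

The MSFC SVI on Vlan999 (assumed 10.99.99.1) then needs static routes for 10.1.10.0/24 via 10.99.99.11 and 10.1.20.0/24 via 10.99.99.12, so the rest of the campus reaches each department only through that department's context.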

Adding to what has been said above: you could use the VRF feature of the SUP-720, put each virtual context in its own routing domain, and route accordingly.


4 Replies

gtankink
Level 1

The problem with routing between the security contexts was caused by an incomplete configuration. Adding the nat 0 for the right hosts solved this. Everybody, thanks for the quick response and help.
