FWSM Deployment issue.

Answered Question

Hi,


Please see the attached network diagram...


We are looking at a management firewall (admin context) with multiple client firewalls. The management firewall will have a number of management servers that will need to access servers on the client firewalls.


Is this a supported configuration for the FWSM?


At the moment there seem to be routing issues as pings can go from one server to the other but the ping reply is never seen.


Thanks,



Chris




Correct Answer by Jon Marshall, Wed, 03/14/2007 - 02:28

Hi Chris


I'm not completely clear from the diagram on your setup, but it is a bit early in the morning and I haven't had my 5 cups of coffee yet :-)


In answer to your question though, yes this is a supported design for the FWSM. You can achieve this in one of 2 ways


1) configure access on each of the client firewalls to allow the management servers access. This means updating access-lists on all contexts if you change or add management servers.


2) Have a shared VLAN that all the contexts can access. This works, but you have to understand how the FWSM classifier works. On our FWSMs we share the outside VLAN but do not use any other shared VLANs. As I say, though, you can do this.


The FWSM config guide has a good explanation of how the classifier works


http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a00802c6418.html#wp1105332



HTH


Jon

s-andersson Mon, 04/16/2007 - 05:05

Hi


You can share the same network between two virtual firewalls, but you have to configure nat-control to deal with it. The simplest way to deal with this, though, is to split VLAN 101 and VLAN 16 with a router; if you have a Sup720 you can use a VRF, or you can use new hardware.


Best regards Stefan (sweden)
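As an added example (not configuration from either of the replies above, and not Chris's actual setup), here is a constructed FWSM 3.x multi-context configuration for Jon's option 2 combined with the per-context access-lists of his option 1: an admin context and one client context share VLAN 101, and each context carries an identity `static` (with `nat-control`, as Stefan notes) so the classifier can tell which context owns a destination address arriving on the shared VLAN. All VLAN numbers, context names and addresses are assumptions. The classifier point it illustrates: a packet arriving on a shared interface is assigned to a context by its destination IP address matched against that context's `static`/`global` entries; a reply to an address no context claims is discarded, which would produce exactly a "ping leaves, reply never seen" symptom, although whether that is the cause in Chris's network is an assumption.

```cisco
! ---- System execution space (constructed example, FWSM 3.x syntax) ----
! vlan101 is the shared VLAN; vlan10 and vlan20 are each context's inside.
interface vlan101
interface vlan10
interface vlan20
admin-context admin
context admin
  allocate-interface vlan101
  allocate-interface vlan10
  config-url disk:/admin.cfg
context client1
  allocate-interface vlan101
  allocate-interface vlan20
  config-url disk:/client1.cfg

! ---- admin.cfg: management servers on vlan10 (assumed 10.1.1.0/24) ----
hostname admin
nat-control
interface vlan101
  nameif shared
  security-level 0
  ip address 192.168.100.1 255.255.255.0
interface vlan10
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0
! Identity static: tells the classifier that packets for 10.1.1.0/24
! arriving on the shared VLAN belong to THIS context. Without it the
! echo-reply from 10.2.2.20 has no owning context and is dropped.
static (inside,shared) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
! Next hop for the client server network is the client context's
! own address on the shared VLAN.
route shared 10.2.2.0 255.255.255.0 192.168.100.2
! ICMP is not inspected here, so the reply must be permitted explicitly
! on the lower-security shared interface. Only the echo-reply is allowed in.
access-list shared_in extended permit icmp host 10.2.2.20 10.1.1.0 255.255.255.0 echo-reply
access-group shared_in in interface shared

! ---- client1.cfg: client servers on vlan20 (assumed 10.2.2.0/24) ----
hostname client1
nat-control
interface vlan101
  nameif shared
  security-level 0
  ip address 192.168.100.2 255.255.255.0
interface vlan20
  nameif inside
  security-level 100
  ip address 10.2.2.1 255.255.255.0
! Identity static: packets for 10.2.2.0/24 on the shared VLAN are
! classified into this context (the outbound half of the same ping).
static (inside,shared) 10.2.2.0 10.2.2.0 netmask 255.255.255.0
route shared 10.1.1.0 255.255.255.0 192.168.100.1
! Option 1 from the answer: per-context ACL naming the management
! server (assumed 10.1.1.10). Adding a management server means
! editing this line in every client context.
access-list shared_in extended permit icmp host 10.1.1.10 10.2.2.0 255.255.255.0 echo
access-group shared_in in interface shared
```

To see which half of the exchange is failing, ping from the management server and compare the hit counts of `show access-list shared_in` in each context: a hit in client1 but none in admin means the request was classified and delivered but the reply never reached the admin context, which is what a missing identity `static` in admin looks like.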
