Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
567
Views
0
Helpful
3
Replies

FWSM Deployment issue.

Go to solution
chris.duggan
Level 1
Level 1

‎03-13-2007 11:47 AM - edited ‎03-11-2019 02:45 AM

Hi,

Please see the attached network diagram...

We are looking at a management firewall (admin context) with multiple client firewalls. The management firewall will have a number of management servers that will need to access servers on the client firewalls.

Is this a supported configuration for the FWSM?

At the moment there seem to be routing issues as pings can go from one server to the other but the ping reply is never seen.

Thanks,

Chris

Labels:
Preview file
52 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-14-2007 02:28 AM

Hi Chris

I'm not completely clear from the diagram on your setup but it is a bit early in the morning and i haven't had my 5 cups of coffee yet :-)

In answer to your question though, yes this is a supported design for the FWSM. You can achieve this in one of 2 ways

1) configure access on each of the client firewalls to allow the management servers access. This means updating access-lists on all contexts if you change or add management servers.

2) Have a shared vlan that all the contexts can access. This works but you have to understand how the FWSM classifier works. On our FSWM's we share the outside vlan but do not use any other shared vlans. As i say tho, you can do this.

The FWSM config guide has a good explanation of how the classifier works

http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a00802c6418.html#wp1105332

HTH

Jon

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎03-14-2007 02:28 AM

Hi Chris

I'm not completely clear from the diagram on your setup but it is a bit early in the morning and i haven't had my 5 cups of coffee yet :-)

In answer to your question though, yes this is a supported design for the FWSM. You can achieve this in one of 2 ways

1) configure access on each of the client firewalls to allow the management servers access. This means updating access-lists on all contexts if you change or add management servers.

2) Have a shared vlan that all the contexts can access. This works but you have to understand how the FWSM classifier works. On our FSWM's we share the outside vlan but do not use any other shared vlans. As i say tho, you can do this.

The FWSM config guide has a good explanation of how the classifier works

http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a00802c6418.html#wp1105332

HTH

Jon

0 Helpful

Go to solution
chris.duggan
Level 1
Level 1
In response to Jon Marshall

‎03-28-2007 06:24 AM

Looks like the problem was nat-control needed to be configured. This has now resolved all the problems.

0 Helpful

Go to solution
s-andersson
Level 1
Level 1

‎04-16-2007 05:05 AM

Hi

You can share the same network between two virtual firewall but you have to configure nat-control to deal with it. But the simples way to deal with this is to split the vlan101 and vlan16 with a router, if you have sup720 you can use vrf or you can use a new hardware.

Best regards Stefan (sweden)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card