Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
273
Views
0
Helpful
2
Replies

2 FWSMs (FW,NAT) in C6509 chassis

oreggin80
Level 1
Level 1

‎05-08-2007 01:59 AM - edited ‎03-11-2019 03:10 AM

Hi,

We have 2 FWSMs [versions: FWSM1: 2.3(4) & FWSM2: 2.3(3)] in C6509 chassis [with IOS version 12.2(18)SXF4]

We have 10Gbps link towards ISP and we would like to use full bandwidth with the 2 FWSMs.

FWSM1 is the main firewall have one inside and one ISP interface and both interface have one IP address.

FWSM1 firewalled our network thus far but we run out of IP addresses :(

We have to use the FWSM2 to NAT [translate roughly 1500 IPs/clients] but we have only one IP address towards ISP.

Can we configure the 2 FWSMs side-by-side in C6509 chassis to provide 10Gbps, and stay one IP address towards ISP?

Or we should ask more IP from ISP?

ISP's gw IP (etc.): 10.0.0.213 metric 1 (default gw)

My theory is: http://www.mehok.uni-miskolc.hu/~oreggin/1c6509-2fwsm.txt

Should it work? If won't, how to configure the C6509 & FWSMs to works side-by-side?

Thanks,

Gin

Labels:
0 Helpful
2 Replies 2

joshua.walton
Level 1
Level 1

‎05-12-2007 04:59 PM

Configure the FWSM for either Active/Active or Active/Standby failover and on the primary, configure PAT since you only have one address.

nat (inside) 1 10.0.0.0 255.255.255.0

global (ISP) 1 10.0.0.212

..you can even use the IP address of the mapped interface

Please rate if you are satisfied.

Cheers!

0 Helpful

oreggin80
Level 1
Level 1
In response to joshua.walton

‎05-15-2007 02:35 AM

Hi,

I worry about the fact one PAT is not enough to Translate ~1500 hosts but I have some theories to solve this problem.

The first chart is to represent the state of our network today and the extract about the configuration:

http://www.mehok.uni-miskolc.hu/~oreggin/now.png

http://www.mehok.uni-miskolc.hu/~oreggin/now.txt

Well, i don't want to modify FWSM1 config extremely. I wouldn't like to shut down, or reboot the FWSM1 till it is unavoidable.

The NA-Translation is allowed to work only on FWSM2. I would like to present my theories:

The first one was tried with PAT, but we were run outs of ports.

http://www.mehok.uni-miskolc.hu/~oreggin/theory1.png

http://www.mehok.uni-miskolc.hu/~oreggin/theory1.txt

To the second variation we need a second IP if it would operate.

http://www.mehok.uni-miskolc.hu/~oreggin/theory2.png

http://www.mehok.uni-miskolc.hu/~oreggin/theory2.txt

The third one was also tried but it did't operate, perhaps because of the bad configs.

http://www.mehok.uni-miskolc.hu/~oreggin/theory3.png

http://www.mehok.uni-miskolc.hu/~oreggin/theory3.txt

What is your opinion about these versions? which config is the nearest to the right solution?

If these theories wouldn't work, can I combine these configs to reach my goal: a well-working system?

Or could you send me a working example-config to create a third variation.

Thx,

Gin

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card