FWSM - DMZ VLAN

Jul 10th, 2007

I have just setup a 6513 with a firewall module running 2.3(4) software.

I have configured the Vlans and put them in the Firewall Vlan group.

I assigned the IPs on the firewall.

What I do not understand is this:

I have a DMZ that is VLAN 600

On the 6513 do I need to assign a default IP to this Vlan?

I have 10.15.32.2 at security 60 on the pix in Vlan 600

What steps do I need to take to make sure I have this setup correctly?

Mark

Jon Marshall Tue, 07/10/2007 - 09:05

Hi Mark

If this is a DMZ on the FWSM then all you want on the 6513 switch is a layer 2 vlan which you have already done and allocated to the FWSM and depending on how you are doing your routing you may need a static route on the 6513 for the DMZ subnet with the next hop being the outside interface of your FWSM.

What you don't want is a layer 3 SVI on your 6513 or traffic will route round the FWSM to get to the DMZ.

You would then need to redistribute that static route into your IGP that you use on your network.

If you are running your FWSM in single mode you can also run OSPF on it and allow it to dynamically advertise its DMZ subnets.

HTH

Jon

markkingery Tue, 07/10/2007 - 09:24

Correct it is a DMZ for the FWSM only.

Here is my basic config of the FWSM.

FWSM Version 2.3(4)
nameif Vlan30 inside security100
nameif Vlan700 outside security0
nameif Vlan600 server security60
ip address inside 10.55.0.17 255.255.255.0
ip address outside 156.47.55.8 255.255.255.0
ip address server 10.55.32.2 255.255.255.0
icmp permit any inside
icmp permit any server
pdm location F51-DMZ 255.255.255.255 server
no pdm history enable
arp timeout 14400
global (outside) 1 156.47.55.10
global (server) 1 10.55.32.3
route inside 10.0.0.0 255.0.0.0 10.55.1.1 1
route outside 0.0.0.0 0.0.0.0 156.47.55.1 1

What route would I need to put on the 6513 to allow the inside network to be able to route correctly, and then it is my understanding that I now have to allow the inside network to talk to the lower security?

Jon Marshall Tue, 07/10/2007 - 09:35

Mark

On a standalone ASA/PIX you don't need access-lists to go from a higher to a lower interface, but as you rightly point out, here with the FWSM you do.

As for routing, where are your clients in relation to the FWSM inside interface? If they are on the same subnet as the FWSM inside interface then you don't need a route.

If they are on different vlans then you would need on your 6513:

ip route 10.55.32.0 255.255.255.0 10.55.0.17

But this will only add it to the 6513. If all your clients are on the 6513 or the 6513 is responsible for all your intervlan routing then that will do it.

HTH

Jon

markkingery Tue, 07/10/2007 - 09:43

Ok, I have this configured. I am new to the FWSM and I appreciate your help.

My next question is: I want to ping a DMZ host from the inside network. I would love to see a simple config to allow me to do this.

Jon Marshall Tue, 07/10/2007 - 09:56

Mark

Inside network = 10.55.0.0 255.255.0.0
DMZ host = 10.55.32.10

access-list acl_inside permit icmp 10.55.0.0 255.255.0.0 host 10.55.32.10 echo
access-group acl_inside in interface inside
access-list acl_dmz permit icmp host 10.55.32.10 10.55.0.0 255.255.0.0 echo-reply
access-group acl_dmz in interface server
nat (inside) 1 10.55.0.0
global (server) 1 interface

HTH

Jon

markkingery Tue, 07/10/2007 - 10:06

Do I still need to apply the access list to an access group on this version?

Jon Marshall Tue, 07/10/2007 - 10:07

Mark

Yes, sorry about that, I did edit the previous post to add those lines into the config.

Jon
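The two points Jon makes above (the FWSM, unlike a standalone PIX/ASA, denies traffic from a higher- to a lower-security interface unless an access-list is bound with access-group) can be checked offline. The following script is an added example, not part of the thread or of any Cisco tool: it parses a small FWSM-style config (constructed from the lines Jon posted) and reports whether a given flow would be permitted, treating a missing access-group as a deny regardless of security level.

```python
import ipaddress

# Constructed sample: the nameif/access-list/access-group lines posted in the thread.
FWSM_CONFIG = """
nameif Vlan30 inside security100
nameif Vlan700 outside security0
nameif Vlan600 server security60
access-list acl_inside permit icmp 10.55.0.0 255.255.0.0 host 10.55.32.10 echo
access-group acl_inside in interface inside
access-list acl_dmz permit icmp host 10.55.32.10 10.55.0.0 255.255.0.0 echo-reply
access-group acl_dmz in interface server
"""

def _parse_addr(tokens):
    """Consume one address spec (any | host X | X MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_config(text):
    """Return ({acl_name: [(action, proto, src, dst, icmp_type)]}, {interface: acl_name})."""
    acls, bindings = {}, {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            action, proto = t[2], t[3]
            src, rest = _parse_addr(t[4:])
            dst, rest = _parse_addr(rest)
            icmp_type = rest[0] if rest else None   # e.g. echo / echo-reply
            acls.setdefault(t[1], []).append((action, proto, src, dst, icmp_type))
        elif t[0] == "access-group" and t[2] == "in":
            bindings[t[4]] = t[1]                   # "access-group NAME in interface IF"
    return acls, bindings

def check_flow(acls, bindings, ingress_if, src_ip, dst_ip, proto, icmp_type=None):
    """FWSM semantics: no inbound ACL on the ingress interface means deny, whatever the security level."""
    acl_name = bindings.get(ingress_if)
    if acl_name is None:
        return "deny (no access-group on interface)"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, s, d, it in acls.get(acl_name, []):
        if p in (proto, "ip") and src in s and dst in d and (it is None or it == icmp_type):
            return action                           # first matching entry wins
    return "deny (implicit)"

if __name__ == "__main__":
    a, b = parse_config(FWSM_CONFIG)
    print(check_flow(a, b, "inside", "10.55.0.50", "10.55.32.10", "icmp", "echo"))
```

NAT is deliberately ignored here; the check only answers whether the bound access-list would let the flow through.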

markkingery Tue, 07/10/2007 - 11:38

I got it working. Thanks for your help.

I need to find a good book on the FWSM.

markkingery Thu, 07/19/2007 - 11:51

My next question is what do I need to do on the DMZ interface to allow hosts to talk to each other in the DMZ?
