07-10-2007 08:44 AM - edited 03-11-2019 03:42 AM
I have just set up a 6513 with a firewall module running 2.3(4) software.
I have configured the Vlans and put them in the Firewall Vlan group.
I assigned the IPs on the firewall.
What I do not understand is this:
I have a DMZ that is VLAN 600
On the 6513 do I need to assign a default IP to this Vlan?
I have 10.15.32.2 at security 60 on the pix in Vlan 600
What steps do I need to take to make sure I have this setup correctly?
Mark
07-10-2007 09:05 AM
Hi Mark
If this is a DMZ on the FWSM then all you want on the 6513 switch is a layer 2 VLAN, which you have already done and allocated to the FWSM. Depending on how you are doing your routing, you may need a static route on the 6513 for the DMZ subnet with the next hop being the outside interface of your FWSM.
What you don't want is a layer 3 SVI on your 6513 or traffic will route round the FWSM to get to the DMZ.
You would then need to redistribute that static route into your IGP that you use on your network.
If you are running your FWSM in single mode you can also run OSPF on it and allow it to dynamically advertise its DMZ subnets.
HTH
Jon
07-10-2007 09:24 AM
Correct, it is a DMZ for the FWSM only.
Here is my basic config of the FWSM.
FWSM Version 2.3(4)
nameif Vlan30 inside security100
nameif Vlan700 outside security0
nameif Vlan600 server security60
ip address inside 10.55.0.17 255.255.255.0
ip address outside 156.47.55.8 255.255.255.0
ip address server 10.55.32.2 255.255.255.0
icmp permit any inside
icmp permit any server
pdm location F51-DMZ 255.255.255.255 server
no pdm history enable
arp timeout 14400
global (outside) 1 156.47.55.10
global (server) 1 10.55.32.3
route inside 10.0.0.0 255.0.0.0 10.55.1.1 1
route outside 0.0.0.0 0.0.0.0 156.47.55.1 1
What route would I need to put on the 6513 to allow the inside network to route correctly? And it is my understanding that I now have to allow the inside network to talk to the lower security?
07-10-2007 09:35 AM
Mark
On a standalone ASA/PIX you don't need access-lists to go from a higher to a lower interface, but, as you rightly point out, you do here with the FWSM.
As for routing, where are your clients in relation to the FWSM inside interface? If they are on the same subnet as the FWSM inside interface then you don't need a route.
If they are on different VLANs then you would need on your 6513:
ip route 10.55.32.0 255.255.255.0 10.55.0.17
But this will only add it to the 6513. If all your clients are on the 6513 or the 6513 is responsible for all your intervlan routing then that will do it.
HTH
Jon
07-10-2007 09:43 AM
OK, I have this configured. I am new to the FWSM and I appreciate your help.
My next question is that I want to ping a DMZ host from the inside network. I would love to see a simple config to allow me to do this.
07-10-2007 09:56 AM
Mark
Inside network = 10.55.0.0 255.255.0.0
DMZ host = 10.55.32.10
access-list acl_inside permit icmp 10.55.0.0 255.255.0.0 host 10.55.32.10 echo
access-group acl_inside in interface inside
access-list acl_dmz permit icmp host 10.55.32.10 10.55.0.0 255.255.0.0 echo-reply
access-group acl_dmz in interface server
nat (inside) 1 10.55.0.0
global (server) 1 interface
HTH
Jon
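Jon's point that the FWSM, unlike a standalone PIX/ASA, denies even higher-to-lower security traffic until an inbound ACL is bound can be checked mechanically. The script below is an added example, not part of the thread or of any Cisco tool; it parses a constructed config made from Mark's posted lines plus Jon's ACLs (with the DMZ access-group deliberately left off) and reports interfaces with no inbound ACL, access-groups that reference an undefined ACL, and static routes whose next hop is off the interface's subnet.

```python
"""Audit a PIX 6.x / FWSM 2.x style config for the gaps discussed above."""
import ipaddress

# Constructed sample built from the thread's config; the 'server' (DMZ)
# access-group is intentionally missing so the audit has something to find.
SAMPLE_CONFIG = """
nameif Vlan30 inside security100
nameif Vlan700 outside security0
nameif Vlan600 server security60
ip address inside 10.55.0.17 255.255.255.0
ip address outside 156.47.55.8 255.255.255.0
ip address server 10.55.32.2 255.255.255.0
access-list acl_inside permit icmp 10.55.0.0 255.255.0.0 host 10.55.32.10 echo
access-group acl_inside in interface inside
access-list acl_dmz permit icmp host 10.55.32.10 10.55.0.0 255.255.0.0 echo-reply
route inside 10.0.0.0 255.0.0.0 10.55.1.1 1
route outside 0.0.0.0 0.0.0.0 156.47.55.1 1
"""

def audit(config):
    ifaces = {}   # interface name -> security level
    addrs = {}    # interface name -> IPv4Interface (address + mask)
    acls = set()  # access-list names that are defined
    bound = {}    # interface name -> ACL bound inbound via access-group
    routes = []   # (interface, next hop) for each static route
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "nameif":  # nameif <vlan> <name> security<N>
            ifaces[tok[2]] = int(tok[3].replace("security", ""))
        elif tok[:2] == ["ip", "address"]:
            addrs[tok[2]] = ipaddress.ip_interface(f"{tok[3]}/{tok[4]}")
        elif tok[0] == "access-list":
            acls.add(tok[1])
        elif tok[0] == "access-group" and tok[2:4] == ["in", "interface"]:
            bound[tok[4]] = tok[1]
        elif tok[0] == "route":
            routes.append((tok[1], ipaddress.ip_address(tok[4])))
    findings = []
    for name, level in ifaces.items():
        if name not in bound:  # FWSM: no inbound ACL means no traffic at all
            findings.append(f"{name} (security{level}): no inbound ACL, traffic denied")
    for iface, acl in bound.items():
        if acl not in acls:
            findings.append(f"{iface}: access-group references undefined ACL {acl}")
    for iface, gw in routes:
        if iface in addrs and gw not in addrs[iface].network:
            findings.append(f"route via {gw} is off the {iface} subnet {addrs[iface].network}")
    return findings
```

Run `audit(SAMPLE_CONFIG)` and it flags the outside and server interfaces for lacking an inbound ACL and the inside static route, whose next hop 10.55.1.1 is not on the 10.55.0.0/24 inside subnet.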
07-10-2007 10:06 AM
Do I still need to apply the access list to an access group on this version?
07-10-2007 10:07 AM
Mark
Yes, sorry about that, I did edit the previous post to add those lines into the config.
Jon
07-10-2007 11:38 AM
I got it working. Thanks for your help.
I need to find a good book on the FWSM.
07-10-2007 10:36 PM
Mark
Glad you got it sorted.
As for a book: to be honest, I recommend you save the money and download the relevant configuration guide from the Cisco web site.
Here is the one for FWSM 2.3.
http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/configuration/guide/fwsm_cfg.html
HTH
Jon
07-19-2007 11:51 AM
My next question is what do I need to do on the DMZ interface to allow hosts to talk to each other in the DMZ?
07-19-2007 12:31 PM
I got it fixed; it was a load balance issue.