FWSM outside interface

Unanswered Question
Jul 11th, 2007

I'm trying to make two outside interfaces in the FWSM talk to each other and I can't seem to make it work. Any idea or sample configuration, please?

Jon Marshall Wed, 07/11/2007 - 23:12


What do you mean by talk to each other? Do you mean from interface to interface?

Are you running multiple contexts? Do the contexts share a VLAN on the outside interface?

Please elaborate on what you need.


dennisopiso Wed, 07/11/2007 - 23:27

Hi Jon, yes, the FWSM is running multiple contexts. In one of the contexts, I created multiple outside interfaces (e.g. VLAN 500 and VLAN 555).

I also attached a diagram to give a clearer view.


Jon Marshall Wed, 07/11/2007 - 23:31

Okay, so you have 2 interfaces on the outside within the same context. Are the client PCs in the same VLANs as their relevant outside interface?

Presumably you are trying to get connectivity between your PCs?

Could you send a copy of your FWSM config?


dennisopiso Wed, 07/11/2007 - 23:52

No, the client PCs are in different VLANs from their respective outside interfaces.

I don't have a working config yet for this setup, but here is my current config:

nameif vlan325 internet security0
nameif vlan555 fwtest security0
nameif vlan327 inside security100
access-list inside_access_in extended permit ip x.x.x.x [IP from inside] host y.y.y.y [PC1]
access-list internet_access_in extended permit ip host y.y.y.y [PC1] host x.x.x.x [IP from inside]
access-list fwtest_access_in extended permit ip any
ip address inside
ip address internet
ip address fwtest
icmp permit any inside
icmp permit any internet
icmp permit any fwtest
no pdm history enable
arp timeout 14400
global (inside) 1 interface
global (internet) 1 interface
global (fwtest) 3 interface
global (bdoextranetout) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
nat (internet) 1 access-list fwtest_nat0_outbound
nat (fwtest) 3 access-list bdoextranetin_pnat_outbound_V3

interface inside

interface internet

interface fwtest

Jon Marshall Wed, 07/11/2007 - 23:59


Okay, before we do anything else, can you add the following if it isn't already in your config:

same-security-traffic permit inter-interface

and let me know what happens.


dennisopiso Thu, 07/12/2007 - 00:03

Already added

same-security-traffic permit inter-interface

but still nothing happens.


Jon Marshall Thu, 07/12/2007 - 00:18

Just thought I'd check :)

You say the PCs are not on the same VLANs as the FWSM outside interfaces.

Do you have Layer 3 SVIs for each outside interface of your FWSM on your switch?

It would help if you could send the full config for this context plus the relevant firewall lines (firewall vlan-group etc.) from your switch, plus the output of a sh ip int br on your switch.
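The pieces Jon is asking about, pulled together into one constructed example that is not from this thread or from any poster's config: a single FWSM context with two security0 outside interfaces, the same-security-traffic line, per-interface ACLs applied with access-group, identity statics (the FWSM has nat-control enabled by default, so without a translation rule traffic between the two interfaces is dropped even though the ACL and same-security check pass), routes pointing at the switch SVIs for the PC VLANs, and the supervisor's firewall vlan-group lines. VLANs 500 and 555 are taken from the thread; every IP address, the interface names outsideA/outsideB, the PC addresses and the FWSM slot number (3) are assumptions, and the syntax is the FWSM 2.x style used in the posted config.

```cisco
! ===== Catalyst 6500 supervisor (assumed FWSM in slot 3) =====
! Hand both outside VLANs to the FWSM; without this the VLAN never reaches the module
firewall vlan-group 1 500,555
firewall module 3 vlan-group 1

! ===== FWSM context (2.x-style syntax as in the thread; addresses are constructed) =====
nameif vlan500 outsideA security0
nameif vlan555 outsideB security0
nameif vlan327 inside security100
ip address outsideA 10.50.0.1 255.255.255.0
ip address outsideB 10.55.0.1 255.255.255.0

! Both outside interfaces sit at security0. The FWSM drops traffic between
! equal-security interfaces unless this is present.
same-security-traffic permit inter-interface

! The PCs are NOT in VLAN 500/555; they are in VLANs routed by the switch SVIs,
! so the context needs a route to each PC subnet via the switch's SVI address
! on the matching outside VLAN (assumed: 10.50.0.2 on Vlan500, 10.55.0.2 on Vlan555).
route outsideA 192.0.2.0 255.255.255.0 10.50.0.2 1
route outsideB 198.51.100.0 255.255.255.0 10.55.0.2 1

! Least-privilege ACLs: only PC1 (192.0.2.10) <-> PC2 (198.51.100.10), not "permit ip any".
! An ACL does nothing until it is bound to the interface with access-group.
access-list outsideA_in extended permit ip host 192.0.2.10 host 198.51.100.10
access-group outsideA_in in interface outsideA
access-list outsideB_in extended permit ip host 198.51.100.10 host 192.0.2.10
access-group outsideB_in in interface outsideB

! nat-control is on by default on the FWSM: every interface pair needs a
! translation entry or the packet is dropped with a "no translation group" error.
! Identity statics keep the real addresses while satisfying that requirement.
static (outsideB,outsideA) 198.51.100.10 198.51.100.10 netmask 255.255.255.255
static (outsideA,outsideB) 192.0.2.10 192.0.2.10 netmask 255.255.255.255
```

To verify from the context: show route should list both PC subnets with the SVI next hops, show xlate should show the identity entries after the first packet, and show access-list should show hit counts climbing on outsideA_in and outsideB_in when PC1 pings PC2; if the counters stay at zero, the traffic is being routed on the switch before it ever reaches the module.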


