FWSM With multi Context in transparent mode

Jul 28th, 2007

Hello guys,

Yesterday, I was configuring a FWSM located in slot 2 of a 6509, which was set up between a Catalyst 4507R switch and the C6509's MSFC for filtering packets!

The FWSM was deployed in multi-context transparent mode! The problem is that I can ping the FWSM management address from the 4507R and the 6509 MSFC, but when I ping from the 4507R to the 6509 MSFC, it doesn't reply!

When I look at the ARP table on the 4507R and the 6509 MSFC, I can see each other's entry! I have set the ACL "permit ip any any" in both directions for testing, but it still doesn't work! When I type the command "show ip ospf neighbor", the OSPF neighbor relationship between the 4507R and the 6509 MSFC is stuck in Exchange state!

Does anyone have any ideas? Help, please!


The following is the configuration:


Native IOS:

firewall multiple-vlan-interfaces
firewall module 2 vlan-group 1
firewall vlan-group 1 500-503
vlan 500
 name "Context Server Inside To 4507R"
vlan 501
 name "Context Server outside To 6509 MSFC"

interface gi 7/4
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 500,501



4507R:

vlan 500
 name "To 6509 FWSM"
interface vlan 500
 description "To 6509 FWSM"
 ip address 10.137.0.142 255.255.255.248

interface gi 5/17
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 500,501



FWSM:

mode multiple
firewall transparent
hostname XXXX
passwd cisco
enable password cisco
admin-context Server

context Server
 allocate-interface vlan500
 allocate-interface vlan501
 config-url disk:Server.cfg

context Internet
 allocate-interface vlan502
 allocate-interface vlan503
 config-url disk:Internet.cfg

changeto context Server
hostname Server
nameif vlan501 outside security0
nameif vlan500 inside security100
passwd cisco
enable password cisco
ip address 10.137.0.143 255.255.255.248
route outside 0 0 10.137.0.141
icmp permit any inside
icmp permit any outside
telnet 0 0 inside

access-list inside_in extended permit icmp any any
access-list inside_in extended permit 89 any any
access-list inside_in extended permit ip any any

access-list inside_in extended permit icmp any any
access-list outside_in extended permit 89 any any
access-list outside_in extended permit ip any any

access-group inside_in in interface inside
access-group outside_in in interface outside



Thanks!
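As an added example that is not part of the thread, a small Python audit over the Server context config posted above: it parses the access-list and access-group lines to report whether IP protocol 89 (OSPF) is permitted inbound on each interface, and checks that the management address is a usable host address under its mask rather than the subnet's network or broadcast address. The config text is embedded from the question; the function names are my own.

```python
import ipaddress
import re

# Sample input: the relevant lines of the Server context configuration exactly
# as posted in the question (including the repeated inside_in icmp line).
CONTEXT_CFG = """
ip address 10.137.0.143 255.255.255.248
route outside 0 0 10.137.0.141
access-list inside_in extended permit icmp any any
access-list inside_in extended permit 89 any any
access-list inside_in extended permit ip any any
access-list inside_in extended permit icmp any any
access-list outside_in extended permit 89 any any
access-list outside_in extended permit ip any any
access-group inside_in in interface inside
access-group outside_in in interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def parse_acls(cfg):
    """{acl_name: [(action, protocol), ...]} in configured order."""
    acls = {}
    for m in filter(None, (ACL_RE.match(l.strip()) for l in cfg.splitlines())):
        acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).lower()))
    return acls

def protocol_permitted(acls, acl_name, proto):
    """First matching entry wins, as on the FWSM; 'ip' matches any protocol."""
    for action, p in acls.get(acl_name, []):
        if p in (proto, "ip"):
            return action == "permit"
    return False  # implicit deny at the end of every access-list

def ospf_permitted_per_interface(cfg):
    """OSPF is IP protocol 89 and must be allowed inbound on both interfaces."""
    acls = parse_acls(cfg)
    groups = filter(None, (GROUP_RE.match(l.strip()) for l in cfg.splitlines()))
    return {g.group(2): protocol_permitted(acls, g.group(1), "89") for g in groups}

def mgmt_address_usable(cfg):
    """The management IP must be a host address of its subnet, not the network
    or broadcast address (10.137.0.143/29 is the broadcast of 10.137.0.136/29)."""
    m = re.search(r"^ip address (\S+) (\S+)", cfg, re.M)
    iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return iface.ip not in (iface.network.network_address,
                            iface.network.broadcast_address)
```

Run against the posted config, both interfaces report OSPF permitted, while the management address check fails because .143 with a /29 mask is the broadcast address of that subnet.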


pccw258103 Sun, 07/29/2007 - 08:34

Clear all configuration and set each context to run in transparent firewall mode (the default is routed firewall mode).

fwsm(config)# firewall transparent

The transparent firewall is a layer 2 firewall that does not participate with an IP address, except for the management IP address of the FWSM.

!CLI
!create the bridge group interface
fwsm(config)# interface bvi 1
!assign the interfaces to the bridge group
fwsm(config)# interface vlan 500
fwsm(config-if)# nameif inside
fwsm(config-if)# security-level 100
fwsm(config-if)# bridge-group 1
fwsm(config)# interface vlan 501
fwsm(config-if)# nameif outside
fwsm(config-if)# security-level 0
fwsm(config-if)# bridge-group 1
!assign the ip address (for management ONLY) to the bridge group interface
fwsm(config)# interface bvi 1
fwsm(config-if)# ip address 10.77.77.7 255.255.255.0 standby 10.77.77.17


Remember that no IP address is involved, so nothing such as NAT, DHCP relay, dynamic routing, etc.

wanglifeng Sun, 07/29/2007 - 17:35

Thanks pccw258103,

but my FWSM's software version is 2.3; does it support the command "bridge-group"?

Jon Marshall Mon, 07/30/2007 - 19:29

Hi


Can you send

1) output of "sh ip int br" from the 4507R and 6500.

2) output of "sh run int vlan 500" from the 4507R and "sh run int vlan 501" from the 6500.


Jon

wanglifeng Mon, 07/30/2007 - 20:57

Thank you jon.marshall,

Because the customer's network is a private one, I can't telnet to the devices right now! But I am sure both SVIs on the 4507R and 6500 are up, and the addresses are on the same subnet!

I can see the address of the SVI on the 6500 in the 4507R's ARP cache, and the address of the SVI on the 4507R in the 6509's ARP cache!

