07-28-2007 12:31 AM - edited 03-11-2019 03:50 AM
Hello guys,
Yesterday, I was configuring an FWSM located in the 6509's slot 2, which was set up between a Catalyst 4507R switch and the C6509's MSFC for filtering packets!
The FWSM was deployed in multi-context transparent mode! The problem is that I can ping the FWSM management address from the 4507R and the 6509 MSFC, but when I ping from the 4507R to the 6509 MSFC, it didn't reply!
When I look at the ARP table on the 4507R and the 6509 MSFC, I can see each other's entry! I have set the ACL "permit ip any any" in both directions for testing, but it still didn't work! When I type the command "show ip ospf neighbor", the OSPF neighbor relationship between the 4507R and the 6509 MSFC was stuck in Exchange mode!
Does someone have any ideas? Help, please!
The following is the configuration:
Native IOS:
firewall multiple-vlan-interfaces
firewall module 2 vlan-group 1
firewall vlan-group 1 500-503
vlan 500
name "Context Server Inside To 4507R"
vlan 501
name "Context Server outside To 6509 MSFC"
int gi 7/4
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 500,501
4507R:
vlan 500
name "To 6509 FWSM"
interface vlan 500
description "To 6509 FWSM"
ip address 10.137.0.142 255.255.255.248
int gi 5/17
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 500,501
FWSM:
mode multiple
firewall transparent
hostname XXXX
passwd cisco
enable password cisco
admin-context Server
context Server
allocate-interface vlan500
allocate-interface vlan501
config-url disk:Server.cfg
context Internet
allocate-interface vlan502
allocate-interface vlan503
config-url disk:Internet.cfg
changeto context Server
hostname Server
nameif vlan501 outside security0
nameif vlan500 inside security100
passwd cisco
enable password cisco
ip address 10.137.0.143 255.255.255.248
route outside 0 0 10.137.0.141
icmp permit any inside
icmp permit any outside
telnet 0 0 inside
access-list inside_in extended permit icmp any any
access-list inside_in extended permit 89 any any
access-list inside_in extended permit ip any any
access-list inside_in extended permit icmp any any
access-list outside_in extended permit 89 any any
access-list outside_in extended permit ip any any
access-group inside_in in interface inside
access-group outside_in in interface outside
Thanks!
07-29-2007 08:34 AM
Clear all configuration and set each context to run in transparent firewall mode (the default is routed firewall mode).
fwsm(config)# firewall transparent
The transparent firewall is a layer-2 firewall with no IP address participating, except the management IP address for the FWSM.
!CLI
!assign a bridge group interface
fwsm(config)# interface bvi 1
!assign interface to bridge group
fwsm(config)# interface vlan 500
fwsm(config-if)# nameif inside
fwsm(config-if)# security-level 100
fwsm(config-if)# bridge-group 1
fwsm(config-if)# interface vlan 501
fwsm(config-if)# nameif outside
fwsm(config-if)# security-level 0
fwsm(config-if)# bridge-group 1
!assign ip address for management ONLY
fwsm(config-if)# ip address 10.77.77.7 255.255.255.0 standby 10.77.77.17
Remember that no IP address is involved in things such as NAT, DHCP relay, dynamic routing, etc.
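As an added check (not from this thread or from Cisco), a small Python linter that parses the context config shown in the original post and applies the transparent-mode constraints this reply describes: exactly two interfaces, a management address that is a usable host address on the same subnet as its default gateway, and an ACL bound on each interface that permits OSPF (IP protocol 89). The sample text is the posted Server context; run as-is, the only finding it reports is that 10.137.0.143 with mask 255.255.255.248 is the broadcast address of 10.137.0.136/29.

```python
import ipaddress
# Constructed sample: the "Server" context as posted (inside=vlan500, outside=vlan501).
SERVER_CONTEXT = """\
nameif vlan501 outside security0
nameif vlan500 inside security100
ip address 10.137.0.143 255.255.255.248
route outside 0 0 10.137.0.141
access-list inside_in extended permit icmp any any
access-list inside_in extended permit 89 any any
access-list inside_in extended permit ip any any
access-list outside_in extended permit 89 any any
access-list outside_in extended permit ip any any
access-group inside_in in interface inside
access-group outside_in in interface outside
"""

def parse_context(text):
    """Pull the fields a transparent-mode sanity check needs out of a context config."""
    ctx = {"ifaces": {}, "acls": {}, "bound": {}, "mgmt": None, "gateway": None}
    for p in (line.split() for line in text.splitlines() if line.strip()):
        if p[0] == "nameif":              # nameif <vlan> <name> security<N>
            ctx["ifaces"][p[2]] = p[1]
        elif p[:2] == ["ip", "address"]:  # ip address <addr> <mask>
            ctx["mgmt"] = ipaddress.ip_interface(f"{p[2]}/{p[3]}")
        elif p[0] == "route":             # route <if> <net> <mask> <gateway>
            ctx["gateway"] = ipaddress.ip_address(p[4])
        elif p[0] == "access-list":       # access-list <name> extended permit <proto> ...
            ctx["acls"].setdefault(p[1], set()).add(p[4])
        elif p[0] == "access-group":      # access-group <acl> in interface <name>
            ctx["bound"][p[4]] = p[1]
    return ctx

def check_transparent_context(ctx):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if len(ctx["ifaces"]) != 2:
        findings.append(f"transparent context needs exactly 2 interfaces, has {len(ctx['ifaces'])}")
    mgmt, gw = ctx["mgmt"], ctx["gateway"]
    if mgmt is not None:
        net = mgmt.network
        if mgmt.ip in (net.network_address, net.broadcast_address):
            findings.append(f"management IP {mgmt.ip} is the network or broadcast address of {net}")
        if gw is not None and gw not in net:
            findings.append(f"gateway {gw} is outside management subnet {net}")
    # OSPF is IP protocol 89; 'ip' in an extended ACL matches every IP protocol.
    for name in ctx["ifaces"]:
        protos = ctx["acls"].get(ctx["bound"].get(name), set())
        if not protos & {"89", "ospf", "ip"}:
            findings.append(f"{name}: bound ACL does not permit OSPF (protocol 89)")
    return findings
```

Call `check_transparent_context(parse_context(text))` on a context config pasted from `show running-config`; each returned string is one constraint the config violates.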
07-29-2007 05:35 PM
Thanks pccw258103,
but my FWSM's software version is 2.3; does it support the command "bridge-group"?
07-30-2007 05:28 PM
Someone help please!
07-30-2007 07:29 PM
Hi
Can you send
1) output of "sh ip int br" from 4507R and 6500.
2) output of
"sh run int vlan 500" from 4507R
"sh run int vlan 501" from 6500
Jon
07-30-2007 08:57 PM
Thank you jon.marshall ,
Because the customer's network is a private one,
I can't telnet to the device right now! But I am sure both SVIs on the 4507R and 6500 are up, and the addresses are on the same subnet!
I could see the address of the SVI on the 6500 in the 4507R's ARP cache, and the address of the SVI on the 4507R in the 6509's ARP cache!