6509 configuration with FWSM

Unanswered Question
Aug 28th, 2007

Hi all, I'm very new to configuring networking equipment (I've only been working with it for about 8 months) and I have been given a Cisco 6509 with the FWSM to configure. The problem is I can't get it to work properly and was wondering if there is anywhere I could get some sample configurations? I'm trying to set it up to sit on the edge of our network and use it as a firewall/router with the FWSM and the Sup720.

What I am trying to do is have the firewall sit between 2 VLANs, 10 (inside) and 113 (outside), and all traffic should pass through it.

I'm not expecting someone to do the configs and then post them, I just learn quicker by looking at something for an example and I've had zero luck with this for the past month, any help will be greatly appreciated.

Jon Marshall Tue, 08/28/2007 - 22:17

Hi

Which version of code are you running on the FWSM? To see this, run a "sh mod" on the 6500 switch.

Are you looking to use the FWSM in transparent or routed mode?

Jon

amadeusri Wed, 08/29/2007 - 13:52

FWSM Firewall Version 2.3(4)

FWSM Device Manager Version 4.1(3)

I want to use it in routed mode.

Jon Marshall Wed, 08/29/2007 - 23:23

Hi

Okay, I'll assume that the VLANs are already created on your 6500 switches at layer 2.

I'll also assume, as I didn't ask!, that you are running in single context mode.

Mainly my fault because I didn't ask for enough info, but it is unclear whether VLAN 10 is an isolated VLAN that only connects to the FWSM or whether this is a routed VLAN off the MSFC. Let's assume it is isolated at present.

1) First thing, do a "sh mod" and note down which slot the FWSM is in. Let's assume slot 7.

2) Allocate the VLANs to the FWSM, i.e.

firewall vlan-group 7 10,113

Note that the vlan-group number (7 in this case) must match your slot number from 1).

If you have two 6500 chassis with an FWSM in each for failover, you must do this on both switches as this config does not automatically replicate.

3) Connect to your FWSM - "sess slot 7 proc 1"

4) You now need to create your interfaces on the FWSM.

nameif vlan113 outside security0

nameif vlan10 inside security100

ip address outside 172.16.5.1 255.255.255.0

ip address inside 192.168.5.1 255.255.255.0

Note that this does not include the failover IP addresses. If you are running failover, let me know and we can modify.

This now gives you a very basic setup.

From here you can apply access-lists to the interfaces to restrict the flow of traffic.

One thing we need to clear up is VLAN 10. It is on the inside of your FWSM. Do you need to go through the firewall to the outside from any other VLAN than VLAN 10? If so, you will need to create a Layer 3 SVI on the MSFC for VLAN 10.

You also need to think about routing.

Attached is a link to the FWSM 2.3 configuration guide. Have a quick look, and together with the above config, please come back if you need more assistance or have further requirements.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/configuration/guide/fwsm_cfg.html

HTH

Jon

amadeusri Fri, 09/28/2007 - 20:20

First let me say thank you, you have helped me figure a couple things out. Now for the next problem...

I have VLAN 10 set up as an SVI since there will be routing between VLANs on the inside of the network. Right now I have a Cisco 3750 switch with a layer 3 interface set up for testing. I can ping this switch (192.168.113.10) from the Sup720 (10.1.0.11) through the firewall. I can also ping the firewall (10.1.0.10) from this switch. The problem is I can't ping from the switch to the Sup720.

I have the access lists on the firewall set to allow everything through, at least if I'm not mistaken.

The access lists are as follows:

access-list TEST extended permit ip any any

access-list TEST extended permit icmp any any

access-group TEST in interface inside

access-group TEST out interface inside

access-group TEST in interface outside

access-group TEST out interface outside

I wanted to open it wide up so I could make sure I had everything set up correctly before I start allowing access to specific ranges.

I also have "icmp permit any inside" and "icmp permit any outside" in the config for the firewall. It is my understanding that this should allow everything through, both ways, but I am getting stopped going in.

I do have default routes in also.

And just in case they're needed, IP addresses:

sup720 L3 vlan10 ip 10.1.0.11

inside interface ip 10.1.0.10

outside interface ip 192.168.113.8

3750 vlan 113 ip 192.168.113.10

Any ideas will help greatly, thank you in advance.
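The access-list and access-group lines posted above, run through a small model of FWSM routed-mode forwarding (an added example, not code from the thread): it parses the posted policy, chooses the egress interface by longest-prefix route lookup, applies the inbound ACL on the ingress interface and then the outbound ACL on the egress interface, and falls back to the security-level default when no ACL is bound. The routes are assumed from the posted addresses (the post only says default routes exist) and the security levels come from the earlier nameif lines. It confirms that the posted policy permits the 3750-to-Sup720 ping in both directions, so the cause has to be looked for elsewhere (for example routing on the 3750 or the MSFC).

```python
import ipaddress
# Access-lists and access-groups exactly as posted above.
ACL_CONFIG = [
    "access-list TEST extended permit ip any any",
    "access-list TEST extended permit icmp any any",
    "access-group TEST in interface inside",
    "access-group TEST out interface inside",
    "access-group TEST in interface outside",
    "access-group TEST out interface outside",
]
# Assumed routes: the two connected subnets from the posted addresses plus a default route out "outside".
ROUTES = [("inside", "10.1.0.0/24"), ("outside", "192.168.113.0/24"), ("outside", "0.0.0.0/0")]
SECURITY = {"inside": 100, "outside": 0}  # from "nameif ... security100" / "security0"

def _addr(tok, i):  # one ACL address spec: any | host A.B.C.D | NET MASK -> (network, next index)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok[i] + "/" + tok[i + 1], strict=False), i + 2

def parse(lines):  # -> ({acl: [(action, proto, src, dst)]}, {(iface, direction): acl})
    acls, groups = {}, {}
    for t in (line.split() for line in lines):
        if t[0] == "access-list":    # access-list NAME extended ACTION PROTO SRC DST
            src, i = _addr(t, 5)
            acls.setdefault(t[1], []).append((t[3], t[4], src, _addr(t, i)[0]))
        elif t[0] == "access-group":  # access-group NAME in|out interface IFACE
            groups[(t[4], t[2])] = t[1]
    return acls, groups

def acl_permits(entries, proto, src, dst):  # first match wins; implicit deny at the end
    hit = next((a for a, p, s, d in entries if p in ("ip", proto) and src in s and dst in d), None)
    return hit == "permit"

def egress_for(dst):  # longest-prefix match over ROUTES -> exit interface name
    hits = [(ipaddress.ip_network(n), ifc) for ifc, n in ROUTES if dst in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def check_flow(ingress, proto, src, dst, acl_config=ACL_CONFIG):
    """Return (egress interface, permitted?) for a packet arriving on `ingress`."""
    acls, groups = parse(acl_config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    egress = egress_for(dst)
    inbound, outbound = groups.get((ingress, "in")), groups.get((egress, "out"))
    ok = (acl_permits(acls[inbound], proto, src, dst) if inbound
          else SECURITY[ingress] > SECURITY[egress])  # no inbound ACL: higher-to-lower only
    return egress, ok and (not outbound or acl_permits(acls[outbound], proto, src, dst))
```

Passing a tighter, constructed list (for example `permit icmp host 192.168.113.10 10.1.0.0 255.255.255.0`) as `acl_config` shows how the implicit deny takes over once the wide-open TEST list is replaced.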

savijhero Wed, 03/26/2008 - 18:04

Jon,

I have a configuration close to this, except that I have two different WAN routers: one which all of the VLANs behind the FWSM will go out of, and the other which all of the VLANs attached to the MSFC (Sup720) are attached to. So I want two interfaces that will attach to the FWSM: one which will be the outside interface of the FWSM, and the other which would be an interface from the VLANs behind the MSFC and the FWSM. For a little more info, the VLANs behind the MSFC are desktops and everything behind the FWSM are servers in a datacenter.

Jon Marshall Thu, 03/27/2008 - 02:36

David

Would it be possible to post a quick topology diagram of what you want to achieve? How are you ensuring that firewalled traffic goes out through one WAN router and non-firewalled through the other? Are you looking to use PBR or do you want to achieve this with the FWSMs?

Jon

savijhero Thu, 03/27/2008 - 12:26

No problem,

I want the traffic from the server network to go through the Production WAN router, and I want the SUP to send all of the wiring closet traffic out to the ASA, which will route to the Corporate WAN router. I was thinking I would have a default route on the FWSM with the next hop being the Production WAN router's Ethernet interface. And on the 6509 Sup I would have a default route of the ASA inside interface. Let me know if my logic is wrong. If it is, I would probably use a route-map to parse the traffic based on an access-list.

Jon Marshall Thu, 03/27/2008 - 13:51

David

Nice diagram :-)

The L2 links going from the 2 x 6500 to the Internet/WAN core block. Could you just clarify one point?

All server traffic is to go through which of the 3 routers in your diagram?

And all wiring closet traffic is to go out of which router in your diagram?

If I read it right and the server router is the left-hand one and the wiring closet router is the middle one, then I'm not sure how you are going to do this. If the links are layer 2 but NOT L2 trunks, then the L3 termination on your 6500s is either the MSFC or the FWSM, it cannot be both.

So if it's the MSFC, then a default-route on the FWSM could not point to the production WAN router as the next hop would have to be the MSFC.

If it's the FWSM, then a default-route on the MSFC could not point to the Corporate WAN router as the next hop would have to be the FWSM.

Does this make sense?

It is also not clear how the addressing is working on your routers, are they both in the same subnet?

Could you clear up the points of confusion? Apologies if I have misunderstood.

Jon

savijhero Thu, 03/27/2008 - 14:07

Jon,

You are correct, the Production (Server WAN) router is on the left and the Corporate router is in the middle.

As for the addressing, the thought was that the outside of the FWSM, the MSFC and the production WAN router were in the same subnet.

Thanks for getting back to me.

PS: also in the diagram, the layer 2 and 3 part is a work in progress.

Jon Marshall Thu, 03/27/2008 - 14:26

David

That actually makes a lot more sense now.

Yes, you could have the FWSM outside interface, MSFC interface, production router and ASAs (presumably) in the same subnet.

If you use static routing on the FWSM and the MSFC, then you will obviously need a static route on your production router for the server VLAN pointing back to the FWSM outside interface, unless of course only server VLAN traffic comes and goes through that router, in which case your default-route on that router could point to the outside interface of the FWSM.

Could you explain why you want the links to be L2 trunks?

Jon

savijhero Thu, 03/27/2008 - 15:08

Actually, no, I can't, I was still working that part out. I was thinking that if I had, say, VLAN 300 which the FWSM and the Production WAN router were in, then I would just use the 6509 to switch the traffic. If you have another way to do it, please let me know :)

savijhero Mon, 04/07/2008 - 10:58

Jon,

I was using layer 2 links because I am not sending the FWSM (server) traffic through the ASA(s). I wanted the default route from the FWSM to be the production Internet router. Also I wanted the default route for the MSFC to be the inside interface of the ASA(s). Do you think that is correct?

thanks,

David

savijhero Thu, 03/27/2008 - 14:18

Also,

I wanted to run a trunk to the 3750 stack in my Internet block from my MSFC.
