
ACE and FWSM Deployment design

sathappan
Level 1

Hi,

I have a new deployment with FWSM in single context and ACE in multiple context. I actually need 3 contexts. What is the best mode of deployment of FWSM with ACE? I want to have the gateway of all real servers as the firewall.

Shall it be something like this: MSFC -> FWSM -> ACE -> real servers?

What mode should the FWSM be in?

With regards

sathappan.s


Jon Marshall
Hall of Fame

Hi

If you want to have the gateway of all the real servers as the FWSM then you should use the FWSM in routed mode and the ACE module in bridged mode.

You should look to match contexts if you can, depending on licenses/cost, i.e. one firewall context to one ACE module context.

HTH

Jon

Hi Jon,

Thanks for the information. What about transparent mode? Will it help me in any way?

With regards

sathappan.s

Hi,

I have a clarification. Why do we need to match FWSM context to ACE context?

Setup:

MSFC--Routed Mode--FWSM---Bridged Mode( multiple VLANs)---ACE (multiple context)

Let's say FWSM uses one context. ACE uses 3 contexts. FWSM to ACE in bridged mode. Is it not possible?

Hi

You don't need to match FWSM contexts to ACE contexts. You are quite right in what you say in that you could use one routed context on the FWSM and use different interfaces in that context for each ACE context.

It all depends on how you want to organise it. For example, it could be argued that having matching contexts allows for easier administration, having both the FW ruleset and the ACE rules "tied" to each other. Also, if you have separate depts. managing their firewalls/load balancers, contexts are the way to go.

As I said before, it often comes down to licenses/cost, but yes, it is possible to use only one FWSM context.

Jon

Hi Jon,

Thanks for your valuable response. We will test and update it here.

-rkumares

Hi

If you want the gateway to be on the firewall for the servers then you can't use transparent mode. If you do then your gateway would need to be either the MSFC or maybe the ACE module itself and insert the FWSM in transparent mode between the real servers and the gateway on the FWSM.

I haven't used it in that way, so if you are looking to go this way I would strongly suggest testing.

Jon

Hello Jon, are there any docs available that describe the setup of the FWSM in routed mode, and the ACE in bridged mode?

I found a few but they have not had the detail I was looking for.

Thank you.

Dmitry.

Did you guys find anything? I deployed this design: MSFC-FWSM (routed and gateway)--ACE (bridge)---HP enclosures with servers.

The problem I'm facing: I have to do client-based NAT on the bridge interface facing the servers, or else the traffic goes to the FWSM without being intercepted by ACE. I don't want to do any NAT.

Any ideas?
