I have configured on switch 6509
firewall module 4 vlan-group 1
firewall vlan-group 1 2-100
description ### Outgoing ####
ip address 172.31.254.1 255.255.255.248
And below is the FWSM conf
FWSM# sh run
FWSM Version 3.1(3) <system>
resource acl-partition 12
enable password xxx
limit-resource All 0
limit-resource IPSec 5
limit-resource Mac-addresses 65535
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
limit-resource rate Conns 2000
limit-resource Conns 20000
limit-resource rate Conns 1000
limit-resource Conns 10000
limit-resource ASDM 3.0%
limit-resource rate Conns 500
limit-resource Conns 5000
ftp mode passive
pager lines 24
no asdm history enable
arp timeout 14400
console timeout 0
description This is the context for customer 1
description This is the context for customer 2
description This is the context for customer 3
prompt hostname context
But I am not able to put an IP address and nameif on my FWSM vlan interface. Kindly suggest where the issue is.
Can you just confirm that you have created vlan 100 as a layer 2 vlan on your 6500 switch? If you do a "sh ip int br" on the 6500, is the vlan 100 interface up/up?
Any vlan that is meant to be on the inside of the FWSM should not have an SVI (Layer 3 interface) on the switch.
If vlan 100 is the outside vlan this will have an SVI on the 6500 switch. If you then added an SVI for vlan 50 which is supposed to be the inside interface for one of your contexts, traffic would be routed around the FWSM from vlan 100 to vlan 50.
You are right to not enable firewall multiple-vlan-interfaces for this setup, although we have in our FWSM but for a different purpose.
Remember you need vlans 50,51,52,99 created at layer 2 on the switch but you do not want an SVI on the switch for these vlans. Their Layer 3 interface will be on the FWSM within their respective contexts.
Also note that with multiple context mode you will need static routes on your 6500 to get to the subnets behind the FWSM, e.g. from your config above, on the 6500:
ip route 172.29.254.64 255.255.255.240 172.29.254.2
Does this make sense?
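The SVI check from the reply above, as an added example that is not part of the original thread: it reads a 6500 running-config and lists firewall-group VLANs that also have a routed SVI on the switch, which is the condition that lets traffic be routed around the FWSM. The config text, the function names and the choice of VLAN 100 as the outside VLAN are assumptions constructed for illustration.

```python
import re

# Constructed sample of a 6500 running-config (not the poster's full config).
SAMPLE_CONFIG = """\
firewall module 4 vlan-group 1
firewall vlan-group 1 50-52,99,100
interface Vlan50
 ip address 10.50.0.1 255.255.255.0
!
interface Vlan51
 no ip address
!
interface Vlan100
 ip address 172.31.254.1 255.255.255.248
!
interface Vlan200
 ip address 10.200.0.1 255.255.255.0
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '50-52,99' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def firewall_vlans(config):
    """VLANs handed to the FWSM by 'firewall vlan-group <n> <list>' lines."""
    vlans = set()
    for m in re.finditer(r"^firewall vlan-group \d+ (\S+)", config, re.M):
        vlans |= expand_vlans(m.group(1))
    return vlans

def routed_svis(config):
    """VLAN ids whose 'interface VlanN' block carries an IP address."""
    svis, current = set(), None
    for line in config.splitlines():
        m = re.match(r"interface Vlan(\d+)", line)
        if m or not line.startswith(" "):
            current = int(m.group(1)) if m else None  # new block or block end
        elif current is not None and re.match(r" ip address \d", line):
            svis.add(current)  # 'no ip address' does not match
    return svis

def bypass_risks(config, outside_vlans):
    """Firewall VLANs, other than the outside ones, that the switch can route."""
    return sorted((firewall_vlans(config) & routed_svis(config)) - set(outside_vlans))

print(bypass_risks(SAMPLE_CONFIG, outside_vlans={100}))  # constructed sample
```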
Not sure what you mean about running config. When you use multiple contexts on the FWSM you have to change to each context to see the running config for that context. They are in effect separate firewalls.
In your original post your configuration was in system execution space, i.e. this is where you define your virtual firewalls, allocate vlans, set resources etc.
Once you have set up a context in system execution space you then have to change to the context to configure the firewall.
Not sure what you mean by map IOS vlan. Could you clarify?
Where are you trying to configure the nameif command?
You need to do this within the context. So choose the context you want to configure and from the enable prompt:
FWSM# change context context2
This should put you into context2 and from there you can configure the nameif, NAT, access-lists etc.