Issue with FWSM configuration

sanjoy2006
Level 1

I have configured this on the 6509 switch:

firewall module 4 vlan-group 1
firewall vlan-group 1 2-100
interface Vlan100
 description ### Outgoing ####
 ip address 172.31.254.1 255.255.255.248

And below are FWSM conf

FWSM# sh run
: Saved
:
FWSM Version 3.1(3) <system>
!
resource acl-partition 12
hostname FWSM
enable password xxx
!
interface Vlan50
!
interface Vlan51
!
interface Vlan52
!
interface Vlan100
!
passwd xxx
class default
 limit-resource All 0
 limit-resource IPSec 5
 limit-resource Mac-addresses 65535
 limit-resource ASDM 5
 limit-resource SSH 5
 limit-resource Telnet 5
!
class gold
 limit-resource rate Conns 2000
 limit-resource Conns 20000
!
class silver
 limit-resource rate Conns 1000
 limit-resource Conns 10000
 limit-resource ASDM 3.0%
!
class bronze
 limit-resource rate Conns 500
 limit-resource Conns 5000
!
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0
admin-context admin
context admin
 member default
 allocate-interface Vlan100
 allocate-interface Vlan50
 allocate-interface Vlan51
 allocate-interface Vlan52
 config-url disk:/admin.cfg
!
context customer1
 description This is the context for customer 1
 member gold
 allocate-interface Vlan100
 allocate-interface Vlan50
 config-url disk:/context1.cfg
!
context customer2
 description This is the context for customer 2
 allocate-interface Vlan100
 allocate-interface Vlan51
 config-url disk:/context2.cfg
!
context customer3
 description This is the context for customer 3
 allocate-interface Vlan100
 allocate-interface Vlan52
 config-url disk:/context3.cfg
!
prompt hostname context
Cryptochecksum:xxx
: end
FWSM#

But I am not able to put an ip address and nameif on my FWSM vlan interface. Kindly suggest where the issue is.


12 Replies

Jon Marshall
Hall of Fame

Hi

Where are you trying to configure the nameif command?

You need to do this within the context. So choose the context you want to configure and, from the enable prompt:

FWSM# changeto context context2

This should put you into context2 and from there you can configure the nameif, NAT, access-lists etc.

HTH

Jon

Thanks Jon,

Now I am able to enter each context and get to the ip configuration command, but it is not showing in the main running config.

Can you send me any template to use for multiple mode configuration, and how to map it with my IOS vlan?

Rgd

Sanjoy

Hi Sanjoy

Not sure what you mean about running config. When you use multiple contexts on the FWSM you have to change to each context to see the running config for that context. They are in effect separate firewalls.

In your original post your configuration was in the system execution space, i.e. this is where you define your virtual firewalls, allocate vlans, set resources etc.

Once you have set up a context in the system execution space you then have to change to the context to configure the firewall.

Not sure what you mean by map IOS vlan. Could you clarify?

HTH

Jon

Hi Jon,

Suppose in the main switch configuration (IOS) there is vlan 100, which is my outgoing traffic vlan.

Now I have configured 3 contexts; 50, 51, 52, 99 are my inside vlans and 100 is my common outside vlan.

Now in IOS, when only vlan 100 is enabled there is no issue, but when we generate vlan 50 or 51 an error comes:

DC_Core_Switch_2(config-if)#no sh
Forcing SVI 50 to stay shutdown (SVI 100 tied to line card in slot 4.)
DC_Core_Switch_2(config-if)#

I haven't configured "firewall multiple-vlan-interfaces".

I have configured:

firewall module 4 vlan-group 1
firewall vlan-group 1 50-100

FWSM# changeto conte
FWSM# changeto context admin
FWSM/admin#
FWSM/admin# sh run
: Saved
:
FWSM Version 3.1(3)
!
hostname FWSM
domain-name show
enable password xxx
names
!
interface Vlan100
 nameif outside
 security-level 0
 ip address 172.29.254.2 255.255.255.248
!
interface Vlan99
 nameif inside
 security-level 100
 ip address 172.29.254.66 255.255.255.240
!
passwd xxx
pager lines 24
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
nat-control
route outside 0.0.0.0 0.0.0.0 172.29.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:xxx
: end
FWSM/admin#

But I am not clear how to map the main vlan which I configured in the switch to the one on my FWSM.

Rgd

Sanjoy

Sanjoy

Any vlan that is meant to be on the inside of the FWSM should not have an SVI (Layer 3 interface) on the switch.

If vlan 100 is the outside vlan this will have an SVI on the 6500 switch. If you then added an SVI for vlan 50 which is supposed to be the inside interface for one of your contexts, traffic would be routed around the FWSM from vlan 100 to vlan 50.

You are right to not enable firewall multiple-vlan-interfaces for this setup, although we have in our FWSM but for a different purpose.

Remember you need vlans 50, 51, 52, 99 created at layer 2 on the switch, but you do not want an SVI on the switch for these vlans. Their Layer 3 interface will be on the FWSM within their respective contexts.

Also note that with multiple context mode you will need static routes on your 6500 to get to the subnets behind the FWSM, e.g. from your config above, on the 6500:

ip route 172.29.254.64 255.255.255.240 172.29.254.2

Does this make sense?

Jon
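
Jon's point above, that an SVI on an inside VLAN lets traffic route around the FWSM, can be checked mechanically before the change is made. The script below is an added example, not from this thread or from Cisco: it parses a constructed 6500 config excerpt and FWSM system-space excerpt modelled on the ones posted here, treats the VLAN allocated to more than one context as the shared outside VLAN, and reports any other allocated VLAN that also carries a Layer 3 SVI on the switch (for the sample it reports customer1's VLAN 50).

```python
import re

# Constructed sample configs modelled on this thread (not the poster's full configs):
# the switch has an extra SVI on VLAN 50, which is the inside VLAN of context customer1.
SWITCH_CFG = """firewall module 4 vlan-group 1
firewall vlan-group 1 50-100
interface Vlan100
 ip address 172.29.254.1 255.255.255.240
interface Vlan50
 ip address 172.29.254.18 255.255.255.240
"""
FWSM_SYSTEM_CFG = """context admin
 allocate-interface Vlan100
 allocate-interface Vlan99
context customer1
 allocate-interface Vlan100
 allocate-interface Vlan50
"""

def switch_svis(switch_cfg):
    """VLAN ids that have a Layer 3 SVI ('interface VlanN' carrying an ip address)."""
    svis, current = set(), None
    for line in switch_cfg.splitlines():
        if (m := re.match(r"interface Vlan(\d+)", line)):
            current = int(m.group(1))
        elif current is not None and line.strip().startswith("ip address"):
            svis.add(current)
    return svis

def context_vlans(system_cfg):
    """Map context name -> VLANs allocated to it in the FWSM system execution space."""
    ctx, current = {}, None
    for line in system_cfg.splitlines():
        if (m := re.match(r"context (\S+)", line)):
            current = m.group(1)
            ctx[current] = set()
        elif (m := re.match(r"\s*allocate-interface Vlan(\d+)", line)) and current:
            ctx[current].add(int(m.group(1)))
    return ctx

def bypass_findings(switch_cfg, system_cfg):
    """(context, vlan) pairs where the switch also routes the context's inside VLAN."""
    svis, ctx = switch_svis(switch_cfg), context_vlans(system_cfg)
    # A VLAN allocated to more than one context is the shared outside VLAN (100 in the
    # thread); every other allocated VLAN is an inside interface and must have no SVI,
    # otherwise the 6500 routes between it and the outside VLAN without the FWSM.
    shared = {v for s in ctx.values() for v in s if sum(v in t for t in ctx.values()) > 1}
    return sorted((name, v) for name, vlans in ctx.items()
                  for v in vlans if v not in shared and v in svis)
```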

Jon

From my switch I am not able to ping the switch vlan, i.e. 100. It is showing down to me.

sanjoy

Ya, I got it.

Dear Jon,

I am attaching the full configuration below because I am still not getting my outside vlan 100 UP.

I am not getting where actually I am making the mistake.

=========== SWITCH CONF ========
svclc vlan-group 1 50-100
firewall module 4 vlan-group 1
firewall vlan-group 1 50-100
vlan 50
 name customer1
!
vlan 51
 name customer2
!
vlan 52
 name customer3
interface Vlan100
 description ### Outgoing ####
 ip address 172.29.254.1 255.255.255.240

====FWSM SYSTEM CONF===
resource acl-partition 12
hostname FWSM
enable password 9jNfZuG3TC5tCVH0 encrypted
!
interface Vlan50
!
interface Vlan51
!
interface Vlan52
!
interface Vlan99
!
interface Vlan100
!
passwd 2KFQnbNIdI.2KYOU encrypted
!
admin-context admin
context admin
 allocate-interface Vlan100
 allocate-interface Vlan99
 allocate-acl-partition 0
 config-url disk:/admin.cfg
!
context customer1
 allocate-interface Vlan100
 allocate-interface Vlan50
 allocate-acl-partition 1
 config-url disk:/context1.cfg
!
context customer2
 allocate-interface Vlan100
 allocate-interface Vlan51
 allocate-acl-partition 2
 config-url disk:/context2.cfg
!
context customer3
 allocate-interface Vlan100
 allocate-interface Vlan52
 allocate-acl-partition 3
 config-url disk:/context3.cfg
!

=========== admin context ==
FWSM/admin# sh run
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan100
 nameif outside
 security-level 0
 ip address 172.29.254.2 255.255.255.240
!
interface Vlan99
 nameif inside
 security-level 100
 ip address 172.29.254.66 255.255.255.240
!
passwd 2KFQnbNIdI.2KYOU encrypted
pager lines 24
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
nat-control
route outside 0.0.0.0 0.0.0.0 172.29.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
FWSM/admin#

==== CUSTOMER1 CONTEXT
FWSM/customer1#
FWSM/customer1# sh run
names
!
interface Vlan100
 nameif outside
 security-level 0
 ip address 172.29.254.3 255.255.255.240
!
interface Vlan50
 nameif inside
 security-level 100
 ip address 172.29.254.17 255.255.255.240
!
passwd 2KFQnbNIdI.2KYOU encrypted
pager lines 24
mtu inside 1500
mtu outside 1500
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 172.29.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
!

Sanjoy

Can you just confirm that you have created vlan 100 as a layer 2 vlan on your 6500 switch. If you do a "sh ip int br" on the 6500, is the vlan 100 interface up/up?

Jon

Hi Jon

vlan 100 is not my L2, it's layer 3 because it's my outgoing interface.

sh ip int brief
Vlan100 172.29.254.1 YES manual down/down

Rgd

Sanjoy

Hi Jon,

Thanks a lot for your great support from the beginning; my Switch (MSFC) vlan100 is showing up now.

Vlan100 172.29.254.1 YES manual up up

Now we are able to ping from the context too.

rgd

Sanjoy

Hi Sanjoy

Glad to hear you got it working. Thanks for letting me know and I appreciate the ratings.

Jon

Sorry, but I have a question. I am not able to ping the switch L3 vlan ip from the customer context, but I am able to ping the FWSM outside ip of the admin context and the outside ip of the other context too.

Is it ok, or is there still an issue?
