09-24-2007 12:19 PM - edited 03-11-2019 04:16 AM
I have configured this on switch 6509:
firewall module 4 vlan-group 1
firewall vlan-group 1 2-100
interface Vlan100
description ### Outgoing ####
ip address 172.31.254.1 255.255.255.248
And below is the FWSM config:
FWSM# sh run
: Saved
:
FWSM Version 3.1(3) <system>
!
resource acl-partition 12
hostname FWSM
enable password xxx
!
interface Vlan50
!
interface Vlan51
!
interface Vlan52
!
interface Vlan100
!
passwd xxx
class default
limit-resource All 0
limit-resource IPSec 5
limit-resource Mac-addresses 65535
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
class gold
limit-resource rate Conns 2000
limit-resource Conns 20000
!
class silver
limit-resource rate Conns 1000
limit-resource Conns 10000
limit-resource ASDM 3.0%
!
class bronze
limit-resource rate Conns 500
limit-resource Conns 5000
!
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0
admin-context admin
context admin
member default
allocate-interface Vlan100
allocate-interface Vlan50
allocate-interface Vlan51
allocate-interface Vlan52
config-url disk:/admin.cfg
!
context customer1
description This is the context for customer 1
member gold
allocate-interface Vlan100
allocate-interface Vlan50
config-url disk:/context1.cfg
!
context customer2
description This is the context for customer 2
allocate-interface Vlan100
allocate-interface Vlan51
config-url disk:/context2.cfg
!
context customer3
description This is the context for customer 3
allocate-interface Vlan100
allocate-interface Vlan52
config-url disk:/context3.cfg
!
prompt hostname context
Cryptochecksum:xxx
: end
FWSM#
But I am not able to put an IP address and nameif on my FWSM VLAN interface. Kindly suggest where the issue is.
09-24-2007 12:29 PM
Hi
Where are you trying to configure the nameif command?
You need to do this within the context. So choose the context you want to configure and from the enable prompt:
FWSM# changeto context context2
This should put you into context2 and from there you can configure the nameif, NAT, access-lists etc.
HTH
Jon
09-25-2007 01:20 AM
Thanks Jon,
Now I am able to enter each context and get the IP configuration command, but it is not showing in the main running config.
Can you send me any template to use in multiple mode configuration, and how to map it with my IOS VLAN?
Rgd
Sanjoy
09-25-2007 02:34 AM
Hi Sanjoy
Not sure what you mean about running config. When you use multiple contexts on the FWSM you have to change to each context to see the running config for that context. They are in effect separate firewalls.
In your original post your configuration was in the system execution space, i.e. this is where you define your virtual firewalls, allocate VLANs, set resources etc.
Once you have setup a context in system execution space you then have to change to the context to configure the firewall.
Not sure what you mean by map IOS VLAN. Could you clarify?
HTH
Jon
09-25-2007 03:29 AM
Hi Jon,
Suppose in the main switch configuration (IOS) there is VLAN 100, which is my outgoing traffic VLAN.
Now I have configured 3 contexts, and 50, 51, 52, 99 are my inside VLANs and 100 is my common outside VLAN.
Now when in IOS only VLAN 100 is enabled there is no issue, but when we generate VLAN 50 or 51
an error is coming:
DC_Core_Switch_2(config-if)#no sh
Forcing SVI 50 to stay shutdown (SVI 100 tied to line card in slot 4.)
DC_Core_Switch_2(config-if)#
I haven't configured "firewall multiple-vlan-interfaces".
I have configured "firewall module 4 vlan-group 1
firewall vlan-group 1 50-100".
FWSM# changeto conte
FWSM# changeto context admin
FWSM/admin#
FWSM/admin#
FWSM/admin# sh run
: Saved
:
FWSM Version 3.1(3)
!
hostname FWSM
domain-name show
enable password xxx
names
!
interface Vlan100
nameif outside
security-level 0
ip address 172.29.254.2 255.255.255.248
!
interface Vlan99
nameif inside
security-level 100
ip address 172.29.254.66 255.255.255.240
!
passwd xxx
pager lines 24
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
nat-control
route outside 0.0.0.0 0.0.0.0 172.29.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect smtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:xxx
: end
FWSM/admin#
But I am not clear how to map the main VLAN which I configured on the switch with the one on my FWSM.
Rgd
Sanjoy
09-25-2007 04:03 AM
Sanjoy
Any vlan that is meant to be on the inside of the FWSM should not have an SVI (Layer 3 interface) on the switch.
If vlan 100 is the outside vlan this will have an SVI on the 6500 switch. If you then added an SVI for vlan 50 which is supposed to be the inside interface for one of your contexts, traffic would be routed around the FWSM from vlan 100 to vlan 50.
You are right not to enable firewall multiple-vlan-interfaces for this setup, although we have it in our FWSM but for a different purpose.
Remember you need vlans 50,51,52,99 created at layer 2 on the switch but you do not want an SVI on the switch for these vlans. Their Layer 3 interface will be on the FWSM within their respective contexts.
Also note that with multiple context mode you will need static routes on your 6500 to get to the subnets behind the FWSM, e.g. from your config above, on the 6500:
ip route 172.29.254.64 255.255.255.240 172.29.254.2
Does this make sense?
Jon
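As an added illustration of Jon's two rules (not code from this thread), a small Python audit over constructed copies of the switch and context configs: any inside VLAN that also has an SVI on the 6500 lets traffic route around the FWSM, and each context's inside subnet needs a static route on the switch pointing at that context's outside address. The config fragments, the `audit` function and its helpers are all my construction.

```python
import re
from ipaddress import ip_network

# Constructed configs modelled on this thread; VLAN 50 deliberately has an SVI.
SWITCH_CONF = """
interface Vlan100
 ip address 172.29.254.1 255.255.255.240
interface Vlan50
 ip address 172.29.254.18 255.255.255.240
ip route 172.29.254.64 255.255.255.240 172.29.254.2
"""
CONTEXT_CONFS = {  # per-context 'sh run' fragments (constructed)
    "admin": ("interface Vlan100\n nameif outside\n ip address 172.29.254.2 255.255.255.240\n"
              "interface Vlan99\n nameif inside\n ip address 172.29.254.66 255.255.255.240\n"),
    "customer1": ("interface Vlan100\n nameif outside\n ip address 172.29.254.3 255.255.255.240\n"
                  "interface Vlan50\n nameif inside\n ip address 172.29.254.17 255.255.255.240\n"),
}
IFACE_RE = re.compile(r"^interface Vlan(\d+)\n((?: .*\n)*)", re.M)  # header + indented body

def switch_svis(conf):  # VLANs with a layer-3 SVI (an IP address) on the switch
    return {int(v) for v, body in IFACE_RE.findall(conf) if "ip address" in body}
def switch_routes(conf):  # static routes on the switch as (network, next-hop) pairs
    return {(ip_network(f"{net}/{mask}"), nh)
            for net, mask, nh in re.findall(r"^ip route (\S+) (\S+) (\S+)", conf, re.M)}
def context_interfaces(conf):  # nameif -> (vlan, interface IP, subnet) for one context
    out = {}
    for vlan, body in IFACE_RE.findall(conf):
        name = re.search(r"nameif (\S+)", body)
        addr = re.search(r"ip address (\S+) (\S+)", body)
        if name and addr:
            subnet = ip_network(f"{addr.group(1)}/{addr.group(2)}", strict=False)
            out[name.group(1)] = (int(vlan), addr.group(1), subnet)
    return out
def audit(switch_conf, context_confs):
    """Return (inside VLANs that also have an SVI, inside subnets lacking a static route)."""
    svis, routes = switch_svis(switch_conf), switch_routes(switch_conf)
    bypass, missing = set(), []
    for ctx, conf in context_confs.items():
        ifs = context_interfaces(conf)
        outside_ip = ifs["outside"][1]  # the switch must reach inside subnets via this IP
        for name, (vlan, _ip, subnet) in ifs.items():
            if name == "outside":
                continue
            if vlan in svis:  # SVI on an inside VLAN lets traffic route around the FWSM
                bypass.add(vlan)
            if (subnet, outside_ip) not in routes:
                missing.append((ctx, str(subnet), outside_ip))
    return sorted(bypass), missing
```

On the constructed input this flags VLAN 50 as a bypass and reports that customer1's inside subnet has no route on the switch, while the admin context's 172.29.254.64/28 is covered by the route Jon gave.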
09-25-2007 09:59 AM
Jon
From my switch I am not able to ping the switch VLAN, i.e. 100. It is showing down to me.
sanjoy
09-25-2007 01:48 PM
Yeah, I got it.
Dear Jon,
I am attaching the full configuration below because I am still not getting my outside VLAN 100 up.
I am not getting where I am actually making a mistake.
=========== SWITCH CONF ========
svclc vlan-group 1 50-100
firewall module 4 vlan-group 1
firewall vlan-group 1 50-100
vlan 50
name customer1
!
vlan 51
name customer2
!
vlan 52
name customer3
interface Vlan100
description ### Outgoing ####
ip address 172.29.254.1 255.255.255.240
====FWSM SYSTEM CONF===
resource acl-partition 12
hostname FWSM
enable password 9jNfZuG3TC5tCVH0 encrypted
!
interface Vlan50
!
interface Vlan51
!
interface Vlan52
!
interface Vlan99
!
interface Vlan100
!
passwd 2KFQnbNIdI.2KYOU encrypted
!
admin-context admin
context admin
allocate-interface Vlan100
allocate-interface Vlan99
allocate-acl-partition 0
config-url disk:/admin.cfg
!
context customer1
allocate-interface Vlan100
allocate-interface Vlan50
allocate-acl-partition 1
config-url disk:/context1.cfg
!
context customer2
allocate-interface Vlan100
allocate-interface Vlan51
allocate-acl-partition 2
config-url disk:/context2.cfg
!
context customer3
allocate-interface Vlan100
allocate-interface Vlan52
allocate-acl-partition 3
config-url disk:/context3.cfg
!
=========== admin context ==
FWSM/admin# sh run
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan100
nameif outside
security-level 0
ip address 172.29.254.2 255.255.255.240
!
interface Vlan99
nameif inside
security-level 100
ip address 172.29.254.66 255.255.255.240
!
passwd 2KFQnbNIdI.2KYOU encrypted
pager lines 24
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
nat-control
route outside 0.0.0.0 0.0.0.0 172.29.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
FWSM/admin#
==== CUSTOMER1 CONTEXT
FWSM/customer1#
FWSM/customer1# sh run
names
!
interface Vlan100
nameif outside
security-level 0
ip address 172.29.254.3 255.255.255.240
!
interface Vlan50
nameif inside
security-level 100
ip address 172.29.254.17 255.255.255.240
!
passwd 2KFQnbNIdI.2KYOU encrypted
pager lines 24
mtu inside 1500
mtu outside 1500
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 172.29.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
!
09-25-2007 02:05 PM
Sanjoy
Can you just confirm that you have created vlan 100 as a layer 2 vlan on your 6500 switch. If you do a "sh ip int br" on the 6500, is the vlan 100 interface up/up?
Jon
09-25-2007 09:26 PM
Hi Jon
VLAN 100 is not my L2, it's layer 3 because it's my outgoing interface.
sh ip int brief
Vlan100 172.29.254.1 YES manual down/down
Rgd
Sanjoy
09-26-2007 02:55 AM
Hi Jon,
Thanks a lot for your great support from the beginning. My switch (MSFC) VLAN 100 is showing up now.
Vlan100 172.29.254.1 YES manual up up
Now we are able to ping from the context too.
rgd
Sanjoy
09-27-2007 08:01 AM
Hi Sanjoy
Glad to hear you got it working. Thanks for letting me know and I appreciate the ratings.
Jon
09-27-2007 07:04 PM
Sorry, but I have a question. I am not able to ping the switch L3 VLAN IP from the customer context, but I am able to ping the FWSM outside IP of the admin context and the outside IP of the other context too.
Is it OK, or is there still an issue?