FWSM Confusion

Unanswered Question
Nov 11th, 2007

Dear Guys

I need your help in understanding the working of the FWSM. I'm confused about the interfaces in the FWSM. How do we define the inside and outside interfaces, as it doesn't have any physical interfaces?

And how does the traffic flow if we are using the FWSM?

Thanks

Mahmood

Jon Marshall Sun, 11/11/2007 - 23:36

Hi Mahmood

It's a bit like the vlan interfaces on a 6500 switch; they are virtual as well. Assuming the FWSM is in slot 7, this is how you would set up a basic firewall with an inside vlan that is firewalled by the FWSM (vlan 100) and an outside vlan that is routed off the MSFC on the 6500.

1) decide which vlan will be used for the outside, eg. vlan 100

2) decide which vlan will be used for the inside, eg. vlan 200

You then allocate these vlans to the FWSM, eg. on the 6500:

6500(config)# firewall vlan-group 7 100,200

Then create an L3 SVI for the outside interface:

6500(config)# int vlan 100

6500(config-if)# ip address 192.168.5.1 255.255.255.128

You then go onto the FWSM module:

sess slot 7 proc 1

Now it depends on whether you are in single context or multiple context mode; let's assume single context to keep things simple.

Once you are on the FWSM you can create interfaces as you would on a standalone PIX:

nameif vlan 100 outside security0

nameif vlan 200 inside security100

ip address outside 192.168.5.2 255.255.255.128

ip address inside 172.16.5.1 255.255.255.128

You can now add rules etc. as you would on a standalone PIX.

Routing: the FWSM can participate in OSPF/RIP, but if you don't want to use those then you need a static route on your MSFC:

172.16.5.0 255.255.255.128 192.168.5.2

The one thing you need to be aware of is that on the FWSM, traffic by default is not allowed in any direction, so if you want to go from inside to outside you still need an access-list.

Multiple context mode is more complicated because you can share vlans between contexts, and then you need to understand the classifier to know how the FWSM sends traffic to the right context.

Okay, that was a high-level run through; please feel free to come back with any more questions.

HTH

Jon

mahmoodmkl Mon, 11/12/2007 - 00:07

Hi Jon

Thanks for the reply.

In your example you mention vlan 200, i.e. the inside vlan, firewalled by the outside vlan, i.e. 200. I didn't understand "routed by the MSFC"; can you please explain this?

In your example, is it like this: that you want to protect the traffic in vlan 200 from vlan 100, i.e. the outside vlan?

Thanks

Mahmood

Jon Marshall Mon, 11/12/2007 - 00:18

Mahmood

In the example you are protecting vlan 200 (the inside vlan) from all other traffic. Think of it like this:

You have a site that has a pair of 6500 switches. In this site you have some web servers you want to firewall. So you allocate these web servers into vlan 200 and add a rule allowing only port 80 access to these servers:

access-list inbound permit tcp any object-group web_servers eq 80

access-group inbound in interface outside

Now, how do your client PCs access these servers?

Whether the client PCs are directly attached to the 6500s on another vlan (eg. vlan 500) or they are in a remote site, the principle is the same. Let's assume they are directly attached. So they need to be able to route to vlan 200. That is what the route on the 6500 does:

ip route 172.16.5.0 255.255.255.128 192.168.1.2

So a client on vlan 500 sends an HTTP request to its default gateway, and then the packet is routed to the OUTSIDE interface of the FWSM (192.168.5.2). As long as you have a rule to allow HTTP access (and you have sorted out the NAT setup), the packet will be allowed through.

The other way you could use the FWSM is to not use the MSFC at all and have the clients on vlan 500 directly attached to the FWSM, ie. there is an interface on the FWSM for vlan 500. You can do this, but it gives less flexibility.

Hope this makes sense; appreciate the rating.

Jon

royalblues Mon, 11/12/2007 - 00:20

Mahmood,

Since the VLAN interface has been defined under the FWSM, it needs to be routed to the MSFC, similar to how you would route to any router.

The VLAN that is protected will be 200, something similar to having a dedicated firewall for that segment connecting to the L3 switch.

HTH

Narayan

mahmoodmkl Mon, 11/12/2007 - 00:35

Hi

Guys, thanks for your replies.

What does this command do?

firewall group 1 vlan 100,200

So you mean to say that any traffic coming from vlan 200 will not hit the MSFC; rather it will go to the FWSM, and any traffic from other vlans will go to the MSFC in order to reach vlan 200. Am I right in thinking this?

Thanks

Mahmood

Jon Marshall Mon, 11/12/2007 - 00:38

Mahmood

firewall group 1 vlan 100,200

You have to tell the 6500 switch which vlans you are allocating to the FWSM. If you don't do this then you cannot use these vlans on your FWSM.

Vlan 200 is really only used as a connection between the MSFC and the FWSM, so there should be no clients on this vlan.

So traffic from any other vlan going to vlan 100 will have to go across vlan 200 to get to the outside interface of the FWSM and then through to vlan 100.

Return traffic from vlan 100 will leave the outside interface of the FWSM on vlan 200, go to the vlan 200 L3 interface on the MSFC, and then get routed off.

Jon

royalblues Mon, 11/12/2007 - 00:39

In Cisco IOS software, create up to 16 firewall VLAN groups, and then assign the groups to the FWSM. For example, you can assign all the VLANs to one group, or you can create an inside group and an outside group, or you can create a group for each customer. Each group can contain unlimited VLANs.

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00808b4d9f.shtml

For your second question, imagine you have another vlan 300 in addition to 100 and 200, and you define the SVI in the MSFC. All traffic from vlan 300 would hit the MSFC directly without passing the firewall, but if access is needed to vlan 200, it will be routed via the FWSM.

Edit: Sorry Jon, didn't see your response again :-)

HTH

Narayan

Jon Marshall Mon, 11/12/2007 - 00:55

Narayan

No need to apologise; we were both answering at the same time, and it's good to get different explanations for the same thing.

Jon

mahmoodmkl Wed, 11/14/2007 - 02:28

Hi Guys

How do you define whether the MSFC is behind the firewall or in front? Please explain.

Thanks

Mahmood

Jon Marshall Wed, 11/14/2007 - 02:36

Hi Mahmood

You have 2 vlans:

vlan 100 is the inside vlan in terms of the FWSM

vlan 200 is the outside vlan in terms of the FWSM

If you want to have the MSFC on the outside of the FWSM, then you would create an L3 SVI on your 6500 for vlan 200 and an outside interface on the FWSM in vlan 200.

For vlan 100 you would not have an L3 SVI; you would only create the interface on the FWSM.

If you want the MSFC on the inside, you would not create an L3 SVI for vlan 200 on the 6500, only an outside interface on the FWSM.

For vlan 100 you would create an inside interface on the FWSM in vlan 100 and also an L3 SVI on the 6500.

Does this make sense?

Jon

mahmoodmkl Wed, 11/14/2007 - 02:51

Hi Jon,

Thanks for your reply. Sorry for my stupid understanding.

So, as you have explained regarding the inside and outside, putting our scenario in a picture: if we are defining vlan 200 as outside and creating the SVI in the switch for the same vlan, then it means that any traffic from all the vlans going to vlan 100 will be protected, and the inter-communication among the rest of the vlans will be unsecure. Am I right in thinking this? And if we are defining vlan 200 as inside and creating the SVI on the switch for it, does it mean that any traffic from vlan 200 to the inside vlans is protected?

Thanks

Mahmood

Jon Marshall Wed, 11/14/2007 - 03:05

Mahmood

No need to apologise; this virtualisation takes a bit of getting used to, and you should see the problems I'm having with MPLS at the moment :).

You are right in the first part.

Vlan 200 as the outside vlan of the FWSM: create an L3 SVI for vlan 200 and an outside interface on the FWSM in vlan 200. Vlan 100 is behind the FWSM.

In this scenario all traffic going to and from vlan 100 to any other vlan will have to go through the FWSM, so vlan 100 is protected from all other vlans.

Any traffic between any other vlans on your 6500 switch will not go through the FWSM, ie. the traffic is just routed, assuming they have L3 SVIs on the 6500.

The second part I'm not so sure I follow. If you defined vlan 200 as the inside interface on the FWSM and created an L3 SVI for it, then the MSFC is effectively behind the FWSM. Any traffic from vlan 200 to any other vlan that has an L3 SVI on the 6500 would NOT go through the FWSM; it would just be routed.

Hope this explains. Please feel free to come back with any more questions. As I say, it can take a while to get this right in your mind.

HTH

Jon

mahmoodmkl Wed, 11/14/2007 - 03:23

Hi Jon

Thanks for the reply. As I'm posting here, I was going through the documentation for the FWSM.

Let me put this in my own words.

For example, I have 3 vlans, 100, 200 and 300, and I want the MSFC to be behind my firewall, and I want to protect my inside vlan, i.e. vlan 100, from the outside vlan, i.e. 200.

Now, creating the SVI, I have to configure it for vlan 100 both on the FWSM and the MSFC. Am I right?

So what is happening here is that any traffic going to vlan 200 from vlans 100 and 300 will be protected. Am I right?

From this discussion, what I have understood of defining the SVI on the MSFC and the FWSM is that you are assigning the FWSM to a particular vlan. Am I right in thinking this?

Please explain.

Thanks

Mahmood

Jon Marshall Wed, 11/14/2007 - 03:49

Mahmood

"Now, creating the SVI, I have to configure it for vlan 100 both on the FWSM and the MSFC. Am I right?"

Yes, you are spot on.

Any traffic going to vlan 200 from vlan 100 or 300, or traffic going from vlan 200 to vlan 100 or 300, will have to go through the FWSM, so you can apply access-lists in both directions to filter the traffic.

"From this discussion, what I have understood of defining the SVI on the MSFC and the FWSM is that you are assigning the FWSM to a particular vlan. Am I right in thinking this?"

Not sure about this. If for a vlan, eg. vlan 200, you only create an interface on the FWSM, then the traffic from that vlan has to go to the FWSM, eg. from my original response:

nameif vlan 100 outside security0

nameif vlan 200 inside security100

The above 2 commands are how you allocate vlans to the FWSM interfaces.

If you create an SVI for vlan 100, then the MSFC is on the outside.

If you create an SVI for vlan 200, then the MSFC is on the inside.

Can't help feeling I've not quite addressed your question?

Jon

mahmoodmkl Wed, 11/14/2007 - 04:22

Hi Jon

"Not sure about this. If for a vlan, eg. vlan 200, you only create an interface on the FWSM, then the traffic from that vlan has to go to the FWSM, eg. from my original response."

If we take this, then how will the traffic go to other vlans unless we define an interface which is in the same subnet?

"If you create an SVI for vlan 100, then the MSFC is on the outside."

It means that all the vlans which are on the MSFC are treated as the outside network. Am I right?

"If you create an SVI for vlan 200, then the MSFC is on the inside."

And it means that all the vlans on the MSFC are inside networks and vlan 100 is outside.

Thanks

Mahmood

Jon Marshall Wed, 11/14/2007 - 05:25

Mahmood

"If you create an SVI for vlan 100, then the MSFC is on the outside.

It means that all the vlans which are on the MSFC are treated as the outside network. Am I right?

If you create an SVI for vlan 200, then the MSFC is on the inside.

And it means that all the vlans on the MSFC are inside networks and vlan 100 is outside."

Yes to the above.

It's a question of routing. If you only create the vlan at L2 on the 6500 and for that vlan have an interface on the FWSM, traffic to and from that vlan has to go through the FWSM. Remember that in routed mode the FWSM will route between vlans.

Jon
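As an added illustration (not code from this thread or from Cisco), a small Python model of Jon's rule about which traffic crosses the FWSM in single-context routed mode: a vlan that exists only as an FWSM interface is reached through the firewall, vlans that both have MSFC SVIs are routed directly, and the FWSM's default-deny still needs an access-list on the ingress interface. The client vlan 500, the ACL contents and all class and function names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Chassis:
    msfc_svis: set     # VLANs that have an L3 SVI on the MSFC
    fwsm_ifaces: dict  # vlan -> nameif on the FWSM (single context, routed mode)
    acls: dict = field(default_factory=dict)  # nameif -> permitted inbound (proto, dport)

    def _shared_vlan(self):
        """The one VLAN with both an SVI and an FWSM interface (the MSFC<->FWSM hand-off)."""
        shared = self.msfc_svis & set(self.fwsm_ifaces)
        if len(shared) != 1:
            raise ValueError("model expects exactly one VLAN shared by MSFC and FWSM")
        return next(iter(shared))

    def path(self, src_vlan, dst_vlan, proto="tcp", dport=80):
        """Hops for a NEW flow src->dst; stateful return traffic is not modelled."""
        if src_vlan == dst_vlan:
            return []                       # same segment: switched at L2 only
        src_msfc, dst_msfc = src_vlan in self.msfc_svis, dst_vlan in self.msfc_svis
        if src_msfc and dst_msfc:
            return ["MSFC"]                 # both SVIs on the 6500: never sees the FWSM
        if not dst_msfc and dst_vlan not in self.fwsm_ifaces:
            raise ValueError(f"vlan {dst_vlan} is on neither the MSFC nor the FWSM")
        hops = []
        if src_msfc:
            hops.append("MSFC")             # static route hands it to the FWSM's shared-VLAN address
            ingress = self._shared_vlan()
        elif src_vlan in self.fwsm_ifaces:
            ingress = src_vlan              # VLAN exists only on the FWSM, so the FWSM is the gateway
        else:
            raise ValueError(f"vlan {src_vlan} is on neither the MSFC nor the FWSM")
        egress = dst_vlan if dst_vlan in self.fwsm_ifaces else self._shared_vlan()
        in_name, out_name = self.fwsm_ifaces[ingress], self.fwsm_ifaces[egress]
        # The FWSM denies in every direction by default (security levels alone do not
        # permit high-to-low as on a PIX), so the ingress interface needs an access-list.
        if (proto, dport) not in self.acls.get(in_name, []):
            raise PermissionError(f"no access-list on {in_name} permits {proto}/{dport}")
        hops.append(f"FWSM:{in_name}->{out_name}")
        if dst_vlan not in self.fwsm_ifaces:
            hops.append("MSFC")             # handed back via the shared VLAN to be routed on
        return hops


# Constructed topology after Jon's example: vlan 100 outside (shared with the MSFC), vlan 200 inside.
SITE = Chassis(
    msfc_svis={100, 500},                          # vlan 500 for client PCs is an assumption
    fwsm_ifaces={100: "outside", 200: "inside"},
    acls={"outside": [("tcp", 80)]},               # access-list inbound permit tcp any <web_servers> eq 80
)
```

`SITE.path(500, 200)` walks MSFC then outside->inside on the FWSM, while `SITE.path(500, 100)` never touches the firewall and `SITE.path(200, 500)` is refused until an access-list is applied on the inside interface.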

RouterTech1 Thu, 12/06/2007 - 12:27

Hi Jon, I was following your advice and I'm trying to execute one of the commands you specified:

"nameif vlan 100 outside security0"

The VLAN is created on the switch side, and this was the next command to be executed on the FWSM. Except I get this error message:

FWSM(config)# nameif vlan 100 outside security0

^

ERROR: % Invalid input detected at '^' marker.

So, for some reason it's not letting me execute the nameif command in config mode. Not sure why. Any idea what I'm doing wrong?

I'm running:

FWSM Firewall Version 3.1(4)

Also, I tried creating the vlan in the switch config, but it shows manual/down/down.

These are the relevant parts of the config:

firewall vlan-group 4 747,748

vtp mode transparent

vlan 747

name to_FW

interface Vlan747

ip address 10.254.254.123 255.255.255.248

no ip redirects

RouterTech1 Fri, 12/07/2007 - 07:38

That's what I had guessed and tried to config from, but the interfaces remain down/down. I'm not sure how to bring them up without a physically connected interface that's up and attached to the vlan.

I've brought an interface up on the switch side for that vlan, but the FWSM Vlan still shows as down.
