FWSM Confusion

mahmoodmkl
Level 7

Dear Guys

I need your help in understanding how the FWSM works. I'm confused about the interfaces in the FWSM. How do we define the inside and outside interfaces, as it doesn't have any physical interfaces?

And how does the traffic flow if we are using the FWSM?

Thanks

Mahmood

21 Replies

Jon Marshall
Hall of Fame

Hi Mahmood

It's a bit like the vlan interfaces on a 6500 switch, they are virtual as well. Assuming the FWSM is in slot 7, this is how you would set up a basic firewall with an inside vlan that is firewalled by the FWSM (vlan 100) and an outside vlan that is routed off the MSFC on the 6500.

1) decide which vlan will be used for the outside eg. vlan 100

2) which vlan will be used for the inside eg. vlan 200

You then allocate these vlans to the FWSM eg. on the 6500

6500(config)# firewall vlan-group 7 100,200
6500(config)# firewall module 7 vlan-group 7

Then create a L3 SVI for the outside interface

6500(config)# int vlan 100

6500(config-if)# ip address 192.168.5.1 255.255.255.128

You then go onto the FWSM module

sess slot 7 proc 1

Now it depends if you are in single context or multiple context - lets assume single context to keep things simple.

Once you are onto the FWSM you can now create interfaces as you would on a standalone pix

nameif vlan 100 outside security0

nameif vlan 200 inside security100

ip address outside 192.168.5.2 255.255.255.128

ip address inside 172.16.5.1 255.255.255.128

You can now add rules etc. as you would a standlone pix.

Routing - the FWSM can participate in OSPF/RIP, but if you don't want to use those then you need a static route on your MSFC

6500(config)# ip route 172.16.5.0 255.255.255.128 192.168.5.2

The one thing you need to be aware of is that on the FWSM, traffic by default is not allowed in any direction, so if you want to go from inside to outside you still need an access-list.

Multiple context mode is more complicated because you can share vlans between contexts and then you need to understand the classifier to know how the FWSM sends traffic to the right context.

Okay, that was a high level run through, please feel free to come back with any more questions.

HTH

Jon

Nice detailed explanation Jon.

rated :-)

Narayan

Thanks Narayan, much appreciated :)

Hi Jon

Thanks for the reply.

In your example you mention vlan 200, i.e. the inside vlan, firewalled by the outside vlan, i.e. 200. I didn't understand "routed by MSFC"; can you please explain this?

In your example, is it like this: that you want to protect the traffic in vlan 200 from vlan 100, i.e. the outside vlan?

Thanks

Mahmood

Mahmood

In the example you are protecting vlan 200 (the inside vlan) from all other traffic. Think of it like this:

You have a site that has a pair of 6500 switches. In this site you have some web servers you want to firewall. So you allocate these web servers into vlan 200 and add a rule allowing only port 80 access to these servers.

! the object-group must exist before the access-list can reference it (member address is illustrative)
object-group network web_servers
 network-object host 172.16.5.10
access-list inbound permit tcp any object-group web_servers eq 80
access-group inbound in interface outside

Now how do your client PCs access these servers?

Whether the client PCs are directly attached to the 6500s on another vlan, e.g. vlan 500, or they are in a remote site, the principle is the same. Let's assume they are directly attached. So they need to be able to route to vlan 200. That is what the route on the 6500 does

ip route 172.16.5.0 255.255.255.128 192.168.5.2

So a client on vlan 500 sends an http request to its default gateway, and then the packet is routed to the OUTSIDE interface of the FWSM (192.168.5.2). As long as you have a rule to allow http access (and you have sorted out the NAT setup) the packet will be allowed through.

The other way you could use the FWSM is to not use the MSFC at all and have the clients on vlan 500 directly attached to the FWSM ie. there is an interface on the FWSM for vlan 500. You can do this but it gives less flexibility.

Hope this makes sense, appreciate the rating

Jon
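The two points in Jon's answer above (an inbound access-group on "outside" that only lets port 80 reach the web_servers object-group, and the FWSM permitting nothing by default in either direction, so inside to outside also needs an access-list) can be checked with a small evaluator of FWSM-style access-list syntax. This is an added example, not code from the thread or from Cisco: the object-group members, the second "outbound" access-list bound on inside, and the test flows are constructed for illustration, and the parser only understands the handful of keywords used here.

```python
"""Evaluator for FWSM-style access-lists (added example, not from the thread).

Supported syntax: object-group network / network-object, access-list with
any | host A | object-group G | NET MASK operands and an optional "eq PORT",
and access-group NAME in interface IF. Matching is first-match with an
implicit deny, and an interface with no access-group denies everything,
which is the FWSM default Jon describes.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed config: Jon's web_servers rule plus an illustrative outbound ACL.
CONFIG = """\
object-group network web_servers
 network-object host 172.16.5.10
 network-object host 172.16.5.11
! Jon's rule: only port 80 to the web servers, applied inbound on outside
access-list inbound permit tcp any object-group web_servers eq 80
access-group inbound in interface outside
! constructed: without an ACL on inside the servers could not open anything outbound
access-list outbound permit tcp 172.16.5.0 255.255.255.128 any eq 443
access-group outbound in interface inside
"""


class FwsmPolicy:
    def __init__(self):
        self.groups = {}   # object-group name -> [networks]
        self.acls = {}     # acl name -> [(action, proto, srcs, dsts, port)] in order
        self.bound = {}    # interface -> acl applied inbound on that interface

    def load(self, config):
        group = None
        for raw in config.splitlines():
            t = raw.split()
            if not t or t[0] == "!":
                continue
            if t[:2] == ["object-group", "network"]:
                group = self.groups.setdefault(t[2], [])
            elif t[0] == "network-object":
                group.append(self._net(t[1:]))
            elif t[0] == "access-list":
                name, action, proto = t[1], t[2], t[3]
                src, rest = self._operand(t[4:])
                dst, rest = self._operand(rest)
                port = int(rest[1]) if rest[:1] == ["eq"] else None
                self.acls.setdefault(name, []).append((action, proto, src, dst, port))
            elif t[0] == "access-group" and t[2:4] == ["in", "interface"]:
                self.bound[t[4]] = t[1]
            else:
                raise ValueError(f"unsupported line: {raw}")

    @staticmethod
    def _net(tok):
        """'host A' or 'NET MASK' (dotted mask) -> ip_network."""
        if tok[0] == "host":
            return ipaddress.ip_network(tok[1])
        return ipaddress.ip_network(f"{tok[0]}/{tok[1]}")

    def _operand(self, tok):
        """Parse one address operand; returns (list of networks, remaining tokens)."""
        if tok[0] == "any":
            return [ANY], tok[1:]
        if tok[0] == "host":
            return [ipaddress.ip_network(tok[1])], tok[2:]
        if tok[0] == "object-group":
            return self.groups[tok[1]], tok[2:]
        return [self._net(tok[:2])], tok[2:]

    def check(self, ingress, proto, src, dst, dport=None):
        """First matching entry wins; no match, or no ACL on the ingress interface, is deny."""
        acl = self.bound.get(ingress)
        if acl is None:
            return ("deny", f"no access-group on {ingress}: FWSM default is deny")
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for n, (action, p, srcs, dsts, port) in enumerate(self.acls[acl], 1):
            if ((p == "ip" or p == proto) and any(src in s for s in srcs)
                    and any(dst in d for d in dsts) and (port is None or port == dport)):
                return (action, f"{acl} line {n}")
        return ("deny", f"{acl}: implicit deny")


if __name__ == "__main__":
    pol = FwsmPolicy()
    pol.load(CONFIG)
    for flow in (("outside", "tcp", "10.0.50.7", "172.16.5.10", 80),
                 ("outside", "tcp", "10.0.50.7", "172.16.5.10", 22),
                 ("inside", "tcp", "172.16.5.10", "10.0.50.7", 443),
                 ("inside", "tcp", "172.16.5.10", "10.0.50.7", 80)):
        print(flow, "->", pol.check(*flow))
```

The last case in the usage block is the one that trips people coming from a PIX: the web server's own outbound port 80 traffic is dropped because the only rule on the inside ACL is for 443, and removing that ACL altogether would drop 443 as well rather than opening everything.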

Mahmood,

Since the VLAN interface has been defined under the FWSM, it needs to be routed to from the MSFC, similar to how you would route to any router.

The VLAN that is protected will be 200, something similar to having a dedicated firewall for that segment connecting to the L3 switch.

HTH

Narayan

HI

Guys, thanks for your replies.

What does this command do?

firewall vlan-group 1 100,200

So you mean to say that any traffic coming from vlan 200 will not hit the MSFC, rather it will go to the FWSM, and any traffic from other vlans will go to the MSFC in order to reach vlan 200? Am I right in thinking this?

Thanks

Mahmood

Mahmood

firewall vlan-group 1 100,200

You have to tell the 6500 switch which vlans you are allocating to the FWSM. If you don't do this then you cannot use these vlans on your FWSM.

Vlan 200 is really only used as a connection between the MSFC and the FWSM so there should be no clients on this vlan.

So traffic from any other vlan going to vlan 100 will have to go across vlan 200 to get to the outside interface of the FWSM and then through to vlan 100.

Return traffic from vlan 100 will leave the outside interface of the FWSM on vlan 200 and go to the vlan 200 L3 interface on the MSFC and then get routed off.

Jon

In Cisco IOS software, create up to 16 firewall VLAN groups, and then assign the groups to the FWSM. For example, you can assign all the VLANs to one group, or you can create an inside group and an outside group, or you can create a group for each customer. Each group can contain unlimited VLANs.

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00808b4d9f.shtml

For your second question, imagine you have another vlan 300 in addition to 100 and 200, and you define the SVI in the MSFC. All traffic from vlan 300 would hit the MSFC directly without passing the firewall, but if access is needed to vlan 200, it will be routed via the FWSM.

Edit: Sorry Jon didn't see your response again:-)

HTH

Narayan

Narayan

No need to apologise, we were both answering at same time and it's good to get different explanations for the same thing.

Jon

Hi Guys

How do you define whether the MSFC is behind the firewall or in front? Please explain.

Thanks

Mahmood

Hi Mahmood

You have 2 vlans -

vlan 100 is inside vlan in terms of the FWSM

vlan 200 is outside vlan in terms of the FWSM

If you want to have the MSFC on the outside of the FWSM then you would create a L3 SVI on your 6500 for vlan 200 and an outside interface on the FWSM in vlan 200.

For vlan 100 you would not have a L3 SVI, you would only create the interface on the FWSM.

If you want the MSFC on the inside you would not create a L3 SVI for vlan 200 on the 6500 only as an outside interface on the FWSM.

For vlan 100 you would create an inside interface on the FWSM in vlan 100 and also a L3 SVI on the 6500.

Does this make sense ?

Jon

Hi Jon,

Thanks for your reply. Sorry for my stupid understanding.

So, as you have explained regarding the inside and outside, putting our scenario in a picture: if we are defining vlan 200 as outside and creating the SVI in the switch for the same vlan, then it means that any traffic from all the vlans going to vlan 100 will be protected, and the intercommunication among the rest of the vlans will be unsecured. Am I right in thinking this? And if we are defining vlan 200 as inside and creating the SVI on the switch for it, does it mean that any traffic from vlan 200 to the inside vlans is protected?

Thanks

Mahmood

Mahmood

No need to apologise, this virtualisation takes a bit of getting used to, and you should see the problems I'm having with MPLS at the moment :).

You are right in the first part.

Vlan 200 as the outside vlan of FWSM. Create a L3 SVI for vlan 200 and an outside interface on the FWSM in vlan 200. Vlan 100 is behind the FWSM.

In this scenario all traffic going to and from vlan 100 to any other vlan will have to go through the FWSM so vlan 100 is protected from all other vlans.

Any traffic between any other vlans on your 6500 switch will not go through the FWSM, i.e. the traffic is just routed, assuming they have L3 SVIs on the 6500.

The second part I'm not so sure I follow. If you defined vlan 200 as the inside interface on the FWSM and created a L3 SVI for it, then the MSFC is effectively behind the FWSM. Any traffic from vlan 200 to any other vlan that has a L3 SVI on the 6500 would NOT go through the FWSM, it would just be routed.

Hope this explains. Please feel free to come back with any more questions. As I say, it can take a while to get this right in your mind.

HTH

Jon
