11-11-2007 10:32 PM - edited 03-03-2019 05:47 AM
Dear Guys
I need your help in understanding the working of the FWSM. I'm confused about the interfaces in the FWSM. How do we define the inside and outside interfaces, as it doesn't have any physical interfaces?
And how does the traffic flow if we are using the FWSM?
Thanks
Mahmood
11-11-2007 11:36 PM
Hi Mahmood
It's a bit like the vlan interfaces on a 6500 switch, they are virtual as well. Assuming the FWSM is in slot 7, this is how you would set up a basic firewall with an inside vlan that is firewalled by the FWSM (vlan 100) and an outside vlan that is routed off the MSFC on the 6500.
1) decide which vlan will be used for the outside, e.g. vlan 100
2) decide which vlan will be used for the inside, e.g. vlan 200
You then allocate these vlans to the FWSM, e.g. on the 6500
6500(config)# firewall vlan-group 7 100,200
Then create an L3 SVI for the outside interface
6500(config)# int vlan 100
6500(config-if)# ip address 192.168.5.1 255.255.255.128
You then go onto the FWSM module
sess slot 7 proc 1
Now it depends if you are in single context or multiple context mode; let's assume single context to keep things simple.
Once you are onto the FWSM you can now create interfaces as you would on a standalone PIX
nameif vlan 100 outside security0
nameif vlan 200 inside security100
ip address outside 192.168.5.2 255.255.255.128
ip address inside 172.16.5.1 255.255.255.128
You can now add rules etc. as you would on a standalone PIX.
Routing: the FWSM can participate in OSPF/RIP, but if you don't want to use those then you need a static route on your MSFC
172.16.5.0 255.255.255.128 192.168.5.2
The one thing you need to be aware of is that on the FWSM traffic by default is not allowed in any direction so if you want to go from inside to outside you still need an access-list.
Multiple context mode is more complicated because you can share vlans between contexts and then you need to understand the classifier to know how the FWSM sends traffic to the right context.
Okay, that was a high level run through, please feel free to come back with any more questions.
HTH
Jon
11-12-2007 12:01 AM
Nice detailed explanation Jon.
rated :-)
Narayan
11-12-2007 12:03 AM
Thanks Narayan, much appreciated :)
11-12-2007 12:07 AM
Hi Jon
Thanks for the reply.
In your example you mention vlan 200, i.e. the inside vlan firewalled by the outside vlan, i.e. 200. I didn't understand "routed by MSFC"; can you please explain this?
In your example, is it like this: that you want to protect the traffic in vlan 200 from vlan 100, i.e. the outside vlan?
Thanks
Mahmood
11-12-2007 12:18 AM
Mahmood
In the example you are protecting vlan 200 (the inside vlan) from all other traffic. Think of it like this:
You have a site that has a pair of 6500 switches. In this site you have some web servers you want to firewall. So you allocate these web servers into vlan 200 and add a rule allowing only port 80 access to these servers.
access-list inbound permit tcp any object-group web_servers eq 80
access-group inbound in interface outside
Now, how do your client PCs access these servers?
Whether the client PCs are directly attached to the 6500s on another vlan, e.g. vlan 500, or they are in a remote site, the principle is the same. Let's assume they are directly attached. So they need to be able to route to vlan 200. That is what the route on the 6500 does
ip route 172.16.5.0 255.255.255.128 192.168.1.2
So a client on vlan 500 sends an HTTP request to its default gateway and then the packet is routed to the OUTSIDE interface of the FWSM (192.168.5.2). As long as you have a rule to allow HTTP access (and you have sorted out the NAT setup) the packet will be allowed through.
The other way you could use the FWSM is to not use the MSFC at all and have the clients on vlan 500 directly attached to the FWSM, i.e. there is an interface on the FWSM for vlan 500. You can do this but it gives less flexibility.
Hope this makes sense, appreciate the rating
Jon
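The setup Jon walks through above (MSFC on the outside, web servers in the protected vlan, only HTTP allowed in) pulled together into one configuration, as an added example that is not part of the thread. It uses the addresses from Jon's first post; the slot number, object-group members, the identity static for NAT, the outbound ACL and the `firewall module` line are assumptions, not taken from the thread.

```cisco
! --- Catalyst 6500 (MSFC) side, FWSM assumed in slot 7 ---
! Constructed example, not the thread's own config.
vlan 100
 name FWSM_outside
vlan 200
 name FWSM_inside
!
! Hand both vlans to the FWSM; without this the module cannot use them
firewall vlan-group 7 100,200
firewall module 7 vlan-group 7
!
! L3 SVI only on the outside vlan: the MSFC sits on the outside of the firewall
interface Vlan100
 ip address 192.168.5.1 255.255.255.128
!
! No SVI for vlan 200; the MSFC reaches the protected subnet via the FWSM outside address
ip route 172.16.5.0 255.255.255.128 192.168.5.2
!
! --- FWSM, single context (reached with: session slot 7 processor 1) ---
nameif vlan100 outside security0
nameif vlan200 inside security100
ip address outside 192.168.5.2 255.255.255.128
ip address inside 172.16.5.1 255.255.255.128
!
! Everything not on the inside subnet is reached via the MSFC
route outside 0.0.0.0 0.0.0.0 192.168.5.1 1
!
! Identity NAT so inside addresses are not translated (one way to "sort out the NAT setup")
static (inside,outside) 172.16.5.0 172.16.5.0 netmask 255.255.255.128
!
! Only HTTP to the web servers is allowed in from outside (server addresses are assumed)
object-group network web_servers
 network-object host 172.16.5.10
 network-object host 172.16.5.11
access-list inbound permit tcp any object-group web_servers eq 80
access-group inbound in interface outside
!
! The FWSM denies traffic in every direction by default, so inside-originated
! traffic (e.g. the servers fetching updates) needs its own ACL as well
access-list outbound permit ip 172.16.5.0 255.255.255.128 any
access-group outbound in interface inside
```

The point to check when reviewing such a config is that the only path into 172.16.5.0/25 is the MSFC static route via 192.168.5.2: if someone later adds an SVI for vlan 200 on the 6500, the MSFC routes straight into the protected vlan and the FWSM is bypassed.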
11-12-2007 12:20 AM
Mahmood,
Since the VLAN interface has been defined under the FWSM, it needs to be routed to the MSFC similar to how you would route to any router.
The VLAN that is protected will be 200, something similar to having a dedicated firewall for that segment connecting to the L3 switch.
HTH
Narayan
11-12-2007 12:35 AM
Hi
Guys, thanks for your replies.
What does this command do?
firewall group 1 vlan 100,200
So you mean to say that any traffic coming from vlan 200 will not hit the MSFC, rather it will go to the FWSM, and any traffic from other vlans will go to the MSFC in order to reach vlan 200? Am I right in thinking this?
Thanks
Mahmood
11-12-2007 12:38 AM
Mahmood
firewall group 1 vlan 100,200
You have to tell the 6500 switch which vlans you are allocating to the FWSM. If you don't do this then you cannot use these vlans on your FWSM.
Vlan 200 is really only used as a connection between the MSFC and the FWSM so there should be no clients on this vlan.
So traffic from any other vlan going to vlan 100 will have to cross vlan 200 to get to the outside interface of the FWSM and then through to vlan 100.
Return traffic from vlan 100 will leave the outside interface of the FWSM on vlan 200 and go to the vlan 200 L3 interface on the MSFC and then get routed off.
Jon
11-12-2007 12:39 AM
In Cisco IOS software, create up to 16 firewall VLAN groups, and then assign the groups to the FWSM. For example, you can assign all the VLANs to one group, or you can create an inside group and an outside group, or you can create a group for each customer. Each group can contain unlimited VLANs.
For your second question, imagine you have another vlan 300 in addition to 100 & 200 and you define the SVI in the MSFC; all traffic from vlan 300 would hit the MSFC directly without passing the firewall, but if access is needed to vlan 200, it will be routed via the FWSM.
Edit: Sorry Jon didn't see your response again:-)
HTH
Narayan
11-12-2007 12:55 AM
Narayan
No need to apologise, we were both answering at the same time and it's good to get different explanations for the same thing.
Jon
11-14-2007 02:28 AM
Hi Guys
How do you define whether the MSFC is behind the firewall or in front? Please explain.
Thanks
Mahmood
11-14-2007 02:36 AM
Hi Mahmood
You have 2 vlans:
vlan 100 is the inside vlan in terms of the FWSM
vlan 200 is the outside vlan in terms of the FWSM
If you want to have the MSFC on the outside of the FWSM then you would create an L3 SVI on your 6500 for vlan 200 and an outside interface on the FWSM in vlan 200.
For vlan 100 you would not have an L3 SVI, you would only create the interface on the FWSM.
If you want the MSFC on the inside you would not create an L3 SVI for vlan 200 on the 6500, only an outside interface on the FWSM.
For vlan 100 you would create an inside interface on the FWSM in vlan 100 and also an L3 SVI on the 6500.
Does this make sense ?
Jon
11-14-2007 02:51 AM
Hi Jon,
Thanks for your reply. Sorry for my stupid understanding.
So, as you have explained regarding the inside and outside, putting our scenario in a picture: if we are defining vlan 200 as outside and creating the SVI in the switch for the same vlan, then it means that any traffic from all the vlans going to vlan 100 will be protected and the inter-communication among the rest of the vlans will be unsecured. Am I right in thinking this? And if we are defining vlan 200 as inside and creating the SVI on the switch for it, does it mean that any traffic from vlan 200 to the inside vlans is protected?
Thanks
Mahmood
11-14-2007 03:05 AM
Mahmood
No need to apologise, this virtualisation takes a bit of getting used to, and you should see the problems I'm having with MPLS at the moment :).
You are right in the first part.
Vlan 200 as the outside vlan of the FWSM. Create an L3 SVI for vlan 200 and an outside interface on the FWSM in vlan 200. Vlan 100 is behind the FWSM.
In this scenario all traffic going to and from vlan 100 to any other vlan will have to go through the FWSM, so vlan 100 is protected from all other vlans.
Any traffic between any other vlans on your 6500 switch will not go through the FWSM, i.e. the traffic is just routed, assuming they have L3 SVIs on the 6500.
The second part I'm not so sure I follow. If you defined vlan 200 as the inside interface on the FWSM and created an L3 SVI for it then the MSFC is effectively behind the FWSM. Any traffic from vlan 200 to any other vlan that has an L3 SVI on the 6500 would NOT go through the FWSM, it would just be routed.
Hope this explains. Please feel free to come back with any more questions. As I say, it can take a while to get this right in your mind.
HTH
Jon
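The other placement Jon describes in his last two posts, the MSFC on the inside of the FWSM, as an added configuration example that is not part of the thread. It follows the labelling of those posts (vlan 100 = FWSM inside, vlan 200 = FWSM outside) and reuses the thread's two subnets; the slot number, the user vlan 500 with 10.0.5.0/24, the 10.0.0.0/8 summary, the upstream router at 192.168.5.1 and the static/ACL lines are assumptions. The thing it is meant to show is which vlan gets the SVI and where the default routes point in this placement.

```cisco
! --- Catalyst 6500 (MSFC) side: MSFC on the INSIDE of the FWSM ---
! Constructed example, not the thread's own config. FWSM assumed in slot 7.
firewall vlan-group 7 100,200
firewall module 7 vlan-group 7
!
! L3 SVI on the INSIDE vlan only. Vlan 200 gets no SVI, so the MSFC never
! sits on the outside of the firewall.
interface Vlan100
 ip address 172.16.5.1 255.255.255.128
!
! User vlans keep their own SVIs; traffic between them is routed on the MSFC
! and never crosses the FWSM (assumed vlan 500 and addressing)
interface Vlan500
 ip address 10.0.5.1 255.255.255.0
!
! Anything the MSFC does not know is handed to the FWSM inside address
ip route 0.0.0.0 0.0.0.0 172.16.5.2
!
! --- FWSM, single context ---
nameif vlan200 outside security0
nameif vlan100 inside security100
ip address outside 192.168.5.2 255.255.255.128
ip address inside 172.16.5.2 255.255.255.128
!
! Upstream router on vlan 200 (assumed 192.168.5.1) is the way out
route outside 0.0.0.0 0.0.0.0 192.168.5.1 1
! The MSFC's user subnets live behind the inside interface, via the MSFC SVI
route inside 10.0.0.0 255.0.0.0 172.16.5.1 1
!
! Identity NAT for everything behind the MSFC, then let it out. Nothing is
! permitted inbound here: only return traffic for inside-initiated sessions
! comes back, and any published service would need an explicit inbound ACL.
static (inside,outside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,outside) 172.16.5.0 172.16.5.0 netmask 255.255.255.128
access-list outbound permit ip 10.0.0.0 255.0.0.0 any
access-list outbound permit ip 172.16.5.0 255.255.255.128 any
access-group outbound in interface inside
```

Compared with the MSFC-outside placement, the trade-off is exactly what Jon states: every vlan on the 6500 is collectively behind the firewall against the outside, but vlan-to-vlan traffic on the MSFC is unfiltered, so this placement does not protect one internal vlan from another.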