6509 FWSM configuration

Answered Question
Jun 16th, 2008

How can I configure a 6509 switch with an FWSM to use an outside address of 10.1.1.1 and an inside address of 192.168.1.1? I would like to create a NAT that will resolve to several servers on the inside. How do you configure the inside and outside interfaces to a port on the switch? I know you do it via VLANs, but when I create the VLANs, do both VLANs get assigned to the firewall vlan-group or just one?

Jon Marshall Mon, 06/16/2008 - 12:20

If the vlan is to be routed off the FWSM then you need to assign it to the FWSM via the firewall vlan-group ... command on the 6500.

So if vlan 10 is your inside vlan then yes you assign this to the FWSM.

If vlan 11 is your outside vlan and the FWSM has its outside interface in this vlan and there is also a L3 SVI for vlan 11 on the MSFC then you don't need to allocate this to the FWSM.

See link for more config details:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cbef1c1/5#selected_message

Jon

wheeler930 Mon, 06/16/2008 - 13:05

Thanks, I believe I have it set up properly, but how do you set up an interface for the inside vlan? The outside vlan is the vlan on the MSFC, but where do you configure the interface for the inside vlan? Also, from inside when I try to ping I get ????? Any reason why?

bitonw Tue, 06/17/2008 - 06:48

Did you include that vlan in the FWSM?

like this on the 6500 box

firewall module 1 vlan-group 1

firewall vlan-group 1 96-990

and then created that vlan on the FWSM?

wheeler930 Tue, 06/17/2008 - 06:57

Yes, I did that. Maybe I am asking the wrong question. I am used to setting up a PIX 515E. You have E0 and E1. Each interface is designated to be inside or outside. When using the 6509, the SVI, I am assuming, is the outside interface.

What is the inside interface? And how is it configured to specify an interface?

Jon Marshall Tue, 06/17/2008 - 07:47

The SVI on your MSFC is not the outside interface of your FWSM. It should look something like this

MSFC SVI (192.168.2.1) -> (192.168.2.2) outside FWSM inside (192.168.3.1)

The outside interface of your FWSM is in the same vlan as the MSFC SVI. The inside interface is only on the FWSM ie. there is no L3 SVI for the inside interface.

As for creating the outside and inside interfaces, you would do this on the FWSM and it is very similar to what you would do on a standalone device. Attached is a basic getting started guide for the FWSM.

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00808b4d9f.shtml

Jon

wheeler930 Tue, 06/17/2008 - 10:14

So, does the whole switch with the exception of the outside interface SVI, become the inside vlan?

How do you add systems to the inside vlan?

Jon Marshall Tue, 06/17/2008 - 10:23

"So, does the whole switch with the exception of the outside interface SVI, become the inside vlan?"

No it doesn't. The inside vlan is simply the vlan you have allocated to the inside interface on your FWSM.

So lets say you have vlans 10 - 20 on your 6500.

Until you allocate any of these vlans to the FWSM with the firewall vlan-group ... command they are just vlans on the 6500, nothing to do with the FWSM.

If you then allocate vlan 11 as the inside vlan on the FWSM then all the other vlans 10,12 - 20 are still vlans on the 6500, nothing to do with the FWSM.

You add systems to the inside vlans by simply adding ports into that vlan. So if you have connected 2 servers to gi2/1 & gi2/2

6500(config)# int range gi2/1 - 2

6500(config-if)# switchport access vlan 11

These servers are now in vlan 11 and will be on the inside vlan of the FWSM.

Jon

wheeler930 Tue, 06/17/2008 - 10:34

Got you, man thanks.

So what you are saying is the vlan 11 will not have a SVI right?

Jon Marshall Tue, 06/17/2008 - 10:37

Correct, vlan 11 will not have an SVI on the 6500. This applies to all interfaces on the FWSM, i.e. DMZs etc., except for the outside interface in your scenario, which will have a L3 SVI on the 6500.

Jon

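The two sides of the setup the posts above describe (the 6500 handing VLANs to the module and putting server ports into the inside VLAN, the FWSM owning every interface except the outside one, and the static NAT to several inside servers that the original question asked for), written out as one added example. This is not configuration from the thread or from Cisco's guide: it assumes the FWSM sits in slot 3, uses VLAN 10 as inside and VLAN 11 as outside with the addresses from the original question (outside 10.1.1.1, inside 192.168.1.1), invents the MSFC SVI address 10.1.1.254, the PAT address 10.1.1.2 and the published server addresses 10.1.1.10 and 10.1.1.11, and uses FWSM 3.x syntax. Both VLANs go into the vlan-group, as in the earlier post that assigned a whole range; one MSFC SVI on a firewall VLAN is permitted by default, more than one needs `firewall multiple-vlan-interfaces`.

```cisco
! ---- Catalyst 6500, Native IOS (MSFC) ----
! Both VLANs have to exist at Layer 2 before they can be given to the module.
vlan 10
 name fwsm-inside
vlan 11
 name fwsm-outside
!
! Hand both VLANs to the FWSM (slot 3 is an assumption).
firewall vlan-group 1 10,11
firewall module 3 vlan-group 1
!
! The only SVI is the MSFC's leg on the outside VLAN. There is deliberately
! no "interface Vlan10": an SVI on the inside VLAN would let the MSFC route
! around the firewall.
interface Vlan11
 ip address 10.1.1.254 255.255.255.0
!
! Reach the inside network through the FWSM's outside address.
ip route 192.168.1.0 255.255.255.0 10.1.1.1
!
! Servers on gi2/1-2 join the inside VLAN as ordinary access ports.
interface range GigabitEthernet2/1 - 2
 switchport
 switchport access vlan 10
 spanning-tree portfast
!
! ---- FWSM (reached with "session slot 3 processor 1") ----
interface Vlan11
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.1.1.254
!
! One-to-one static NAT: each published outside address maps to one server.
static (inside,outside) 10.1.1.10 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 10.1.1.11 192.168.1.11 netmask 255.255.255.255
! Everything else on the inside leaves through PAT on a spare outside address.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 10.1.1.2
!
! Inbound: only the published services on the published addresses.
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 80
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.11 eq 25
access-group OUTSIDE_IN in interface outside
!
! Unlike a PIX, the FWSM has no implicit permit from a higher to a lower
! security level, so inside hosts need an ACL as well.
access-list INSIDE_OUT extended permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE_OUT in interface inside
!
! Track ICMP so echo replies to pings from the inside are let back in.
policy-map global_policy
 class inspection_default
  inspect icmp
```

If a ping from an inside host still fails with this in place, `show access-list` on the FWSM shows whether the INSIDE_OUT entry is taking hits, `show xlate` shows whether a translation was built, and `show vlan` on the switch (not the MSFC in hybrid mode) confirms VLAN 10 exists and is in the vlan-group; a missing inside ACL or missing ICMP inspection drops the echo or its reply without any message on the host.
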
wheeler930 Tue, 06/17/2008 - 11:05

So if I do a sh vlan on the MSFC, should I see the "inside" vlan listed?

Correct Answer
Jon Marshall Tue, 06/17/2008 - 11:06

Yes you will see it listed. The vlan has to exist on the 6500 at Layer 2 so you can allocate it to the FWSM.

Edit - just to clarify. You do a sh vlan on the switch not the MSFC. If you are running Native then "sh vlan" can be run from anywhere.

If you are running in hybrid "sh vlan" must be done from the switch prompt ie. not the MSFC.

Jon

wheeler930 Tue, 06/17/2008 - 11:31

I turned on rip passive and default on the inside, but I am not able to ping any systems on the inside. Any reason why?
