Configuring the FWSM Transparent mode.

Unanswered Question
Jun 30th, 2008

Hi, I am trying to set up an FWSM to run in transparent/multi-context mode. I have followed the example configuration in the Cisco configuration guide but I cannot get traffic to pass through from the inside to the outside VLANs (traverse the FWSM, in other words). The VLANs are created and allocated from the switch with the firewall vlan-group command and the interfaces have been allocated from the admin context on the FWSM. How does the FWSM/switch know that the two VLANs are related in the transparent setup, i.e. when a host on the inside VLAN sends a packet, how does the switch know it is destined for the FWSM interface? I have a feeling I am missing some config here on the switch (bridge groups maybe?) which was not included in the configuration guide.

Can anyone please advise on this.

Thanks for looking.

CSCO10576352 Mon, 06/30/2008 - 04:07

Sure, the configs are as below:

FWSM Config:

FWSM/ContextA# sh run
: Saved

FWSM Version 4.0(1)

hostname ContextA
enable password xxx

interface Vlan10
 nameif outside
 security-level 10
 ip address
interface Vlan20
 nameif inside
 security-level 90
 no ip address

passwd xxx
access-list allow-all extended permit ip any any
access-list allow-all extended deny ip any any log
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group allow-all in interface outside
access-group allow-all in interface inside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

service-policy global_policy global
: end

Switch Config:

firewall multiple-vlan-interfaces
firewall module 1 vlan-group 1
firewall vlan-group 1 10,20

vlan 10
vlan 20

interface Vlan10
 ip address

CSCO10576352 Mon, 06/30/2008 - 04:11

Also from the FWSM system context:

FWSM/admin# sh firewall
Firewall mode: Transparent

FWSM# sh vlan
10, 20


Syed Iftekhar Ahmed Mon, 06/30/2008 - 11:57

Your config is missing the bridge-groups and BVI interface needed for transparent mode. You don't assign IP addresses to interfaces in transparent mode. IP addresses are only assigned to the BVI interface (which is used for management traffic only).

firewall transparent

interface Vlan10
 nameif outside
 bridge-group 1
 security-level 0
interface Vlan20
 nameif inside
 bridge-group 1
 security-level 100

interface BVI1
 ip address x.x.x.x

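The following is an added worked example, not part of the original thread and not a Cisco reference configuration. It puts the answer above together with the switch side so the two halves can be read as one picture: the Catalyst keeps its only routed SVI on the outside VLAN, the FWSM context bridges VLAN 20 into VLAN 10, and hosts on the inside VLAN use the MSFC's VLAN 10 address as their gateway even though they never sit in VLAN 10. The VLAN numbers, module slot and context name come from the thread; the subnet 192.0.2.0/24, the host port, the management and gateway addresses and the ACL names are assumptions chosen for illustration.

```cisco
! ---- Catalyst 6500 / MSFC side (assumed slot 1, assumed subnet 192.0.2.0/24) ----
firewall module 1 vlan-group 1
firewall vlan-group 1 10,20
!
vlan 10
 name FW-outside
vlan 20
 name FW-inside
!
! Exactly ONE routed SVI among the firewall VLANs, on the OUTSIDE side.
! The MSFC never touches VLAN 20 at layer 3; the FWSM bridges it to VLAN 10,
! so 192.0.2.1 is reachable from VLAN 20 hosts through the firewall.
interface Vlan10
 ip address 192.0.2.1 255.255.255.0
!
! Do NOT also create "interface Vlan20" with an address. With
! "firewall multiple-vlan-interfaces" enabled (as in the original post) the
! switch accepts a second SVI, and the MSFC would then route between the two
! VLANs around the FWSM entirely.
!
! A protected host simply lives in VLAN 20 with 192.0.2.1 as its gateway
! (assumed access port):
interface GigabitEthernet2/1
 switchport
 switchport access vlan 20
 switchport mode access

! ---- FWSM, system execution space ----
context ContextA
 allocate-interface Vlan10
 allocate-interface Vlan20
 config-url disk:/ContextA.cfg

! ---- FWSM, inside context ContextA ----
firewall transparent
!
! Both member interfaces carry no IP address; the bridge-group ties them.
interface Vlan10
 nameif outside
 bridge-group 1
 security-level 0
interface Vlan20
 nameif inside
 bridge-group 1
 security-level 100
!
! Management address of the bridge group, in the bridged subnet (assumed).
interface BVI1
 ip address 192.0.2.2 255.255.255.0
!
! This route only serves traffic the FWSM itself originates (syslog, SSH,
! AAA); bridged host traffic is switched by MAC address, not routed.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! The FWSM forwards nothing, in either direction, without an ACL. Keep the
! inside side scoped to the bridged subnet and the outside side explicit
! (assumed ACL names and ports).
access-list INSIDE-IN extended permit ip 192.0.2.0 255.255.255.0 any
access-list OUTSIDE-IN extended permit tcp any 192.0.2.0 255.255.255.0 eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside
access-group OUTSIDE-IN in interface outside
!
! Non-IP frames are dropped unless an EtherType ACL permits them. Passing
! BPDUs lets spanning tree see the bridged pair as one segment (assumed name).
access-list ETH-PASS ethertype permit bpdu
access-group ETH-PASS in interface inside
access-group ETH-PASS in interface outside
```

Once a VLAN 20 host pings 192.0.2.1, `show mac-address-table` in the context should list the host's MAC on inside and the MSFC's MAC on outside, `show bridge-group 1` should show both member interfaces, and `show arp` should hold only the entries the FWSM learned for its own management traffic. If the host's MAC never appears on inside, the problem is on the switch side (VLAN 20 not in the vlan-group, or the port not in VLAN 20); if it appears but traffic still fails, the ACLs are the place to look, since the FWSM has no implicit permit from high to low security.
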
ambivert skill Thu, 04/25/2013 - 15:43

Iftekhar,

I think that we will create the bridge-group, e.g. bridge-group 1, on the 6513 first, then we assign this group inside the FWSM to the inside and outside interfaces, and for the BVI we will create interface BVI 10 inside the FWSM and assign the IP address to it.

Thank you

Ambivert Skill

