Configuring the FWSM Transparent mode.

CSCO10576352 (Level 1)

Hi, I am trying to set up an FWSM to run in transparent/multi-context mode. I have followed the example configuration in the Cisco configuration guide, but I cannot get traffic to pass through from the inside to the outside VLANs (traverse the FWSM, in other words). The VLANs are created and allocated from the switch with the firewall vlan-group command, and the interfaces have been allocated from the admin context on the FWSM. How does the FWSM/switch know that the two VLANs are related in the transparent setup, i.e. when a host on the inside VLAN sends a packet, how does the switch know it is destined for the FWSM interface? I have a feeling I am missing some config here on the switch (bridge groups maybe?) which was not included in the configuration guide.

Can anyone please advise on this.

Thanks for looking.

6 Replies

a.alekseev (Level 7)

Could you show the config?

Sure, the configs are as below:

FWSM Config:

FWSM/ContextA# sh run
: Saved
:
FWSM Version 4.0(1)
!
hostname ContextA
enable password xxx
names
dns-guard
!
interface Vlan10
 nameif outside
 security-level 10
 ip address 192.168.10.100 255.255.255.0
!
interface Vlan20
 nameif inside
 security-level 90
 no ip address
!
passwd xxx
access-list allow-all extended permit ip any any
access-list allow-all extended deny ip any any log
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group allow-all in interface outside
access-group allow-all in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:xxx
: end

Switch Config:

firewall multiple-vlan-interfaces
firewall module 1 vlan-group 1
firewall vlan-group 1 10,20
vlan 10
vlan 20
interface Vlan10
 ip address 192.168.10.254 255.255.255.0

Also from the FWSM System Context:

FWSM/admin# sh firewall
Firewall mode: Transparent
FWSM/admin#

FWSM# sh vlan
10, 20
FWSM#

Your config is missing the bridge-groups and BVI interfaces needed for transparent mode. You don't assign IP addresses on interfaces in transparent mode. IP addresses are assigned only to the BVI interface (which is used for management traffic only).

firewall transparent
!
interface Vlan10
 nameif outside
 bridge-group 1
 security-level 0
interface Vlan20
 nameif inside
 bridge-group 1
 security-level 100
!
interface BVI1
 ip address x.x.x.x 255.255.255.0
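The reply above states three rules for a transparent-mode context: no ip address on the forwarding VLAN interfaces, a shared bridge-group on both of them, and the management address on the BVI. The script below is an added example (not from this thread, and not Cisco code) that checks a pasted context config against those rules, so that a config like the original poster's is flagged before it is deployed. It assumes the config was pasted with indentation lost (as in this thread), that each bridge-group holds exactly the two interfaces the reply shows, and that transparent mode itself is set in the system context (the poster's sh firewall output), so it is not checked here. The 192.0.2.10 management address standing in for the reply's x.x.x.x is a constructed placeholder.

```python
"""Lint a transparent-mode FWSM/ASA context config (added example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Interface sub-commands we track; any other top-level line ends the interface block,
# because the pasted config has lost its indentation (assumption stated in the lead-in).
SUBCMDS = ("nameif", "bridge-group", "security-level", "ip address",
           "no ip address", "description", "shutdown", "mac-address")


@dataclass
class Iface:
    name: str
    nameif: Optional[str] = None
    bridge_group: Optional[int] = None
    ip: Optional[str] = None


def parse_config(text: str) -> Dict[str, Iface]:
    """Return {interface-name: Iface} for every 'interface ...' block in the paste."""
    ifaces: Dict[str, Iface] = {}
    current: Optional[Iface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue                      # separators and 'show run' banner lines
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = Iface(name=m.group(1))
            ifaces[current.name] = current
            continue
        if current is None or not line.startswith(SUBCMDS):
            current = None                # left the interface block
            continue
        if line.startswith("nameif "):
            current.nameif = line.split()[1]
        elif line.startswith("bridge-group "):
            current.bridge_group = int(line.split()[1])
        elif line.startswith("ip address "):
            current.ip = line.split()[2]  # 'no ip address' deliberately leaves ip=None
    return ifaces


def lint_transparent(text: str) -> List[str]:
    """Apply the three rules from the reply; return human-readable findings (empty = OK)."""
    findings: List[str] = []
    groups: Dict[int, Tuple[List[Iface], List[Iface]]] = {}  # gid -> (members, bvis)
    for i in parse_config(text).values():
        if i.name.upper().startswith("BVI"):
            gid = int(i.name[3:])
            groups.setdefault(gid, ([], []))[1].append(i)
            continue
        if i.ip:
            findings.append(f"{i.name}: 'ip address' on a forwarding interface is routed-mode config")
        if i.bridge_group is None:
            findings.append(f"{i.name}: no bridge-group, so it is not bridged to any other VLAN")
        else:
            groups.setdefault(i.bridge_group, ([], []))[0].append(i)
    for gid, (members, bvis) in sorted(groups.items()):
        if len(members) != 2:             # the reply's layout: one inside + one outside per group
            findings.append(f"bridge-group {gid}: {len(members)} member interface(s), expected 2")
        if not bvis or bvis[0].ip is None:
            findings.append(f"bridge-group {gid}: no BVI{gid} with a management ip address")
    return findings


# Constructed sample: the relevant part of the poster's context config.
OP_CONFIG = """\
interface Vlan10
nameif outside
security-level 10
ip address 192.168.10.100 255.255.255.0
!
interface Vlan20
nameif inside
security-level 90
no ip address
!
passwd xxx
"""

# Constructed sample: the reply's corrected layout, with a placeholder management address.
FIXED_CONFIG = """\
interface Vlan10
nameif outside
bridge-group 1
security-level 0
interface Vlan20
nameif inside
bridge-group 1
security-level 100
!
interface BVI1
ip address 192.0.2.10 255.255.255.0
"""

if __name__ == "__main__":
    for label, cfg in (("poster", OP_CONFIG), ("reply", FIXED_CONFIG)):
        print(f"{label}: {lint_transparent(cfg) or ['OK']}")
```

Run it on the poster's config and it reports the interface-level address on Vlan10 and the missing bridge-group on both VLANs; the reply's layout produces no findings. Because indentation is gone, the parser leaves an interface block at the first line that is not a known sub-command, so a global command such as passwd correctly ends the Vlan20 block.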

Iftekhar,

I think that we will create the bridge-group (e.g. bridge-group 1) on the 6513 first, then assign this group inside the FWSM to the inside and outside interfaces, and for the BVI we will create interface BVI 10 inside the FWSM and assign the IP address to it.

Thank you
