06-30-2008 01:57 AM - edited 03-05-2019 11:53 PM
Hi, I am trying to set up a FWSM to run in transparent/multi-context mode. I have followed the example configuration in the Cisco configuration guide, but I cannot get traffic to pass through from the inside to the outside VLANs (traverse the FWSM, in other words). The VLANs are created and allocated from the switch with the firewall vlan-group command, and the interfaces have been allocated from the admin context on the FWSM. How does the FWSM/switch know that the two VLANs are related in the transparent setup, i.e. when a host on the inside VLAN sends a packet, how does the switch know it is destined for the FWSM interface? I have a feeling I am missing some config here on the switch (bridge groups maybe?) which was not included in the configuration guide.
Can anyone please advise on this.
Thanks for looking.
06-30-2008 03:21 AM
Could you show the config?
06-30-2008 04:07 AM
Sure, the configs are as below:
FWSM Config:
FWSM/ContextA# sh run
: Saved
:
FWSM Version 4.0(1)
!
hostname ContextA
enable password xxx
names
dns-guard
!
interface Vlan10
nameif outside
security-level 10
ip address 192.168.10.100 255.255.255.0
!
interface Vlan20
nameif inside
security-level 90
no ip address
!
passwd xxx
access-list allow-all extended permit ip any any
access-list allow-all extended deny ip any any log
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group allow-all in interface outside
access-group allow-all in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.10.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect smtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:xxx
: end
Switch Config:
firewall multiple-vlan-interfaces
firewall module 1 vlan-group 1
firewall vlan-group 1 10,20
vlan 10
vlan 20
interface Vlan10
ip address 192.168.10.254 255.255.255.0
06-30-2008 04:11 AM
Also from the FWSM System Context:
FWSM/admin# sh firewall
Firewall mode: Transparent
FWSM/admin#
FWSM# sh vlan
10, 20
FWSM#
06-30-2008 04:13 AM
06-30-2008 11:57 AM
Your config is missing the bridge-groups and BVI interfaces needed for transparent mode. You don't assign IP addresses on interfaces in transparent mode. IP addresses are only assigned to the BVI interface (which is used for management traffic only).
firewall transparent
!
interface Vlan10
nameif outside
bridge-group 1
security-level 0
interface Vlan20
nameif inside
bridge-group 1
security-level 100
!
interface BVI1
ip address x.x.x.x 255.255.255.0
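The two mistakes this answer points out (an IP address on a bridged VLAN interface, and named interfaces with no bridge-group or BVI behind them) can be caught mechanically before the context is deployed. The following Python checker is an added example, not code from this thread or from Cisco; it parses the interface blocks of a context config and reports those findings. The embedded sample is a constructed, abbreviated copy of the poster's ContextA interfaces.

```python
from collections import defaultdict
# Constructed sample: an abbreviated copy of the poster's ContextA interfaces
SAMPLE_CONFIG = """\
interface Vlan10
 nameif outside
 ip address 192.168.10.100 255.255.255.0
!
interface Vlan20
 nameif inside
 no ip address
!
"""

def parse_interfaces(config_text):
    """Map interface name -> nameif, bridge-group and ip address (None if absent)."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"nameif": None, "bridge_group": None, "ip": None}
        elif line == "!" or not line:
            current = None
        elif current is not None:
            if line.startswith("nameif "):
                interfaces[current]["nameif"] = line.split()[1]
            elif line.startswith("bridge-group "):
                interfaces[current]["bridge_group"] = int(line.split()[1])
            elif line.startswith("ip address "):   # "no ip address" does not match
                interfaces[current]["ip"] = line.split()[2]
    return interfaces

def check_transparent(config_text):
    """Findings for a transparent-mode context: bridged interfaces must carry no IP
    and must be in a bridge-group; each group needs a BVI with a management IP."""
    findings, groups, bvi_ips = [], defaultdict(list), {}
    for name, attrs in parse_interfaces(config_text).items():
        if name.upper().startswith("BVI"):
            bvi_ips[int(name[3:])] = attrs["ip"]
        elif attrs["nameif"] is not None:          # unnamed interfaces are unused
            if attrs["ip"]:
                findings.append(f"{name}: ip address set on a bridged interface")
            if attrs["bridge_group"] is None:
                findings.append(f"{name}: no bridge-group")
            else:
                groups[attrs["bridge_group"]].append(name)
    for gid in groups:
        if gid not in bvi_ips or not bvi_ips[gid]:
            findings.append(f"bridge-group {gid}: missing BVI{gid} with ip address")
    return findings
```

Running check_transparent(SAMPLE_CONFIG) reports the IP on Vlan10 and the missing bridge-group on both VLAN interfaces; the corrected config from this answer produces no findings.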
04-25-2013 03:43 PM
Iftekhar,
I think that we will create the bridge-group, e.g. bridge-group 1, on the 6513 first, then we assign this group inside the FWSM to the inside and outside interfaces, and for the BVI we will create interface BVI 10 inside the FWSM and assign the IP address to it.
Thank you
Ambivert Skill