FWSM setup

Sep 9th, 2008

We placed a FWSM in our 6513 to replace our external PIX525. I'm able to session into the FWSM. We are not ready to switch over as yet. I just want to work with the FWSM a bit and get things ready. I created a VLAN15 on the 6513 and presented it to the FWSM. I created an interface and assigned an IP subnet on the 6513. I sessioned into the FWSM and assigned the presented VLAN an IP address. I named it inside and gave it a security level of 100. I set up a laptop on the VLAN and gave it an IP address on that subnet and added an icmp statement to allow the laptop to ping the inside interface on the FWSM. Works. I added a telnet statement to the FWSM for the laptop. I can't telnet to the FWSM. I also tried enabling http for the laptop and that doesn't work as well. Not sure what I'm missing. I have not added any SVI outside interface to the FWSM as yet since we are not ready to switch over from the PIX. FWSM shows version 2.3(4). We are using only static NAT.

We have multiple VLANs on the 6513 that will all use the same outside interface on the FWSM. The VLANs route to each other inside the 6513. Some VLANs have more than one subnet defined as secondary on their interface.

Craig

Let's see your configs (you can attach them here as text files)

You have chosen "MSFC Inside" as your deployment design model. Microsoft actually has the best FWSM design guide on google; weird huh?

http://www.microsoft.com/technet/solutionaccelerators/wssra/raguide/FirewallServices/igfspg_4.mspx

Anyway, you will not then ALSO create SVIs on your MSFC, otherwise traffic could then route around the MSFC!

Perhaps you meant an SVI in a VRF? Either way, normally we just use a few ports in a VLAN on the 6500 with NO SVI as "outside vlan" ports, where the FWSM outside IP interface meets border routers, etc., when using the MSFC "inside" model described in MSFT's link.

The concept of where to place the MSFC can be confusing but that doc clears it up.

Let us know if we can be of help as you move forward.

-Joe

Syed Iftekhar Ahmed Tue, 09/09/2008 - 10:48

Telnet does not work on the least secure interface. If you have configured just one interface, then it is the least secure one.

Use SSH and it will work.

Syed

Syed Iftekhar Ahmed Tue, 09/09/2008 - 12:20

Yes. Even if it's inside (provided there is no higher-security interface available).

Key point is Telnet is not possible to the "lowest security level" interface. With just one interface defined, it will be the lowest-security interface.

Syed

cef2lion2 Tue, 09/09/2008 - 12:41

Thanks for the information. Will try SSH and/or create a temp outside interface with a lower security level. Just want another means to admin the FWSM besides sessioning into it from the 6513.

I think in our scenario we would want the MSFC inside. What commands place the MSFC on the inside or out?

Craig

Syed Iftekhar Ahmed Tue, 09/09/2008 - 12:52

Create an SVI for the vlan connecting FWSM on the inside interface.

Make sure that you don't have SVIs on VLANs connected to the inside & outside interfaces. Otherwise you will end up bypassing the FWSM.

Syed
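As an added check, not posted in this thread, here is a small Python lint for the two points Syed raises above: telnet access aimed at whichever FWSM interface currently has the lowest security level (with a single interface defined, that is the only one), and SVIs on more than one of the VLANs handed to the FWSM, which would let traffic route around it. The configs are constructed samples in IOS and FWSM 2.x (PIX 6.x-style) syntax; VLAN numbers, interface names and addresses are assumptions.

```python
import re

# Constructed sample configs (not from the thread) modelling the scenario
# discussed: VLAN 15 is the FWSM inside, VLAN 16 the outside. FWSM 2.x
# uses PIX 6.x-style "nameif <vlan> <name> security<level>" lines.
MSFC_CONFIG = """\
firewall vlan-group 1 15,16
firewall module 9 vlan-group 1
interface Vlan15
 ip address 10.15.0.2 255.255.255.0
interface Vlan16
 ip address 192.0.2.2 255.255.255.0
"""

FWSM_CONFIG = """\
nameif vlan15 inside security100
nameif vlan16 outside security0
telnet 10.15.0.50 255.255.255.255 inside
telnet 192.0.2.50 255.255.255.255 outside
"""


def firewall_vlans(msfc_cfg):
    """VLAN IDs handed to the FWSM via 'firewall vlan-group' (supports a-b ranges)."""
    vlans = set()
    for m in re.finditer(r"^firewall vlan-group \d+ (\S+)", msfc_cfg, re.M):
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def svis_on_firewall_vlans(msfc_cfg):
    """SVIs the MSFC has on FWSM VLANs. Exactly one is the 'MSFC inside'
    design; two or more let traffic route around the FWSM."""
    svis = {int(v) for v in re.findall(r"^interface Vlan(\d+)", msfc_cfg, re.M)}
    return sorted(svis & firewall_vlans(msfc_cfg))


def telnet_on_lowest_security(fwsm_cfg):
    """'telnet ... <ifname>' lines aimed at the lowest-security interface,
    which the FWSM refuses; with one interface defined, that is the only one."""
    levels = {name: int(lvl) for name, lvl in
              re.findall(r"^nameif \S+ (\S+) security(\d+)", fwsm_cfg, re.M)}
    lowest = min(levels, key=levels.get)
    return [line for line in fwsm_cfg.splitlines()
            if line.startswith("telnet ") and line.split()[-1] == lowest]


if __name__ == "__main__":
    print("SVIs on FWSM VLANs:", svis_on_firewall_vlans(MSFC_CONFIG))
    print("Telnet on lowest-security interface:", telnet_on_lowest_security(FWSM_CONFIG))
```

Feed it the output of `show running-config` from the MSFC and from the FWSM session; two VLANs listed by the first check, or any line from the second, reproduces the situations described in this thread.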

cef2lion2 Tue, 09/09/2008 - 12:58

Thanks for the tip on the SVIs. I created the outside interface with a security level of 0 and I can now telnet into the FWSM inside interface.

Craig