FWSM setup

cef2lion2
Level 1

We placed a FWSM in our 6513 to replace our external PIX525. I'm able to session into the FWSM. We are not ready to switch over as yet. I just want to work with the FWSM a bit and get things ready. I created a VLAN15 on the 6513 and presented it to the FWSM. I created an interface and assigned an IP subnet on the 6513. I sessioned into the FWSM and assigned the presented VLAN an IP address. I named it inside and gave it a security level of 100. I set up a laptop on the VLAN and gave it an IP address on that subnet and added an icmp statement to allow the laptop to ping the inside interface on the FWSM. Works. I added a telnet statement to the FWSM for the laptop. I can't telnet to the FWSM. I also tried enabling http for the laptop and that doesn't work as well. Not sure what I'm missing. I have not added any SVI outside interface to the FWSM as yet since we are not ready to switch over from the PIX. FWSM shows version 2.3(4). We are using only static NAT.

We have multiple VLANs on the 6513 that will all use the same outside interface on the FWSM. The VLANs route to each other inside the 6513. Some VLANs have more than one subnet defined as secondary on their interface.

Craig

9 Replies

joe19366
Level 1

Let's see your configs (you can attach them here as text files)

You have chosen "MSFC Inside" as your deployment design model. Microsoft actually has the best FWSM design guide on google; weird huh?

http://www.microsoft.com/technet/solutionaccelerators/wssra/raguide/FirewallServices/igfspg_4.mspx

Anyway, you will not then ALSO create SVIs on your MSFC, otherwise traffic could then route around the MSFC!

Perhaps you meant SVI in a VRF? Either way, normally we just use a few ports in a VLAN on the 6500 with NO SVI as "outside vlan" ports where the FWSM outside IP interface meets border routers, etc., when using the MSFC "inside" model described on MSFT's link.

The concept of where to place the MSFC can be confusing but that doc clears it up.

Let us know if we can be of help as you move forward.

-Joe

Telnet does not work on the least secured interface. If you have configured just one interface then it is the least secure one.

Use SSH and it will work.

Syed

Even if it's named "inside", Syed?

Yes. Even if it's inside (provided there is no higher security interface available).

Key point is Telnet is not possible to the "lowest security level" interface. With just one interface defined it will be the lowest security interface.

Syed

Thanks for the information. Will try SSH and/or create a temp outside interface with lower security level. Just want another means to admin the FWSM besides sessioning into it from the 6513.

I think in our scenario we would want the MSFC inside. What commands place the MSFC on the inside or out?

Craig

Create an SVI for the vlan connecting FWSM on the inside interface.

Make sure that you don't have SVIs on VLANs connected to both the inside and outside interfaces. Otherwise you will end up bypassing the FWSM.

Syed
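As an added illustration of the "MSFC inside" layout Joe and Syed describe (this is example configuration, not any poster's actual config): the MSFC keeps an SVI only on the FWSM's inside VLAN, the outside VLAN has no SVI at all, and the FWSM gets both an inside and an outside interface so that "inside" is no longer the lowest-security interface and Telnet to it is allowed. The FWSM commands use 2.x (PIX 6.x style) syntax, which is assumed to match the poster's 2.3(4) module; 3.x and later use ASA-style `interface Vlan15 / nameif / security-level` blocks instead. Slot 4 and VLAN 15 come from the thread; VLAN 20, the 10.15.0.0/24 and 203.0.113.0/24 subnets, the laptop address 10.15.0.50, and the hostname/domain are assumed values.

```cisco
! ===== Catalyst 6513 (MSFC) side, added example =====
! Hand VLAN 15 (inside) and VLAN 20 (outside, assumed) to the FWSM in slot 4
firewall vlan-group 1 15,20
firewall module 4 vlan-group 1
!
! "MSFC inside": the MSFC routes the internal VLANs and has an SVI ONLY on
! the FWSM's inside VLAN. 10.15.0.0/24 is an assumed subnet.
interface Vlan15
 description FWSM inside / MSFC next hop
 ip address 10.15.0.2 255.255.255.0
!
! VLAN 20 carries only access ports toward the border routers. There is
! deliberately NO "interface Vlan20" on the MSFC, otherwise traffic could
! route around the FWSM.
!
! Anything the MSFC has no route for goes to the FWSM inside address
ip route 0.0.0.0 0.0.0.0 10.15.0.1

! ===== FWSM (slot 4) side, FWSM 2.x syntax assumed =====
! Two interfaces: inside (100) is now higher than outside (0), so inside
! is no longer the lowest-security interface.
nameif vlan15 inside security100
nameif vlan20 outside security0
ip address inside 10.15.0.1 255.255.255.0
ip address outside 203.0.113.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1
! Internal VLAN subnets live behind the MSFC (assumed aggregate)
route inside 10.0.0.0 255.0.0.0 10.15.0.2
!
! Management access from the admin laptop 10.15.0.50 (assumed address).
! Telnet is refused on the lowest-security interface; with both
! interfaces defined it is accepted on inside.
icmp permit host 10.15.0.50 inside
telnet 10.15.0.50 255.255.255.255 inside
! SSH works even when only one interface exists, but needs a hostname,
! domain name and an RSA key first (hostname/domain assumed)
hostname fwsm
domain-name example.com
ca generate rsa key 1024
ca save all
ssh 10.15.0.50 255.255.255.255 inside
http server enable
http 10.15.0.50 255.255.255.255 inside
```

This only covers the management path the thread is about; traffic passing through the FWSM between inside and outside still needs the usual access-lists and access-group statements, and the NAT configuration mentioned in the original post, before the cutover from the PIX.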

Thanks for tip on the SVIs. I created the outside interface with security level of 0 and I can now telnet into the FWSM inside interface.

Craig

To reach the contexts themselves without using telnet/ssh you can just

session slot 4 proc 1 on the 6513

(where slot 4 is the location of the FWSM).

You will then be in the SYSTEM context.

From there you can type

changeto context wan

and you will be logged into the virtual-fw context named "wan".

See this doc for more information.

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809bfce4.shtml
