09-09-2008 09:11 AM - edited 03-11-2019 06:41 AM
We placed a FWSM in our 6513 to replace our external PIX525. I'm able to session into the FWSM. We are not ready to switch over as yet. I just want to work with the FWSM a bit and get things ready. I created a VLAN15 on the 6513 and presented it to the FWSM. I created an interface and assigned an IP subnet on the 6513. I sessioned into the FWSM and assigned the presented VLAN an IP address. I named it inside and gave it a security level of 100. I setup a laptop on the VLAN and gave it an IP address on that subnet and added an icmp statement to allow the laptop to ping the inside interface on the FWSM. Works. I added a telnet statement to the FWSM for the laptop. I can't telnet to the FWSM. I also tried enabling http for the laptop and that doesn't work as well. Not sure what I'm missing. I have not added any SVI outside interface to the FWSM as yet since we are not ready to switch over from the PIX. FWSM shows version 2.3(4). We are using only static NAT.
We have multiple VLANs on the 6513 that will all use the same outside interface on the FWSM. The VLANs route to each other inside the 6513. Some VLANs have more than one subnet defined as secondary on their interface.
Craig
09-09-2008 10:47 AM
Let's see your configs (you can attach them here as text files)
You have chosen "MSFC Inside" as your deployment design model. Microsoft actually has the best FWSM design guide on google; weird huh?
http://www.microsoft.com/technet/solutionaccelerators/wssra/raguide/FirewallServices/igfspg_4.mspx
Anyway, you will not then ALSO create SVI's on your MSFC, otherwise traffic could then route around the MSFC!
perhaps you meant SVI in a VRF? either way normally we just use a few ports in a VLAN on the 6500 with NO SVI as "outside vlan" ports where the FWSM outside ip interface meet border routers, etc. when using the MSFC "inside" model described on MSFT's link.
The concept of where to place the MSFC can be confusing but that doc clears it up.
Let us know if we can be of help as you move forward.
-Joe
09-09-2008 10:48 AM
Telnet does not work on the least secured interface. If you have configured just one interface then it is the least secure one.
Use SSH and it will work.
Syed
09-09-2008 10:55 AM
Even if it's named "inside", Syed?
09-09-2008 12:20 PM
Yes. Even if it's inside (provided there is no higher security interface available).
Key point is Telnet is not possible to the "lowest security level" interface. With just one interface defined it will be the lowest security interface.
Syed
09-09-2008 12:41 PM
Thanks for the information. Will try SSH and or create a temp outside interface with lower security level. Just want another means to admin the FWSM besides sessioning into it from the 6513.
I think in our scenario we would want the MSFC inside. What commands place the MSFC on the inside or out?
Craig
09-09-2008 12:52 PM
Create an SVI for the vlan connecting FWSM on the inside interface.
Make sure that you don't have SVIs on VLANs connected to both the inside & outside interface. Otherwise you will end up bypassing the FWSM.
Syed
09-09-2008 12:58 PM
Thanks for tip on the SVIs. I created the outside interface with security level of 0 and I can now telnet into the FWSM inside interface.
Craig
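To tie Syed's SVI advice and Craig's outside-interface fix together, here is an added configuration sketch (not from the thread or from Cisco's own docs) of the "MSFC inside" layout on a 6513 with the FWSM in slot 4 and FWSM 2.3 PIX-style syntax. VLAN 15 and slot 4 come from the thread; the outside VLAN number 20, the vlan-group id 1, and all IP addresses are constructed placeholders.

```cisco
! --- Catalyst 6513 / MSFC side (hypothetical addresses, vlan-group id and outside VLAN) ---
! Hand VLAN 15 (inside) and VLAN 20 (outside) to the FWSM in slot 4
firewall vlan-group 1 15,20
firewall module 4 vlan-group 1
!
! "MSFC inside": the MSFC gets an SVI ONLY on the inside VLAN, so all the
! internal VLANs it routes between reach the outside only via the FWSM
interface Vlan15
 description Inside: MSFC -> FWSM inside interface
 ip address 10.1.15.2 255.255.255.0
!
! Deliberately NO "interface Vlan20" on the MSFC. VLAN 20 carries only the
! FWSM outside interface plus the access ports facing the border router(s);
! an SVI here would let traffic route around the firewall.
!
! --- FWSM 2.3(4) side (PIX 6.x style syntax; ":" lines are comments) ---
: Two interfaces, so "inside" is no longer the lowest-security interface
: and telnet/http to it is allowed (telnet is still refused on "outside")
nameif vlan15 inside security100
nameif vlan20 outside security0
ip address inside 10.1.15.1 255.255.255.0
ip address outside 192.0.2.1 255.255.255.0
: Management access restricted to the single admin laptop on VLAN 15
icmp permit host 10.1.15.50 inside
telnet 10.1.15.50 255.255.255.255 inside
ssh 10.1.15.50 255.255.255.255 inside
http server enable
http 10.1.15.50 255.255.255.255 inside
```

SSH additionally needs an RSA key pair generated and saved on the FWSM before the ssh statement takes effect; check the 2.3 command reference for the key-generation command on this release.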
09-09-2008 12:59 PM
to reach the contexts themselves without using telnet/ssh you can just
session slot 4 proc 1 on the 6513
(where slot 4 is the location of the FWSM).
you will then be in the SYSTEM context.
from there you can type
changeto context wan
and you will be logged into the virtual-fw context named "wan".
See this doc for more information.