Mapping VLANs on MSFC

Answered Question
Oct 2nd, 2008


1. ASA inside connects to Cat 6500 Switch.

2. Cat 6500 switch has all servers connected to it.


a) Should the inside of the ASA map to one of the VLANs on the MSFC, i.e. same subnet?

b) Secondly, if there is an FWSM placed after the MSFC, should the outside VLAN of the FWSM be the same VLAN as mentioned in point a), i.e. the inside of the perimeter ASA?


Jon Marshall Thu, 10/02/2008 - 07:06

Again it depends on what you are trying to do.

a) I would use a dedicated subnet for this so use a new vlan.

b) this entirely depends on what you want the FWSM to achieve. Bear in mind if it looks like this


then you have a router between your ASA and your FWSM so your FWSM may get bypassed. What are you trying to achieve with the FWSM?


new_networker Thu, 10/02/2008 - 09:42

The incoming traffic flow is as you have stated i.e. ASA -> MSFC -> FWSM

So let's say for incoming flow I would have a vlan on MSFC (VLAN 100) which would map to ASA inside (i.e. same subnet) and I would also have a vlan on MSFC (vlan 101) which would map to FWSM outside vlan (i.e. same vlan/subnet).

Is it correct?

I am assuming both the vlans can never be the same due to the router in the way, or can they be the same?


Correct Answer
Jon Marshall Thu, 10/02/2008 - 10:23

No, they could be the same if you wanted, ie. you could have


but it really does depend on what you are trying to protect with both your ASA device and your FWSM. It can also make a difference if you are using other service modules in the 6500 such as a CSM/ACE module for load-balancing.

Perhaps if you expand on your requirements I could point you in the right direction.


new_networker Fri, 10/03/2008 - 03:13


Design 1:


Now the Front end servers should be connected to the ASA and the backend server should be connected to FWSM. Ideally, front end servers should be on the DMZ of perimeter firewall.

If I were to follow that, then wouldn't two links terminate from ASA on Cat 6500 switchports, i.e. (inside as well as DMZ)? Or should I ignore the DMZ and just connect servers to CAT 6500 switchports on the inside of ASA?

Jon Marshall Fri, 10/03/2008 - 13:17

Front end servers - if accessed from internet I would have on their own DMZ. To be very secure a separate dedicated switch would be the way to go. Nothing wrong with collapsing onto 6500 chassis but you need to be very careful with configuration changes !!

Now if the front-end servers are only ever going to communicate with the backend servers I would not have the MSFC in between - just not needed. You could just go straight to the outside of the FWSM. This would be a more secure setup. Bear in mind with FWSM even with base license you get 2 contexts to play with which means you could have

context1 - ASA - MSFC - FWSM (or maybe not bother with the ASA at all in this context)

context2 - ASA - FWSM - MSFC


new_networker Sat, 10/04/2008 - 00:23


What could be the drawback if I only have one link out of ASA (i.e. INSIDE) terminating on Cat 6500 and connect the front end servers to it?

And the INSIDE gets connected to the FWSM OUTSIDE vlan.

Marwan ALshawi Sat, 10/04/2008 - 01:41

If you mean that you create an inside L2 VLAN, let's say vlan 100, which is the vlan that the front-end servers and the inside of the ASA are in,

then here you need another vlan and ASA interface to let the FWSM and/or MSFC communicate with the front-end servers securely through the ASA

or you might make the mentioned vlan, vlan 100, the vlan between the ASA and FWSM directly. In this case, as Jon told you, you don't need the MSFC in between because you might bypass one of the firewalls.

Good luck

Jon Marshall Sat, 10/04/2008 - 02:37

No huge drawback although it is still unclear if these servers are to be accessed from the internet.

Anyway assuming they are and that you only want one interface from the ASA connecting to the 6500 then I would have the inside interface of the ASA on a L2 vlan that has no SVI on the MSFC. Place your front-end servers into that and then put the outside interface of your FWSM into that vlan as well. You can then do what you like behind the FWSM ie. you could have just DMZs for the backend servers or you could allow traffic to hit the MSFC.

ASA - front-end servers - FWSM -> internal network.

The above would work but I'm not sure it's the optimal solution. It is difficult to recommend a good solution without seeing all the design requirements because what you do here could have a massive influence on other parts of your network.
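
Added example, not part of the thread: a small Python audit for the point made above, that the VLAN shared by the ASA inside and the FWSM outside should have no SVI on the MSFC, and that a router with interfaces on both sides of the FWSM can let it be bypassed. The config excerpt, VLAN numbers and addresses are constructed, and the function names are hypothetical; the `firewall vlan-group` and `interface Vlan` line formats are assumed to match the switch's running-config.

```python
import re

# Constructed Catalyst 6500 config excerpt (not from the thread). VLAN 100 is
# the ASA-inside / FWSM-outside segment, VLAN 101 sits behind the FWSM.
SAMPLE_CONFIG = """\
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1
firewall vlan-group 1 100,101
!
interface Vlan100
 ip address 10.1.100.1 255.255.255.0
!
interface Vlan101
 ip address 10.1.101.1 255.255.255.0
!
interface Vlan200
 ip address 10.1.200.1 255.255.255.0
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '100,101,110-112' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_fwsm_svis(config):
    """Return (firewall VLANs that also have an SVI, bypass_possible)."""
    fwsm_vlans, svis = set(), set()
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"firewall vlan-group \d+ (\S+)$", line)
        if m:
            fwsm_vlans |= expand_vlans(m.group(1))
        m = re.match(r"interface Vlan(\d+)$", line, re.IGNORECASE)
        if m:
            svis.add(int(m.group(1)))
    routed = sorted(fwsm_vlans & svis)
    # Two or more SVIs on firewall VLANs let the MSFC route between them,
    # so traffic can pass from one side of the FWSM to the other unfiltered.
    return routed, len(routed) > 1

if __name__ == "__main__":
    print(audit_fwsm_svis(SAMPLE_CONFIG))
```

An empty list corresponds to the L2-only layout described above; a single entry means the MSFC sits on one side of the FWSM only.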


Marwan ALshawi Sat, 10/04/2008 - 02:46

Good that my suggestion agrees exactly with Jon's suggestion.

However, I do agree with Jon that we need to know the whole requirements to be able to give you the logical design that suits your requirements.

As you have seen, you can do it in several ways, but you can't consider one the best among them unless you know what you want to achieve.

Thank you

new_networker Sat, 10/04/2008 - 04:28

Thanks all.

The front end servers shall be exposed to the internet traffic. It hosts a web application getting approx. 100,000 hits every day.

My concern is that if the front end servers are connected to ASA Inside i.e. mapped to FWSM outside, then isn't it insecure, as all the internet traffic will only be one hop away from the backend? Whereas if the front end servers are placed in the DMZ (ASA), then internet traffic hitting front end will be two hops away from the backend. Could there possibly be other loopholes/issues?


Jon Marshall Sat, 10/04/2008 - 09:47

With the information you have provided I would recommend that

1) The front-end servers should be on a DMZ of their own.

2) That this DMZ is on a dedicated switch that is not connected to the 6500.

3) That the inside of the ASA devices connects to a vlan that also has an SVI and which also connects to the outside interface of your FWSM ie.


4) That the backend servers live behind the FWSM

Points to Note

1) There is an assumption that internal users will need access to the backend servers. This is why the MSFC is between the ASA which services the Internet and the FWSM which services both the internet and the internal users. If this is not the case and you have dedicated backend servers for the Internet connectivity then I would remove the MSFC from the equation. But bear in mind even if you do have dedicated backend servers, any other servers they rely on for normal operation would also have to be dedicated eg. DNS - if these backend servers were dedicated to the Internet but they used your corporate internal DNS servers then you may well need to introduce the MSFC again so they can get to the DNS servers.

2) As mentioned previously there is a big advantage to having the DMZ on a separate switch. Yes you can collapse it all onto the 6500 chassis but it really only takes a slight misconfiguration and you have granted access where you didn't want to.

3) There is no mention of load-balancing although I suspect you are going to be using it. If so, are the load-balancing devices standalone or integrated into the 6500 chassis? If integrated this could explain why you might want to collapse the DMZ onto the 6500 chassis.

There are a lot of other things to consider with these sort of designs eg. IDS/IPS placement, load-balancing setup ie. routed/bridged/one-armed mode, FWSM setup ie. routed/transparent etc. but the above should hopefully be enough to get you started.


new_networker Sat, 10/04/2008 - 11:27


This was quite beneficial.

I would still like to know what I will be missing if

1. Front end servers are on the inside of ASA

2. Inside of ASA is directly mapped to outside of FWSM.

3. Single physical link from ASA to the Cat 6500

i.e. not having a DMZ (for front end servers) on ASA.


1) The front-end servers should be on a DMZ of their own.


Why is it so? Isn't inside only enough?

Yes, ACE module is used as load balancer on Cat 6500.


Jon Marshall Sun, 10/05/2008 - 01:10

Okay, if you are definitely not going to have the MSFC in between the ASA and the FWSM then that would be fine. But you need to factor in what will and won't work in that scenario, that's really all I was trying to explain.

What you describe is a quite common deployment in large enterprises with front-end and back-end firewall and secure subnets in between.

If you do have this setup then the backend servers would only be accessible from the internet unless you had a separate interface on the FWSM that did share a vlan with the MSFC for your internal users.


