ACE/FWSM Design Question

Unanswered Question
Nov 25th, 2008

Question regarding the design of an ACE with FWSM using multiple FWSM contexts. It's fairly straightforward, but here is the topology:

Client -> FWSM (Perimeter Context) -> ACE VIP -> FWSM -> Real Server

I'm asking for some feedback on running the FWSM on the inside, segregating the real server, in transparent mode vs. routed mode.

In routed mode, the traffic would get double NAT'd (the ACE real server points to a NAT on the outside of the FWSM context), whereas transparent mode would obviously just inspect and pass the traffic without the rewrite.

Anyone have any thoughts/experience on this? Thanks in advance.

Syed Iftekhar Ahmed Tue, 11/25/2008 - 14:39

In routed-mode FWSM, you can use "no nat-control" on the FWSM and just route the allowed traffic without NATting.

Try to avoid the situation where you have to share a VLAN between FWSM contexts. Unlike ASAs, the FWSM doesn't support virtual MACs, and hence each context uses the same MAC address. Sharing inside VLANs is not an option, and sharing outside VLANs requires xlate entries.

Syed Iftekhar Ahmed
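The configuration below is an added illustration of the answer above, not from the original thread or from Cisco. It shows a routed-mode FWSM context in front of the real server with nat-control disabled, so the ACE rserver can point at the real server's actual address with no translation, alongside the identity static that would otherwise be needed when nat-control is left on. All hostnames, VLAN numbers and addresses are assumptions; the two VLANs are dedicated to this context, per the advice not to share VLANs between contexts.

```text
! ---- FWSM, inside context, routed mode (assumed names/addresses) ----
hostname SRV-CTX
!
interface Vlan200
 nameif outside              ! faces the ACE server-side VLAN
 security-level 0
 ip address 10.20.0.2 255.255.255.0
!
interface Vlan300
 nameif inside               ! real-server VLAN, dedicated to this context
 security-level 100
 ip address 10.30.0.1 255.255.255.0
!
! Option A (the answer's suggestion): drop the NAT requirement, just route.
no nat-control
!
! Option B (if nat-control stays enabled): an identity static is required
! for the real server to be reachable without rewriting its address.
! static (inside,outside) 10.30.0.10 10.30.0.10 netmask 255.255.255.255
!
! Only allow what the ACE sends toward the real server.
access-list OUTSIDE_IN extended permit tcp 10.20.0.0 255.255.255.0 host 10.30.0.10 eq www
access-group OUTSIDE_IN in interface outside
!
! Return path to the ACE (default route toward the ACE server-side VLAN).
route outside 0.0.0.0 0.0.0.0 10.20.0.1

! ---- ACE context (assumed), real server referenced by its true address ----
rserver host WEB1
  ip address 10.30.0.10
  inservice
!
serverfarm host SF-WEB
  rserver WEB1
    inservice
!
ip route 10.30.0.0 255.255.255.0 10.20.0.2
```

With Option A the ACE's rserver address and the real server's own address are the same, so the client-to-VIP NAT performed by the ACE is the only rewrite on the path; the inside context still builds a connection entry and applies the access-list, it just does not require an xlate to pass the traffic. Option B is left commented out so the difference between the two is visible side by side.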
