MSFC can't ping BVI interface address on transparent FWSM v3.1

Answered Question
Mar 29th, 2009

Hello everyone,


I have configured a transparent FWSM (version 3.1) on a Cat6500. I found I can't ping the BVI interface from the MSFC, and I have some questions as below:


1. For a transparent FWSM, are there other ways to access the FWSM module except "session slot # process 1"? I mean, can I telnet to this FWSM by the BVI interface?


2. I found access-group can only be applied on the physical interfaces such as inside, outside or dmz; I can't apply it on the BVI interface, am I right? I can't ping the BVI interface from the MSFC. Can anyone tell me whether there is something wrong in my configuration, or whether it actually can't be pinged?


3. CCO says it can have 8 bridge-groups per context. What does that mean? When I configured the FWSM, I found just 2 VLAN interfaces per bridge-group. So how can I make many interfaces in the inside or dmz interface? For example, I have 4 VLANs, HR, Finance, Market and RD, which are 10.1.1.0, 10.1.2.0, 10.1.3.0 and 10.1.4.0 respectively. I want to make them protected by the transparent FWSM. Can anyone give me the detailed configuration?

And if one context only supports 8 bridge-groups, does it mean it can only support 8 inside VLANs on the transparent firewall?


Many thanks


Tao


vikram_anumukonda Sun, 03/29/2009 - 10:10

1) You should be able to access the FWSM using telnet. If you are trying to connect to the FWSM from a location other than a directly connected network, you will need to add a static route on the FWSM.


Use "telnet x.x.x.x <> <>" to restrict who can telnet to the device.


2) Please post your config; you should be able to ping the BVI ip-address from your MSFC.

You can't apply an access-list to a BVI.



3) 8 bridge-groups per context, but each bridge-group can have only two interfaces. In that way traffic from one bridge-group is isolated from another bridge-group. But all 8 bridge-groups share the same AAA & logging configuration.

You cannot have 8 inside VLANs on the transparent firewall within the same bridge-group.



You can find some config examples at


http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html


HTH


Vikram


hetao Sun, 03/29/2009 - 19:56

Dear Vikram,


Many thanks for your reply.

My topology and configuration are in the attached file.


1. Server A can ping Server B, but the MSFC cannot ping the MSFC BVI interface;

2. In the second topology there are 3 inside VLANs, the HR, RD and market servers, located in different VLANs and different subnets. I want to protect them with the FWSM. Do I need to configure 3 pairs of VLANs on the MSFC, 3 pairs of VLANs on the FWSM and 3 bridge-groups?


Many thanks


Tao



Correct Answer
vikram_anumukonda Sun, 03/29/2009 - 23:30


1. The configs look good. I am not sure why you are not able to ping the BVI ip-address. Are you able to ping from the FWSM to any host/server?

I suggest you enable debugging.

For telnet to work, you need to configure "telnet 10.1.10.0 255.255.255.0 inside" and see if telnet works.


2. You are correct - you need to have 3 pairs of VLANs on the MSFC and 3 bridge-groups.

This is a restriction in transparent mode: you can have only 2 interfaces (one inside and one outside).
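Vikram's answer above (8 bridge-groups per context, exactly two VLAN interfaces per bridge-group, one VLAN pair and one bridge-group per protected subnet, no access-list on the BVI) and the fixes that surface later in this thread (icmp commands on the VLAN interface for pinging the BVI, a telnet statement naming the arriving interface) can be pulled together into one configuration. The following is an added example written by the editor, not a config posted by Tao or Vikram and not checked against Tao's attached file. Everything numeric in it is an assumption: FWSM in slot 5, VLAN pairs 10/11, 20/21 and 30/31 for HR, Finance and Market, BVI addresses .2 and MSFC SVI addresses .1 in Tao's subnets, and the interface names. RD would be a fourth pair and bridge-group configured the same way.

```text
! --- Catalyst 6500 / MSFC side (assumed slot 5, assumed VLAN numbers) ---
! Both VLANs of each pair exist on the switch, but only the outside VLAN
! of a pair gets an SVI: in transparent mode the MSFC and the protected
! hosts share one subnet, with the FWSM bridging between the two VLANs.
vlan 10,11,20,21,30,31
firewall multiple-vlan-interfaces
firewall vlan-group 1 10,11,20,21,30,31
firewall module 5 vlan-group 1
!
interface Vlan10
 description HR outside (assumed)
 ip address 10.1.1.1 255.255.255.0
interface Vlan20
 description Finance outside (assumed)
 ip address 10.1.2.1 255.255.255.0
interface Vlan30
 description Market outside (assumed)
 ip address 10.1.3.1 255.255.255.0
! VLANs 11, 21 and 31 carry the servers and have no SVI on the MSFC.

! --- FWSM side, single context, transparent mode ---
firewall transparent
!
! One bridge-group per protected subnet; each holds exactly two VLAN
! interfaces, so three subnets need three bridge-groups (of the 8 allowed).
interface vlan 10
 nameif hr-outside
 bridge-group 1
 security-level 0
interface vlan 11
 nameif hr-inside
 bridge-group 1
 security-level 100
interface bvi 1
 ip address 10.1.1.2 255.255.255.0
!
interface vlan 20
 nameif fin-outside
 bridge-group 2
 security-level 0
interface vlan 21
 nameif fin-inside
 bridge-group 2
 security-level 100
interface bvi 2
 ip address 10.1.2.2 255.255.255.0
!
interface vlan 30
 nameif mkt-outside
 bridge-group 3
 security-level 0
interface vlan 31
 nameif mkt-inside
 bridge-group 3
 security-level 100
interface bvi 3
 ip address 10.1.3.2 255.255.255.0
!
! Through-the-box traffic is filtered on the VLAN interfaces, never on the
! BVI. Keep the permits narrow: this example only opens HTTP/HTTPS towards
! the HR servers from the campus; return traffic is handled statefully.
access-list hr-in extended permit tcp 10.1.0.0 255.255.0.0 10.1.1.0 255.255.255.0 eq 80
access-list hr-in extended permit tcp 10.1.0.0 255.255.0.0 10.1.1.0 255.255.255.0 eq 443
access-group hr-in in interface hr-outside
!
! Ping TO the BVI address is to-the-box traffic and is governed by the icmp
! command on the interface the echo arrives on, not by the access-group.
! Permit echo only from the MSFC SVI rather than from "any"; echo-reply lets
! the FWSM itself ping out for Vikram's test in point 1.
icmp permit host 10.1.1.1 echo hr-outside
icmp permit host 10.1.1.1 echo-reply hr-outside
!
! Management sessions are also per interface. telnet is not accepted on the
! lowest-security interface (here the outside of each pair), so a management
! host on the inside VLAN may use telnet, while the MSFC side needs SSH.
telnet 10.1.1.0 255.255.255.0 hr-inside
crypto key generate rsa modulus 2048
ssh 10.1.1.1 255.255.255.255 hr-outside
ssh version 2
```

Two checks worth doing after pasting this: confirm the MSFC sees the BVI's MAC (show arp on the MSFC after a ping, show mac-address-table on the FWSM), and, if telnet to the BVI address still fails, note which interface the session actually arrives on, because the telnet and ssh statements match on that interface name and a session coming from the MSFC side lands on the security-level 0 interface where only SSH is accepted.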

hetao Mon, 03/30/2009 - 00:38

Thanks for Vikram's reply.


I have solved the ICMP ping problem. After adding two icmp commands directly to the outside interface, not in the ACL, ping works.

But the problem is telnet didn't work for the BVI interface. Even though I have configured "telnet 0.0.0.0 0.0.0.0 inside", I still can't telnet to 10.1.10.2 from 10.1.10.10.

Does anyone know how to solve this problem?

Another question: does it mean the FWSM can only support 8 inside VLANs protected by the FWSM? I think it's too few for a campus LAN design, am I right?


Many thanks


Tao
