MSFC can't ping BVI interface address on transparent FWSM v3.1

hetao
Level 1

Hello everyone,

I have configured a transparent FWSM (version 3.1) on a Cat6500. I found I can't ping the BVI interface from the MSFC, and I have some questions as below:

1. For a transparent FWSM, are there other ways to access the FWSM module apart from "session slot # process 1"? I mean, can I telnet to this FWSM via the BVI interface?

2. I found that access-group can only be applied on the physical interfaces such as inside, outside or dmz; I can't apply it to the BVI interface, am I right? I can't ping the BVI interface from the MSFC. Can anyone tell me whether there is something wrong in my configuration, or whether it actually can't be pinged?

3. CCO says it can have 8 bridge-groups per context. What does that mean? When I configured the FWSM, I found there are only 2 VLAN interfaces per bridge-group. So how can I put many interfaces in the inside or dmz interface? For example, I have HR, Finance, Market and RD, 4 VLANs, which are 10.1.1.0, 10.1.2.0, 10.1.3.0 and 10.1.4.0 respectively. I want them protected by the transparent FWSM. Can anyone give me the detailed configuration?

And if one context only supports 8 bridge-groups, does it mean it can only support 8 inside VLANs on the transparent firewall?

Many thanks

Tao


6 Replies

1) You should be able to access the FWSM using telnet. If you are trying to connect to the FWSM from a location other than the directly connected network, you will need to add a static route on the FWSM.

Use "telnet x.x.x.x <> <>" to restrict who can telnet to the device.

2) Please post your config; you should be able to ping the BVI IP address from your MSFC.

You can't apply an access-list to a BVI.

3) 8 bridge-groups per context, but each bridge-group can have only two interfaces. In that way traffic from one bridge-group is isolated from another bridge-group. But all 8 bridge-groups share the same AAA & logging configuration.

You cannot have 8 inside VLANs on the transparent firewall within the same bridge-group.

you can find some config examples at

http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html

HTH

Vikram

Dear Vikram,

Many thanks for your reply.

My topology and configuration are in the attached file.

1. Server A can ping Server B, but the MSFC cannot ping the BVI interface;

2. In the second topology there are 3 inside VLANs (HR, RD and Market servers), located in different VLANs and different subnets. I want to protect them with the FWSM. Do I need to configure 3 pairs of VLANs on the MSFC, 3 pairs of VLANs on the FWSM and 3 bridge-groups?

Many thanks

Tao

The configuration is in the attached files.

Sorry, the topology again.

1. The configs look good. I am not sure why you are not able to ping the BVI IP address. Are you able to ping from the FWSM to any host/server?

I suggest you enable debugging.

For telnet to work, you need to configure "telnet 10.1.10.0 255.255.255.0 inside" and see if telnet works.

2. You are correct - you need to have 3 pairs of VLANs on the MSFC and 3 bridge-groups.

This is a restriction in transparent mode: you can have only 2 interfaces (one inside and one outside).

Thanks for Vikram's reply.

I have solved the ICMP ping problem. After adding two icmp commands directly to the outside interface, not in an ACL, ping works.

But the problem is that telnet doesn't work to the BVI interface. Even though I have configured "telnet 0.0.0.0 0.0.0.0 inside", I still can't telnet to 10.1.10.2 from 10.1.10.10.

Does anyone know how to solve this problem?

Another question: does it mean the FWSM can only support 8 inside VLANs protected by the FWSM? I think that's too few for a campus LAN design, am I right?

Many thanks

Tao
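Putting the thread's points together (one bridge-group with exactly two member VLANs per protected subnet, a matching VLAN pair on the MSFC, and management traffic to the BVI controlled by the icmp/telnet commands rather than by access-group), the following is an added illustration. It is not the poster's attached configuration and not text from Cisco documentation; the slot number, VLAN numbers, interface names and addresses are assumed for three of the subnets mentioned (HR, Finance, Market), and the syntax should be checked against the FWSM 3.1 command reference before use.

```cisco
! ---- Catalyst 6500 / MSFC side (assumed: FWSM in slot 3; VLAN numbers and addresses invented) ----
! More than one SVI among the firewall VLANs needs this first.
firewall multiple-vlan-interfaces
firewall vlan-group 1 10,11,20,21,30,31
firewall module 3 vlan-group 1
!
! The MSFC sits on the OUTSIDE VLAN of each pair; the FWSM bridges it to the inside VLAN,
! so hosts on VLAN 10 still use 10.1.1.1 as their default gateway.
interface Vlan11
 description HR outside (MSFC side of bridge-group 1)
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan21
 description Finance outside (bridge-group 2)
 ip address 10.1.2.1 255.255.255.0
!
interface Vlan31
 description Market outside (bridge-group 3)
 ip address 10.1.3.1 255.255.255.0

! ---- FWSM 3.1 side, transparent mode: one bridge-group (exactly two member VLANs) per subnet ----
firewall transparent
!
interface Vlan10
 nameif inside1
 bridge-group 1
 security-level 100
interface Vlan11
 nameif outside1
 bridge-group 1
 security-level 0
interface BVI1
 ip address 10.1.1.2 255.255.255.0
!
interface Vlan20
 nameif inside2
 bridge-group 2
 security-level 100
interface Vlan21
 nameif outside2
 bridge-group 2
 security-level 0
interface BVI2
 ip address 10.1.2.2 255.255.255.0
!
interface Vlan30
 nameif inside3
 bridge-group 3
 security-level 100
interface Vlan31
 nameif outside3
 bridge-group 3
 security-level 0
interface BVI3
 ip address 10.1.3.2 255.255.255.0
!
! Traffic addressed TO the FWSM itself (ping/telnet/ssh to a BVI address) is governed by the
! icmp/telnet/ssh commands on the member interface it arrives on, not by access-group.
! The MSFC (10.1.1.1) arrives on outside1, the inside hosts on inside1.
icmp permit 10.1.1.0 255.255.255.0 inside1
icmp permit 10.1.1.0 255.255.255.0 outside1
! Restrict remote management to the one subnet that needs it; telnet is cleartext, so prefer
! ssh (after generating an RSA key on the FWSM) where the clients support it.
telnet 10.1.1.0 255.255.255.0 inside1
ssh 10.1.1.0 255.255.255.0 inside1
!
! Traffic THROUGH the bridge still needs ACLs on the member interfaces; the FWSM permits
! nothing through by default, in either direction, regardless of security-level.
access-list HR-IN extended permit ip 10.1.1.0 255.255.255.0 any
access-group HR-IN in interface inside1
access-list HR-OUT extended permit ip any 10.1.1.0 255.255.255.0
access-group HR-OUT in interface outside1
```

Each additional protected subnet in this design costs one more bridge-group, one more BVI address and one more VLAN pair on the MSFC, which is where the 8-bridge-groups-per-context limit discussed above bites; the usual way past it is additional security contexts, each with its own set of bridge-groups, rather than trying to put more than two VLANs into one bridge-group.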
