Integration Catalyst6513, IDSM2 and FWSM

Unanswered Question
Apr 4th, 2009

I have this type of topology:

Workstation >> Floor Switch >> Cat6513 >> ASA >> Internet

My Workstation is Vlan 123 and my ASA interface inside is Vlan 20

Here is my Vlan configuration:

!
interface Vlan123
 ip address 172.21.123.254 255.255.255.0
end

C6513-Core1#sh ru int vlan 20
Building configuration...

Current configuration : 129 bytes
!
interface Vlan20
 ip address 172.16.20.254 255.255.255.0
end

My Workstation is set to:
IP: 172.21.123.123/24
Gateway: 172.21.123.1

My inside ASA:
IP: 172.16.20.1/24

Now I want to activate both modules, IDSM-2 and FWSM, residing in the Cat6513. All packets coming from the Workstation need to be monitored by the IDS in inline mode and forwarded to the inside FWSM. After passing our firewall policy these packets can go to the inside ASA interface. My questions are:

1) My current configuration on the Cat6513 is:

C6513-Core1#sh ru | i firewall
firewall autostate
firewall multiple-vlan-interfaces
firewall module 2 vlan-group 1,
firewall vlan-group 1 20,123
C6513-Core1#sh ru | i intrusion
intrusion-detection module 1 data-port 1 trunk allowed-vlan 20,123

Is my configuration on the switch correct?

2) My current settings on the IDSM-2 are:

service interface
 physical-interfaces GigabitEthernet0/7
  subinterface-type inline-vlan-pair
   subinterface 1
    vlan1 123
    vlan2 124
   exit
  exit
 exit
 bypass-mode off
exit
service analysis-engine
 virtual-sensor vs0
  physical-interface GigabitEthernet0/7 subinterface-number 1
  inline-TCP-session-tracking-mode vlan-only
 exit
exit

How do I configure it correctly? Currently I'm testing blocking Yahoo Messenger but the IDS fails to block it; no event even occurs while I'm monitoring via IME.

3) My current FWSM configuration is:

!
interface Vlan20
 nameif outside
 security-level 0
 ip address 172.16.20.247 255.255.255.0
!
interface Vlan123
 nameif inside
 security-level 100
 ip address 172.21.123.1 255.255.255.0
!
same-security-traffic permit inter-interface
icmp permit any outside
icmp permit any inside
route outside 0.0.0.0 0.0.0.0 172.16.20.1 1
route inside 172.16.0.0 255.248.0.0 172.16.20.254 1

This configuration also didn't work. I tried to deny tcp/80 packets coming from inside 172.21.123.0/24 to outside 0.0.0.0 0.0.0.0 but the web traffic keeps passing through the FWSM.

I need some guidance to configure this Cat6513, IDSM-2 and FWSM integration. Our goal is to filter traffic coming from the Workstation and protect the Workstation from incoming traffic from the internet. Any input is really appreciated. Thanks

./hasim

hasim.cnc Mon, 04/06/2009 - 17:06

Any response is really appreciated. I already have sample configurations for these three individual items; I just need a little more understanding to integrate these three items into one integrated configuration file. Can anybody please help me by providing sample configurations for:

1) Catalyst6500 to redirect inside VLAN(s) traffic to IDSM-2 and FWSM module

2) IDSM-2 to analyze inside VLAN(s) traffic incoming before passing to FWSM in inline mode

3) FWSM in transparent mode to protect the inside VLAN(s) zone and filter any incoming traffic from the outside VLAN(s) zone.

Thanks.

./hasim

Farrukh Haroon Wed, 04/15/2009 - 23:23

Hasim, to run INLINE VLAN PAIR mode you need to modify your VLAN settings; it will not work the way you have it configured. Please have a look at these guidelines:

Let's say you have three user VLANs; your setup would be something like:

> Create 6 VLANs for users, 2,3,4, 22,33,44 (just examples). Create one OUTSIDE VLAN (you have a VLAN b/w FWSM and MSFC already).

> On the access switch set all ports in VLAN 2, 3 and 4 (as appropriate).

> The IDSM has no 'physical' interfaces; it has a trunk with the Catalyst backplane (if inline vlan pair is used). Create three inline vlan pairs in the IDSM GUI, 2 >> 22, 3 >> 33, 4 >> 44. Allow ALL 6 VLANs on the trunk (through the intrusion-detection commands). The IDSM has two virtual sensing interfaces/ports named mod x/7 and x/8 (where x is the slot number in which the IDSM is installed). Allow the VLANs on the trunk based on WHERE you created the sub-interfaces/inline VLAN pairs in the IDSM GUI (interface 7 or 8).

> Create three VLAN interfaces for VLAN 22, 33 and 44 on the FWSM. These will be the default gateway of all machines in VLANs 2, 3 and 4. Allow ONLY VLANs 22, 33 and 44 on the FWSM trunk (through the firewall-xx commands on the switch).

> Create another VLAN, e.g. OUTSIDE, between the FWSM and MSFC. Make a VLAN interface for it in the FWSM; create an SVI in the 65XX switch also.

> Add a default route on the FWSM pointing to the switch SVI.

> Add static routes on the MSFC for all LAN subnets (VLAN 2, 3 and 4) pointing towards the FWSM OUTSIDE VLAN interface.

> The IDSM will have a separate port for management; it can be any IP (from your management VLAN). This is port mod x/2.

So the L2 flow will be:

user vlan 2 >> access port >> core sw >> idsm >> vlan 22 >> fwsm >> msfc

Regards

Farrukh

Farrukh Haroon Wed, 04/15/2009 - 23:26

Now with regards to the configuration in case you have *multiple* IDSM-2s in the same chassis:

For the case with one FWSM in each chassis and multiple IDSM-2s, it is pretty simple. You can have up to eight IDSM-2 modules in the same chassis and they all can be stacked using EtherChannel.

e.g. Let's say you have IDSM-2 modules installed in slots 4 and 5, and VLANs 2 and 3 have sub-interfaces on interface gig x/7 and VLAN 4 has sub-interfaces on gig x/8; your configuration will be something like:

intrusion-detection port-channel 10 trunk allowed-vlan 2-3, 22, 33
intrusion-detection port-channel 10 autostate include
intrusion-detection port-channel 10 portfast enable
intrusion-detection port-channel 11 trunk allowed-vlan 4,44
intrusion-detection port-channel 11 autostate include
intrusion-detection port-channel 11 portfast enable
intrusion-detection module 4 data-port 1 channel-group 5 (This is int 4/7 basically)
intrusion-detection module 4 data-port 2 channel-group 6 (This is int 4/8 basically)
intrusion-detection module 5 data-port 1 channel-group 5
intrusion-detection module 5 data-port 2 channel-group 6

You are basically grouping the FIRST sensing port of each IDSM into the same EtherChannel, and the SECOND one into another.

Of course you have to manually replicate all your configurations on all IDSM-2s.

The FWSM configuration will be based on a failover LAN, which would be carried over the inter-switch trunk between the two cores.

On the switch you would add:

firewall multiple-vlan-interfaces (IMPORTANT)
firewall module 3 vlan-group 1
firewall vlan-group 1 22,33,44

Whichever FWSM is active, the IDSM-2s sharing the chassis with that FWSM will serve traffic. This is based on MAC-ADDRESS learning. The FWSM/IDSM-2 in the other chassis will sit and watch during this time :)

Note: In the FWSM you cannot pass any traffic unless you have 'incoming' ACLs on all VLAN interfaces....

Please rate if helpful

Regards

Farrukh
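The two replies above define a small set of consistency rules (both VLANs of an inline pair on the IDSM trunk, only the firewall-side VLANs plus the OUTSIDE VLAN on the FWSM trunk, the hosts' gateway on the FWSM interface of the firewall-side VLAN), and the original post violates several of them at once. The script below is an added example, not code from this thread or from Cisco: it parses the three config fragments involved (switch intrusion-detection/firewall lines, IDSM-2 inline-vlan-pair subinterfaces, FWSM `interface VlanN` lines) and reports every rule that fails. The sample configs are constructed from the thread's snippets; VLAN 900 is a placeholder for the OUTSIDE VLAN, which the reply does not number, and the `audit_*` function names are assumptions of this example.

```python
"""Consistency audit for a Catalyst 6500 / IDSM-2 inline-VLAN-pair / FWSM design.
Added example (not from the thread or Cisco): Farrukh's design rules expressed as
checks over switch, IDSM-2 and FWSM config text. Sample configs are constructed;
VLAN 900 stands in for the OUTSIDE VLAN the reply leaves unnumbered."""
import re


def parse_vlan_list(text):
    """'2-3, 22, 33' -> {2, 3, 22, 33}; tolerates spaces and a trailing comma."""
    vlans = set()
    for part in text.replace(" ", "").strip(",").split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_switch(text):
    """Return (VLANs allowed on any IDSM sensing trunk, VLANs carried to the FWSM)."""
    idsm, groups, used = set(), {}, set()
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"intrusion-detection .*trunk allowed-vlan (.+)$", line):
            idsm |= parse_vlan_list(m.group(1))
        elif m := re.match(r"firewall vlan-group (\d+) (.+)$", line):
            groups[int(m.group(1))] = parse_vlan_list(m.group(2))
        elif m := re.match(r"firewall module \d+ vlan-group (.+)$", line):
            used |= parse_vlan_list(m.group(1))  # vlan-groups bound to the FWSM slot
    return idsm, set().union(*(groups.get(g, set()) for g in used))


def parse_inline_pairs(text):
    """Collect (vlan1, vlan2) tuples from IDSM-2 inline-vlan-pair subinterfaces."""
    pairs, first = [], None
    for line in text.splitlines():
        if m := re.match(r"\s*vlan([12]) (\d+)$", line):
            if m.group(1) == "1":
                first = int(m.group(2))
            elif first is not None:
                pairs.append((first, int(m.group(2))))
                first = None
    return pairs


def parse_fwsm_interfaces(text):
    return {int(v) for v in re.findall(r"^\s*interface Vlan(\d+)", text, re.M)}


def audit(switch_cfg, idsm_cfg, fwsm_cfg, outside_vlan):
    """Return findings as strings; an empty list means the three configs agree."""
    idsm_ok, fwsm_vlans = parse_switch(switch_cfg)
    fwsm_ifaces = parse_fwsm_interfaces(fwsm_cfg)
    out = []
    for user, fw in parse_inline_pairs(idsm_cfg):
        # both halves of a pair must ride the IDSM trunk, or the sensor never sees the flow
        for v in (user, fw):
            if v not in idsm_ok:
                out.append(f"pair {user}/{fw}: VLAN {v} not allowed on the IDSM trunk")
        # only the firewall-side VLAN goes to the FWSM; the user VLAN there bypasses the IDSM
        if user in fwsm_vlans:
            out.append(f"pair {user}/{fw}: user VLAN {user} is on the FWSM trunk (bypasses the IDSM)")
        if fw not in fwsm_vlans:
            out.append(f"pair {user}/{fw}: firewall-side VLAN {fw} is not on the FWSM trunk")
        # the hosts' default gateway is the FWSM interface on the firewall-side VLAN
        if user in fwsm_ifaces:
            out.append(f"FWSM interface Vlan{user} is on the user side; the gateway belongs on Vlan{fw}")
    if outside_vlan not in fwsm_vlans:
        out.append(f"outside VLAN {outside_vlan} is not on the FWSM trunk")
    for v in sorted(fwsm_ifaces - fwsm_vlans):
        out.append(f"FWSM interface Vlan{v} has no firewall vlan-group entry on the switch")
    return out


# constructed samples: the original post's setup, then the design from the reply
ORIGINAL_SWITCH = """firewall multiple-vlan-interfaces
firewall module 2 vlan-group 1,
firewall vlan-group 1 20,123
intrusion-detection module 1 data-port 1 trunk allowed-vlan 20,123"""
ORIGINAL_IDSM = "subinterface-type inline-vlan-pair\nsubinterface 1\nvlan1 123\nvlan2 124"
ORIGINAL_FWSM = "interface Vlan20\n nameif outside\ninterface Vlan123\n nameif inside"
RECOMMENDED_SWITCH = """intrusion-detection port-channel 10 trunk allowed-vlan 2-3, 22, 33
intrusion-detection port-channel 11 trunk allowed-vlan 4,44
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1
firewall vlan-group 1 22,33,44,900"""
RECOMMENDED_IDSM = "\n".join(f"vlan1 {u}\nvlan2 {f}" for u, f in ((2, 22), (3, 33), (4, 44)))
RECOMMENDED_FWSM = "\n".join(f"interface Vlan{v}" for v in (22, 33, 44, 900))


def audit_original_post():
    return audit(ORIGINAL_SWITCH, ORIGINAL_IDSM, ORIGINAL_FWSM, outside_vlan=20)


def audit_recommended_design():
    return audit(RECOMMENDED_SWITCH, RECOMMENDED_IDSM, RECOMMENDED_FWSM, outside_vlan=900)


if __name__ == "__main__":
    for title, fn in (("original post", audit_original_post), ("recommended design", audit_recommended_design)):
        findings = fn()
        print(f"{title}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run against the original post's fragments the audit reports four findings (VLAN 124 missing from the IDSM trunk, user VLAN 123 on the FWSM trunk, VLAN 124 absent from the FWSM trunk, and the FWSM inside interface sitting on VLAN 123 instead of 124), which together explain why neither the IDS nor the FWSM policy ever saw the test traffic; the recommended 2/22, 3/33, 4/44 layout passes with no findings. The checker deliberately unions all IDSM trunk allowed-VLAN lists rather than tracking which sensing port (x/7 or x/8) each pair lives on, so it is a slightly weaker test than the reply's "allow based on WHERE you created the pair" rule.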

hasim.cnc Fri, 04/17/2009 - 19:35

Thanks Farrukh! Your explanation really helped me a lot :)

Now I have successfully integrated these three items into my testing environment. My current configuration consists of two Catalyst6513 chassis with two IDSM-2 modules and two FWSMs, one module per chassis. Both Cat6513s are identical in terms of software version, including the software versions of the IDSM-2 and FWSM residing in the respective Cat6513 chassis. My next questions are:

1) I'm using a single-context FWSM with active/standby failover. My FWSM failover is running perfectly. How do I implement redundancy on both IDSM-2s with the inline-vlan-pair configuration?

2) In our production environment, we have certain VLANs to be firewalled by the FWSM and certain VLANs not to be firewalled by the FWSM. All VLANs firewalled by the FWSM are routed to the FWSM inside interface by changing their default gateway to the FWSM inside interface IP address. The rest of the VLANs, configured not to be firewalled by the FWSM, are configured to route directly to the MSFC by changing their default gateway to their respective VLAN interface IP address. How do I allow traffic communication between the firewalled VLANs and the rest of the other VLANs?

Thanks again for your time.

./hasim

hasim.cnc Fri, 04/17/2009 - 20:03

Vlan 131: Firewalled VLAN
Vlan 30: Other VLAN, not firewalled
Vlan 20: Outside interface FWSM
Vlan 132: Bridge VLAN between IDSM-2 and FWSM
Vlan 99: Failover trunk
Vlan 199: State failover trunk

Attached here are some interesting snapshots from my configuration files.
