White paper to set-up basic FWSM connectivity?

Answered Question
Jun 5th, 2009

I have the FWSM design and configuration guides, and feel like I'm buried in minutia regarding figuring out how to config for basic access into the module. Is there a "Quick Start Guide" or a white paper that describes BASIC things like how to set up access to the module from the 6500 and maybe a very SIMPLE example on setting up ports/vlan for passing traffic from a high-security side to a low-security side?


I first want to be able to just telnet into the module and upgrade the code on it. Then I'd like to begin very simply to work forward from there. I'm bogged down with trying to understand what is meant by 'before the MSFC' or 'after the MSFC' and can't even telnet into the module yet.

Correct Answer
Jon Marshall Fri, 06/05/2009 - 10:40

Jim


Firstly, here's a link to a thread I was involved in some time ago that gives a basic setup. It may be of help to get you started -


http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40.2cbef1c1/5#selected_message


To be able to telnet into it you need to access it initially from the CLI on the 6500. So let's say your FWSM is in slot 7 of your 6500 -


6500# session slot 7 proc 1


that should take you into the FWSM.


Before you telnet in you are going to have to set up the firewall - see the link I provided.


I'm assuming, to keep it simple, that you are using single context mode; if you want to use multiple context mode then things will be a bit more complicated.


Before or after the MSFC, although personally I think behind and in front are more descriptive -


Before


FWSM -> MSFC -> vlans


After


MSFC -> FWSM -> vlans


Basically, Before involves the FWSM protecting all routed vlans on the MSFC because to get to the MSFC you have to go through the firewall. Think internet type connectivity, although it doesn't have to be internet.



After would be used where you don't necessarily want to firewall all vlans on the 6500. Think datacentre setup where external access is still from within your company but you still want to secure certain vlans only.


Note the example I gave in the link is for behind (after) the MSFC.


Happy to try and help as much as I can.


Jon

jkeeffe Fri, 06/05/2009 - 10:55

Excellent post - thanks Jon. You've demystified the MSFC concept for me. I'll check out your link to your previous thread and get to work.

jkeeffe Fri, 06/05/2009 - 11:05

Jon - I'll tell you a couple things we want to do with the FWSM.


We use 6500s as our access-layer switch with L3 uplinks for our server farms. On the 6500 we have more than one L3 SVI for the servers. In this scenario, I want to use the FWSM to restrict access to the L3 SVIs inbound from the uplinks, to just what is necessary for client to server activity, and for admin support to the servers. Also, I want to be able to restrict certain outbound access from the servers, like telnet, RDP, etc. This is to prevent someone who may have root access to a particular server from telnetting from that server to other devices not on the 6500. (In a utopian world I'd like to restrict telnet from any server to any other server, even in the same vlan.)


So can I do both with the FWSM? Would this require it to be in multiple-context mode?
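As an added illustration, not taken from Jon's linked thread or from any Cisco document, here is a constructed minimal single-context configuration for the "after (behind) MSFC" layout Jon describes, with the inbound and outbound restrictions jkeeffe asks about: the MSFC routes VLAN 10, and the FWSM sits between VLAN 10 (outside, security-level 0) and the server VLAN 20 (inside, security-level 100). The slot number, VLAN ids, addresses, the management subnet 10.1.99.0/24 and the published service ports are all assumptions.

```text
! --- Supervisor / MSFC (Catalyst 6500 IOS) ---
! Assign VLANs 10 and 20 to the FWSM in slot 7 (slot and VLAN ids are assumed)
firewall vlan-group 1 10,20
firewall module 7 vlan-group 1
! The MSFC keeps an SVI only on the outside VLAN; VLAN 20 is routed by the FWSM
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
! Static route so the MSFC reaches the server subnet via the FWSM outside address
ip route 10.1.20.0 255.255.255.0 10.1.10.2
! Reach the module console from the supervisor CLI:  6500# session slot 7 processor 1

! --- FWSM (single context, routed mode) ---
hostname fwsm
interface vlan 10
 nameif outside
 security-level 0
 ip address 10.1.10.2 255.255.255.0
interface vlan 20
 nameif inside
 security-level 100
 ip address 10.1.20.1 255.255.255.0
! Default route back toward the MSFC
route outside 0.0.0.0 0.0.0.0 10.1.10.1
! Inbound from the low-security side: only the service the servers publish (constructed: HTTPS),
! plus RDP for admin support from the assumed management subnet; everything else is denied and logged
access-list OUTSIDE_IN extended permit tcp any 10.1.20.0 255.255.255.0 eq 443
access-list OUTSIDE_IN extended permit tcp 10.1.99.0 255.255.255.0 10.1.20.0 255.255.255.0 eq 3389
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
! Outbound from the servers: the FWSM, unlike PIX/ASA, passes no transit traffic without an ACL,
! so high-to-low traffic also needs an explicit permit; block interactive protocols leaving the VLAN
access-list INSIDE_OUT extended deny tcp 10.1.20.0 255.255.255.0 any eq 23 log
access-list INSIDE_OUT extended deny tcp 10.1.20.0 255.255.255.0 any eq 3389 log
access-list INSIDE_OUT extended permit ip 10.1.20.0 255.255.255.0 any
access-group INSIDE_OUT in interface inside
! Management access to the module itself, limited to the management subnet. SSH is used
! because the FWSM does not accept Telnet on its lowest-security interface (and SSH is preferable anyway)
domain-name example.local
crypto key generate rsa modulus 1024
ssh 10.1.99.0 255.255.255.0 outside
ssh timeout 5
passwd <set-a-strong-login-password>
enable password <set-a-strong-enable-password>
```

Note that because both server SVIs would then live behind the FWSM, this arrangement does not need multiple context mode; per-VLAN server-to-server restrictions inside one VLAN are beyond what a routed-mode firewall between VLANs can enforce.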

Jon Marshall Fri, 06/05/2009 - 11:19

Jim


Can you just clarify.


You have 6500s in the access-layer. When you say you have on the 6500 more than one L3 SVI for the servers, is this a different 6500 than the access-layer 6500s?


Could you just explain a bit more about your topology, i.e. which switches contain the FWSMs, where the clients are in relation to the FWSM 6500s and where the servers are in relation to the FWSM 6500s.


Apologies for this but I want to be sure I don't give you bad advice :-)


Jon
