Need Basic Setup Help for 6500 FWSM

Answered Question
Sep 3rd, 2009

I have a 6513 with a simple config setup with just two VLANs.

VLAN1- IP 10.210.36.1/24

VLAN2- IP 10.10.10.1/24

I just want to upgrade the code on the FWSM to the latest. I put Int VLAN2 on FWSM with IP of 10.10.10.2/24.

This is my first time with an FWSM. It seems like the FW does not have a route to the MSFC on the 6500.

Can someone give me the basic config to get the FWSM to talk to the switch?

Thanks.

James

jfraasch Thu, 09/03/2009 - 05:58

Looks good. I am going to go try it now.

What it looks like is that the FWSM will contain the VLAN/IP address information and in the IOS on the 6500 I will allocate certain VLANs to be handled by the FWSM.

So I could technically add a third VLAN on the FWSM. The routing on this is sort of fuzzy for me though.

If, for instance, I create the VLAN on the FWSM, allocate VLAN in my IOS, where is my static route pointing to? The FWSM won't know about any other VLAN besides the one I configure on it. And my IOS/MSFC won't have an IP on it to have the FWSM point to for routing. I think I am missing a small piece.

Thanks so far. Like I said, I am going to go change the config and see what happens.

James

Jon Marshall Thu, 09/03/2009 - 06:13

James

You have to have a vlan that "connects" the MSFC to the FWSM. So let's say you want to firewall vlan 10 and vlan 20 -

MSFC -> vlan 30 -> outside (FWSM) -> vlans 10/20

you would use a new vlan to simply connect the MSFC to the outside of the FWSM, in the above example vlan 30.

So let's assume you have

MSFC
int vlan 30
 ip address 192.168.5.1 255.255.255.252

FWSM
outside interface -> 192.168.5.2 255.255.255.252

then on the MSFC you would simply add static routes for vlan 10 and vlan 20 subnets -

ip route v10-subnet 192.168.5.2
ip route v20-subnet 192.168.5.2

See other thread for more details on this.

Jon
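Putting the topology above into one complete configuration for both sides, as an added example that is not from the original thread. The FWSM slot number (3), the vlan-group number (1), the vlan 10/20 subnets (10.1.10.0/24 and 10.1.20.0/24) and the interface names are assumed values; syntax is IOS 12.2SX on the MSFC and FWSM 3.x on the module.

```cisco
! ===== MSFC (Supervisor IOS) =====
! Hand VLANs 10, 20 and 30 to the FWSM in slot 3 (slot/group numbers assumed).
firewall vlan-group 1 10,20,30
firewall module 3 vlan-group 1
!
! Only the "glue" VLAN gets an SVI on the MSFC; VLANs 10/20 are owned by the FWSM.
interface Vlan30
 ip address 192.168.5.1 255.255.255.252
 no shutdown
!
! Static routes for the firewalled subnets point at the FWSM outside address.
ip route 10.1.10.0 255.255.255.0 192.168.5.2
ip route 10.1.20.0 255.255.255.0 192.168.5.2

! ===== FWSM (module in slot 3) =====
interface Vlan30
 nameif outside
 security-level 0
 ip address 192.168.5.2 255.255.255.252
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
 nameif dmz
 security-level 50
 ip address 10.1.20.1 255.255.255.0
!
! Everything beyond the MSFC is reached via the Vlan30 peer.
route outside 0.0.0.0 0.0.0.0 192.168.5.1 1
!
! Unlike PIX/ASA, the FWSM permits no through traffic, even high-to-low,
! until an access-list is applied; keep it to the subnets you own.
access-list inside_in extended permit ip 10.1.10.0 255.255.255.0 any
access-group inside_in in interface inside
!
! Allow the MSFC (and only the MSFC) to ping the outside interface for testing.
icmp permit host 192.168.5.1 outside
```

After applying this, "show interface" on the FWSM should list Vlan30 as up, and a ping from the MSFC to 192.168.5.2 confirms the glue VLAN before any routing is tested.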

jfraasch Thu, 09/03/2009 - 06:42

I think you might be one step ahead of me here. I am unable to ping on VLAN2.

I have:

MSFC:
Interface VLAN 2
 ip address 10.10.10.1 255.255.255.0

FWSM:
Interface VLAN 2
 name MNGT
 security-level 100
 ip address 10.10.10.3 255.255.255.0

I can't ping between the two. I believe the IOS needs just to know that I have that IP on the FWSM...I am not sure how to make that happen. Your other examples showed how to allocate VLANs to the FWSM and how to route, but I think this is just the basic, "hey, we need to know you exist" kind of config that I am looking for.

The documentation I have seen seems to skip this basic step.

Thanks.

James

Correct Answer
Jon Marshall Thu, 09/03/2009 - 07:20

James

Can you change vlan 2 interface to outside on the FWSM, i.e.

interface vlan 2
 name outside
 security-level 0
 ip address 10.10.10.3 255.255.255.0

then can you also check you have vlan 2 created on the 6500 switch, i.e.

6500# sh vlan

do you see vlan 2 in the output?

run a "sh interface" on the FWSM and see if vlan 2 interface is up.

If it is and vlan 2 is created, try pinging again. If it still doesn't work, add this to the FWSM config -

icmp permit any outside

and try pinging again.

This doc covers the initial setup including the outside interface -

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00808b4d9f.shtml

Jon

jfraasch Thu, 09/03/2009 - 07:34

I did a debug of the ICMP and it was being denied so I suspect it had to do with the ICMP permit any outside command. I had added an IP-ANY-ANY access group and put it on the Mngt interface but ICMP still came back as being denied.

The VLAN was created on the 6500 already so basically changing the name to "outside" and creating the correct access list did the trick.

Good times. Only three more of these things to upgrade!
