09-03-2009 05:38 AM - edited 03-11-2019 09:12 AM
I have a 6513 with a simple config setup with just two VLANs.
VLAN1- IP 10.210.36.1/24
VLAN2- IP 10.10.10.1/24
I just want to upgrade the code on the FWSM to the latest. I put Int VLAN2 on FWSM with IP of 10.10.10.2/24.
This is first time with FWSM. It seems like the FW does not have a route to the MSFC on the 6500.
Can someone give me the basic config to get the FWSM to talk to the switch?
Thanks.
James
09-03-2009 05:41 AM
James
Have a look at this thread i did a while back and see if it helps. Feel free to come back with further questions -
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40.2cbef1c1/5#selected_message
Jon
09-03-2009 05:58 AM
Looks good. I am going to go try it now.
What it looks like is that the FWSM will contain the VLAN/IP address information and in the IOS on the 6500 I will allocate certain VLANs to be handled by the FWSM.
So I could technically add a third VLAN on the FWSM. The routing on this is sort of fuzzy for me though.
If, for instance, I create the VLAN on the FWSM, allocate VLAN in my IOS, where is my static route pointing to? The FWSM won't know about any other VLAN besides the one I configure on it. And my IOS/MSFC won't have an IP on it to have the FWSM point to for routing. I think I am missing a small piece.
Thanks so far. Like I said, I am going to go change the config and see what happens.
James
09-03-2009 06:13 AM
James
You have to have a vlan that "connects" the MSFC to FWSM. So let's say you want to firewall vlan 10 and vlan 20 -
MSFC -> vlan 30 -> outside (FWSM) -> vlans 10/20
you would use a new vlan to simply connect the MSFC to the outside of the FWSM, in the above example vlan 30.
So let's assume you have
MSFC
int vlan 30
ip address 192.168.5.1 255.255.255.252
FWSM
outside interface -> 192.168.5.2 255.255.255.252
then on the MSFC you would simply add static routes for vlan 10 and vlan 20 subnets -
ip route v10-subnet
ip route v20-subnet
See other thread for more details on this.
Jon
09-03-2009 06:42 AM
I think you might be one step ahead of me here. I am unable to ping on VLAN2.
I have:
MSFC:
Interface VLAN 2
ip address 10.10.10.1 255.255.255.0
FWSM:
Interface VLAN 2
name MNGT
security-level 100
ip address 10.10.10.3 255.255.255.0
I can't ping between the two. I believe the IOS needs just to know that I have that IP on the FWSM...I am not sure how to make that happen. Your other examples showed how to allocate VLANs to the FWSM and how to route, but I think this is just the basic, "hey, we need to know you exist" kind of config that I am looking for.
The documentation I have seen seems to skip this basic step.
Thanks.
James
09-03-2009 07:20 AM
James
Can you change vlan 2 interface to outside on the FWSM, i.e.
interface vlan 2
name outside
security-level 0
ip address 10.10.10.3 255.255.255.0
then can you also check you have vlan 2 created on the 6500 switch, i.e.
6500# sh vlan
do you see vlan 2 in the output?
run a "sh interface" on the FWSM and see if vlan 2 interface is up.
If it is and vlan 2 is created try pinging again. If it still doesn't work add this to FWSM config -
icmp permit any outside
and try pinging again.
This doc covers the initial setup including the outside interface -
Jon
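Jon's shared-VLAN design (vlan 30 between the MSFC and the FWSM outside, vlans 10/20 behind the module) and his fix above (outside interface at security-level 0 plus icmp permit) put together as one worked configuration. This is an added example, not config from either poster; the module slot (3), the vlan 10/20 subnets (192.168.10.0/24 and 192.168.20.0/24), the nameif labels and FWSM 3.x single-context syntax are all assumptions.

```cisco
! ---- MSFC / 6500 supervisor side (constructed example) ----
! VLANs 10, 20 and 30 must exist in the VLAN database before the
! module can use them; "sh vlan" on the 6500 confirms this.
vlan 10,20,30
!
! Hand the VLANs to the module (slot 3 assumed). Only vlan 30 also gets
! an SVI on the MSFC; vlans 10/20 are routed by the FWSM, so they get
! NO "interface Vlan" here.
firewall vlan-group 1 10,20,30
firewall module 3 vlan-group 1
!
interface Vlan30
 description link to FWSM outside
 ip address 192.168.5.1 255.255.255.252
!
! Static routes for the firewalled subnets point at the FWSM outside IP.
ip route 192.168.10.0 255.255.255.0 192.168.5.2
ip route 192.168.20.0 255.255.255.0 192.168.5.2

! ---- FWSM side (FWSM 3.x syntax, single context) ----
interface Vlan30
 nameif outside
 security-level 0
 ip address 192.168.5.2 255.255.255.252
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
! Anything not directly connected goes back to the MSFC.
route outside 0.0.0.0 0.0.0.0 192.168.5.1
!
! The FWSM drops ICMP aimed at its own interfaces unless permitted;
! this is what made the MSFC->FWSM ping fail in the thread.
icmp permit any outside
!
! Unlike a PIX/ASA, the FWSM denies traffic THROUGH it on every interface,
! even high-to-low, until an ACL allows it. A permit ip any any (the
! "IP-ANY-ANY" James mentions) gets traffic flowing; tighten it afterwards.
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
!
! Checks: "show interface" on the FWSM shows Vlan30 up, and
! "ping 192.168.5.1" from the FWSM should get replies from the MSFC.
```

NAT policy for traffic through the module (if nat-control is on) is outside what this thread covers and is not shown.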
09-03-2009 07:34 AM
I did a debug of the ICMP and it was being denied so I suspect it had to do with the ICMP permit any outside command. I had added an IP-ANY-ANY access group and put it on the Mngt interface but ICMP still came back as being denied.
The VLAN was created on the 6500 already so basically changing the name to "outside" and creating the correct access list did the trick.
Good times. Only three more of these things to upgrade!
09-03-2009 07:36 AM
Glad to have helped.
Jon