11-11-2009 05:19 AM - edited 03-06-2019 08:33 AM
I have a bunch of VLANs configured on my 6513 FWSM. I wanted all my VLANs to be on there, but I just found out a requirement to run IRDP. Since IRDP can only be run on a router interface, I had to take this VLAN off the FWSM and put it on the MSFC.
How do I now connect to the servers in the VLANs on the FWSM?
I have VLAN2 on both the MSFC and the FWSM and they can ping. But from the MSFC I cannot ping any of the other VLAN interfaces on the FWSM.
I put a static route on the MSFC to point to the VLAN2 interface on the FWSM for the subnet but to no avail.
I have attached the relevant show run output for the 6513 and the entire show run from the FWSM.
The goal is to allow vlan 150 on the MSFC to have access to all the vlans on the FWSM.
James
11-11-2009 05:24 AM
Hi James
Just to cover some basics: as the FWSM is just a module version of the ASA, have you checked the security levels on the interfaces, and if you have ACLs, have you checked that ICMP is allowed?
Could you dump as much of the FWSM config as possible so we can check it out as well.
11-11-2009 05:26 AM
The config for both 6513 and the FWSM (just scroll down a bit) are attached.
I hadn't changed the security level on the interfaces to match yet but will do that now.
My initial concern was just trying to ping the VLAN100 interface on the FWSM from the MSFC or from the user VLAN150 on the MSFC.
11-11-2009 05:28 AM
Hello James,
>> I have VLAN2 on both the MSFC and the FWSM and they can ping. But from the MSFC I cannot ping any of the other VLAN interfaces on the FWSM.
this is correct because it is a firewall.
On the MSFC you need specific static routes for all IP subnets on VLANs on other FWSM interfaces.
You then need the ACL applied to the outside interface (vlan 2) to permit what you need.
Example: net 10.0.0.0/8 can access the web servers in 10.72.25.0/24:
access-list outside line 1 extended permit tcp 10.0.0.0 255.0.0.0 10.72.25.0 255.255.255.0 eq www
Most of the job on the FWSM then becomes opening connections to servers inside.
the same idea applies to FWSM in multicontext mode where it needs to be replicated in each context.
Edit:
To ping vlan 100 you need to allow it on the access-list applied to the outside (vlan 2) interface.
Hope to help
Giuseppe
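The routing-plus-ACL layout Giuseppe describes, written out as an added example (it is not config from the original post or from the attached show run). All addresses are assumptions chosen for illustration: MSFC VLAN 2 SVI 10.0.2.1/24, FWSM outside (vlan 2) 10.0.2.2, FWSM vlan 100 10.72.25.1/24 fronting the web servers in 10.72.25.0/24, and user VLAN 150 as 10.0.150.0/24 on the MSFC. Two FWSM-specific points the example reflects: unlike the ASA, the FWSM permits nothing in either direction without an ACL, so the higher-security vlan 100 interface needs one too; and interface ACLs govern traffic *through* the FWSM to the servers, while pings addressed to an FWSM interface IP are handled by the `icmp` command and only answered on the interface the packet arrives on.

```cisco
! ===== MSFC (IOS) =====
! SVI that shares VLAN 2 with the FWSM outside interface (assumed addresses)
interface Vlan2
 ip address 10.0.2.1 255.255.255.0
!
! User VLAN that should reach the servers behind the FWSM
interface Vlan150
 ip address 10.0.150.1 255.255.255.0
!
! One static route per server subnet living behind the FWSM,
! next hop = FWSM outside (vlan 2) address
ip route 10.72.25.0 255.255.255.0 10.0.2.2

! ===== FWSM =====
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.2.2 255.255.255.0
!
interface Vlan100
 nameif vlan100
 security-level 100
 ip address 10.72.25.1 255.255.255.0
!
! Return path for the user VLAN: hand it back to the MSFC on VLAN 2
route outside 10.0.150.0 255.255.255.0 10.0.2.1 1
!
! Inbound on outside: only what the users actually need to reach
access-list outside extended permit tcp 10.0.0.0 255.0.0.0 10.72.25.0 255.255.255.0 eq www
access-list outside extended permit icmp 10.0.0.0 255.0.0.0 10.72.25.0 255.255.255.0 echo
access-group outside in interface outside
!
! FWSM has no implicit higher-to-lower permit: the server side needs an ACL
! for the echo-replies and web responses to leave (ICMP is not stateful
! here unless inspect icmp is enabled)
access-list vlan100 extended permit ip 10.72.25.0 255.255.255.0 any
access-group vlan100 in interface vlan100
!
! Allows hosts in 10.0.0.0/8 to ping the outside interface address itself
icmp permit 10.0.0.0 255.0.0.0 outside
```

If `nat-control` is enabled on the FWSM, an identity NAT (`nat (vlan100) 0 access-list ...` or `static`) for 10.72.25.0/24 is also required before traffic will pass; with it disabled, routes and ACLs alone are enough. Verify with `show route` on the FWSM and `show access-list outside` to confirm the hit counts move when a user in VLAN 150 browses to a server.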
11-11-2009 05:31 AM
Giuseppe,
Thanks for the reply.
I do have the static route in place (pointed to the VLAN2 interface and that pings fine).
Also, I have an ip any any access list on the outside interface to allow any ip.