tdennehy wrote:
Are there any pros and cons to the way an FWSM can be implemented in a 6509?
For instance, our WLAN deployment sits on four WiSMs in a 6509. We have a FWSM in the 6509 with an inside and outside VLAN, and a static route pointing to the inside of the FWSM from the 6509. All traffic goes to the interface of the FWSM, gets PAT'd out through one IP address and that's it.
I have been reading that I can move the gateway addresses to the FWSM from the 6509 and PAT each range out through the FWSM, but this time I would PAT each VLAN out through its own IP address.
I'm wondering if there are any advantages or disadvantages. The latter description would be a lot more work, but provide more granularity. I can also simply change our current deployment to PAT each VLAN out through its own mapped IP address.
Either way will result in traffic flowing, but is there a "more right" way to do this?
Thanks,
Tim
Tim
So you have -
vlans -> (inside) FWSM (outside) -> MSFC ?
Edit - sorry meant to be -
vlans -> MSFC -> (inside) FWSM (outside)
If so the deployment o the FWSM is nothing really to do with PAT. You wouldn't need to move the gateways to the FWSM to be able to PAT each vlan to a different PAT address ie.
nat (inside) 1 172.16.5.0 255.255.255.0
nat (inside) 2 172.16.6.0 255.255.255.0
global (outside) 1 PAT1
global (outside) 2 PAT2
the above would translate the 2 separate vlans to different PAT addresses.
Whether to have the gateways for the vlans on the FWSM or the MSFC is to do with whether you want/need to firewall between those vlans. If you don't then you don't need to have their gateways on the FWSM.
If i have misunderstood your topology or question then please clarify.
Jon
