FWSM MSFC vs. external router?

Unanswered Question
Mar 13th, 2010

Can I do the following using an external router instead of the MSFC?  I have the exact scenario that's discussed, but it's not clear as to whether I can use a dedicated router for that purpose.


(See Figure 1-3)

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/overvw.html#wp1137474


Will the FWSM classifier still perform as expected if the ingress traffic is not coming from the MSFC?


Thank you.

Jon Marshall Sat, 03/13/2010 - 02:48
robdog01 wrote:

Can I do the following using an external router instead of the MSFC?  I have the exact scenario that's discussed, but it's not clear as to whether I can use a dedicated router for that purpose.

(See Figure 1-3)

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/overvw.html#wp1137474

Will the FWSM classifier still perform as expected if the ingress traffic is not coming from the MSFC?

Thank you.

Yes, you should be fine with that. The scenario in the link you gave is simply showing a shared outside VLAN, so a router with an interface in that VLAN will do just the same as the MSFC.


Jon

robdog01 Sat, 03/13/2010 - 08:56
That's what I figured, but it's not working for me...  If I use the MSFC, everything works fine.  Once I switch to an external router, I have really sporadic outbound access from behind the FWSM contexts.


From what I understood, the MSFC and FWSM coordinate the ingress traffic so that it lands on the appropriate virtual context.  It certainly seems like that's what's happening, but I'm looking for others who have firsthand experience with this and can share in my frustration.



Here is the configuration on the switch:


interface GigabitEthernet4/47
description To xxx router, inside interface (Internet router)
switchport
switchport access vlan 2
switchport mode access
logging event link-status
speed 100
duplex full
end



On the upstream router (cat3750):


ip route 0.0.0.0 0.0.0.0 1.1.1.229


interface FastEthernet1/0/2
description ISP Uplink
no switchport
ip address 1.1.1.230 255.255.255.252
ip access-group 101 in
speed 100
duplex full
end

!
interface FastEthernet1/0/10
description Internet routable /24 subnet
no switchport
ip address 2.2.2.1 255.255.255.0
ip access-group 102 in
speed 100
duplex full
end



Simple access lists to deny management traffic to those interfaces:

access-list 101 remark deny any management access to the external interface
access-list 101 deny   tcp any host 1.1.1.230 eq 22
access-list 101 deny   tcp any host 1.1.1.230 eq telnet
access-list 101 deny   tcp any host 1.1.1.230 eq www
access-list 101 deny   tcp any host 1.1.1.230 eq 443
access-list 101 deny   tcp any host 1.1.1.230 eq ftp
access-list 101 deny   tcp any host 1.1.1.230 eq ftp-data
access-list 101 deny   udp any host 1.1.1.230 eq snmp
access-list 101 deny   udp any host 1.1.1.230 eq snmptrap
access-list 101 remark deny any management access to the internal interface
access-list 101 deny   tcp any host 2.2.2.1 eq 22
access-list 101 deny   tcp any host 2.2.2.1 eq telnet
access-list 101 deny   tcp any host 2.2.2.1 eq www
access-list 101 deny   tcp any host 2.2.2.1 eq 443
access-list 101 deny   tcp any host 2.2.2.1 eq ftp-data
access-list 101 deny   tcp any host 2.2.2.1 eq ftp
access-list 101 deny   udp any host 2.2.2.1 eq snmp
access-list 101 deny   udp any host 2.2.2.1 eq snmptrap
access-list 101 permit ip any any


access-list 102 remark deny any management access to the internal interface
access-list 102 deny   tcp any host 2.2.2.1 eq 22
access-list 102 deny   tcp any host 2.2.2.1 eq telnet
access-list 102 deny   tcp any host 2.2.2.1 eq www
access-list 102 deny   tcp any host 2.2.2.1 eq 443
access-list 102 deny   tcp any host 2.2.2.1 eq ftp-data
access-list 102 deny   tcp any host 2.2.2.1 eq ftp
access-list 102 deny   udp any host 2.2.2.1 eq snmp
access-list 102 deny   udp any host 2.2.2.1 eq snmptrap
access-list 102 remark deny any management access to the external interface
access-list 102 deny   tcp any host 1.1.1.230 eq 22
access-list 102 deny   tcp any host 1.1.1.230 eq telnet
access-list 102 deny   tcp any host 1.1.1.230 eq www
access-list 102 deny   tcp any host 1.1.1.230 eq 443
access-list 102 deny   tcp any host 1.1.1.230 eq ftp
access-list 102 deny   tcp any host 1.1.1.230 eq ftp-data
access-list 102 deny   udp any host 1.1.1.230 eq snmp
access-list 102 deny   udp any host 1.1.1.230 eq snmptrap
access-list 102 permit ip any any


Thanks,

Rob.
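The two access lists above are evaluated top-down with first-match semantics and an implicit deny at the end, so whether a given packet reaches the router's own addresses (or passes through it) depends on the order of the entries. The following is an added example, not code from the thread or from Cisco: a small parser for IOS extended access-list lines in the format posted above and an evaluator that reports which entry a packet hits. The ACL text embedded in it is a trimmed copy of ACL 101 from the thread (same sanitised addresses 1.1.1.230 and 2.2.2.1); the packets it is run against are constructed. The port-name table covers only the keywords that appear on this page plus a few common ones.

```python
"""Parse IOS extended ACL lines and evaluate packets against them (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress

# IOS port keywords used in the thread's ACLs, plus a few common ones.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
              "domain": 53, "www": 80, "snmp": 161, "snmptrap": 162}

# Trimmed copy of ACL 101 from the thread (constructed sample input).
ACL_101 = """\
access-list 101 remark deny any management access to the external interface
access-list 101 deny   tcp any host 1.1.1.230 eq 22
access-list 101 deny   tcp any host 1.1.1.230 eq telnet
access-list 101 deny   tcp any host 1.1.1.230 eq www
access-list 101 deny   tcp any host 1.1.1.230 eq 443
access-list 101 deny   udp any host 1.1.1.230 eq snmp
access-list 101 remark deny any management access to the internal interface
access-list 101 deny   tcp any host 2.2.2.1 eq 22
access-list 101 deny   tcp any host 2.2.2.1 eq telnet
access-list 101 deny   udp any host 2.2.2.1 eq snmp
access-list 101 permit ip any any
"""


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None      # "eq" qualifier after the source, if any
    dport: Optional[int] = None      # "eq" qualifier after the destination, if any


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(toks: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Read an address spec starting at toks[i]: 'any', 'host A', or 'A WILDCARD'."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    # IOS wildcard masks are the bitwise inverse of a netmask.
    wildcard = int(ipaddress.ip_address(toks[i + 1]))
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{toks[i]}/{netmask}", strict=False), i + 2


def parse_acl(text: str) -> Dict[str, List[Ace]]:
    """Return {acl_number: [Ace, ...]} in the order the lines appear. Remarks are skipped."""
    acls: Dict[str, List[Ace]] = {}
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 3 or toks[0] != "access-list":
            continue
        entries = acls.setdefault(toks[1], [])
        if toks[2] == "remark":
            continue
        action, proto = toks[2], toks[3]
        src, i = _addr(toks, 4)
        sport = None
        if i < len(toks) and toks[i] == "eq":
            sport, i = _port(toks[i + 1]), i + 2
        dst, i = _addr(toks, i)
        dport = None
        if i < len(toks) and toks[i] == "eq":
            dport, i = _port(toks[i + 1]), i + 2
        entries.append(Ace(action, proto, src, dst, sport, dport))
    return acls


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None, sport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, 1-based entry number); (deny, None) is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(aces, 1):
        if ace.proto != "ip" and ace.proto != proto:   # an 'ip' entry matches every protocol
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_101)["101"]
    for pkt in [("tcp", "198.51.100.9", "1.1.1.230", 22),    # SSH to the ISP-facing address
                ("tcp", "198.51.100.9", "2.2.2.50", 22),     # SSH through the router to a host on the /24
                ("udp", "198.51.100.9", "2.2.2.1", 161),     # SNMP to the inside address
                ("tcp", "198.51.100.9", "1.1.1.230", 8080)]: # non-management port on the router itself
        print(pkt, "->", evaluate(acl, *pkt))
```

Running it shows the property a reviewer would check on these lists: only the router's own two addresses are shielded from management protocols, while traffic to anything else on 2.2.2.0/24 falls through to the final `permit ip any any`.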

Jon Marshall Sun, 03/14/2010 - 09:38

Rob


Strange, my understanding was that the classifier was an FWSM thing and not related to the MSFC at all. Let me do a little digging and see if I can come up with anything.


Jon
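To make Jon's point concrete, here is an added example (not Cisco code and not from the thread) that models how a multiple-context FWSM decides which context an ingress packet belongs to. The order of checks follows the FWSM configuration guide's description of packet classification: a VLAN allocated to exactly one context selects that context; on a shared VLAN, the destination address is matched against the global NAT addresses each context owns there; a packet matching no context is dropped. Nothing in that decision depends on whether the device feeding the shared VLAN is the MSFC or an external router, because the classifier only sees the packet's VLAN and destination address. All context names, VLAN numbers and addresses below are constructed; the model omits the MAC-address check the real classifier also has.

```python
"""Simplified model of FWSM multiple-context packet classification (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
import ipaddress


@dataclass
class Context:
    name: str
    vlans: Set[int]                                   # VLAN interfaces allocated to this context
    # VLAN -> global (translated) addresses this context owns on that VLAN
    globals_on: Dict[int, Tuple[str, ...]] = field(default_factory=dict)


class Classifier:
    def __init__(self, contexts: List[Context]):
        # VLAN -> contexts that have an interface on it (more than one = shared VLAN)
        self.owners: Dict[int, List[Context]] = {}
        for ctx in contexts:
            for vlan in ctx.vlans:
                self.owners.setdefault(vlan, []).append(ctx)

    def classify(self, vlan: int, dst_ip: str) -> Optional[str]:
        """Return the name of the context that receives the packet, or None if it is dropped."""
        owners = self.owners.get(vlan, [])
        if not owners:
            return None                      # VLAN is not assigned to the FWSM at all
        if len(owners) == 1:
            return owners[0].name            # unique interface: no NAT lookup needed
        dst = ipaddress.ip_address(dst_ip)   # shared interface: classify by destination address
        hits = [ctx for ctx in owners
                if any(dst in ipaddress.ip_network(g, strict=False)
                       for g in ctx.globals_on.get(vlan, ()))]
        if len(hits) == 1:
            return hits[0].name
        return None                          # no context (or more than one) claims the address


# Constructed sample: VLAN 2 is the shared outside VLAN, VLANs 10 and 20 are per-context inside VLANs.
FWSM = Classifier([
    Context("ctxA", {2, 10}, {2: ("203.0.113.10/32", "203.0.113.11/32")}),
    Context("ctxB", {2, 20}, {2: ("203.0.113.20/32",)}),
])


def walk(classifier: Classifier, packets: List[Tuple[int, str]]) -> List[Optional[str]]:
    """Classify a list of (ingress VLAN, destination IP) pairs."""
    return [classifier.classify(vlan, dst) for vlan, dst in packets]


if __name__ == "__main__":
    samples = [(10, "198.51.100.5"),    # from ctxA's inside VLAN: unique interface
               (2, "203.0.113.10"),     # return traffic on the shared VLAN for ctxA's global
               (2, "203.0.113.20"),     # return traffic on the shared VLAN for ctxB's global
               (2, "203.0.113.99")]     # shared VLAN, address no context owns: dropped
    for pkt, ctx in zip(samples, walk(FWSM, samples)):
        print(pkt, "->", ctx)
```

The last sample is the case worth checking on a shared outside VLAN: a destination address that no context translates to is not delivered anywhere, regardless of which router forwarded it, so return traffic that lands outside a context's configured global addresses never reaches the inside.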

robdog01 Mon, 03/15/2010 - 16:15

Thanks.  For now, I'm using the MSFC, but will need to use an external router in the next few months due to needing to use subinterfaces as well as tying into other networks that I don't want the 6500 connected to.


Rob.
