Firewall Service Module Cat6k

Jan 29th, 2003
Hello,

We are trying to install a Firewall Service Module in a Cat6k with Sup2 and MSFC2. We must do it with CatOS (7.5(1)).

MSFC2 works like an inside router and routes traffic between its connected VLANs. The firewall module routes traffic between secure segments (inside-outside, dmz-outside, etc.).

But we don't know how to connect the MSFC with the firewall module. In other words, we need a default route in the MSFC pointing to the inside IP of the firewall.

You cannot configure a VLAN in the MSFC if this VLAN is a firewall-vlan, so how could we configure one VLAN between the MSFC and firewall modules?

Thanks in advance.

b.speltz Tue, 02/04/2003 - 12:51

I think it's possible to configure a firewall-VLAN; you must configure a controlled VLAN (SVI) on the MSFC or you will be unable to configure VLANs on the module. For the complete configuration steps, take a look at the following URL:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_installation_and_configuration_guide_chapter09186a00800e3b61.html

hampton Tue, 02/04/2003 - 18:44

Are you sure you wouldn't connect to the outside interface? If you think of it logically you are going from LAN->router->outside->inside->LAN right?

If that's the case you need to use the outside VLAN and create a route from that network to the inside network's VLAN.

Say your inside VLAN is VLAN 10 and your outside VLAN is VLAN 20.

Your private inside LAN is 192.168.1.0/24

(Sorry, this is IOS, not CatOS, but you should see the idea)

!
firewall module 6 vlan-group 10
firewall vlan-group 10 10,20
!
interface GigabitEthernet1/2
 no ip address
 switchport
 switchport access vlan 10
!
interface Vlan10
 no ip address
!
interface Vlan20
 ip address 192.168.101.1 255.255.255.0
!
ip route 192.168.1.0 255.255.255.0 192.168.101.2

and in the FWSM PIX looks like this:

nameif vlan10 inside security100
nameif vlan20 outside security0
ip address inside 192.168.1.1 255.255.255.0
ip address outside 192.168.101.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.101.1 1

Whenever I need to get to the private LAN 192.168.1.0/24 I get routed through the 192.168.101.0/24 network, which is a network that's only used to route the traffic through the MSFC into the FWSM.
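
A consistency check for the two configurations in the post above, as an added example that is not part of the original thread: it confirms that the MSFC has an addressed SVI on exactly one firewall VLAN, that its static routes to the other FWSM networks point at the FWSM address on that VLAN, and that the FWSM routes back via the MSFC. The function names and the parsing are assumptions for illustration and handle only the command forms shown in the post.

```python
import ipaddress
import re
# Constructed input: the MSFC and FWSM lines from the post above.
MSFC = """\
interface Vlan10
 no ip address
!
interface Vlan20
 ip address 192.168.101.1 255.255.255.0
!
ip route 192.168.1.0 255.255.255.0 192.168.101.2
"""
FWSM = """\
nameif vlan10 inside security100
nameif vlan20 outside security0
ip address inside 192.168.1.1 255.255.255.0
ip address outside 192.168.101.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.101.1 1
"""

def iface(ip, mask):
    return ipaddress.ip_interface(f"{ip}/{mask}")

def check(msfc, fwsm):
    """Return a list of mismatches between the two configs (empty = consistent)."""
    svis = {}  # MSFC VLAN interfaces that carry an address
    for block in msfc.split("!"):
        v = re.search(r"^interface Vlan(\d+)", block, re.M)
        a = re.search(r"^\s*ip address (\S+) (\S+)", block, re.M)
        if v and a:
            svis[int(v.group(1))] = iface(*a.groups())
    routes = [(iface(n, m).network, hop) for n, m, hop in
              re.findall(r"^ip route (\S+) (\S+) (\S+)", msfc, re.M)]
    vlans = {name: int(v) for v, name in re.findall(r"^nameif vlan(\d+) (\S+)", fwsm, re.M)}
    addrs = {n: iface(ip, m) for n, ip, m in re.findall(r"^ip address (\S+) (\S+) (\S+)", fwsm, re.M)}
    fw_routes = re.findall(r"^route (\S+) \S+ \S+ (\S+)", fwsm, re.M)
    # As in the post, the MSFC should meet the FWSM on exactly one VLAN.
    shared = [n for n, v in vlans.items() if v in svis and n in addrs]
    if len(shared) != 1:
        return [f"expected 1 addressed MSFC SVI on a firewall VLAN, found {len(shared)}"]
    name = shared[0]
    svi, fw = svis[vlans[name]], addrs[name]
    problems = [] if svi.network == fw.network else [f"Vlan{vlans[name]}: MSFC and FWSM subnets differ"]
    for other, a in addrs.items():
        if other != name and (a.network, str(fw.ip)) not in routes:
            problems.append(f"MSFC lacks a route to {a.network} via {fw.ip}")
    if (name, str(svi.ip)) not in fw_routes:
        problems.append(f"FWSM lacks a route on {name} via {svi.ip}")
    return problems
```

`check(MSFC, FWSM)` returns an empty list for the configuration as posted; giving Vlan10 an address on the MSFC as well is reported, since the MSFC would then sit on both sides of the firewall.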

miquel Tue, 02/11/2003 - 02:26

Hello,

At last we have the solution; see above the steps for configuration:

1- Create routable VLAN interfaces in the MSFC (interface vlan x) and put them in the inactive state with shutdown.

2- Use "set vlan x firewall-vlan mod" to secure vlan x.

3- Reset the firewall module. (This was the step that we did not know.)

4- Then, in the MSFC, put vlan x in the active state with "no shut".

Then interface vlan 50 comes up and we have connectivity between the MSFC and the FWSM.

Thanks.
