Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
407
Views
0
Helpful
3
Replies

Firewall Service Module Cat6k

miquel
Level 1
Level 1

‎01-29-2003 09:00 AM - edited ‎03-09-2019 01:53 AM

Hello,

We are trying to install a Firewall Service Module in a Cat6k with Sup2 and MSFC2. We must do it with CatOS (7.5(1)).

MSFC2 works like an inside router and routes traffic between its connected vlans. Firewall module routes traffic between secure segments (inside-outside, dmz-outside, etc...)

But we don't know how to connect msfc with firewall module. In other words, we need a default route in msfc pointing to inside IP of the firewall.

You can not configure a vlan in msfc if this vlan is a firewall-vlan, so how could we configure one vlan between msfc and firewall modules?

Thanks in advance.

Labels:
0 Helpful
3 Replies 3

b.speltz
Level 4
Level 4

‎02-04-2003 12:51 PM

I think its possible to configure a firewall-Vlan, you must configure a controlled VLAN (SVI) on the MSFC or you will be unable to configure VLANs on the module. For a complete configuration step take a look at the following URL

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_installation_and_configuration_guide_chapter09186a00800e3b61.html

0 Helpful

hampton
Level 1
Level 1

‎02-04-2003 06:44 PM

Are you sure you wouldn't connect to the outside interface? If you think of it logically you are going from LAN->router->outside->inside->LAN right?

If that's the case you need to use the outside VLAN and create a route from that network to the inside network's VLAN.

Say your inside VLAN is VLAN 10 and your outside VLAN is VLAN 20.

Your private inside LAN is 192.168.1.0/24

(Sorry, this is IOS, not CatOS, but you should see the idea)

!

firewall module 6 vlan-group 10

firewall vlan-group 10 10,20

!

interface GigabitEthernet1/2

no ip address

switchport

switchport access vlan 10

!

interface Vlan10

no ip address

!

interface Vlan20

ip address 192.168.101.1 255.255.255.0

!

ip route 192.168.1.0 255.255.255.0 192.168.101.2

and in the FWSM PIX looks like this:

nameif vlan10 inside security100

nameif vlan20 outside security0

ip address inside 192.168.1.1 255.255.255.0

ip address outside 192.168.101.2 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.101.1 1

Whenever I need to get to the private LAN 192.168.1.0/24 I get routed through the 192.168.101.0/24 network, which is a network that's only used to route the traffic through the MSFC into the FWSM.

0 Helpful

miquel
Level 1
Level 1

‎02-11-2003 02:26 AM

Hello,

at last we have the solution, see above the steps for configuration:

1- Create routable VLAN interfaces in MSFC(interface vlan x) and put it to inactive state by shutdown.

2- Use "set vlan x firewall-vlan mod" to secure vlan x.

3- Makes a reset in the firewall module. (This was the step that we did not kneew)

4- Then, in MSFC, put vlan x to active state by "no shut".

Then, interface vlan 50 comes to up and we have connectivity between MSFC an FWSM.

Thanks.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents