2 FWSMs (FW,NAT) in C6509 chassis

Hi,

We have 2 FWSMs [versions: FWSM1: 2.3(4) & FWSM2: 2.3(3)] in C6509 chassis [with IOS version 12.2(18)SXF4]

We have 10Gbps link towards ISP and we would like to use full bandwidth with the 2 FWSMs.

FWSM1 is the main firewall; it has one inside and one ISP interface, and both interfaces have one IP address.

FWSM1 firewalled our network thus far but we run out of IP addresses :(

We have to use the FWSM2 to NAT [translate roughly 1500 IPs/clients] but we have only one IP address towards ISP.

Can we configure the 2 FWSMs side-by-side in C6509 chassis to provide 10Gbps, and stay one IP address towards ISP?

Or should we ask for more IPs from the ISP?

ISP's gw IP (etc.): 10.0.0.213 metric 1 (default gw)

My theory is: http://www.mehok.uni-miskolc.hu/~oreggin/1c6509-2fwsm.txt

Should it work? If it won't, how do we configure the C6509 & FWSMs to work side-by-side?

Thanks,

Gin

2 REPLIES
Re: 2 FWSMs (FW,NAT) in C6509 chassis

Configure the FWSM for either Active/Active or Active/Standby failover and on the primary, configure PAT since you only have one address.

nat (inside) 1 10.0.0.0 255.255.255.0

global (ISP) 1 10.0.0.212

...you can even use the IP address of the mapped interface.

Please rate if you are satisfied.

Cheers!

Re: 2 FWSMs (FW,NAT) in C6509 chassis

Hi,

I worry about the fact that one PAT is not enough to translate ~1500 hosts, but I have some theories to solve this problem.

The first chart is to represent the state of our network today and the extract about the configuration:

http://www.mehok.uni-miskolc.hu/~oreggin/now.png

http://www.mehok.uni-miskolc.hu/~oreggin/now.txt

Well, I don't want to modify the FWSM1 config extremely. I wouldn't like to shut down or reboot FWSM1 until it is unavoidable.

The NA-Translation is allowed to work only on FWSM2. I would like to present my theories:

The first one was tried with PAT, but we ran out of ports.

http://www.mehok.uni-miskolc.hu/~oreggin/theory1.png

http://www.mehok.uni-miskolc.hu/~oreggin/theory1.txt

For the second variation we would need a second IP for it to operate.

http://www.mehok.uni-miskolc.hu/~oreggin/theory2.png

http://www.mehok.uni-miskolc.hu/~oreggin/theory2.txt

The third one was also tried but it didn't operate, perhaps because of bad configs.

http://www.mehok.uni-miskolc.hu/~oreggin/theory3.png

http://www.mehok.uni-miskolc.hu/~oreggin/theory3.txt

What is your opinion about these versions? Which config is the nearest to the right solution?

If these theories wouldn't work, can I combine these configs to reach my goal: a well-working system?

Or could you send me a working example-config to create a third variation.

Thx,

Gin
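The reply suggests PAT behind the single mapped address 10.0.0.212, and the follow-up reports that PAT ran out of ports for ~1500 clients. The script below is an added example written for this thread; it is not FWSM code and not from the original posters. It models a PAT translation table in a simplified way so the port arithmetic behind both posts can be checked: one global IP offers the ports 1024-65535 (64512 ports, an assumption), a flow that finds no free port is dropped, and a second mapped address (the constructed value 10.0.0.211, standing in for the extra IP the second variation needs) doubles the capacity. Inside client addresses in the 10.1.x.x range are constructed; the real FWSM port-selection order and xlate limits are not reproduced.

```python
# Added example, not from the thread or from Cisco: a simplified PAT table
# used to show why one global IP cannot carry ~1500 busy inside hosts.
# Assumption: each global IP offers ports 1024-65535 (64512 ports);
# real FWSM port selection and xlate limits are not modelled.

from dataclasses import dataclass, field

PAT_PORTS = range(1024, 65536)          # assumption: usable PAT ports per global IP


@dataclass
class PatTable:
    """Maps (global_ip, global_port) -> (inside_ip, inside_port)."""
    global_ips: list                     # e.g. ["10.0.0.212"], the address in the reply
    xlate: dict = field(default_factory=dict)
    free: dict = field(init=False)

    def __post_init__(self):
        # Ports are handed out low-to-high; pop() takes from the end, so store reversed.
        self.free = {ip: list(reversed(PAT_PORTS)) for ip in self.global_ips}

    def capacity(self):
        return len(self.global_ips) * len(PAT_PORTS)

    def allocate(self, inside_ip, inside_port):
        """Return (global_ip, global_port), or None when every port is in use."""
        for ip in self.global_ips:
            if self.free[ip]:
                port = self.free[ip].pop()
                self.xlate[(ip, port)] = (inside_ip, inside_port)
                return ip, port
        return None                      # exhausted: the new flow cannot be translated

    def release(self, global_ip, global_port):
        """Connection close or idle timeout returns the port to the pool."""
        self.xlate.pop((global_ip, global_port))
        self.free[global_ip].append(global_port)


def simulate(hosts, conns_per_host, global_ips):
    """Open conns_per_host flows from each of `hosts` inside clients.

    Returns (translated, dropped). Inside addresses are constructed values.
    """
    table = PatTable(list(global_ips))
    translated = dropped = 0
    for h in range(hosts):
        inside_ip = f"10.1.{h // 256}.{h % 256}"     # constructed client address
        for c in range(conns_per_host):
            if table.allocate(inside_ip, 49152 + c) is None:
                dropped += 1
            else:
                translated += 1
    return translated, dropped


def average_flows_per_host(hosts, global_ips):
    """How many simultaneous flows each client can hold on average."""
    return PatTable(list(global_ips)).capacity() // hosts


if __name__ == "__main__":
    one = ["10.0.0.212"]                 # the single mapped address from the reply
    two = ["10.0.0.212", "10.0.0.211"]   # constructed second address (second variation)
    print("flows per host, one IP :", average_flows_per_host(1500, one))   # 43
    print("1500 hosts x 50 flows, one IP :", simulate(1500, 50, one))      # (64512, 10488)
    print("1500 hosts x 50 flows, two IPs:", simulate(1500, 50, two))      # (75000, 0)
```

With one address, 1500 clients average only 43 simultaneous translations each, and at 50 flows per client about 10,500 flows are dropped; the same load fits once a second mapped address is in the global pool. Released ports are reused, so the real limit is on concurrent flows, not on the number of clients.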
