
New Member

2 FWSMs (FW,NAT) in C6509 chassis


We have 2 FWSMs [versions: FWSM1: 2.3(4) & FWSM2: 2.3(3)] in C6509 chassis [with IOS version 12.2(18)SXF4]

We have a 10Gbps link towards the ISP and we would like to use the full bandwidth with the 2 FWSMs.

FWSM1 is the main firewall; it has one inside and one ISP interface, and both interfaces have one IP address.

FWSM1 has firewalled our network thus far, but we ran out of IP addresses :(

We have to use FWSM2 to NAT [translate roughly 1500 IPs/clients] but we have only one IP address towards the ISP.

Can we configure the 2 FWSMs side-by-side in the C6509 chassis to provide 10Gbps, and stay with one IP address towards the ISP?

Or should we ask for more IPs from the ISP?

ISP's gw IP (etc.): metric 1 (default gw)

My theory is:

Should it work? If it won't, how do we configure the C6509 & FWSMs to work side-by-side?



New Member

Re: 2 FWSMs (FW,NAT) in C6509 chassis

Configure the FWSM for either Active/Active or Active/Standby failover and on the primary, configure PAT since you only have one address.

nat (inside) 1

global (ISP) 1 can even use the IP address of the mapped interface

Please rate if you are satisfied.


New Member

Re: 2 FWSMs (FW,NAT) in C6509 chassis


I worry that one PAT is not enough to translate ~1500 hosts, but I have some theories to solve this problem.

The first chart represents the state of our network today, with an extract of the configuration:

Well, I don't want to modify the FWSM1 config extensively. I wouldn't like to shut down or reboot FWSM1 unless it is unavoidable.

The NAT is allowed to work only on FWSM2. I would like to present my theories:

The first one was tried with PAT, but we ran out of ports.

For the second variation we need a second IP if it is to operate.

The third one was also tried but it didn't operate, perhaps because of bad configs.

What is your opinion about these versions? Which config is the nearest to the right solution?

If these theories wouldn't work, can I combine these configs to reach my goal: a well-working system?

Or could you send me a working example config to create a third variation?


