Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Assistance in FWSM Configuration


Execuse me, I am new to FWSM but I already have good experience with ASA; I have a deployment for FWSM as follows and I need to consult with you on certain points:

A- The requirement is to create two contexts "FWA" and "FWB" alongwith

Admin Context as "admin".

B- We want to share resources between contexts FWA and FWB. Requirement is that we want to have a production context (FWA) and a staging context (FWB) where staging context will be used to test any service before putting into production.

C- This way both the contexts will have exactly same configuration with same interfaces with identical VLANs and similar Access lists, except the IP


My queries are:

1- With FWSM, do I need to enable inter-VLAN routing in my core switch or the default gateway of my clients will be the FWSM intefaces?

2- I recall in ASA and PIX ver 7.x, the multiple context configuration had some limitations when configured to protect the same subnets (e.g. when configuring the same static NATing rule on the 1st context and configuring the same rule on the 2nd context, I used to get an error message related to duplicate rules), so have you come across a similar error and is this an issue with FWSM?

3- Can my requirements mentioned above be achieved with FWSM or will I come across some limitations? BTW, I run SW 2.3(2) in my FWSM.

Thanking in advance.


Hall of Fame Super Blue

Re: Assistance in FWSM Configuration

1) Any servers/clients that you need to firewall will have their default gateway on the FWSM and not on the MSFC. If you put the default gateway on the MSFC for a firewalled vlan then you are not firewalling it, you just route around the FWSM.

However any clients that need to access the firewalled servers will need to know how to route to the servers. If you are using multiple contexts you are restricted to static routing.

What we have here is 2 x 6500 each with an FWSM. We have one vlan shared for all the outside interfaces on our contexts eg.

Vlan 3 (shared vlan between MSFC's and FWSM's). Each MSFC has a vlan 3 interface with an address from the vlan 3's subnet range (+HSRP). Then each context uses two more addresses (1 active/1 failover) from the same vlan.

We then add static routes (redistributed into EIGRP) to the MSFC's for the firewalled vlans pointing to the outside interface of the relevant context.

2) Could you clarify a bit more. You say you want to use the same vlans but with different IP addressing. Not sure what you mean. If you use different IP addressing then why do you need to use identical vlans.

If you use the same vlans for the DMZ interfaces ie. share them, then you may well come across problems with the FWSM classifier. But if you are going to use separate addressing would you not use different vlan numbers ??


New Member

Re: Assistance in FWSM Configuration

Hi Jon,

Thanks for your response.. However, I need to clarify from you one thing regarding the 1st point and answer your question regarding the 2ns point:

1) I have 2 points:

1-a) Why do you need to add a static route here in your MSFC to point to the outside VLAN when this VLAN is directly connected?

1-b) Where do I need to configure routes when using FWSM, is it on the MSFC itself or in the FWSM?

2) Clarifying my point and answering your question:

I mean here by different IP addresses is that each conext will have a different IP address from the same VLAN, so the production servers will use the IP address of the 1st conext as their GW while the staging servers will use the 2nd context as their GW for testing purposes. Will this cause problems?



Hall of Fame Super Blue

Re: Assistance in FWSM Configuration


You don't need a static route for the outside vlan subnet.

An example might help: lets say you add a DMZ to context "A" on the FWSM with a subnet range of

Your outside vlan range is and the IP address that context "A" uses is

Now all your other routers will know about the network because as you rightly say the MSFC on the 6500 will advertise it.

But there is no MSFC interface for (your DMZ) because that interface only exists on the FWSM. So you would need the following on your MSFC

ip route

This static route would then need redistributing into whatever routing protocol you are running so that all your other routers know about the network.

If you were running the FWSM in single context mode you can use OSPF or RIP on the FWSM to propogate DMZ routes.

2) Yes it may well cause problems because if the vlan is the same the classifier has to use the destination IP address and going from behind the FWSM to the outside could cause problems. I would recommend having a read of the FWSM config manual (see link below )- look at the section on contexts and how the classfier works, it explains it quite well.

Let me know if any other issues.


CreatePlease to create content