Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Cisco FWSM in 6500 VSS environment

Hello,

I have a production environment working with 2 Cisco 6500 series configured as VSS. We have One supervisor and multiple SVI interfaces on MSFC card.  Each of the two 6500 has one FWSM module mount but not configured. I have 45 SVI interfaces (VLAN) and I want to filter traffic between them. 

I have tried to log on FWSM and configure management access (SSH, ASDM) but I am not able to ping the 6500 switch and I am not able to ping the FWSM on 6500. 

 

Receive the configure of the FWSM. Only one FWSM have been configured. 

 

FWSM Version 3.1(10)
!
firewall transparent
hostname T2SA-FWSM1
domain-name local.local
enable password WRG3g.xDNrBVh.tO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan9
 nameif inside
 bridge-group 1
 security-level 100
!
interface Vlan17
 nameif outside
 bridge-group 1
 security-level 0
!
interface BVI1
 description ##int in out BRIDGE#
 ip address 10.100.17.253 255.255.255.0
!
ftp mode passive
access-list 100 extended permit ip any any
access-list 100 extended permit udp any any
access-list 101 ethertype permit bpdu
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
access-group 101 in interface outside
access-group 100 in interface outside
access-group 100 out interface outside
access-group 101 in interface inside
access-group 100 in interface inside
access-group 100 out interface inside
route outside 10.100.17.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.100.17.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username afritec password b4jmWIHeWj8bgNpV encrypted
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7d847012a52b6445011e40f1f9cdd4b2

 

On the 6500, I have done this: 

6500(config)#firewall multiple-vlan

6500(config)#firewall switch 1 module 7 vlan-group 1 17,9

6500(config)#firewall switch 1 slot 7 vlan-group 1

6500(config)#interface vlan 9

6500(config-if)#ip address 10.100.1.254 255.255.255.0

6500(config-if)#exit

6500(config)#interface vlan 17

6500(config)#ip address 10.100.17.254 255.255.255.0

 

 

6500#ping 10.100.17.253

no answer 

fwsm#ping 10.100.17.23

success

fwsm#ping 10.100.17.254 

no answer . 

 

Any helps would be really apreciated. 

 

 

 

4 REPLIES
Hall of Fame Super Silver

In a transparent mode

In a transparent mode firewall (FWSM or otherwise), both the inside and outside VLAN should be on the same subnet.

New Member

Thanks you,Please what are

Thanks you,

Please what are the best steps to get ip connectivity between FWSM and 6500 while virtualized ? 

Just to connect for management. What are the good steps after, to implement the FWSM in failover mode and to manage 46 SVI(Vlans). Transparent firewall is not an issue because it only uses 2 (vlan) pper BVI. the best practice please 

 

Hall of Fame Super Silver

Best practices are not

Best practices are not explicitly defined for your particular configuration. I would just follow the configuration guide and consult the configuration examples on the product support page. 

Note that the FWSM limits you to 8 bridge groups in a given context. To support the number of VLANs you're talking about, you'd need to be licensed for and run in multiple context mode.

One other thing you should consider (assuming you still have maintenance coverage on this product that hasn't been sold for over two years) is to upgrade your software. You are running 3.1(10) from April 2008 and there were 10 later maintenance releases just in the 3.1 train. The last release for the FWSM was 4.1(15) from October 2013.

New Member

Thanks you very much, I will

Thanks you very much, I will first try to update the firmware. Please there is no adjustment in my configuration to get Ip connectivity with the 6500 ? in routed or transparent mode.

I just to want to get Ip connectivity and ASDM and SSH working fine. 

 

Thanks,

80
Views
10
Helpful
4
Replies
CreatePlease to create content