Cisco Support Community
Community Member

FWSM Configuration

Hi All,

I have been reading for some time now, all related to the FWSM configuration, but I can't find a step-by-step guide on how to configure it in Transparent Mode on a Cisco 6509 switch.

The main thing I need help with is how to get it to communicate with the Cisco 6509.

If anybody can point me in the right direction/link/article/KB, that would be great.

Thanks,

Ezequiel

4 REPLIES
Hall of Fame Super Blue

Ezequiel

Have you looked at the configuration guide? -

http://www.cisco.com/c/en/us/td/docs/security/fwsm/fwsm41/configuration/guide/fwsm_cfg/intfce_f.html

Jon

Community Member

Hi Jon,

Thanks for the reply.

I have read two documents, one was 180 pages and the other one was over 400. I am not able to understand how to get the 6509 to communicate with the FWSM.

This is my scenario:

I have to issue the "session slot 3 processor 1" command in order to get to the FWSM.

When there, I can see the following:

Version: Device Manager Version 5.2(4)F

Firewall Status:

FWSM# sho fire
    Context                 Mode
admin                       Transparent
FWSM#

This is what I'm trying to do:

I have a client who is renting a server and he is expecting some DDoS and so forth; I want to put him behind the FWSM.

He is right now sitting on vlan 473. This is an L3 switch, so vlan 473 exists on L2 and obviously has an SVI (interface vlan) with the following configuration:

Router.(config-if)#do svlan 473
Building configuration...

Current configuration : 201 bytes
!
interface Vlan473
 description 04001021613.PRIVATELAYER.CH
 ip address 31.7.61.177 255.255.255.240
 ip access-group SPAM out
 no ip redirects
 no ip proxy-arp
 ipv6 address 2A02:29B8:2118::1/48
end

Router.(config-if)#

I am aware that in routed mode you have to add the same vlans to the FWSM and so forth, but in transparent mode, honestly, I am clueless.

It's stated that I have to use TWO interfaces and configure the same IPs on each (...). In routed mode I know it's not possible, but in transparent mode it is somehow.

NOTE: I am only a CCNA but have done a LOT of research on the topic. I have not found a step-by-step guide, not even in the CCNP or CCIE training videos out there. (I have over 40GB of Cisco videos... getting frustrated)

Any help is appreciated.

Thanks,

Ezequiel

Hall of Fame Super Blue

It's been a while since I did this, but basically you need to bridge two vlans together.

So you have two vlans but they use the same IP subnet, i.e. no need to readdress the server.

You do not need two interfaces with the same IP because you only have a BVI with the IP and that is used for management, i.e. it does not affect traffic passing through the firewall.

Because vlan 473 is routed on the MSFC, you need a new vlan for the other side of the FWSM and your server would need allocating into this new vlan. So it would basically look like -

MSFC -> vlan 473 -> FWSM -> new vlan -> server

but the same IP subnet is used for both vlans.

The MSFC and the server in effect do not know about the FWSM.

What I am not sure about (can't remember) is how it works if there are other servers in vlan 473, i.e. can you just leave them in vlan 473, which means they are not firewalled.

I believe you can but unfortunately can't say for sure.

My main concern is about allocating vlan 473 to the FWSM, i.e. in L3 mode you do not have to allocate the vlan between the FWSM and the MSFC.

Hopefully someone else can contribute to clear that point up.

Sorry I can only be of limited help.

Jon
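Jon's "MSFC -> vlan 473 -> FWSM -> new vlan -> server" layout, written out as a configuration sketch. This is an added illustration, not part of the thread and not Cisco's documentation; the server-side VLAN (474), the server's switch port, the BVI address (31.7.61.178, picked from the /28 already on Vlan473) and the access-list ports are all assumptions, and the slot number comes from Ezequiel's "session slot 3" command. Syntax should be checked against the FWSM 4.1 guide linked above before use.

```text
! --- Catalyst 6509 supervisor (IOS side), illustration only ---
! Both the MSFC-facing VLAN (473) and the new server-side VLAN (474, assumed)
! are handed to the FWSM in slot 3. The existing SVI stays on Vlan473; do NOT
! create an SVI for Vlan474, or the MSFC would route around the firewall.
vlan 474
firewall vlan-group 1 473,474
firewall module 3 vlan-group 1
interface GigabitEthernet1/1
 description server port (assumed) - moved from vlan 473 to 474
 switchport access vlan 474

! --- FWSM (reached via "session slot 3 processor 1"), illustration only ---
! "show firewall" already reports the admin context as Transparent, so the mode
! is not changed here. In multiple-context mode the two VLANs must first be
! allocated to that context from the system execution space:
context admin
 allocate-interface vlan473
 allocate-interface vlan474
changeto context admin
! One bridge group joins the two VLANs; the IP subnet is shared, not routed.
interface vlan 473
 nameif outside
 bridge-group 1
 security-level 0
interface vlan 474
 nameif inside
 bridge-group 1
 security-level 100
! Single management address for the bridge, inside the server's /28 (assumed).
! Traffic through the firewall never uses this address.
interface bvi 1
 ip address 31.7.61.178 255.255.255.240
! The FWSM permits no through-traffic by default in either direction, so the
! server needs an inbound policy (ports assumed) and an outbound permit.
access-list outside_in extended permit tcp any 31.7.61.176 255.255.255.240 eq www
access-list outside_in extended permit tcp any 31.7.61.176 255.255.255.240 eq https
access-group outside_in in interface outside
access-list inside_out extended permit ip 31.7.61.176 255.255.255.240 any
access-group inside_out in interface inside
```

Because the MSFC's Vlan473 SVI and the server keep their existing addresses, neither side is aware of the FWSM; only the server's port membership changes.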

Community Member

Hi Jon,

Thanks for your help.

And yes, I have those questions; I will read further and try to come up with a solution.

As for vlan 473, it only handles that one server; every server has its own vlan, and we keep it like that in order to isolate traffic from each other.

I will post in the future if I come up with the solution.

Thanks,

Ezequiel
