FWSM - default route per bridge group in transparent mode

bpwlee999
Level 1

Hi,

I want to set up FWSM 4.1 on a Cat6509 with multiple bridge groups in one transparent context (the manual says it can support up to 8 bridge-groups, and the intent is to save security contexts). For a host in VLAN21 (b1_inside) to talk to a host in VLAN41 (b2_inside), traffic needs to go out to the MSFC, which routes it back through the FWSM. My question is how I can define a default route per bridge-group. I would assume the FWSM should take the following two default routes, one per bridge-group interface, but it won't:

route b1_outside 0.0.0.0 0.0.0.0 10.11.75.1 1

route b2_outside 0.0.0.0 0.0.0.0 10.11.76.1 1

It seems like it allows only one default route per context and gives me an error: "ERROR: Cannot add route entry, possible conflict with existing route"

How can I achieve outside per individual bridge-group? Help is greatly appreciated.

FWSM context config:

interface Vlan11
 nameif b1_outside
 bridge-group 1
 security-level 0
!
interface Vlan21
 nameif b1_inside
 bridge-group 1
 security-level 100
!
interface Vlan31
 nameif b2_outside
 bridge-group 2
 security-level 0
!
interface Vlan41
 nameif b2_inside
 bridge-group 2
 security-level 100
!

interface BVI1
 ip address 10.11.75.254 255.255.255.0
!
interface BVI2
 ip address 10.11.76.254 255.255.255.0
!

The 6509 has the following SVIs defined, and all VLANs are assigned to the firewall:

interface Vlan11
 ip address 10.11.75.1 255.255.255.0
 no shutdown
!
interface Vlan31
 ip address 10.11.76.1 255.255.255.0
 no shutdown
!

Accepted Solution

mirober2
Cisco Employee

Hello,

In transparent mode, the FWSM is not routing the VLAN's traffic. Instead, think of the firewall as a layer 2 bridge between 2 VLANs in the bridge-group. The static routes that you configure in transparent mode are only used for management traffic and for certain functionality in application inspections, not for routing of user traffic.

Instead, you need to set the default gateway of your clients to be the MSFC's IP address. This IP will be in the same layer 3 subnet as the client's IP, but will be on a different VLAN bridged together by the FWSM. The hosts will send ARP requests for the gateway IP to resolve the MAC address and the FWSM will forward the traffic on strictly at layer 2 (assuming your ACLs/security policy allow it).

Hope that helps.

-Mike

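The layout Mike describes, written out as a complete transparent-context configuration. This is an added example, not configuration from the original post or from Cisco; the VLANs, interface names and BVI/MSFC addresses are the ones given in the question, while the host addresses 10.11.75.10 and 10.11.76.10, the access-list names and the HTTPS-only policy between the two bridge groups are assumptions chosen to illustrate the point. Note the two things practitioners most often miss on the FWSM: the single `route` statement only serves the module itself, and, unlike PIX/ASA, the FWSM permits no user traffic in either direction until an access list allows it.

```cisco
! --- Added example (not from the original thread) ---
! FWSM 4.1 context, transparent mode, two bridge groups.
! Addresses from the question; 10.11.75.10 / 10.11.76.10 are assumed hosts.
firewall transparent
!
interface Vlan11
 nameif b1_outside
 bridge-group 1
 security-level 0
!
interface Vlan21
 nameif b1_inside
 bridge-group 1
 security-level 100
!
interface Vlan31
 nameif b2_outside
 bridge-group 2
 security-level 0
!
interface Vlan41
 nameif b2_inside
 bridge-group 2
 security-level 100
!
! BVI addresses: used only for the FWSM's own traffic (management, syslog,
! AAA, inspection helpers). Hosts must NOT use these as their gateway.
interface BVI1
 ip address 10.11.75.254 255.255.255.0
!
interface BVI2
 ip address 10.11.76.254 255.255.255.0
!
! Exactly one default route per context, and it is for the module itself,
! not for forwarding user traffic. A second one is rejected as a conflict.
route b1_outside 0.0.0.0 0.0.0.0 10.11.75.1 1
!
! The FWSM permits nothing by default, even from security-level 100 to 0,
! so every initiating direction needs an explicit access list.
! Hosts on VLAN21 (10.11.75.0/24) may initiate anything; this covers their
! path to the MSFC at 10.11.75.1, which then routes toward VLAN31.
access-list B1_IN extended permit ip 10.11.75.0 255.255.255.0 any
access-group B1_IN in interface b1_inside
!
! Hosts on VLAN41 (10.11.76.0/24) may initiate anything.
access-list B2_IN extended permit ip 10.11.76.0 255.255.255.0 any
access-group B2_IN in interface b2_inside
!
! Traffic the MSFC hairpins from VLAN21 into VLAN31 enters b2_outside,
! so the VLAN21 -> VLAN41 policy is enforced here (assumed: HTTPS only).
! Replies are matched by the connection table, not by this list.
access-list B2_OUT extended permit tcp 10.11.75.0 255.255.255.0 10.11.76.0 255.255.255.0 eq 443
access-group B2_OUT in interface b2_outside
!
! Transparent mode bridges only IP and ARP unless told otherwise; let
! spanning-tree BPDUs through so a loop between the bridged VLANs is detected.
access-list ETH ethertype permit bpdu
access-group ETH in interface b1_inside
access-group ETH in interface b1_outside
access-group ETH in interface b2_inside
access-group ETH in interface b2_outside
!
! --- MSFC side (already present per the question, shown for completeness) ---
! interface Vlan11
!  ip address 10.11.75.1 255.255.255.0
! interface Vlan31
!  ip address 10.11.76.1 255.255.255.0
!
! --- Host side (assumed) ---
! VLAN21 host: 10.11.75.10/24, default gateway 10.11.75.1 (MSFC SVI on VLAN11)
! VLAN41 host: 10.11.76.10/24, default gateway 10.11.76.1 (MSFC SVI on VLAN31)
```

With this in place a packet from 10.11.75.10 to 10.11.76.10 is ARPed for 10.11.75.1 on VLAN21, bridged by bridge-group 1 to VLAN11, routed by the MSFC onto VLAN31, bridged by bridge-group 2 to VLAN41, and checked against B1_IN on the way out and B2_OUT on the way back in. To confirm the FWSM is learning both sides, use `show mac-address-table` on the context (the MSFC's SVI MAC should appear on the outside VLAN of each bridge group and the host MACs on the inside VLANs) and `show arp` on the MSFC for the host entries; if the hosts are pointed at the BVI address instead, the ARP for the gateway will resolve but nothing will be forwarded, since the BVI does not route.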


Thanks very much. I figured out the default gateway was just for switch management, just before you replied. But thanks anyway, it makes sense.
