We have a FWSM in a 6513 for the core of our campus. It is not in prodcution as yet. Still using external PIX 525 at this time.
I was going to use a single context model with MSFC behind the firewall. Some of our recent needs will add VLANs for a DMZ and departments that need isolated. There is an example in the Intro to the firewall services module of the MSFC behind and in front of the FWSM. The diagram for the MSFC behind shows a DMZ and HR VLAN. How can those be secure with that model. I would have thought you would need to place the FWSM behind the MSFC to do that?
Insn't it true if you place the FWSM behind the MSFC you are limiting routing to the speed of the FWSM?
I had thoughts of moving to multi context mode. Then placing most of our VLAN that route between each other in one context with MSFC behind the FWSM. Then a context for each special application and have the FWSM behind the MSFC. But I read the multi context mode doesn't support multicast which we use.
My other option I have considered was to use the FWSM in single context with MSFC behind and use external ASA boxes in building that require deparment isolation.
It may be of use to make sure we are both talking about the same thing when we talk about behind and in front :).
WAN -> MSFC -> FWSM -> firewalled vlans
this is FWSM behind MSFC and for all the firewalled vlans you are "limited" by the FWSM. I say limited but remember you do get 5Gbps throughput from these things.
WAN -> FWSM -> MSFC -> vlans
this is FWSM in front of the MSFC. Now everything hanging off the MSFC can only be reached from the WAN by going through the FWSM. This setup is probably not as common as the first.
You would typically use the FWSM behind MSFC to firewall some important vlans but still have other vlans routed off the MSFC.
You would typically use the FWSM in front of the MSFC if you had a connection from an untrusted source and you did not want the first thing they reach to be the MSFC.
So in an internal setup eg. a data centre where you are firewalling vlans for security from bith external and WAN then i would always use FWSM behind MSFC. This presupposes that external access ie. not from your network, is firewalled by another device before being allowed through to the DC.
We are on the same page. Our 6513 with FWSM is the core of our campus LAN. Off the core is our WAN to Internet and our main campus. Untrusted. Seems like I would like to use the FWSM out front and MSFC behind that. Problem is we also need to secure some internal VLANs from the rest of the internal VLANs.
There is nothing to stop you putting the FWSM in front of the MSFC so the MSFC is reached by the inside interface of the FWSM. You could also then add DMZ's to the FWSM that are routed off the FWSM for the internal vlans you need to secure. The vlans you don't need to secure you can then just have routed off the MSFC.
My only concern with this is that you are still then firewalling from your main campus. This may or may not be an issue for you depending on throughput etc.
Jon, you last post sounds like an approach that might work best for us and makes sense for us.
Our WAN connection is a path to our main campus and the Internet over same link. As the main campus provides Internet access to all campus locations via there WAN link. We consider the main campus and the Internet untrusted. Right now we have a PIX external to our 6513 and it will be replaced by our FWSM.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :