I have just set up a 6513 with a firewall module running 2.3(4) software.
I have configured the VLANs and put them in the Firewall VLAN group.
I assigned the IPs on the firewall.
What I do not understand is this:
I have a DMZ that is VLAN 600
On the 6513 do I need to assign a default IP to this Vlan?
I have 10.15.32.2 at security 60 on the pix in Vlan 600
What steps do I need to take to make sure I have this setup correctly?
If this is a DMZ on the FWSM, then all you want on the 6513 switch is a layer 2 VLAN, which you have already done and allocated to the FWSM. Depending on how you are doing your routing, you may need a static route on the 6513 for the DMZ subnet with the next hop being the outside interface of your FWSM.
What you don't want is a layer 3 SVI on your 6513 or traffic will route round the FWSM to get to the DMZ.
You would then need to redistribute that static route into your IGP that you use on your network.
If you are running your FWSM in single mode you can also run OSPF on it and allow it to dynamically advertise its DMZ subnets.
Correct, it is a DMZ for the FWSM only.
Here is my basic config of the FWSM.
FWSM Version 2.3(4)
nameif Vlan30 inside security100
nameif Vlan700 outside security0
nameif Vlan600 server security60
ip address inside 10.55.0.17 255.255.255.0
ip address outside 18.104.22.168 255.255.255.0
ip address server 10.55.32.2 255.255.255.0
icmp permit any inside
icmp permit any server
pdm location F51-DMZ 255.255.255.255 server
no pdm history enable
arp timeout 14400
global (outside) 1 22.214.171.124
global (server) 1 10.55.32.3
route inside 10.0.0.0 255.0.0.0 10.55.1.1 1
route outside 0.0.0.0 0.0.0.0 126.96.36.199 1
What route would I need to put on the 6513 to allow the inside network to route correctly? And it is my understanding that I now have to allow the inside network to talk to the lower security interface?
On a standalone ASA/PIX you don't need access-lists to go from a higher to a lower interface, but as you rightly point out, here with the FWSM you do.
As for routing, where are your clients in relation to the FWSM inside interface? If they are on the same subnet as the FWSM inside interface then you don't need a route.
If they are on different VLANs then you would need on your 6513
ip route 10.55.32.0 255.255.255.0 10.55.0.17
But this will only add it to the 6513. If all your clients are on the 6513 or the 6513 is responsible for all your intervlan routing then that will do it.
OK, I have this configured. I am new to the FWSM and I appreciate your help.
My next question is that I want to ping a DMZ host from the inside network. I would love to see a simple config to allow me to do this.
Inside network = 10.55.0.0 255.255.0.0
DMZ host = 10.55.32.10
access-list acl_inside permit icmp 10.55.0.0 255.255.0.0 host 10.55.32.10 echo
access-group acl_inside in interface inside
access-list acl_dmz permit icmp host 10.55.32.10 10.55.0.0 255.255.0.0 echo-reply
access-group acl_dmz in interface server
nat (inside) 1 10.55.0.0
global (server) 1 interface
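The point raised earlier in the thread (a standalone PIX/ASA implicitly permits higher-to-lower security traffic, the FWSM does not until an access-list is bound with access-group) is easy to get wrong when reading a config. The following is an added example, not Cisco code or anything from this thread: a small Python model that parses nameif/access-list/access-group lines from a constructed FWSM-style snippet (modelled on the config above) and reports whether a flow would pass under FWSM or PIX/ASA semantics. It ignores ICMP type tokens, NAT and stateful return traffic, all of which are assumptions of the toy model.

```python
"""Toy model of FWSM vs. standalone PIX/ASA default access behaviour.
Constructed example; parses FWSM-style commands as plain text only."""
import ipaddress

# Constructed config modelled on the snippet posted in the thread.
FWSM_CONFIG = """
nameif Vlan30 inside security100
nameif Vlan700 outside security0
nameif Vlan600 server security60
access-list acl_inside permit icmp 10.55.0.0 255.255.0.0 host 10.55.32.10 echo
access-group acl_inside in interface inside
"""

def parse(cfg):
    """Return (security level per nameif, ACEs per ACL, ACL bound per interface)."""
    levels, acls, bound = {}, {}, {}
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "nameif":                       # nameif <vlan> <name> security<N>
            levels[t[2]] = int(t[3][len("security"):])
        elif t[0] == "access-list":                # access-list <name> <ace tokens...>
            acls.setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group" and t[3] == "interface":
            bound[t[4]] = t[1]                     # inbound ACL on that interface
    return levels, acls, bound

def _addr(tokens, i):
    """Consume one address spec (any | host X | net mask); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def ace_matches(ace, proto, src, dst):
    """True/False if the ACE decides this flow, None if it does not match (ICMP type ignored)."""
    action, p = ace[0], ace[1]
    if p not in (proto, "ip"):
        return None
    s, i = _addr(ace, 2)
    d, _ = _addr(ace, i)
    if ipaddress.ip_address(src) in s and ipaddress.ip_address(dst) in d:
        return action == "permit"
    return None

def allowed(cfg, platform, in_if, out_if, proto, src, dst):
    """Would a packet entering in_if for out_if be forwarded? platform: 'fwsm' or 'pix'."""
    levels, acls, bound = parse(cfg)
    acl = bound.get(in_if)
    if acl is None:  # no ACL bound: only PIX/ASA permits higher->lower implicitly
        return platform != "fwsm" and levels[in_if] > levels[out_if]
    for ace in acls.get(acl, []):
        verdict = ace_matches(ace, proto, src, dst)
        if verdict is not None:
            return verdict
    return False  # implicit deny at the end of every access-list
```

The same check with the access-list lines removed shows the difference: the PIX model still passes inside-to-server ICMP, the FWSM model drops it.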
Glad you got it sorted.
As for a book, to be honest I recommend you save the money and download the relevant configuration guide from the Cisco website.
Here is the one for FWSM 2.3.