Cisco Support Community

New Member

FWSM implementation

Hi,

The FWSM does not include any external physical interfaces.

What are the risks?

9 REPLIES
Hall of Fame Super Blue

Re: FWSM implementation

The risks are primarily logical and configuration issues.

1) Logical. Because it is virtualised it can sometimes be quite difficult to visualise what you are trying to do. And if you do not visualise it correctly then there is a very good chance that you could set it up incorrectly and introduce security risks into your environment.

2) Configuration. Again, because it is virtualised and uses VLANs within the same chassis to create DMZs, a mistake in configuration can have inadvertent consequences. A good example is contained here, from a recent discussion:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&topicID=.ee6e1fa&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc0a239

To be honest, although I'm sure there may be people doing this, I would not feel comfortable using the FWSM as my primary firewall for connecting to the Internet. But if you have firewalling requirements within your data centre, for example, and you already have a 6500 infrastructure, then the FWSM can be a very good choice.

Jon

Bronze

Re: FWSM implementation

Typically I use the FWSM to firewall off servers from the internal network. Otherwise, for internet protection you'll need to L2 VLAN off your internet on your core switches, which isn't the best idea.

The times that I have used the FWSM as a primary firewall, the client had another firewall in front of it for protection as well that wasn't NATting.

New Member

Re: FWSM implementation

Dear both,

Many thanks for your comments.

What do you mean by "you'll need to L2 VLAN off your internet on your core switches"?

Thanks

Bronze

Re: FWSM implementation

You can create a VLAN on the switches; if you don't create an interface for the VLAN it stays in an L2 state rather than having an L3 interface created for it. Once you type `interface vlan 10` and put an IP address on it, that creates an L3 interface; if you don't do that, the VLAN stays at L2 without an L3 interface, effectively staying at L2 rather than going to L3.

New Member

Re: FWSM implementation

"you'll need to L2 VLAN off your internet on your core switches."

Why is it not good?

New Member

Re: FWSM implementation

We use a FWSM for all connectivity to/from the internet. It's no different than a PIX or ASA if you implement it correctly.

One of the tricks we used was to create a VRF on the 'outside' of the FWSM, placing in it the serial interface from the provider and the VLAN that becomes your 'outside' interface. We used the same technique for the DMZs and the inside interface. We also have a number of customer circuits riding Frame PVCs into our router (it's in a 7609). We also create VRFs for those customers and place the PVC/VLAN into the VRF. This ensures complete isolation.

I look at it as a PIX/ASA with up to 255 Interfaces this way. Each VRF becomes a 'bastion' router for each in/out interface on the firewall. This simplifies routing and subnetting.

I feel, after configuring it as we have, we are using a more versatile and manageable router than I ever had with a PIX. The risks are mitigated to a very low level using it the way we have (VRFs are your friend). If you have the capability to use it in this way, you'll see the benefits as well.

BTW, a 6500 does not support VRFs. It must be in a 7600 chassis to work in the manner I have implemented.

HTH

Jim

New Member

Re: FWSM implementation

Hi All,

Correct me if I am wrong:

Two things:

1- External link---In-FWSM-Out---MSFC-- or

2- External link----MSFC---In-FWSM-Out---

For solution 1 you will have the FWSM as the front end for the external link, and for solution 2 you will have the MSFC as the front end for the external link.

When configuring solution 1, place your external link on an L2 VLAN and assign the IP address inside the FW context. For solution 2, configure a VLAN interface and assign the IP address on the switch itself.
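As an added example (not code from any of the posters above), the following Python audit turns the points made in this thread into a check that can be run over a 6500/7600 configuration: Jon's warning that a VLAN mistake in the chassis has inadvertent consequences, the L2-only VLAN versus L3 SVI distinction, Jim's one-VRF-per-firewall-interface pattern, and the two topologies in the last post. It parses a constructed IOS fragment and reports, for every VLAN handed to the FWSM by `firewall vlan-group`, whether the MSFC has no SVI on it (L2-only, the address lives in the firewall context), an SVI inside a VRF (isolated bastion), or an SVI in the global routing table; when two or more FWSM VLANs have global SVIs, the MSFC can forward between them with the FWSM never in the path. The `firewall vlan-group`, `firewall module ... vlan-group`, `firewall multiple-vlan-interfaces`, `interface Vlan` and `ip vrf forwarding` commands are real IOS syntax; the VLAN numbers, VRF name and addresses in the sample are assumptions made up for this example.

```python
"""Audit a Catalyst 6500/7600 IOS config for VLANs that are handed to the FWSM
but are also routed by the MSFC in the global table (the bypass mistake above).
Added example, not from the thread; the sample config below is constructed."""
import re

# Constructed sample (assumed VLAN numbers, VRF name and addresses):
#  VLAN 10: FWSM outside, L2-only on the MSFC (solution 1 in the thread)
#  VLAN 20: FWSM inside, the usual global SVI on the MSFC
#  VLAN 30: DMZ whose SVI lives in its own VRF (the 'bastion' pattern)
#  VLAN 40: mistake, a second global SVI on an FWSM VLAN
SAMPLE_CONFIG = """\
firewall multiple-vlan-interfaces
firewall module 4 vlan-group 1
firewall vlan-group 1  10,20,30,40
!
ip vrf DMZ1
 rd 65000:30
!
vlan 10
 name FWSM-OUTSIDE
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
!
interface Vlan30
 ip vrf forwarding DMZ1
 ip address 10.1.30.1 255.255.255.0
!
interface Vlan40
 ip address 10.1.40.1 255.255.255.0
!
"""


def expand_vlan_list(spec):
    """'10,20-22,30' -> {10, 20, 21, 22, 30} (IOS range syntax)."""
    out = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            out.update(range(int(lo), int(hi) + 1))
        elif part:
            out.add(int(part))
    return out


def parse_ios(config):
    """Return (fwsm_vlans, svis, multi_svi); svis maps vlan -> {'ip', 'vrf'}."""
    fwsm_vlans, svis, multi_svi, current = set(), {}, False, None
    for line in config.splitlines():
        line = line.rstrip()
        m = re.match(r"^firewall vlan-group \d+\s+(\S+)", line)
        if m:
            fwsm_vlans |= expand_vlan_list(m.group(1))
            continue
        if line == "firewall multiple-vlan-interfaces":
            multi_svi = True
            continue
        m = re.match(r"^interface Vlan(\d+)$", line)
        if m:
            current = int(m.group(1))
            svis[current] = {"ip": None, "vrf": None}
            continue
        if not line.startswith(" "):
            current = None  # any other top-level command closes the SVI block
            continue
        if current is None:
            continue
        m = re.match(r"^ ip address (\S+) (\S+)", line)
        if m:
            svis[current]["ip"] = m.group(1)
        m = re.match(r"^ ip vrf forwarding (\S+)", line)
        if m:
            svis[current]["vrf"] = m.group(1)
    return fwsm_vlans, svis, multi_svi


def classify(config):
    """Per FWSM VLAN: 'l2-only', 'svi-in-vrf:<name>' or 'svi-global'."""
    fwsm_vlans, svis, _ = parse_ios(config)
    result = {}
    for vlan in sorted(fwsm_vlans):
        svi = svis.get(vlan)
        if svi is None or svi["ip"] is None:
            result[vlan] = "l2-only"  # only the FWSM context holds an address here
        elif svi["vrf"]:
            result[vlan] = "svi-in-vrf:" + svi["vrf"]
        else:
            result[vlan] = "svi-global"
    return result


def find_bypass(config):
    """FWSM VLANs whose SVIs share the global table. One is the usual 'inside';
    two or more let the MSFC forward between them without the FWSM in the path."""
    global_svis = [v for v, c in classify(config).items() if c == "svi-global"]
    return sorted(global_svis) if len(global_svis) > 1 else []


if __name__ == "__main__":
    for vlan, verdict in classify(SAMPLE_CONFIG).items():
        print(f"vlan {vlan:4d}: {verdict}")
    print("MSFC can route around the FWSM via VLANs:", find_bypass(SAMPLE_CONFIG))
```

Run it against `show running-config` output instead of the constructed sample to audit a real chassis. IOS normally refuses a second SVI on FWSM VLANs unless `firewall multiple-vlan-interfaces` is configured, which is why the sample carries that line; `parse_ios` returns that flag so the reviewer can confirm it was set deliberately (as in Jim's multi-VRF design) rather than left over from a test.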
