FWSM MSFC vs. external router?

robdog01
Level 1

Can I do the following using an external router instead of the MSFC?  I have the exact scenario that's discussed, but it's not clear as to whether I can use a dedicated router for that purpose?

(See Figure 1-3)

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/overvw.html#wp1137474

Will the FWSM classifier still perform as expected if the ingress traffic is not coming from the MSFC?

Thank you.

4 Replies

Jon Marshall
Hall of Fame

robdog01 wrote:

Can I do the following using an external router instead of the MSFC?  I have the exact scenario that's discussed, but it's not clear as to whether I can use a dedicated router for that purpose?

(See Figure 1-3)

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/overvw.html#wp1137474

Will the FWSM classifier still perform as expected if the ingress traffic is not coming from the MSFC?

Thank you.

Yes you should be fine with that. The scenario in the link you gave is simply showing a shared outside vlan so a router with an interface in that vlan will do just the same as the MSFC.

Jon

That's what I figured, but it's not working for me...  If I use the MSFC, everything works fine.  Once I switch to an external router, I have really sporadic outbound access from behind the FWSM contexts.

From what I understood, the MSFC and FWSM coordinate the ingress traffic so that it lands on the appropriate virtual context.  It certainly seems like that's what's happening, but I'm looking for others who have firsthand experience with this and can share in my frustration.

Here is the configuration on the switch:

interface GigabitEthernet4/47
description To xxx router, inside interface (Internet router)
switchport
switchport access vlan 2
switchport mode access
logging event link-status
speed 100
duplex full
end

On the upstream router (cat3750):

ip route 0.0.0.0 0.0.0.0 1.1.1.229

interface FastEthernet1/0/2
description ISP Uplink
no switchport
ip address 1.1.1.230 255.255.255.252
ip access-group 101 in
speed 100
duplex full
end

!
interface FastEthernet1/0/10
description Internet routable /24 subnet
no switchport
ip address 2.2.2.1 255.255.255.0
ip access-group 102 in
speed 100
duplex full
end

Simple access lists to deny management traffic to those interfaces:

access-list 101 remark deny any management access to the external interface
access-list 101 deny   tcp any host 1.1.1.230 eq 22
access-list 101 deny   tcp any host 1.1.1.230 eq telnet
access-list 101 deny   tcp any host 1.1.1.230 eq www
access-list 101 deny   tcp any host 1.1.1.230 eq 443
access-list 101 deny   tcp any host 1.1.1.230 eq ftp
access-list 101 deny   tcp any host 1.1.1.230 eq ftp-data
access-list 101 deny   udp any host 1.1.1.230 eq snmp
access-list 101 deny   udp any host 1.1.1.230 eq snmptrap
access-list 101 remark deny any management access to the internal interface
access-list 101 deny   tcp any host 2.2.2.1 eq 22
access-list 101 deny   tcp any host 2.2.2.1 eq telnet
access-list 101 deny   tcp any host 2.2.2.1 eq www
access-list 101 deny   tcp any host 2.2.2.1 eq 443
access-list 101 deny   tcp any host 2.2.2.1 eq ftp-data
access-list 101 deny   tcp any host 2.2.2.1 eq ftp
access-list 101 deny   udp any host 2.2.2.1 eq snmp
access-list 101 deny   udp any host 2.2.2.1 eq snmptrap
access-list 101 permit ip any any

access-list 102 remark deny any management access to the internal interface
access-list 102 deny   tcp any host 2.2.2.1 eq 22
access-list 102 deny   tcp any host 2.2.2.1 eq telnet
access-list 102 deny   tcp any host 2.2.2.1 eq www
access-list 102 deny   tcp any host 2.2.2.1 eq 443
access-list 102 deny   tcp any host 2.2.2.1 eq ftp-data
access-list 102 deny   tcp any host 2.2.2.1 eq ftp
access-list 102 deny   udp any host 2.2.2.1 eq snmp
access-list 102 deny   udp any host 2.2.2.1 eq snmptrap
access-list 102 remark deny any management access to the external interface
access-list 102 deny   tcp any host 1.1.1.230 eq 22
access-list 102 deny   tcp any host 1.1.1.230 eq telnet
access-list 102 deny   tcp any host 1.1.1.230 eq www
access-list 102 deny   tcp any host 1.1.1.230 eq 443
access-list 102 deny   tcp any host 1.1.1.230 eq ftp
access-list 102 deny   tcp any host 1.1.1.230 eq ftp-data
access-list 102 deny   udp any host 1.1.1.230 eq snmp
access-list 102 deny   udp any host 1.1.1.230 eq snmptrap
access-list 102 permit ip any any

Thanks,

Rob.
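One way to sanity-check ACLs like the ones posted above before trusting them on an Internet-facing router is to replay them offline with first-match semantics and the IOS implicit deny. The following is an added example, not code from the thread or from Cisco: it parses a constructed excerpt of ACL 101 (the 443 and ftp entries are deliberately omitted so the audit has a gap to report), evaluates flows against it, and lists which management ports on the router interfaces would still be reachable. The `PORT_NAMES`, `MGMT_PORTS` table and the source address `203.0.113.5` are assumptions of the example.

```python
import ipaddress
# IOS keyword ports as used in the thread's ACLs.
PORT_NAMES = {"telnet": 23, "www": 80, "ftp": 21, "ftp-data": 20,
              "snmp": 161, "snmptrap": 162}
# Management services we expect to be unreachable on the router's own interfaces.
MGMT_PORTS = {("tcp", 22), ("tcp", 23), ("tcp", 80), ("tcp", 443), ("udp", 161)}
# Constructed excerpt of the posted ACL 101; the 443 and ftp entries are
# deliberately left out so the audit below has a gap to report.
ACL_101_EXCERPT = """
access-list 101 remark deny any management access to the external interface
access-list 101 deny   tcp any host 1.1.1.230 eq 22
access-list 101 deny   tcp any host 1.1.1.230 eq telnet
access-list 101 deny   tcp any host 1.1.1.230 eq www
access-list 101 deny   udp any host 1.1.1.230 eq snmp
access-list 101 deny   tcp any host 2.2.2.1 eq 22
access-list 101 permit ip any any
"""

def _addr(tokens):
    """Consume one IOS address spec ('any' or 'host A.B.C.D'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    raise ValueError("unsupported address spec: %s" % tokens[0])

def parse_acl(text):
    """Parse numbered extended ACL lines into (permit, proto, src, dst, dport) tuples."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"] or t[2] == "remark":
            continue  # skip non-ACL lines and remarks
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((t[2] == "permit", t[3], src, dst, port))
    return entries

def evaluate(entries, proto, src, dst, dport):
    """First matching entry wins; no match at all means the IOS implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, p, snet, dnet, port in entries:
        if p in ("ip", proto) and s in snet and d in dnet and port in (None, dport):
            return permit
    return False

def reachable_management(entries, interface_ips, src="203.0.113.5"):
    """Audit: the (ip, proto, port) management services the ACL would still permit."""
    return {(ip, proto, port) for ip in interface_ips for proto, port in MGMT_PORTS
            if evaluate(entries, proto, src, ip, port)}
```

Running `reachable_management` against the full ACLs 101 and 102 from the post should return an empty set; the excerpt here reports TCP/443 on 1.1.1.230 as the missing entry.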

Rob

Strange, my understanding was that the classifier was an FWSM thing and not related to the MSFC at all. Let me do a little digging and see if I can come up with anything.

Jon

Thanks.  For now, I'm using the MSFC, but will need to use an external router in the next few months due to needing to use subinterfaces as well as tying into other networks that I don't want the 6500 connected to.

Rob.
