New Member

FWSM MSFC vs. external router?

Can I do the following using an external router instead of the MSFC? I have the exact scenario that's discussed, but it's not clear as to whether I can use a dedicated router for that purpose.

(See Figure 1-3)

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/overvw.html#wp1137474

Will the fwsm classifier still perform as expected if the ingress traffic is not coming from the msfc?

Thank you.

4 REPLIES
Hall of Fame Super Blue

Re: FWSM MSFC vs. external router?

robdog01 wrote:

Can I do the following using an external router instead of the MSFC? I have the exact scenario that's discussed, but it's not clear as to whether I can use a dedicated router for that purpose.

(See Figure 1-3)

http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/overvw.html#wp1137474

Will the fwsm classifier still perform as expected if the ingress traffic is not coming from the msfc?

Thank you.

Yes, you should be fine with that. The scenario in the link you gave is simply showing a shared outside VLAN, so a router with an interface in that VLAN will do just the same as the MSFC.

Jon

New Member

Re: FWSM MSFC vs. external router?

That's what I figured, but it's not working for me... If I use the MSFC, everything works fine. Once I switch to an external router, I have really sporadic outbound access from behind the FWSM contexts.

From what I understood, the MSFC and FWSM coordinate the ingress traffic so that it lands on the appropriate virtual context. It certainly seems like that's what's happening, but I'm looking for others who have firsthand experience with this and can share in my frustration.

Here is the configuration on the switch:

interface GigabitEthernet4/47
description To xxx router, inside interface (Internet router)
switchport
switchport access vlan 2
switchport mode access
logging event link-status
speed 100
duplex full
end

On the upstream router (cat3750):

ip route 0.0.0.0 0.0.0.0 1.1.1.229

interface FastEthernet1/0/2
description ISP Uplink
no switchport
ip address 1.1.1.230 255.255.255.252
ip access-group 101 in
speed 100
duplex full
end

!
interface FastEthernet1/0/10
description Internet routable /24 subnet
no switchport
ip address 2.2.2.1 255.255.255.0
ip access-group 102 in
speed 100
duplex full
end

Simple access lists to deny management traffic to those interfaces:

access-list 101 remark deny any management access to the external interface
access-list 101 deny   tcp any host 1.1.1.230 eq 22
access-list 101 deny   tcp any host 1.1.1.230 eq telnet
access-list 101 deny   tcp any host 1.1.1.230 eq www
access-list 101 deny   tcp any host 1.1.1.230 eq 443
access-list 101 deny   tcp any host 1.1.1.230 eq ftp
access-list 101 deny   tcp any host 1.1.1.230 eq ftp-data
access-list 101 deny   udp any host 1.1.1.230 eq snmp
access-list 101 deny   udp any host 1.1.1.230 eq snmptrap
access-list 101 remark deny any management access to the internal interface
access-list 101 deny   tcp any host 2.2.2.1 eq 22
access-list 101 deny   tcp any host 2.2.2.1 eq telnet
access-list 101 deny   tcp any host 2.2.2.1 eq www
access-list 101 deny   tcp any host 2.2.2.1 eq 443
access-list 101 deny   tcp any host 2.2.2.1 eq ftp-data
access-list 101 deny   tcp any host 2.2.2.1 eq ftp
access-list 101 deny   udp any host 2.2.2.1 eq snmp
access-list 101 deny   udp any host 2.2.2.1 eq snmptrap
access-list 101 permit ip any any

access-list 102 remark deny any management access to the internal interface
access-list 102 deny   tcp any host 2.2.2.1 eq 22
access-list 102 deny   tcp any host 2.2.2.1 eq telnet
access-list 102 deny   tcp any host 2.2.2.1 eq www
access-list 102 deny   tcp any host 2.2.2.1 eq 443
access-list 102 deny   tcp any host 2.2.2.1 eq ftp-data
access-list 102 deny   tcp any host 2.2.2.1 eq ftp
access-list 102 deny   udp any host 2.2.2.1 eq snmp
access-list 102 deny   udp any host 2.2.2.1 eq snmptrap
access-list 102 remark deny any management access to the external interface
access-list 102 deny   tcp any host 1.1.1.230 eq 22
access-list 102 deny   tcp any host 1.1.1.230 eq telnet
access-list 102 deny   tcp any host 1.1.1.230 eq www
access-list 102 deny   tcp any host 1.1.1.230 eq 443
access-list 102 deny   tcp any host 1.1.1.230 eq ftp
access-list 102 deny   tcp any host 1.1.1.230 eq ftp-data
access-list 102 deny   udp any host 1.1.1.230 eq snmp
access-list 102 deny   udp any host 1.1.1.230 eq snmptrap
access-list 102 permit ip any any

Thanks,

Rob.
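The access lists above are a management-plane filter on the 3750: they deny a handful of TCP/UDP management ports to the router's own two addresses and permit everything else. As an added example (not code from the thread or from Cisco), the following small first-match evaluator parses the posted ACL 101 exactly as written and checks what it does and does not block. It supports only the ACE syntax that appears in the post (`any` source, `host` or `any` destination, optional `eq <port>`), and the sample packets are constructed.

```python
"""First-match evaluator for the numbered extended ACL lines posted above.

Added example, not from the thread or from Cisco IOS. Supports only the
ACE shapes used in the post:
  access-list <n> {permit|deny} <tcp|udp|ip> any {host <ip>|any} [eq <port>]
Remarks are skipped; the IOS implicit deny at the end is modelled.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional

# IOS port keywords that appear in the posted ACLs.
PORT_NAMES = {"telnet": 23, "www": 80, "ftp": 21, "ftp-data": 20,
              "snmp": 161, "snmptrap": 162}

# ACL 101 copied from the post (the ISP-facing interface filter).
ACL_101_TEXT = """
access-list 101 remark deny any management access to the external interface
access-list 101 deny   tcp any host 1.1.1.230 eq 22
access-list 101 deny   tcp any host 1.1.1.230 eq telnet
access-list 101 deny   tcp any host 1.1.1.230 eq www
access-list 101 deny   tcp any host 1.1.1.230 eq 443
access-list 101 deny   tcp any host 1.1.1.230 eq ftp
access-list 101 deny   tcp any host 1.1.1.230 eq ftp-data
access-list 101 deny   udp any host 1.1.1.230 eq snmp
access-list 101 deny   udp any host 1.1.1.230 eq snmptrap
access-list 101 remark deny any management access to the internal interface
access-list 101 deny   tcp any host 2.2.2.1 eq 22
access-list 101 deny   tcp any host 2.2.2.1 eq telnet
access-list 101 deny   tcp any host 2.2.2.1 eq www
access-list 101 deny   tcp any host 2.2.2.1 eq 443
access-list 101 deny   tcp any host 2.2.2.1 eq ftp-data
access-list 101 deny   tcp any host 2.2.2.1 eq ftp
access-list 101 deny   udp any host 2.2.2.1 eq snmp
access-list 101 deny   udp any host 2.2.2.1 eq snmptrap
access-list 101 permit ip any any
"""


@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "ip"
    dst_host: Optional[str]  # None means destination "any"
    dst_port: Optional[int]  # None means any destination port


def parse_port(token: str) -> int:
    """Map an IOS port keyword or number to an integer port."""
    return PORT_NAMES.get(token) or int(token)


def parse_acl(text: str) -> List[Ace]:
    """Parse access-list lines into ACEs, skipping remarks and blanks."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        if rest[0] != "any":
            raise ValueError("only 'any' source is supported: " + line)
        rest = rest[1:]
        if rest[0] == "host":
            dst_host, rest = rest[1], rest[2:]
        else:                       # destination "any"
            dst_host, rest = None, rest[1:]
        dst_port = parse_port(rest[1]) if rest and rest[0] == "eq" else None
        aces.append(Ace(action, proto, dst_host, dst_port))
    return aces


def evaluate(aces: List[Ace], proto: str, dst_ip: str, dst_port: int) -> str:
    """Return 'permit' or 'deny' for a packet using first-match semantics."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if ace.dst_host is not None and ace.dst_host != dst_ip:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action
    return "deny"  # IOS implicit deny when nothing matched


ACL_101 = parse_acl(ACL_101_TEXT)

if __name__ == "__main__":
    # Constructed sample packets: management to the router vs. transit traffic.
    for pkt in [("tcp", "1.1.1.230", 22), ("udp", "2.2.2.1", 161),
                ("tcp", "2.2.2.50", 22), ("udp", "1.1.1.230", 22)]:
        print(pkt, "->", evaluate(ACL_101, *pkt))
```

Running it confirms the filter's intent (SSH, Telnet, HTTP/S, FTP and SNMP to either router address are denied, transit traffic toward the /24 is permitted) and also surfaces what a line-by-line read can miss: the denies are protocol-specific, so a UDP datagram to port 22 on the router is permitted by the final `permit ip any any`. Whether that matters depends on what the router listens on, but it is the kind of gap a quick evaluator like this makes visible.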

Hall of Fame Super Blue

Re: FWSM MSFC vs. external router?

Rob

Strange, my understanding was that the classifier was an FWSM thing and not related to the MSFC at all. Let me do a little digging and see if I can come up with anything.

Jon
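The two posts above disagree on where context classification happens. The FWSM documentation linked in the first post describes the classifier as an FWSM function: for an interface shared between contexts, a packet is assigned to a context by matching its destination address against that context's NAT configuration (the `static` and `global` statements); a destination no context claims, or that more than one context claims, cannot be classified and is dropped. The model below is an added example, not FWSM code and not from the thread: it reproduces that decision for a few constructed contexts using documentation addresses (203.0.113.0/24) and adds the two audit checks a practitioner would run on a shared outside VLAN, looking for unclaimed and ambiguous addresses.

```python
"""Simplified model of FWSM context classification on a shared interface.

Added example, not FWSM code. Models only the destination-IP rule the
FWSM 2.2 configuration guide describes for shared interfaces: the
classifier matches the destination address against each context's
'static' and 'global' addresses. Context names and addresses are constructed.
"""
from __future__ import annotations

from typing import Dict, List, Optional, Set

# Constructed contexts. Each lists the outside-VLAN addresses it claims
# through 'static' (inbound translations) and 'global' (outbound PAT/NAT pool).
CONTEXTS: Dict[str, Dict[str, List[str]]] = {
    "ctxA": {"static": ["203.0.113.10", "203.0.113.11"], "global": ["203.0.113.100"]},
    "ctxB": {"static": ["203.0.113.20"], "global": ["203.0.113.101"]},
    "ctxC": {"static": [], "global": ["203.0.113.102"]},
}


def claimants(dst_ip: str, contexts: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Contexts whose static or global configuration claims dst_ip."""
    return sorted(name for name, nat in contexts.items()
                  if dst_ip in nat["static"] or dst_ip in nat["global"])


def classify(dst_ip: str, contexts: Dict[str, Dict[str, List[str]]] = CONTEXTS) -> Optional[str]:
    """Return the single owning context for a packet to dst_ip, else None.

    None covers both failure modes: no context claims the address, or more
    than one does. In either case the shared-interface classifier cannot
    place the packet, so it is dropped.
    """
    owners = claimants(dst_ip, contexts)
    return owners[0] if len(owners) == 1 else None


def find_unclaimed(vlan_hosts: List[str],
                   contexts: Dict[str, Dict[str, List[str]]] = CONTEXTS) -> Set[str]:
    """Addresses expected on the shared VLAN that no context claims."""
    return {ip for ip in vlan_hosts if not claimants(ip, contexts)}


def find_ambiguous(contexts: Dict[str, Dict[str, List[str]]] = CONTEXTS) -> Set[str]:
    """Addresses claimed by more than one context (classification conflict)."""
    seen: Dict[str, int] = {}
    for nat in contexts.values():
        for ip in nat["static"] + nat["global"]:
            seen[ip] = seen.get(ip, 0) + 1
    return {ip for ip, count in seen.items() if count > 1}


if __name__ == "__main__":
    # Constructed list of addresses the upstream router is expected to reach.
    expected_hosts = ["203.0.113.10", "203.0.113.20", "203.0.113.30", "203.0.113.100"]
    for ip in expected_hosts:
        print(ip, "->", classify(ip) or "DROP (unclassifiable)")
    print("unclaimed:", find_unclaimed(expected_hosts))
    print("ambiguous:", find_ambiguous())
```

The model makes the classifier's dependency explicit: it consults only the FWSM's own NAT configuration, so the device that forwards packets onto the shared VLAN (MSFC or external router) does not enter into the decision, which matches Jon's reading. It is deliberately limited to the destination-IP rule; it does not model per-context MAC addresses or any other classification input, and it says nothing about why the external-router setup in the thread behaved differently.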

New Member

Re: FWSM MSFC vs. external router?

Thanks. For now, I'm using the MSFC, but will need to use an external router in the next few months due to needing to use subinterfaces as well as tying into other networks that I don't want the 6500 connected to.

Rob.
