FWSM on a 6509-E in Transparent mode

apereida
Level 1

I have a 6509-E with the FWSM module. I created two contexts within the FWSM, context A and context B, both in transparent mode.

Context A is "connected" to the MSFC via a BVI with the IP 192.168.180.2; the MSFC IP for VLAN180 is 192.168.180.1, and in context A VLAN180 is bound to the BVI. So far, up to this point, I have a connection between the MSFC and context A.

Now, if I want to put a server behind context A with server IP 192.168.180.100, and be able to apply some ACLs to allow certain traffic to the server, how would I achieve this?

I know that in this mode the context needs two logical interfaces; one is VLAN180, already bound to the BVI, but what about the logical interface where I'm supposed to connect the server?

Thanks in advance

Alex

4 Replies

Can you post your config?

Here is the config for the MSFC:

=========

NEW-CORE3#sh run
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
redundancy
 mode sso
 main-cpu
  auto-sync running-config
  auto-sync standard
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
!
interface Port-channel1
 ip address 192.168.220.105 255.255.255.248
!
interface GigabitEthernet1/1
 no ip address
 shutdown
**( the rest of the physical ports config has been omitted to save space)
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan180
 ip address 192.168.180.1 255.255.255.0
!
interface Vlan185
 ip address 192.168.185.1 255.255.255.0
!
interface Vlan186
 description "Logical Interface for ADMIN context firewall"
 ip address 192.168.186.1 255.255.255.0
!
interface Vlan190
 ip address 192.168.190.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.220.106
no ip http server
!
control-plane
!
dial-peer cor custom
!
line con 0
line vty 0 4
 login local
 transport input telnet ssh
 transport output telnet ssh
!
!
end

=================================

Configuration on the FWSM:

CORE3-FWSM# sh run
: Saved
:
FWSM Version 3.1(6)
!
resource acl-partition 12
hostname CORE3-FWSM
interface Vlan180
!
interface Vlan186
!
interface Vlan188
!
interface Vlan190
!
passwd 2KFQnbNIdI.2KYOU encrypted
class default
 limit-resource All 0
 limit-resource IPSec 5
 limit-resource Mac-addresses 65535
 limit-resource ASDM 5
 limit-resource SSH 5
 limit-resource Telnet 5
!
no failover
no asdm history enable
arp timeout 14400
console timeout 0
admin-context ADMIN
context ADMIN
 description "ADMIN Context"
 allocate-interface Vlan186
 config-url disk:/contextADMIN
!
context A
 description "Unix Servers Farm"
 allocate-interface Vlan180
 allocate-interface Vlan188
 config-url disk:/contextA.cfg
!
context B
 description "WINTEL Servers Farm"
 allocate-interface Vlan190
 config-url disk:/contextB.cfg
!
prompt hostname context
Cryptochecksum:e89a1aaa37e2559418bdb042dbd6543d
: end

========================

Configuration on Context A:

CORE3-FWSM/A# sh run
: Saved
:
FWSM Version 3.1(6)
!
firewall transparent
hostname A
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan180
 nameif OUTSIDE
 bridge-group 1
 security-level 0
!
interface Vlan188
 nameif INSIDE
 bridge-group 1
 security-level 100
!
interface BVI1
 description "L3 interface for Context A"
 ip address 192.168.180.2 255.255.255.0
!
access-list 101 extended permit icmp any host 192.168.180.100
access-list 102 extended permit icmp host 192.168.180.100 any
access-list 102 extended permit icmp any host 192.168.180.100
pager lines 24
logging monitor debugging
mtu OUTSIDE 1500
mtu INSIDE 1500
icmp permit any OUTSIDE
no asdm history enable
arp timeout 14400
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.180.1 1
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.180.1 255.255.255.255 OUTSIDE
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:0878547f1b30fa39dbb0ff38806f88a7
: end

===========================

As you can see, I created vlan 188 for the "INSIDE" of context A, but if the server is inside the same subnet as the MSFC vlan 180, then having a different vlan for the inside part of the context breaks the fact that two hosts on the same subnet must also belong to the same vlan.

You will have different vlans, but the vlans will use the same IP subnet because the vlans are bridged by a BVI interface. That's the way it works in the FWSM, because the FWSM uses SVIs (virtual interfaces). If you had a PIX/ASA you wouldn't see a BVI, because the PIX/ASA automatically bridges the physical inside and outside interfaces.

Remember that the BVIs are created in the FWSM to bridge the inside and outside interfaces. Then you assign vlans to the ports where you are going to connect your servers or any other network device.

i.e.

Inside interface is interface vlan 180.

Outside interface is interface vlan 150.

You want your mail server on the inside. You assign the port where the mail server is connected to vlan 180. If you want it on the outside, you use vlan 150.

Take a look at this:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/exampl_f.html#wp1029042
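A quick way to check a transparent-mode context config for the points that come up in this thread: the access-lists in context A above are defined but never bound to an interface with `access-group`, so they filter nothing yet, and a bridge group needs both an inside and an outside member before the BVI can carry the server's traffic. This is an added example, not part of the thread and not a Cisco tool; the sample config is a constructed copy of the shape of the context A config above, the `access-group <acl> in interface <nameif>` form it looks for is the standard FWSM/ASA syntax, and the checks and their wording are my own assumptions about what is worth flagging.

```python
"""Lint an FWSM transparent-mode context config (added example, not Cisco's).

Assumed, not from the thread: the checks, their wording, and the sample
config below (a constructed copy of the context A config's shape).
"""
import re
from collections import defaultdict

# Constructed sample; swap in real `show run` output taken inside a context.
SAMPLE_CONFIG = """\
firewall transparent
hostname A
interface Vlan180
 nameif OUTSIDE
 bridge-group 1
 security-level 0
!
interface Vlan188
 nameif INSIDE
 bridge-group 1
 security-level 100
!
interface BVI1
 ip address 192.168.180.2 255.255.255.0
!
access-list 101 extended permit icmp any host 192.168.180.100
access-list 102 extended permit icmp host 192.168.180.100 any
access-list 102 extended permit icmp any host 192.168.180.100
telnet 192.168.180.1 255.255.255.255 OUTSIDE
"""

ACCESS_GROUP_RE = re.compile(r"access-group (\S+) (in|out) interface (\S+)")


def parse_context(text):
    """Pull out the pieces the checks need from a context's running config."""
    interfaces = {}           # nameif -> {"vlan", "bridge", "level"}
    acls = defaultdict(list)  # ACL name -> its access-list lines
    access_groups = {}        # ACL name -> (direction, nameif) it is bound to
    telnet_ifaces = set()     # nameifs on which telnet management is allowed
    transparent = False
    current = None            # interface block currently being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None    # "!" ends a block in IOS/FWSM configs
            continue
        if line == "firewall transparent":
            transparent = True
        elif line.startswith("interface "):
            current = {"vlan": line.split()[1], "bridge": None, "level": None}
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key == "nameif":
                interfaces[value] = current
            elif key == "bridge-group":
                current["bridge"] = value
            elif key == "security-level":
                current["level"] = int(value)
        elif line.startswith("access-list "):
            acls[line.split()[1]].append(line)
        elif line.startswith("access-group "):
            m = ACCESS_GROUP_RE.match(line)
            if m:
                access_groups[m.group(1)] = (m.group(2), m.group(3))
        elif line.startswith("telnet ") and not line.startswith("telnet timeout"):
            telnet_ifaces.add(line.split()[-1])
    return interfaces, acls, access_groups, telnet_ifaces, transparent


def lint_context(text):
    """Return finding strings; an empty list means nothing was flagged."""
    interfaces, acls, access_groups, telnet_ifaces, transparent = parse_context(text)
    findings = []
    # 1. An access-list filters nothing until access-group binds it to an interface.
    for name in sorted(acls):
        if name not in access_groups:
            findings.append(f"access-list {name} is defined but never applied with access-group")
    # 2. In transparent mode each named interface must sit in a bridge group,
    #    and a bridge group needs an inside and an outside member to pass traffic.
    members = defaultdict(list)
    for nameif, info in interfaces.items():
        if info["bridge"] is None:
            if transparent:
                findings.append(f"interface {nameif} has no bridge-group in transparent mode")
        else:
            members[info["bridge"]].append(nameif)
    for bg, names in sorted(members.items()):
        if len(names) != 2:
            findings.append(f"bridge-group {bg} has {len(names)} member(s), expected 2")
    # 3. Management access on the lowest-security interface deserves a second look.
    def level(nameif):
        lvl = interfaces[nameif]["level"]
        return lvl if lvl is not None else 100   # assumption: unset level treated as inside-like
    if interfaces:
        lowest = min(interfaces, key=level)
        if lowest in telnet_ifaces:
            findings.append(f"telnet management access is permitted on lowest-security interface {lowest}")
    return findings


if __name__ == "__main__":
    for finding in lint_context(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports both ACLs as unapplied and flags telnet on OUTSIDE; once `access-group 101 in interface OUTSIDE` (and the equivalent for 102) is added to the context, the ACL findings go away, which is the step the original question is missing.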
