Cisco Support Community
Community Member

FWSM outside interface

I'm trying to make two outside interfaces in FWSM talk to each other and I can't seem to make it work. Any idea or sample configuration, please?

7 REPLIES
Hall of Fame Super Blue

Re: FWSM outside interface

Hi

What do you mean by talk to each other? Do you mean from interface to interface?

Are you running multiple contexts? Do the contexts share a VLAN on the outside interface?

Please elaborate on what you need.

Jon

Community Member

Re: FWSM outside interface

Hi Jon, yes, the FWSM is running multiple contexts. In one of the contexts, I created multiple outside interfaces (e.g. vlan 500 and vlan 555).

I also attached a diagram to give a clearer view.

Thanks

Hall of Fame Super Blue

Re: FWSM outside interface

Okay, so you have 2 interfaces on the outside within the same context. Are the client PCs in the same VLANs as their relevant outside interface?

Presumably you are trying to get connectivity between your PCs?

Could you send a copy of your FWSM config?

Jon

Community Member

Re: FWSM outside interface

No, the client PCs are of different VLANs with respect to their respective outside interfaces.

I don't have a working config yet for this setup, but here is my current config:

nameif vlan325 internet security0

nameif vlan555 fwtest security0

nameif vlan327 inside security100

access-list inside_access_in extended permit ip x.x.x.x [IP from inside] host y.y.y.y [PC1]

access-list internet_access_in extended permit ip host y.y.y.y [PC1] host x.x.x.x [IP from inside]

access-list fwtest_access_in extended permit ip any

ip address inside

ip address internet

ip address fwtest

icmp permit any inside

icmp permit any internet

icmp permit any fwtest

no pdm history enable

arp timeout 14400

global (inside) 1 interface

global (internet) 1 interface

global (fwtest) 3 interface

global (bdoextranetout) 2 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (internet) 1 access-list fwtest_nat0_outbound

nat (fwtest) 3 access-list bdoextranetin_pnat_outbound_V3

!

interface inside

!

interface internet

!

!

interface fwtest

Hall of Fame Super Blue

Re: FWSM outside interface

Hi

Okay, before we do anything else, can you add the following if it isn't already in your config:

same-security-traffic permit inter-interface

and let me know what happens.

Jon

Community Member

Re: FWSM outside interface

Already added

same-security-traffic permit inter-interface

but still nothing happens.

Thanks

Hall of Fame Super Blue

Re: FWSM outside interface

Just thought I'd check :)

You say the PCs are not on the same VLANs as the FWSM outside interfaces.

Do you have Layer 3 SVIs for each outside interface of your FWSM on your switch?

It would help if you could send the full config for this context plus the relevant firewall lines (firewall vlan-group etc) from your switch plus an output of a sh ip int br on your switch.

Jon
