Community Member

FWSM: Route between multiple security contexts

Is it possible to route between multiple security contexts on a FWSM?

In a campus environment we would like to install a FWSM to secure VLANs, replacing the SVIs on the MSFC. The VLANs represent different departments with security requirements and are currently interfaces on the MSFC, with ACLs used for access.

In a test setup, routing over the MSFC works fine, but routing back to another security context does not. How can we route between two (or more) security contexts?

3 ACCEPTED SOLUTIONS

Hall of Fame Super Blue

Re: FWSM: Route between multiple security contexts

Hi

Depends exactly what you mean. To move between contexts on the FWSM you would need to do one of 2 things

1) Have a shared vlan with servers that all contexts need to access. Probably not what you want.

2) You could share the outside vlan between contexts. Each outside interface from each context would be on the same subnet. You would have to have an MSFC SVI for this subnet. Then you route between contexts via the MSFC SVI. It is still secure because you can't bypass the outside interface of any of the contexts.

HTH

Jon

Community Member

Re: FWSM: Route between multiple security contexts

You can also set up dedicated VLANs for interconnecting contexts. For instance, you can put an interface on each context on VLAN x and then route between them. You can also bypass the MSFC this way. Although if you are planning to do it with a lot of contexts, a shared outside is probably the best approach.

To set up a shared VLAN, just allocate the same vlan to both contexts:

context A
  allocate-interface Vlan999
context B
  allocate-interface Vlan999

Then give them an IP on the same subnet and an access-list on each context interface and put in your routes, also no nat-control to get rid of those terrible static nat commands.
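The dedicated inter-context VLAN described in this reply, written out as an added example (not configuration from the original posts). Context names, VLAN numbers, subnets and the permitted port are hypothetical; the point is that each context's own access-list on the transit interface decides what may cross, so the transit VLAN does not bypass either firewall.

```cisco
! --- System context: hand the transit VLAN (999) and one department VLAN to each context
! (context names, VLAN numbers and addresses are hypothetical, chosen for this example)
context DEPT-A
  allocate-interface Vlan10
  allocate-interface Vlan999
  config-url disk:/DEPT-A.cfg
context DEPT-B
  allocate-interface Vlan20
  allocate-interface Vlan999
  config-url disk:/DEPT-B.cfg
!
! --- Inside context DEPT-A
interface Vlan10
  nameif inside
  security-level 100
  ip address 10.10.0.1 255.255.255.0
interface Vlan999
  nameif transit
  security-level 0
  ip address 10.99.0.1 255.255.255.0
! No NAT is needed to route between contexts, so drop the nat-control requirement
no nat-control
! Only traffic explicitly permitted here may enter DEPT-A from the transit VLAN
access-list TRANSIT_IN extended permit tcp 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0 eq 443
access-group TRANSIT_IN in interface transit
! Reach DEPT-B's inside subnet through DEPT-B's transit address
route transit 10.20.0.0 255.255.255.0 10.99.0.2 1
!
! --- Inside context DEPT-B (mirror image)
interface Vlan20
  nameif inside
  security-level 100
  ip address 10.20.0.1 255.255.255.0
interface Vlan999
  nameif transit
  security-level 0
  ip address 10.99.0.2 255.255.255.0
no nat-control
! DEPT-B likewise permits only the flows it wants from DEPT-A; replies are handled statefully
access-list TRANSIT_IN extended permit tcp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 eq 443
access-group TRANSIT_IN in interface transit
route transit 10.10.0.0 255.255.255.0 10.99.0.1 1
```

With this layout a host in VLAN 10 reaching 10.20.0.0/24 on port 443 leaves DEPT-A via its transit interface and is then inspected by DEPT-B's TRANSIT_IN list before entering VLAN 20; anything not listed on the receiving context is dropped.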

Community Member

Re: FWSM: Route between multiple security contexts

Adding to what has been said above: you could use the VRF feature of the SUP-720, put each virtual context in its own routing domain, and route accordingly.

4 REPLIES
Community Member

Re: FWSM: Route between multiple security contexts

The problem with routing between the security contexts was caused by an incomplete configuration. Adding nat 0 for the right hosts solved this. Everybody, thanks for the quick response and help.
