Re: FWSM With multi Context in transparent mode

wanglifeng · ‎07-28-2007

Hello guys,

Yesterday, I was configuring a FWSM located at 6509's slot 2, which was setup between a Catalyst 4507R Switch and C6509's MSFC for filtering packets!

The FWSM was deployed in multi context transparent mode! The problem is that I can ping the FWSM Mgmt address from 4507R and 6509 MSFC, but when i ping from 4507R to 6509 MSFC, it didn't reply!

When I see the arp table in 4507R and 6509 MSFC, i can see the each other's item! I has set the acl "permit ip any any" in both direction for testing, but it still didn't work! when I type the command: "show ip ospf neighbor" , the Ospf Neighbor relationship for 4507R and 6509 MSFC was stuck in Exchange mode!

Does someone got any ideas! Help, please!

The following is the configuration:

Native IOS：

Firewall multiple-vlan-interface

Filewall module 2 vlan-group 1

Firewall vlan-group 1 500-503

Vlan 500

Name ?Context Server Inside To 4507R?

Vlan 501

Name ?Context Server outside To 6509 MSFC?

Int gi 7/4

Switchport

Switchport trunk encapsulation dot1q

Switchport mode trunk

Switchport trunk allowed vlan 500,501

4507R：

Vlan 500

Name ?To 6509 FWSM?

interface vlan 500

desc ?To 6509 FWSM?

ip address 10.137.0.142 255.255.255.248

Int gi 5/17

Switchport

Switchport trunk encapsulation dot1q

Switchport mode trunk

Switchport trunk allowed vlan 500,501

FWSM：

Mode multiple

Firewall transparent

Hostname XXXX

Passwd cisco

Enable password cisco

Admin-context Server

Context Server

Allocate-interface vlan500

Allocate-interface vlan501

Config-url disk:Server.cfg

Context Internet

Allocate-interface vlan502

Allocate-interface vlan503

Config-url disk:Internet.cfg

changeto context Server

hostname Server

nameif vlan501 outside security0

nameif vlan500 inside security100

passwd cisco

enable password cisco

ip address 10.137.0.143 255.255.255.248

route outside 0 0 10.137.0.141

icmp permit any inside

icmp permit any outside

telnet 0 0 inside

access-list inside_in extended permit icmp any any

access-list inside_in extended permit 89 any any

access-list inside_in extended permit ip any any

access-list inside_in extended permit icmp any any

access-list outside_in extended permit 89 any any

access-list outside_in extended permit ip any any

access-group inside_in in interface inside

access-group outside_in in interface outside

Thanks!

pccw258103 · ‎07-29-2007

clear all configruation and set each context to run in transparent firewall mode (the default routed firewall mode).

fwsm(config)# firewall transparent

The transpare firewall is layer2 firewall without ip address participate except the management IP address for fwsm.

!CLI

!assign a bridge group interface

fwsm(config-if)# interface bvi 1

!assign interface to bridge group

fwsm(config)# interface vlan 500

fwsm(config-if)# nameif inside

fwsm(config-if)# security-level 100

fwsm(config-if)# bridge-group 1

fwsm(config-if)# interface vlan 501

fwsm(config-if)# nameif outside

fwsm(config-if)# security-level 0

fwsm(config-if)# bridge-group 1

!assign ip address for management ONLY

fwsm(config-if)# ip address 10.77.77.7 255.255.255.0 standby 10.77.77.17

Remember that no ip address involve such nat ,dhcp relay, dynamic routing etc.

wanglifeng · ‎07-29-2007

Thanks pccw258103,

but my fwsm's software version is 2.3, does it support the command "bridge-group"!

wanglifeng · ‎07-30-2007

Someone help please!

Jon Marshall · ‎07-30-2007

Hi

Can you send

1) output of "sh ip int br" from 4507R and 6500.

2) output of

"sh run int vlan 500" from 4507R

"sh run int vlan 501" from 6500

Jon

wanglifeng · ‎07-30-2007

Thank you jon.marshall ,

Because customer's network is a private one,

I cann't telnet to the device right now! But I am sure both SVIs on 4507R and 6500 are up, and the addresses are on the same subnet!

I could see the address of SVI on 6500 at 4507R's arp-cache, and the address of SVI on 4507R at 6509's arp-cache!