Cisco Support Community
New Member

How to remove a context from FWSM installed in a 6500 switch in transparent mode and still allow traffic to pass over MSFC

Here is a quick summary of what I want to accomplish.

I have installed a FWSM with multiple contexts in a 6500 switch; some contexts are in route mode and I have 3 in transparent mode.

What I need to do is remove the transparent context and still allow all traffic that is going over this context, to avoid disrupting any connection. Once I have this part done I need to do a re-partition of the module because I am running out of space in some contexts. Please help with the steps to perform this job.

Here is an example of one Context in transparent mode:

firewall transparent

names
name 1.1.1.37 MSFC_A
name 1.1.1.38 MSFC_B
name 1.1.1.36 MSFC_HSRP
name 1.1.1.32 Site1
name 1.1.1.35 Site2
name 1.1.1.33 Site_HSRP
!
interface Vlan8
 nameif outside
 bridge-group 76
 security-level 0
!
interface Vlan 9
 nameif inside
 bridge-group 76
 security-level 100
!             
interface BVI76
 ip address 1.1.1.45 255.255.255.240 standby 1.1.1.46 

 

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Green

Good stuff, thanks for the feedback.  Glad you got it done.

--

Please remember to rate and select a correct answer
5 REPLIES
VIP Green

Do you have the FWSM set up in an active/standby failover?  If so, you should be able to do this with little or no down time.  If not then you will need to do a bit of planning and there will be some downtime.

What you could do, if it is not in an active/standby failover pair, is configure one of the other contexts to temporarily route the desired traffic, then move the interfaces in use by the context to the temporary context, then delete the transparent firewall and do what you need to do, and then later move the interfaces back.

Just keep in mind that once you remove the interfaces from the contexts you will need to reconfigure them. So before you do this I suggest creating scripts that will do everything for you and this should hopefully give you minimal down time.

--

Please remember to select a correct answer and rate helpful posts

New Member

Yes, it is running active/standby. I was looking more for an answer on how to get rid of the transparent firewall and only forward the bridge group to a vlan in the switch or something similar.

VIP Green

So you want to go from transparent to routed? If that is the case, I don't think there is any easy way to do it without any down time. You should be able to limit downtime because you have the active/standby failover setup. But it would take some planning, and you would have to change some routing in your network so that traffic for the 1.1.1.0 network goes to the new outside IP of the ASA.

Do you have more subnets connected to the ASA other than the 1.1.1.0 subnet?

--

Please remember to select a correct answer and rate helpful posts

New Member

What I basically did was remove the "out" vlan in the switch and replace it with exactly the same information (IP address, HSRP, etc.) in the "in" vlan; this way I moved everything to the switch and got rid of the transparent context. Thanks for your input.
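
As an added illustration (not code from the thread or from Cisco), a pre-change inventory of the kind the scripting advice above calls for: a Python parser that reads the interface section of a transparent context and lists, per bridge-group, the member VLANs and the BVI address that the switch-side change has to account for. The function names are hypothetical and the sample is the excerpt quoted in the question.

```python
import re

# Constructed sample: the interface section of the context quoted in the question.
SAMPLE = """\
interface Vlan8
 nameif outside
 bridge-group 76
 security-level 0
!
interface Vlan 9
 nameif inside
 bridge-group 76
 security-level 100
!
interface BVI76
 ip address 1.1.1.45 255.255.255.240 standby 1.1.1.46
"""

def parse_interfaces(text):
    """Split a config into interface blocks: {"vlan9": [[word, ...], ...]}."""
    blocks, name = {}, None
    for raw in text.splitlines():
        m = re.match(r"interface\s+(\S+)\s*(\d*)\s*$", raw)
        if m:
            name = (m.group(1) + m.group(2)).lower()  # "Vlan 9" -> "vlan9"
            blocks[name] = []
        elif name and raw.startswith(" ") and raw.strip():
            blocks[name].append(raw.split())
        else:
            name = None  # "!" or a top-level command closes the block
    return blocks

def bridge_inventory(text):
    """Map each bridge-group number to its member VLANs and BVI address."""
    inv = {}
    for name, cmds in parse_interfaces(text).items():
        opts = {c[0]: c[1:] for c in cmds}
        if name.startswith("bvi"):
            grp = inv.setdefault(int(name[3:]), {"members": [], "bvi": None})
            ip = opts.get("ip", [])
            if ip[:1] == ["address"] and len(ip) >= 3:  # "standby <addr>" is optional
                grp["bvi"] = {"ip": ip[1], "mask": ip[2], "standby": (ip[4:5] or [None])[0]}
        elif name.startswith("vlan") and "bridge-group" in opts:
            grp = inv.setdefault(int(opts["bridge-group"][0]), {"members": [], "bvi": None})
            lvl = opts.get("security-level")
            grp["members"].append({"vlan": int(name[4:]), "nameif": opts.get("nameif", [None])[0],
                                   "security_level": int(lvl[0]) if lvl else None})
    return inv

print(bridge_inventory(SAMPLE))  # one entry per bridge-group
```

Each bridge-group with two members marks a VLAN pair that the firewall currently separates, so any access rules the context enforced between them no longer apply once the pair is collapsed on the switch.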
