Implementing FWSM with multiple context and failover
I will shortly be implementing a FWSM solution, consisting of 2x FWSMs and 2x 6500 Chassis. Each chassis will have a FWSM installed, and ideally I'd like to run active/active with 2 contexts (+ admin context) and failover. I have the standard license.
I want to achieve the following:
Active on FWSM A - Function is main flow of Traffic from inside to outside (internet traffic from inside network)
Active on FWSM B - Function is to host multiple DMZ interfaces for servers. Inside hosts will also need to communicate with these servers (inside being the same IP ranges using Context A for their internet traffic).
I would also require to configure failover between the contexts, and outside and inside VLANs for both contexts will be the same (same IP range).
When using multiple context mode, all of the configuration examples I have seen so far have the MSFC outside the FWSM, having the MSFC face the internet.
This is not the way I would like to implement the solution; I'd much rather have the FWSM facing the internet.
Is this indeed the case when running multi-context, that the MSFC must be 'outside' in this scenario?
Re: Implementing FWSM with multiple context and failover
Not sure if you are asking how to do the config or if your question is purely about the position of the MSFC.
Anyway in answer to your question about the MSFC, no it does not have to be in front of the FWSM. In fact when using multiple context you can have some contexts with MSFC in front and some with MSFC behind.
To configure with MSFC behind just make sure that the VLAN on the outside of the FWSM towards the internet does not have an SVI for it on the MSFC, i.e. don't configure a layer 3 interface for that VLAN on the 6500; just create it on the FWSM.
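The check implied by the answer above, as an added example that is not part of the original thread: a Python audit of a supervisor running-config that flags an SVI on the Internet-facing VLAN, and flags more than one SVI on FWSM VLANs, since the MSFC can then route between those VLANs around the module. The VLAN numbers, slot, addresses and function names are constructed for illustration, and the code assumes every `firewall vlan-group` is assigned to the FWSM.

```python
import re

def expand(vlan_list):
    """Expand an IOS VLAN list such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def fwsm_vlans(config):
    """VLANs handed to the FWSM via 'firewall vlan-group <n> <list>'."""
    groups = re.findall(r"^firewall vlan-group \d+\s+([\d,\-]+)\s*$", config, re.M)
    return set().union(*(expand(g) for g in groups))

def routed_svis(config):
    """VLAN ids whose SVI has an IP address and is not shut down."""
    svis = set()
    for block in re.split(r"^!\s*$", config, flags=re.M):
        m = re.search(r"^interface Vlan(\d+)\s*$", block, re.M)
        if (m and re.search(r"^\s+ip address \S+", block, re.M)
                and not re.search(r"^\s+shutdown\s*$", block, re.M)):
            svis.add(int(m.group(1)))
    return svis

def audit(config, outside_vlans):
    """Findings for SVIs that put the MSFC in front of, or around, the FWSM."""
    on_fwsm, svis = fwsm_vlans(config), routed_svis(config)
    findings = [f"Vlan{v}: SVI on outside VLAN, MSFC sits in front of the FWSM"
                for v in sorted(svis & set(outside_vlans))]
    shared = sorted(svis & on_fwsm)
    if len(shared) > 1:
        findings.append(f"SVIs on FWSM VLANs {shared}: MSFC can route around the FWSM")
    return findings

# Constructed supervisor config: VLAN 10 = outside (Internet), 20 = inside, 30 = DMZ.
SAMPLE = """\
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1
firewall vlan-group 1 10,20,30
!
interface Vlan10
 ip address 192.0.2.2 255.255.255.0
!
interface Vlan20
 ip address 10.1.1.1 255.255.255.0
!
"""
print("\n".join(audit(SAMPLE, outside_vlans={10})))
```

Removing the `interface Vlan10` stanza from the sample leaves only the inside SVI and the audit returns no findings, which is the layout the answer describes.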