MSFC can't ping BVI interface address on transparent FWSM v3.1
I have configured the transparent FWSM (version 3.1) on a Cat6500. I found I can't ping the BVI interface from the MSFC, and I have some questions as below:
1. For a transparent FWSM, are there other ways to access the FWSM module except "session slot # process 1"? I mean, can I telnet to this FWSM via the BVI interface?
2. I found that access-group can only be applied on a physical interface such as inside, outside or dmz; I can't apply it to the BVI interface. Am I right? I can't ping the BVI interface from the MSFC. Can anyone tell me whether there is something wrong in my configuration, or whether it actually can't be pinged?
3. CCO says it can have 8 bridge-groups per context. What does that mean? When I configured the FWSM, I found only 2 VLAN interfaces per bridge-group. So how can I have many interfaces in the inside or dmz interface? For example, I have 4 VLANs, HR, Finance, Market and RD, which are 10.1.1.0, 10.1.2.0, 10.1.3.0 and 10.1.4.0 respectively. I want them protected by the transparent FWSM. Can anyone give me the detailed configuration?
And if one context only supports 8 bridge-groups, does that mean it can only support 8 inside VLANs on the transparent firewall?
1) You should be able to access the FWSM using telnet. If you are trying to connect to the FWSM from a location other than a directly connected network, you will need to add a static route on the FWSM.
Use "telnet x.x.x.x <mask> <interface>" to restrict who can telnet to the device.
2) Please post your config; you should be able to ping the BVI IP address from your MSFC.
You can't apply an access-list to a BVI.
3) 8 bridge-groups per context, but each bridge-group can have only two interfaces. In that way traffic from one bridge-group is isolated from another bridge-group. But all 8 bridge-groups share the same AAA and logging configuration.
You cannot have 8 inside VLANs on the transparent firewall within the same bridge-group.
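As an added example (not from this thread or its posters), this is what the bridge-group pattern described in the answer looks like for two of the VLANs in the question, HR (10.1.1.0/24) and Finance (10.1.2.0/24); each further VLAN gets its own pair and bridge-group, up to 8 per context. The VLAN numbers, FWSM slot, BVI and MSFC addresses, interface names and the ICMP/telnet restrictions are assumptions.

```cisco
! --- MSFC (Cat6500 supervisor) --- assumed slot 3, assumed VLAN numbers
firewall vlan-group 1 110,111,120,121
firewall module 3 vlan-group 1
! The MSFC routes only on the "outside" VLAN of each bridge-group;
! the "inside" VLAN of each pair is carried only to the access ports.
interface Vlan110
 description HR outside (routed side)
 ip address 10.1.1.1 255.255.255.0
interface Vlan120
 description Finance outside (routed side)
 ip address 10.1.2.1 255.255.255.0

! --- FWSM, single transparent context ---
firewall transparent
! Bridge-group 1: HR. Exactly two VLAN interfaces per bridge-group.
interface Vlan110
 nameif hr-outside
 bridge-group 1
 security-level 0
interface Vlan111
 nameif hr-inside
 bridge-group 1
 security-level 100
interface bvi 1
 ip address 10.1.1.2 255.255.255.0
! Bridge-group 2: Finance, same pattern.
interface Vlan120
 nameif fin-outside
 bridge-group 2
 security-level 0
interface Vlan121
 nameif fin-inside
 bridge-group 2
 security-level 100
interface bvi 2
 ip address 10.1.2.2 255.255.255.0
! Policy is applied to the VLAN interfaces, never to the BVI.
access-list HR-IN extended permit tcp any 10.1.1.0 255.255.255.0 eq www
access-list HR-IN extended permit icmp any 10.1.1.0 255.255.255.0
access-group HR-IN in interface hr-outside
! Pings to the BVI itself are governed by "icmp", not by the access-group
! (assumed: only the MSFC address may ping the HR-side management address).
icmp permit host 10.1.1.1 hr-outside
! Restrict management access: only the MSFC may telnet in, via hr-outside.
telnet 10.1.1.1 255.255.255.255 hr-outside
telnet timeout 5
```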
My topology and configuration are in the attached file.
1. Server A can ping Server B, but the MSFC cannot ping the FWSM BVI interface;
2. In the second topology there are 3 inside VLANs, for the HR, RD and Market servers, located in different VLANs and different subnets. I want to protect them with the FWSM. Do I need to configure 3 VLAN pairs on the MSFC, 3 VLAN pairs on the FWSM and 3 bridge-groups?