New DMZ in FWSM

Faisal Shabbir
Level 1

Hi Friends,

We have two FWSMs on 6509 boxes. The inside security level is 100, outside is zero, and one DMZ has security level zero; I want to create another DMZ.

Could someone explain to me the steps to create a DMZ in FWSM? I am not an expert on FWSM. Also, the new DMZ should be able to communicate with the existing DMZ.

OSPF is running on the FWSM.

Regards,

Malik

Accepted Solutions

With the command:

show run access-group

Malik

Not quite. There are a couple of steps before you configure the actual FWSM -

1) Create the L2 vlan as in your config, but do not create an L3 vlan interface, so you don't need the second bit of your above config. If you create an L3 SVI then the 6500 will simply route around the firewall, so just

vlan 100
 name ABC

2) you now need to assign the vlan to the FWSM. Do a "sh run" on your 6500 and near the top will be two lines like this -

firewall module 7 vlan-group 1  <-- the 7 in this line matches the slot your FWSM is in on the 6500

firewall vlan-group 1 10,11,12

so you need to add your vlan to the second line above, i.e.

firewall vlan-group 100

That should do it. One other thing: if you have two 6500s interconnected, each with an FWSM, then unless you are running VSS you will need to do step 2) on the other 6500 as well because, from memory, it is not replicated.

Jon

Malik

My apologies, in the example I gave I missed out the vlan group number, so the command is -

firewall vlan-group <vlan-group-number> <vlan>

i.e. you reference the vlan-group number and then specify the vlan you want to add.

With VSS you only configure the active switch and the config is replicated for you so no need to configure these commands on both switches.

Jon

25 Replies

Julio Carvajal
VIP Alumni

Hello Faisal,

Check the configuration with show run and follow the same configuration commands:

interface vlan X
 nameif DMZ_2
 ip address x.x.x.x x.x.x.x
 security-level #

Then create the right NAT for the traffic between the vlans, and ACLs as needed.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks Julio for your reply. My concern was what security level I should assign to the new DMZ so it can communicate with the existing vlan; servers in the new DMZ will also be accessed through SSL VPN from outside.

inside interface security level 100

outside interface security level 0

existing dmz security level 0

new dmz security level ???

Finally, why do we need NAT?

Regards,

Hello Faisal,

For that you will need to consider the servers/devices you will set on that interface.

If there are critical boxes then set a higher security level (100) so you can control traffic in a more responsible way (denying traffic from lower to higher by default) and modify it to your needs, instead of using a lower security level and allowing traffic to it by default.

So at the end it will all depend on what you host behind it.

Now depending on the security level you will configure NAT and ACLs.

NAT is needed in order to be able to communicate with a public IP address from a private IP address. Remember that for you to go through the internet you MUST have a public IP address.

NAT is here to do two things:

Preserve the IPv4 address space

Allow you to communicate over the internet with another host

Thanks for the brief reply. I am not NATting anything on the FWSM; there is a default route on the outside interface connected to another vendor's device, and we are doing NAT on that box, not on the FWSM.

NOW my question is: if I set security level 50 for the new DMZ, do I need an ACL to allow traffic to talk to the existing DMZ, which has security level zero, as well as to the outside interface??

Then no NAT is needed here.

With a security level of 50, traffic from the new DMZ to the old DMZ will be allowed, as well as going to Outside.

Now for traffic generated on the other side you WILL need an ACL.

Sorry Julio, which other side???

Let's say you want to connect to a server on the New DMZ from the old DMZ or the Outside interface.

You will be going from lower to higher so an ACL will be needed on the lower security interface in the IN direction.

Remember to rate all of the helpful posts, such as the ones I have provided, Faisal.
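
Putting Jon's 6500 steps and Julio's security-level and ACL advice together, here is an added configuration example that is not from the thread. VLAN 200, the 10.9.3.0/24 addressing, the server at 10.9.3.10, the ACL names and the OSPF process id/area are assumptions; the slot and vlan-group numbers follow Jon's post.

```text
! --- Catalyst 6500 supervisor (repeat on the second chassis unless running VSS) ---
! Assumed: new DMZ is VLAN 200; FWSM in slot 7 bound to vlan-group 1 as in Jon's post.
vlan 200
 name DMZ_NEW
! No "interface Vlan200" SVI on the 6500: the MSFC would route around the FWSM.
! Adds VLAN 200 to the group already bound by "firewall module 7 vlan-group 1".
firewall vlan-group 1 200
! Verify VLAN 200 is now listed under group 1.
show firewall vlan-group

! --- FWSM ---
! Assumed addressing: 10.9.3.0/24, FWSM at .1, a web server at 10.9.3.10.
interface Vlan200
 nameif dmz-new
 security-level 50
 ip address 10.9.3.1 255.255.255.0
!
! Assumed OSPF process id and area; match the existing "router ospf" block.
router ospf 1
 network 10.9.3.0 255.255.255.0 area 0
!
! Identity static mirroring the existing dmz-abc one, so 10.9.3.0/24 crosses
! outside untranslated (NAT is done upstream, as stated in the thread).
static (dmz-new,outside) 10.9.3.0 10.9.3.0 netmask 255.255.255.0
!
! Level 50 -> level 0 (dmz-abc, outside) is allowed by default.
! Level 0 -> level 50 is not: permit it inbound on the LOWER-security interface,
! and only for the ports the server actually serves.
access-list OUTSIDE_IN extended permit tcp any host 10.9.3.10 eq 443
access-group OUTSIDE_IN in interface outside
access-list DMZ_ABC_IN extended permit tcp 10.9.2.0 255.255.255.0 host 10.9.3.10 eq 443
access-group DMZ_ABC_IN in interface dmz-abc
! Caveat: once an access-group is bound, anything the ACL does not permit is dropped,
! including flows the security levels previously allowed. If outside or dmz-abc
! already has an inbound ACL, append these lines to it instead of binding a new one.
!
! Check which ACL is bound where, then watch per-line hit counts.
show run access-group
show access-list OUTSIDE_IN
```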

Thanks Julio for your help

Hello,

No problem Faisal.

Sorry to bother you again Julio, I found this line in the running config; could you tell me why it's there?

static (dmz-abc,outside) 10.9.2.0 10.9.2.0 netmask 255.255.255.0

Hello,

That's basically an Identity NAT.

That lets the FWSM know that 10.9.2.0 will look like 10.9.2.0 on the outside interface (a no-NAT rule).

So, as you said, you do not have any NAT; no worry, it is basically doing nothing hehe

Thanks

Sure,

And remember to rate the answers (let me know if you do not know how)

Normally you can enter sh run int vlan xyz to check for any ACL and the rest of the config under any vlan. How can you check in FWSM whether there is any ACL under a vlan?

sh run int vlan xyz ??