Cisco Support Community

New Member

New DMZ in FWSM

Hi Friends,

We have two FWSMs on 6509 boxes. The inside security level is 100, outside is zero, and one DMZ has security level zero. I want to create another DMZ.

Could someone explain to me the steps to create a DMZ in FWSM? I am not an expert on FWSM. Also, the new DMZ should be able to communicate with the existing DMZ.

OSPF is running on the FWSM.

Regards,

Malik


25 REPLIES

New DMZ in FWSM

Hello Faisal,

Check the configuration with show run and follow the same configuration commands:

interface vlan X

nameif DMZ_2

ip address x.x.x.x x.x.x.x

security-level #

Then create the right NAT for the traffic between the VLANs, and ACLs as needed.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

New Member

New DMZ in FWSM

Thanks Julio for your reply. My concern was what security level I should assign to the new DMZ so it could communicate with the existing VLAN; servers in the new DMZ will also be accessed through SSL VPN from outside.

inside interface security level 100

outside interface security level 0

existing dmz security level 0

new dmz security level ???

Finally, why do we need NAT?

Regards,

New DMZ in FWSM

Hello Faisal,

For that you will need to consider the servers/devices you will set on that interface.

If there are critical boxes then set a higher security level (100) so you can control traffic in a more responsible way (denying traffic from lower to higher by default) and modify it as your needs require, instead of using a lower security level and allowing traffic to it by default.

So at the end it will all depend on what you host behind it.

Now depending on the security level you will configure NAT and ACLs.

NAT is needed in order to be able to communicate with a public IP address from a private IP address. Remember that for you to go through the internet you MUST have a public IP address.

NAT is here to do two things:

Preserve the IPv4 address space

Allow you to communicate over the internet with another host

Cheers,

Julio Carvajal Segura
New Member

New DMZ in FWSM

Thanks for the brief reply. I am not NATting anything on the FWSM; there is a default route on the outside interface connected to another vendor's device, and we are doing NAT on that box, not on the FWSM.

NOW my question is: if I set security level 50 for the new DMZ, do I need an ACL to allow traffic to talk to the existing DMZ, which has security level zero, as well as to the outside interface?

New DMZ in FWSM

Then no NAT is needed here.

With a security level of 50 traffic from new DMZ to old DMZ will be allowed as well as going to Outside.

Now for traffic generated on the other side you WILL need an ACL.

Cheers,

Julio Carvajal Segura
New Member

New DMZ in FWSM

Sorry Julio, which other side?

New DMZ in FWSM

Let's say you want to connect to a server on the New DMZ from the old DMZ or the Outside interface.

You will be going from lower to higher so an ACL will be needed on the lower security interface in the IN direction.

Remember to rate all of the helpful posts, such as the ones I have provided, Faisal.

Cheers,

Julio Carvajal Segura
New Member

New DMZ in FWSM

Thanks Julio for your help

New DMZ in FWSM

Hello,

No problem Faisal.

Cheers,

Julio Carvajal Segura
New Member

New DMZ in FWSM

Sorry to bother you again Julio. I found this line in the running config; could you tell me why it's there?

static (dmz-abc,outside) 10.9.2.0 10.9.2.0 netmask 255.255.255.0

New DMZ in FWSM

Hello,

That's basically an Identity NAT.

That lets the FWSM know that 10.9.2.0 will look like 10.9.2.0 on the outside interface (a no-NAT rule).

So, as you said, you do not have any NAT; no worry, it is basically doing nothing hehe.

Cheers,

Julio Carvajal Segura
New Member

New DMZ in FWSM

Thanks

New DMZ in FWSM

Sure,

And remember to rate the answers (let me know if you do not know how)

Cheers,

Julio Carvajal Segura
New Member

New DMZ in FWSM

Normally you can enter sh run int vlan xyz to check for any ACL and the rest of the config under any VLAN. How can you check in FWSM whether there is any ACL under a VLAN?

sh run int vlan xyz ??

New DMZ in FWSM

With the command:

show run access-group

Cheers,

Julio Carvajal Segura
New Member

New DMZ in FWSM

you have made my day Julio bundle of thanks

New DMZ in FWSM

Hello.

LOL

No problem bud

Cheers,

Julio Carvajal Segura
Hall of Fame Super Blue

Re: New DMZ in FWSM

Malik

Julio has done a great job of providing you the config for the actual FWSM. Before you configure that, though, you need to create a L2 vlan on the 6500 and assign that vlan to the FWSM.

Are you okay with doing that?

Jon

New Member

New DMZ in FWSM

Yeah Jon, I guess it should be like this:

vlan 100

name ABC

int vlan 100

no shutdown

Correct?

Hall of Fame Super Blue

Re: New DMZ in FWSM

Malik

Not quite. There are a couple of steps before you configure the actual FWSM -

1) create the L2 vlan as in your config but do not create a L3 vlan interface, so you don't need the second bit of your above config. If you create a L3 SVI then the 6500 will simply route around the firewall so just

vlan 100

name ABC

2) you now need to assign the vlan to the FWSM. Do a "sh run" on your 6500 and near the top will be two lines like this -

firewall module 7 vlan-group 1  <-- the 7 in this line matches the slot your FWSM is in on the 6500

firewall vlan-group 1 10,11,12

so you need to add your vlan to the second line above, i.e.

firewall vlan-group 100

That should do it. One other thing: if you have two 6500s interconnected, each with an FWSM, then unless you are running VSS you will need to do step 2) on the other 6500 as well, because from memory it is not replicated.

Jon

New Member

New DMZ in FWSM

Great information Jon, we are using VSS.

New Member

New DMZ in FWSM

In global config it should be like this:

(config)# firewall vlan-group 100 10

?????

New Member

New DMZ in FWSM

On both VSS switches?

Hall of Fame Super Blue

Re: New DMZ in FWSM

Malik

My apologies, in the example I gave I missed out the vlan group number, so the command is -

firewall vlan-group  

i.e. you reference the vlan-group number and then specify the vlan you want to add.

With VSS you only configure the active switch and the config is replicated for you so no need to configure these commands on both switches.

Jon
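Pulling together Julio's FWSM interface and ACL answers with Jon's 6500 VLAN steps, here is an added end-to-end example; it is not config posted by anyone in this thread. The VLAN number 100, the interface name dmz-new, the 10.9.3.0/24 subnet, the 10.9.3.10 server, and the ACL names are assumed values, and module 7 / vlan-group 1 are taken from Jon's sample lines.

```cisco
! --- Catalyst 6500 (with VSS: active switch only) -------------------
! 1) L2 VLAN only. No "interface Vlan100" SVI on the 6500, otherwise it
!    routes around the FWSM instead of through it.
vlan 100
 name DMZ-NEW
!
! 2) Hand the VLAN to the FWSM by appending it to the existing group.
firewall module 7 vlan-group 1
firewall vlan-group 1 10,11,12,100

! --- FWSM -----------------------------------------------------------
! 3) New DMZ interface at level 50: below inside (100), above the old
!    DMZ and outside (both 0). Assumed subnet 10.9.3.0/24.
interface Vlan100
 nameif dmz-new
 security-level 50
 ip address 10.9.3.1 255.255.255.0
!
! 4) Lower-to-higher traffic (outside or old DMZ -> server in dmz-new)
!    needs a permit in the ACL applied IN on the lower-security
!    interface. Permit only the published service, not the subnet.
access-list OUTSIDE_IN extended permit tcp any host 10.9.3.10 eq 443
access-list DMZ_ABC_IN extended permit tcp 10.9.2.0 255.255.255.0 host 10.9.3.10 eq 443
access-group OUTSIDE_IN in interface outside
access-group DMZ_ABC_IN in interface dmz-abc
!
! 5) Unlike the PIX/ASA, the FWSM forwards nothing without an access
!    list, so the new DMZ needs an inbound ACL even toward level 0.
access-list DMZ_NEW_IN extended permit ip 10.9.3.0 255.255.255.0 any
access-group DMZ_NEW_IN in interface dmz-new
!
! 6) No translation is done on the FWSM here, so mirror the existing
!    identity-NAT (no-NAT) line for the new subnet.
static (dmz-new,outside) 10.9.3.0 10.9.3.0 netmask 255.255.255.0

! --- Checks ---------------------------------------------------------
! Which ACL is bound to which interface and direction:
show run access-group
! Per-line hit counts, to confirm the permits are actually matching:
show access-list DMZ_NEW_IN
! Interface names and security levels as the FWSM sees them:
show nameif
```

Only one ACL can be bound per interface and direction, so in a live box the permit lines in step 4 go into whatever ACL show run access-group already shows on outside and dmz-abc, rather than binding a new one.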

New Member

Re: New DMZ in FWSM

Many thanks Jon
