06-02-2012 07:21 AM - edited 03-11-2019 04:14 PM
Hi,
I have a Cisco FWSM installed in a Cisco 7613 router. The topology is as shown below:
7613+{FWSM}------3560---------3560----[10.220.0.0/29,10.220.1.0/29,10.220.2.0/29]
Here we created a p2p link between the 7613 gig port and the 3560 gig port (say 10.220.1.252/29), and there is a trunk between both 3560 switches. We wish to run the FWSM in router mode and configured vlan groups 10 (101,102) and 20 (200,201), and assigned both these groups to the firewall module. On the router, vlan 200 has been given IP address 192.168.2.1/24, while on the FWSM int vl 200 has been given 192.168.2.2. Although the interfaces are up and ping their individual IP addresses, they are not pinging each other (both IP addresses appear in sh arp though). Kindly help in resolving this issue.
Also I configured vlan 201 as inside; it is also up and visible in the arp of the router, but not pinging the others. Kindly help in the resolution of this issue.
We need to put this firewall in front of the router which has a serial line to another 7600 router. How would I take traffic to the FWSM? Please suggest what else I need to do, as I am new to FWSM.
Router config:
Router#sh firewall module
Module Vlan-groups
------ -----------
04 1,2
Router#sh firewall vlan-group
Display vlan-groups created by both ACE module and FWSM
Group Created by vlans
----- ---------- -----
1 ACE 100-101,200-202
2 <empty>
Router#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.225.62.145 - 001d.a156.9300 ARPA GigabitEthernet10/1
Internet 10.225.62.146 107 001d.a1a5.fbc1 ARPA GigabitEthernet10/1
Internet 192.168.2.1 - 001d.a156.9300 ARPA Vlan200
Internet 192.168.2.2 7 0007.0e5c.3d00 ARPA Vlan200
Internet 192.168.3.1 4 0007.0e5c.3d00 ARPA Vlan201
Internet 192.168.3.2 - 001d.a156.9300 ARPA Vlan201
FWSM config:
hostname FWSM
interface Vlan200
nameif outside
security-level 0
ip address 192.168.2.2 255.255.255.0
!
interface Vlan201
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect smtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4e3eadb1a489f3b696d0c6da8b1b20b9
: end
FWSM#
FWSM# sh arp
outside 192.168.2.1 001d.a156.9300
inside 192.168.3.2 001d.a156.9300
eobc 127.0.0.81 0000.1800.0000
FWSM# sh int
Interface Vlan200 "outside", is up, line protocol is up
Hardware is EtherSVI
MAC address 0007.0e5c.3d00, MTU 1500
IP address 192.168.2.2, subnet mask 255.255.255.0
Traffic Statistics for "outside":
6 packets input, 658 bytes
12 packets output, 1316 bytes
474 packets dropped
Interface Vlan201 "inside", is up, line protocol is up
Hardware is EtherSVI
MAC address 0007.0e5c.3d00, MTU 1500
IP address 192.168.3.1, subnet mask 255.255.255.0
Traffic Statistics for "inside":
6 packets input, 658 bytes
7 packets output, 726 bytes
107 packets dropped
06-02-2012 08:39 PM
Can you please advise what you are trying to ping and where you are trying to ping from?
Can you ping 192.168.2.1 from 192.168.2.2 and vice versa, and also can you ping 192.168.3.1 from 192.168.3.2 and vice versa?
06-03-2012 02:23 AM
The FWSM configuration looks OK so far.
Can you add the following:
icmp permit any outside
icmp permit any inside
Then try to ping again.
BTW, do VLANs 200 and 201 exist in the vlan database on the 7600?
Also, which device do the IP addresses 192.168.2.1 and 192.168.3.2 belong to?
If it's not the 7600, can you try creating VLAN interfaces 200 and 201, configuring IP addresses in those subnets, and seeing if you can ping?
06-03-2012 02:39 AM
What sort of NAT do you need, and/or what is the direction of the traffic? From outside to inside, from inside to outside, or both?
With the FWSM, you would need to configure an access-list on the interface to allow access through the FWSM.
Also, which version is your FWSM?
06-03-2012 04:52 AM
To send traffic towards the FWSM, you would need to make the FWSM your next hop.
For your internal network 10.0.0.0 to reach the Internet, it would need to pass through the FWSM, i.e. the route needs to point towards the FWSM inside interface as the gateway; then the traffic will be routed towards the FWSM.
Likewise, for incoming traffic from the Internet, you would also need to route the traffic towards the FWSM outside interface.
Since you have private IP addresses on both your inside and outside interfaces, I assume that you have another device in front of the FWSM that will be performing the NAT/PAT to public IPs? If that is the case, then you don't actually have to configure NAT on the FWSM; you just have to configure static NAT to itself.
06-04-2012 01:36 AM
Do you have a route for the 10.220.2.0 network pointing back via the FWSM inside interface?
You would need to have the following route:
route inside 10.220.2.0 255.255.255.0 192.168.3.2
You won't be able to telnet to the lowest-security interface on the FWSM, and the outside interface has the lowest security level. This is the behaviour by design. You can, however, SSH to the outside interface, and you need to configure the following:
ssh 0 0 outside
The above command will allow any IP address to SSH to the outside interface IP.
Please also generate an RSA keypair for SSH, as SSH is an encrypted session: crypto key generate rsa
06-04-2012 04:31 AM
Yes, that is the correct behaviour of the FWSM, i.e. you can only ping the inbound interface of the FWSM, not the cross interface. E.g. if you are pinging towards the outside interface, you can only ping the outside, not the inside interface, and vice versa.
In regards to SSH, what username did you try to SSH with? By default, if you haven't configured any AAA, the username will be pix, and the password will be the one that you configured with the "passwd" command.
06-04-2012 05:44 AM
Well, you can't really disable "route outside 0 0" on the FWSM; otherwise, how is the FWSM supposed to route the traffic?
Can you please advise where you are trying to ping to and from, and how the hosts are connected?
The FWSM is just like a routed hop, the same as a router. So if you need traffic to go through the FWSM, just think of it as traffic going through a router and configure the routing the same way.
Furthermore, you would need to configure an access-list on the inside interface if you are sending traffic towards the inside interface.
When you say the traffic was going through, where exactly is it going through? The FWSM? The 7600? And how do you test it?
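The replies above ask for several FWSM-side pieces one at a time (icmp permit on both interfaces, a return route for the inside network, an access-list on the inside interface, static NAT to itself, and SSH instead of telnet on the outside interface). The following is an added example that puts them together in pre-8.3 FWSM syntax; it is not configuration from the thread or from the poster's device. The interface addresses are the ones posted earlier; the 10.220.2.0/24 network, the ACL names INSIDE_IN and OUTSIDE_IN, the RSA modulus and the management source subnet are assumptions.

```cisco
! Added example, not from the thread: FWSM routed-mode pieces the replies call for.
! Interfaces as posted: outside = Vlan200 192.168.2.2/24, inside = Vlan201 192.168.3.1/24

! 1. Allow ICMP to the FWSM's own interfaces (the "icmp permit" lines from the reply).
icmp permit any outside
icmp permit any inside

! 2. Routing: default towards the 7600 (already in the posted config) plus a return
!    route for the inside network, via the address on the inside side of the FWSM.
!    10.220.2.0/24 is an assumed inside network taken from the reply.
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route inside 10.220.2.0 255.255.255.0 192.168.3.2 1

! 3. "Static NAT to itself": an identity translation so the FWSM passes the private
!    addresses unchanged and leaves NAT/PAT to the device in front of it.
static (inside,outside) 10.220.2.0 10.220.2.0 netmask 255.255.255.0

! 4. Access-lists (assumed names). Inside: what the inside hosts may start.
access-list INSIDE_IN extended permit ip 10.220.2.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!    Outside: the posted policy-map has no "inspect icmp", so ICMP is not tracked
!    statefully and echo replies must be permitted explicitly (or add "inspect icmp").
!    Nothing else is permitted inbound.
access-list OUTSIDE_IN extended permit icmp any 10.220.2.0 255.255.255.0 echo-reply
access-group OUTSIDE_IN in interface outside

! 5. Management: telnet to the lowest-security interface is refused by design, so use
!    SSH. Generate the host key first. The reply used "ssh 0 0 outside" (any source);
!    limiting the source to the management subnet (assumed here) is the safer form.
crypto key generate rsa modulus 1024
ssh 10.220.2.0 255.255.255.0 outside
ssh timeout 5
```

Without AAA, as the later reply notes, the SSH username is pix and the password is the one set with the passwd command. The inbound ACL on outside is deliberately narrow: the FWSM denies anything not listed, so only the echo replies for the inside network's own pings get through.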
06-04-2012 06:29 AM
Ahh ok, makes sense now. Thanks for the picture.
Based on that, I assume that you don't have the 192.168.3.0/24 subnet on the 3560 switch, right?
If that is the case, that means traffic from the 3560 will be routed next to the 7600, since you have the P2P link. What was the original default gateway on the 3560? Is it 10.225.62.145?
If that is the case, then you would need to change the default gateway on the 7600 to be the FWSM inside interface, since you don't have a VLAN on the 3560 that is in the same subnet as the FWSM inside interface.
06-04-2012 07:45 AM
Do you have physical access to your switches?
If you do, the best way is to create VLAN 201 on your 3560 and configure an IP address in the 192.168.3.0/24 subnet, then configure the default route to be the FWSM inside interface 192.168.3.1.
Then connect an interface on the 3560 to the 7600 and assign them to VLAN 201.
06-05-2012 07:19 AM
Do you have a trunk port between the 3560 and the 7600? Because as per your diagram, it seems that you only have a P2P link; therefore it's a routed (layer 3) connection instead of a layer 2 connection between the 2 devices.
If you do have a trunk port, or an access VLAN connected between the 2 apart from the P2P link, then yes, you can put the inside interface of the FWSM in the same VLAN as the 3560 VLAN. You would also need to change the VLAN assigned to the FWSM inside interface to the same VLAN as the 3560 VLAN that you are going to use.
To get all the routers' traffic to the FWSM inside: as long as the routers' next hop is the FWSM inside instead of the 7600(b), the traffic will be routed towards the FWSM. The router that is connected directly to the 7600(b) needs to have an interface in the same subnet as the FWSM inside interface, so you can configure the default route on that router to be the FWSM inside.
06-06-2012 06:47 AM
Please configure the following command on the 7600:
firewall multiple-vlan-interfaces
06-06-2012 11:29 PM
No, you can't have the P2P connection with the router's serial interface be on the FWSM as well.
If you have a P2P link between the switch and the router, then the FWSM needs to be configured as the next hop on a different subnet/VLAN on the router.
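The replies about the switch side (create VLAN 201 on the 3560 with an address in 192.168.3.0/24, point its default route at the FWSM inside, connect it to the 7600 in VLAN 201, and add firewall multiple-vlan-interfaces on the 7600) are collected below as an added example. It is not configuration from the thread. The FWSM slot (4) and vlan-group number (1) come from the poster's show firewall output; the port names GigabitEthernet10/2 on the 7600 and GigabitEthernet0/1 on the 3560, the 10.220.2.0/24 inside network and the /24 masks on the 3560 LANs are assumptions.

```cisco
! Added example, not from the thread: 7600 supervisor and 3560 side.
! ---------------- 7600 (supervisor) ----------------
vlan 200
 name FWSM-outside
vlan 201
 name FWSM-inside
! Hand both VLANs to the FWSM in slot 4 (slot and group from the posted show output)
firewall vlan-group 1 200,201
firewall module 4 vlan-group 1
! Required when the supervisor keeps SVIs in more than one of the FWSM's VLANs,
! which is what the posted config does (Vlan200 and Vlan201 both on the 7600).
firewall multiple-vlan-interfaces
! Router side of the FWSM outside subnet: this is the FWSM's default gateway.
interface Vlan200
 ip address 192.168.2.1 255.255.255.0
! The 3560 now owns 192.168.3.2, so the 7600 must give up its SVI in VLAN 201
! and instead carry VLAN 201 to the 3560 on a layer-2 port (assumed port name).
no interface Vlan201
interface GigabitEthernet10/2
 switchport
 switchport access vlan 201
 switchport mode access
! Return traffic for the inside networks must enter the FWSM on its OUTSIDE address,
! not via the old P2P link, or the stateful FWSM sees only one direction and drops it.
ip route 10.220.2.0 255.255.255.0 192.168.2.2
ip route 10.225.2.0 255.255.255.0 192.168.2.2
ip route 10.225.5.0 255.255.255.0 192.168.2.2
!
! ---------------- 3560 ----------------
ip routing
vlan 201
interface Vlan201
 ip address 192.168.3.2 255.255.255.0
interface GigabitEthernet0/1
 switchport access vlan 201
 switchport mode access
! Everything not local leaves through the firewall's inside interface.
ip route 0.0.0.0 0.0.0.0 192.168.3.1
! Remove the old default via the P2P link if that is what the 3560 currently has.
no ip route 0.0.0.0 0.0.0.0 10.225.62.145
```

The routes on the 7600 are the half that is easy to forget: with the 3560 defaulting to 192.168.3.1 but the 7600 still reaching 10.225.2.0 and 10.225.5.0 directly over the 10.225.62.144/30 link, outbound packets cross the FWSM while replies bypass it, and the FWSM drops the replies it never saw a connection for. The FWSM itself then needs the matching route inside statements for each of these networks via 192.168.3.2.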
06-03-2012 02:12 AM
Hi,
Thanks for the response; kindly let me know if the config is OK. I must respond to your query that I cannot ping 192.168.2.1 from 192.168.2.2 and vice versa. Also I cannot ping 192.168.3.1 from 192.168.3.2 and vice versa.
Thanks.
06-03-2012 02:35 AM
Hi,
This is to mention that both VLANs exist on the 7600 as well and have IPs configured on them.
And thanks for the icmp access list, as I can now ping all four IPs from both the 7600 and the FWSM.
Thanks.
Now I have a point-to-point link configured between the 7600 and the 3560 (several VLANs). How should I configure NAT on it? Can NAT be avoided?
Thanks.
06-03-2012 03:06 AM
Hi,
Our design is that of a triangle: three 7600s at three corners, but one is connected to the Internet directly. What type of NAT would be right here? I wish to keep my FWSM at the front of 7600(b), so that all traffic coming from/to (a) may pass through the firewall.
How do I start sending traffic through the FWSM, as my network is in the 10.0.0.0 range and I put 192.168.3.0 IP addresses on the inside interface of the FWSM?
              [Internet cloud]
                     |
               (a) 7613 (further network x.x.x.x/14)
               /            \
        7613 (b)            7613 (c)
(further network x.x.x.x/14)  (further network x.x.x.x/14)
06-03-2012 11:31 PM
Hi,
Thanks for being so helpful. There is a little issue that has arisen: I cannot ping the inside address configured on the FWSM (192.168.3.1), whereas I can ping 192.168.3.2 on the router interface. I cannot telnet to the FWSM using its outside interface IP 192.168.2.2 either. Here is my FWSM config; kindly suggest if there is any mistake.
Thanks.
Also I tried to ping the inside FWSM interface from my client 10.220.2.2 and enabled debug, to get these:
FWSM# debug icmp trace 255
debug icmp trace enabled at level 255
FWSM# ICMP echo request (len 50 id 2 seq 34642) 10.220.2.2 > 192.168.2.2
ICMP echo reply (len 50 id 2 seq 34642) 192.168.2.2 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 34898) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 50 id 2 seq 34898) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 35154) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 35154) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 43602) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 43602) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 49746) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 49746) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 55634) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 55634) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 25683) 10.220.2.2 > 192.168.2.2
ICMP echo reply (len 50 id 2 seq 25683) 192.168.2.2 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 25939) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 50 id 2 seq 25939) 192.168.3.1 > 10.220.2.2
Kindly suggest what could be done.
thanks.
06-04-2012 02:02 AM
Hi,
Thanks for the response. I wish to mention that I have my client outside of the outside interface. Whatever I searched, I got that we may not be able to ping the inside interface from an outside client; is it so? Also, I did what is mentioned above for SSH; the FWSM had an RSA key generated. I tried to connect to the 192.168.2.2 outside interface through an SSH client, but the following debug message appeared on the FWSM; kindly take a look:
SSH0: SSH client: IP = '10.220.2.2' interface # = 1
SSH: host key initialised
SSH: license supports 3DES: 2
SSH: license supports DES: 2
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.99-Cisco-1.25
SSH0: send SSH message: outdata is NULL
server version string:SSH-1.99-Cisco-1.25SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-1.99-3.2.5 SSH Secure Shell for Windows
client version string:SSH-1.99-3.2.5 SSH Secure Shell for WindowsSSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 590 ms
SSH2 0: SSH2_MSG_KEXINIT sent
SSH2 0: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes128-cbc hmac-md5 none
SSH2: kex: server->client aes128-cbc hmac-md5 none
SSH2 0: expecting SSH2_MSG_KEXDH_INIT
SSH2 0: SSH2_MSG_KEXDH_INIT received
SSH2 0: signature length 143
SSH2: kex_derive_keys complete
SSH2 0: newkeys: mode 1
SSH2 0: SSH2_MSG_NEWKEYS sent
SSH2 0: waiting for SSH2_MSG_NEWKEYS
SSH2 0: newkeys: mode 0
SSH2 0: SSH2_MSG_NEWKEYS receivedSSH(cisco): user authen method is 'no AAA', aaa server group ID = 0
SSH0: TCP read failed, error code = 0x86300003 "TCP connection closed"
SSH0: receive SSH message: [no message ID: variable *data is NULL]
SSH0: Session disconnected by SSH server - error 0x00 "Internal error"
FWSM#
06-04-2012 05:26 AM
Hi,
Great, I got the SSH session going using the credentials you suggested. Thanks a lot.
I now try to divert the traffic to the FWSM. Let me tell you that I have 10 more routers connected to this 7600 (which is a core router) and as many LANs also communicating through this 7600. We are using static routing at branch level (between the 7613 and the 10 routers), where all branch traffic comes to the 7600 through default routes, and OSPF between our three 7600 routers.
Further, I have the LANs of this 7600 (10.225.2.0) and (10.225.5.0) connected to a 3560, which is connected to a gigabit interface of this 7600. The link between the 7600 and the 3560 is point to point.
To divert traffic coming from the 3560, I set its default route to 0.0.0.0 0.0.0.0 192.168.3.1 (inside at the FWSM), but I had to give a static route as well for 192.168.2.0/3.0 on the 3560. Then I disabled route outside 0 0 on the FWSM, and still the traffic was going through.
Kindly suggest how to divert traffic to the FWSM. Our 7600 and 3560 have a P2P link of 10.225.62.144/30. If any other information is required, kindly let me know.
06-04-2012 06:16 AM
Hi,
I removed the outside route to see if the traffic that was coming from the 3560 was still going through the FWSM, because if I set the default route to the FWSM inside interface at the 3560, traffic must come to the FWSM and halt in the absence of the outside route. I am trying to give my network structure here, to clear things up more:
              [Internet cloud]
                     |
               (a) 7613 ------ routers 1-12
         (further network x.x.x.x/14)
               /            \
7613 (b) ----- routers 1-10 connected down the line        7613 (c) ----- routers 1-10
(further network x.x.x.x/14)                               (further network x.x.x.x/14)
------------------------------------------------------------------------
Further, I describe the 7600(b) LAN segment:
        7600(b)
          | (10.225.62.145)/30 (P2P link)
          | (10.225.62.146)/30
         3560
         /  \
        /    \
   vlan 2     vlan 5
(10.225.2.x) (10.225.5.x)
Hope the picture is a little clearer now. Kindly suggest how I must route traffic coming from the down-the-line routers and the various LANs connected through the 3560.