3085 Views | 0 Helpful | 23 Replies

Reg: FWSM router mode issue

cisco.anubhav
Level 1

Hi,

I have a Cisco FWSM installed on a Cisco 7613 router; the topology is as shown below:

        7613+{FWSM}------3560---------3560----[10.220.0.0/29,10.220.1.0/29,10.220.2.0/29]

Here we created a P2P link between a 7613 gig port and a 3560 gig port (say 10.220.1.252/29), and then there is a trunk between both 3560 switches. We wish to run the FWSM in router mode and configured VLAN groups 10 (101,102) and 20 (200,201), and assigned both these groups to the firewall module. On the router, VLAN 200 has been given IP address 192.168.2.1/24, while on the FWSM interface Vlan200 has been given 192.168.2.2. Although the interfaces are up and pinging their own IP addresses, they are not pinging each other (both IP addresses appear in sh arp though). Kindly help in resolving this issue.

Also I configured VLAN 201 as inside; it is also up and visible in the ARP table of the router, but not pinging others. Kindly help in the resolution of this issue.

We need to put this firewall in front of the router, which has a serial line to another 7600 router. How would I take traffic to the FWSM? Please suggest what else I need to do, as I am new to FWSM.

Router config:

Router#sh firewall module
Module Vlan-groups
------ -----------
  04   1,2

Router#sh firewall vlan-group
Display vlan-groups created by both ACE module and FWSM
Group    Created by      vlans
-----    ----------      -----
    1           ACE      100-101,200-202
    2                    <empty>

Router#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.225.62.145           -   001d.a156.9300  ARPA   GigabitEthernet10/1
Internet  10.225.62.146         107   001d.a1a5.fbc1  ARPA   GigabitEthernet10/1
Internet  192.168.2.1             -   001d.a156.9300  ARPA   Vlan200
Internet  192.168.2.2             7   0007.0e5c.3d00  ARPA   Vlan200
Internet  192.168.3.1             4   0007.0e5c.3d00  ARPA   Vlan201
Internet  192.168.3.2             -   001d.a156.9300  ARPA   Vlan201

FWSM config:

hostname FWSM
interface Vlan200
nameif outside
security-level 0
ip address 192.168.2.2 255.255.255.0
!
interface Vlan201
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4e3eadb1a489f3b696d0c6da8b1b20b9
: end
FWSM#

FWSM# sh arp
        outside 192.168.2.1 001d.a156.9300
        inside 192.168.3.2 001d.a156.9300
        eobc 127.0.0.81 0000.1800.0000

FWSM# sh int
Interface Vlan200 "outside", is up, line protocol is up
  Hardware is EtherSVI
        MAC address 0007.0e5c.3d00, MTU 1500
        IP address 192.168.2.2, subnet mask 255.255.255.0
  Traffic Statistics for "outside":
        6 packets input, 658 bytes
        12 packets output, 1316 bytes
        474 packets dropped
Interface Vlan201 "inside", is up, line protocol is up
  Hardware is EtherSVI
        MAC address 0007.0e5c.3d00, MTU 1500
        IP address 192.168.3.1, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
        6 packets input, 658 bytes
        7 packets output, 726 bytes
        107 packets dropped
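As an added example (not part of the original post and not a Cisco tool), the following Python script parses the two ARP listings quoted above, the 7613's "show arp" and the FWSM's "show arp", and checks that each side has learned the other's MAC address on the shared VLANs. The sample text is copied from the post; the pairing of 192.168.2.1 with 192.168.2.2 (VLAN 200) and 192.168.3.2 with 192.168.3.1 (VLAN 201) follows the post's description. A clean result means the Layer 2 path between the supervisor and the module is working, which points the troubleshooting at to-the-box ICMP policy or routing rather than at the VLAN plumbing.

```python
import re

# ARP listings copied from the post above (sample input, embedded here so the
# script runs offline).
IOS_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.225.62.145           -   001d.a156.9300  ARPA   GigabitEthernet10/1
Internet  10.225.62.146         107   001d.a1a5.fbc1  ARPA   GigabitEthernet10/1
Internet  192.168.2.1             -   001d.a156.9300  ARPA   Vlan200
Internet  192.168.2.2             7   0007.0e5c.3d00  ARPA   Vlan200
Internet  192.168.3.1             4   0007.0e5c.3d00  ARPA   Vlan201
Internet  192.168.3.2             -   001d.a156.9300  ARPA   Vlan201
"""

FWSM_ARP = """\
        outside 192.168.2.1 001d.a156.9300
        inside 192.168.3.2 001d.a156.9300
        eobc 127.0.0.81 0000.1800.0000
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
IOS_RE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+" + MAC + r"\s+ARPA\s+(\S+)")
FWSM_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+" + MAC + r"\s*$")


def parse_ios_arp(text):
    """IOS 'show arp' -> {ip: (mac, interface, is_local)}.
    An Age of '-' marks an address the router itself owns."""
    entries = {}
    for line in text.splitlines():
        m = IOS_RE.match(line)
        if m:
            ip, age, mac, iface = m.groups()
            entries[ip] = (mac, iface, age == "-")
    return entries


def parse_fwsm_arp(text):
    """FWSM 'show arp' -> {ip: (mac, nameif)}."""
    entries = {}
    for line in text.splitlines():
        m = FWSM_RE.match(line)
        if m:
            nameif, ip, mac = m.groups()
            entries[ip] = (mac, nameif)
    return entries


def cross_check(ios, fwsm, pairs):
    """pairs: (router_ip, fwsm_ip) tuples that share a VLAN.
    Returns a list of findings; an empty list means both sides resolved each other
    and the FWSM learned the MAC the router really owns."""
    findings = []
    for router_ip, fwsm_ip in pairs:
        router_self = ios.get(router_ip)
        if router_self is None or not router_self[2]:
            findings.append(f"{router_ip} is not a local address on the router")
            continue
        if fwsm_ip not in ios:
            findings.append(f"router has no ARP entry for FWSM address {fwsm_ip}")
        learned = fwsm.get(router_ip)
        if learned is None:
            findings.append(f"FWSM has no ARP entry for router address {router_ip}")
        elif learned[0] != router_self[0]:
            findings.append(f"FWSM holds {learned[0]} for {router_ip}, router owns {router_self[0]}")
    return findings


# The two SVI pairs from the post: VLAN 200 (outside) and VLAN 201 (inside).
PAIRS = [("192.168.2.1", "192.168.2.2"), ("192.168.3.2", "192.168.3.1")]

if __name__ == "__main__":
    problems = cross_check(parse_ios_arp(IOS_ARP), parse_fwsm_arp(FWSM_ARP), PAIRS)
    print("L2 adjacency OK" if not problems else "\n".join(problems))
```

Run against the listings from the post it reports no findings, which is consistent with the rest of the thread: the ping failure was fixed by the ICMP interface policy, not by any VLAN change.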

12 Accepted Solutions

Jennifer Halim
Cisco Employee


Ahh ok, makes sense now. Thanks for the picture.

Based on that, I assume that you don't have the 192.168.3.0/24 subnet on the 3560 switch, right?

If that is the case, that means traffic from the 3560 will be routed next to the 7600, since you have the P2P link. What was the original default gateway on the 3560? Is it 10.225.62.145?

If that is the case, then you would need to change the default gateway on the 7600 to be the FWSM inside interface, since you don't have a VLAN on the 3560 that is in the same subnet as the FWSM inside interface.


Do you have physical access to your switches?

If you do, the best way is to create VLAN 201 on your 3560 and configure an IP address in the 192.168.3.0/24 subnet, then configure the default route to be the FWSM inside interface, 192.168.3.1.

Then connect an interface on the 3560 to the 7600 and assign them to VLAN 201.


Do you have a trunk port between the 3560 and the 7600? Because as per your diagram, it seems that you only have a P2P link; therefore it's a routed (layer 3) connection instead of a layer 2 connection between the two devices.

If you do have a trunk port, or an access VLAN connected between the two apart from the P2P link, then yes, you can put the inside interface of the FWSM in the same VLAN as the 3560 VLAN. You would also need to change the VLAN assigned to the FWSM inside interface to the same VLAN as the 3560 VLAN that you are going to use.

To get all the routers' traffic to the FWSM inside, as long as the routers' next hop is the FWSM inside instead of the 7600(b), the traffic will be routed towards the FWSM. The router that is connected directly to the 7600(b) needs to have an interface in the same subnet as the FWSM inside interface, so you can configure the default route on that router to be the FWSM inside.

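To show why the 3560's default route did not pull traffic into the FWSM, here is an added Python model (not from the thread and not Cisco code) of the lookup a router performs: longest-prefix match, then recursive resolution of a static route's next hop until it lands on a connected subnet. The two route tables are constructed from the thread: the 3560 as the asker described it (P2P /30 to the 7600, VLANs 2 and 5, a default route to 192.168.3.1, and a static route for 192.168.3.0/24 via the 7600), and the 3560 after the change suggested above (VLAN 201 carried to the 7600 with an address in 192.168.3.0/24, assumed here to be 192.168.3.3, and the default route to 192.168.3.1). Interface names and the next hop of the asker's static route are assumptions.

```python
from ipaddress import ip_address, ip_network

# Route entries: (prefix, next_hop, interface). next_hop None means a connected route.
# The 3560 as described in the thread: no interface in 192.168.3.0/24, so the
# default route's next hop (the FWSM inside address) must itself be resolved via
# the static route toward the 7600. Interface names are assumed.
BROKEN_3560 = [
    ("10.225.62.144/30", None, "Gi0/1"),           # P2P link to 7600(b)
    ("10.225.2.0/24", None, "Vlan2"),
    ("10.225.5.0/24", None, "Vlan5"),
    ("192.168.3.0/24", "10.225.62.145", "Gi0/1"),  # static the asker added (assumed next hop)
    ("0.0.0.0/0", "192.168.3.1", None),            # default to the FWSM inside address
]

# The 3560 after the suggested change: VLAN 201 carried to the 7600 and an SVI
# in 192.168.3.0/24 (192.168.3.3/24 is a constructed value).
FIXED_3560 = [
    ("10.225.62.144/30", None, "Gi0/1"),
    ("10.225.2.0/24", None, "Vlan2"),
    ("10.225.5.0/24", None, "Vlan5"),
    ("192.168.3.0/24", None, "Vlan201"),
    ("0.0.0.0/0", "192.168.3.1", None),
]


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop, interface) or None."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def resolve(table, dst, max_depth=8):
    """Recursively resolve dst to (egress interface, on-link next hop).
    Returns None when the chain never reaches a connected route, e.g. a default
    route whose next hop is only reachable via that same default route."""
    hop = str(dst)
    for _ in range(max_depth):
        match = lookup(table, hop)
        if match is None:
            return None
        _net, next_hop, iface = match
        if next_hop is None:
            return iface, hop        # connected: the hop is reachable directly
        hop = next_hop               # static: find out where the next hop itself lives
    return None


def passes_through_fwsm(table, dst, fwsm_inside="192.168.3.1"):
    """True only if the frame is actually handed to the FWSM inside address."""
    result = resolve(table, dst)
    return result is not None and result[1] == fwsm_inside


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for an Internet host.
    for name, table in (("as described", BROKEN_3560), ("with VLAN 201", FIXED_3560)):
        print(name, resolve(table, "203.0.113.10"), passes_through_fwsm(table, "203.0.113.10"))
```

In the "as described" table the default route resolves, via the 192.168.3.0/24 static, to the 7600's P2P address, so the switch forwards Internet-bound traffic straight to the 7600 and the FWSM never sees it; removing the outside route on the FWSM could not change that. With VLAN 201 on the switch the same lookup ends on the FWSM inside address, which is the "next hop on a connected subnet" condition the replies above describe.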

Please configure the following command on the 7600:

firewall multiple-vlan-interfaces


No, you can't have a P2P connection with the router serial interface on the FWSM as well.

If you have a P2P link between the switch and the router, then the FWSM needs to be configured as the next hop on a different subnet/VLAN on the router.


23 Replies

Jennifer Halim
Cisco Employee

Can you please advise what you are trying to ping and where you are trying to ping from?

Can you ping 192.168.2.1 from 192.168.2.2 and vice versa, and also can you ping 192.168.3.1 from 192.168.3.2 and vice versa?

Hi,

Thanks for the response; kindly let me know if the config is OK. I must respond to your query that I cannot ping 192.168.2.1 from 192.168.2.2 and vice versa. Also I cannot ping 192.168.3.1 from 192.168.3.2 and vice versa.

Thanks.

The FWSM configuration looks OK so far.

Can you add the following:

icmp permit any outside

icmp permit any inside

Then try to ping again.

BTW, do VLANs 200 and 201 exist in the VLAN database on the 7600?

Also, which device do the IP addresses 192.168.2.1 and 192.168.3.2 belong to?

If it's not the 7600, can you try creating VLAN interfaces 200 and 201, configure an IP address in that subnet, and see if you can ping?

Hi,

This is to mention that both VLANs exist on the 7600 as well and have IPs configured.

And thanks for the ICMP access list, as I can now ping all four IPs from both the 7600 and the FWSM.

Thanks.

Now I have a point-to-point link configured between the 7600 and the 3560 (several VLANs). How should I configure NAT on it? Can NAT be avoided?

Thanks.

What sort of NAT do you need, and/or what is the direction of the traffic? From outside to inside, from inside to outside, or both?

With the FWSM, you would need to configure an access-list on the interface to allow access through the FWSM.

Also, what version is your FWSM?

Hi,

Our design is that of a triangle: three 7600s at three corners, but only one is connected to the Internet directly. What type of NAT would be right here? I wish to keep my FWSM in front on 7600(b), so that all traffic coming from/to (a) may pass through the firewall.

How do I start sending traffic through the FWSM, as my network is in the 10.0.0.0 range and I put 192.168.3.0 IP addresses on the inside interface of the FWSM?

                    [Internet cloud]
                           |
                 (a) 7613 (further network x.x.x.x/14)

7613 (b)                                          7613 (c)
(further network x.x.x.x/14)                      (further network x.x.x.x/14)

To send traffic towards the FWSM, you would need to make the FWSM your next hop.

For your internal network 10.0.0.0 to reach the Internet, it would need to pass through the FWSM, i.e. the route needs to point towards the FWSM inside interface as the gateway; then the traffic will be routed towards the FWSM.

Likewise, for incoming traffic from the Internet, you would also need to route the traffic towards the FWSM outside interface.

Since you have private IP addresses on both your inside and outside interfaces, I assume that you have another device in front of the FWSM that will be performing the NAT/PAT to a public IP? If that is the case, then you don't actually have to configure NAT on the FWSM; just configure static NAT to itself.

Hi,

Thanks for being so helpful. There is a little issue that has arisen: I cannot ping the inside address configured on the FWSM (192.168.3.1), whereas I can ping 192.168.3.2 on the router interface. I cannot telnet to the FWSM using its outside interface IP 192.168.2.2 either. Here is my FWSM config; kindly suggest if there is any mistake.

Thanks.

Also I tried to ping the inside FWSM interface from my client 10.220.2.2 and enabled debug, to get these:

FWSM# debug icmp trace 255
debug icmp trace enabled at level 255
FWSM# ICMP echo request (len 50 id 2 seq 34642) 10.220.2.2 > 192.168.2.2
ICMP echo reply (len 50 id 2 seq 34642) 192.168.2.2 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 34898) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 50 id 2 seq 34898) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 35154) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 35154) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 43602) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 43602) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 49746) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 49746) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 55634) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 55634) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 25683) 10.220.2.2 > 192.168.2.2
ICMP echo reply (len 50 id 2 seq 25683) 192.168.2.2 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 25939) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 50 id 2 seq 25939) 192.168.3.1 > 10.220.2.2

Kindly suggest what could be done.

Thanks.

Do you have a route for the 10.220.2.0 network pointing back via the FWSM inside interface?

You would need to have the following route:

route inside 10.220.2.0 255.255.255.0 192.168.3.2

You won't be able to telnet to the lowest-security interface on the FWSM, and the outside interface has the lowest security level. This is the behaviour by design. You can, however, SSH to the outside interface, and you need to configure the following:

ssh 0 0 outside

The above command will allow any IP address to SSH to the outside interface IP.

Please also generate an RSA keypair for SSH, as SSH is an encrypted session: crypto key generate rsa

Hi,

Thanks for the response. I wish to mention that I have my client outside of the outside interface; whatever I searched, I found that we may not be able to ping the inside interface from an outside client. Is it so? Also, I did what is mentioned above for SSH: the FWSM had an RSA key generated, and I tried to connect to the 192.168.2.2 outside interface through an SSH client, but the following debug messages appeared on the FWSM. Kindly take a look:

SSH0: SSH client: IP = '10.220.2.2'  interface # = 1
SSH: host key initialised
SSH: license supports 3DES: 2
SSH: license supports DES: 2
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.99-Cisco-1.25
SSH0: send SSH message: outdata is NULL
server version string:SSH-1.99-Cisco-1.25SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-1.99-3.2.5 SSH Secure Shell for Windows
client version string:SSH-1.99-3.2.5 SSH Secure Shell for WindowsSSH0: begin server key generation
SSH0: complete server key generation, elapsed time = 590 ms
SSH2 0: SSH2_MSG_KEXINIT sent
SSH2 0: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes128-cbc hmac-md5 none
SSH2: kex: server->client aes128-cbc hmac-md5 none
SSH2 0: expecting SSH2_MSG_KEXDH_INIT
SSH2 0: SSH2_MSG_KEXDH_INIT received
SSH2 0: signature length 143
SSH2: kex_derive_keys complete
SSH2 0: newkeys: mode 1
SSH2 0: SSH2_MSG_NEWKEYS sent
SSH2 0: waiting for SSH2_MSG_NEWKEYS
SSH2 0: newkeys: mode 0
SSH2 0: SSH2_MSG_NEWKEYS receivedSSH(cisco): user authen method is 'no AAA', aaa server group ID = 0
SSH0: TCP read failed, error code = 0x86300003 "TCP connection closed"
SSH0: receive SSH message: [no message ID: variable *data is NULL]
SSH0: Session disconnected by SSH server - error 0x00 "Internal error"
FWSM#

Yes, that is the correct behaviour of the FWSM, i.e. you can only ping the inbound interface of the FWSM, not the cross interface. E.g. if you are pinging towards the outside interface, you can only ping the outside, not the inside interface, and vice versa.

In regards to SSH, what username did you try to SSH with? By default, if you haven't configured any AAA, the username will be pix, and the password would be the one that you configure with the "passwd" command.

Hi,

Great, I got the SSH session going using the credentials you suggested. Thanks a lot.

I now try to divert the traffic to the FWSM. Let me tell you that I have 10 more routers connected to this 7600 (which is a core router) and as many LANs also communicating through this 7600. We are using static routing at branch level (between the 7613 and the 10 routers), where all branch traffic comes to the 7600 through default routes, and OSPF between our three 7600 routers.

Further, I have the LANs of this 7600 (10.225.2.0 and 10.225.5.0) connected to a 3560 that is connected to a gigabit interface of this 7600. The link between the 7600 and the 3560 is point to point.

To divert traffic coming from the 3560, I set its default route to 0.0.0.0 0.0.0.0 192.168.3.1 (inside at FWSM), but I had to give a static route as well for 192.168.2.0/3.0 on the 3560. Then I disabled route outside 0 0 on the FWSM; still the traffic was going through.

Kindly suggest how to divert traffic to the FWSM. Our 7600 and 3560 have a P2P link of 10.225.62.144/30. If any other information is required, kindly let me know.

Well, you can't really disable "route outside 0 0" on the FWSM; otherwise, how is the FWSM supposed to route the traffic?

Can you please advise where you are trying to ping to and from, and how are the hosts connected?

The FWSM is just like a route hop, same as a router. So if you need traffic to go through the FWSM, just think of it as traffic going through the router and configure the routing the same way.

Furthermore, you would need to configure an access-list on the inside interface if you are sending traffic towards the inside interface.

When you say the traffic was going through, where exactly is it going through? FWSM? 7600? And how do you test it?

Hi,

I removed the outside route to see if the traffic that was coming from the 3560 was still going through the FWSM, because if I set the default route to the FWSM inside interface at the 3560, traffic must come to the FWSM and halt in the absence of the outside route. I am trying to give my network structure here, to make things clearer:

                    [Internet cloud]
                           |
                 (a) 7613 ------ router 1-12
                 (further network x.x.x.x/14)

7613 (b) ----- router 1-10 connected down the line          7613 (c) ---------- router 1-10
(further network x.x.x.x/14)                                (further network x.x.x.x/14)

------------------------------------------------------------------------

Further, I describe the 7600(b) LAN segment:

      7600(b)
        | (10.225.62.145)/30 (P2P link)
        | (10.225.62.146)/30
      3560
       / \
      /   \
 vlan2     vlan 5 (10.225.5.x)
 (10.225.2.x)

Hope the picture is a little clearer now. Kindly suggest how I must route traffic coming from the down-the-line routers and the various LANs connected through the 3560.
