
New Member

Reg:FWSM router mode issue

Hi,

I have a Cisco FWSM installed in a Cisco 7613 router; the topology is as mentioned below:

        7613+{FWSM}------3560---------3560----[10.220.0.0/29,10.220.1.0/29,10.220.2.0/29] 

Here we created a p2p link between the 7613 gig port and the 3560 switch gig port (say 10.220.1.252/29), and then there is a trunk between both 3560 switches. We wish to run the FWSM in router mode and configured VLAN groups 10 (101, 102) and 20 (200, 201), and assigned both these groups to the firewall module. On the router, VLAN 200 has been given IP address 192.168.2.1/24, while on the FWSM, int vlan 200 has been given IP 192.168.2.2. Although the interfaces are up and pinging their individual IP addresses, they are not pinging each other (both IP addresses appear in sh arp though). Kindly help in resolving this issue.

Also, I configured VLAN 201 as inside; it's also up and visible in the ARP of the router but not pinging others. Kindly help in the resolution of this issue.

We need to put this firewall in front of the router which has a serial line to another 7600 router. How would I take traffic to the FWSM? Please suggest what else I need to do, as I am new to the FWSM.

Router config:

Router#sh firewall module
Module Vlan-groups
------ -----------
  04   1,2

Router#sh firewall vlan-group
Display vlan-groups created by both ACE module and FWSM
Group    Created by      vlans
-----    ----------      -----
    1           ACE      100-101,200-202
    2                    <empty>

Router#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.225.62.145           -   001d.a156.9300  ARPA   GigabitEthernet10/1
Internet  10.225.62.146         107   001d.a1a5.fbc1  ARPA   GigabitEthernet10/1
Internet  192.168.2.1             -   001d.a156.9300  ARPA   Vlan200
Internet  192.168.2.2             7   0007.0e5c.3d00  ARPA   Vlan200
Internet  192.168.3.1             4   0007.0e5c.3d00  ARPA   Vlan201
Internet  192.168.3.2             -   001d.a156.9300  ARPA   Vlan201

FWSM config:

hostname FWSM
interface Vlan200
 nameif outside
 security-level 0
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan201
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4e3eadb1a489f3b696d0c6da8b1b20b9
: end
FWSM#

FWSM# sh arp
        outside 192.168.2.1 001d.a156.9300
        inside 192.168.3.2 001d.a156.9300
        eobc 127.0.0.81 0000.1800.0000

FWSM# sh int
Interface Vlan200 "outside", is up, line protocol is up
  Hardware is EtherSVI
        MAC address 0007.0e5c.3d00, MTU 1500
        IP address 192.168.2.2, subnet mask 255.255.255.0
  Traffic Statistics for "outside":
        6 packets input, 658 bytes
        12 packets output, 1316 bytes
        474 packets dropped
Interface Vlan201 "inside", is up, line protocol is up
  Hardware is EtherSVI
        MAC address 0007.0e5c.3d00, MTU 1500
        IP address 192.168.3.1, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
        6 packets input, 658 bytes
        7 packets output, 726 bytes
        107 packets dropped

12 ACCEPTED SOLUTIONS

Cisco Employee

Re: Reg:FWSM router mode issue

Yes, that is the correct behaviour of FWSM, ie: you can only ping the inbound interface of FWSM, not the cross interface. Eg: if you are pinging towards the outside interface, you can only ping the outside, not the inside interface, and vice versa.

In regards to the SSH, what username did you try to SSH with? By default, if you haven't configured any AAA, the username will be pix, and the password would be the one that you configured with the "passwd" command.

Cisco Employee

Re: Reg:FWSM router mode issue

Well, you can't really disable "route outside 0 0" on the FWSM; otherwise, how is the FWSM supposed to route the traffic?

Can you please advise where you are trying to ping to and from, and how are the hosts connected?

FWSM is just like a route hop, same as router. So if you need traffic to go through the FWSM, just think of it as traffic going through the router and configure the routing the same way.

Furthermore, you would need to configure an access-list on the inside interface if you are sending traffic towards the inside interface.

When you say the traffic was going through, where exactly is it going through? FWSM? 7600? and how do you test it?

Cisco Employee

Re: Reg:FWSM router mode issue

Ahh ok, makes sense now. Thanks for the picture.

Based on that, I assume that you don't have the 192.168.3.0/24 subnet on the 3560 switch, right?

If that is the case, that means traffic from the 3560 will be routed next to the 7600, since you have the P2P link. What was the original default gateway on the 3560? Is it 10.225.62.145?

If that is the case, then you would need to change the default gateway on the 7600 to be the FWSM inside interface since you don't have a VLAN on 3560 that is in the same subnet as the FWSM inside interface.

Cisco Employee

Re: Reg:FWSM router mode issue

Do you have physical access to your switches?

If you do, the best way is to create VLAN 201 on your 3560 and configure IP Address in the 192.168.3.0/24 subnet, then configure default route to be the FWSM inside interface 192.168.3.1.

Then connect an interface on 3560 to 7600 and assign them to VLAN 201.

Cisco Employee

Re: Reg:FWSM router mode issue

Do you have a trunk port between the 3560 and the 7600? Because as per your diagram, it seems that you only have a p2p link, therefore it's a routed connection (layer 3) instead of a layer 2 connection between the 2 devices.

If you do have a trunk port, or an access VLAN connected between the 2 apart from the P2P link, then yes, you can put the inside interface of the FWSM in the same VLAN as the 3560 VLAN. You would also need to change the VLAN assigned to the FWSM inside interface to the same VLAN as the 3560 VLAN that you are going to use.

To get all the router's traffic to the FWSM inside, as long as the router's next hop is the FWSM inside instead of the 7600 (b), the traffic will be routed towards the FWSM. The router that is connected directly to the 7600 (b) needs to have an interface in the same subnet as the FWSM inside interface, so you can configure the default route on that router to be the FWSM inside.

Cisco Employee

Re: Reg:FWSM router mode issue

Please configure the following command on the 7600:

firewall multiple-vlan-interfaces

Cisco Employee

Re: Reg:FWSM router mode issue

No, you can't have a P2P connection with router serial interface to be on the FWSM as well.

If you have P2P link between the switch and the router, then the FWSM needs to be configured as the next hop on a different subnet/VLAN on the router.

23 REPLIES
Cisco Employee

Re: Reg:FWSM router mode issue

Can you please advise what you are trying to ping and where you are trying to ping from?

Can you ping 192.168.2.1 from 192.168.2.2 and vice versa, and also can you ping 192.168.3.1 from 192.168.3.2 and vice versa?

New Member

Reg:FWSM router mode issue

Hi,

Thanks for the response; kindly let me know if the config is OK. I must respond to your query that I cannot ping 192.168.2.1 from 192.168.2.2 and vice versa. Also, I cannot ping 192.168.3.1 from 192.168.3.2 and vice versa.

thanks.

Cisco Employee

Reg:FWSM router mode issue

The FWSM configuration looks OK so far.

Can you add the following:

icmp permit any outside

icmp permit any inside

Then try to ping again.

BTW, do VLANs 200 and 201 exist in the VLAN database on the 7600?

Also, which device do the IP addresses 192.168.2.1 and 192.168.3.2 belong to?

If it's not the 7600, can you try creating VLAN interfaces 200 and 201, configure IP addresses in those subnets, and see if you can ping?

New Member

Reg:FWSM router mode issue

Hi,

This is to mention that both VLANs exist on the 7600 as well and have IPs configured on them.

And thanks for the ICMP access list, as I can now ping all four IPs from both the 7600 and the FWSM.

Thanks.

Now I have a point-to-point link configured between the 7600 and the 3560 (several VLANs). How should I configure NAT on it? Can NAT be avoided?

thanks.

Cisco Employee

Reg:FWSM router mode issue

What sort of NAT do you need, and/or what is the direction of the traffic? From outside to inside, or inside to outside, or both?

With the FWSM, you would need to configure an access-list on the interface to allow access through the FWSM.

Also, what version is your FWSM?

New Member

Reg:FWSM router mode issue

hi,

Our design is that of a triangle: three 7600s at three corners, but one is connected to the Internet directly. What type of NAT would be right here? I wish to keep my FWSM in front of 7600 (b), so that all traffic coming from/to (a) may pass through the firewall.

How do I start sending traffic through the FWSM, as my network is in the 10.0.0.0 range and I put 192.168.3.0 IP addresses on the inside interface of the FWSM?

                         [Internet cloud]
                                |
                     (a) 7613 (further network x.x.x.x/14)

7613 (b)                                              7613 (c)
(further network x.x.x.x/14)                          (further network x.x.x.x/14)

Cisco Employee

Reg:FWSM router mode issue

To send traffic towards the FWSM, you would need to make the FWSM your next hop.

For your internal network 10.0.0.0 to reach the internet, it would need to pass through the FWSM, ie: the route needs to point towards the FWSM inside interface as the gateway, then the traffic will be routed towards the FWSM.

Likewise, for incoming traffic from the Internet, you would also need to route the traffic towards the FWSM outside interface.

Since you have both private IP addresses on your inside and outside interface, I assume that you have another device in front of the FWSM that will be performing the NAT/PAT to public IP? If that is the case, then you don't actually have to configure NAT on the FWSM, just have to configure static NAT to itself.

New Member

Re: Reg:FWSM router mode issue

hi,

Thanks for being so helpful. There is a little issue that has arisen: I cannot ping the inside address configured on the FWSM (192.168.3.1), whereas I can ping 192.168.3.2 on the router interface. I cannot telnet to the FWSM using its outside interface IP 192.168.2.2 either. Here is my FWSM config; kindly suggest if there is any mistake.

Thanks.

Also, I tried to ping the inside FWSM interface from my client 10.220.2.2 and enabled debug, getting these:

FWSM# debug icmp trace 255
debug icmp trace enabled at level 255
FWSM# ICMP echo request (len 50 id 2 seq 34642) 10.220.2.2 > 192.168.2.2
ICMP echo reply (len 50 id 2 seq 34642) 192.168.2.2 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 34898) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 50 id 2 seq 34898) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 35154) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 35154) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 43602) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 43602) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 49746) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 49746) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 55634) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 55634) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 25683) 10.220.2.2 > 192.168.2.2
ICMP echo reply (len 50 id 2 seq 25683) 192.168.2.2 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 25939) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 50 id 2 seq 25939) 192.168.3.1 > 10.220.2.2

Kindly suggest what could be done.

thanks.
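The debug output above is easier to read once requests and replies are paired up. The following script is an added example, not from the thread or from Cisco: it parses `debug icmp trace` lines of the format shown in the post, matches each echo request to a reply with the same id/seq and reversed addresses, and counts answered and unanswered requests per target IP. The sample trace is constructed: its first four lines are copied from the post, and the final request (seq 60000) is invented and deliberately left without a reply.

```python
import re
from dataclasses import dataclass

# Matches FWSM `debug icmp trace` lines, e.g.
#   ICMP echo request (len 50 id 2 seq 34642) 10.220.2.2 > 192.168.2.2
LINE_RE = re.compile(
    r"ICMP echo (?P<kind>request|reply) "
    r"\(len (?P<length>\d+) id (?P<ident>\d+) seq (?P<seq>\d+)\) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+)"
)


@dataclass(frozen=True)
class Echo:
    kind: str   # "request" or "reply"
    ident: int
    seq: int
    src: str
    dst: str


def parse_trace(text):
    """Extract Echo records from debug output; lines that do not match are ignored."""
    echoes = []
    for line in text.splitlines():
        m = LINE_RE.search(line)  # search, not match: a "FWSM# " prompt may prefix a line
        if m:
            echoes.append(Echo(m["kind"], int(m["ident"]), int(m["seq"]), m["src"], m["dst"]))
    return echoes


def pair_echoes(echoes):
    """Split requests into (answered, unanswered) by (id, seq) plus reversed src/dst."""
    replies = {(e.ident, e.seq, e.dst, e.src) for e in echoes if e.kind == "reply"}
    answered, unanswered = [], []
    for e in echoes:
        if e.kind == "request":
            bucket = answered if (e.ident, e.seq, e.src, e.dst) in replies else unanswered
            bucket.append(e)
    return answered, unanswered


def summarize_by_target(echoes):
    """Per destination IP: (answered requests, unanswered requests)."""
    answered, unanswered = pair_echoes(echoes)
    counts = {}
    for e in answered:
        counts.setdefault(e.dst, [0, 0])[0] += 1
    for e in unanswered:
        counts.setdefault(e.dst, [0, 0])[1] += 1
    return {dst: tuple(v) for dst, v in counts.items()}


# Constructed sample: the first four lines are taken from the thread's debug output;
# the final request (seq 60000) is made up and deliberately has no reply.
SAMPLE_TRACE = """\
FWSM# ICMP echo request (len 50 id 2 seq 34642) 10.220.2.2 > 192.168.2.2
ICMP echo reply (len 50 id 2 seq 34642) 192.168.2.2 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 34898) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 50 id 2 seq 34898) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 60000) 10.220.2.2 > 192.168.3.1
"""

if __name__ == "__main__":
    for dst, (ok, lost) in summarize_by_target(parse_trace(SAMPLE_TRACE)).items():
        print(f"{dst}: {ok} answered, {lost} unanswered")
```

One caveat when reading the result: a reply in this trace only shows that the FWSM generated it, not that it reached the client. With no inside route back to the client subnet the FWSM still emits the reply (towards its default route), so the trace looks clean while the ping fails; that is why the next reply in the thread asks about the return route rather than the debug output.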

Cisco Employee

Re: Reg:FWSM router mode issue

Do you have route for the 10.220.2.0 network pointing back via the FWSM inside interface?

You would need to have the following route:

route inside 10.220.2.0 255.255.255.0 192.168.3.2

You won't be able to telnet to the lowest-security interface on the FWSM, and the outside interface has the lowest security level. This is the behaviour by design. You can however SSH to the outside interface, and you need to configure the following:

ssh 0 0 outside

The above command will allow any IP Address to ssh to the outside interface IP.

Please also generate an RSA keypair for SSH, as SSH is an encrypted session: crypto key generate rsa
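The fixes suggested across this thread (icmp permit per interface, a return route via inside, SSH rather than telnet on the lowest-security interface) are the kind of thing worth checking mechanically before a change window. The script below is an added example, not Cisco tooling and not from the thread: it parses an FWSM running-config into interfaces, `icmp permit` lines, routes and ssh/telnet access lines, then reports findings as (code, detail) pairs. It assumes the highest-security interface is the inside one, and that any client subnet passed as `inside_subnets` must be reachable via a `route` on that interface or be directly connected to it. The embedded config is the one posted in the thread, trimmed to the relevant lines, and `ACCEPTED_FIX` holds the commands the Cisco engineer recommended; the client subnet 10.220.2.0/24 is taken from the poster's debug output.

```python
import ipaddress


def _net(ip, mask):
    """Build a network from FWSM `ip mask` tokens; `0 0` is shorthand for 0.0.0.0 0.0.0.0."""
    ip = "0.0.0.0" if ip == "0" else ip
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse_fwsm_config(text):
    """Pull interfaces, icmp permits, routes and ssh/telnet access lines out of a config."""
    cfg = {"interfaces": {}, "icmp": {}, "routes": [], "mgmt": []}
    current = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "interface":
            current = {"nameif": None, "security": None, "ip": None}
            continue
        if current is not None:
            if tokens[0] == "nameif":
                current["nameif"] = tokens[1]
                cfg["interfaces"][tokens[1]] = current
                continue
            if tokens[0] == "security-level":
                current["security"] = int(tokens[1])
                continue
            if tokens[:2] == ["ip", "address"]:
                current["ip"] = ipaddress.ip_interface(f"{tokens[2]}/{tokens[3]}")
                continue
            current = None  # any other line ends the interface block
        if tokens[:2] == ["icmp", "permit"]:
            cfg["icmp"].setdefault(tokens[-1], []).append(" ".join(tokens[2:-1]))
        elif tokens[0] == "route" and len(tokens) >= 5:
            cfg["routes"].append((tokens[1], _net(tokens[2], tokens[3]), tokens[4]))
        elif tokens[0] in ("ssh", "telnet") and len(tokens) == 4:
            cfg["mgmt"].append((tokens[0], _net(tokens[1], tokens[2]), tokens[3]))
    return cfg


def audit(cfg, inside_subnets=()):
    """Return (code, detail) findings for the issues discussed in the thread."""
    findings = []
    intfs = [i for i in cfg["interfaces"].values() if i["security"] is not None]
    lowest = min(intfs, key=lambda i: i["security"], default=None)
    highest = max(intfs, key=lambda i: i["security"], default=None)
    inside_name = highest["nameif"] if highest else None
    # 1. The FWSM only answers pings to an interface that has an `icmp permit` entry.
    for nameif in cfg["interfaces"]:
        if nameif not in cfg["icmp"]:
            findings.append(("no-icmp-permit", nameif))
    # 2. Telnet to the lowest-security interface is refused by design, and a
    #    0.0.0.0/0 source is wider than a management plane should normally be.
    for proto, net, iface in cfg["mgmt"]:
        if proto == "telnet" and lowest and iface == lowest["nameif"]:
            findings.append(("telnet-lowest-security", iface))
        if net.prefixlen == 0:
            findings.append(("mgmt-any-source", f"{proto} {iface}"))
    # 3. Each inside client subnet needs a route via the inside interface (or must be
    #    directly connected), or replies follow `route outside 0 0` out the wrong side.
    for subnet in inside_subnets:
        target = ipaddress.ip_network(subnet)
        covered = bool(highest and highest["ip"] and target.subnet_of(highest["ip"].network))
        covered = covered or any(
            iface == inside_name and target.subnet_of(net) for iface, net, _gw in cfg["routes"]
        )
        if not covered:
            findings.append(("no-return-route", subnet))
    return findings


# The FWSM config posted in the thread, reduced to the lines this audit looks at.
THREAD_CONFIG = """\
hostname FWSM
interface Vlan200
 nameif outside
 security-level 0
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan201
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
telnet timeout 5
ssh timeout 5
"""

# The additions the Cisco engineer suggested over the course of the thread.
ACCEPTED_FIX = """\
icmp permit any outside
icmp permit any inside
route inside 10.220.2.0 255.255.255.0 192.168.3.2
ssh 0 0 outside
"""

if __name__ == "__main__":
    for label, text in (("as posted", THREAD_CONFIG), ("after fix", THREAD_CONFIG + ACCEPTED_FIX)):
        print(label, audit(parse_fwsm_config(text), ["10.220.2.0/24"]))
```

Run against the posted config it reports the two missing icmp permits and the missing return route; run against the config plus the suggested commands those clear, and the only remaining finding is that `ssh 0 0 outside` accepts SSH from any source address. That last line does what the reply says it does; the audit flags it so that whoever applies it can decide whether a narrower management subnet would serve.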
