Cisco Support Community

New Member

White paper to set-up basic FWSM connectivity?

I have the FWSM design and configuration guides, and feel like I'm buried in minutia regarding figuring out how to config for basic access into the module. Is there a "Quick Start Guide" or a white paper that describes BASIC things like how to set up access to the module from the 6500 and maybe a very SIMPLE example on setting up ports/vlan for passing traffic from a high-security side to a low-security side?

I first want to be able to just telnet into the module and upgrade the code on it. Then I'd like to begin very simply to work forward from there. I'm bogged down with trying to understand what is meant by 'before the MSFC' or 'after the MSFC' and can't even telnet into the module yet.

1 ACCEPTED SOLUTION
Hall of Fame Super Blue

Re: White paper to set-up basic FWSM connectivity?

Jim

Firstly, here's a link to a thread I was involved in some time ago that gives a basic setup. It may be of help to get you started -

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40.2cbef1c1/5#selected_message

To be able to telnet into it you need to access it initially from the CLI on the 6500. So let's say your FWSM is in slot 7 of your 6500 -

6500# session slot 7 proc 1

that should take you into the FWSM.

Before you telnet in you are going to have to set up the firewall - see the link I provided.

I'm assuming, to keep it simple, that you are using single context mode; if you want to use multiple context mode then things will be a bit more complicated.

Before or after the MSFC, although personally I think behind and in front are more descriptive -

Before

FWSM -> MSFC -> vlans

After

MSFC -> FWSM -> vlans

Basically, Before involves the FWSM protecting all routed vlans on the MSFC, because to get to the MSFC you have to go through the firewall. Think internet type connectivity, although it doesn't have to be internet.

After would be used where you don't necessarily want to firewall all vlans on the 6500. Think datacentre setup where external access is still from within your company but you still want to secure certain vlans only.

Note the example I gave in the link is for behind (after) the MSFC.

Happy to try and help as much as I can.

Jon

4 REPLIES
New Member

Re: White paper to set-up basic FWSM connectivity?

Excellent post - thanks Jon. You've de-mystified the MSFC concept for me. I'll check out your link to your previous thread and get to work.

New Member

Re: White paper to set-up basic FWSM connectivity?

Jon - I'll tell you a couple of things we want to do with the FWSM.

We use 6500s as our access-layer switch with L3 uplinks for our server farms. On the 6500 we have more than one L3 SVI for the servers. In this scenario, I want to use the FWSM to restrict access to the L3 SVIs inbound from the uplinks, to just what is necessary for client to server activity, and for admin support to the servers. Also, I want to be able to restrict certain outbound access from the servers, like telnet, RDP, etc. This is to prevent someone who may have root access to a particular server from telnetting from that server to other devices not on the 6500. (In a utopian world I'd like to restrict telnet from any server to any other server, even in the same vlan.)

So can I do both with the FWSM? Would this require it to be in multiple-context mode?
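As an added illustration (not configuration from Jon's post, Jim's switches, or Cisco's own documentation), here is a minimal single-context, routed-mode configuration for the "after" placement Jon describes (MSFC -> FWSM -> vlans), extended with the outbound telnet/RDP restriction Jim asks about. It assumes the FWSM is in slot 7, that VLAN 20 is the link between the MSFC and the FWSM's outside interface, and that VLAN 10 is a protected server VLAN; all addresses, names and ACL contents are constructed.

```cisco
! --- Supervisor / MSFC (IOS) side; constructed example ---
! Hand VLANs 10 and 20 to the FWSM in slot 7 (the slot used in the thread).
firewall vlan-group 1 10,20
firewall module 7 vlan-group 1
!
! "After" placement: the MSFC routes only on the FWSM's outside VLAN.
! Deliberately no "interface Vlan10" here; an SVI on the protected VLAN
! would give the servers a path that bypasses the firewall.
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
!
! First-time access to the module is from the 6500 CLI, as in the thread:
!   6500# session slot 7 proc 1
!
! --- FWSM side (single context, routed mode); constructed example ---
hostname fwsm-a
domain-name example.com
interface Vlan20
 nameif outside
 security-level 0
 ip address 10.20.0.2 255.255.255.0
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
! Default route back toward the MSFC; plain routing with no NAT, stated
! explicitly rather than relying on the platform default.
route outside 0.0.0.0 0.0.0.0 10.20.0.1
no nat-control
!
! The FWSM passes nothing without an ACL, even from a high- to a
! low-security interface. Deny outbound telnet/RDP from the servers first,
! then permit the rest; inbound from the uplinks, permit only what clients
! need (HTTPS in this example).
access-list IN_OUT extended deny tcp 10.10.0.0 255.255.255.0 any eq 23
access-list IN_OUT extended deny tcp 10.10.0.0 255.255.255.0 any eq 3389
access-list IN_OUT extended permit ip 10.10.0.0 255.255.255.0 any
access-group IN_OUT in interface inside
access-list OUT_IN extended permit tcp any 10.10.0.0 255.255.255.0 eq 443
access-group OUT_IN in interface outside
!
! Management access to the module itself, limited to the inside subnet.
passwd <REPLACE-ME>
telnet 10.10.0.0 255.255.255.0 inside
! SSH from the same subnet is the better choice once the module is reachable.
username admin password <REPLACE-ME> privilege 15
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 1024
ssh 10.10.0.0 255.255.255.0 inside
```

Servers in the same VLAN talk to each other at layer 2 without crossing the FWSM, so the server-to-server telnet restriction Jim mentions cannot be done with this ACL; none of the above needs multiple-context mode.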

Hall of Fame Super Blue

Re: White paper to set-up basic FWSM connectivity?

Jim

Can you just clarify.

You have 6500s in the access-layer. When you say you have on the 6500 more than one L3 SVI for the servers, is this a different 6500 than the access-layer 6500s?

Could you just explain a bit more about your topology, i.e. which switches contain the FWSMs, where the clients are in relation to the FWSM 6500s and where the servers are in relation to the FWSM 6500s.

Apologies for this, but I want to be sure I don't give you bad advice :-)

Jon
