New Member

ws-svc-fwm config issue

Hi all,

Basically I am taking my first stab at configuring a FWSM in a 6509 with a Sup 720. The scenario I need help with is this: I have 2 SVI interfaces coming into my layer 3 switch. I want to pass these 2 SVI interfaces and my ACS local SVI into the FWSM. I want to filter the 2 routable SVI interfaces and pass on what traffic will be allowed into the internal network. I have 10 other dead nets that do not need to be filtered. I have tried routed mode and transparent mode, and I cannot get any traffic to pass.

Currently I have erased the FWSM and left my basic config on my 6509 which I am including here.

firewall multiple-vlan-interfaces
firewall module 9 vlan-group 10
firewall vlan-group 10  20,597,950

4 REPLIES
Cisco Employee

Re: ws-svc-fwm config issue

I am guessing you have an SVI for the vlans you are pushing.

Start by going into the FWSM and configure ip addresses, names and security levels for these vlans. Then configure "icmp permit any " on the FWSM. And try to ping the SVI for each vlan from and to the switch.

If that works try pinging through the FWSM. Make sure you have icmp inspection enabled and that ACLs allow it.

I hope it helps.

PK

New Member

Re: ws-svc-fwm config issue

I am guessing you have an SVI for the vlans you are pushing.

YES. I had these working for months before the firewall. The ws-svc-fwm was added to pass a security audit coming up.

Start by going into the FWSM and configure ip addresses, names and security levels for these vlans. Then configure "icmp permit any " on the FWSM. And try to ping the SVI for each vlan from and to the switch.

Ok so I had:

int vlan 597
nameif outside
security-level 50
ip address 169.69.x.x 255.255.255.0
no shut
int vlan 950
nameif outside2
security-level 49
ip add 10.128.x.x 255.255.255.0
no shut
int vlan 20
nameif acs
security-level 1
ip add 192.168.2.126 255.255.255.128

I never had the icmp permit any set. I'll add those.... And they worked! Wow, how did I miss that command.

If that works try pinging through the FWSM. Make sure you have icmp inspection enabled and that ACLs allow it.

For routed mode, don't you have to have OSPF running between the MSFC and FWSM? I guess not, since I can now ping out to the gateways.

I hope it helps.

It most certainly did!

PK

Thank you!

Scott

Cisco Employee

Re: ws-svc-fwm config issue

The FWSM is directly connected to these vlans now so it can arp and ping all hosts in these vlans.

Please mark the thread as solved so that others can benefit from it in the future.

Rgs,

PK

New Member

Re: ws-svc-fwm config issue

I am not sure on this one. While I can ping the IPs I cannot see any of the traffic filtered at all. I have tried multiple things, I might have to put this into another thread, but I'll bite the bullet and post it. I could see the hits to each of the access with the log functionality enabled on each access-list line. I am not sure I can see that now. I have specific lines left out, to test out the implicit deny at the end of the access-list. It did not block it. Traffic flow is from the 2 SVI interfaces 169.69.100.x and 10.128.142.x into the MSFC then into the FWSM, filter traffic, then allow what's allowed into the Lab areas or drop that traffic. Only the main interface 169.69.100.x can be pinged from the outside. The 192.168.2.x is not allowed to respond to pings, and my secondary 10.128.142.x does not respond, but I can ping all gateways from the FWSM.

My config is designed to block everything into 2 areas of a Lab.

Lab 1: block all except RDP, SSH, SFTP, ICMP to 2 separate gateway servers, 169.69.100.28 and 48, and allow connectivity to their iLOs: IPs 169.69.100.49 and 52.

All else is blocked to and from these servers....

Lab 2: a more complicated scenario.

169.69.100.5 and 6 are routers that I need access to.

169.69.100.27 - file server

169.69.100.29 - windows network build server

169.69.100.30 - training svr, this only allows RDP to it.

169.69.100.31 - workstation - full access

169.69.100.32 - logistics server

169.69.100.33 - Wiki web server

We also have 5 servers that do bootp builds. This is a must, to allow that functionality. Thanks in advance. This is all new to me, but I am trying. I am just better at route/switching.

Config as follows.

ese340fwsm# show run
: Saved
:
FWSM Version 3.1(10)0
!
hostname ese340fwsm
enable password xxxxxxxxxxx
passwd xxxxxxxxxxxxxxx encrypted
names
!
interface Vlan20
nameif acs
security-level 10
ip address 192.168.2.126 255.255.255.128
!
interface Vlan597
nameif outside
security-level 50
ip address 169.69.100.254 255.255.255.0
!
interface Vlan950
nameif outside2
security-level 49
ip address 10.128.142.10 255.255.255.0
!
ftp mode passive
access-list ITRISK extended permit tcp any host 169.69.100.28 eq 3389 log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq 3389 log
access-list ITRISK extended permit tcp any host 169.69.100.28 eq ftp log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq ftp log
access-list ITRISK extended permit tcp any host 169.69.100.28 eq ssh log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq ssh log
access-list ITRISK extended permit tcp any host 169.69.100.28 eq 115 log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq 115 log
access-list ITRISK extended permit ip any host 169.69.100.49 log
access-list ITRISK extended permit ip any host 169.69.100.52 log
access-list ITRISK extended deny ip any host 169.69.100.28 log
access-list ITRISK extended deny ip any host 169.69.100.48 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 10.20.90.0 255.255.255.0 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 10.20.30.0 255.255.255.0 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 10.20.70.0 255.255.255.0 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 10.20.75.0 255.255.255.0 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 any log
access-list ITRISK extended permit udp any any eq bootpc log
access-list ITRISK extended permit udp any any eq bootps log
access-list ITRISK extended permit tcp any host 169.69.100.30 eq 3389 log
access-list ITRISK extended permit tcp any host 169.69.100.31 eq 3389 log
access-list ITRISK extended permit ip any host 169.69.100.5 log
access-list ITRISK extended permit ip any host 169.69.100.6 log
access-list ITRISK extended permit ip any host 169.69.100.27 log
access-list ITRISK extended permit ip any host 169.69.100.29 log
access-list ITRISK extended permit ip any host 169.69.100.32 log
access-list ITRISK extended permit ip any host 169.69.100.50 log
access-list ITRISK extended permit tcp any host 169.69.100.28 eq echo log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq echo log
access-list ITRISK extended permit tcp any host 169.69.100.49 eq echo log
access-list ITRISK extended permit tcp any host 169.69.100.52 eq echo log
pager lines 24
logging timestamp
logging console critical
logging buffered debugging
mtu outside 1500
mtu outside2 1500
mtu acs 1500
no failover
icmp permit any outside
icmp permit any outside2
icmp permit any acs
no asdm history enable
arp timeout 14400
access-group ITRISK in interface outside   ========> tried out and tried in/out and just in.
access-group ITRISK in interface outside2 ========> Tried out and tried in/out and just in.
route outside 0.0.0.0 0.0.0.0 169.69.100.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

ese340fwsm#
