Workstation >> Floor Switch >> Cat6513 >> ASA >> Internet
My Workstation is Vlan 123 and my ASA interface inside is Vlan 20
Here is my Vlan configuration:
ip address 172.21.123.254 255.255.255.0
C6513-Core1#sh ru int vlan 20
Current configuration : 129 bytes
ip address 172.16.20.254 255.255.255.0
My Workstation is set to:
My inside ASA:
Now I want to activate both modules, the IDSM-2 and the FWSM, which reside in the Cat6513. All packets coming from the Workstation need to be monitored by the IDS in inline mode and forwarded to the inside of the FWSM. After passing our firewall policy, these packets can go to the inside ASA interface. My question is:
This configuration also didn't work. I tried to deny tcp/80 packets coming from inside 172.21.123.0/24 to outside 0.0.0.0 0.0.0.0, but it still passes the web traffic through the FWSM.
I need some guidance on configuring this Cat6513, IDSM-2 and FWSM integration. Our goal is to filter traffic coming from the Workstation and protect the Workstation from incoming traffic from the internet. Any input is really appreciated. Thanks
Any response is really appreciated. I already have sample configurations for these three individual items; I just need a little more understanding to integrate the three into one integrated configuration file. Could anybody please provide a sample configuration for:
1) Catalyst6500 to redirect inside VLAN(s) traffic to IDSM-2 and FWSM module
2) IDSM-2 to analyze inside VLAN(s) traffic incoming before passing to FWSM in inline mode
3) FWSM in transparent mode to protect the inside VLAN(s) zone and filter any incoming traffic from the outside VLAN(s) zone.
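As an added illustration of how items 1) to 3) fit together for one VLAN (this is not configuration from the thread, nor from Farrukh's reply, which is not reproduced here), the following assumes the IDSM-2 in slot 5, the FWSM in slot 3 running FWSM 3.1 or later, a management VLAN 100 for the sensor, and two constructed transit VLANs 223 and 323 that exist only inside the chassis. The workstation VLAN 123 and the gateway address 172.21.123.254 are the ones from the post:

```cisco
! ===== Part 1: Catalyst 6513 MSFC (assumed slots: IDSM-2 = 5, FWSM = 3) =====
! Packet path: VLAN 123 -> IDSM-2 inline pair -> VLAN 223 -> FWSM bridge -> VLAN 323 -> MSFC
vlan 123
 name WS-access
vlan 223
 name WS-after-IDS        ! constructed transit VLAN
vlan 323
 name WS-after-FWSM       ! constructed transit VLAN, the only one with an SVI
!
! IDSM-2: management VLAN (assumed 100) plus both halves of the inline pair on data port 1
intrusion-detection module 5 management-port access-vlan 100
intrusion-detection module 5 data-port 1 trunk allowed-vlan 123,223
!
! FWSM: hand it the two VLANs it bridges in transparent mode
firewall vlan-group 1 223,323
firewall module 3 vlan-group 1
!
! The MSFC must NOT route on VLAN 123 or 223, otherwise traffic bypasses both modules.
! The workstation keeps 172.21.123.254 as its gateway; the SVI just moves to VLAN 323.
no interface Vlan123
interface Vlan323
 ip address 172.21.123.254 255.255.255.0
 no shutdown
! Vlan20 towards the ASA stays exactly as shown earlier in the post.

! ===== Part 2: IDSM-2 sensor CLI (reached with: session slot 5 processor 1) =====
! Data port 1 of the IDSM-2 is GigabitEthernet0/7 on the sensor.
configure terminal
service interface
physical-interfaces GigabitEthernet0/7
admin-state enabled
subinterface-type inline-vlan-pair
subinterface 1
description WS-VLAN123-to-VLAN223
vlan1 123
vlan2 223
exit
exit
exit
exit
! Bind the pair to the default virtual sensor so its signatures inspect the traffic.
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/7 subinterface-number 1
exit
exit

! ===== Part 3: FWSM, transparent mode (reached with: session slot 3 processor 1) =====
firewall transparent
interface Vlan223
 nameif inside
 bridge-group 1
 security-level 100
interface Vlan323
 nameif outside
 bridge-group 1
 security-level 0
! Constructed management address for the bridge group, same subnet as the hosts.
interface BVI1
 ip address 172.21.123.253 255.255.255.0
!
! Inside policy: the tcp/80 block tried in the post, everything else from the VLAN allowed.
access-list INSIDE-IN extended deny tcp 172.21.123.0 255.255.255.0 any eq www
access-list INSIDE-IN extended permit ip 172.21.123.0 255.255.255.0 any
access-group INSIDE-IN in interface inside
! Outside policy: nothing unsolicited reaches the workstations; return traffic of
! connections opened from inside is allowed by the stateful inspection.
access-list OUTSIDE-IN extended deny ip any any
access-group OUTSIDE-IN in interface outside
```

A quick way to confirm the modules are really in the path is to watch the FWSM hit counters with `show access-list INSIDE-IN` while the workstation opens a web connection: if the deny counter stays at zero and the page still loads, the traffic is bypassing the FWSM, which in this design usually means an SVI is still configured on VLAN 123 or 223, or the VLANs were not placed in the vlan-group. On the sensor, `show interfaces` should list the inline pair as up with packet counts increasing.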
Thanks Farrukh! Your explanation really helped me a lot :)
Now I have successfully integrated these three items into my testing environment. My current configuration consists of two Catalyst 6513 chassis with two IDSM-2 modules and two FWSMs, one module of each per chassis. Both Cat6513s are identical in terms of software version, including the software versions of the IDSM-2 and FWSM residing in each Cat6513 chassis. My next question is:
1) I'm using a single-context FWSM with active/standby failover. My FWSM failover is running perfectly. How do I implement redundancy on both IDSM-2s with an inline-vlan-pair configuration?
2) In our production environment, we have certain VLANs to be firewalled by the FWSM and certain VLANs not to be firewalled by the FWSM. All VLANs firewalled by the FWSM are routed to the FWSM inside interface by changing their default gateway to the FWSM inside interface IP address. The remaining VLANs that are configured not to be firewalled by the FWSM are configured to route directly to the MSFC by changing their default gateway to their respective VLAN interface IP address. How do I allow traffic between the firewalled VLANs and the rest of the other VLANs?
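One way to answer question 2) with the FWSM in routed mode, added here as an example that is not configuration from the thread: the MSFC holds an SVI only on the FWSM outside VLAN and carries static routes for the firewalled subnets, so firewalled and non-firewalled VLANs reach each other through the FWSM outside interface and are subject to its access lists in both directions. Assumed values: firewalled VLANs 123 and 124, a non-firewalled VLAN 130, FWSM outside VLAN 10, FWSM in slot 3; all addresses other than 172.21.123.0/24 are constructed, as are the standby addresses for the active/standby pair.

```cisco
! ===== Catalyst 6513 MSFC =====
! Only the outside VLAN of the FWSM gets an SVI; VLANs 123 and 124 are reachable
! solely through the FWSM.
firewall vlan-group 1 10,123,124
firewall module 3 vlan-group 1
!
interface Vlan10
 ip address 172.16.10.254 255.255.255.0      ! constructed, FWSM next hop
 no shutdown
! Non-firewalled VLAN: its SVI stays the hosts' default gateway.
interface Vlan130
 ip address 172.21.130.254 255.255.255.0     ! constructed
 no shutdown
!
! Without these routes the MSFC has no path back into the firewalled subnets.
ip route 172.21.123.0 255.255.255.0 172.16.10.1
ip route 172.21.124.0 255.255.255.0 172.16.10.1

! ===== FWSM, routed mode, single context, active/standby =====
interface Vlan10
 nameif outside
 security-level 0
 ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2
interface Vlan123
 nameif ws
 security-level 100
 ip address 172.21.123.1 255.255.255.0 standby 172.21.123.2   ! hosts' new gateway
interface Vlan124
 nameif srv
 security-level 50
 ip address 172.21.124.1 255.255.255.0 standby 172.21.124.2
!
! Everything not directly connected (VLAN 130, the ASA, the internet) is behind the MSFC.
route outside 0.0.0.0 0.0.0.0 172.16.10.254
! No address translation between internal VLANs; without this (or NAT rules) the
! FWSM drops traffic that has no matching nat statement.
no nat-control
!
! The FWSM permits nothing by default, even from a higher to a lower security level,
! so each firewalled VLAN needs an inbound ACL. "any" here covers VLAN 130 as well
! as the internet.
access-list WS-IN extended permit ip 172.21.123.0 255.255.255.0 any
access-group WS-IN in interface ws
!
! Traffic from the non-firewalled VLAN 130 arrives via the MSFC on "outside":
! allow only what the firewalled VLANs actually serve (HTTPS to the srv VLAN here).
access-list OUTSIDE-IN extended permit tcp 172.21.130.0 255.255.255.0 172.21.124.0 255.255.255.0 eq 443
access-group OUTSIDE-IN in interface outside
```

The two checks worth running after this change are `show route` on the MSFC, to confirm the firewalled subnets point at 172.16.10.1, and `show access-list OUTSIDE-IN` on the FWSM while a VLAN 130 host connects to the srv VLAN, to confirm the hit counter moves; a host in VLAN 130 that cannot reach VLAN 124 while the counter stays at zero is normally a missing MSFC static route rather than a firewall policy problem.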