Jacob

For the pinging of the interfaces see Chintan's response ie. you need to allow icmp to the FWSM interfaces.

You will need to add a route to the FWSM for the vlan on the inside ie.

ip route 192.168.101.0 255.255.255.0

Also bear in mind with the FWSM traffic is not allowed through from inside to outside by default. You need to allow it with an acl. This is contrary to the behaviour of standalone pix/asa firewalls.

Not sure what you mean by NAT. if you want o connect to the inside host from outside then you will need

static (inside,outside) 192.168.101.10 192.168.101.10

Jon

hi Jacob,

By nature , FWSM doens't allow to ping inside interface from MSFC(outside).

Are you able to ping outside interface of FWSM from MSFC?

Can you try folloiwng configuration on FWSM :

icmp permit

icmp permit

Then try pingging inside interface (GW) from host .

Regards,

Chintan

Dear Chintan / Jon

Thaks a lot, after adding the icmp permit now the host is able to ping the GW and msfc to fwsm outside interface also.

Jon about NAT, do we need to add NAT statement in FWSM as like we do in the traditional Pix. i dont need any NATing here, i mean to ask do we need to add this statement?

nat (inside) 0 x x

nat (outside) 0 x x

regards

Jacob

Jacob

NAT works pretty much the same way it does on traditional Pix. Yes you can use

nat (inside) 0 192.168.101.0 255.255.255.0

which tells the FWSM not to NAT. You would only need a static if you wanted to initiate the connection from the outside to the 192.168.101.10 host - see previous post.

Glad you got it working.

Jon

Dear Jon / Chintan,

Thanks for the Help...am still keeping the querry open ... since I have to createa a statefull failover between the fwsm i may please need your help when i do the faiover for FWSM. now i will check the whole scenario with out failover... and later...update you guysss...

thanks so much.....

regards...

Jacob

Jacob

No problem. Just a quick point. When configuring the failover make sure your "firewall vlan-group ..." configuration on the 6500 switches match each other exactly in terms of vlans assigned to the FWSM or the failover doesn't work properly.

Jon

Hi Jon / Chintan

Thanks a lot for you guyss..... i did the failover also, seems working fine.

thanks a lot for the support.. it was a very good experience..

regards

Jacob

Dear Jon / Chintan

One more point to add.. on MSFC in the interface vlan 95 ( connecting to the outside fwsm) i did standby config.

6509E-SW01

int vlan 95

ip add 192.168.95.2 255.25.255.248

standby ip 192.168.95.1

standby pri 110

stand pre

!

6509E-SW02

int vlan 95

ip add 192.168.95.3 255.25.255.248

standby ip 192.168.95.1

standby pri 105

stand pre

!

is it correct ? will it make any issue?

regards

Jacob

Jacob

This is exactly what you should do for failover to work properly. Obviously the default route on the FWSM should point to 192.168.95.1.

Glad it's all working now and appreciate the ratings.

Jon

Hi Jacob,

Yes, Jon is correct, you should be using HSRP and route on MSFC pointing to HSRP Virtual IP for servr farm.

What is FWSM software and 6500 IOS you use ?

Are you plan to use multiplex context or single context ?

Regards,

Chintan

Jon/Chintan,

Thanks its working fine. Chintan it is 3.1(4).

Yes it is working as single context mode as of now.

Infact i dont have much idea about the multiple context mode. Multiple Context mode means multiple VLAN group assigned in the switch so it iwll work as a different firewall groups, am i right.... ??? can you please just give some clarity on this???

As of now i am connecting only my server on vlan 101, whihc is the inside. If i have to create muiltiple DMZ's it is the same proces we did for the other interfaces only right? If so I will try this later.

regards

Jaocb

Hi jacob,

Multiple context mode is kind of using virutal firewall with diff policy in single physical firewall..

so say for example you have diff Server farm needs diff security policy you can use multiple context mode. like DMZ which has diff security requirement than interna private network...

you have to configure Firewall in multiple mode and start creating diff context ( i.e virtual firewall) , allocated vlan to them and so on....

Even you can also achive kind of load-sharing by having active/active mode for FWSM so that some context willbe active on SW1 and some of on SW2 and that way can share load on both switches with resiliency....

Chintan

Chintan, surely i will try for that..

thanks

Jacob

I sent one mail on ur gmail account. Can u please find some time to have a look on that.

Hi Jon,

I ran in to one desing issue and finding solution.

I have 6500 with FWSM running multiple context in routed mode...

I have setup like this :

MSFC--Ext-FW ---VRF-lite----Int-FW1-server1

----Int-FW2-server2

Now behind Int-FW1 ( one of context) there are muliteple server and same behind Inter-FW2.

I don't se shared outside valn between Int-FW and VRF-lite rather i have one to one VLAN between each context and VRF.

I might have to use lots of static routes on VRF for server subnect pointing to each int-FW context.

To avoid that, I thought of using RHI but got to know that RHI doesn't support injection VRF ( FWSM 4.0), other alterantive is BGP STUB. But i understood taht BGP stub require outside vlan is shared interface between all context ( i.e i-fw) and VRF.

So, with my desing when i have no shared vlan rather one to one vlan for each context. Can i still use BGP stub between FWSM and VRF ?

Any help apprecieated.

Chintan