I have 2 6509E switches with FWSM. There are 2 VLANs for the FWSM also: inside VLAN 101 and outside VLAN 95. Outside will be the virtual connection to the MSFC for FWSM-to-MSFC routing, and VLAN 101 connects the server farm, int gig1/1-40 on the same switch.
The problem I am facing now is that both my interfaces on the FWSM are showing down:
int vlan 95 outside
int vlan 101 inside
I read in many places that you need an up/up interface or active trunk to make the SVI up. What should I do in this case, if I want to connect the MSFC to the FWSM???
Also, if I want to create a management SVI for the devices, I will not assign any port just for management access only.
Thanks for the link.
Sure, I will go through the file. I have configured up to this as of now.
My connectivity is as follows:
ASA inside -> connects to 6509E MSFC on int vlan 90
int vlan 90
des *** connect to 6509E MSFC ***
ip add 192.168.90.1 255.255.255.224
6509E (L3 SVI)
int vlan 91
des *** MSFC connect to ASA Inside ***
ip add 192.168.90.5 255.255.255.224
6509E MSFC -> connects to FWSM int vlan 95.
(No L2 VLAN created in the MSFC, only the SVI)
int vlan 95
des *** routing Vlan to FWSM ***
ip add 192.168.95.5 255.255.255.224
FWSM interface outside
int vlan 95
des *** Routing to 6509E MSFC ***
ip add 192.168.95.1 255.255.255.224
FWSM interface inside
(int vlan 101 inside, to connect servers)
int vlan 101
des *** Connect to Inside Servers ***
ip add 192.168.101.1 255.255.255.0
Is it correct??? If there is no L2 for VLAN 95 on the MSFC, how will it work?
Need your kind input please.
All VLANs must exist at layer 2 on the 6500 switch.
For VLAN 95 you need:
1) The VLAN to exist at L2, i.e. a "sh vlan" would show vlan 95
2) An L3 SVI on the MSFC for VLAN 95
For VLAN 101 you need the VLAN to exist at L2 ONLY on the 6500 switch. No L3 SVI should be created on the MSFC.
Also, have you allocated the VLANs to the FWSM with the "firewall vlan-group ..." command on the 6500 switches?
Thanks to all,
I am attaching the configuration of the switch and the FWSM. Thanks Jon, now my VLAN 95 is showing up on the FWSM. But still my inside interface VLAN 101 is showing down. I have added one port to the inside VLAN 101, but it is still showing down.
In the third file I have mentioned the configuration I prepared for the switch; can anyone please validate that also?
Do you see VLAN 101 (the inside VLAN) in the layer 2 VLAN database? Do "show vlan"; you should have VLAN 101. If you don't have it, VLAN 101 will be down unless you have it in the layer 2 database.
Your 6500 switch is running in VTP transparent mode but it shows no sign of VLAN 95 or VLAN 101. The only VLANs it shows are VLANs 90 & 100.
On the 6500 switch, if you do
6500# sh vlan
do you see entries for VLANs 95 & 101? If not, you need to create them, i.e.
6500(config)# vlan 95
6500(config-vlan)# name FWSM_outside
6500(config)# vlan 101
6500(config-vlan)# name FWSM_inside
Jon is correct. You have not created VLAN 101 in the MSFC L2 VLAN database; you only have VLANs 90 and 100. Please create VLAN 101 in global config mode, and you should have VLAN 101 in up/up state :).
I am sorry, by mistake I attached the previous file. I am attaching the latest config.
Also, I missed creating the inside L2 VLAN (101) on the MSFC; I just created that and the inside VLAN is also showing up now.
But... again I am not able to ping the VLAN interface 192.168.101.1 from the MSFC, and I am also not able to ping from the inside host 192.168.101.10 to the gateway 192.168.101.1. Anything... missing??
"am not able to ping the vlan interface 192.168.101.1 from the msfc"
Add this to your config:
FWSM-Pri(config)# management-access inside
"also not able to ping the inside host 192.168.101.10 to the gateway 192.168.101.1 any thing"
Do you mean you can't ping the host from the gateway, or the gateway from the host? Have you assigned the switch port that the host is connected to into VLAN 101?
Do we have to add any route in the 6509 switch for 192.168.101.x?
NAT - in the FWSM I just did the NAT for (inside) only; do we need the same for outside also?
On the FWSM I have added a default route only; 101.x is a connected interface, so I think there is no need to add any route for it there?
I have added one port, Gig 1/2, to VLAN 101, and from the host
IP 192.168.101.10 /24
I am not able to ping the gateway from the host. Also, I am not able to ping from the MSFC to the outside interface (192.168.95.1 to 192.168.95.5) and the reverse.
For the pinging of the interfaces, see Chintan's response, i.e. you need to allow ICMP to the FWSM interfaces.
You will need to add a route to the FWSM for the VLAN on the inside, i.e.
ip route 192.168.101.0 255.255.255.0
Also bear in mind that with the FWSM, traffic is not allowed through from inside to outside by default. You need to allow it with an ACL. This is contrary to the behaviour of standalone PIX/ASA firewalls.
Not sure what you mean by NAT. If you want to connect to the inside host from outside, then you will need
static (inside,outside) 192.168.101.10 192.168.101.10
By nature, the FWSM doesn't allow pinging the inside interface from the MSFC (outside).
Are you able to ping the outside interface of the FWSM from the MSFC?
Can you try the following configuration on the FWSM:
Then try pinging the inside interface (GW) from the host.
Dear Chintan / Jon
Thanks a lot. After adding the icmp permit, the host is now able to ping the GW, and the MSFC can ping the FWSM outside interface also.
Jon, about NAT, do we need to add a NAT statement in the FWSM like we do in the traditional PIX? I don't need any NATing here; I mean to ask, do we need to add these statements?
nat (inside) 0 x x
nat (outside) 0 x x
NAT works pretty much the same way it does on a traditional PIX. Yes, you can use
nat (inside) 0 192.168.101.0 255.255.255.0
which tells the FWSM not to NAT. You would only need a static if you wanted to initiate the connection from the outside to the 192.168.101.10 host - see previous post.
Glad you got it working.
Dear Jon / Chintan,
Thanks for the help... I am still keeping the query open... since I have to create a stateful failover between the FWSMs, I may need your help when I do the failover for the FWSM. Now I will check the whole scenario without failover... and later... update you guys...
Thanks so much.....
No problem. Just a quick point: when configuring the failover, make sure your "firewall vlan-group ..." configuration on the 6500 switches matches exactly in terms of the VLANs assigned to the FWSM, or the failover doesn't work properly.
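The two switch-side checks raised in this thread (Jon's rules above: the outside VLAN must exist at L2 and have an MSFC SVI, the inside VLAN must exist at L2 with no SVI, and both must be handed to the module with "firewall vlan-group"; and the later point that the vlan-group assignments on both 6500s must match for failover) can be turned into a small validator run against a saved running-config. The following is an added example written for this thread, not code from any of the posters or from Cisco; the three sample configs are constructed to mirror the situations described above, the slot number 3 is an assumed module slot, and the "firewall vlan-group" / "firewall module ... vlan-group" lines are the standard IOS syntax for attaching VLANs to the FWSM.

```python
import re

# ---- constructed sample configs (assumptions, not the thread's attachments) ----

# State the thread converged on: VLAN 95 at L2 with an SVI, VLAN 101 at L2 only,
# both handed to the FWSM in slot 3 (slot number assumed).
GOOD_SWITCH = """
vtp mode transparent
vlan 90
 name ASA_inside
vlan 95
 name FWSM_outside
vlan 101
 name FWSM_inside
firewall vlan-group 1 95,101
firewall module 3 vlan-group 1
interface Vlan90
 ip address 192.168.90.5 255.255.255.224
interface Vlan95
 ip address 192.168.95.5 255.255.255.224
"""

# Mirrors the first attachment as Jon described it: VTP transparent, only
# VLANs 90 and 100 at L2, SVIs created, nothing handed to the FWSM.
BROKEN_SWITCH = """
vtp mode transparent
vlan 90
 name ASA_inside
vlan 100
 name Servers
interface Vlan90
 ip address 192.168.90.5 255.255.255.224
interface Vlan95
 ip address 192.168.95.5 255.255.255.224
"""

# A failover peer whose vlan-group forgot the inside VLAN.
PEER_MISMATCH = GOOD_SWITCH.replace("firewall vlan-group 1 95,101",
                                    "firewall vlan-group 1 95")


def _expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '95,101,200-202' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_switch_config(text):
    """Extract L2 VLANs, MSFC SVIs and the VLANs reaching the FWSM from a 6500 config."""
    l2_vlans, svis, groups, module_groups = set(), set(), {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^vlan ([\d,\- ]+)$", line)          # 'vlan 95' (what 'show vlan' lists)
        if m:
            l2_vlans |= _expand_vlan_list(m.group(1))
            continue
        m = re.match(r"^interface [Vv]lan\s*(\d+)$", line)  # L3 SVI on the MSFC
        if m:
            svis.add(int(m.group(1)))
            continue
        m = re.match(r"^firewall vlan-group (\d+) ([\d,\-]+)$", line)
        if m:
            groups[int(m.group(1))] = _expand_vlan_list(m.group(2))
            continue
        m = re.match(r"^firewall module (\d+) vlan-group ([\d,\-]+)$", line)
        if m:
            module_groups[int(m.group(1))] = _expand_vlan_list(m.group(2))
    # Only groups actually bound to a module slot reach the FWSM.
    fwsm_vlans = set()
    for group_ids in module_groups.values():
        for gid in group_ids:
            fwsm_vlans |= groups.get(gid, set())
    return {"l2": l2_vlans, "svi": svis, "fwsm": fwsm_vlans}


def check_fwsm_vlans(text, outside, insides):
    """Apply the thread's rules; returns a list of findings, empty when the config is sound."""
    facts = parse_switch_config(text)
    findings = []
    for v in [outside, *insides]:
        if v not in facts["l2"]:
            findings.append(f"vlan {v}: missing from the L2 VLAN database ('show vlan')")
        if v not in facts["fwsm"]:
            findings.append(f"vlan {v}: not handed to the FWSM via 'firewall vlan-group'")
    if outside not in facts["svi"]:
        findings.append(f"vlan {outside}: no MSFC SVI, so the MSFC cannot route to the FWSM outside")
    for v in insides:
        if v in facts["svi"]:
            findings.append(f"vlan {v}: has an MSFC SVI, which would route around the FWSM inside")
    return findings


def compare_fwsm_vlans(text_a, text_b):
    """VLANs handed to the FWSM on one switch but not the other (must be empty for failover)."""
    a = parse_switch_config(text_a)["fwsm"]
    b = parse_switch_config(text_b)["fwsm"]
    return sorted(a ^ b)


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_SWITCH), ("broken", BROKEN_SWITCH)):
        print(name, check_fwsm_vlans(cfg, outside=95, insides=[101]) or "OK")
    print("failover mismatch:", compare_fwsm_vlans(GOOD_SWITCH, PEER_MISMATCH))
```

Running it reports four findings for the constructed "broken" config (VLANs 95 and 101 absent from the L2 database and not in any vlan-group) and nothing for the corrected one; the failover comparison flags VLAN 101 as present on one switch only, which is exactly the mismatch Jon warns about.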
Hi Jon / Chintan
Thanks a lot, you guys..... I did the failover also; it seems to be working fine.
Thanks a lot for the support.. it was a very good experience..
Dear Jon / Chintan
One more point to add.. on the MSFC, on interface vlan 95 (connecting to the FWSM outside), I did the standby config.
int vlan 95
ip add 192.168.95.2 255.255.255.248
standby ip 192.168.95.1
standby pri 110
int vlan 95
ip add 192.168.95.3 255.255.255.248
standby ip 192.168.95.1
standby pri 105
Is it correct? Will it cause any issue?
This is exactly what you should do for failover to work properly. Obviously the default route on the FWSM should point to 192.168.95.1.
Glad it's all working now and appreciate the ratings.
Yes, Jon is correct; you should be using HSRP, with the route on the MSFC pointing to the HSRP virtual IP for the server farm.
What FWSM software and 6500 IOS do you use?
Are you planning to use multiple context or single context?
Thanks, it's working fine. Chintan, it is 3.1(4).
Yes, it is working in single context mode as of now.
In fact, I don't have much idea about multiple context mode. Multiple context mode means multiple VLAN groups assigned in the switch so it will work as different firewall groups, am I right....??? Can you please give some clarity on this???
As of now I am connecting only my server on VLAN 101, which is the inside. If I have to create multiple DMZs, is it the same process we did for the other interfaces? If so, I will try this later.
Multiple context mode is kind of like using virtual firewalls with different policies in a single physical firewall..
So, say for example you have different server farms needing different security policies; you can use multiple context mode, like a DMZ which has different security requirements than the internal private network...
You have to configure the firewall in multiple mode and start creating different contexts (i.e. virtual firewalls), allocate VLANs to them and so on....
You can also achieve a kind of load-sharing by having active/active mode for the FWSM, so that some contexts will be active on SW1 and some on SW2, and that way you can share load on both switches with resiliency....
Chintan, surely I will try that..
I sent one mail to your Gmail account. Can you please find some time to have a look at it?
I ran into one design issue and am looking for a solution.
I have a 6500 with FWSM running multiple contexts in routed mode...
I have a setup like this:
Now behind Int-FW1 (one of the contexts) there are multiple servers, and the same behind Int-FW2.
I don't use a shared outside VLAN between Int-FW and VRF-lite; rather, I have a one-to-one VLAN between each context and VRF.
I might have to use lots of static routes on the VRF for server subnets pointing to each Int-FW context.
To avoid that, I thought of using RHI, but got to know that RHI doesn't support injection into a VRF (FWSM 4.0); the other alternative is BGP stub. But I understood that BGP stub requires the outside VLAN to be a shared interface between all contexts (i.e. Int-FW) and the VRF.
So, with my design where I have no shared VLAN but rather a one-to-one VLAN for each context, can I still use BGP stub between the FWSM and the VRF?
Any help appreciated.