Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Configuring the FWSM Transparent mode.

Hi, I am trying to set up a FWSM to run in transparent/multi context mode. I have followed the example configuration in the Cisco configuration guide but I cannot get traffic to pass through from the inside to outside vlans (traverse the FWSM in other words). The vlans are created and allocated from the switch with the firewall vlan-group command and the interfaces have been allocated from the admin context on the FWSM. How does the FWSM/Switch know that the two VLANs are related in the transparent setup, i.e. when a host on the inside vlan sends a packet how does the switch know it is destined for the FWSM interface. I have a feeling I am missing some config here on the switch (Bridge groups maybe?) which were not included in the configuration guide.

Can anyone please advise on this.

Thanks for looking.


Re: Configuring the FWSM Transparent mode.

Could show the config?

New Member

Re: Configuring the FWSM Transparent mode.

Sure, the configs are as below:

FWSM Config:

FWSM/ContextA# sh run

: Saved


FWSM Version 4.0(1)


hostname ContextA

enable password xxx




interface Vlan10

nameif outside

security-level 10

ip address


interface Vlan20

nameif inside

security-level 90

no ip address


passwd xxx

access-list allow-all extended permit ip any any

access-list allow-all extended deny ip any any log

pager lines 24

logging enable

logging buffered debugging

mtu outside 1500

mtu inside 1500

icmp permit any outside

icmp permit any inside

no asdm history enable

arp timeout 14400

access-group allow-all in interface outside

access-group allow-all in interface inside

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-inContextAte 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

telnet timeout 5

ssh timeout 5


class-map inspection_default

match default-inspection-traffic



policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect skinny

inspect smtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp


serContextAce-policy global_policy global


: end

Switch Config:

firewall multiple-vlan-interfaces

firewall module 1 vlan-group 1

firewall vlan-group 1 10,20

vlan 10

vlan 20

interface Vlan10

ip address

New Member

Re: Configuring the FWSM Transparent mode.

Also from the FWSM System Context:

FWSM/admin# sh firewall

Firewall mode: Transparent


FWSM# sh vlan

10, 20


Re: Configuring the FWSM Transparent mode.

Your config is missing bridge-groups and BVI interfaces needed for Transparent mode. You dont assign Ip addresses on interfaces for transparent mode. IP addresses are just assigned to BVI interface (which is used for management traffic only)

firewall transparent


interface Vlan10

nameif outside

bridge-group 1

security-level 0

interface Vlan20

nameif inside

bridge-group 1

security-level 100


interface BVI1

ip address x.x.x.x

New Member

Re: Configuring the FWSM Transparent mode.

Iftekhar ,

I think that we will create the bridge-group for e.g bridge-group 1 on 6513 first then we assign this group inside the FWSM to the inside and outside interface and for BVI we will create interface BVI 10 inside FWSM and assign the IP address to it.

Thank you

Ambivert Skill

CreatePlease to create content