Solved: Re: Sup720 communicating with fwsm

amadeusri · ‎06-27-2007

Hi, I have a 6509 switch with the Sup720 and a fwsm. I cannot get these two modules to communicate. When I ping the fwsm from the sup720 I get no response, and when I ping the sup720 from the fwsm I get no response. This is my first experience with the fwsm and the 6509 series switch.

I have added the vlans into the firewall so it can communicate with those and the interfaces have the correct ips.

the sup720 has ip 10.1.0.2 on vlan10

the fwsm has ip 10.1.0.1 on vlan10

I am just looking for some advice and any will be appreciated, this is holding up the upgrade to our network. Thank you.

Jon Marshall · ‎06-27-2007

Hi

Can you add the following in your config

icmp permit any "pix interface"

where pix interface is the name of the interface with the 10.1.0.1 ip address.

If this does not work can you send a copy of your config.

HTH

Jon

View solution in original post

Jon Marshall · ‎06-27-2007

Hi

Can you add the following in your config

icmp permit any "pix interface"

where pix interface is the name of the interface with the 10.1.0.1 ip address.

If this does not work can you send a copy of your config.

HTH

Jon

amadeusri · ‎06-29-2007

Ok, so that last post fixed my problem but now I have one more. Traffic is bypassing the firewall module and going straight out of the switch. If anyone has any ideas on this I would appreciate the help, thank you!

Jon Marshall · ‎06-30-2007

Hi

Coudl you send some more details as to how you have setup your FWSM etc and how you know traffic is bypassing the FWSM.

If traffic is not going through the FWSM it sounds the MSFC is routing traffic around it.

Jon

glynnd · ‎07-01-2007

you probably created more than one SVI's. Other than the one inside interface, which in your case is vlan 10. For any other vlans on your FWSM, you do NOT want to create layer 3 vlan interfaces in IOS.

jlhainy · ‎07-01-2007

On my 6500 & FWSM, I configured the FWSM is routed mode. Each firewall interface is actually a vlan that sits on the 6500. To link a vlan to your FWSM, you need to use the firewall vlan-group command. So for example, if you have vlan 100 as your Inside interface and vlan 101 as the outside interface, you would use the command (config)#firewall vlan-group 1 100,101.

This will link those vlans to the FWSM. You can then go into the fwsm and link a firewall interface to one of those vlans. You need to do the same if you want to create DMZ interfaces and have them link to vlans.

Once that is done, I just created a static default route to the "inside" interface of the FWSM, thus forcing all of my traffic to go through the firewall.

Hopefully that will give you some ideas.

ibrahim.shareef · ‎02-26-2008

Hi Dear

My name is Ibrahim and i want your help as you configured FWSM before, in my work i have 6509-E switch with sup720 & FWSM & i already created 5 Vlans on the switch & i need those Vlans to talk to each other through the FWSM SO PLEASE advice me about the design that i should work with (summary steps)

my e-mail is:

ib_cims@yahoo.com

Jon Marshall · ‎02-26-2008

Hi

Have a look at this previous post

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.2cbef1c1/5#selected_message

HTH

Jon