Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2168
Views
19
Helpful
21
Replies

FWSM Confusion

mahmoodmkl
Level 7
Level 7

‎11-11-2007 10:32 PM - edited ‎03-03-2019 05:47 AM

Dear Guys

I need u r help in understanding the working of FWSM.I m confused about the interfaces in FWSM.How do we define the inside and outside interfaces as it doesnt have any physical interfaces.

And how the traffic flows if we are using FWSM.

Thanks

Mahmood

Labels:
0 Helpful
21 Replies 21

mahmoodmkl
Level 7
Level 7
In response to Jon Marshall

‎11-14-2007 03:23 AM

Hi Jon

Thanks for the reply.As i m posting here i was going through the documentation for FWSM.

Let me put this in my own words.

for eg.i have 3 vlans 100,200,300 and i want MSFC to be behind my firewall and i want to protect my indside vlan ie vlan 100 from outside vlan i.e 200.

now creating the SVI i have to configure for vlan 100 both on FWSM and MSFC i m i right.

So what is happening here is that my any traffic going to vlan 200 from vlan 100 and 300 will be protected i m i right.

From this discssion what i have undestand of defining the SVI on the MSFC and FWSM is like that u r assigning the FWSM in a particular vlan im i right in thinking this.

Please explain.

Thanks

Mahmood

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to mahmoodmkl

‎11-14-2007 03:49 AM

Mahmood

"now creating the SVI i have to configure for vlan 100 both on FWSM and MSFC i m i right"

Yes, you are spot on.

Any traffic going to vlan 200 from vlan 100, 300 or traffic going from vlan 200 to vlan 100,300 will have to go through the FWSM so you can apply access-lists in both directions to filter the traffic.

"From this discssion what i have undestand of defining the SVI on the MSFC and FWSM is like that u r assigning the FWSM in a particular vlan im i right in thinking this."

Not sure about this. If for a vlan, eg vlan 200, you only create an interface on the FWSM then the traffic from that vlan has to go to the FWSM eg. from my original response

nameif vlan 100 outside security0

nameif vlan 200 inside security100

The above 2 commands are how you allocate vlans to the FWSM interfaces.

if you create an SVI for vlan 100 then the MSFC is on the outside

if you create an SVI for vlan 200 then the MSFC is on the inside.

Can't help feeling i've not quite addressed your question ?

Jon

0 Helpful

mahmoodmkl
Level 7
Level 7
In response to Jon Marshall

‎11-14-2007 04:22 AM

Hi Jon

Not sure about this. If for a vlan, eg vlan 200, you only create an interface on the FWSM then the traffic from that vlan has to go to the FWSM eg. from my original response

If we take this then how will the traffic go to other vlans unless we define any interface which is in the same subnet.

if you create an SVI for vlan 100 then the MSFC is on the outside

it means that all the vlan which are on MSFC are treated as outside network im i right.

if you create an SVI for vlan 200 then the MSFC is on the inside.

and for it means that all the vlans on the MSFC are inside networks and vlan 100 as outside.

Thanks

Mahmood

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to mahmoodmkl

‎11-14-2007 05:25 AM

Mahmood

"if you create an SVI for vlan 100 then the MSFC is on the outside

it means that all the vlan which are on MSFC are treated as outside network im i right.

if you create an SVI for vlan 200 then the MSFC is on the inside.

and for it means that all the vlans on the MSFC are inside networks and vlan 100 as outside."

Yes to the above.

It's a question of routing. If you only create the vlan at L2 on the 6500 and for that vlan have an interface on the FWSM, traffic to and from that vlan has to go through the FWSM. Remember in routed mode the FWSM will route between vlans.

Jon

0 Helpful

RouterTech1
Level 1
Level 1
In response to Jon Marshall

‎12-06-2007 12:27 PM

Hi Jon, I was following your advice and I'm trying to execute one of the commands you specified:

"nameif vlan 100 outside security0"

The VLAN is created on the switch side, and this was the next command to be executed on the FWSM. Except I get this error message:

FWSM(config)# nameif vlan 100 outside security0

^

ERROR: % Invalid input detected at '^' marker.

so, for some reason it's not letting me execute the nameif command in config mode. Not sure why. Any idea what I'm doing wrong?

I'm running:

FWSM Firewall Version 3.1(4)

Also, I tried creating the vlan on the switch config, but it shows manual/down/down.

These are the relevant parts of the config:

firewall vlan-group 4 747,748

vtp mode transparent

vlan 747

name to_FW

interface Vlan747

ip address 10.254.254.123 255.255.255.248

no ip redirects

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to RouterTech1

‎12-06-2007 01:17 PM

Hi

The command "nameif vlan 100 outside security0" will work on an FWSM running v2.x but not v3.x.

Please see this attached link for how to configure interfaces under v3.x

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/intfce_f.html

HTH

Jon

0 Helpful

RouterTech1
Level 1
Level 1
In response to Jon Marshall

‎12-07-2007 07:38 AM

That's what I had guessed and tried to config from, but the interfaces remain down/down. I'm not sure how to bring them up without a phys connected interface that's up and attached to the vlan.

I've brought an interface up on the switch side for that vlan, but the FWSM Vlan still shows as down.

0 Helpful
Customers Also Viewed These Support Documents