Cisco Support Community
Adding a firewall to the FW MC which sits on the outside zone

Hi All,

Is it possible to add a firewall to the FW MC which sits on the outside interface of that firewall? If yes, what commands do you need on this firewall?

Thanks and best regards,

1 ACCEPTED SOLUTION

Re: Adding a firewall to the FW MC which sits on the outside zone

Hi,

Theoretically it may be possible, as what the VMS Svr (FW MC) needs is a communication channel to the target device, the outside firewall (EXTERNAL FIREWALL).

You can try the following to confirm.

Your topology/flow is most probably as follows:

inside intf:EXTERNAL FIREWALL:outside intf<->internet router<->INTERNET CLOUD<->internet router<->outside intf:PERIMETER FIREWALL:inside intf<->VMS:FW MC

A. For EXTERNAL FIREWALL, configure:

1. enable https & ssh access to/from the VMS server. Access to the VMS Svr must be via a public IP that is mapped to the server in the PERIMETER FIREWALL.

2. open access for https & ssh (tcp 443 & 22). SSH may be optional, but you can enable it as well. HTTPS is required to communicate with the VMS Svr.

http server enable

http 255.255.255.255 outside

3. for ssh, generate a key for the firewall. The requirements are as follows:

- define hostname: "hostname abc123"

- define domain name: "domain-name xyz"

- generate key: "ca generate rsa key ". The modulus can be 512, 768, 1024 or 2048

- save key: "ca save all"

B. For PERIMETER FIREWALL, configure:

1. static mapping of the VMS FW MC Svr to a public IP for External Firewall management traffic

static (inside,outside) xx.xx.xx.10 aa.aa.aa.50 netmask 255.255.255.255

2. open access (ACL on the outside interface) to the VMS FW MC's public IP from the External Firewall

access-list outside permit tcp host yy.yy.yy.100 host xx.xx.xx.10 eq https

access-list outside permit tcp host yy.yy.yy.100 host xx.xx.xx.10 eq ssh

access-group outside in interface outside

*yy.yy.yy.100 is the EXTERNAL FIREWALL outside interface IP

3. By default, since the VMS Svr is configured statically with a public IP, it should be able to go out to the internet. But if you have an ACL on the inside interface, you need to allow it to access the EXTERNAL FIREWALL via https & ssh (tcp 443 & 22).

access-list inside permit tcp host aa.aa.aa.50 host yy.yy.yy.100 eq https

access-list inside permit tcp host aa.aa.aa.50 host yy.yy.yy.100 eq ssh

access-group inside in interface inside

Also, allow/add ICMP on both outside & inside to test reachability for both devices. If you have an ACL on the internet router, make sure you allow both the EXTERNAL FIREWALL and the VMS Svr to pass through.

This is only a theoretical configuration. It may or may not work, or it may need some modification.

Rgds,

AK
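As an added example (not from this thread or from Cisco), a small Python checker that parses the PERIMETER FIREWALL access-list and access-group lines from the recipe above and answers whether a given source can reach the VMS server's public IP on 443/22, then flags any permit whose source is wider than a single host. The addresses are RFC 5737 stand-ins for the xx/yy/aa placeholders, an assumption made here so the checker has real addresses to evaluate.

```python
import ipaddress
# Constructed sample: the PERIMETER FIREWALL ACLs from the reply above, with RFC 5737
# documentation addresses standing in for the xx/yy/aa placeholders (assumed here).
PERIMETER_CONFIG = """\
access-list outside permit tcp host 198.51.100.100 host 192.0.2.10 eq https
access-list outside permit tcp host 198.51.100.100 host 192.0.2.10 eq ssh
access-group outside in interface outside
access-list inside permit tcp host 10.0.0.50 host 198.51.100.100 eq https
access-list inside permit tcp host 10.0.0.50 host 198.51.100.100 eq ssh
access-group inside in interface inside
"""
PORTS = {"https": 443, "ssh": 22}
def _addr(tok, i):
    """Parse 'host A', 'any' or 'A MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse(config):
    """Return ({acl: [(action, proto, src_net, dst_net, port|None)]}, {interface: acl})."""
    acls, bindings = {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"]:
            src, i = _addr(tok, 4)
            dst, i = _addr(tok, i)
            port = (PORTS.get(tok[i + 1]) or int(tok[i + 1])) if tok[i:i + 1] == ["eq"] else None
            acls.setdefault(tok[1], []).append((tok[2], tok[3], src, dst, port))
        elif tok[:1] == ["access-group"]:
            bindings[tok[4]] = tok[1]  # 'access-group NAME in interface IF'
    return acls, bindings

def is_permitted(config, intf, src, dst, port, proto="tcp"):
    """Inbound check on intf: first matching ACE wins; no match is the implicit deny."""
    acls, bindings = parse(config)
    if intf not in bindings:
        return None  # no ACL bound: PIX security-level defaults apply (not modelled)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, sn, dn, pt in acls[bindings[intf]]:
        if p in (proto, "ip") and s in sn and d in dn and pt in (None, port):
            return action == "permit"
    return False

def broad_sources(config, intf="outside"):
    """Permit ACEs on intf whose source is wider than one host (least-privilege check)."""
    acls, bindings = parse(config)
    return [a for a in acls.get(bindings.get(intf), []) if a[0] == "permit" and a[2].prefixlen < 32]
```

Appending an `any`-source permit to the sample makes `broad_sources` return it; that is the check to run before opening the management path to the VMS server from the internet.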

3 REPLIES


Re: Adding a firewall to the FW MC which sits on the outside zone

Thanks AK...

I was actually doing it this morning and it worked fine... I was worried that it would be like the concept of telnet, that you can telnet from outside unless you have IPSec running...

The required commands were:

http server enable

http 255.255.255.255 outside

Thanks anyway! Is there anybody to vote for me :) :)

Regards

Re: Adding a firewall to the FW MC which sits on the outside zone

I'll vote for you...

Cheers!

AK
