New Member

Configuring FWSM - Many internal vlans on one FWSM interface

Hi,

We are replacing the PIX 520 with an FWSM module. I would like to put all the VLANs in my internal network on one inside interface, plus one outside and two DMZ networks. I am doing single context mode.

First step is to group the vlans in the switch to the firewall module.

But in the FWSM nameif command I am not able to give a group of VLANs. Any advice on how to configure this is really appreciated.

Thanks

raymond

3 REPLIES
New Member

Re: Configuring FWSM - Many internal vlans on one FWSM interface

All the internal VLANs in - Internal interface (Inside)

DMZ interface (DMZ1)

DMZ interface (DMZ2)

Outside interface

I am not able to assign more than one VLAN to the inside interface. How do I add more than one VLAN to the same interface?

please let me know

Thanks

New Member

Re: Configuring FWSM - Many internal vlans on one FWSM interface

You have to configure this on your Catalyst switch.

Assume that your FWSM is installed in slot 9 of the Catalyst switch.

1. Create VLANs 10-12 on your switch.

2. Assign the VLANs to the FWSM:

firewall module 9 vlan-group 1

firewall vlan-group 1 10-12

This configuration will assign VLANs 10-12 to the FWSM.

3. After that, you have to assign the VLANs to a firewall context:

admin-context admin

context admin

config-url disk:/admin.cfg

!

context inside-server

allocate-interface vlan10-vlan12

config-url disk:/inside_server.cfg

4. After that, changeto context inside-server

and you can nameif your VLANs as DMZs as you need:

nameif vlan10 outside security0

nameif vlan11 DMZ1 security100

nameif vlan12 DMZ2 security90

Good luck.

Silver

Re: Configuring FWSM - Many internal vlans on one FWSM interface

The rule of thumb is as follows:

- Each VLAN gets its own interface

In your specific case, you would have the following options:

a) Put all your internal VLANs on the supervisor/MSFC and just make a link VLAN into the FWSM

b) Put all your internal VLANs on the FWSM as different interfaces

With option b) you have two more options:

b1) Let each interface have its own security level and configure your statics and NATs accordingly

b2) Let each internal interface share the same security level and use the "same-security-traffic permit inter-interface" command to let them talk to each other without needing the statics and NATs between them.

You'll need the statics and NATs for communication to/from the Internet/DMZs unless you also put them at the same security level (which you shouldn't do for the Internet interface, at least).

Did it help?
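Added example, not from any of the replies above: a constructed single-context configuration for the original poster's layout that follows the step order of the second reply (VLANs created on the switch, handed to the FWSM, then named on the module) and option b2 of the last reply (inside VLANs at one security level with same-security-traffic). Everything here is assumed: slot 9, VLANs 10-12 inside, 20 outside, 30 and 31 for the DMZs, the interface names, and the addresses (documentation and private ranges). It uses the FWSM 2.x-style nameif syntax the thread uses; on FWSM 3.x each interface is instead configured with interface, nameif and security-level sub-commands, and the availability of same-security-traffic depends on the FWSM release.

```cisco
! Constructed example for the scenario in this thread (assumed values throughout).
!
! --- Catalyst 6500 supervisor: create the VLANs and hand them to the FWSM in slot 9 ---
vlan 10-12,20,30,31
!
firewall vlan-group 1 10-12,20,30,31
firewall module 9 vlan-group 1
!
! --- FWSM, single context ---
! Each VLAN is exactly one firewall interface; a nameif cannot take a VLAN range.
! The three inside VLANs share security100 so they can talk to each other
! without static/nat pairs (option b2). Outside stays at security0 and the
! DMZs sit in between.
nameif vlan20 outside security0
nameif vlan10 inside-users security100
nameif vlan11 inside-servers security100
nameif vlan12 inside-mgmt security100
nameif vlan30 dmz1 security50
nameif vlan31 dmz2 security40
!
ip address outside 203.0.113.2 255.255.255.0
ip address inside-users 10.10.10.1 255.255.255.0
ip address inside-servers 10.10.11.1 255.255.255.0
ip address inside-mgmt 10.10.12.1 255.255.255.0
ip address dmz1 192.168.30.1 255.255.255.0
ip address dmz2 192.168.31.1 255.255.255.0
!
! Allow routing between interfaces that share a security level (the inside VLANs).
same-security-traffic permit inter-interface
!
! Translation is still required toward the outside and the DMZs.
nat (inside-users) 1 10.10.10.0 255.255.255.0
nat (inside-servers) 1 10.10.11.0 255.255.255.0
nat (inside-mgmt) 1 10.10.12.0 255.255.255.0
global (outside) 1 interface
!
! The FWSM passes no transit traffic until an access-list is applied to the
! interface, even from a higher to a lower security level (a difference from
! the PIX 520 being replaced). Permit the inside networks outbound.
access-list inside_out permit ip 10.10.0.0 255.255.0.0 any
access-group inside_out in interface inside-users
access-group inside_out in interface inside-servers
access-group inside_out in interface inside-mgmt
!
! Only explicitly published DMZ services are reachable from outside.
static (dmz1,outside) 203.0.113.10 192.168.30.10 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-group outside_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

Keeping the inside VLANs at the same security level is what makes option b2 work, but it also means the FWSM no longer separates those VLANs from each other; if one of them (management, for instance) should be isolated from the others, give it its own security level as in option b1 and write the access-lists for it explicitly.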
