Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Traffic bypassing FWSM - 6513 (12.2.17) FWSM (2.3)

We've got a 6513 running IOS 12.2.17 and FWSM running 2.3. Transparent, single context mode.

We're configuring the MSFC to be outside the FWSM. We have created VLAN100 as FWSM inside and VLAN200 as the FWSM/MSFC link. VLANs 300-500 support traffic on the outside. We've assigned specific ports to each VLAN and directly attached test systems.

The problem is it appears we have traffic bypassing the FWSM. A host on VLAN100 can ping any other host connected to the 6513. The docs state that the FWSM denies all traffic by default but we're not seeing that behavior. The docs also show an example of routing around the FWSM, which we do not want and we have not performed those steps.

We can find no examples of a transparent, single context setup. The transparent, multiple context examples appear to have steps not necessary for a single context configuration. We've left out the multiple context config items and haven't met with success yet. I"m pretty sure we're missing something simple.

Does anyone have a sample config for a transparent, single context setup?

5 REPLIES
Community Member

Re: Traffic bypassing FWSM - 6513 (12.2.17) FWSM (2.3)

Update: Tore down and rebuilt for the umpteenth time. Traffic between inside (vlan100) and outside (vlan300-500) is now successfully controlled by the FWSM. Remaining issue is that traffic on VLAN100 (inside VLAN) is not being controlled by the FWSM. Even an explicit deny rule has no affect.

I have a sneaking suspicision that the document statements that no traffic is permitted by default through the FWSM is incorrect or, traffic within VLAN100 does not traverse the FWSM as advertised, Or we're missing something else.

Community Member

Re: Traffic bypassing FWSM - 6513 (12.2.17) FWSM (2.3)

Update: TAC support says internal vlan traffic does not reach the FWSM unless it is heading out the outside interface. We'll get a confirmation monday from the FWSM expert. Somewhat annoying as it contradicts what we were told the FWSM could do.

Community Member

Re: Traffic bypassing FWSM - 6513 (12.2.17) FWSM (2.3)

Update: TAC confirms that switched traffic does not reach the FWSM unless it is for an outside destination.

Logical diagrams of the FWSM and MSFC could include a SWitch that is positioned inside the FWSM, in our configuration. Any local traffic on the SWitch does not reach the FWSM. The only option for controlling traffic on the inside is to setup multiple contexts.

Community Member

Re: Traffic bypassing FWSM - 6513 (12.2.17) FWSM (2.3)

Update: FWSM 3.1 is supposed to support a configuration that will have all the traffic on the internal VLAN crossing the firewall. We're in the process of updating the IOS on our 6513 to 12.2.18SXF3, 12.2.18SXF is a minimum requirement for this configuration according to the documentation we have.

Community Member

Re: Traffic bypassing FWSM - 6513 (12.2.17) FWSM (2.3)

Update: The TAC provided configuration works nicely. Private, primary, secondary vlans, private host and a couple other switch configs are needed, but it works. So far so good.

The Sup7203B doesn't have enough flash memory for the 12.2(18)SXF3 IOS. We ended up using a 256mb compact flash to boot from.

During the process of figuring this out we had a corrupt boot image. To resolve we booted to romon and booted off the compact flash. We copied the old IOS image from the standby sup to the compact flash.

213
Views
5
Helpful
5
Replies
CreatePlease to create content