[c-nsp] FWSM vs. stand alone FW

Henry Anslinger fortmreza at yahoo.com.au
Tue Mar 14 21:21:46 EST 2006


Thanks Scott, I imagine it will be a pain in the a55. We have dual VCs per customer, so lots of config to be done.

cheers
Ivan

"Voll, Scott" <Scott.Voll at wesd.org> wrote:
  6 isn’t bad, try 20+
   
  You have to set up new VLANs (one per WAN interface) with /30 subnets and route-map all traffic from your WAN ATM PVC to that new VLAN that is set up as a FWSM VLAN.
   
  Then you have to set up static routes to the customer on the FWSM to that VLAN and on the Cat back to the customer on the ATM WAN.  I don’t have a clue how you would do it if you had multiple links to the customer since you have to run statics.
   
  Good luck and make sure you get it right the first time.  Troubleshooting is a bear.
   
  Scott
   
      
---------------------------------
  
  From: Henry Anslinger [mailto:fortmreza at yahoo.com.au] 
 Sent: Tuesday, March 14, 2006 4:11 PM
 To: Voll, Scott; matthew zeier; cisco-nsp at puck.nether.net
 Subject: RE: [c-nsp] FWSM vs. stand alone FW
  
   
  Yep, we will be doing ATM WAN interfaces, splitting 6 customers' traffic up. PIX management is crap, so I am not looking forward to the config nor the maintenance.
 
 thanks
 Ivan
 
 "Voll, Scott" <Scott.Voll at wesd.org> wrote:
  On the Cat you need the following commands:
 
 firewall multiple-vlan-interfaces
 firewall module 2 vlan-group 2,500   <-- this attaches the VLAN groups to the FWSM in slot 2
 firewall vlan-group 2 2,254          <-- these are your groups and which VLANs are in each group
 firewall vlan-group 500 500,501
 
 
 On the FWSM:
 
 You will need to set up names like you do on the PIX
 
 nameif vlan2 security100
 
 Set up:
 passwords
 fixups
 access-lists
 nat / pat
 ip addresses
 statics
 routes
 
 If you can set up a PIX it's not much different.
 
 Scott
 
 PS. If you're trying to do WAN interfaces it gets complicated quick.
 Troubleshooting is a pain.
 
 
 
 -----Original Message-----
 From: cisco-nsp-bounces at puck.nether.net
 [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Henry Anslinger
 Sent: Tuesday, March 14, 2006 2:50 PM
 To: matthew zeier; cisco-nsp at puck.nether.net
 Subject: Re: [c-nsp] FWSM vs. stand alone FW
 
 Does anyone have any good how tos for the FWSM they will share?
 
 thanks
 Ivan
 
 matthew zeier wrote: 
 Anyone have constructive comparisons between a FWSM in a 6509 vs using 
 an external firewall - PIX or Netscreen ? I'll mostly be hit with 
 simultaneous connection limits before I hit bandwidth issues but 
 certainly something that can do well in excess of 200Mbps.
 
 thanks.
 _______________________________________________
 cisco-nsp mailing list cisco-nsp at puck.nether.net
 https://puck.nether.net/mailman/listinfo/cisco-nsp
 archive at http://puck.nether.net/pipermail/cisco-nsp/
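
The per-customer plumbing Scott describes (one /30 firewall VLAN per WAN interface, a route-map on the ATM side, statics in both directions) is repetitive enough to generate. The following is an added example, not code from the thread: customer names, prefixes, the link pool, VLAN numbers, the route-map names and the security level are all assumptions, and it is one reading of the steps above.

```python
import ipaddress

# Constructed sample input: customer -> (ATM subinterface, customer prefix).
CUSTOMERS = {
    "custA": ("ATM1/0.101", "192.168.10.0/24"),
    "custB": ("ATM1/0.102", "192.168.20.0/24"),
}

def build(customers, pool="10.255.0.0/24", first_vlan=501, group=500):
    """Return (cat_lines, fwsm_lines): one /30 firewall VLAN per WAN interface."""
    pool_net = ipaddress.ip_network(pool)
    seen = [pool_net]
    links = pool_net.subnets(new_prefix=30)
    cat, fwsm, vlans = [], [], []
    for vlan, (name, (atm_if, prefix)) in enumerate(customers.items(), first_vlan):
        net = ipaddress.ip_network(prefix)
        # Static routes cannot tell overlapping prefixes apart, so refuse them.
        if any(net.overlaps(s) for s in seen):
            raise ValueError(f"{name}: {net} overlaps an earlier prefix or the link pool")
        seen.append(net)
        cat_ip, fw_ip = next(links).hosts()  # Cat side, FWSM side of the /30
        mask30 = "255.255.255.252"
        vlans.append(str(vlan))
        cat += [
            f"interface Vlan{vlan}",
            f" ip address {cat_ip} {mask30}",
            f"route-map TO-FWSM-{name} permit 10",
            f" set ip next-hop {fw_ip}",          # push WAN traffic at the FWSM
            f"interface {atm_if}",
            f" ip policy route-map TO-FWSM-{name}",
            f"ip route {net.network_address} {net.netmask} {atm_if}",
        ]
        fwsm += [
            f"nameif vlan{vlan} {name} security50",  # security level is an assumption
            f"ip address {name} {fw_ip} {mask30}",
            f"route {name} {net.network_address} {net.netmask} {cat_ip}",
        ]
    # All generated VLANs go into one firewall vlan-group (group number assumed).
    cat.insert(0, f"firewall vlan-group {group} {','.join(vlans)}")
    return cat, fwsm

if __name__ == "__main__":
    cat_cfg, fwsm_cfg = build(CUSTOMERS)
    print("! Catalyst\n" + "\n".join(cat_cfg) + "\n! FWSM\n" + "\n".join(fwsm_cfg))
```

The overlap check reflects the static-route constraint mentioned above: two customers with the same or nested prefixes cannot be separated by statics alone, so the generator stops rather than emit an ambiguous config.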
 
 
 