[c-nsp] FWSM Questions

Nick Payton npayton at microsoft.com
Wed Nov 22 21:17:35 EST 2006


Piggybacking off of Edoardo's response. The key is where you place the
FWSM logically within your environment. If the FWSM is going to act as
your hosts' default gateway (which is what it looks like here) then all
you need to do is assign VLAN200 to the FWSM for routing purposes
(assuming you are going to use routed mode) and create an SVI for
routing between the FWSM and the MSFC. If the FWSM is acting as an
aggregation point for policy that serves multiple networks downstream
from it, then you might want to consider firewalling the uplinks, which
would mean the firewall is facing the GSR in this example. But directly
to your question, this is all you would need to do:

On the MSFC

vlan 200
name FWSM_HOST_LAN
vlan 299
name FWSM_MSFC
!
firewall module X vlan-group X
firewall vlan-group X  200,299

Where module X is obviously the slot the FWSM is in. The VLAN-group is any
number you want and isn't a real concern from the way you explained your
situation. Lastly, map the VLANs the firewall will route for (again,
assuming you are doing a routed firewall here).

You will need at least two VLANs; one for the host LAN and the other to
communicate with the rest of the network (traditional inside/outside -
but the FWSM doesn't care about security contexts like the PIX does, with
the noted exception of how it relates to managing the firewall). A high
level FWSM config is as follows:


nameif vlan200 inside security100
nameif vlan299 outside security0
!
ip address inside 192.168.0.1 255.255.255.0
ip address outside X.X.X.X 255.255.255.248 <-- would assign a /29 in
case you ever decide to do failover
!
nat (inside) 0 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 X.X.X.X <-- where this IP = the IP assigned on the
MSFC side of VLAN299
!

I wouldn't run OSPF with the firewall since you only have one egress
point and you are not doing failover. Your HSRP statement needs
clarification, as this could mean that you have to go to a failover
design depending on where you plan on providing L3 redundancy, so feel
free to ping me directly. There is obviously more to consider and
configure than I put in here (a big one being management of the FWSM),
but I hope this helps all the same.

Regards,
Nick
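The shortcut Edoardo warns about (an SVI with an IP address on both firewall VLANs lets the MSFC route between them and around the FWSM) is easy to check for from the Catalyst running config. The script below is an added example and is not code from either poster or from Cisco; the MSFC configuration embedded in it is constructed for illustration, and the slot number, VLAN numbers and addresses in it are assumptions. It parses the `firewall vlan-group` lines and every `interface VlanN` block, then flags any firewall VLAN whose SVI is up and addressed but is not the one VLAN you intend as the FWSM-to-MSFC transit (VLAN 299 in Nick's layout). A shut-down SVI is not a path, so it is not flagged.

```python
import re
from typing import Dict, List, Set

# Constructed MSFC configuration (not from the thread). It contains the
# mistake under discussion: VLAN 200 (the host LAN behind the FWSM) also has
# a live SVI on the MSFC, so the MSFC can forward 200 <-> 299 without the
# firewall ever seeing the packets. VLAN 201's SVI is shut down and is fine.
SAMPLE_MSFC_CONFIG = """\
vlan 200
 name FWSM_HOST_LAN
vlan 201
 name FWSM_HOST_LAN2
vlan 299
 name FWSM_MSFC
!
firewall module 3 vlan-group 1
firewall vlan-group 1  200,201,299
!
interface Vlan200
 ip address 192.168.0.254 255.255.255.0
!
interface Vlan201
 ip address 192.168.1.254 255.255.255.0
 shutdown
!
interface Vlan299
 ip address 10.99.99.2 255.255.255.248
!
interface Vlan300
 ip address 10.30.0.1 255.255.255.0
!
"""

_FW_GROUP_RE = re.compile(r"^firewall vlan-group\s+\d+\s+(\S+)\s*$")
_SVI_RE = re.compile(r"^interface\s+Vlan(\d+)\s*$", re.IGNORECASE)
_IP_RE = re.compile(r"^\s+ip address\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '200,299' or '200-205,299'."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def firewall_vlans(config: str) -> Set[int]:
    """All VLANs handed to the FWSM via any 'firewall vlan-group' line."""
    vlans: Set[int] = set()
    for line in config.splitlines():
        m = _FW_GROUP_RE.match(line.strip())
        if m:
            vlans |= parse_vlan_list(m.group(1))
    return vlans


def svi_addresses(config: str) -> Dict[int, str]:
    """Map VLAN id -> 'ip mask' for every SVI that is addressed and not shut down."""
    svis: Dict[int, str] = {}
    current, addr, shut = None, None, False
    for raw in config.splitlines():
        if raw and not raw[0].isspace():  # any top-level line (incl. '!') ends the block
            if current is not None and addr and not shut:
                svis[current] = addr
            m = _SVI_RE.match(raw)
            current = int(m.group(1)) if m else None
            addr, shut = None, False
            continue
        if current is None:
            continue
        m = _IP_RE.match(raw)
        if m:
            addr = f"{m.group(1)} {m.group(2)}"
        elif raw.strip() == "shutdown":
            shut = True
    if current is not None and addr and not shut:
        svis[current] = addr
    return svis


def find_bypass(config: str, transit_vlans: Set[int]) -> List[Dict[str, object]]:
    """Firewall VLANs the MSFC routes for itself, other than the intended transit VLAN(s)."""
    svis = svi_addresses(config)
    findings: List[Dict[str, object]] = []
    for vlan in sorted(firewall_vlans(config)):
        if vlan in svis and vlan not in transit_vlans:
            findings.append({
                "vlan": vlan,
                "svi": svis[vlan],
                "issue": "MSFC has a live SVI on this firewall VLAN; traffic can bypass the FWSM",
            })
    return findings


if __name__ == "__main__":
    for f in find_bypass(SAMPLE_MSFC_CONFIG, transit_vlans={299}):
        print(f"VLAN {f['vlan']} ({f['svi']}): {f['issue']}")
```

Run it against `show running-config` output from the MSFC with the transit VLAN set to the one you actually pair with the FWSM; anything it reports is a VLAN whose hosts can reach the rest of the network without passing through the firewall policy.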

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Edoardo Martelli
Sent: Wednesday, November 22, 2006 12:18 AM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FWSM Questions

Hi Paul

You have to imagine the FWSM as a completely independent box.
If you go for non-transparent mode, on the FWSM you have to assign IP
addresses to the VLAN interfaces and define the routing, like on the
PIX.

In the hosting Catalyst, you have to define the same VLANs as on the FWSM
to communicate with it. But here you have to be careful: if you define
IP addresses on the VLAN interfaces, the Catalyst will start routing
between them, and can bypass the FWSM (unless you use policy based
routing to avoid the short-cut).

hope it answers your question
Edoardo


On 21/11/06 14:45, Paul Stewart wrote:
> Hi folks...
> 
> This is a "high level" question ... we are moving towards FWSMs in our
> 6509s in the new year....
> 
> I understand Cisco PIX fairly well so the command structure shouldn't be
> a major issue for me...
> 
> My question centers around passing traffic through the FWSM itself.  I
> understand that traffic must go VLAN to VLAN (same as the PIX must go
> interface to interface).
> 
> In our setup, we have OSPF running across multiple interfaces using
> loopback etc.
> 
> So, for example:
> 
> 6509-A
> 
> GigE1/1 - 10.10.10.1/30
> GigE1/2 - 10.10.0.1/30
> Loopback0 - 192.168.254.1/32
> 
> 6509-B
> 
> GigE1/1 - 10.10.10.2/30
> Loopback0 - 192.168.254.2/32
> 
> GSR12000
> 
> GigE5/1 - 10.10.0.2/30
> Loopback0 - 192.168.254.3/32
> 
> So, on 6509-A I will have VLAN200 setup as 192.168.0.1/24
> 
> How do I tell the FWSM module to pass traffic from VLAN200 on the 6509-A
> router to the GSR for example?  Do I need to make interface GigE1/1 a
> member of a new VLAN so I can pass VLAN to VLAN via the FWSM??
> 
> To complicate matters, we will be putting HSRP into the mix during the
> migration as well... but I don't believe that will be a big issue after
> I get my head around passing the FWSM traffic...;)
> 
> Thanks in advance,
> 
> Paul
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 