[c-nsp] FWSM Question

Voll, Scott Scott.Voll at wesd.org
Thu Mar 22 11:19:09 EST 2007


Then use a static nat:

IE>
static (interface1,interface2) x.x.x.x x.x.x.x netmask 255.255.255.0

The FWSM works just like a Pix / ASA; you have to translate even if it's
one to one same address.

You will also need to add the ACL to the other interface.

IE>
Vlan 66 and vlan 99 will both need ACL applied.

Do you have Vlan 66 set up on your FWSM?  There has to be one Vlan that
is both on your FWSM and your MSFC for inter routing between the Cat and
the FWSM.

Scott

-----Original Message-----
From: Paul Stewart [mailto:paul at paulstewart.org] 
Sent: Thursday, March 22, 2007 9:12 AM
To: Voll, Scott; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] FWSM Question

Thanks for the reply....

MSFC: 12.2(18)SXF7

We don't want to use NAT at all if it's possible .. my understanding from
reading is that it's an option or have I misunderstood this altogether?

For routing, with the MSFC and FWSM being in the same subnet (I believe this
is correct) then I haven't done any routing yet... I want to implement OSPF
across the "link" but wanted to prove layer3 first....

For ACL, I did put in the following and had no effect:

access-list outside extended permit ip any any
access-group outside in interface Outside
access-group outside out interface Outside

Thanks again,

Paul
 

-----Original Message-----
From: Voll, Scott [mailto:Scott.Voll at wesd.org] 
Sent: Thursday, March 22, 2007 12:03 PM
To: Paul Stewart; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] FWSM Question

To start with..... What version of IOS are you running on the MSFC?

Personally I would suggest upgrading your FWSM to 3.x code.  Much better and
has the look and feel of ASA 7.x code.

Is it that it's just not passing traffic?  If that's the problem you will
need three things:

NAT
Route
ACL

Scott

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Thursday, March 22, 2007 8:29 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] FWSM Question

Hi folks....

I'm trying to get a FWSM module up and running... can't get communication
between the MSFC and the FWSM working yet.... figure I'm missing something
simple..

FWSM Version 2.3(2)
nameif vlan99 Outside security0
same-security-traffic permit inter-interface
mtu Outside 1500
ip address Outside xx.xx.248.1 255.255.255.248
interface Outside



firewall multiple-vlan-interfaces
firewall module 8 vlan-group 1
firewall vlan-group 1  66,99

interface Vlan99
 description FWSM
 ip address xx.xx.248.2 255.255.255.248



Am I missing something really simple here? ;)   This will be for management
and also for an outside interface ... finally it will also be used for OSPF
communication between FWSM and MSFC...

VLAN66 is up and running for inter-chassis failover (active/standby) and
works fine....

Thanks in advance,

Paul
