[c-nsp] FWSM Question

Paul Stewart paul at paulstewart.org
Thu Mar 22 11:40:12 EST 2007


Thanks... I need to do some more reading..;)  I understand what you're
saying... at this point all I'm trying to do is get remote access to the
FWSM itself running so that I can upgrade the OS etc...

VLAN66 is set up between the two 6500s with failover and seems to be working
fine ... testing it out etc....

I was hoping to use VLAN69 for remote access to the FWSM and for OSPF
routing.... so if I wanted to be able to ping the "outside" interface and
also ssh into it for management how would the static mapping work?  Sorry
for the confusion - once I get it upgraded to 7.x type code it'll help me as
well... limited exposure to PIX/ASA but we do have some in production
today....  I thought that if the MSFC VLAN interface (SVI) and the "Outside"
interface were on the same VLAN and had IP addresses they could just
talk...? 

Appreciate it,

Paul
 

-----Original Message-----
From: Voll, Scott [mailto:Scott.Voll at wesd.org] 
Sent: Thursday, March 22, 2007 12:19 PM
To: Paul Stewart; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] FWSM Question

Then use a static nat:

IE>
Static (interface1, interface2) x.x.x.x x.x.x.x subnet 255.255.255.0

The FWSM works just like a PIX / ASA: you have to translate even if it's one
to one, same address.

You will also need to add the ACL to the other interface.

IE>
Vlan 66 and vlan 99 will both need ACL applied.

Do you have Vlan 66 setup on your FWSM?  There has to be one Vlan that is
both on your FWSM and your MSFC for inter routing between the Cat and the
FWSM.

Scott

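The three things Scott lists (NAT, route, ACL) together with the to-the-box management commands that those three do not cover, shown as an added example that is not configuration from anyone in this thread. It uses the FWSM 2.x / PIX 6.x command syntax the original poster is running; the second interface "Inside" on VLAN 100, the inside network 10.1.1.0/24 and the management host 192.0.2.10 are constructed placeholders, and the hostname, domain name and RSA key step are assumed prerequisites for ssh rather than something the thread states. The addresses on VLAN 99 are the ones from the thread.

```cisco
! Added example (FWSM 2.x / PIX 6.x style syntax), not from the thread.
! Assumed: a second interface "Inside" on VLAN 100, the network
! 10.1.1.0/24 behind it and a management host 192.0.2.10 are placeholders.
hostname fwsm-a
domain-name example.net
!
nameif vlan99 Outside security0
nameif vlan100 Inside security100
ip address Outside xx.xx.248.1 255.255.255.248
ip address Inside 10.1.1.1 255.255.255.0
!
! 1. Route: default toward the MSFC SVI on the VLAN shared with the MSFC
route Outside 0.0.0.0 0.0.0.0 xx.xx.248.2 1
!
! 2. NAT: identity static, so through-traffic has a translation even
!    though the address does not change
static (Inside,Outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
!
! 3. ACL: one per interface, applied inbound and scoped to what is needed
!    instead of "permit ip any any"
access-list Outside_in permit icmp any 10.1.1.0 255.255.255.0 echo-reply
access-list Outside_in permit tcp host 192.0.2.10 10.1.1.0 255.255.255.0 eq 22
access-group Outside_in in interface Outside
access-list Inside_in permit ip 10.1.1.0 255.255.255.0 any
access-group Inside_in in interface Inside
!
! Traffic to the FWSM itself (ping and ssh to the Outside address) is not
! handled by the static or the interface ACLs; it is controlled by the
! icmp and ssh commands, limited here to the MSFC SVI and the management host.
icmp permit host xx.xx.248.2 Outside
icmp permit host 192.0.2.10 Outside
ca generate rsa key 1024
ca save all
ssh 192.0.2.10 255.255.255.255 Outside
ssh timeout 10
!
! MSFC side (IOS), assumed: a route for the placeholder inside network
! pointing at the FWSM Outside address on the shared VLAN 99
! ip route 10.1.1.0 255.255.255.0 xx.xx.248.1
```

The split matters for troubleshooting: if ping to the Outside address fails while the MSFC SVI and the FWSM interface share VLAN 99, the first thing to check is the `icmp permit` and `ssh` entries for that interface, since no static or access-group is consulted for traffic addressed to the firewall itself.
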
-----Original Message-----
From: Paul Stewart [mailto:paul at paulstewart.org]
Sent: Thursday, March 22, 2007 9:12 AM
To: Voll, Scott; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] FWSM Question

Thanks for the reply....

MSFC: 12.2(18)SXF7

We don't want to use NAT at all if it's possible .. my understanding from
reading is that it's an option or have I misunderstood this altogether?

For routing, with the MSFC and FWSM being in the same subnet (I believe this
is correct) then I haven't done any routing yet... I want to implement OSPF
across the "link" but wanted to prove layer3 first....

For ACL, I did put in the following and had no effect:

access-list outside extended permit ip any any
access-group outside in interface Outside
access-group outside out interface Outside

Thanks again,

Paul
 

-----Original Message-----
From: Voll, Scott [mailto:Scott.Voll at wesd.org]
Sent: Thursday, March 22, 2007 12:03 PM
To: Paul Stewart; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] FWSM Question

To start with..... What version of IOS are you running on the MSFC?

Personally I would suggest upgrading your FWSM to 3.x code.  Much better and
has the look and feel of ASA 7.x code.

Is it that it's just not passing traffic?  If that's the problem you will
need three things:

NAT
Route
ACL

Scott

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Thursday, March 22, 2007 8:29 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] FWSM Question

Hi folks....

I'm trying to get a FWSM module up and running... can't get communication
between the MSFC and the FWSM working yet.... figure I'm missing something
simple..

FWSM Version 2.3(2)
nameif vlan99 Outside security0
same-security-traffic permit inter-interface
mtu Outside 1500
ip address Outside xx.xx.248.1 255.255.255.248
interface Outside

firewall multiple-vlan-interfaces
firewall module 8 vlan-group 1
firewall vlan-group 1  66,99

interface Vlan99
 description FWSM
 ip address xx.xx.248.2 255.255.255.248



Am I missing something really simple here? ;)   This will be for management
and also for an outside interface ... finally it will also be used for OSPF
communication between FWSM and MSFC...

VLAN66 is up and running for inter-chassis failover (active/standby) and
works fine....

Thanks in advance,

Paul

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
