[c-nsp] FWSM Question

Jason Lixfeld jason at lixfeld.ca
Thu Mar 22 11:48:15 EST 2007


Any reason you're not running 3.x, Paul?

On 22-Mar-07, at 12:40 PM, Paul Stewart wrote:

> Thanks... I need to do some more reading..;)  I understand what you're
> saying... at this point all I'm trying to do is get remote access to the
> FWSM itself running so that I can upgrade the OS etc...
>
> VLAN66 is setup between the two 6500's with failover and seems to be
> working fine ... testing it out etc....
>
> I was hoping to use VLAN69 for remote access to the FWSM and for OSPF
> routing.... so if I wanted to be able to ping the "outside" interface and
> also ssh into it for management how would the static mapping work?  Sorry
> for the confusion - once I get it upgraded to 7.x type code it'll help me
> as well... limited exposure to PIX/ASA but we do have some in production
> today....  I thought that if the MSFC VLAN interface (SVI) and the
> "Outside" interface were on the same VLAN and had IP addresses they could
> just talk...?
>
> Appreciate it,
>
> Paul
>
>
> -----Original Message-----
> From: Voll, Scott [mailto:Scott.Voll at wesd.org]
> Sent: Thursday, March 22, 2007 12:19 PM
> To: Paul Stewart; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] FWSM Question
>
> Then use a static nat:
>
> IE>
> Static (interface1, interface2) x.x.x.x x.x.x.x subnet 255.255.255.0
>
> The FWSM works just like a Pix / ASA you have to translate even if it's
> one to one same address.
>
> You will also need to add the ACL to the other interface.
>
> IE>
> Vlan 66 and vlan 99 will both need ACL applied.
>
> Do you have Vlan 66 setup on your FWSM?  There has to be one Vlan that is
> both on your FWSM and your MSFC for inter routing between the Cat and the
> FWSM.
>
> Scott
>
> -----Original Message-----
> From: Paul Stewart [mailto:paul at paulstewart.org]
> Sent: Thursday, March 22, 2007 9:12 AM
> To: Voll, Scott; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] FWSM Question
>
> Thanks for the reply....
>
> MSFC: 12.2(18)SXF7
>
> We don't want to use NAT at all if it's possible .. my understanding from
> reading is that it's an option or have I misunderstood this altogether?
>
> For routing, with the MSFC and FWSM being in the same subnet (I believe
> this is correct) then I haven't done any routing yet... I want to
> implement OSPF across the "link" but wanted to prove layer3 first....
>
> For ACL, I did put in the following and had no effect:
>
> access-list outside extended permit ip any any
> access-group outside in interface Outside
> access-group outside out interface Outside
>
> Thanks again,
>
> Paul
>
>
> -----Original Message-----
> From: Voll, Scott [mailto:Scott.Voll at wesd.org]
> Sent: Thursday, March 22, 2007 12:03 PM
> To: Paul Stewart; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] FWSM Question
>
> To start with..... What version of IOS are you running on the MSFC?
>
> Personally I would suggest upgrading your FWSM to 3.x code.  Much better
> and has the look and feel of ASA 7.x code.
>
> Is it that it's just not passing traffic?  If that's the problem you will
> need three things:
>
> NAT
> Route
> ACL
>
> Scott
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
> Sent: Thursday, March 22, 2007 8:29 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] FWSM Question
>
> Hi folks....
>
> I'm trying to get a FWSM module up and running... can't get communication
> between the MSFC and the FWSM working yet.... figure I'm missing something
> simple..
>
> FWSM Version 2.3(2)
> nameif vlan99 Outside security0
> same-security-traffic permit inter-interface
> mtu Outside 1500
> ip address Outside xx.xx.248.1 255.255.255.248
> interface Outside
>
>
>
> firewall multiple-vlan-interfaces
> firewall module 8 vlan-group 1
> firewall vlan-group 1  66,99
>
> interface Vlan99
>  description FWSM
>  ip address xx.xx.248.2 255.255.255.248
>
>
>
> Am I missing something really simple here? ;)   This will be for
> management and also for an outside interface ... finally it will also be
> used for OSPF communication between FWSM and MSFC...
>
> VLAN66 is up and running for inter-chassis failover (active/standby) and
> works fine....
>
> Thanks in advance,
>
> Paul
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/