[c-nsp] FWSM Question

Paul Stewart paul at paulstewart.org
Fri Mar 23 12:18:39 EST 2007


Thanks for the reply....

Here's where I'm at now... and I think if someone can show me a solution I'd
be most grateful... 

I can ssh and manage the FWSM via VLAN66 no problem and OSPF is running and
redistributing routes for my test VLAN95 if I don't have the SVI turned up
on the MSFC:

MSFC:

firewall multiple-vlan-interfaces
firewall module 8 vlan-group 1
firewall vlan-group 1  66,95,99

interface Vlan95
 description TEST
 ip address 66.79.248.10 255.255.255.248

interface Vlan99
 description FWSM-OSPF
 ip address 66.79.248.2 255.255.255.248

---------------

FWSM:

interface Vlan95
 nameif Test
 security-level 0
 ip address 66.79.248.9 255.255.255.248

interface Vlan99
 nameif Outside
 security-level 0
 ip address 66.79.248.1 255.255.255.248

same-security-traffic permit inter-interface
access-list outside extended permit ip any any
access-list outside extended permit icmp any any
access-list test extended permit ip any any
access-list test extended permit icmp any any
icmp permit any Outside
access-group outside in interface Outside
access-group outside out interface Outside
access-group test in interface Test
access-group test out interface Test
router ospf 1
 network 66.79.248.0 255.255.255.248 area 0
 router-id 66.79.248.1
 log-adj-changes
 redistribute connected subnets



Now, I thought according to the docs that for VLAN95 to function that didn't
need an SVI on the MSFC card?  The only way I could make this work was to add
an SVI on the MSFC which then makes me question how to ensure traffic is
always hitting the FWSM instead of just the MSFC interface?  I have been
reading the docs and confused now....

What I want to accomplish (better way of explaining this) is to have the
gateway of the VLAN95 on the FWSM only (which would force all traffic
through the FWSM) and have no limits in place initially for testing.. I can
mess with access-lists etc. after I prove this works.... also, I have "no
nat-control" which should permit this traffic?

Sorry to the list for all the questions but this has to be the most
confusing situation I've run into before...;)

Paul
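An added check, not part of this thread, that parses the two interface snippets above with Python's ipaddress module and lists the VLANs whose MSFC SVI sits in the same subnet as the FWSM interface: hosts on such a VLAN can use the MSFC address as their gateway and never cross the FWSM, which is the bypass the question above is about. The function names and the `handoff` parameter (to exclude the VLAN deliberately used as the FWSM's next hop) are assumptions of this example.

```python
import ipaddress
import re

# Constructed excerpt of the MSFC and FWSM configs from the post; only the
# interface blocks matter for this check.
MSFC_CONFIG = """\
interface Vlan95
 description TEST
 ip address 66.79.248.10 255.255.255.248
interface Vlan99
 description FWSM-OSPF
 ip address 66.79.248.2 255.255.255.248
"""
FWSM_CONFIG = """\
interface Vlan95
 nameif Test
 security-level 0
 ip address 66.79.248.9 255.255.255.248
interface Vlan99
 nameif Outside
 security-level 0
 ip address 66.79.248.1 255.255.255.248
"""


def parse_vlan_interfaces(config):
    """Return {vlan_id: IPv4Interface} for each 'interface VlanN' block
    that carries an 'ip address A.B.C.D MASK' line."""
    result = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"interface Vlan(\d+)", line)
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and current is not None:
            result[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return result


def shared_subnet_vlans(msfc_config, fwsm_config, handoff=()):
    """VLANs on which an MSFC SVI and an FWSM interface share a subnet.
    Every such VLAN except the deliberate handoff VLAN (here 99, the
    OSPF peering link) is a firewall-bypass path for hosts on it."""
    msfc = parse_vlan_interfaces(msfc_config)
    fwsm = parse_vlan_interfaces(fwsm_config)
    return sorted(v for v in msfc if v in fwsm and v not in handoff
                  and msfc[v].network == fwsm[v].network)
```

Running `shared_subnet_vlans(MSFC_CONFIG, FWSM_CONFIG, handoff={99})` on the snippets above returns `[95]`, the test VLAN whose gateway should live only on the FWSM.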



-----Original Message-----
From: Sam Stickland [mailto:sam_mailinglists at spacething.org] 
Sent: Thursday, March 22, 2007 7:28 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FWSM Question

Yeah, keep in mind that the ACLs are only for traffic that transits the FWSM.
There's a separate set of commands (icmp, ssh etc) for traffic that's aimed
at it. If you've enabled "no nat control" you might also want to do "fixup
protocol icmp" and "fixup protocol icmp error" so that you can traceroute
through it as well.

Keep in mind that even with "no nat control" turned on, that the FWSM still
does NAT translation. It just automatically adds 1-to-1 identity NATs to the
translation table. You need to be aware of this because it can turn against
you under some circumstance.

Imagine you've set up a PAT such as 1.1.1.1:80 -> 2.2.2.2:80, and host X is
talking to 1.1.1.1 on port 80. Now, if X tries to talk to 1.1.1.1 on a port
other than 80 it doesn't match the PAT statement, so the PIX automatically
adds an identity NAT statement for host X. This identity NAT statement will
take precedence and the PAT will no longer function.
Watch out!

S


