[c-nsp] FWSM Question

Voll, Scott Scott.Voll at wesd.org
Fri Mar 23 12:48:06 EST 2007


You are correct, there should only be 1 SVI shared between the MSFC and the FWSM.

You may have to create the VLAN on the Cat, but you DO NOT want more than one SVI shared between the two.

Scott
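As an added check of the rule Scott states (added here, not code from the thread or from Cisco): a small Python script that reads a Catalyst MSFC configuration, expands the VLAN list handed to the FWSM via "firewall vlan-group", collects the "interface VlanN" SVIs, and reports every firewall VLAN that also has an SVI on the MSFC. More than one such VLAN means traffic can bypass the FWSM on the MSFC side. The sample configurations are constructed from the MSFC snippet Paul quotes below (the "before", which has SVIs on both 95 and 99) and a trimmed "after" with only the Vlan99 SVI left; the function names and the "firewall multiple-vlan-interfaces" check (that command is what permits a second shared SVI on the switch) are my own assumptions, not anything from the page.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the MSFC side as quoted in Paul's message below.
# VLANs 66, 95 and 99 are handed to the FWSM, and SVIs exist on 95 and 99.
MSFC_CONFIG_BEFORE = """\
firewall multiple-vlan-interfaces
firewall module 8 vlan-group 1
firewall vlan-group 1  66,95,99

interface Vlan95
 description TEST
 ip address 66.79.248.10 255.255.255.248

interface Vlan99
 description FWSM-OSPF
 ip address 66.79.248.2 255.255.255.248
"""

# Constructed "after": only one SVI (Vlan99, the OSPF link) is shared with the FWSM.
# VLAN 95 still exists at layer 2 on the switch, but its gateway lives on the FWSM.
MSFC_CONFIG_AFTER = """\
firewall module 8 vlan-group 1
firewall vlan-group 1  66,95,99

interface Vlan99
 description FWSM-OSPF
 ip address 66.79.248.2 255.255.255.248
"""


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '66,95,99' or '10-12,20' into a set of ints."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def firewall_vlans(config: str) -> Set[int]:
    """Collect every VLAN given to the FWSM through 'firewall vlan-group N <list>'."""
    vlans: Set[int] = set()
    for m in re.finditer(r"^firewall vlan-group \d+\s+(\S+)", config, re.M):
        vlans |= parse_vlan_list(m.group(1))
    return vlans


def svi_vlans(config: str) -> Set[int]:
    """Collect the VLAN ids that have an 'interface VlanN' SVI stanza on the MSFC."""
    svis: Set[int] = set()
    for line in config.splitlines():
        m = re.match(r"^interface Vlan(\d+)\s*$", line, re.I)
        if m:
            svis.add(int(m.group(1)))
    return svis


def shared_svis(config: str) -> List[int]:
    """Firewall VLANs that also carry an MSFC SVI, i.e. L3 hops shared with the FWSM."""
    return sorted(firewall_vlans(config) & svi_vlans(config))


def check_msfc(config: str) -> Dict[str, object]:
    """Report whether more than one SVI is shared between the MSFC and the FWSM."""
    shared = shared_svis(config)
    multi = bool(re.search(r"^firewall multiple-vlan-interfaces\s*$", config, re.M))
    findings: List[str] = []
    if len(shared) > 1:
        findings.append(
            f"{len(shared)} SVIs ({shared}) sit on firewall VLANs; only one should be "
            "shared with the FWSM, or traffic can be routed by the MSFC instead"
        )
    return {"shared_svis": shared, "multiple_vlan_interfaces": multi, "findings": findings}


if __name__ == "__main__":
    for label, cfg in (("before", MSFC_CONFIG_BEFORE), ("after", MSFC_CONFIG_AFTER)):
        result = check_msfc(cfg)
        print(label, result["shared_svis"], result["findings"] or "OK")
```

Running it prints the "before" configuration with SVIs 95 and 99 flagged and the "after" configuration as OK. The check treats any "interface VlanN" stanza as an SVI, including one that is shut down, which is the conservative reading for a configuration review.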

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Friday, March 23, 2007 10:19 AM
To: 'Sam Stickland'
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FWSM Question

Thanks for the reply....

Here's where I'm at now... and I think if someone can show me a solution I'd be most grateful...

I can ssh and manage the FWSM via VLAN66 no problem, and OSPF is running and redistributing routes for my test VLAN95 if I don't have the SVI turned up on the MSFC:

MSFC:

firewall multiple-vlan-interfaces
firewall module 8 vlan-group 1
firewall vlan-group 1  66,95,99

interface Vlan95
 description TEST
 ip address 66.79.248.10 255.255.255.248

interface Vlan99
 description FWSM-OSPF
 ip address 66.79.248.2 255.255.255.248

---------------

FWSM:

interface Vlan95
 nameif Test
 security-level 0
 ip address 66.79.248.9 255.255.255.248

interface Vlan99
 nameif Outside
 security-level 0
 ip address 66.79.248.1 255.255.255.248

same-security-traffic permit inter-interface
access-list outside extended permit ip any any
access-list outside extended permit icmp any any
access-list test extended permit ip any any
access-list test extended permit icmp any any
icmp permit any Outside
access-group outside in interface Outside
access-group outside out interface Outside
access-group test in interface Test
access-group test out interface Test
router ospf 1
 network 66.79.248.0 255.255.255.248 area 0
 router-id 66.79.248.1
 log-adj-changes
 redistribute connected subnets



Now, I thought according to the docs that for VLAN95 to function I didn't need an SVI on the MSFC card?  The only way I could make this work was to add an SVI on the MSFC, which then makes me question how to ensure traffic is always hitting the FWSM instead of just the MSFC interface?  I have been reading the docs and am confused now....

What I want to accomplish (better way of explaining this) is to have the gateway of VLAN95 on the FWSM only (which would force all traffic through the FWSM) and have no limits in place initially for testing.. I can mess with access-lists etc. after I prove this works.... also, I have "no nat-control" which should permit this traffic?

Sorry to the list for all the questions but this has to be the most confusing situation I've run into before...;)

Paul



-----Original Message-----
From: Sam Stickland [mailto:sam_mailinglists at spacething.org] 
Sent: Thursday, March 22, 2007 7:28 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FWSM Question

Yeah, keep in mind that the ACLs are only for traffic that transits the FWSM. There's a separate set of commands (icmp, ssh etc) for traffic that's aimed at it. If you've enabled "no nat-control" you might also want to do "fixup protocol icmp" and "fixup protocol icmp error" so that you can traceroute through it as well.

Keep in mind that even with "no nat-control" turned on, the FWSM still does NAT translation. It just automatically adds 1-to-1 identity NATs to the translation table. You need to be aware of this because it can turn against you under some circumstances.

Imagine you've set up a PAT such as 1.1.1.1:80 -> 2.2.2.2:80, and host X is talking to 1.1.1.1 on port 80. Now, if X tries to talk to 1.1.1.1 on a port other than 80 it doesn't match the PAT statement, so the PIX automatically adds an identity NAT statement for host X. This identity NAT statement will take precedence and the PAT will no longer function.
Watch out!

S

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
