[c-nsp] FWSM Question

Sam Stickland sam_mailinglists at spacething.org
Sun Mar 25 12:44:26 EST 2007


Paul Stewart wrote:
> Thanks for the reply....
>
> Here's where I'm at now... and I think if someone can show me a solution I'd
> be most grateful... 
>
> I can ssh and manage the FWSM via VLAN66 no problem and OSPF is running and
> redistributing routes for my test VLAN95 if I don't have the SVI turned up
> on the MSFC:
>
> MSFC:
>
> firewall multiple-vlan-interfaces
> firewall module 8 vlan-group 1
> firewall vlan-group 1  66,95,99
>
> interface Vlan95
>  description TEST
>  ip address 66.79.248.10 255.255.255.248
>
> interface Vlan99
>  description FWSM-OSPF
>  ip address 66.79.248.2 255.255.255.248
>
> ---------------
>
> FWSM:
>
> interface Vlan95
>  nameif Test
>  security-level 0
>  ip address 66.79.248.9 255.255.255.248
>
> interface Vlan99
>  nameif Outside
>  security-level 0
>  ip address 66.79.248.1 255.255.255.248
>
> same-security-traffic permit inter-interface
> access-list outside extended permit ip any any
> access-list outside extended permit icmp any any
> access-list test extended permit ip any any
> access-list test extended permit icmp any any
> icmp permit any Outside
> access-group outside in interface Outside
> access-group outside out interface Outside
> access-group test in interface Test
> access-group test out interface Test
> router ospf 1
>  network 66.79.248.0 255.255.255.248 area 0
>  router-id 66.79.248.1
>  log-adj-changes
>  redistribute connected subnets
>
>
>
> Now, I thought according to the docs that for VLAN95 to function that didn't
> need an SVI on the MSFC card?  The only way I could make this work was to add
> an SVI on the MSFC which then makes me question how to ensure traffic is
> always hitting the FWSM instead of just the MSFC interface?  I have been
> reading the docs and am confused now....
>
> What I want to accomplish (better way of explaining this) is to have the
> gateway of the VLAN95 on the FWSM only (which would force all traffic
> through the FWSM) and have no limits in place initially for testing.. I can
> mess with access-lists etc. after I prove this works.... also, I have "no
> nat-control" which should permit this traffic?
>
> Sorry to the list for all the questions but this has to be the most
> confusing situation I've run into before...;)
>
> Paul
>   
Hi Paul,

You shouldn't need an SVI to make this work, but you'll still need to 
create the VLAN on the MSFC. Without the SVI for VLAN 95 what does "sh 
vlan id brief" show? Does VLAN 95 exist?

Try entering the following configuration on the MSFC:

vlan 95
  no shutdown

Sam
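Paul's worry about traffic reaching the MSFC instead of the FWSM, and Sam's point that the VLAN must exist on the MSFC, can both be checked mechanically against the MSFC running-config. This is an added example, not code from the thread; it assumes a constructed config modelled on Paul's and that VLANs 66 and 99 are the intended MSFC-facing uplinks to the FWSM.

```python
import re
# Constructed MSFC config modelled on the thread: VLANs 66, 95 and 99 go to the
# FWSM, but VLAN 95 also has an addressed SVI (a routed path around the FWSM)
# and is never created with a 'vlan 95' line.
MSFC_CONFIG = """\
firewall vlan-group 1  66,95,99
vlan 66,99
interface Vlan95
 ip address 66.79.248.10 255.255.255.248
interface Vlan99
 ip address 66.79.248.2 255.255.255.248
"""

def expand_vlan_list(text):
    """Turn an IOS VLAN list such as '66,95-99' into a set of ints."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = map(int, part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans

def vlans_matching(config, pattern):
    """Union of the VLAN lists captured by 'pattern' on each config line."""
    return set().union(*(expand_vlan_list(m.group(1))
                         for m in re.finditer(pattern, config, re.M)))

def svi_vlans(config):
    """VLANs whose SVI on the MSFC carries an IP address."""
    found, current = set(), None
    for line in config.splitlines():
        m = re.match(r"interface Vlan(\d+)$", line)
        if m:
            current = int(m.group(1))
        elif current is not None and line.startswith(" ip address "):
            found.add(current)
        elif not line.startswith(" "):
            current = None  # left the interface stanza
    return found

def audit(config, uplink_vlans):
    """Return (bypass, missing): firewalled VLANs with an SVI that is not a
    declared uplink, and firewalled VLANs that were never created."""
    fw = vlans_matching(config, r"^firewall vlan-group \d+ +(.+)$")
    defined = vlans_matching(config, r"^vlan ([\d,\- ]+)$")
    bypass = sorted((fw & svi_vlans(config)) - set(uplink_vlans))
    return bypass, sorted(fw - defined)

if __name__ == "__main__":
    print(audit(MSFC_CONFIG, uplink_vlans={66, 99}))  # ([95], [95])
```

A VLAN listed under "bypass" has a routed path on the MSFC that never crosses the firewall; one listed under "missing" is the situation Sam describes, where the FWSM has been handed a VLAN the switch has not created.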

