[c-nsp] Issues with traffic flow through a FWSM

Brian Foulks brian.foulks at gmail.com
Thu Feb 3 18:37:46 EST 2011 

Hello,  we are trying to set up a new network.  We are trying to tie
several switches to a Cat6506 with the FWSM integrated.  We have the
switches going into the FWSM.  The outside interface is the MSFC of
the 6506.
 From there it goes to the outside world.  We are running OSPF between
everything.  All of the switches sees the networks of the other
switches.  The problem is that none of the switches can ping or pass
other traffic to the other switches.
The FWSM can only ping IPs off the MSFC card.  Those IPS can also ping
the FWSM but nothing else.  I do not need NAT (did a no nat-control).
Here are the config snipets.  What am I missing?  Thanks in advance
for the help.

Cat6506:
wfs-cz1-2201#
sh run
hostname wfs-cz1-2201
!
firewall multiple-vlan-interfaces
firewall module 1 vlan-group 2,
firewall vlan-group 2  330,334,338,342,346,350,358,702
ip subnet-zero
no ip source-route
!
vlan 330
 name wfs-nmz-2201_uplink
!
vlan 334
 name wfs-sz1-2201_uplink
!
vlan 702
 name fwsm
!
interface Loopback0
 description Protocol Mgmt (OSPF,SNMP,TACACS,SYSLOG,NTP)
 ip address 10.241.158.254 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Port-channel1
 description EC to wfs-sz1-2201
 switchport
 switchport access vlan 334
 switchport mode access
!
interface Port-channel6
 description EC to wfs-nmz-2201
 switchport
 switchport access vlan 330
 switchport mode access
!
interface GigabitEthernet3/1
 description To wfs-sz1-2201 G1/45
 switchport
 switchport access vlan 334
 switchport mode access
 channel-group 1 mode on
!
interface GigabitEthernet3/2
 description To wfs-sz1-2201 G1/46
 switchport
 switchport access vlan 334
 switchport mode access
 channel-group 1 mode on
!
interface GigabitEthernet3/5
 description To wfs-nmz-2201 G1/45
 switchport
 switchport access vlan 330
 switchport mode access
 channel-group 6 mode on
!
interface GigabitEthernet3/6
 description To wfs-nmz-2201 G1/46
 switchport
 switchport access vlan 330
 switchport mode access
 channel-group 6 mode on
!
interface Vlan702
 description FWSM
 ip address 10.241.158.225 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip ospf message-digest-key 1 md5 xxxxxx
 ip ospf network point-to-point
 ip ospf priority 0
!
router ospf 1
 router-id 10.241.158.254
 log-adjacency-changes detail
 area 0 authentication message-digest
 area 1301 authentication message-digest
 redistribute static subnets
 network 10.241.158.128 0.0.0.0 area 0
 network 10.241.158.162 0.0.0.0 area 1301
 network 10.241.158.225 0.0.0.0 area 0
 network 10.241.158.234 0.0.0.0 area 0
 network 10.241.158.254 0.0.0.0 area 0
 network 143.57.156.254 0.0.0.0 area 0
 network 172.24.10.97 0.0.0.0 area 10
 default-information originate metric 1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.241.158.238
!

FWSM:
hostname wfs-fx1-2201
!
interface Vlan330
 nameif wfs-nmz-2201
 security-level 100
 ip address 10.241.158.130 255.255.255.254
 ospf network point-to-point non-broadcast
 ospf message-digest-key 1 md5 <removed>
!
interface Vlan334
 nameif wfs-sz1-2201
 security-level 100
 ip address 10.241.158.134 255.255.255.254
 ospf network point-to-point non-broadcast
 ospf message-digest-key 1 md5 <removed>
!
interface Vlan702
 nameif enclave_uplink
 security-level 0
 ip address 10.241.158.226 255.255.255.252
 ospf network point-to-point non-broadcast
 ospf message-digest-key 1 md5 <removed>
!
same-security-traffic permit inter-interface
access-list ANY extended permit ip any any
access-list ANY extended permit tcp any any
access-list ANY extended permit udp any any
access-list ANY extended permit icmp any any
access-list NET extended permit ip any any
mtu wfs-nmz-2201 1500
mtu wfs-sz1-2201 1500
mtu enclave_uplink 1500
no failover
icmp permit any wfs-nmz-2201
icmp permit any wfs-sz1-2201
icmp permit any enclave_uplink
no asdm history enable
arp timeout 14400
access-group ANY in interface wfs-nmz-2201
access-group ANY out interface wfs-nmz-2201
access-group ANY in interface wfs-sz1-2201
access-group ANY out interface wfs-sz1-2201
access-group ANY in interface enclave_uplink
access-group ANY out interface enclave_uplink
!
router ospf 1
 network 0.0.0.0 0.0.0.0 area 0
 area 0 authentication message-digest
 neighbor 10.241.158.225
 neighbor 10.241.158.135
 neighbor 10.241.158.131
 log-adj-changes
 default-information originate metric 1
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context

One of the Switches (all are of similar config)
hostname wfs-sz1-2201

!

ip subnet-zero

no ip source-route

no ip dhcp use vrf connected

!

port-channel load-balance src-dst-port

!

vlan 2

 name SRV1

!

vlan 10

 name MGMT

!

vlan 20

 name LOM

!

vlan 64

 name SVR

!

interface Loopback0

 description Protocol Mgmt (OSPF,SNMP,TACACS,SYSLOG,NTP)

 ip address 10.241.158.246 255.255.255.255

 no ip redirects

 no ip proxy-arp

 no ip unreachables

!

interface Port-channel1

 description EC to wfs-cz1-2201

 ip address 10.241.158.135 255.255.255.254

 no ip redirects

 no ip proxy-arp

 ip ospf message-digest-key 1 md5 xxxx

 ip ospf network point-to-point

!

interface Port-channel2

 description EC to wfs-cz2-2201

 ip address 10.241.158.137 255.255.255.254

 no ip redirects

 no ip proxy-arp

  ip ospf message-digest-key 1 md5 xxxx

 ip ospf network point-to-point

!

interface GigabitEthernet1/45

 description To wfs-cz1-2201 port G3/1

 media-type sfp

 no switchport

 channel-group 1 mode on

!

interface GigabitEthernet1/46

 description To wfs-cz1-2201 port G3/2

 media-type sfp

 no switchport

 channel-group 1 mode on

!

router ospf 1

 router-id 10.241.158.246

 log-adjacency-changes detail

 area 0 authentication message-digest

 area 22011 authentication message-digest

 network 10.241.158.135 0.0.0.0 area 0

 network 10.241.158.137 0.0.0.0 area 0

 network 10.241.158.246 0.0.0.0 area 22011

 network 143.57.156.1 0.0.0.0 area 22011

 network 143.57.156.65 0.0.0.0 area 22011

 network 172.24.10.33 0.0.0.0 area 22011

 network 172.24.10.225 0.0.0.0 area 22011

 default-information originate metric 1

!

ip classless

More information about the cisco-nsp mailing list