topic Re: FWSM - DMZ VLAN in Network Security

FWSM - DMZ VLAN

markkingery — Mon, 11 Mar 2019 10:42:50 GMT

I have just setup a 6513 with a firewall module running 2.3(4) software.

I have configured the Vlans and put them in the Firewall Vlan group.

I assigned the IP's on the firewall.

What I do not understand is this

I have a DMZ that is VLAN 600

On the 6513 do I need to assign a default IP to this Vlan?

I have 10.15.32.2 at security 60 on the pix in Vlan 600

What steps do I need to take to make sure I have this setup correctly?

Mark

Re: FWSM - DMZ VLAN

Jon Marshall — Tue, 10 Jul 2007 16:05:07 GMT

Hi Mark

If this is a DMZ on the FWSM then all you want on the 6513 switch is a layer 2 vlan which you have already done and allocated to the FWSM and depending on how you are doing your routing you may need a static route on the 6513 for the DMZ subnet with the next hop being the outside interface of your FWSM.

What you don't want is a layer 3 SVI on your 6513 or traffic will route round the FWSM to get to the DMZ.

You would then need to redistribute that static route into your IGP that you use on your network.

If you are running your FWSM in single mode you can also run OSPF on it and allow it to dynamically advertise it's DMZ subnets.

HTH

Jon

Re: FWSM - DMZ VLAN

markkingery — Tue, 10 Jul 2007 16:24:39 GMT

Correct it is a DMZ for the FWSM only.

Here is my basic config of the FWSM.

FWSM Version 2.3(4)

nameif Vlan30 inside security100

nameif Vlan700 outside security0

nameif Vlan600 server security60

ip address inside 10.55.0.17 255.255.255.0

ip address outside 156.47.55.8 255.255.255.0

ip address server 10.55.32.2 255.255.255.0

icmp permit any inside

icmp permit any server

pdm location F51-DMZ 255.255.255.255 server

no pdm history enable

arp timeout 14400

global (outside) 1 156.47.55.10

global (server) 1 10.55.32.3

route inside 10.0.0.0 255.0.0.0 10.55.1.1 1

route outside 0.0.0.0 0.0.0.0 156.47.55.1 1

What route would I need to put on the 6513 to allow the inside network to be able to route correctly, and then it is my understanding that I now have to allow the inside network to talk to the lower security?

Re: FWSM - DMZ VLAN

Jon Marshall — Tue, 10 Jul 2007 16:35:57 GMT

Mark

On a standlaone ASA/pix you don't need access-lists to go from a higher to a lower interface but as you rightly point out here with the FWSM.

As for routing where are your clients in relation the FWSM inside interface. If they are on the same subnet as the FWSM inside interface then you don't need a route.

If they are are on different vlans then you would need on your 6513

ip route 10.55.32.0 255.255.255.0 10.55.0.17

But this will only add it to the 6513. If all your clients are on the 6513 or the 6513 is responsible for all your intervlan routing then that will do it.

HTH

Jon

Re: FWSM - DMZ VLAN

markkingery — Tue, 10 Jul 2007 16:43:46 GMT

Ok I have this configued and I am new to the FWSM and I appreciate your help.

My next question for help, is I want to ping DMZ host from the inside network to the DMZ. I would love to see a simple config to allow me to do this.

Re: FWSM - DMZ VLAN

Jon Marshall — Tue, 10 Jul 2007 16:56:52 GMT

Mark

Inside network = 10.55.0.0 255.255.0.0

DMZ host = 10.55.32.10

access-list acl_inside permit icmp 10.55.0.0 255.255.0.0 host 10.55.32.10 echo

access-group acl_inside in interface inside

access-list acl_dmz permit icmp host 10.55.32.10 10.55.0.0 255.255.0.0 echo-reply

access-group acl_dmz in interface server

nat (inside) 1 10.55.0.0

global (server) 1 interface

HTH

Jon

Re: FWSM - DMZ VLAN

markkingery — Tue, 10 Jul 2007 17:06:45 GMT

Do I still need to apply the access list to an access group on this version?

Re: FWSM - DMZ VLAN

Jon Marshall — Tue, 10 Jul 2007 17:07:50 GMT

Mark

Yes, sorry about that, i did edit the previous post to add those lines into the config.

Jon

Re: FWSM - DMZ VLAN

markkingery — Tue, 10 Jul 2007 18:38:17 GMT

I got it working. Thanks for your help.

I need to find a good book on the FWSM.

Re: FWSM - DMZ VLAN

Jon Marshall — Wed, 11 Jul 2007 05:36:04 GMT

Mark

Glad you got it sorted.

As for a book. TO be honest i recommend you save the money and download the relevant configuration guide from Cisco web site.

Here is the one for FWSM 2.3.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/configuration/guide/fwsm_cfg.html

HTH

Jon

Re: FWSM - DMZ VLAN

markkingery — Thu, 19 Jul 2007 18:51:35 GMT

My next question is what do I need to do on the DMZ interface to allow hosts to talk to each other in the DMZ?

Re: FWSM - DMZ VLAN

markkingery — Thu, 19 Jul 2007 19:31:02 GMT

I got it fixed, it was a load balance issue.