topic Need help configuring my FWSM. Adding an interface? in Network Security

Need help configuring my FWSM. Adding an interface?

cshannahan — Tue, 12 Mar 2019 01:24:21 GMT

So we have an FWSM in our 6509 chassis. It has an inside interface and an outside interface to the internet. I would like to add an interface to the FWSM to route to other parts of our network. I have added the interface I want and have given it an IP, it can ping the other firewalls on the same network/vlan. This interface is going to be the main link between other network segments.

The way the firewall is configured now, there's no VLANs on it, I believe that is all done on the supervior, etc. I created the vlan99 on the 6500, I tried both giving it an IP and also just creating the vlan and the interface vlan but I can't get traffic to route from that switch to the firewall.

Basically I want the inside network to route everything to the inside interface, then the firewall will route out my new interface to other network segments.

I'm not sure what I'm missing but I need help with it, so if anyone has experience with the FWSM please chime in! I believe the FWSM is configured correctly, but I think the issue might be with the switch getting the traffic to it, etc.

Need help configuring my FWSM. Adding an interface?

Julio Carvajal — Fri, 05 Apr 2013 20:45:14 GMT

Hello,

Can you share the FWSM configuration and the Switch Setup for the firewall and that vlan

Regards

Re: Need help configuring my FWSM. Adding an interface?

cshannahan — Fri, 05 Apr 2013 20:54:22 GMT

I think this is all of the info that pertains to this. Attached a logical drawing, inside and 6500 would be "inside networks" at the top.

6500 Switch

firewall multiple-vlan-interfaces

firewall module 3 vlan-group 250

firewall vlan-group 250 99,230,240,245,250

interface Port-channel1

switchport

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 10,47,99,100,230,240,245,250,260,600,610

switchport mode trunk

interface GigabitEthernet4/6

description CSP to Demarc

switchport

switchport access vlan 99

switchport mode access

interface GigabitEthernet4/31

description FWSM PRIVATE

switchport

switchport access vlan 230

switchport mode access

interface GigabitEthernet4/32

description Connection to Internet Switch Gi1/0/1

switchport

switchport access vlan 240

switchport mode access

interface Vlan10

description ETHER_CHANNEL VLAN

ip address 10.1.0.233 255.255.255.252

interface Vlan99

no ip address

interface Vlan230

description FW-PRIVATE

ip address 10.47.2.3 255.255.255.0

standby 1 ip 10.47.2.5

standby 1 priority 125

standby 1 preempt

interface Vlan240

description FW-PUBLIC

no ip address

router eigrp 1

network 10.47.47.0 0.0.0.15

network 10.0.0.0

no auto-summary

redistribute static

ip classless

ip route 0.0.0.0 0.0.0.0 10.47.2.1(INSIDE ADDRESS FWSM)

FWSM

interface Vlan99

description Connection to Inland and Contractor Networks

nameif CSP

security-level 10

ip address 10.99.99.10 255.255.255.0

interface Vlan230

description FW-PRIVATE

nameif inside

security-level 100

ip address 10.47.2.1 255.255.255.0 standby 10.47.2.2

interface Vlan240

description FW-PUBLIC

nameif outside

security-level 0

ip address *.*.*.* standby *.*.*.*

interface Vlan250

description LAN/STATE Failover Interface

ip verify reverse-path interface inside

ip verify reverse-path interface outside

ip verify reverse-path interface CSP

failover

failover lan unit primary

failover lan interface FAILOVER Vlan250

failover replication http

failover link FAILOVER Vlan250

failover interface ip FAILOVER 10.1.0.237 255.255.255.252 standby 10.1.0.238

monitor-interface inside

monitor-interface outside

icmp permit any inside

icmp permit any outside

asdm history enable

arp timeout 14400

nat-control

global (outside) 2 *.*.*.*netmask 255.255.255.240

global (outside) 1 interface

nat (inside) 2 access-list inside_nat_outbound

nat (inside) 1 10.0.0.0 255.0.0.0

access-group internet2 in interface inside

access-group internet1 in interface outside

access-group CSP_access_in in interface CSP

route inside 192.168.144.0 255.255.252.0 10.47.2.5 1

route inside 172.16.206.0 255.255.254.0 10.47.2.5 1

route inside 10.0.0.0 255.0.0.0 10.47.2.5 1

route outside 0.0.0.0 0.0.0.0 209.115.188.49 1

route CSP 10.5.2.0 255.255.255.0 10.99.99.20 1

route CSP 10.5.3.0 255.255.255.0 10.99.99.20 1

Need help configuring my FWSM. Adding an interface?

Julio Carvajal — Fri, 05 Apr 2013 21:15:18 GMT

Hello,

Okay let me analize this but may I know which is the new interface??

Re: Need help configuring my FWSM. Adding an interface?

cshannahan — Fri, 05 Apr 2013 21:18:28 GMT

The CSP (vlan99) is the new interface, joining to the other networks/firewalls. Added a diagram to above.

Currently the inside network 10.47.2.x and outside on the FWSM work fine, just trying to add this other function so we can talk to other parts of our network, etc. That was all here before I started this job so I never had to do much to the FWSM.

I'm great with ASAs but when it comes to configuring the 6500/FWSM together I can't seem to get it.

I tried giving vlan99 an IP on the 6500 as well, but when I do that it seems to bypass the firewall and just talk over layer 2.

Re: Need help configuring my FWSM. Adding an interface?

Julio Carvajal — Fri, 05 Apr 2013 21:25:43 GMT

I tried giving vlan99 an IP on the 6500 as well, but when I do that it seems to bypass the firewall and just talk over layer 2.

Exactly, that will bypass the FWSM

You have nat-control On so you neet a NAT statement for the new interface

nat (CSP) 1 0 0

From the FWSM can you ping 10.99.99.20 ?

Regards

Re: Need help configuring my FWSM. Adding an interface?

cshannahan — Fri, 05 Apr 2013 21:32:58 GMT

Exactly, when I give vlan99 an IP it seems to bypass. From the FWSM I can ping .20 and .30.

When I try to ping or access anything outside of the 6500 I don't see it getting to the firewall.

Re: Need help configuring my FWSM. Adding an interface?

Julio Carvajal — Fri, 05 Apr 2013 21:38:05 GMT

Hello,

can you do a capture on the Inside interface of the FWSM to check if we are getting the packets there?

Regards

Re: Need help configuring my FWSM. Adding an interface?

Jouni Forss — Fri, 05 Apr 2013 21:58:52 GMT

Hi,

Where are you testing the traffic from (source IP) and to where are you testing the traffic to (destination IP)

Can you also show what your routing table looks like on the 6500?

You seem to have the current interfaces in the Global Routing Table which means those networks see eachother even without the FWSM.

Typically in our FWSM enviroments we configure each network segment and its Vlan interfaces to their own VRF which means their networks/routing is separated to their own virtual routing table.

But to be honest, I am not totally sure between which networks you have done tests currently that fail?

- Jouni

Re: Need help configuring my FWSM. Adding an interface?

cshannahan — Fri, 05 Apr 2013 22:01:25 GMT

I've been trying just from the 6500 itself with pings. I can try from a server on the 10.47.2.x network as well. Basically trying to ping anything on my 10.99.99.x network or even the 10.5.2.x network which I've allowed ping through.

I tried a capture, didn't seem to work, must have set it up wrong.

Routing table is up top, default route is what should be used...

Re: Need help configuring my FWSM. Adding an interface?

Julio Carvajal — Fri, 05 Apr 2013 22:43:09 GMT

Hello,

Okay,

On the Catalyst we only need the SVI for the Inside interface, the other 2 just basic layer 2 Vlans and that's it..

Now,

You are sending all the traffic to the FWSM via the inside interface, that's why I asked for the capture,

Let me know if you see something as soon as you set it properly

Re: Need help configuring my FWSM. Adding an interface?

cshannahan — Fri, 05 Apr 2013 23:04:42 GMT

The inside interface works, and we have the vlan 230 with an address there.

interface Vlan230

description FW-PRIVATE

ip address 10.47.2.3 255.255.255.0

standby 1 ip 10.47.2.5

standby 1 priority 125

standby 1 preempt

I tried the capture but it didn't work so I will have to find out what I'm doing wrong.

Re: Need help configuring my FWSM. Adding an interface?

Julio Carvajal — Fri, 05 Apr 2013 23:19:49 GMT

Hello,

It's a shame we do not have the packet-tracer command on the FWSM family.

static (inside,CSP) 10.47.2.0 10.47.2.10

static (CSP,inside) 10.99.99.0 10.99.99.0

From a PC withing the new vlan, can you try to ping a host on the inside ( use a host different than the 10.47.2.1 and .2 as those are used by the FWSM)

Then create this capture

access-list test match icmp host CSP_IP_address host Inside_address_ip

capture test interface CSP access-list test

Then ping and share

Show cap test

Regards,

Julio carvajal

Need help configuring my FWSM. Adding an interface?

cshannahan — Sun, 07 Apr 2013 13:18:29 GMT

If I make the inside interfaces and the CSP interfaces all the same security, I shouldn't need the statics correct? I just made them all 100 for now.

Need help configuring my FWSM. Adding an interface?

cshannahan — Sun, 07 Apr 2013 14:43:43 GMT

This is absolutly stupid. I'm not sure why they can't just make a command that forces an interface on the 6500 to be a firewalled interface.

If I ping from a host 10.47.2.6 to 10.99.99.20 it works but again just over layer 2.

Need help configuring my FWSM. Adding an interface?

cshannahan — Sun, 07 Apr 2013 16:38:26 GMT

Ok progress. Although I removed the interface vlan 99 info, the actual interface vlan 99 was still there on the MFSC, so I removed that, added some NAT statements and now I'm getting from inside the FWSM to inside the firewall on the other side so I think once I get all of the nat statements sorted out I should be working without issue.