topic FWSM Help in Network Security

FWSM Help

gdrandles — Mon, 11 Mar 2019 20:31:33 GMT

All,

I am new to using a FWSM. I am familiar with the PIX and ASA's. We have two Cisco 6509's with a FWSM installed in both. Our network is shown in the diagram. We use Blue Coat Packetshapers and Barracuda Proxy appliances. I plan on setting up HSRP on both 6509's for traffic coming from our ISP Cisco 2811's as well as use HSRP for our DMZ and internal network. I would like to setup the firewalls for statefull failover. We will be using PAT for our internal users and one-to-one static NAT for our DMZ. Here are my questions:

Is it better to setup the firewall's as transparent or routed?

Since the firewall is built into the switch, how do I insert the Barracuda proxies?

I can configure them as transparent or routed proxies.

Thanks,

Re: FWSM Help

brquinn — Tue, 10 May 2011 22:36:10 GMT

Looking at the diagram, it's not really clear how the Barracuda proxies are put in place. It looks like the packetshapers are already bridging in-line. Do you want the FWSMS to also be bridging between the same two L3 hops?

Looking at your diagram, the FWSM could easily be the default gateway for your 10.1.1.0/25 and 10.1.2.0/25 networks. Both configurations could work, but I think it is generally easier to troubleshoot L3 adjacencies than L2. Then again, changing around your routing topology can be more of a burden.

Regardless which setup you choose, I would avoid any situation which places your hosts on a subnet with more than one gateway/router. For example, do NOT do this:

Router (.254) --- hosts (.2-.253) --- FWSM (.1)

RouterA (.254) --- hosts (.2-.253) --- vlan10--FWSM--vlan20 --- RouterB (.1)

Asymmetric routing with the FWSM will break the stateful inspections and cause your traffic to fail.

I hope this helps.

Thanks,

Brendan

Re: FWSM Help

gdrandles — Tue, 10 May 2011 23:37:05 GMT

Brenden,

The Barracuda proxies have not been connected to the network because I am unclear where or how to attach them. This network is also being built and currently has no users so I can configure whatever is needed. In the past when I used an ASA it was easy to connect a proxy between the ASA and the inside router. The inside router would then be the gateway for the users.

Users --> GW --> Proxy --> ASA --> BC Packetshaper --> ISP

Because the FWSM is not a physically seperate device, I do not understand how to setup the same logical topology or data flow. I was thinking I create VLAN 100 and connect the LAN side of the proxy. Point the default route to the LAN IP of the proxy. Create VLAN 101 and FW vlan-group 1 101 and assign this the nameif "inside". Point the WAN side of the proxy to the VLAN 101 IP as the default route. I would then have to figure out how to setup HSRP on the outside to connect the "outside" FW VLAN to the ISP. I would rather place the Proxy in transparent mode and not require it to do any routing. Any help is appreciated.

Thanks,