topic FWSM configuration in Network Security

FWSM configuration

cisco.anubhav — Mon, 11 Mar 2019 19:59:38 GMT

Hi,

I am new to FWSM and i have a network in which FWSM is installed on 7613 router which has many wan links connected to it,there is a P2P link between router and cisco 3560 G multilayer switch(10.229.1.252/30) ,this L3 has 4 vlans and other networks connected to L3 and another switch 3560 is connected to L3 which connects its own LAN in the range of 10.229.1.0/24.Should i use Transparent mode on FWSM or Routed mode,what could be my inside and outside interface,and what ip adds should i use on them.Since its a connectivity based on Vlan interfaces should i use a new range for BV1 interface.

At present my topology is attached in Doc1 and current FWSM config in second attachment.,hope for your help in this case.

Thanks,

Re: FWSM configuration

PAUL GILBERT ARIAS — Wed, 02 Mar 2011 12:15:02 GMT

Conside which networks you want to protect and that way you will be able to set your inside and outside interfaces. I had a similar case and iI used bridge interfaces since I had multiple inside LAN subnets with different IPs as gateways on the core switch.

Try to work your ideas, draw a topology and try to test this out before going into production.

Sent from Cisco Technical Support iPhone App

Re: FWSM configuration

cisco.anubhav — Wed, 02 Mar 2011 13:14:01 GMT

Hi,

Thanks for the reply,its the ip that i m more concerned, what ip should i give on bv interface,as its said that both inside and outside sholud be on sane ip subnet and different vlan and inside interface must have the ip of the connected ip subnet.what ip should be used kindly suggest. kindly consider the attached config

Thanks,

Re: FWSM configuration

PAUL GILBERT ARIAS — Wed, 02 Mar 2011 14:08:21 GMT

You can add an available IP that could be reachable for management porpuses. If you are going to have bridge groups then it means that the firewall is in L2. If you are planning to have multiple bvi interface I can tell you it is not needed. You can create one just for management.

On the setup I did for a costumer I configured the BVI interface in a complete different subnet, this was a management VLAN. Just make sure you include that VLAN on the configuration required on the 7600/6500.

Re: FWSM configuration

cisco.anubhav — Tue, 08 Mar 2011 06:03:32 GMT

Hi,

thanks for ur help,I m very cionfused at the moment so that i may get out of this confusion.The scenario is this that FWSM is on cisco 7613 and my LAN to be protected is two swithches away there are point to point links between router and switchL3 using two ip adds 10.229.1.253.on router and 10.229.1.254 on switch what ip should we use on fwsm BV interface as curently we have put 10.229.1.252 on it but the status of BV interface is admin down and line protocol is up,

we have three vlan on our L3 and another switch connected to L3 has our Lans to be protected.Kindly help

Re: FWSM configuration

cisco.anubhav — Thu, 10 Mar 2011 13:31:40 GMT

Hi Paul,

kindly help and suggest if i m goin in the right direction,as there is a P2P link between my 7613 and L3 3560 and fwsm is on 7613 i m goin to use an entirely new address(say 192.168.1.0) for this192.168.1.1 will be on vlan 100 on router 1.2 will be on fwsm bv1 interface ,would it be okay as there are already 3 different VLANs on my L3 and one of them contains the servers i wanna protect(10.220.1.0 range).

thanks,

Re: FWSM configuration

PAUL GILBERT ARIAS — Thu, 10 Mar 2011 14:13:03 GMT

it the interface is admin down you need to apply the no shut command.

Re: FWSM configuration

PAUL GILBERT ARIAS — Thu, 10 Mar 2011 14:14:18 GMT

I am not able to understand this question. I need to picture it on my mind but I can't image how is the topology. Can you explain a little more?

Re: FWSM configuration

cisco.anubhav — Fri, 11 Mar 2011 05:37:35 GMT

Hi Paul,

the figure is given in the first post of mine,still ,i may give it here

7613----FWSM-------3560------3560-------|10.229.1.0 (n/w to be protected.)

Re: FWSM configuration

cisco.anubhav — Fri, 11 Mar 2011 10:59:38 GMT

Hi Paul,

the figure is given in the first post of mine,still ,i may give it here

------------------

7613----FWSM-------3560------3560-------|10.229.1.0 (n/w to be protected.)

| |

10.220.62.x/30 10.22062.Y/30