topic Re: FWSM in transparent mode in Network Security

FWSM in transparent mode

Chris Brun — Mon, 11 Mar 2019 17:56:07 GMT

Attempting to set up the FWSM in transparent mode (single context). Here is my scenario: I have a 6509 with 3 VLANs…40 (DMZ), 41 (Staff), and 42 (Inside). I would like to use the FWSM to control access transparently between the 3 VLANs.

Here is what I have set up:

6509

firewall multiple-vlan-interfaces

firewall module 7 vlan-group 40

firewall vlan-group 40 40-42

interface Vlan40

ip address 10.40.0.1 255.255.255.0

interface Vlan41

ip address 10.41.0.1 255.255.255.0

interface Vlan42

ip address 10.42.0.1 255.255.255.0

FWSM

FWSM Version 3.1(10)

firewall transparent

interface Vlan40

nameif DMZ

bridge-group 1

security-level 0

interface Vlan41

nameif Staff

bridge-group 2

security-level 50

interface Vlan42

nameif Inside

bridge-group 3

security-level 100

access-list DENY-ALL extended deny ip any any log

access-list DENY-ALL extended deny icmp any any log

access-group DENY-ALL in interface DMZ

I understood that without any ACLs, the default action would be deny, however I was able to communicate freely between all the VLANs. I added the ACL to explicitly deny anything from the DMZ, but still able to communicate.

Would appreciate any assistance in how I can get the FWSM in transparent mode to control traffic between 3 VLANs.

Re: FWSM in transparent mode

Kureli Sankar — Tue, 08 Jun 2010 14:12:00 GMT

Pls. follow the sample here: http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/exampl_f.html#wp1029042

You need two vlans in a bridge group.

Transparent firewall overview: http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/fwmode_f.html#wp1220104

-KS

Re: FWSM in transparent mode

Chris Brun — Thu, 10 Jun 2010 14:16:28 GMT

I "think" I followed the instructions ... placing two VLANs in a single bridge_group (although that goes against everything I believe about routing!) ... but still can not seem to control access between VLAN 40 & 41. I still have full access between devices on both subnets.

interface Vlan40
nameif DMZ
bridge-group 1
security-level 0
!
interface Vlan41
nameif Schools
bridge-group 1
security-level 50
!
access-list DENY-ALL extended deny ip any any log
access-list DENY-ALL extended deny icmp any any log
access-group DENY-ALL in interface DMZ

Appriciate any advice.

Re: FWSM in transparent mode

Panos Kampanakis — Thu, 10 Jun 2010 18:20:07 GMT

Vlan 40 and 41 should be in the same subnet.

But hosts on switchports vlan access 40 and 41 will go through the FWSM that will be bridging these vlans.

So make sure you have 2 ports with hosts in each vlan and that their ip addresses are in the same subnet.

try pinging between them and then the FWSM should be bridging and you will see traffic through it.

I hope it helps.

Re: FWSM in transparent mode

Chris Brun — Thu, 10 Jun 2010 18:36:59 GMT

Thank you...that was my misunderstanding. Both VLANs are using the same subnet linked back together by the bridge-group --- the pieces all fit now!

Re: FWSM in transparent mode

Panos Kampanakis — Thu, 10 Jun 2010 18:45:24 GMT

Yup, glad it helped.