topic FWSM design question in Network Security

FWSM design question

tdennehy — Mon, 11 Mar 2019 17:20:25 GMT

Are there any pros and cons to the way an FWSM can be implemented in a 6509?

For instance, our WLAN deployment sits on four WiSMs in a 6509. We have a FWSM in the 6509 with an inside and outside VLAN, and a static route pointing to the inside of the FWSM from the 6509. All traffic goes to the interface of the FWSM, gets PAT'd out through one IP address and that's it.

I have been reading that I can move the gateway addresses to the FWSM from the 6509 and PAT each range out through the FWSM, but this time I would PAT each VLAN out through its own IP address.

I'm wondering if there are any advantages or disadvantages. The latter description would be a lot more work, but provide more granularity. I can also simply change our current deployment to PAT each VLAN out through its own mapped IP address.

Either way will result in traffic flowing, but is there a "more right" way to do this?

Thanks,
Tim

Re: FWSM design question

Panos Kampanakis — Thu, 11 Mar 2010 17:48:48 GMT

There is really not much difference or advantages.

One I could think of is you have 65K ports for translation if you PAT everything from the inside which depending on traffic might at some point make you run out of PAT ports.

If you use separate PAT ip addresses for different internal ip ranges then you are less likely to run out of ports to PAT.

I don't see any other disadvantage since the FWSM will perform fine with both.

I hope it helps.

Re: FWSM design question

Jon Marshall — Thu, 11 Mar 2010 19:02:12 GMT

tdennehy wrote:
Are there any pros and cons to the way an FWSM can be implemented in a 6509?
For instance, our WLAN deployment sits on four WiSMs in a 6509.  We have a FWSM in the 6509 with an inside and outside VLAN, and a static route pointing to the inside of the FWSM from the 6509.  All traffic goes to the interface of the FWSM, gets PAT'd out through one IP address and that's it.
I have been reading that I can move the gateway addresses to the FWSM from the 6509 and PAT each range out through the FWSM, but this time I would PAT each VLAN out through its own IP address.
I'm wondering if there are any advantages or disadvantages.  The latter description would be a lot more work, but provide more granularity.  I can also simply change our current deployment to PAT each VLAN out through its own mapped IP address.
Either way will result in traffic flowing, but is there a "more right" way to do this?
Thanks,
Tim

Tim

So you have -

vlans -> (inside) FWSM (outside) -> MSFC ?

Edit - sorry meant to be -

vlans -> MSFC -> (inside) FWSM (outside)

If so the deployment o the FWSM is nothing really to do with PAT. You wouldn't need to move the gateways to the FWSM to be able to PAT each vlan to a different PAT address ie.

nat (inside) 1 172.16.5.0 255.255.255.0

nat (inside) 2 172.16.6.0 255.255.255.0

global (outside) 1 PAT1

global (outside) 2 PAT2

the above would translate the 2 separate vlans to different PAT addresses.

Whether to have the gateways for the vlans on the FWSM or the MSFC is to do with whether you want/need to firewall between those vlans. If you don't then you don't need to have their gateways on the FWSM.

If i have misunderstood your topology or question then please clarify.

Jon

Re: FWSM design question

Kureli Sankar — Thu, 11 Mar 2010 19:20:20 GMT

When you say the 6509 is pointing to the FWSM's inside interface for the default gateway the topology is

MSFC -> (inside) FWSM (outside) -> Internet

Jon is correct. With just those few lines that he gave you, you can PAT each vlan to a different global address. This will be good from the admin side of things as well.

If the other vlans are different interfaces on the FWSM then you can use change the same example around.

nat (inside) 1 172.16.5.0 255.255.255.0

nat (inside-2) 2 172.16.6.0 255.255.255.0

nat (inside-3) 2 172.16.7.0 255.255.255.0

global (outside) 1 PAT1

global (outside) 2 PAT2

global (outisde) 3 PAT3

-KS

Re: FWSM design question

tdennehy — Thu, 11 Mar 2010 20:10:00 GMT

That is how we do it now, Kusankar. I think I'll keep doing it this way, since I am not hearing any compelling reasons from anyone to change to having the gateway addresses on the FWSM.

I can do it either way, and since there is a choice, I was wondering which is the better way. Turns out I don't think there is a better way - they both seem to be "the right way".

Thanks!

-=Tim