https://community.cisco.com/t5/network-security/need-basic-setup-help-for-6500-fwsm/m-p/1313914#M827267 <HTML><HEAD></HEAD><BODY><P>I did a debug of the ICMP and it was being denied so I suspect it had to do with the ICMP permit any outside command. I had added an IP-ANY-ANY access group and put it on the Mngt interface but ICMP still came back as being denied.</P><P></P><P>The VLAN was created on the 6500 already so basically changing the name to "outside" and creating the correct access list did the trick.</P><P></P><P>Good times. Only three more of these things to upgrade!</P></BODY></HTML> Thu, 03 Sep 2009 14:34:54 GMT jfraasch 2009-09-03T14:34:54Z https://community.cisco.com/t5/network-security/need-basic-setup-help-for-6500-fwsm/m-p/1313908#M827261 <P>I have a 6513 with a simple config setup with just two VLANs.</P><P></P><P>VLAN1- IP 10.210.36.1/24</P><P>VLAN2- IP 10.10.10.1/24</P><P></P><P>I just want to upgrade the code on the FWSM to the latest. I put Int VLAN2 on FWSM with IP of 10.10.10.2/24.</P><P></P><P>This is first time with FWSM. It seems like the FW does not have a route to the MSFC on the 6500.</P><P></P><P>Can someone give me the basic config to get the FWSM to talk to the switch?</P><P></P><P>Thanks.</P><P></P><P>James</P> Mon, 11 Mar 2019 16:12:09 GMT https://community.cisco.com/t5/network-security/need-basic-setup-help-for-6500-fwsm/m-p/1313908#M827261 jfraasch 2019-03-11T16:12:09Z https://community.cisco.com/t5/network-security/need-basic-setup-help-for-6500-fwsm/m-p/1313909#M827262 <HTML><HEAD></HEAD><BODY><P>James</P><P></P><P>Have a look at this thread i did a while back and see if it helps. Feel free to come back with further questions - </P><P></P><P><A class="jive-link-custom" href="http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40" target="_blank">http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&amp;CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40</A>^1%40.2cbef1c1/5#selected_message</P><P></P><P>Jon</P></BODY></HTML> Thu, 03 Sep 2009 12:41:28 GMT https://community.cisco.com/t5/network-security/need-basic-setup-help-for-6500-fwsm/m-p/1313909#M827262 Jon Marshall 2009-09-03T12:41:28Z https://community.cisco.com/t5/network-security/need-basic-setup-help-for-6500-fwsm/m-p/1313910#M827263 <HTML><HEAD></HEAD><BODY><P>Looks good. I am going to go try it now.</P><P></P><P>What it looks like is that the FWSM will contain the VLAN/IP address inforomation and in the IOS on the 6500 I will allocate certain VLANs to be handled by the FWSM.</P><P></P><P>So I could technically add a third VLAN on the FWSM. The routing on this is sort of fuzzy for me though.</P><P></P><P>If, for instance, I create the VLAN on the FWSM, allocate VLAN in my IOS, where is my static route pointing to? The FWSM won't know about any other VLAN besides the one I configure on it. And my IOS/MSFC wont have an IP on it to have the FWSM point to for routing. I think I am missing a small piece.</P><P></P><P>Thanks so far. Like I said, I am going to go change the config and see what happens.</P><P></P><P>James</P></BODY></HTML> Thu, 03 Sep 2009 12:58:01 GMT https://community.cisco.com/t5/network-security/need-basic-setup-help-for-6500-fwsm/m-p/1313910#M827263 jfraasch 2009-09-03T12:58:01Z https://community.cisco.com/t5/network-security/need-basic-setup-help-for-6500-fwsm/m-p/1313911#M827264 <HTML><HEAD></HEAD><BODY><P>James</P><P></P><P>You have to have a vlan that "connects" the MSFC to FWSM. So lets say you want to firewall vlan 10 and vlan 20 - </P><P></P><P>MSFC -&gt; vlan 30 -&gt; outside (FWSM) -&gt; vlans 10/20</P><P></P><P>you would use a new vlan to simply connect the MSFC to the outside of the FWSM, in the above example vlan 30.</P><P></P><P>So lets assume you have </P><P></P><P>MSFC </P><P></P><P>int vlan 30</P><P>ip address 192.168.5.1 255.255.255.252</P><P></P><P>FWSM </P><P></P><P>outside interface -&gt; 192.168.5.2 255.255.255.252</P><P></P><P>then on the MSFC you would simply add static routes for vlan 10 and vlan 20 subnets - </P><P></P><P>ip route v10-subnet <MASK> 192.168.5.2</MASK></P><P>ip route v20-subnet <MASK> 192.168.5.2 </MASK></P><P></P><P>See other thread for more details on this.</P><P></P><P>Jon</P></BODY></HTML> Thu, 03 Sep 2009 13:13:10 GMT https://community.cisco.com/t5/network-security/need-basic-setup-help-for-6500-fwsm/m-p/1313911#M827264 Jon Marshall 2009-09-03T13:13:10Z https://community.cisco.com/t5/network-security/need-basic-setup-help-for-6500-fwsm/m-p/1313912#M827265 <HTML><HEAD></HEAD><BODY><P>I think you might be one step ahead of me here. I am unable to ping on VLAN2.</P><P></P><P>I have:</P><P></P><P>MSFC:</P><P></P><P>Interface VLAN 2</P><P> ip address 10.10.10.1 255.255.255.0</P><P></P><P>FWSM:</P><P>Interface VLAN 2</P><P> name MNGT</P><P> security-level 100</P><P> ip address 10.10.10.3 255.255.255.0</P><P></P><P>I cant ping between the two. I believe the IOS needs just to know that I have that IP on the FWSM...I am not sure how to make that happen. Your other examples showed how to allocate VLANs to the FWSM and how to route, but I think this is just the basic, "hey, we need to know you exist" kind of config that I am looking for.</P><P></P><P>The documentation I have seen seems to skip this basic step.</P><P></P><P>Thanks.</P><P></P><P>James</P></BODY></HTML> Thu, 03 Sep 2009 13:42:53 GMT https://community.cisco.com/t5/network-security/need-basic-setup-help-for-6500-fwsm/m-p/1313912#M827265 jfraasch 2009-09-03T13:42:53Z https://community.cisco.com/t5/network-security/need-basic-setup-help-for-6500-fwsm/m-p/1313913#M827266 <HTML><HEAD></HEAD><BODY><P>James</P><P></P><P>Can you change vlan 2 interface to outside on the FWSM ie.</P><P></P><P>interface vlan 2</P><P>name outside</P><P>security-level 0 </P><P>ip address 10.10.10.3 255.255.255.0</P><P></P><P>then can you also check you have vlan 2 created on the 6500 switch ie.</P><P></P><P>6500# sh vlan </P><P></P><P>do you see vlan 2 in the output ?</P><P></P><P>run a "sh interface" on the FWSM and see if vlan 2 interface is up. </P><P></P><P>If it is and vlan 2 is created try pinging again. If it still doesn't work add this to FWSM config -</P><P></P><P>icmp permit any outside </P><P></P><P>and try pinging again.</P><P></P><P>This doc covers the initial setup including the outside interface - </P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00808b4d9f.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00808b4d9f.shtml</A></P><P></P><P>Jon</P><P></P></BODY></HTML> Thu, 03 Sep 2009 14:20:28 GMT https://community.cisco.com/t5/network-security/need-basic-setup-help-for-6500-fwsm/m-p/1313913#M827266 Jon Marshall 2009-09-03T14:20:28Z https://community.cisco.com/t5/network-security/need-basic-setup-help-for-6500-fwsm/m-p/1313914#M827267 <HTML><HEAD></HEAD><BODY><P>I did a debug of the ICMP and it was being denied so I suspect it had to do with the ICMP permit any outside command. I had added an IP-ANY-ANY access group and put it on the Mngt interface but ICMP still came back as being denied.</P><P></P><P>The VLAN was created on the 6500 already so basically changing the name to "outside" and creating the correct access list did the trick.</P><P></P><P>Good times. Only three more of these things to upgrade!</P></BODY></HTML> Thu, 03 Sep 2009 14:34:54 GMT https://community.cisco.com/t5/network-security/need-basic-setup-help-for-6500-fwsm/m-p/1313914#M827267 jfraasch 2009-09-03T14:34:54Z https://community.cisco.com/t5/network-security/need-basic-setup-help-for-6500-fwsm/m-p/1313915#M827268 <HTML><HEAD></HEAD><BODY><P>Glad to have helped.</P><P></P><P>Jon</P></BODY></HTML> Thu, 03 Sep 2009 14:36:33 GMT https://community.cisco.com/t5/network-security/need-basic-setup-help-for-6500-fwsm/m-p/1313915#M827268 Jon Marshall 2009-09-03T14:36:33Z