https://community.cisco.com/t5/network-security/fwsm-change-which-vlan-interface-is-inside/m-p/1209178#M859746 <P>Hello all, thank you in advance for any and all suggestions</P><P></P><P>I have inherited a network with redundant 6509 "DMZ" switches with a single FWSM installed in each - routed, single context, in failover configuration. Each FWSM has multiple VLAN interfaces, including inside, outside, and approximately 10 other DMZ interfaces with varying security levels.</P><P></P><P>It is clear that the inside interface (and all related NAT, static, route, and access rules) needs to be removed from the existing VLAN 4 interface, and applied to an as yet-to-be-created VLAN 2 interface. </P><P></P><P>I am in the planning stages for this migration and am researching others' experience with this or similar activities. The configuration steps as I see them would be:</P><P></P><P>1. Take backups of existing active and standby FWSMs.</P><P>2. Create VLAN 2 in 6509 switches' IOS, share to FWSM in firewall-group</P><P>3. Shutdown standby FWSM (don't want it "taking over" once it determines that the primary inside interface is down)</P><P>4. Remove the inside ACL from the interface interface (I believe this will allow the inside_acl to remain in configuration when the inside interface is deleted)</P><P>5. issue "no interface Vlan 4" on primary (I believe all "inside" related NAT, static, and route rules will be deleted at this point).</P><P>6. create interface Vlan 2, issue "nameif inside" and assign inside IP address.</P><P>7. From backup, reconfigure NATs, statics, and inside routes.</P><P>8. Re-apply the "inside_acl" to the inside interface.</P><P>9. Clear conn, clear xlate, etc.</P><P></P><P>Next will be to bring standby FWSM back online and this is where I have some doubts.</P><P></P><P>1. Isolate standby module (shutdown trunked interfaces between switches, perhaps also remove all VLANs from firewall-group. I think I would want to isolate this FWSM to prevent any sync'ing issues between active and standby so that the standby won't overwrite any of the changes I made on the active FWSM - not sure if I am being paranoid here and whether I need to do this...)</P><P>2. Power on and session into FWSM, remove interface VLAN 4, create interface VLAN 2, nameif inside, configure IP Address, no shut.</P><P>3. Share all VLANs back to FWSM from IOS switch, failover and monitored interface configurations should re-establish active/standby relationship between FWSMs.</P><P>4. Test applications, routing, access, etc.</P><P></P><P></P><P>It seems to me that there should be an easier way to accomplish my goal of changing which interface is "inside", but I have not performed this activity before. I think my steps above should work, although I concede I might be missing some things that will crop up when I am in the middle of the change. I would appreciate any insight into this scenario.</P><P></P><P>Thank you,</P><P></P><P>Curtis.</P> Mon, 11 Mar 2019 15:33:01 GMT charrellc011699 2019-03-11T15:33:01Z https://community.cisco.com/t5/network-security/fwsm-change-which-vlan-interface-is-inside/m-p/1209178#M859746 <P>Hello all, thank you in advance for any and all suggestions</P><P></P><P>I have inherited a network with redundant 6509 "DMZ" switches with a single FWSM installed in each - routed, single context, in failover configuration. Each FWSM has multiple VLAN interfaces, including inside, outside, and approximately 10 other DMZ interfaces with varying security levels.</P><P></P><P>It is clear that the inside interface (and all related NAT, static, route, and access rules) needs to be removed from the existing VLAN 4 interface, and applied to an as yet-to-be-created VLAN 2 interface. </P><P></P><P>I am in the planning stages for this migration and am researching others' experience with this or similar activities. The configuration steps as I see them would be:</P><P></P><P>1. Take backups of existing active and standby FWSMs.</P><P>2. Create VLAN 2 in 6509 switches' IOS, share to FWSM in firewall-group</P><P>3. Shutdown standby FWSM (don't want it "taking over" once it determines that the primary inside interface is down)</P><P>4. Remove the inside ACL from the interface interface (I believe this will allow the inside_acl to remain in configuration when the inside interface is deleted)</P><P>5. issue "no interface Vlan 4" on primary (I believe all "inside" related NAT, static, and route rules will be deleted at this point).</P><P>6. create interface Vlan 2, issue "nameif inside" and assign inside IP address.</P><P>7. From backup, reconfigure NATs, statics, and inside routes.</P><P>8. Re-apply the "inside_acl" to the inside interface.</P><P>9. Clear conn, clear xlate, etc.</P><P></P><P>Next will be to bring standby FWSM back online and this is where I have some doubts.</P><P></P><P>1. Isolate standby module (shutdown trunked interfaces between switches, perhaps also remove all VLANs from firewall-group. I think I would want to isolate this FWSM to prevent any sync'ing issues between active and standby so that the standby won't overwrite any of the changes I made on the active FWSM - not sure if I am being paranoid here and whether I need to do this...)</P><P>2. Power on and session into FWSM, remove interface VLAN 4, create interface VLAN 2, nameif inside, configure IP Address, no shut.</P><P>3. Share all VLANs back to FWSM from IOS switch, failover and monitored interface configurations should re-establish active/standby relationship between FWSMs.</P><P>4. Test applications, routing, access, etc.</P><P></P><P></P><P>It seems to me that there should be an easier way to accomplish my goal of changing which interface is "inside", but I have not performed this activity before. I think my steps above should work, although I concede I might be missing some things that will crop up when I am in the middle of the change. I would appreciate any insight into this scenario.</P><P></P><P>Thank you,</P><P></P><P>Curtis.</P> Mon, 11 Mar 2019 15:33:01 GMT https://community.cisco.com/t5/network-security/fwsm-change-which-vlan-interface-is-inside/m-p/1209178#M859746 charrellc011699 2019-03-11T15:33:01Z