https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045852#M896682 <HTML><HEAD></HEAD><BODY><P>even if its named "inside" syed?</P></BODY></HTML> Tue, 09 Sep 2008 17:55:47 GMT joe19366 2008-09-09T17:55:47Z https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045849#M896676 <P>We placed a FWSM in our 6513 to replace our external PIX525. I'm able to session into the FWSM. We are not ready to switch over as yet. I just want to work with the FWSM a bit and get things ready. I created a VLAN15 on the 6513 and presented it to the FWSM. I created an interface and assigned an IP subnet on the 6513. I sessioned into the FWSM and assigned the presented VLAN an IP address. I named it inside and gave it a security level of 100. I setup a laptop on the VLAN and gave it an IP address on that subnet and added an icmp statement to allow the lpatop to ping the inside interface on the FWSM. Works. I added a telnet statement to the FWSM for the laptop. I can't telnet to the FWSM. I also tried enabling http for the laptop and that doesn't work as well. Not sure what I'm missing. I have not added any SVI outside interface to the FMSM as yet since we are not ready to switch over from the PIX. FWSM shows version 2.3(4). We are using only static NAT.</P><P></P><P>We have multiple VLANs on the 6513 that will all use the same outside interface on the FWSM. The VLANs route to each other inside the 6513. Some VLANs have more then one subnet defined as secondary on there interface.</P><P></P><P>Craig</P> Mon, 11 Mar 2019 13:41:37 GMT https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045849#M896676 cef2lion2 2019-03-11T13:41:37Z https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045850#M896678 <HTML><HEAD></HEAD><BODY><P>Let's see your configs (you can attach them here as text files)</P><P></P><P>You have chosen "MSFC Inside" as your deployment design model. Microsoft actually has the best FWSM design guide on google; weird huh?</P><P></P><P><A class="jive-link-custom" href="http://www.microsoft.com/technet/solutionaccelerators/wssra/raguide/FirewallServices/igfspg_4.mspx" target="_blank">http://www.microsoft.com/technet/solutionaccelerators/wssra/raguide/FirewallServices/igfspg_4.mspx</A></P><P></P><P>Anyway, you will not then ALSO create SVI's on your MSFC, otherwise traffic could then route around the MSFC! </P><P></P><P>perhaps you meant SVI in a VRF? either way normally we just use a few ports in a VLAN on the 6500 with NO SVI as "outside vlan" ports where the FWSM outside ip interface meet border routers, etc. when using the MSFC "inside" model described on MSFT's link.</P><P></P><P>The concept of where to place the MSFC can be confusing but that doc clears it up.</P><P></P><P>Let us know if we can be of help as you move forward.</P><P></P><P>-Joe</P></BODY></HTML> Tue, 09 Sep 2008 17:47:19 GMT https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045850#M896678 joe19366 2008-09-09T17:47:19Z https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045851#M896681 <HTML><HEAD></HEAD><BODY><P>Telnet doesn't not work on the least secured interface. If you have configured just one interface then it is he least secure one.</P><P></P><P>Use SSH and it will work.</P><P></P><P></P><P>Syed</P></BODY></HTML> Tue, 09 Sep 2008 17:48:41 GMT https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045851#M896681 Syed Iftekhar Ahmed 2008-09-09T17:48:41Z https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045852#M896682 <HTML><HEAD></HEAD><BODY><P>even if its named "inside" syed?</P></BODY></HTML> Tue, 09 Sep 2008 17:55:47 GMT https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045852#M896682 joe19366 2008-09-09T17:55:47Z https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045853#M896683 <HTML><HEAD></HEAD><BODY><P>Yes. Even if its inside (provided there is no high security interface available). </P><P></P><P>Key point is Telnet is not possible to the "lowest security level" interface.With just one interface defined it will be the lowest security interface.</P><P></P><P>Syed</P></BODY></HTML> Tue, 09 Sep 2008 19:20:56 GMT https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045853#M896683 Syed Iftekhar Ahmed 2008-09-09T19:20:56Z https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045854#M896684 <HTML><HEAD></HEAD><BODY><P>Yes. Even if its inside (provided there is no high security interface available). </P><P></P><P>Key point is Telnet is not possible to the "lowest security level" interface.With just one interface defined it will be the lowest security interface.</P><P></P><P>Syed</P></BODY></HTML> Tue, 09 Sep 2008 19:23:36 GMT https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045854#M896684 Syed Iftekhar Ahmed 2008-09-09T19:23:36Z https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045855#M896685 <HTML><HEAD></HEAD><BODY><P>Thanks for the information. Will try SSH and or create a temp outside interface with lower security level. Just want another means to admin the FWSM besides sessioning into it from the 6513.</P><P></P><P>I think in our scenario we would want the MSFC inside. What commands place the MSFC on the inside or out? </P><P></P><P>Craig</P></BODY></HTML> Tue, 09 Sep 2008 19:41:19 GMT https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045855#M896685 cef2lion2 2008-09-09T19:41:19Z https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045856#M896686 <HTML><HEAD></HEAD><BODY><P>Create an SVI for the vlan connecting FWSM on the inside interface. </P><P></P><P>Make sure that you dont have SVIs on vlans connected to insid e&amp; outside interface. Otherwise you will end up bypassing FWSM.</P><P></P><P></P><P>Syed</P></BODY></HTML> Tue, 09 Sep 2008 19:52:52 GMT https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045856#M896686 Syed Iftekhar Ahmed 2008-09-09T19:52:52Z https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045857#M896687 <HTML><HEAD></HEAD><BODY><P>Thanks for tip on the SVIs. I created the outside interface with security level of 0 and I can now telnet into the FWSM inside interface.</P><P></P><P>Craig</P></BODY></HTML> Tue, 09 Sep 2008 19:58:56 GMT https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045857#M896687 cef2lion2 2008-09-09T19:58:56Z https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045858#M896689 <HTML><HEAD></HEAD><BODY><P>to reach the contexts themselves without using telnet/ssh you can just</P><P></P><P>session slot 4 proc 1 on the 6513 </P><P>(where slot 4 is the location of the FWSM).</P><P></P><P>you will then be in the SYSTEM context.</P><P>from there you can type</P><P></P><P>changeto context wan</P><P></P><P>and you will be logged into the virtual-fw context named "wan".</P><P></P><P>See this doc for more information.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809bfce4.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809bfce4.shtml</A></P></BODY></HTML> Tue, 09 Sep 2008 19:59:58 GMT https://community.cisco.com/t5/network-security/fwsm-setup/m-p/1045858#M896689 joe19366 2008-09-09T19:59:58Z