Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
664
Views
0
Helpful
2
Replies

FWSM Help

gdrandles
Level 1
Level 1

‎05-18-2011 10:56 AM - edited ‎03-11-2019 01:35 PM

I have attached a drawing of our network.  We have two 6509's connected to two Cisco 2811 (onsite) that the ISP owns.

I am trying to get one side up and running before I worry about redundancy and so forth.  For this reason I have set all the HSRP priorities to 110 on the left 6509.  I have HSRP running between the ISP routers and VLAN 101 of the 6509's.  This works as I can ping yahoo and google just fine from the 6509 switch.  I can't get from my laptop connected to VLAN 23 to the internet.  It doesn't even attempt to NAT as there are no translations.  I have public address assigned by my ISP configured between the ISP routers and my 6509 on VLAN 101.  I then have the public address assigned to VLAN 100.  I configured VLAN 100 on the switch and VLAN 100 on the FWSM with the IP address in the drawing.  I have my NAT statements and route in my FWSM according to the drawing as well.  On the switch, I have a default route to X.X.12.19 which is the VIP between the ISP routers.  I can reach anything on the inside of my network, including the old network addresses from VLAN 23.

1. Is it best to do NAT at the FWSM or should I do it on the MSFC connected to the ISP routers?

2. If I have to configur NAT at the FWSM, does this requires me to extend the public network down to the FWSM?

3. I'll take any examples you may have as I am stuck.

Thanks in advance.

Labels:
Preview file
2352 KB
0 Helpful
2 Replies 2

Allen P Chen
Level 5
Level 5

‎05-18-2011 06:02 PM

Hello,

1.  Most people configure NAT on firewalls, so the majority would configure NAT on the FWSM.  However, this is really up to how you wish to design the network.

2.  Again, this is up to your network design.

Here is a configuration example for the FWSM.  The 192.168.1.0/24 subnet in this example is the "outside", you can simply substitue that for the address range assigned by your ISP.

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00808b4d9f.shtml

Hope this helps.

0 Helpful

gdrandles
Level 1
Level 1
In response to Allen P Chen

‎05-18-2011 09:45 PM

After reading up some more on the FWSM and 6509, I have decided it would be best to design the network so the MSFC is on the inside.  This would allow me to NAT on the FWSM and then connected the FWSM directly to the ISP routers.  This way I do not have to extend the public network further.  This also means I don't have to request additional public IP's from the ISP.  I will recreate my diagram and make another attempt at it.  I will post the results in the morning.

Thanks,

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card