FWSM Help

gdrandles
Level 1

All,

  I am new to using a FWSM.  I am familiar with the PIX and ASAs.  We have two Cisco 6509s with a FWSM installed in both.  Our network is shown in the diagram.  We use Blue Coat Packetshapers and Barracuda Proxy appliances.  I plan on setting up HSRP on both 6509s for traffic coming from our ISP Cisco 2811s as well as use HSRP for our DMZ and internal network.  I would like to set up the firewalls for stateful failover.  We will be using PAT for our internal users and one-to-one static NAT for our DMZ.  Here are my questions:

Is it better to set up the firewalls as transparent or routed?

Since the firewall is built into the switch, how do I insert the Barracuda proxies?

  I can configure them as transparent or routed proxies.

Thanks,

2 Replies

brquinn
Level 1

Looking at the diagram, it's not really clear how the Barracuda proxies are put in place. It looks like the packetshapers are already bridging in-line. Do you want the FWSMs to also be bridging between the same two L3 hops?

Looking at your diagram, the FWSM could easily be the default gateway for your 10.1.1.0/25 and 10.1.2.0/25 networks. Both configurations could work, but I think it is generally easier to troubleshoot L3 adjacencies than L2. Then again, changing around your routing topology can be more of a burden.

Regardless of which setup you choose, I would avoid any situation which places your hosts on a subnet with more than one gateway/router. For example, do NOT do this:

Router (.254) --- hosts (.2-.253) --- FWSM (.1)

OR

RouterA (.254) --- hosts (.2-.253) --- vlan10--FWSM--vlan20 --- RouterB (.1)

Asymmetric routing with the FWSM will break the stateful inspections and cause your traffic to fail.

I hope this helps.

Thanks,

Brendan

Brendan,

  The Barracuda proxies have not been connected to the network because I am unclear where or how to attach them.  This network is also being built and currently has no users so I can configure whatever is needed.  In the past when I used an ASA it was easy to connect a proxy between the ASA and the inside router.  The inside router would then be the gateway for the users.

Users --> GW --> Proxy --> ASA --> BC Packetshaper --> ISP

Because the FWSM is not a physically separate device, I do not understand how to set up the same logical topology or data flow.  I was thinking I create VLAN 100 and connect the LAN side of the proxy.  Point the default route to the LAN IP of the proxy.  Create VLAN 101 and FW vlan-group 1 101 and assign this the nameif "inside".  Point the WAN side of the proxy to the VLAN 101 IP as the default route.  I would then have to figure out how to set up HSRP on the outside to connect the "outside" FW VLAN to the ISP.  I would rather place the Proxy in transparent mode and not require it to do any routing.  Any help is appreciated.

Thanks,
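The routed-proxy layout described in the post above (users on VLAN 100, proxy between VLAN 100 and VLAN 101, FWSM "inside" on VLAN 101), written out as an added example configuration; it is not from the original thread or from Cisco documentation. It assumes the FWSM sits in slot 3, the outside VLAN is 200, and the 192.0.2.0/29 and 203.0.113.0/29 ranges are placeholder addresses for the proxy-to-FWSM and FWSM-to-ISP links; the 10.1.1.0/25 user subnet is the one from the diagram. Every host subnet keeps exactly one gateway, which is the asymmetric-routing point Brendan raised.

```text
! ===== Catalyst 6509 (MSFC) side, primary switch; assumed slot 3 =====
vlan 100
 name users-and-proxy-lan
vlan 101
 name proxy-wan-to-fwsm-inside
vlan 200
 name fwsm-outside-to-isp
!
! VLANs 101 and 200 are handed to the FWSM; the MSFC keeps no SVI on them,
! so the only L3 hop on those VLANs is the FWSM itself.
firewall vlan-group 1 101,200
firewall module 3 vlan-group 1
!
! Users' single gateway is the HSRP VIP 10.1.1.1 on the MSFC pair.
interface Vlan100
 description user gateway (HSRP with second 6509)
 ip address 10.1.1.2 255.255.255.128
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt
!
! MSFC sends everything non-local to the proxy's LAN address (placeholder .126).
ip route 0.0.0.0 0.0.0.0 10.1.1.126
!
! ===== Proxy (routed mode, configured on the appliance, not IOS) =====
!   LAN: 10.1.1.126/25 on VLAN 100   WAN: 192.0.2.3/29 on VLAN 101
!   default route -> 192.0.2.1 (FWSM inside)
!
! ===== FWSM side ("session slot 3 processor 1" from the switch) =====
interface Vlan101
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.248 standby 192.0.2.2
!
interface Vlan200
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
! Return path to the user subnet goes back through the proxy WAN address,
! so replies take the same hop as requests and stateful inspection holds.
route inside 10.1.1.0 255.255.255.128 192.0.2.3
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! PAT for internal users behind the outside interface address.
nat (inside) 1 10.1.1.0 255.255.255.128
global (outside) 1 interface
```

The "standby" addresses are what stateful failover to the second FWSM uses; the failover link and unit settings themselves are left out of this fragment.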
