FWSM in transparent mode

ritchieb
Level 1

Hi all,

Need some help getting a FWSM running in transparent mode to work. I have the following set up.

SVI on the 6500 in VLAN 4040 (192.168.0.6 255.255.255.248)

Host on the 6500 in VLAN 4041 (192.168.0.5 255.255.255.248)

I've created a BVI on the FW (192.168.0.1)

From the 6500 and from the host I can ping 192.168.0.1, but the host cannot ping the SVI and vice-versa.

Config on the FWSM is as below;


FWSM Version 4.1(10) <context>
!
firewall transparent
hostname FWSM
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Vlan4040
 nameif FWSM-Inside
 bridge-group 11
 security-level 100
!
interface Vlan4041
 nameif FWSM-Outside
 bridge-group 11
 security-level 100
!
interface BVI11
 ip address 192.168.0.1 255.255.255.248
!
passwd 2KFQnbNIdI.2KYOU encrypted
same-security-traffic permit inter-interface
access-list FWSM-FW-Outside_access_in extended permit icmp any any
access-list FWSM-FW-Outside_access_in extended permit tcp host 192.168.0.5 host 192.168.0.6 eq bgp
access-list FWSM-FW-Inside_access_in extended permit icmp any any
access-list FWSM-FW-Inside_access_in extended permit tcp host 192.168.0.6 host 192.168.0.5 eq bgp
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
no logging message 111009
no logging message 111008
no logging message 111007
mtu FWSM-FW-Inside 1500
mtu FWSM-FW-Outside 1500
icmp permit any FWSM-Inside
icmp permit any FWSM-Outside
no asdm history enable
arp timeout 14400
access-group FWSM-FW-Inside_access_in in interface FWSM-FW-Inside
access-group FWSM-FW-Outside_access_in in interface FWSM-FW-Outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout pptp-gre 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect sunrpc
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:122e49b4b5cc3d25a1312dd80ae22c7f
: end

Any help or pointers greatly appreciated.

Thanks!


ritchieb
Level 1

I'd actually figured it out: the "host" I was using on VLAN 4041 was actually an SVI in a different VRF (for testing) and was using the same MAC address as VLAN 4040. Changed this and it sprung into life!
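As an added check for the root cause described in the reply (not code from the thread or from Cisco): the script below reads the bridge-group membership from the FWSM context config and the SVI MAC addresses from a 6500 "show interfaces" listing, and reports any two SVIs that the firewall bridges together while they share one MAC, which is the condition that stopped the transparent FWSM from forwarding here. Both inputs are constructed excerpts, and the MAC value is a made-up sample.

```python
import re
from collections import defaultdict

# Constructed excerpt of the FWSM context config from the post (bridge-group membership only).
FWSM_CONFIG = """\
interface Vlan4040
 nameif FWSM-Inside
 bridge-group 11
interface Vlan4041
 nameif FWSM-Outside
 bridge-group 11
interface BVI11
 ip address 192.168.0.1 255.255.255.248
"""

# Constructed 'show interfaces' excerpt from the 6500; both SVIs carry the same (made-up) MAC,
# reproducing the condition the reply identified.
SWITCH_SHOW_INTERFACES = """\
Vlan4040 is up, line protocol is up
  Hardware is EtherSVI, address is 0000.0c12.3456 (bia 0000.0c12.3456)
  Internet address is 192.168.0.6/29
Vlan4041 is up, line protocol is up
  Hardware is EtherSVI, address is 0000.0c12.3456 (bia 0000.0c12.3456)
  Internet address is 192.168.0.5/29
"""

MAC_RE = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"

def parse_bridge_groups(config):
    """Map bridge-group number -> set of VLAN ids the FWSM bridges together."""
    groups, vlan = defaultdict(set), None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):           # new interface block; only Vlan ones matter
            m = re.match(r"interface Vlan(\d+)$", line)
            vlan = int(m.group(1)) if m else None
            continue
        m = re.match(r"bridge-group (\d+)$", line)
        if m and vlan is not None:
            groups[int(m.group(1))].add(vlan)
    return dict(groups)

def parse_svi_macs(show_output):
    """Map VLAN id -> MAC address from IOS 'show interfaces' output (EtherSVI 'address is' line)."""
    macs, vlan = {}, None
    for line in show_output.splitlines():
        m = re.match(r"Vlan(\d+) is ", line)
        if m:
            vlan = int(m.group(1))
            continue
        m = re.search(r"address is " + MAC_RE, line, re.I)  # IP lines do not match the MAC pattern
        if m and vlan is not None:
            macs[vlan] = m.group(1).lower()
    return macs

def find_shared_svi_macs(groups, macs):
    """Return [(bridge_group, mac, [vlans])] for SVIs sharing a MAC inside one bridge group.
    A transparent firewall learns each MAC on one interface only, so two bridged SVIs with the
    same MAC make the bridge table flap and traffic between them is dropped or misdirected."""
    conflicts = []
    for bg, vlans in sorted(groups.items()):
        by_mac = defaultdict(list)
        for v in sorted(vlans):
            if v in macs:
                by_mac[macs[v]].append(v)
        conflicts += [(bg, mac, vs) for mac, vs in by_mac.items() if len(vs) > 1]
    return conflicts
```

Run find_shared_svi_macs(parse_bridge_groups(FWSM_CONFIG), parse_svi_macs(SWITCH_SHOW_INTERFACES)) against the real outputs; an empty list means every bridged SVI pair has distinct MACs.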
