All Traffic Move via FWSM (Transparent Mode)

mca.ahsan
Level 1

Dear Experts,

I am planning to deploy an FWSM module in a 6513 chassis and need your valuable comments regarding the strategy that I have created for this deployment.

Initially (without FWSM deployment), all internal traffic moves in this manner:

7613(G9/5) --> 6513(G10/4) --> ISA (Internal Int.) [NATing] (ISA External Int.) -->
6513(G9/45){This is L2 port in VLAN 164} --> VLAN 164(SVI Int,IP:192.168.40.20) -->
(G9/44){This is L2 port in VLAN 164} --> ASR 1002 --> Router --> Internet.

As you can see from the image, I am planning to deploy the FWSM in transparent mode in between

VLAN 164(SVI Int,IP:192.168.40.20) -[FWSM here]-> (G9/44){This is L2 port in VLAN 120}

by putting the inside interface of the FWSM in VLAN 164, creating a new VLAN on the 6513, i.e. VLAN 120, and putting G9/44 in it.

Please let me know whether this configuration will work regarding the passing of traffic through the FWSM, and what improvements I have to make to this design. You can check the attached diagram.

All comments are welcome.

Regards

Syed

3 Replies

Hi Bro

Let me get this right. You want to bridge VLAN 164 and VLAN 120 (network address 192.168.40.XXX/24).

This will allow all LAN users going to the Internet to pass through firstly the ISA box, and then the FWSM context, to the Cisco ASR router, am I right? Please kindly confirm whether I've got my understanding correct.

Regards,

Ram

Warm regards,
Ramraj Sivagnanam Sivajanam

Hello, Ramraj

You are right. Will this configuration work regarding the passing of traffic through the FWSM?


Hi Bro

Please give this config a try and let me know the outcome. If it still doesn't work, please paste your core switch's show run and the FWSM's latest show tech (from the system context).

------------------ show running-config (CORE-SWITCH) ------------------
!
hostname CORE-SWITCH
!
firewall autostate
firewall multiple-vlan-interfaces
firewall module 1 vlan-group 1
firewall vlan-group 1 120,164
!
ip route 0.0.0.0 0.0.0.0 192.168.40.40 name Internet_via_ASR_Router
!

------------------ show running-config (SYSTEM-CONTEXT) ------------------
!
hostname SYSTEM-CONTEXT
!
interface Vlan164
!
interface Vlan120
!
admin-context admin
context admin
  description *** Admin/Management Context ***
  allocate-interface Vlan??? visible
  config-url disk:/admin.cfg
!
context INTERNET-CONTEXT
  description *** INTERNET Context ***
  allocate-interface Vlan164 visible
  allocate-interface Vlan120 visible
  config-url disk:/internet.cfg
!

------------------ show running-config (ADMIN-CONTEXT) ------------------
!
hostname ADMIN-CONTEXT
!
interface Vlan???
  nameif inside
  security-level 100
  ip address XXX.XXX.XXX.XXX 255.255.255.0
!
route inside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
!

------------------ show running-config (INTERNET-CONTEXT) ------------------
!
firewall transparent
hostname INTERNET-CONTEXT
!
interface Vlan164
  description ### Facing Core Switch ###
  nameif inside
  bridge-group 1
  security-level 100
!
interface Vlan120
  description ### Facing Internet Router ###
  nameif outside
  bridge-group 1
  security-level 0
!
interface BVI1
  ip address 192.168.40.100 255.255.255.0
!
access-list inside permit ip any any
access-list outside permit ip any any
access-group inside in interface inside
access-group outside in interface outside
!
route outside 0.0.0.0 0.0.0.0 192.168.40.20
!

Warm regards,
Ramraj Sivagnanam Sivajanam
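A consistency check for the bridged VLAN pair discussed in this reply, added here as an example; it is not part of the thread and not a Cisco tool. It parses a constructed copy of the INTERNET-CONTEXT text and flags the mistakes that most often break such a design: no transparent mode, a bridged VLAN the core does not hand to the module in its firewall vlan-group, a management address off the default route's subnet, or a default route on the outside interface whose next hop is an inside-side address (the assumption, taken from the original poster's topology, is that the core SVI 192.168.40.20 lives on the inside side of the bridge).

```python
import ipaddress
import re
# Constructed sample: the transparent context posted above, with the core SVI 192.168.40.20 as next hop.
CONTEXT_CFG = """\
firewall transparent
interface Vlan164
 nameif inside
 bridge-group 1
interface Vlan120
 nameif outside
 bridge-group 1
interface BVI1
 ip address 192.168.40.100 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.40.20
"""
CORE_VLAN_GROUP = {120, 164}           # from 'firewall vlan-group 1 120,164'
INSIDE_SIDE_HOSTS = {"192.168.40.20"}  # core SVI, reachable only via 'inside' (assumed)

def parse_context(cfg):
    # Collect per-interface keywords, the BVI management address and the default route.
    ifaces, cur, mgmt, route, transparent = {}, {}, None, None, False
    for line in cfg.splitlines():
        if line.startswith("firewall transparent"):
            transparent = True
        elif m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {})
        elif m := re.match(r"\s+(nameif|bridge-group) (\S+)", line):
            cur[m.group(1)] = m.group(2)
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            mgmt = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            route = (m.group(1), ipaddress.ip_address(m.group(2)))
    return transparent, ifaces, mgmt, route

def review_transparent_context(cfg, core_vlans, inside_hosts):
    # Returns a list of findings; an empty list means the bridged pair looks consistent.
    transparent, ifaces, mgmt, route = parse_context(cfg)
    findings = [] if transparent else ["context is not in transparent mode"]
    bridged = {n: i for n, i in ifaces.items() if "bridge-group" in i}
    if len(bridged) != 2 or {i.get("nameif") for i in bridged.values()} != {"inside", "outside"}:
        findings.append("need exactly one inside and one outside interface in the bridge group")
    findings += [f"{n} is not in the core 'firewall vlan-group'"  # core must hand both VLANs over
                 for n in bridged if int(re.sub(r"\D", "", n) or 0) not in core_vlans]
    if mgmt is None or route is None:
        findings.append("management address or default route missing")
    elif route[1] not in mgmt.network:
        findings.append("default route next hop is off the management subnet")
    elif route[0] == "outside" and str(route[1]) in inside_hosts:
        findings.append(f"route outside points at {route[1]}, an inside-side address")
    return findings
```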