2478 Views, 0 Helpful, 9 Replies

FWSM Configuration - is this a working solution

rrockliff (Level 1)

Hi All

I am about to deploy 2 FWSMs in Active/Standby mode into a pair of Cat65 chassis running VSS.

I have considered Transparent mode; however, due to some of its limitations, this will not be a feasible scenario for the customer.

We run multiple VLANs. I want to avoid configuring all of the VLANs on the FWSM, as I do not want traffic from one inside VLAN to another inside VLAN going through the FWSM. I do, however, want traffic from the inside VLANs to the outside or DMZ VLANs to go via the FWSM.

Here is the scenario

We have 2 VLANS that we want to secure from users on the network

We want to add a DMZ interface

We do not want to perform any NAT between any of the networks (how can I disable this completely?)

I want all internal VLANs to route locally on the Cat65k and route all traffic to the outside or DMZ via a transit VLAN 40 (via the FWSM).

I want all external VLANs to route locally on the Cat65k and route all traffic to the inside or DMZ interface via a transit VLAN 110 (via the FWSM).

I want all DMZ VLANs to route locally on the Cat65k and route all traffic to the inside or outside VLANs via a transit VLAN 210 (via the FWSM).

Let's say for this example the outside untrusted VLANs will be 90 and 100, the inside trusted VLANs will be 20 and 30, and the DMZ VLAN will be 200.

The switch config for this will be, for example:

Inside VLANs

interface Vlan20
 description INSIDE VLAN 20
 ip address 10.1.20.1 255.255.255.0
!
interface Vlan30
 description INSIDE VLAN 30
 ip address 10.1.30.1 255.255.255.0
!
interface Vlan40
 description INSIDE TRANSIT VLAN 40
 ip address 10.1.40.1 255.255.255.0

Outside VLANs

interface Vlan90
 description OUTSIDE VLAN 90
 ip address 10.1.90.1 255.255.255.0
!
interface Vlan100
 description OUTSIDE VLAN 100
 ip address 10.1.100.1 255.255.255.0
!
interface Vlan110
 description OUTSIDE TRANSIT VLAN 110
 ip address 10.1.110.1 255.255.255.0

DMZ VLANs

interface Vlan200
 description DMZ VLAN 200
 ip address 10.1.200.1 255.255.255.0
!
interface Vlan210
 description DMZ TRANSIT VLAN 210
 ip address 10.1.210.1 255.255.255.0

I configure some firewall VLAN groups:

An inside group

firewall vlan-group 1 40
firewall module 1 vlan-group 1

An outside group

firewall vlan-group 2 110
firewall module 1 vlan-group 2

A DMZ group

firewall vlan-group 3 210
firewall module 1 vlan-group 3

So far I'm pretty sure I'm correct; please let me know if I'm off track here.

Now I configure some interfaces on the FWSM:

interface vlan 40
    nameif inside
    security-level 100
    ip address 10.1.40.2 255.255.255.0
interface vlan 110
    nameif outside
    security-level 0
    ip address 10.1.110.2 255.255.255.0
interface vlan 210
    nameif dmz
    security-level 50
    ip address 10.1.210.2 255.255.255.0

and configure some routes on the FWSM (next hop is the switch SVI address on each transit VLAN):

route inside 10.1.20.0 255.255.255.0 10.1.40.1
route inside 10.1.30.0 255.255.255.0 10.1.40.1
route outside 10.1.90.0 255.255.255.0 10.1.110.1
route outside 10.1.100.0 255.255.255.0 10.1.110.1
route dmz 10.1.200.0 255.255.255.0 10.1.210.1

then some routes on the switch (IOS static routes take a subnet mask, not a wildcard mask; next hop is the FWSM address on each transit VLAN):

ip route 10.1.20.0 255.255.255.0 10.1.40.2
ip route 10.1.30.0 255.255.255.0 10.1.40.2
ip route 10.1.90.0 255.255.255.0 10.1.110.2
ip route 10.1.100.0 255.255.255.0 10.1.110.2
ip route 10.1.200.0 255.255.255.0 10.1.210.2

I am hoping that this is a valid solution, and that someone may have some better ideas; please let me know if I am way off the mark.

I know I still have to apply ACLs etc. I am mainly concerned about the traffic flow and the routing between the VLANs, both locally and via the FWSM.

Thanks very much in advance for any feedback.

9 Replies

Jon Marshall (Hall of Fame)

You can't route VLANs 90 and 100 (untrusted) on the MSFC and then have them go to the FWSM to get to VLANs 20 and 30, because all these VLANs are directly connected interfaces on the MSFC, so traffic would simply route around the FWSM, e.g. traffic from a client in VLAN 90 would go to the VLAN 90 interface on the MSFC and then be routed straight through to the inside VLANs.

Adding routes to the switch pointing to FWSM interfaces will make no difference, because all the VLANs have directly connected interfaces on the MSFC.

If VLANs 90 and 100 are untrusted then they should be firewalled, i.e. you don't have an L3 VLAN interface for these VLANs on the MSFC; the L3 interfaces for these VLANs would be on the FWSM.

Does this make sense?

Jon
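To show why the static routes in the first post cannot steer traffic through the FWSM, here is an added Python model of MSFC route selection (example code, not from this thread or from Cisco): it applies longest prefix match and then administrative distance, with connected routes (AD 0) beating statics (AD 1). The "original" table uses the SVIs and static routes from the first post; the "firewalled" table follows Jon's design, with VLANs 20 and 30 removed from the MSFC and reached via a transit VLAN 50 and the FWSM outside address 192.168.5.2.

```python
import ipaddress

# IOS administrative distances: a connected route always beats a static.
AD = {"connected": 0, "static": 1}

def build_rib(svis, statics):
    """svis: {"Vlan20": "10.1.20.1/24", ...} (L3 SVIs on the MSFC);
    statics: [("10.1.20.0/24", "10.1.40.2"), ...] ('ip route' statements)."""
    rib = []
    for ifname, addr in svis.items():
        net = ipaddress.ip_interface(addr).network
        rib.append((net, AD["connected"], f"connected via {ifname}"))
    for prefix, nexthop in statics:
        rib.append((ipaddress.ip_network(prefix), AD["static"], f"static via {nexthop}"))
    return rib

def lookup(rib, dst):
    """Longest prefix match first, then lowest administrative distance."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in rib if ip in r[0]]
    if not candidates:
        return "no route"
    _net, _ad, path = max(candidates, key=lambda r: (r[0].prefixlen, -r[1]))
    return path

# Design from the first post: every VLAN is an SVI on the MSFC, and static
# routes for the inside VLANs point at the FWSM inside address 10.1.40.2.
ORIGINAL = build_rib(
    {"Vlan20": "10.1.20.1/24", "Vlan30": "10.1.30.1/24", "Vlan40": "10.1.40.1/24",
     "Vlan90": "10.1.90.1/24", "Vlan100": "10.1.100.1/24", "Vlan110": "10.1.110.1/24"},
    [("10.1.20.0/24", "10.1.40.2"), ("10.1.30.0/24", "10.1.40.2")],
)

# Jon's design: VLANs 20 and 30 exist only on the FWSM; the MSFC keeps the
# untrusted SVIs plus transit VLAN 50 and reaches 20/30 via 192.168.5.2.
FIREWALLED = build_rib(
    {"Vlan90": "10.1.90.1/24", "Vlan100": "10.1.100.1/24", "Vlan50": "192.168.5.1/29"},
    [("10.1.20.0/24", "192.168.5.2"), ("10.1.30.0/24", "192.168.5.2")],
)

if __name__ == "__main__":
    # A host in VLAN 90 sends to 10.1.20.50: the MSFC decides where it goes.
    for name, rib in (("original", ORIGINAL), ("firewalled", FIREWALLED)):
        print(f"{name}: 10.1.20.50 is reached {lookup(rib, '10.1.20.50')}")
```

In the original design the connected Vlan20 route wins and the FWSM is bypassed; in the firewalled design the only path to 10.1.20.0/24 is the static via the FWSM.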

Hi Jon

Makes perfect sense

Can it be achieved by adding the inside VLANs to the inside firewall VLAN group? (Same for the outside and DMZ groups.)

i.e.

An inside group

firewall vlan-group 1 20,30,40
firewall module 1 vlan-group 1

Would these VLANs then switch locally without forcing them through the FWSM?

If this is not an option, should I be concerned about performance, considering that this is a 10Gb network?

Or is the only option here to move all of the VLAN interfaces onto the FWSM?

Thanks for the quick reply

Cheers

Richard

Richard

There are 2 ways to deploy the FWSM:

FWSM -> MSFC -> vlans

MSFC -> FWSM -> vlans

The commonest is MSFC -> FWSM -> vlans.

Looking at both:

1) FWSM -> MSFC -> vlans 20 & 30

With FWSM -> MSFC -> vlans you can route internally between your trusted VLANs without having to go through the FWSM, i.e. you just route on the MSFC, but any VLANs on the outside of the FWSM or DMZs on the FWSM have to go through the FWSM to get to the MSFC.

The above setup would mean no traffic restriction between VLANs 20 and 30.

However, there are caveats to this approach depending on your topology. If you have WAN connectivity to the rest of your network, for example, and the other parts of your network need access to VLANs 20 and 30, you would need to make sure your WAN router connected to the MSFC and not via the FWSM; otherwise you have just firewalled your entire network from VLANs 20 and 30.

2) MSFC -> FWSM -> vlans 90 & 100

Here you have VLANs 90 and 100 behind the FWSM. To get to any other VLANs, these VLANs need to go through the FWSM. This may be a better solution depending on the rest of your network topology.

Again, no traffic restrictions between VLANs 20 & 30.

So with either solution you do not need to firewall all VLANs, just your untrusted ones. Which of the above to use depends on the rest of your setup, i.e. where your WAN links, other switches etc. are placed.

Jon

Again, thanks Jon, this all makes sense.

The topology is like this:

WAN links sit on the untrusted network.

Switches sit on the trusted network.

So from what I am understanding from your replies, the configuration should be like this:

Configured on the MSFC

Outside untrusted VLANs

interface Vlan90
 description OUTSIDE VLAN 90
 ip address 10.1.90.1 255.255.255.0
!
interface Vlan100
 description OUTSIDE VLAN 100
 ip address 10.1.100.1 255.255.255.0

An inside group for L3 interfaces on the FWSM

firewall vlan-group 1 20,30
firewall module 1 vlan-group 1

Configured on the FWSM

Inside VLANs

interface vlan 20
    nameif inside
    security-level 100
    ip address 10.1.20.1 255.255.255.0
interface vlan 30
    nameif inside
    security-level 100
    ip address 10.1.30.1 255.255.255.0

I think I'm still missing a point here: how do the untrusted VLANs route to the trusted VLANs? I assume we still need to create an outside interface on the FWSM.

Thanks for your patience.

Yes, you need a dedicated VLAN that connects the MSFC to the FWSM. So this VLAN, e.g. VLAN 50, would be created at L2 on the 6500 and then you create an L3 SVI for it as well, i.e.

int vlan 50
 ip address 192.168.5.1 255.255.255.248

Then you also create the outside interface on the FWSM and give it an IP address of 192.168.5.2.

Then you would simply add routes to the 6500, e.g.

ip route 192.168.5.2

for each VLAN you are firewalling.

With the setup you are proposing in your last post it is important to realise a couple of things:

1) This will only protect VLANs 20 and 30. If you have other VLANs on the MSFC these will be accessible from the untrusted networks via the MSFC.

2) You are limiting the throughput between VLANs 20 and 30, because to communicate they have to go through the FWSM. I say limit, but the FWSM does support up to 5Gbps throughput if I remember correctly.

If this is going to be a problem you could flip the design and not firewall VLANs 20 and 30, and instead firewall the whole MSFC with the FWSM as described in the previous post, but I think the design you propose is more suited to your setup.

One other thing. I have used static routes above because you only have 2 VLANs, but you can run a dynamic routing protocol between the FWSM and MSFC if you want to exchange routes for VLANs 20 & 30. But if it is only 2 VLANs then statics should be fine.

Obviously, using the example above, you would also need a default route on the FWSM, i.e.

route outside 0.0.0.0 0.0.0.0 192.168.5.1

Jon

Richard

Just a quick follow-up. If literally everything from the MSFC onwards, i.e. towards your WAN etc., is untrusted, then you could firewall the whole MSFC. I only mention this because I noticed in your first post that you said you didn't want to firewall between the trusted VLANs.

I only mention it as I don't want to give you bad advice.

Jon

Hi Jon, it's all coming together now and making much more sense.

It is not really important that the untrusted networks can talk to each other without being switched via the FWSM, but it is more critical that they must go via the FWSM to talk to the trusted networks (all up we are only looking at 4 trusted networks, plus a DMZ interface).

Therefore, from the discussion above and the great input that you have provided, my topology will look like this:

Untrusted VLAN 90,100 etc > MSFC > FWSM > Trusted VLAN 20,30 etc

Untrusted VLAN 90,100 etc > MSFC > FWSM > DMZ VLAN 200 etc

The untrusted VLANs are just plain old L3 interfaces configured on the MSFC that will talk to each other via the directly connected routes and talk to the trusted VLANs via a static route, i.e.

ip route <FWSM outside IP>

The trusted VLANs are L3 interfaces configured on the FWSM that are treated as usual firewall interfaces (same as on a physical ASA/PIX) and have a default route to the MSFC, i.e.

route outside 0.0.0.0 0.0.0.0

Awesome information, thank you so much.

Richard

Glad to hear it's making sense and happy to have helped.

Good luck with the implementation.

Jon

Yes, thank you very much for clearing this up.

Another question regarding failover.

As recommended, I should create a VLAN for the failover link and a VLAN for the state link.

In a VSS I have made the assumption that these VLANs are created on the actual switch, not in the VSS instance.

And do these VLANs need an IP address on the FWSM? The documentation is not too clear on this point.

Cheers

Richard
