07-03-2011 10:47 PM - edited 03-11-2019 01:54 PM
Hello,
I have attached a pdf of an example of a FWSM configuration with shared interfaces. Now what I don't get is (please refer to the link)
http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/exampl_f.pdf. Also attached the link
Is there any difference between the natting that they have done on page B-4 on Context A
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
as opposed to configuring a static NAT for processing traffic to correct context
static (inside,outside) 209.165.201.0 10.1.2.0
The other question is on page B-2 (diagram)
Context A has a customer A network linked to the inside interface. Is it possible to put a default route towards that "Network 2" cloud and restrict traffic from the 6509 switch towards the context A?
Thanks
07-03-2011 10:58 PM
Question 1:
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
This is configured if you only want outbound access from 10.1.2.0/24. This subnet will get PATed to the outside interface ip address.
static (inside,outside) 209.165.201.0 10.1.2.0
This is configured if you want to allow both inbound and outbound access to 10.1.2.0/24. Each ip address of 10.1.2.0/24 will be statically NATed to 209.165.201.0/24 respectively. Eg: 10.1.2.1 will be NATed to 209.165.201.1, 10.1.2.55 will be NATed to 209.165.201.55, etc.
Question 2:
Don't quite understand what you are trying to achieve with this question.
Why would you want to configure default route towards "Network 2" when you don't want access from Network 2 towards context A?
Do you mean that you would like access from Context A towards Network 2, however, you don't want access from Network 2 towards Context A? If that is the case, since the traffic between Context A and Network 2 is not actually passing through the FWSM, as per the diagram, Network 2 is just a route behind Context A, so all restriction needs to be configured on that intermediary router between Context A and Network 2.
07-03-2011 11:00 PM
Hello Jennifer,
You will be able to understand question 2 if you look at the post below, which I posted earlier.
07-04-2011 12:23 AM
Thanks, I've read through the other post, and based on your last post, the requirements seem to be the ability to access all VLANs from all contexts. If the requirements are to be able to access all VLANs, then multiple contexts might not be the solution for you. The reason why multiple contexts are configured is to allow access only to a specific context, but if the requirement is to access all VLANs within all contexts between each context, then it might be easier to just configure a single context.
07-04-2011 12:35 AM
Thanks Jennifer for your response.
That's what I wish to take back to the customer and let them use the single context as it is. I need to get one thing clarified before I can do this.
1. The default route will be pointing towards VLAN 14 as in the diagram from the previous post (https://supportforums.cisco.com/thread/2091740?tstart=0). Are there any complications involved when I am configuring static NAT for traffic processing from the 6509 switch, static (vlan11,shared) 192.168.10.0 192.168.10.10 (similar for other internal interfaces), and also when configuring NAT exemptions or static NAT towards the internet on VLAN 14?
2. Are there any complications for inter-context traffic when configuring in a shared interfaces scenario?
Thanks a lot
07-04-2011 12:50 AM
1. Based on the diagram, VLAN 14 is only connected to Context 2, so assuming that is the only access you need towards the Internet, then VLAN 14 generally should have the lowest security level, ie: configured as an outside interface.
You can't configure "static (vlan11,vlan14) 192.168.10.0 192.168.10.0" for internet traffic unless you are going to perform NAT on an upstream device. If you would like the FWSM to perform NAT for access to the Internet, then you would need to configure NAT exemption, and in the NAT exemption access-list, you would need to be specific on what subnet you would like to exempt from NAT.
Eg:
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (vlan11) 0 access-list nonat
From the above example, only traffic from 192.168.10.0/24 towards 192.168.50.0/24 will be exempted, and the rest will just be PATed when you configure NAT/Global pair towards the Internet.
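To see the difference between the three translation styles discussed in this thread (the nat/global PAT pair and the static from question 1, and the nat 0 exemption above), here is an added Python model that parses those config lines and shows what each does to a source address outbound and whether an outside host has anything to reach inbound. This is example code written for this post, not FWSM code or Cisco documentation; the outside interface address 209.165.200.225 and the "netmask 255.255.255.0" on the static (needed for the one-to-one subnet mapping described in question 1) are constructed assumptions, and the evaluation order (exemption, then static, then dynamic) is assumed.

```python
import ipaddress
# Constructed subset of FWSM 3.x nat/global/static/access-list syntax as used in this thread (no policy NAT).
def parse_fwsm_nat(lines, interface_ips):
    """Build a rule table from the config lines; interface_ips resolves the 'interface' keyword."""
    r = {"acl": {}, "exempt": {}, "static": [], "nat": {}, "global": {}}
    for t in (line.split() for line in lines if line.strip()):
        ifc = t[1].strip("()")                          # interface name(s) in parentheses
        if t[0] == "access-list":                       # access-list NAME permit ip SRC MASK DST MASK
            r["acl"].setdefault(t[1], []).append(
                (ipaddress.ip_network(f"{t[4]}/{t[5]}"), ipaddress.ip_network(f"{t[6]}/{t[7]}")))
        elif t[0] == "nat" and t[2] == "0":             # nat (IFC) 0 access-list NAME  (exemption)
            r["exempt"][ifc] = t[4]
        elif t[0] == "nat":                             # nat (IFC) ID NET MASK          (dynamic)
            r["nat"][(ifc, t[2])] = ipaddress.ip_network(f"{t[3]}/{t[4]}")
        elif t[0] == "global":                          # global (IFC) ID interface|ADDR
            r["global"][t[2]] = interface_ips[ifc] if t[3] == "interface" else t[3]
        elif t[0] == "static":                          # static (REAL,MAPPED) MAPPED REAL [netmask M]
            mask = t[t.index("netmask") + 1] if "netmask" in t else "255.255.255.255"
            r["static"].append((*ifc.split(","), ipaddress.ip_network(f"{t[3]}/{mask}"),
                                ipaddress.ip_network(f"{t[2]}/{mask}")))
    return r
def translate(rules, src_ifc, src_ip, dst_ip):
    """Outbound lookup: (mapped source address, mechanism) for a packet entering on src_ifc."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    acl = rules["exempt"].get(src_ifc)
    if acl and any(src in s and dst in d for s, d in rules["acl"].get(acl, [])):
        return src_ip, "exempt"                          # nat 0: address left unchanged
    for real_ifc, _, real_net, mapped_net in rules["static"]:
        if real_ifc == src_ifc and src in real_net:      # one-to-one; the same mapping serves inbound
            return str(mapped_net.network_address + (int(src) - int(real_net.network_address))), "static"
    for (ifc, nat_id), net in rules["nat"].items():
        if ifc == src_ifc and src in net and nat_id in rules["global"]:
            return rules["global"][nat_id], "pat"        # many-to-one on the global address, outbound only
    return None, "none"
def inbound_target(rules, mapped_ifc, mapped_ip):
    """Inbound lookup: only a static gives an outside host a fixed real address to reach; PAT gives none."""
    m = ipaddress.ip_address(mapped_ip)
    for _, mi, real_net, mapped_net in rules["static"]:
        if mi == mapped_ifc and m in mapped_net:
            return str(real_net.network_address + (int(m) - int(mapped_net.network_address)))
    return None
# Constructed config: the question 1 lines plus the nonat example; 209.165.200.225 is a made-up outside IP.
CONFIG = """nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
static (inside,outside) 209.165.201.0 10.1.2.0 netmask 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (vlan11) 0 access-list nonat
nat (vlan11) 1 192.168.10.0 255.255.255.0""".splitlines()
RULES = parse_fwsm_nat(CONFIG, {"outside": "209.165.200.225"})
```

With this table, 10.1.2.55 leaves as 209.165.201.55 and is reachable from outside at that address, 192.168.10.5 towards 192.168.50.7 is left untouched, and 192.168.10.5 towards the Internet is PATed to the outside interface address with no inbound counterpart.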
2. Yes, you would need to design this correctly, and check inter-context traffic communication if you plan to have access between contexts. Security levels and NATing need special attention when communication between contexts is required. For communication between contexts, traffic will only flow with the following security levels:
1) High --> Low --> Low --> High
2) Low --> High --> High --> Low
Plus you would also need to configure the correct NATing accordingly.