FWSM configuration with shared interface - confusion

sidcracker · ‎07-03-2011

Hello,

I have attached a pdf of an example of a FWSM configuration with shared interfaces. Now what I dont get is (please refer to the link)

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/exampl_f.pdf. Also attached the link

Is there any difference between the natting that they have done on page B-4 on Context A

nat (inside) 1 10.1.2.0 255.255.255.0

global (outside) 1 interface

as opposed to configuring a static NAT for processing traffic to correct context

nat(inside,outside) 209.165.201.0 10.1.2.0

The other question is on page B-2 (diagram)

Context A has a customer A network linked to the inside interface. Is it possible to put a default route towards that "Network 2" cloud and restrict traffic from the 6509 switch towards the context A?

Thanks

Jennifer Halim · ‎07-03-2011

Question 1:

nat (inside) 1 10.1.2.0 255.255.255.0

global (outside) 1 interface

This is configured if you only want outbound access from 10.1.2.0/24. This subnet will get PATed to the outside interface ip address.

static (inside,outside) 209.165.201.0 10.1.2.0

This is configured if you want to allow both inbound and outbound access to 10.1.2.0/24. Each ip address of 10.1.2.0/24 will be statically NATed to 209.165.201.0/24 respectively. Eg: 10.1.2.1 will be NATed to 209.165.201.1, 10.1.2.55 will be NATed to 209.165.201.55, etc.

Question 2:

Don't quite understand what you are trying to achieve with this question.

Why would you want to configure default route towards "Network 2" when you don't want access from Network 2 towards context A?

Do you mean that you would like access from Context A towards Network2, however, you don't want access from Network 2 towards Context A? If that is the case, since the traffic between Context A and Network 2 is not actually passing through the FWSM, as per the diagram, Network 2 is just a route behind Context A, so all restriction needs to be configured on that intermediary router between Context A and Network 2

sidcracker · ‎07-03-2011

Hello Jennifer,

You will be able to understand question 2 if you look at the below post i posted earlier

https://supportforums.cisco.com/thread/2091740?tstart=0

Jennifer Halim · ‎07-04-2011

Thanks, I've read through the other post, and base on your last post, the requirements seem to be the ability to access all VLANs from all contexts. If the requirements are to be able to access all VLANs, then multiple context might not be the solution for you. The reason why multiple context is configured is to allow only access to specific context, but if the requirement is to access all VLANs within all context between each context, then it might be easier to just configure a single context.

sidcracker · ‎07-04-2011

Thanks Jennifer for your reponse.

Thats what I wish to take back to the customer and let them use the single context as it is. I need to get one thing clarified before I can do this

1. The default route will be pointing towards VLAN 14 as in the diagram from the previous post (https://supportforums.cisco.com/thread/2091740?tstart=0). Are there are complications involved when I am configuring static nat for traffic processing from the 6509 switch static(vlan11,shared) 192.168.10.0 192.168.10.10 (similar for other internal interfaces) and also when configuring nat exemptions or static nat towards the internet on vlan 14

2. Are there any complications for inter context traffic when configuring in shared interfaces scenario.

Thanks a lot

Jennifer Halim · ‎07-04-2011

1. Base on the diagram, VLAN 14 is only connected to Context 2, so assuming that is the only access you need towards the Internet, then VLAN 14 generally should have the lowest security level, ie: configured as an outside interface.

You can't configure "static (vlan11,vlan14) 192.168.10.0 192.168.10.0" for internet traffic unless if you are going to perform NAT on any upstream device. If you would like the FWSM to perform NAT for access to the Internet, then you would need to configure NAT exemption, and in the NAT exemption access-list, you would need to be specific on what subnet you would like to exempt from NAT.

Eg:

access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0

nat (vlan11) 0 access-list nonat

From the above example, only traffic from 192.168.10.0/24 towards 192.168.50.0/24 will be exempted, and the rest will just be PATed when you configure NAT/Global pair towards the Internet.

2. Yes, you would need to design this correctly, and check inter context traffic communication if you plan to have access between context. Security level, and NATing need special attention when communication between context is required. For communication between context, traffic will only flow with the following security level:

1) High --> Low --> Low --> High

2) Low --> High --> High --> Low

Plus you would also need to configure the correct NATing accordingly.