03-25-2014 09:37 AM - edited 03-11-2019 08:59 PM
Hi All,
I have been reading for some time now, all related to the FWSM configuration, but I can't find a step-by-step guide on how to configure it in Transparent Mode on a Cisco 6509 Switch.
The main thing i need help with, is how to get it to communicate with the Cisco 6509.
If anybody can point me to the right direction/link/article/KB, would be great.
Thanks,
Ezequiel
03-25-2014 09:54 AM
Ezequiel
Have you looked at the configuration guide ? -
http://www.cisco.com/c/en/us/td/docs/security/fwsm/fwsm41/configuration/guide/fwsm_cfg/intfce_f.html
Jon
03-25-2014 10:31 AM
Hi Jon,
Thanks for the reply.
I have read two documents, one was 180 pages and the other one was over 400. I am not able to understand how to get the 6509 to communicate with the FWSM.
This is my Scenario:
I have to issue the "session slot 3 processor 1" command in order to get to the FWSM.
When there, I can see the following:
Version: Device Manager Version 5.2(4)F
Firewall Status:
FWSM# sho fire
Context Mode
admin Transparent
FWSM#
This is what I'm trying to do:
I have a client renting a server and he is expecting some DDoS and so forth; I want to put him behind the FWSM.
He is right now sitting on vlan 473. This is a L3 Switch, so vlan 473 exists on L2 and obviously an SVI (interface vlan) with the following configuration:
Router.(config-if)#do svlan 473
Building configuration...
Current configuration : 201 bytes
!
interface Vlan473
description 04001021613.PRIVATELAYER.CH
ip address 31.7.61.177 255.255.255.240
ip access-group SPAM out
no ip redirects
no ip proxy-arp
ipv6 address 2A02:29B8:2118::1/48
end
Router.(config-if)#
I am aware that in routed mode you have to add the same vlans to the FWSM and so forth, but in transparent mode, honestly I am clueless.
It's stated that I have to use TWO interfaces and configure the same IPs on each (...). In routed mode I know it's not possible, but in transparent mode it is somehow.
NOTE: I am only a CCNA but have done a LOT of research on the topic. I have not found a step-by-step guide, not even in the CCNP or CCIE training videos out there. (I have over 40GB of Cisco videos... getting frustrated)
Any help is appreciated.
Thanks,
Ezequiel
03-25-2014 12:16 PM
It's been a while since I did this but basically you need to bridge two vlans together.
So you have two vlans but they use the same IP subnet ie. no need to readdress the server.
You do not need two interfaces with the same IP because you only have a BVI with the IP and that is used for management ie. it does not affect traffic passing through the firewall.
Because vlan 473 is routed on the MSFC then you need a new vlan for the other side of the FWSM and your server would need allocating into this new vlan. So it would basically look like -
MSFC -> vlan 473 -> FWSM -> new vlan -> server
but the same IP subnet is used for both vlans.
The MSFC and the server in effect do not know about the FWSM.
What I am not sure about (can't remember) is how it works if there are other servers in vlan 473 ie. can you just leave them in vlan 473, which means they are not firewalled.
I believe you can but unfortunately can't say for sure.
My main concern is about allocating vlan 473 to the FWSM ie. in L3 mode you do not have to allocate the vlan between the FWSM and the MSFC.
Hopefully someone else can contribute to clear that point up.
Sorry I can only be of limited help.
Jon
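A concrete configuration for the bridged layout described above (MSFC -> vlan 473 -> FWSM -> new vlan -> server), as an added example that is not part of this thread or of Cisco's own documentation. It assumes FWSM 3.1 or later (bridge-group syntax), the FWSM in slot 3, VLAN 474 as the new inside VLAN, server port Gi1/1, server IP 31.7.61.178 and BVI address 31.7.61.190, all chosen to fit the 31.7.61.176/28 subnet on the SVI shown earlier.

```cisco
! --- Catalyst 6509 supervisor (IOS): hand both VLANs to the FWSM in slot 3 ---
! VLAN 473 keeps its SVI on the MSFC (31.7.61.177/28). VLAN 474 (assumed) is the
! new inside VLAN and stays L2 only, with no SVI, so the FWSM is the only path.
vlan 474
 name FWSM-INSIDE-473
!
firewall vlan-group 10 473,474
firewall module 3 vlan-group 10
! Only one VLAN in the group may have an SVI unless you also configure:
! firewall multiple-vlan-interfaces
!
! Move the server port (assumed Gi1/1) from VLAN 473 into the inside VLAN.
! Its IP address and default gateway (31.7.61.177) do not change.
interface GigabitEthernet1/1
 switchport access vlan 474
!
! --- FWSM admin context (session slot 3 processor 1), already in transparent mode ---
! Bridge group 1 joins the two VLANs. The BVI address is the management IP of
! the bridge group and must sit in the same /28 as the hosts (31.7.61.190 assumed).
interface vlan 473
 nameif outside
 bridge-group 1
 security-level 0
!
interface vlan 474
 nameif inside
 bridge-group 1
 security-level 100
!
interface bvi 1
 ip address 31.7.61.190 255.255.255.240
!
! Unlike the ASA, the FWSM forwards nothing, even from high to low security,
! until an ACL permits it. Expose only the services the server actually runs
! (server IP 31.7.61.178 assumed).
access-list OUTSIDE_IN extended permit tcp any host 31.7.61.178 eq 80
access-list OUTSIDE_IN extended permit tcp any host 31.7.61.178 eq 443
access-group OUTSIDE_IN in interface outside
!
access-list INSIDE_OUT extended permit ip host 31.7.61.178 any
access-group INSIDE_OUT in interface inside
!
! Route for traffic the FWSM itself originates (syslog, management); the MSFC SVI is the gateway.
route outside 0.0.0.0 0.0.0.0 31.7.61.177 1
```

Transparent mode only bridges IP and ARP by default; any other EtherType (for example BPDUs) needs an `access-list ... ethertype` entry, so keep the inside VLAN a single access port unless that is addressed.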
03-26-2014 02:25 PM
Hi Jon,
Thanks for your help.
And yes, I have those questions; I will read further and try to come up with a solution.
As for vlan 473, it only handles that one server; every server has its own vlan, and we keep it like that in order to isolate traffic from each other.
I will post in the future if I come up with the solution.
Thanks,
Ezequiel