11-15-2011 03:45 PM - edited 03-11-2019 02:51 PM
Hi,
I want to set up FWSM 4.1 on a Cat6509 with multiple bridge groups in one transparent context (the manual says it can support up to 8 bridge-groups, and the intent is to save security contexts). For a host in VLAN21 (b1_inside) to talk to a host in VLAN41 (b2_inside), traffic needs to go out to the MSFC, which routes it back through the FWSM. My question is how I can define a default route per bridge-group. I would assume the FWSM should take the following two default routes, one per bridge-group interface, but it won't:
route b1_outside 0.0.0.0 0.0.0.0 10.11.75.1 1
route b2_outside 0.0.0.0 0.0.0.0 10.11.76.1 1
It seems it allows only one default route per context and gives me an error: "ERROR: Cannot add route entry, possible conflict with existing route"
How can I achieve an outside per individual bridge-group? Help is greatly appreciated.
FWSM context config:
Interface VLAN11
nameif b1_outside
bridge-group 1
security-level 0
!
Interface VLAN21
nameif b1_inside
bridge-group 1
security-level 100
!
Interface VLAN31
nameif b2_outside
bridge-group 2
security-level 0
!
Interface VLAN41
nameif b2_inside
bridge-group 2
security-level 100
!
interface BVI1
ip address 10.11.75.254 255.255.255.0
!
interface BVI2
ip address 10.11.76.254 255.255.255.0
!
The 6509 has the following SVIs defined, and all VLANs are assigned to the firewall:
interface vlan11
ip address 10.11.75.1 255.255.255.0
no shut
!
interface vlan31
ip address 10.11.76.1 255.255.255.0
no shut
!
11-19-2011 06:31 AM
Hello,
In transparent mode, the FWSM is not routing the VLAN's traffic. Instead, think of the firewall as a layer 2 bridge between 2 VLANs in the bridge-group. The static routes that you configure in transparent mode are only used for management traffic and for certain functionality in application inspections, not for routing of user traffic.
Instead, you need to set the default gateway of your clients to be the MSFC's IP address. This IP will be in the same layer 3 subnet as the client's IP, but will be on a different VLAN bridged together by the FWSM. The hosts will send ARP requests for the gateway IP to resolve the MAC address and the FWSM will forward the traffic on strictly at layer 2 (assuming your ACLs/security policy allow it).
Hope that helps.
-Mike
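To make the forwarding path concrete, here is an added illustration (not FWSM or IOS code, and not from the thread) that models the topology above: a host in VLAN21 with the MSFC SVI as its gateway is bridged to VLAN11 by bridge-group 1, routed by the MSFC to VLAN31, and bridged to VLAN41 by bridge-group 2, so inter-bridge-group traffic is inspected twice and the context's static routes are never consulted. The permit policy and host addresses are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's topology (illustration, not FWSM or IOS code).
# Each bridge-group joins an outside VLAN (holding the MSFC SVI) to an inside VLAN.
BRIDGE_GROUPS = {1: ("VLAN11", "VLAN21"), 2: ("VLAN31", "VLAN41")}  # (outside, inside)
MSFC_SVIS = {"VLAN11": ip_network("10.11.75.0/24"), "VLAN31": ip_network("10.11.76.0/24")}
# Constructed access policy the FWSM applies on every bridging step.
PERMIT = [ip_network("10.11.75.0/24"), ip_network("10.11.76.0/24")]

def bridge_group(vlan):
    """(group number, peer VLAN) for a VLAN that belongs to a bridge-group."""
    for group, pair in BRIDGE_GROUPS.items():
        if vlan in pair:
            return group, pair[1 - pair.index(vlan)]
    raise ValueError(f"{vlan} is not in any bridge-group")

def fwsm_forward(vlan, src, dst):
    """Transparent FWSM step: policy check, then layer-2 forward to the peer VLAN.
    No route lookup: the context's 'route' entries never decide user traffic."""
    if not any(src in n for n in PERMIT) or not any(dst in n for n in PERMIT):
        return None
    group, peer = bridge_group(vlan)
    return f"FWSM bg{group}: {vlan} -> {peer}", peer

def msfc_forward(dst):
    """MSFC routing step: the SVI whose connected subnet contains dst."""
    for vlan, net in MSFC_SVIS.items():
        if dst in net:
            return f"MSFC: route {net} out {vlan}", vlan
    return None

def trace(src_vlan, src, dst):
    """Hops from a host in src_vlan (gateway = MSFC SVI) to the address dst."""
    src, dst = ip_address(src), ip_address(dst)
    hops = [f"host {src} on {src_vlan}"]
    step = fwsm_forward(src_vlan, src, dst)           # inside -> outside, inspection 1
    if step is None:
        return hops + ["DROP: FWSM policy"]
    hops.append(step[0])
    if any(src in n and dst in n for n in MSFC_SVIS.values()):   # same subnet: no routing
        return hops + [f"delivered on {step[1]}"]
    route = msfc_forward(dst)                         # MSFC routes between its SVIs
    if route is None:
        return hops + ["DROP: MSFC has no route"]
    hops.append(route[0])
    step = fwsm_forward(route[1], src, dst)           # outside -> inside, inspection 2
    if step is None:
        return hops + ["DROP: FWSM policy"]
    return hops + [step[0], f"delivered to {dst} on {step[1]}"]
```

Calling `trace("VLAN21", "10.11.75.10", "10.11.76.10")` lists the five hops; a destination outside the permitted subnets is dropped at the first FWSM step.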
11-28-2011 11:09 AM
Thanks very much. I figured out the default gateway was just for the switch management only, just before you replied. But thanks anyway, it makes sense.