FWSM - DMZ VLAN

markkingery
Level 1

I have just setup a 6513 with a firewall module running 2.3(4) software.

I have configured the Vlans and put them in the Firewall Vlan group.

I assigned the IP's on the firewall.

What I do not understand is this

I have a DMZ that is VLAN 600

On the 6513 do I need to assign a default IP to this Vlan?

I have 10.15.32.2 at security 60 on the pix in Vlan 600

What steps do I need to take to make sure I have this setup correctly?

Mark

11 Replies

Jon Marshall
Hall of Fame

Hi Mark

If this is a DMZ on the FWSM, then all you want on the 6513 switch is a layer 2 VLAN, which you have already done and allocated to the FWSM. Depending on how you are doing your routing, you may need a static route on the 6513 for the DMZ subnet with the next hop being the outside interface of your FWSM.

What you don't want is a layer 3 SVI on your 6513 or traffic will route round the FWSM to get to the DMZ.

You would then need to redistribute that static route into your IGP that you use on your network.

If you are running your FWSM in single mode you can also run OSPF on it and allow it to dynamically advertise its DMZ subnets.

HTH

Jon

Correct it is a DMZ for the FWSM only.

Here is my basic config of the FWSM.

FWSM Version 2.3(4)

nameif Vlan30 inside security100

nameif Vlan700 outside security0

nameif Vlan600 server security60

ip address inside 10.55.0.17 255.255.255.0

ip address outside 156.47.55.8 255.255.255.0

ip address server 10.55.32.2 255.255.255.0

icmp permit any inside

icmp permit any server

pdm location F51-DMZ 255.255.255.255 server

no pdm history enable

arp timeout 14400

global (outside) 1 156.47.55.10

global (server) 1 10.55.32.3

route inside 10.0.0.0 255.0.0.0 10.55.1.1 1

route outside 0.0.0.0 0.0.0.0 156.47.55.1 1

What route would I need to put on the 6513 to allow the inside network to be able to route correctly, and then it is my understanding that I now have to allow the inside network to talk to the lower security?

Mark

On a standalone ASA/PIX you don't need access-lists to go from a higher to a lower interface, but as you rightly point out, you do with the FWSM.

As for routing, where are your clients in relation to the FWSM inside interface? If they are on the same subnet as the FWSM inside interface then you don't need a route.

If they are on different VLANs then you would need, on your 6513:

ip route 10.55.32.0 255.255.255.0 10.55.0.17

But this will only add it to the 6513. If all your clients are on the 6513 or the 6513 is responsible for all your intervlan routing then that will do it.

HTH

Jon

OK, I have this configured. I am new to the FWSM and I appreciate your help.

My next question is: I want to ping a DMZ host from the inside network. I would love to see a simple config to allow me to do this.

Mark

Inside network = 10.55.0.0 255.255.0.0

DMZ host = 10.55.32.10

access-list acl_inside permit icmp 10.55.0.0 255.255.0.0 host 10.55.32.10 echo

access-group acl_inside in interface inside

access-list acl_dmz permit icmp host 10.55.32.10 10.55.0.0 255.255.0.0 echo-reply

access-group acl_dmz in interface server

nat (inside) 1 10.55.0.0 255.255.0.0

global (server) 1 interface

HTH

Jon
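As an added end-to-end illustration that is not configuration from this thread or from Cisco's documentation, here is how the switch side and the FWSM side fit together for the DMZ described above. The FWSM slot number, the 6513 inside SVI address (10.55.0.1) and the identity static are assumptions; the VLAN numbers, interface names and addresses are the ones already used in the thread.

```cisco
! ---- Catalyst 6513 (Supervisor IOS) ----
! DMZ VLAN 600 exists on the switch at layer 2 only
vlan 600
 name F51-DMZ
!
! Hand the firewall VLANs to the FWSM (slot 4 is an assumption)
firewall vlan-group 1 30,600,700
firewall module 4 vlan-group 1
!
! The inside VLAN is the only one of the three the 6513 routes on
! (SVI address 10.55.0.1 is an assumption; the FWSM inside is 10.55.0.17)
interface Vlan30
 ip address 10.55.0.1 255.255.255.0
!
! Deliberately no "interface Vlan600": an SVI on the DMZ VLAN would give
! the 6513 a directly connected route to 10.55.32.0/24 that bypasses the FWSM.
!
! Reach the DMZ subnet only through the FWSM inside interface
ip route 10.55.32.0 255.255.255.0 10.55.0.17

! ---- FWSM 2.3(4) ----
nameif Vlan30 inside security100
nameif Vlan700 outside security0
nameif Vlan600 server security60
ip address inside 10.55.0.17 255.255.255.0
ip address server 10.55.32.2 255.255.255.0
!
! Identity NAT so inside hosts keep their real addresses toward the DMZ
! (assumption: the thread instead uses nat/global id 1 to PAT to the server interface)
static (inside,server) 10.55.0.0 10.55.0.0 netmask 255.255.0.0
!
! The FWSM needs an ACL even from higher to lower security.
! Inside may send echo to the DMZ host; the DMZ host may only send echo-reply back.
access-list acl_inside permit icmp 10.55.0.0 255.255.0.0 host 10.55.32.10 echo
access-group acl_inside in interface inside
access-list acl_dmz permit icmp host 10.55.32.10 10.55.0.0 255.255.0.0 echo-reply
access-group acl_dmz in interface server
!
! Return path to the rest of the inside network via the 6513 inside SVI
route inside 10.0.0.0 255.0.0.0 10.55.0.1 1
```

Two checks on the 6513 confirm the intent: `show ip route 10.55.32.0` should show the static route with next hop 10.55.0.17, and `show ip interface brief` should list no Vlan600 interface. The identity static is a design choice: with it, DMZ logs show the real inside source addresses rather than the server interface address, and the ACL on the server interface can match real inside addresses. Hosts within VLAN 600 reach each other at layer 2 on the 6513 and never pass through the FWSM, so these ACLs only govern traffic crossing firewall interfaces.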

Do I still need to apply the access list to an access group on this version?

Mark

Yes, sorry about that, I did edit the previous post to add those lines into the config.

Jon

I got it working. Thanks for your help.

I need to find a good book on the FWSM.

Mark

Glad you got it sorted.

As for a book: to be honest, I recommend you save the money and download the relevant configuration guide from the Cisco web site.

Here is the one for FWSM 2.3.

http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/configuration/guide/fwsm_cfg.html

HTH

Jon

My next question is what do I need to do on the DMZ interface to allow hosts to talk to each other in the DMZ?

I got it fixed, it was a load balance issue.
