Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

2915
Views
0
Helpful
5
Replies
Highlighted
Chris Brun
Beginner
Beginner
‎06-08-2010 05:53 AM
‎06-08-2010 05:53 AM

FWSM in transparent mode

Attempting to set up the FWSM in transparent mode (single context).  Here is my scenario:  I have a 6509 with 3 VLANs…40 (DMZ), 41 (Staff), and 42 (Inside).  I would like to use the FWSM to control access transparently between the 3 VLANs.

Here is what I have set up:

6509

firewall multiple-vlan-interfaces

firewall module 7 vlan-group 40

firewall vlan-group 40  40-42

interface Vlan40

ip address 10.40.0.1 255.255.255.0

!

interface Vlan41

ip address 10.41.0.1 255.255.255.0

!

interface Vlan42

ip address 10.42.0.1 255.255.255.0

!

FWSM

FWSM Version 3.1(10)

firewall transparent

!

interface Vlan40

nameif DMZ

bridge-group 1

security-level 0

!

interface Vlan41

nameif Staff

bridge-group 2

security-level 50

!

interface Vlan42

nameif Inside

bridge-group 3

security-level 100

!

access-list DENY-ALL extended deny ip any any log

access-list DENY-ALL extended deny icmp any any log

access-group DENY-ALL in interface DMZ

I understood that without any ACLs, the default action would be deny, however I was able to communicate freely between all the VLANs.  I added the ACL to explicitly deny anything from the DMZ, but still able to communicate.

Would appreciate any assistance in how I can get the FWSM in transparent mode to control traffic between 3 VLANs.

Labels:
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to Chris Brun
‎06-10-2010 11:20 AM
‎06-10-2010 11:20 AM

Vlan 40 and 41 should be in the same subnet.

But hosts on switchports vlan access 40 and 41 will go through the FWSM that will be bridging these vlans.

So make sure you have 2 ports with hosts in each vlan and that their ip addresses are in the same subnet.

try pinging between them and then the FWSM should be bridging and you will see traffic through it.

I hope it helps.

PK

View solution in original post

0 Helpful
Reply
5 REPLIES 5
Highlighted
Kureli Sankar
Cisco Employee
Cisco Employee
‎06-08-2010 07:12 AM
‎06-08-2010 07:12 AM

Pls. follow the sample here: http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/exampl_f.html#wp1029042

You need two vlans in a bridge group.

Transparent firewall overview: http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/fwmode_f.html#wp1220104

-KS

0 Helpful
Reply
Highlighted
Chris Brun
Beginner
Beginner
In response to Kureli Sankar
‎06-10-2010 07:16 AM
‎06-10-2010 07:16 AM

I "think" I followed the instructions ... placing two VLANs in a single bridge_group (although that goes against everything I believe about routing!) ... but still can not seem to control access between VLAN 40 & 41.  I still have full access between devices on both subnets.

interface Vlan40
nameif DMZ
bridge-group 1
security-level 0
!
interface Vlan41
nameif Schools
bridge-group 1
security-level 50
!
access-list DENY-ALL extended deny ip any any log
access-list DENY-ALL extended deny icmp any any log
access-group DENY-ALL in interface DMZ

Appriciate any advice.

0 Helpful
Reply
Highlighted
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to Chris Brun
‎06-10-2010 11:20 AM
‎06-10-2010 11:20 AM

Vlan 40 and 41 should be in the same subnet.

But hosts on switchports vlan access 40 and 41 will go through the FWSM that will be bridging these vlans.

So make sure you have 2 ports with hosts in each vlan and that their ip addresses are in the same subnet.

try pinging between them and then the FWSM should be bridging and you will see traffic through it.

I hope it helps.

PK

View solution in original post

0 Helpful
Reply
Highlighted
Chris Brun
Beginner
Beginner
In response to Panos Kampanakis
‎06-10-2010 11:36 AM
‎06-10-2010 11:36 AM

Thank you...that was my misunderstanding.  Both VLANs are using the same subnet linked back together by the bridge-group --- the pieces all fit now!

0 Helpful
Reply
Highlighted
Panos Kampanakis
Cisco Employee
Cisco Employee
In response to Chris Brun
‎06-10-2010 11:45 AM
‎06-10-2010 11:45 AM

Yup, glad it helped.

PK

0 Helpful
Reply
Latest Contents
Bridge the security gap with Cisco Remote Secure Worker
Created by Kelli Glass on 02-26-2021 04:37 PM
0
0
0
0
More people are working remotely, and this increases the risk of security breaches and the difficulty in defending remote workers where they work and securing the devices they use. Learn about Cisco Remote Secure Worker solutions that verify workers, secu... view more
ISE Performance & Scale
Created by howon on 02-24-2021 08:26 PM
11
214
11
214
    ISE Node Terminology PAN MNT PSN PXG Policy Administration Node Monitoring & Troubleshooting Node Policy Services Node Platform Exchange Grid Node The single plane of glass for ISE administration and configuration operatio... view more
Detecting and Responding to the SolarWinds Infrastructure At...
Created by aligarci on 02-23-2021 08:19 AM
0
5
0
5
On December 8, FireEye reported that it had been compromised in a sophisticated supply chain attack: more specifically through the SolarWinds Orion IT monitoring and management software. The attackers leveraged business software updates in order to distr... view more
Arista CloudVision WiFi Dictionary and NAD Profile for ISE I...
Created by hslai on 02-21-2021 01:59 PM
0
10
0
10
Attached are the dictionary and NAD profile as described in Arista CloudVision WiFi Integration with Cisco ISE .
Cisco Secure Endpoint Free Trial Guide
Created by E.L. Howard on 02-15-2021 07:36 PM
0
0
0
0
  About this Document Cisco Secure Endpoint (formerly AMP for Endpoints) is a comprehensive Endpoint Security solution designed to function both as a stand-alone tool, and as a part of the architecture of natively integrated Cisco and 3rd par... view more
Content for Community-Ad