03-13-2010 01:59 AM - edited 03-11-2019 10:21 AM
Can I do the following using an external router instead of the MSFC? I have the exact scenario that's discussed, but it's not clear whether I can use a dedicated router for that purpose.
(See Figure 1-3)
http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/overvw.html#wp1137474
Will the FWSM classifier still perform as expected if the ingress traffic is not coming from the MSFC?
Thank you.
03-13-2010 02:48 AM
robdog01 wrote:
Can I do the following using an external router instead of the MSFC? I have the exact scenario that's discussed, but it's not clear whether I can use a dedicated router for that purpose.
(See Figure 1-3)
http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/overvw.html#wp1137474
Will the FWSM classifier still perform as expected if the ingress traffic is not coming from the MSFC?
Thank you.
Yes, you should be fine with that. The scenario in the link you gave is simply showing a shared outside VLAN, so a router with an interface in that VLAN will do just the same as the MSFC.
Jon
03-13-2010 08:56 AM
That's what I figured, but it's not working for me... If I use the MSFC, everything works fine. Once I switch to an external router, I have really sporadic outbound access from behind the FWSM contexts.
From what I understood, the MSFC and FWSM coordinate the ingress traffic so that it lands on the appropriate virtual context. It certainly seems like that's what's happening, but I'm looking for others who have firsthand experience with this and can share in my frustration.
Here is the configuration on the switch:
interface GigabitEthernet4/47
description To xxx router, inside interface (Internet router)
switchport
switchport access vlan 2
switchport mode access
logging event link-status
speed 100
duplex full
end
On the upstream router (cat3750):
ip route 0.0.0.0 0.0.0.0 1.1.1.229
interface FastEthernet1/0/2
description ISP Uplink
no switchport
ip address 1.1.1.230 255.255.255.252
ip access-group 101 in
speed 100
duplex full
end
!
interface FastEthernet1/0/10
description Internet routable /24 subnet
no switchport
ip address 2.2.2.1 255.255.255.0
ip access-group 102 in
speed 100
duplex full
end
Simple access lists to deny management traffic to those interfaces:
access-list 101 remark deny any management access to the external interface
access-list 101 deny tcp any host 1.1.1.230 eq 22
access-list 101 deny tcp any host 1.1.1.230 eq telnet
access-list 101 deny tcp any host 1.1.1.230 eq www
access-list 101 deny tcp any host 1.1.1.230 eq 443
access-list 101 deny tcp any host 1.1.1.230 eq ftp
access-list 101 deny tcp any host 1.1.1.230 eq ftp-data
access-list 101 deny udp any host 1.1.1.230 eq snmp
access-list 101 deny udp any host 1.1.1.230 eq snmptrap
access-list 101 remark deny any management access to the internal interface
access-list 101 deny tcp any host 2.2.2.1 eq 22
access-list 101 deny tcp any host 2.2.2.1 eq telnet
access-list 101 deny tcp any host 2.2.2.1 eq www
access-list 101 deny tcp any host 2.2.2.1 eq 443
access-list 101 deny tcp any host 2.2.2.1 eq ftp-data
access-list 101 deny tcp any host 2.2.2.1 eq ftp
access-list 101 deny udp any host 2.2.2.1 eq snmp
access-list 101 deny udp any host 2.2.2.1 eq snmptrap
access-list 101 permit ip any any
access-list 102 remark deny any management access to the internal interface
access-list 102 deny tcp any host 2.2.2.1 eq 22
access-list 102 deny tcp any host 2.2.2.1 eq telnet
access-list 102 deny tcp any host 2.2.2.1 eq www
access-list 102 deny tcp any host 2.2.2.1 eq 443
access-list 102 deny tcp any host 2.2.2.1 eq ftp-data
access-list 102 deny tcp any host 2.2.2.1 eq ftp
access-list 102 deny udp any host 2.2.2.1 eq snmp
access-list 102 deny udp any host 2.2.2.1 eq snmptrap
access-list 102 remark deny any management access to the external interface
access-list 102 deny tcp any host 1.1.1.230 eq 22
access-list 102 deny tcp any host 1.1.1.230 eq telnet
access-list 102 deny tcp any host 1.1.1.230 eq www
access-list 102 deny tcp any host 1.1.1.230 eq 443
access-list 102 deny tcp any host 1.1.1.230 eq ftp
access-list 102 deny tcp any host 1.1.1.230 eq ftp-data
access-list 102 deny udp any host 1.1.1.230 eq snmp
access-list 102 deny udp any host 1.1.1.230 eq snmptrap
access-list 102 permit ip any any
Thanks,
Rob.
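Added example, not from the thread or from Cisco: a small Python check of the ACL pattern Rob posted, confirming that every management port is denied for both router interface addresses before the catch-all permit (anything after `permit ip any any` is unreachable). The embedded ACL text is a constructed, deliberately incomplete subset of the posted lines so that gaps show up in the output.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the posted ACLs, intentionally
# missing several entries so the audit has something to report.
SAMPLE_ACL = """
access-list 101 remark deny any management access to the external interface
access-list 101 deny tcp any host 1.1.1.230 eq 22
access-list 101 deny tcp any host 1.1.1.230 eq telnet
access-list 101 deny udp any host 1.1.1.230 eq snmp
access-list 101 deny tcp any host 2.2.2.1 eq 22
access-list 101 permit ip any any
access-list 102 deny tcp any host 2.2.2.1 eq 22
access-list 102 permit ip any any
"""

# Management services the posted ACLs are meant to block on the router's own addresses.
MGMT_PORTS = {
    "tcp": {"22", "telnet", "www", "443", "ftp", "ftp-data"},
    "udp": {"snmp", "snmptrap"},
}
# The two interface addresses from the posted router config.
INTERFACE_IPS = {"1.1.1.230", "2.2.2.1"}

# Matches the numbered-ACL entry shape used in the post; remark lines are skipped.
ENTRY = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(\w+)\s+any\s+(host\s+(\S+)|any)(?:\s+eq\s+(\S+))?$"
)

def parse_acls(text):
    """Return {acl_number: [(action, proto, dst_host_or_None, port_or_None), ...]} in order."""
    acls = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            num, action, proto, _, host, port = m.groups()
            acls[num].append((action, proto, host, port))
    return acls

def missing_denies(entries):
    """Management (ip, proto, port) tuples not denied before the first 'permit ip any any'."""
    denied = set()
    for action, proto, host, port in entries:
        if action == "permit" and proto == "ip" and host is None:
            break  # later entries are shadowed by the catch-all permit
        if action == "deny" and host in INTERFACE_IPS and port in MGMT_PORTS.get(proto, ()):
            denied.add((host, proto, port))
    wanted = {(ip, proto, port) for ip in INTERFACE_IPS
              for proto, ports in MGMT_PORTS.items() for port in ports}
    return sorted(wanted - denied)

def audit(text):
    """Map each ACL number in the text to its list of missing management denies."""
    return {num: missing_denies(entries) for num, entries in parse_acls(text).items()}
```

Running `audit` over the full ACL text from the post should return an empty list for both 101 and 102; a non-empty list points at an interface/service pair that is still reachable.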
03-14-2010 09:38 AM
Rob
Strange, my understanding was that the classifier was an FWSM thing and not related to the MSFC at all. Let me do a little digging and see if I can come up with anything.
Jon
03-15-2010 04:15 PM
Thanks. For now, I'm using the MSFC, but will need to use an external router in the next few months due to needing to use subinterfaces as well as tying into other networks that I don't want the 6500 connected to.
Rob.