12-27-2009 08:19 AM - edited 03-11-2019 09:51 AM
Dear All,
We have an FWSM on a 6513 core switch; we configured it in routed mode without NAT (by just typing the "no nat-control" command). Now I face a problem: the users on the inside interface can't access the Internet, although I can ping any Internet site through the outside interface.
Also, not all the VLANs on the core switch pass through the FWSM, so how can I permit the users that pass through the FWSM to communicate with the other VLANs that are on the core switch?
Please find below the configuration of the FWSM:
interface Vlan254
nameif outside
security-level 100
ip address 172.29.254.200 255.255.255.0
!
interface Vlan800
nameif Inside1
security-level 100
ip address 10.50.10.2 255.255.255.0
!
interface Vlan820
nameif Inside2
security-level 100
ip address 10.50.20.2 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list test extended permit ip 10.50.20.0 255.255.255.0 10.50.10.0 255.255.255.0
access-list test extended permit ip 10.50.10.0 255.255.255.0 10.50.20.0 255.255.255.0
access-list test extended permit ip 10.50.10.0 255.255.255.0 172.30.240.0 255.255.255.0 >>>>> (172.30.240.0 is the subnet that doesn't pass through the FWSM and is created on the core switch)
access-list test extended permit ip any any
access-group test in interface Inside1
access-group test in interface Inside2
route outside 0.0.0.0 0.0.0.0 172.29.254.1 1
12-27-2009 09:20 AM
We have an FWSM on a 6513 core switch; we configured it in routed mode without NAT (by just typing the "no nat-control" command). Now I face a problem: the users on the inside interface can't access the Internet, although I can ping any Internet site through the outside interface.
Where are the 10.x.x.x addresses getting NATed, as these are not routable on the Internet? Also, does the MSFC on the 6500 know how to get to the 10.x.x.x addressing? I.e. you can either
1) exchange routing information between the MSFC and the FWSM
OR
2) you can have static routes on the MSFC, i.e.
ip route 10.50.10.0 255.255.255.0 172.29.254.200
ip route 10.50.20.0 255.255.255.0 172.29.254.200
If you use option 2) then any other VLANs connected to the 6500 will be able to route to the 10.50.x.x addressing. If you have remote sites or other VLANs not routed on the 6500 then you will need to redistribute the above statics into your routing protocol.
Also, not all the VLANs on the core switch pass through the FWSM, so how can I permit the users that pass through the FWSM to communicate with the other VLANs that are on the core switch?
Well you need to allow the traffic but it looks like you have done that. I would check the routing as above.
Jon
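The following is an added configuration example, not part of Jon's reply or of the original post, that carries his option 2 through on both sides of the FWSM. It uses the addresses from Heba's configuration; the OSPF process number ("ospf 1") and the assumption that 172.29.254.1 is the MSFC SVI on VLAN 254 are assumptions, not facts stated in the thread.

```cisco
! === MSFC (6513 core switch) ===
! Static routes for the FWSM-protected subnets. The next hop is the FWSM
! outside interface address (172.29.254.200) from the original post.
ip route 10.50.10.0 255.255.255.0 172.29.254.200
ip route 10.50.20.0 255.255.255.0 172.29.254.200
!
! Only needed if remote sites or other routers learn routes dynamically from
! this MSFC. "ospf 1" is an assumed process number; use whatever protocol and
! process is actually running.
router ospf 1
 redistribute static subnets
!
! Verification on the MSFC: both lookups should resolve via 172.29.254.200.
! show ip route 10.50.10.0 255.255.255.0
! show ip route 10.50.20.0 255.255.255.0
!
! === FWSM ===
! The FWSM has no route for 172.30.240.0/24 (that VLAN lives only on the
! MSFC), so Inside1 -> 172.30.240.0 traffic follows the default route to the
! MSFC (172.29.254.1, assumed to be the VLAN 254 SVI). The MSFC delivers it to
! the local VLAN; the reply only comes back once the MSFC has the static routes
! above, which is why the ACL alone was not enough.
route outside 0.0.0.0 0.0.0.0 172.29.254.1 1
!
! Verification on the FWSM while a host on 10.50.10.0/24 is sending traffic:
! show route
! show conn
```

With both halves in place a packet from 10.50.10.x to 172.30.240.x and its reply each have a usable route; if only the FWSM default route exists, the reply from the 172.30.240.0/24 VLAN has nowhere to go and the session never completes.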
12-28-2009 06:23 AM
Jon,
thanks a lot for your reply.
I already use option 2 but unfortunately the ip route command was wrongly configured.
12-28-2009 09:21 AM
hebaelshahat wrote:
Jon,
thanks a lot for your reply.
I already use option 2 but unfortunately the ip route command was wrongly configured.
No problem. Presumably this fixed both issues?
Jon
12-28-2009 10:10 AM
Hi Jon,
Yes, the two issues are fixed, but users on VLAN 800 can't ping users on VLAN 820 and vice versa, although I opened ping on all the interfaces.
Also, I'd like to configure failover between two FWSMs on two 6513 core switches. I'll configure active/standby single-mode failover, but I can't find any configuration example. Can you help me with that issue?
thanks in advance!
Regards,
Heba
12-28-2009 10:18 AM
hebaelshahat wrote:
Hi Jon,
Yes, the two issues are fixed, but users on VLAN 800 can't ping users on VLAN 820 and vice versa, although I opened ping on all the interfaces.
Also, I'd like to configure failover between two FWSMs on two 6513 core switches. I'll configure active/standby single-mode failover, but I can't find any configuration example. Can you help me with that issue?
thanks in advance!
Regards,
Heba
Heba
Here is the config chapter for failover for the FWSM -
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/fail_f.html
As for communication between VLAN 800 and VLAN 820, can you pass any traffic between these 2 VLANs?
Jon
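As an added example that is not from Jon's reply or from the linked Cisco chapter, here is the shape of an active/standby single-mode FWSM failover configuration of the kind Heba asks about. The failover and state VLAN numbers (10 and 11), the link addresses (192.168.1.x, 192.168.2.x), the standby addresses (.3) and the module slot number (5) are all assumed values; the interface addresses are Heba's.

```cisco
! === Both 6513 switches (supervisor side) ===
! The failover and state VLANs must exist on both switches, be trunked between
! them, and be assigned to the FWSM together with the data VLANs.
! Slot 5 and VLANs 10/11 are assumed values.
firewall vlan-group 1 254,800,820,10,11
firewall module 5 vlan-group 1
!
! === Primary FWSM (single mode) ===
! Every routed interface gets a standby address so the secondary unit can be
! reached and monitored; the active unit always owns the primary address.
interface Vlan254
 nameif outside
 ip address 172.29.254.200 255.255.255.0 standby 172.29.254.201
!
interface Vlan800
 nameif Inside1
 ip address 10.50.10.2 255.255.255.0 standby 10.50.10.3
!
interface Vlan820
 nameif Inside2
 ip address 10.50.20.2 255.255.255.0 standby 10.50.20.3
!
! Dedicated failover (hello/config sync) link on VLAN 10.
failover lan unit primary
failover lan interface faillink vlan 10
failover interface ip faillink 192.168.1.1 255.255.255.0 standby 192.168.1.2
! Dedicated stateful link on VLAN 11 so existing connections survive a switchover.
failover link statelink vlan 11
failover interface ip statelink 192.168.2.1 255.255.255.0 standby 192.168.2.2
failover polltime unit 1 holdtime 3
! Enable failover last, after the links are defined.
failover
!
! === Secondary FWSM ===
! Only the failover link needs to be configured; the rest is replicated from
! the primary once both units see each other.
failover lan unit secondary
failover lan interface faillink vlan 10
failover interface ip faillink 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover
!
! Verification on either unit:
! show failover
! show failover state
```

Keep the failover and state VLANs off the user-facing trunks and dedicated to the pair of switches: the hello traffic on the failover link decides which unit is active, and the state link carries connection tables in the clear.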
12-28-2009 10:26 AM
Yes, I can pass traffic between them but they can't ping each other.
12-28-2009 10:35 AM
hebaelshahat wrote:
Yes, I can pass traffic between them but they can't ping each other.
Okay, not sure what is happening, as permit ip should include ICMP, and if you can pass traffic then it shows your config is okay. Have you got ICMP inspection enabled on the FWSM?
Jon
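Added here as an example rather than anything Jon or Heba posted, this is how ICMP inspection is enabled on an FWSM running 3.x modular policy framework syntax (the software version is assumed; the thread does not state it), together with the checks that tell the two cases apart. One point worth separating from the thread's "opened ping on all the interfaces": the FWSM "icmp permit" command governs ICMP addressed to the FWSM interface itself and has no effect on pings that transit between Inside1 and Inside2.

```cisco
! === FWSM ===
! With ICMP inspection, each echo request opens a connection entry and the
! matching echo reply is tied to it; without inspection every reply is
! evaluated as an unrelated packet against the ACL of the interface it
! arrives on. "global_policy" and "inspection_default" are the default
! names on 3.x code (assumed to be present in this deployment).
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
!
! Verification while a ping from 10.50.10.x to 10.50.20.x is running:
! show service-policy             (confirms "inspect icmp" is applied globally)
! show conn                       (an ICMP entry Inside1<->Inside2 should appear)
! show access-list test           (hit counts on the "permit ip any any" line)
! show logging | include 10.50.20 (any deny naming the reply flow)
!
! For comparison, this only affects pings *to* the firewall, not through it:
! icmp permit any Inside1
! icmp permit any Inside2
```

If "show conn" shows the ICMP entry and "show access-list" counters increment on both inside interfaces while the ping still fails, the FWSM is forwarding the packets and the drop is happening on the hosts or elsewhere on the path, which is the point Jon's last question is driving at.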