08-21-2007 09:38 AM - edited 03-11-2019 04:00 AM
I do have a 6509-E with the FWSM module. I created two contexts within the FWSM, context A and context B, both in transparent mode.
Context A is "connected" to the MSFC via BVI with the IP 192.168.180.2; the MSFC IP for VLAN180 is 192.168.180.1, and in context A VLAN180 is bound to the BVI. So far, up to this point, I have a connection between the MSFC and Context A.
Now, if I want to put a server behind context A with server IP=192.168.180.100, and be able to apply some ACLs to allow certain traffic to the server, how would I achieve this?
I know that in this mode the context needs two logical interfaces; one is VLAN180, already bound to the BVI, but what about the logical interface where I'm supposed to connect the server?
Thanks in advance
Alex
08-21-2007 09:44 AM
Can you post your config?
08-21-2007 10:10 AM
Here is the config for the MSFC:
=========
NEW-CORE3#sh run
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
redundancy
mode sso
main-cpu
auto-sync running-config
auto-sync standard
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
!
interface Port-channel1
ip address 192.168.220.105 255.255.255.248
!
interface GigabitEthernet1/1
no ip address
shutdown
**( the rest of the physical ports config has been omitted to save space)
!
interface Vlan1
no ip address
shutdown
!
interface Vlan180
ip address 192.168.180.1 255.255.255.0
!
interface Vlan185
ip address 192.168.185.1 255.255.255.0
!
interface Vlan186
description "Logical Interface for ADMIN context firewall"
ip address 192.168.186.1 255.255.255.0
!
interface Vlan190
ip address 192.168.190.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.220.106
no ip http server
!
control-plane
!
dial-peer cor custom
!
line con 0
line vty 0 4
login local
transport input telnet ssh
transport output telnet ssh
!
!
end
=================================
Configuration on the FWSM:
CORE3-FWSM# sh run
: Saved
:
FWSM Version 3.1(6)
!
resource acl-partition 12
hostname CORE3-FWSM
interface Vlan180
!
interface Vlan186
!
interface Vlan188
!
interface Vlan190
!
passwd 2KFQnbNIdI.2KYOU encrypted
class default
limit-resource All 0
limit-resource IPSec 5
limit-resource Mac-addresses 65535
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
no failover
no asdm history enable
arp timeout 14400
console timeout 0
admin-context ADMIN
context ADMIN
description "ADMIN Context"
allocate-interface Vlan186
config-url disk:/contextADMIN
!
context A
description "Unix Servers Farm"
allocate-interface Vlan180
allocate-interface Vlan188
config-url disk:/contextA.cfg
!
context B
description "WINTEL Servers Farm"
allocate-interface Vlan190
config-url disk:/contextB.cfg
!
prompt hostname context
Cryptochecksum:e89a1aaa37e2559418bdb042dbd6543d
: end
========================
Configuration on Context A:
CORE3-FWSM/A# sh run
: Saved
:
FWSM Version 3.1(6)
!
firewall transparent
hostname A
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan180
nameif OUTSIDE
bridge-group 1
security-level 0
!
interface Vlan188
nameif INSIDE
bridge-group 1
security-level 100
!
interface BVI1
description "L3 interface for Context A"
ip address 192.168.180.2 255.255.255.0
!
access-list 101 extended permit icmp any host 192.168.180.100
access-list 102 extended permit icmp host 192.168.180.100 any
access-list 102 extended permit icmp any host 192.168.180.100
pager lines 24
logging monitor debugging
mtu OUTSIDE 1500
mtu INSIDE 1500
icmp permit any OUTSIDE
no asdm history enable
arp timeout 14400
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.180.1 1
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.180.1 255.255.255.255 OUTSIDE
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect smtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:0878547f1b30fa39dbb0ff38806f88a7
: end
===========================
As you can see, I created vlan 188 for the "INSIDE" of Context A, but if the server is inside the same subnet as the MSFC vlan 180, then having a different vlan for the inside part of the context breaks the fact that two hosts on the same subnet must also belong to the same vlan.
08-21-2007 10:43 AM
You will have different vlans, but the vlans will use the same IP subnet because the vlans are bridged by a BVI interface. It's the way it works in the FWSM, because the FWSM uses SVIs (virtual interfaces). If you had a PIX/ASA you wouldn't see a BVI, because the PIX/ASA automatically bridges the physical inside and outside interfaces.
08-21-2007 10:01 AM
Remember that the BVIs are created in the FWSM to bridge the inside and outside interfaces. Then you assign vlans to the ports where you are going to connect your servers or any other network device.
i.e.
Inside interface is interface vlan 180.
Outside interface is interface vlan 150.
You want your mail server in the inside. You assign the port where the mail server is connected to vlan 180. If you want it in the outside you use vlan 150.
Take a look at this:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/exampl_f.html#wp1029042
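Putting the answers above together with the poster's own context A, the following is an added configuration example (not config from this thread, and not Cisco's documentation): the server's switchport on the 6509 is placed in the inside VLAN 188, the FWSM is given both bridged VLANs, and the ACLs the poster already defined (101 and 102) are actually applied with access-group, which the posted context A config does not yet do. The switchport name GigabitEthernet1/2, the FWSM slot number and the vlan-group number are assumptions; the VLAN numbers, ACL numbers, nameifs and addresses are the ones from the thread.

```cisco
! ---- MSFC / Catalyst 6509 supervisor (IOS) ----
! Hand VLANs 180, 186, 188 and 190 to the FWSM so the module can
! bridge 180 <-> 188 inside context A. The poster omitted this part
! of the config, so the vlan-group number and slot are assumed.
firewall vlan-group 1 180,186,188,190
firewall module <FWSM-SLOT> vlan-group 1
!
! Only the MSFC owns an SVI for VLAN 180 (192.168.180.1). No SVI is
! created for VLAN 188: the server reaches the MSFC through the
! bridged context, not through a second L3 gateway.
!
! Server port: assumed to be Gi1/2. It sits in VLAN 188 (INSIDE of
! context A) while the server itself keeps 192.168.180.100/24 and
! 192.168.180.1 as its default gateway.
interface GigabitEthernet1/2
 description Unix server 192.168.180.100 (inside of context A)
 switchport
 switchport mode access
 switchport access vlan 188
 spanning-tree portfast
!
! ---- FWSM context A (transparent) ----
! Interfaces, bridge-group 1 and BVI1 are as the poster configured them.
! What was missing is binding the ACLs to the interfaces. In transparent
! mode on FWSM 3.1 ICMP is not tracked statefully, so both directions
! need an explicit permit, which is why 101 and 102 both exist.
access-list 101 extended permit icmp any host 192.168.180.100
access-list 102 extended permit icmp host 192.168.180.100 any
access-list 102 extended permit icmp any host 192.168.180.100
!
! Traffic arriving from the MSFC/VLAN 180 side toward the server.
access-group 101 in interface OUTSIDE
! Traffic the server originates toward VLAN 180.
access-group 102 in interface INSIDE
!
! Verification after cabling the server:
!   show bridge-group 1            (both Vlan180 and Vlan188 listed)
!   show mac-address-table          (server MAC learned on INSIDE,
!                                    MSFC MAC 192.168.180.1 on OUTSIDE)
!   show access-list 101            (hit counts increase on ping)
```

Everything not explicitly permitted by 101 from OUTSIDE is dropped by the implicit deny at the end of the ACL, so extending access to the server (for example SSH) means adding a permit tcp line to 101 rather than loosening the interface security levels.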