07-11-2007 11:08 PM - edited 03-11-2019 03:43 AM
I'm trying to make two outside interfaces in the FWSM talk to each other and I can't seem to make it work. Any idea or sample configuration, please?
07-11-2007 11:12 PM
Hi
What do you mean by "talk to each other"? Do you mean from interface to interface?
Are you running multiple contexts? Do the contexts share a VLAN on the outside interface?
Please elaborate on what you need.
Jon
07-11-2007 11:27 PM
07-11-2007 11:31 PM
Okay, so you have 2 interfaces on the outside within the same context. Are the client PCs in the same VLANs as their relevant outside interface?
Presumably you are trying to get connectivity between your PCs?
Could you send a copy of your FWSM config?
Jon
07-11-2007 11:52 PM
No, the client PCs are in different VLANs with respect to their respective outside interfaces.
I don't have a working config yet for this setup, but here is my current config:
nameif vlan325 internet security0
nameif vlan555 fwtest security0
nameif vlan327 inside security100
access-list inside_access_in extended permit ip x.x.x.x [IP from inside] host y.y.y.y [PC1]
access-list internet_access_in extended permit ip host y.y.y.y [PC1] host x.x.x.x [IP from inside]
access-list fwtest_access_in extended permit ip any
ip address inside
ip address internet
ip address fwtest
icmp permit any inside
icmp permit any internet
icmp permit any fwtest
no pdm history enable
arp timeout 14400
global (inside) 1 interface
global (internet) 1 interface
global (fwtest) 3 interface
global (bdoextranetout) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (internet) 1 access-list fwtest_nat0_outbound
nat (fwtest) 3 access-list bdoextranetin_pnat_outbound_V3
!
interface inside
!
interface internet
!
!
interface fwtest
07-11-2007 11:59 PM
Hi
Okay, before we do anything else, can you add the following if it isn't already in your config:
same-security-traffic permit inter-interface
and let me know what happens.
Jon
07-12-2007 12:03 AM
Already added
same-security-traffic permit inter-interface
but still nothing happens.
Thanks
07-12-2007 12:18 AM
Just thought I'd check :)
You say the PCs are not on the same VLANs as the FWSM outside interfaces.
Do you have Layer 3 SVIs for each outside interface of your FWSM on your switch?
It would help if you could send the full config for this context plus the relevant firewall lines (firewall vlan-group etc.) from your switch, plus the output of a sh ip int br on your switch.
Jon
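The checks Jon walks through above (same-security-traffic for two security0 interfaces, and whether each nat/global pair and access-list actually lines up) can be automated against a pasted FWSM config. The Python below is an added example for this thread; it is not Cisco's tooling and not the poster's configuration. It parses only the command forms that appear in the posted fragment (nameif, same-security-traffic, access-list, access-group, nat, global) and runs the posted config through a handful of sanity checks. The sample config is constructed from the thread's paste with the poster's bracketed notes removed.

```python
"""Lint a pasted FWSM/PIX-style single-context config for the mistakes that
commonly break traffic between two interfaces at the same security level.

Added example, not Cisco code.  Only the command forms from the thread are
parsed; anything else is ignored.
"""
import re
from collections import defaultdict

NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)")
ACL = re.compile(r"^access-list\s+(\S+)\s")
ACCESS_GROUP = re.compile(r"^access-group\s+(\S+)\s+(?:in|out)\s+interface\s+(\S+)")
GLOBAL = re.compile(r"^global\s+\((\S+)\)\s+(\d+)")
NAT = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(.*)$")
INTER = "same-security-traffic permit inter-interface"

# Constructed sample: the fragment the original poster pasted, as pasted
# (no same-security-traffic line, no access-group lines).
POSTED_CONFIG = """
nameif vlan325 internet security0
nameif vlan555 fwtest security0
nameif vlan327 inside security100
access-list inside_access_in extended permit ip x.x.x.x host y.y.y.y
access-list internet_access_in extended permit ip host y.y.y.y host x.x.x.x
access-list fwtest_access_in extended permit ip any
global (inside) 1 interface
global (internet) 1 interface
global (fwtest) 3 interface
global (bdoextranetout) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (internet) 1 access-list fwtest_nat0_outbound
nat (fwtest) 3 access-list bdoextranetin_pnat_outbound_V3
"""


def parse(text):
    """Collect interfaces, ACL names, applied ACLs, nat and global statements."""
    cfg = {"ifaces": {}, "inter": False, "acls": set(), "applied": set(),
           "globals": [], "nats": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if (m := NAMEIF.match(line)):
            cfg["ifaces"][m.group(1)] = int(m.group(2))
        elif line == INTER:
            cfg["inter"] = True
        elif (m := ACCESS_GROUP.match(line)):
            cfg["applied"].add(m.group(1))
        elif (m := ACL.match(line)):
            cfg["acls"].add(m.group(1))
        elif (m := GLOBAL.match(line)):
            cfg["globals"].append((m.group(1), int(m.group(2))))
        elif (m := NAT.match(line)):
            rest = m.group(3)
            acl = rest.split()[1] if rest.startswith("access-list ") else None
            cfg["nats"].append((m.group(1), int(m.group(2)), acl))
    return cfg


def lint(text):
    """Return a list of (code, detail) findings for the pasted config."""
    cfg = parse(text)
    findings = []

    # 1. Two interfaces at one security level need inter-interface permission.
    by_level = defaultdict(list)
    for name, level in cfg["ifaces"].items():
        by_level[level].append(name)
    for level, names in sorted(by_level.items()):
        if len(names) > 1 and not cfg["inter"]:
            findings.append(("SAME_SEC_NO_INTER",
                             f"security{level}: {','.join(sorted(names))}"))

    # 2. Every global must name a known interface and be used by some nat id.
    nat_ids = {nid for _, nid, _ in cfg["nats"]}
    for iface, gid in cfg["globals"]:
        if iface not in cfg["ifaces"]:
            findings.append(("GLOBAL_UNKNOWN_IFACE", f"global ({iface}) {gid}"))
        if gid not in nat_ids:
            findings.append(("GLOBAL_UNUSED", f"global ({iface}) {gid}"))

    # 3. nat ACLs must exist; a non-zero nat id needs a global with the same id
    #    on some *other* interface, otherwise there is no translation on egress.
    for iface, nid, acl in cfg["nats"]:
        if acl and acl not in cfg["acls"]:
            findings.append(("NAT_ACL_UNDEFINED", f"nat ({iface}) {nid} access-list {acl}"))
        if nid != 0 and not any(g_if != iface and gid == nid for g_if, gid in cfg["globals"]):
            findings.append(("NAT_NO_EGRESS_GLOBAL", f"nat ({iface}) {nid}"))

    # 4. An ACL that is neither applied with access-group nor used by nat does nothing.
    nat_acls = {acl for _, _, acl in cfg["nats"] if acl}
    for acl in sorted(cfg["acls"] - cfg["applied"] - nat_acls):
        findings.append(("ACL_NOT_APPLIED", acl))
    return findings


def codes(text):
    """Just the finding codes, as a set, for quick comparison."""
    return {code for code, _ in lint(text)}


if __name__ == "__main__":
    for code, detail in lint(POSTED_CONFIG):
        print(f"{code:22} {detail}")
```

On the posted fragment this reports the missing inter-interface permission for internet/fwtest, three nat statements whose access-lists are not in the paste, a nat id 3 on fwtest with no matching global on any other interface, a global for an interface (bdoextranetout) that has no nameif and no nat using id 2, and three access-lists that are never applied. Adding the same-security-traffic line clears only the first finding, which matches the poster's experience that the line alone did not fix the problem.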