Re: FWSM outside interface

dennisopiso · ‎07-11-2007

i'm trying to make two outside interfaces in FWSM to talk to each other and i cant seem to make it work. any idea or sample configuration please

Jon Marshall · ‎07-11-2007

Hi

What do you mean by talk to each other. Do you mean from interface to interface.

Are you running multiple contexts. Do the contexts share a vlan on the outside interface.

Please elaborate on what you need.

Jon

dennisopiso · ‎07-11-2007

hi jon,yes the fwsm is running multiple contexts. in one of the contexts, i created multiple outside interfaces (e.g. vlan 500 and vlan 555).

i also attached a diagram to have a clearer view

thanks

Jon Marshall · ‎07-11-2007

okay, so you have 2 interfaces on the outside within the same context. Are the client PC's in the same vlans as their relevant outside interface ?

Presumably you are trying to get connectivity between your PC's ?

Could you send a copy of your FWSM config ?

Jon

dennisopiso · ‎07-11-2007

no, the client PCs are of different vlans with respect to their respective outside interfaces.

i dont have working config yet for this setup but here is my current config:

nameif vlan325 internet security0

nameif vlan555 fwtest security0

nameif vlan327 inside security100

access-list inside_access_in extended permit ip x.x.x.x [IP from inside] host y.y.y.y [PC1]

access-list internet_access_in extended permit ip host y.y.y.y [PC1] host x.x.x.x [IP from inside]

access-list fwtest_access_in extended permit ip any

ip address inside

ip address internet

ip address fwtest

icmp permit any inside

icmp permit any internet

icmp permit any fwtest

no pdm history enable

arp timeout 14400

global (inside) 1 interface

global (internet) 1 interface

global (fwtest) 3 interface

global (bdoextranetout) 2 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (internet) 1 access-list fwtest_nat0_outbound

nat (fwtest) 3 access-list bdoextranetin_pnat_outbound_V3

!

interface inside

!

interface internet

!

interface fwtest

Jon Marshall · ‎07-11-2007

Hi

Okay, before we do anything else can you add the following if it isn't already in your config

same-security-traffic permit inter-interface

and let me know what happens.

Jon

dennisopiso · ‎07-12-2007

already added

same-security-traffic permit inter-interface

but still nothing happens

thanks

Jon Marshall · ‎07-12-2007

just thought i'd check :)

You say the PC are not on the same vlans as the FWSM outside interfaces.

Do you have Layer 3 SVI's for each outside interface of your FWSM on your switch ?

It would help if you could send the full config for this context plus the relevant firewall lines (firewall vlan-group etc) from your switch plus an output of a sh ip int br on your switch.

Jon