Solved: Good stuff, thanks for the

Andrey Calderon · ‎09-16-2014

Here is a quick summary of what I want to accomplish.

I have installed a FWSM with multiple context in a 6500 switch, some contexts are in route mode and I have 3 in transparent mode.

What I need to do is remove the transparent context and still allow all traffic that is going over this context to avoid disrupt any connection. Once I have this part done I need to do a re-partition of the module because I am running out of space in some context. Please help with the steps to perform this job.

Here is an example of one Context in transparent mode:

firewall transparent

names
name 1.1.1.37 MSFC_A
name 1.1.1.38 MSFC_B
name 1.1.1.36 MSFC_HSRP
name 1.1.1.32 Site1
name 1.1.1.35 Site2
name 1.1.1.33 Site_HSRP
!
interface Vlan8
nameif outside
bridge-group 76
security-level 0
!
interface Vlan 9
nameif inside
bridge-group 76
security-level 100
!
interface BVI76
ip address 1.1.1.45 255.255.255.240 standby 1.1.1.46

Marius Gunnerud · ‎09-21-2014

Good stuff, thanks for the feedback. Glad you got it done.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Marius Gunnerud · ‎09-16-2014

Do you have the FWSM set up in an active/standby failover? If so, you should be able to do this with little or no down time. If not then you will need to do a bit of planning and there will be some downtime.

What you could do, if it is not in an active/standby failover pair, is configure one of the other contexts to temporarily route the desired traffic, then move the interfaces in use by the context to the temporary context, then delete the transparent firewall and do what you need to do, and then later move the interfaces back.

Just keep in mind that once you remove the interfaces from the contexts you will need to reconfigure them. So before you do this I suggest creating scripts that will do everything for you and this should hopefully give you minimal down time.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Andrey Calderon · ‎09-16-2014

Yes is running active/standby, I was looking more an answer how to get rid of the transparent firewall and only forwarding the bridge group to a vlan in the switch or something similar.

Marius Gunnerud · ‎09-17-2014

So you want to go from transparent to routed? If that is the case, I don't think there is any easy way to do it without any down time. You should be able to limit downtime because you have the active/standby failover setup. But it would take some planning, and you would have to change some routing in your network so that traffic for the 1.1.1.0 network goes to the new outside IP of the ASA.

Do you have more subnets connected to the ASA other than the 1.1.1.0 subnet?

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Andrey Calderon · ‎09-20-2014

What I basically did was, remove the "out" vlan in the switch and replaced with exactly the same information, IP address, HRSP etc in the "in" vlan, this way I moved everything to the switch and get rid of the transparent context. Thanks for your input.

Marius Gunnerud · ‎09-21-2014

Good stuff, thanks for the feedback. Glad you got it done.

--
Please remember to select a correct answer and rate helpful posts

How to remove a context from FWSM installed in a 6500 switch in transparent mode and still allow traffic pass over MSFC