IDSM-2 - FWSM

Rodrigo Gurriti · ‎08-12-2011

Hello,

I have two questions on the IDSM-2:

1- How can I inspect inline the FWSM outside/dmz interfaces?

I followed this doc http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1068377

I understand that I'm bridging the L2 with the L3 Vlans, but on the FWSM how would that work ?

I have 2 L2 vlans:

Vlan 20 the outside with my ISP router on the segment.
Vlan 60 the DMZ with a couple servers.

My FWSM config:

firewall multiple-vlan-interfaces

firewall module 1 vlan-group 10

firewall vlan-group 10 20,50,60,100

!

interface Vlan20

no ip address

shutdown

!

interface Vlan60

no ip address

shutdown

2 - I also want to inspect my vlan 300 L2 with users and my 301 L3 as SVI

intrusion-detection module 6 management-port access-vlan 100

intrusion-detection module 6 data-port 1 trunk allowed-vlan 300,301

This is correct right ?

Thank you !

Farrukh Haroon · ‎08-17-2011

You have to make an inline VLAN pair for each segement you want to monitor in the IDSM and add each of them to the trunk. For better separation of load, you could divide the VLANs over two different interfaces on the IDSM.

Please search the forum, I have posted sample configs multiple times and let me know if you are not able to find those old posts.

Please rate if helpful.

Regards

Farrukh

haivrajesh · ‎08-21-2011

Create a Inline vlan pair