04-04-2009 03:08 AM - edited 03-10-2019 04:35 AM
I have this type of topology:
Workstation >> Floor Switch >> Cat6513 >> ASA >> Internet
My Workstation is Vlan 123 and my ASA interface inside is Vlan 20
Here is my Vlan configuration:
!
interface Vlan123
ip address 172.21.123.254 255.255.255.0
end
C6513-Core1#sh ru int vlan 20
Building configuration...
Current configuration : 129 bytes
!
interface Vlan20
ip address 172.16.20.254 255.255.255.0
end
My Workstation is set to:
IP: 172.21.123.123/24
Gateway: 172.21.123.1
My inside ASA:
IP: 172.16.20.1/24
Now I want to activate both modules, IDSM-2 and FWSM, residing in the Cat6513. All packets coming from the Workstation need to be monitored by the IDS in inline mode and forwarded to the inside of the FWSM. After passing our firewall policy, these packets can go to the inside ASA interface. My questions are:
1) My current configuration on Cat6513 is:
C6513-Core1#sh ru | i firewall
firewall autostate
firewall multiple-vlan-interfaces
firewall module 2 vlan-group 1,
firewall vlan-group 1 20,123
C6513-Core1#sh ru | i intrusion
intrusion-detection module 1 data-port 1 trunk allowed-vlan 20,123
Is my configuration on the switch correct?
2) My current setting on IDSM-2 is:
service interface
physical-interfaces GigabitEthernet0/7
subinterface-type inline-vlan-pair
subinterface 1
vlan1 123
vlan2 124
exit
exit
exit
bypass-mode off
exit
service analysis-engine
virtual-sensor vs0
physical-interface GigabitEthernet0/7 subinterface-number 1
inline-TCP-session-tracking-mode vlan-only
exit
exit
How do I configure it correctly? Currently I'm testing blocking YahooMessenger but the IDS fails to block it; no event even occurs while I'm monitoring via IME.
3) My current FWSM configuration is:
!
interface Vlan20
nameif outside
security-level 0
ip address 172.16.20.247 255.255.255.0
!
interface Vlan123
nameif inside
security-level 100
ip address 172.21.123.1 255.255.255.0
!
same-security-traffic permit inter-interface
icmp permit any outside
icmp permit any inside
route outside 0.0.0.0 0.0.0.0 172.16.20.1 1
route inside 172.16.0.0 255.248.0.0 172.16.20.254 1
This configuration also didn't work. I try to deny tcp/80 packets coming from inside 172.21.123.0/24 to outside 0.0.0.0 0.0.0.0, but the web traffic keeps passing through the FWSM.
I need some guidance on configuring this Cat6513, IDSM-2 and FWSM integration. Our goal is to filter traffic coming from the Workstation and protect the Workstation from incoming traffic from the internet. Any input is really appreciated. Thanks
./hasim
04-06-2009 05:06 PM
Any response is really appreciated. I already have sample configurations for these three individual items; I just need a little more understanding to integrate these three items into one integrated configuration file. Could anybody please help me with sample configurations for:
1) Catalyst6500 to redirect inside VLAN(s) traffic to IDSM-2 and FWSM module
2) IDSM-2 to analyze inside VLAN(s) traffic incoming before passing to FWSM in inline mode
3) FWSM in transparent mode to protect the inside VLAN(s) zone and filter any incoming traffic from the outside VLAN(s) zone.
Thanks.
./hasim
04-08-2009 10:47 AM
Anybody care to help me on this issue?
04-15-2009 11:23 PM
Hasim, to run INLINE VLAN PAIR mode you need to modify your VLAN settings; it will not work the way you have it configured. Please have a look at these guidelines:
Let's say you have three user VLANs; your setup would be something like:
> Create 6 VLANs for users, 2,3,4, 22,33,44 (just examples). Create one OUTSIDE VLAN (you have a VLAN b/w FWSM and MSFC already).
> On the access switch set all ports in VLAN 2, 3 and 4 (as appropriate).
> The IDSM has no 'physical' interfaces; it has a trunk with the Catalyst backplane (if inline VLAN pair is used). Create three inline VLAN pairs in the IDSM GUI, 2 >> 22, 3 >> 33, 4 >> 44. Allow ALL 6 VLANs on the trunk (through the intrusion-detection commands). The IDSM has two virtual sensing interfaces/ports named mod x/7 and x/8 (where x is the slot number in which the IDSM is installed). Allow the VLANs on the trunk based on WHERE you created the sub-interfaces / inline VLAN pairs in the IDSM GUI (interface 7 or 8).
> Create three VLAN interfaces for VLAN 22, 33 and 44 on the FWSM. These will be the default gateway of all machines in VLANs 2, 3 and 4. Allow ONLY VLANs 22, 33 and 44 on the FWSM trunk (through the firewall-xx command on the switch).
> Create another VLAN, e.g. OUTSIDE, between the FWSM and MSFC. Make a VLAN interface for it in the FWSM; create an SVI in the 65XX switch also.
> Add a default route on the FWSM pointing to the switch SVI.
> Add a static route on the MSFC for all LAN subnets (VLAN 2, 3 and 4) pointing towards the FWSM OUTSIDE VLAN interface.
> The IDSM will have a separate port for management; it can be any IP (from your management VLAN). This is port mod x/2.
So the L2 flow will be
user vlan 2 >> access port >> core sw >> idsm >> vlan 22 >> fwsm >> msfc
Regards
Farrukh
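The guidelines above reduce to a few invariants that can be checked mechanically: both halves of every inline VLAN pair must be allowed on the IDSM data-port trunk, only the sensor-side half may be trunked to the FWSM, and the FWSM interface that serves as the hosts' gateway must sit on that sensor-side VLAN. The script below is an added example written for this page, not code from the thread or from Cisco. It parses the firewall / intrusion-detection lines of a 6500 config together with the IDSM inline VLAN pairs and FWSM VLAN interfaces, and reports how the configuration in the first post departs from the user >> IDSM >> FWSM >> MSFC path. The "fixed" inputs are a constructed re-layout of that same configuration along the guideline (VLAN 124 taken as the sensor-side VLAN); nobody in the thread posted them.

```python
import re

# Constructed sample: the switch fragment, IDSM inline pair and FWSM VLAN
# interfaces from the first post in this thread, condensed for offline parsing.
SWITCH_CONFIG = """\
firewall autostate
firewall multiple-vlan-interfaces
firewall module 2 vlan-group 1,
firewall vlan-group 1 20,123
intrusion-detection module 1 data-port 1 trunk allowed-vlan 20,123
"""
IDSM_PAIRS = {1: (123, 124)}                 # subinterface -> (user-side VLAN, sensor-side VLAN)
FWSM_IFACES = {20: "outside", 123: "inside"}  # VLAN -> nameif on the FWSM

# Constructed re-layout along the guideline (not from the thread): the IDSM trunk
# carries both halves of the pair, the FWSM only sees the sensor-side VLAN 124.
FIXED_SWITCH_CONFIG = """\
firewall autostate
firewall multiple-vlan-interfaces
firewall module 2 vlan-group 1
firewall vlan-group 1 20,124
intrusion-detection module 1 data-port 1 trunk allowed-vlan 123,124
"""
FIXED_FWSM_IFACES = {20: "outside", 124: "inside"}


def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '2-3, 22, 33' into a set of ints."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue                      # tolerate the trailing comma seen in the post
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_switch(config):
    """Return (VLANs allowed on IDSM data-port trunks, VLANs trunked to the FWSM)."""
    ids_allowed, fw_groups, module_groups = set(), {}, set()
    for line in config.splitlines():
        m = re.match(r"intrusion-detection module \d+ data-port \d+ trunk allowed-vlan (.+)", line)
        if m:
            ids_allowed |= parse_vlan_list(m.group(1))
            continue
        m = re.match(r"firewall vlan-group (\d+) (.+)", line)
        if m:
            fw_groups[int(m.group(1))] = parse_vlan_list(m.group(2))
            continue
        m = re.match(r"firewall module \d+ vlan-group (.+)", line)
        if m:
            module_groups |= parse_vlan_list(m.group(1))
    # The FWSM trunk is the union of every vlan-group assigned to the module.
    fw_trunk = set().union(*(fw_groups.get(g, set()) for g in module_groups))
    return ids_allowed, fw_trunk


def check(switch_config, pairs, fwsm_ifaces):
    """List every way the three configs break the user >> IDSM >> FWSM >> MSFC path."""
    ids_allowed, fw_trunk = parse_switch(switch_config)
    findings = []
    for sub, (user_vlan, sensor_vlan) in pairs.items():
        for v in (user_vlan, sensor_vlan):
            if v not in ids_allowed:
                findings.append(f"pair {sub}: VLAN {v} is not allowed on the IDSM data-port trunk")
        if user_vlan in fw_trunk:
            findings.append(f"pair {sub}: user-side VLAN {user_vlan} is trunked to the FWSM, "
                            "so hosts reach the firewall without crossing the sensor")
        if sensor_vlan not in fw_trunk:
            findings.append(f"pair {sub}: sensor-side VLAN {sensor_vlan} is not in the FWSM "
                            "vlan-group, so inspected frames have nowhere to go")
        if user_vlan in fwsm_ifaces:
            findings.append(f"pair {sub}: the FWSM has an interface on user-side VLAN "
                            f"{user_vlan}; it belongs on VLAN {sensor_vlan}")
        if sensor_vlan not in fwsm_ifaces:
            findings.append(f"pair {sub}: no FWSM interface on sensor-side VLAN {sensor_vlan} "
                            "to act as the hosts' default gateway")
    return findings


if __name__ == "__main__":
    for label, cfg, ifaces in (("as posted", SWITCH_CONFIG, FWSM_IFACES),
                               ("re-laid-out", FIXED_SWITCH_CONFIG, FIXED_FWSM_IFACES)):
        problems = check(cfg, IDSM_PAIRS, ifaces)
        print(f"{label}: {len(problems)} problem(s)")
        for p in problems:
            print("  -", p)
```

Run against the posted configuration the checker reports five problems, all stemming from VLAN 123 being both the user VLAN and the VLAN the FWSM lives on, so frames never have to cross the sensor; the re-laid-out inputs report none. The same regexes accept the `2-3, 22, 33` style ranges used later in the thread.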
04-15-2009 11:26 PM
Now with regards to the configuration in case you have *multiple* IDSM-2s in the same chassis:
For the case with one FWSM in each chassis and multiple IDSM-2s, it is pretty simple. You can have up to eight IDSM-2 modules in the same chassis and they all can be stacked using EtherChannel.
E.g. let's say you have IDSM-2 modules installed in slots 4 and 5, and VLANs 2 and 3 have sub-interfaces on interface gig x/7 and VLAN 4 has sub-interfaces on gig x/8; your configuration will be something like:
intrusion-detection port-channel 10 trunk allowed-vlan 2-3, 22, 33
intrusion-detection port-channel 10 autostate include
intrusion-detection port-channel 10 portfast enable
intrusion-detection port-channel 11 trunk allowed-vlan 4,44
intrusion-detection port-channel 11 autostate include
intrusion-detection port-channel 11 portfast enable
intrusion-detection module 4 data-port 1 channel-group 5 (This is int 4/7 basically)
intrusion-detection module 4 data-port 2 channel-group 6 (This is int 4/8 basically)
intrusion-detection module 5 data-port 1 channel-group 5
intrusion-detection module 5 data-port 2 channel-group 6
You are basically grouping the FIRST sensing port of each IDSM into the same EtherChannel, and the SECOND one into another.
Of course you have to manually replicate all your configurations on all IDSM-2s.
The FWSM configuration will be based on a failover LAN, which would be carried over the inter-switch trunk between the two cores.
On the switch you would add:
firewall multiple-vlan-interfaces (IMPORTANT)
firewall module 3 vlan-group 1
firewall vlan-group 1 22,33,44
Whichever FWSM is active, the IDSM-2s sharing the chassis with that FWSM will serve traffic. This is based on MAC-ADDRESS learning. The FWSM/IDSM-2 in the other chassis will sit and watch during this time :)
Note: In the FWSM you cannot pass any traffic unless you have an 'incoming' ACL on all VLAN interfaces....
Please rate if helpful
Regards
Farrukh
04-17-2009 07:35 PM
Thanks Farrukh! Your explanation really helped me a lot :)
Now I have successfully integrated these three items into my testing environment. My current configuration consists of two Catalyst 6513 chassis with two IDSM-2 modules and two FWSMs, which is one module per chassis. Both Cat6513s are identical in terms of software version, including the software versions of the IDSM-2 and FWSM residing in the respective Cat6513 chassis. My next questions are:
1) I'm using single context FWSM with active/standby failover. My FWSM failover running perfectly. How to implement redundancy on both IDSM-2 with inline-vlan-pair configuration?
2) In our production environment, we have certain VLANs to be firewalled by the FWSM and certain VLANs not to be firewalled by the FWSM. All VLAN(s) firewalled by the FWSM are routed to the FWSM inside interface by changing their default gateway to the FWSM inside interface IP address. The rest of the VLAN(s) configured not to be firewalled by the FWSM are configured to route directly to the MSFC by changing their default gateway to their respective VLAN interface IP address. How do I allow traffic communication between the firewalled VLANs and the rest of the other VLANs?
Thanks again for your time.
./hasim
04-17-2009 08:03 PM