I have this type of topology:
Workstation >> Floor Switch >> Cat6513 >> ASA >> Internet
My Workstation is in Vlan 123 and my ASA inside interface is in Vlan 20
Here is my Vlan configuration:
ip address 172.21.123.254 255.255.255.0
C6513-Core1#sh ru int vlan 20
Current configuration : 129 bytes
ip address 172.16.20.254 255.255.255.0
My Workstation is set to:
My inside ASA:
Now I want to activate both modules, IDSM-2 and FWSM, residing in the Cat6513. All packets coming from the Workstation need to be monitored by the IDS in inline mode and forwarded to the inside FWSM. After passing our firewall policy, these packets can go to the inside ASA interface. My questions are:
1) My current configuration on Cat6513 is:
C6513-Core1#sh ru | i firewall
firewall module 2 vlan-group 1,
firewall vlan-group 1 20,123
C6513-Core1#sh ru | i intrusion
intrusion-detection module 1 data-port 1 trunk allowed-vlan 20,123
Is my configuration on the switch correct?
2) My current setting on IDSM-2 is:
physical-interface GigabitEthernet0/7 subinterface-number 1
How do I configure it correctly? Currently I'm testing blocking Yahoo Messenger but the IDS fails to block it; no event occurs either while I'm monitoring via IME.
3) My current FWSM configuration is:
ip address 172.16.20.247 255.255.255.0
ip address 172.21.123.1 255.255.255.0
same-security-traffic permit inter-interface
icmp permit any outside
icmp permit any inside
route outside 0.0.0.0 0.0.0.0 172.16.20.1 1
route inside 172.16.0.0 255.248.0.0 172.16.20.254 1
This configuration also didn't work. I try to deny tcp/80 packets coming from inside 172.21.123.0/24 to outside 0.0.0.0 0.0.0.0 but the web traffic keeps passing through the FWSM.
I need some guidance to configure the integration of these Cat6513, IDSM-2 and FWSM. Our goal is to filter traffic coming from the Workstation and protect the Workstation from incoming traffic from the internet. Any input is really appreciated. Thanks
Any response is really appreciated. I already have sample configurations for these three individual items; I just need a little more understanding to integrate these three items into one integrated configuration file. Can anybody please help me by providing a sample configuration for:
1) Catalyst6500 to redirect inside VLAN(s) traffic to IDSM-2 and FWSM module
2) IDSM-2 to analyze inside VLAN(s) traffic incoming before passing to FWSM in inline mode
3) FWSM in transparent mode to protect the inside VLAN(s) zone and filter any incoming traffic from the outside VLAN(s) zone.
Hasim, to run INLINE VLAN PAIR mode you need to modify your VLAN setting; it will not work the way you have it configured. Please have a look at these guidelines:
Let's say you have three user VLANs; your setup would be something like:
> Create 6 VLANs for users, 2,3,4, 22,33,44 (just examples). Create one OUTSIDE VLAN (you have a VLAN b/w FWSM and MSFC already).
> On the access-switch set all ports in VLAN 2,3 and 4 (as appropriate)
> The IDSM has no 'physical' interfaces; it has a trunk with the catalyst backplane (if inline vlan pair is used).
Create three inline vlan pairs in the IDSM gui, 2 >> 22, 3 >> 33, 4 >> 44. Allow ALL 6 VLANs on the trunk (through the intrusion-detection commands). The IDSM has two virtual sensing interfaces/ports named mod x/7 and x/8 (where x is the slot number in which the IDSM is installed). Allow the VLANs on the trunk based on WHERE you created the sub-interfaces/inline VLAN pairs in the IDSM gui (interface 7 or 8).
> Create three VLAN interfaces for VLANs 22, 33 and 44 on the FWSM. These will be the default gateway of all machines in VLANs 2, 3 and 4. Allow ONLY VLANs 22, 33 and 44 on the FWSM trunk (through the firewall-xx command on the switch).
> Create another VLAN, e.g. OUTSIDE, between the FWSM and MSFC. Make a VLAN interface for it in the FWSM; create an SVI in the 65XX switch also.
> Add default route on FWSM pointing to switch SVI.
> Add static route on MSFC for all LAN subnets (VLAN 2, 3 and 4) pointing towards FWSM OUTSIDE VLAN interface.
> The IDSM will have a separate port for management; it can be any IP (from your management VLAN). This is port mod x/2.
So the L2 flow will be
user vlan 2 >> access port >> core sw >> idsm >> vlan 22 >> fwsm >> msfc
Now with regards to the configuration in case you have *multiple* IDSM-2 in the same chassis:
For the case with one FWSM in each chassis and multiple IDSM-2s, it is pretty simple. You can have up to eight IDSM-2 modules in the same chassis and they can all be stacked using etherchannel.
e.g. Let's say you have IDSM-2 modules installed in slots 4 and 5, and VLANs 2 and 3 have sub-interfaces on interface gig x/7 and VLAN 4 has sub-interfaces on gig x/8; your configuration will be something like:
intrusion-detection port-channel 10 trunk allowed-vlan 2-3, 22, 33
intrusion-detection port-channel 10 autostate include
intrusion-detection port-channel 10 portfast enable
intrusion-detection port-channel 11 trunk allowed-vlan 4,44
intrusion-detection port-channel 11 autostate include
intrusion-detection port-channel 11 portfast enable
intrusion-detection module 4 data-port 1 channel-group 5 (This is int
intrusion-detection module 4 data-port 2 channel-group 6 (This is int
intrusion-detection module 5 data-port 1 channel-group 5
intrusion-detection module 5 data-port 2 channel-group 6
You are basically grouping the FIRST sensing port of each IDSM into the same Etherchannel, and the SECOND one into another.
Of course you have to manually replicate all your configurations on all IDSM-2s.
The FWSM configuration will be based on a failover LAN, which would be carried over the inter-switch trunk between the two cores.
On the switch you would add:
firewall multiple-vlan-interfaces (IMPORTANT)
firewall module 3 vlan-group 1
firewall vlan-group 1 22,33,44
Whichever FWSM is active, the IDSM-2s sharing the chassis with that FWSM will serve traffic. This is based on MAC-ADDRESS learning. The FWSM/IDSM-2 in the other chassis will sit and watch during this
Note: In the FWSM you cannot pass any traffic unless you have an 'incoming' ACL on all VLAN interfaces....
Please rate if helpful
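The guidelines in the reply above reduce to a few checkable rules on the switch side (both VLANs of every inline pair on the IDSM trunk, only the FWSM-side VLAN of each pair plus the OUTSIDE VLAN handed to the FWSM, nothing trunked to the IDSM that is not part of a pair) and one on the FWSM side (an inbound ACL on every VLAN interface). The script below is an added example, not configuration or code from this thread or from Cisco: it parses the switch's intrusion-detection and firewall vlan-group lines and an FWSM fragment and reports violations. The pair VLANs 2/22, 3/33, 4/44 come from the reply; VLAN 100 as the OUTSIDE VLAN, the slot numbers, interface names and addresses in the samples are constructed for illustration.

```python
"""Design check for a Cat6500 chaining IDSM-2 inline VLAN pairs in front of an FWSM.

Constructed example; VLAN 100 (OUTSIDE), slot numbers, nameifs and IPs are assumptions.
"""
import re

IDSM_TRUNK_RE = re.compile(
    r"^intrusion-detection (?:module \d+ data-port \d+|port-channel \d+) "
    r"trunk allowed-vlan (?P<vlans>[\d,\s-]+)$")
FW_GROUP_RE = re.compile(r"^firewall vlan-group (?P<group>\d+) (?P<vlans>[\d,\s-]+)$")
FW_MODULE_RE = re.compile(r"^firewall module \d+ vlan-group (?P<groups>[\d,\s]+)$")
NAMEIF_RE = re.compile(r"^nameif (\S+)$")
ACL_IN_RE = re.compile(r"^access-group \S+ in interface (\S+)$")


def expand_vlans(spec):
    """'2-3, 22, 33' -> {2, 3, 22, 33}; tolerates spaces and a trailing comma."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_switch(config):
    """Return (VLANs trunked to the IDSM sensing ports, VLANs handed to the FWSM)."""
    idsm, groups, assigned = set(), {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := IDSM_TRUNK_RE.match(line):
            idsm |= expand_vlans(m["vlans"])
        elif m := FW_GROUP_RE.match(line):
            groups.setdefault(int(m["group"]), set()).update(expand_vlans(m["vlans"]))
        elif m := FW_MODULE_RE.match(line):
            assigned |= expand_vlans(m["groups"])
    # Only groups actually bound to a firewall module reach the FWSM.
    fwsm = set().union(*(groups.get(g, set()) for g in assigned))
    return idsm, fwsm


def check_design(switch_config, pairs, outside_vlan):
    """pairs maps each user VLAN to the VLAN on the FWSM side of its inline pair."""
    idsm, fwsm = parse_switch(switch_config)
    problems = []
    if not pairs:
        problems.append("no inline VLAN pair defined: the IDSM bridges nothing inline")
    for user, fw_side in pairs.items():
        for v in (user, fw_side):
            if v not in idsm:
                problems.append(f"VLAN {v} of pair {user}/{fw_side} is not on the IDSM trunk")
        if fw_side not in fwsm:
            problems.append(f"VLAN {fw_side} is not in a vlan-group bound to the FWSM")
        if user in fwsm:
            problems.append(f"user VLAN {user} must not reach the FWSM (only VLAN {fw_side})")
    for v in sorted(idsm - set(pairs) - set(pairs.values())):
        problems.append(f"VLAN {v} is trunked to the IDSM but belongs to no inline pair")
    if outside_vlan not in fwsm:
        problems.append(f"OUTSIDE VLAN {outside_vlan} is not handed to the FWSM")
    return problems


def fwsm_interfaces_without_inbound_acl(fwsm_config):
    """Per the note above, every nameif needs an 'access-group ... in' to pass traffic."""
    names, with_acl = [], set()
    for raw in fwsm_config.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):
            names.append(m.group(1))
        elif m := ACL_IN_RE.match(line):
            with_acl.add(m.group(1))
    return [n for n in names if n not in with_acl]


# Switch lines as posted in the question: no pair, both VLANs on both trunks.
ORIGINAL_SWITCH = """
firewall module 2 vlan-group 1,
firewall vlan-group 1 20,123
intrusion-detection module 1 data-port 1 trunk allowed-vlan 20,123
"""

# Switch lines following the reply's three-pair layout (constructed; VLAN 100 assumed OUTSIDE).
REVISED_SWITCH = """
intrusion-detection module 4 data-port 1 trunk allowed-vlan 2-3, 22, 33
intrusion-detection module 4 data-port 2 trunk allowed-vlan 4,44
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 1
firewall vlan-group 1 22,33,44,100
"""
INLINE_PAIRS = {2: 22, 3: 33, 4: 44}
OUTSIDE_VLAN = 100

# Constructed FWSM fragment: the outside interface has no inbound ACL.
FWSM_SAMPLE = """
interface Vlan22
 nameif inside22
 security-level 100
 ip address 10.2.0.1 255.255.255.0
interface Vlan100
 nameif outside
 security-level 0
 ip address 10.100.0.2 255.255.255.0
access-list INSIDE22_IN extended permit ip 10.2.0.0 255.255.255.0 any
access-group INSIDE22_IN in interface inside22
"""

if __name__ == "__main__":
    for label, cfg, pairs in (("original", ORIGINAL_SWITCH, {}), ("revised", REVISED_SWITCH, INLINE_PAIRS)):
        print(label, check_design(cfg, pairs, 20 if label == "original" else OUTSIDE_VLAN) or "ok")
    print("FWSM interfaces lacking inbound ACL:", fwsm_interfaces_without_inbound_acl(FWSM_SAMPLE))
```

Run against the question's own switch lines the checker reports that no inline pair exists and that VLANs 20 and 123 are trunked to the IDSM without belonging to one; the revised layout passes, and putting a user VLAN into the firewall vlan-group (the mistake the reply warns about) is flagged immediately. The FWSM check is deliberately simple: it only pairs nameif lines with access-group lines, so a missing or wrongly named interface in the access-group shows up as an interface without an ACL.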
Thanks Farrukh! Your explanation really helped me a lot :)
Now I've successfully integrated these three items into my testing environment. My current configuration consists of two Catalyst 6513 chassis with two IDSM-2 modules and two FWSMs, one module per chassis. Both Cat6513s are identical in terms of software version, including the software versions of the IDSM-2 and FWSM residing in each Cat6513 chassis. My next questions are:
1) I'm using a single-context FWSM with active/standby failover. My FWSM failover is running perfectly. How do I implement redundancy on both IDSM-2s with the inline-vlan-pair configuration?
2) In our production environment, we have certain VLANs to be firewalled by the FWSM and certain VLANs not to be firewalled by the FWSM. All VLANs firewalled by the FWSM are routed to the FWSM inside interface by changing their default gateway to the FWSM inside interface IP address. The rest of the VLANs that are configured not to be firewalled by the FWSM are configured to route directly to the MSFC by changing their default gateway to their respective VLAN interface IP address. How do I allow traffic between the firewalled VLANs and the rest of the other VLANs?
Thanks again for your time.