03-29-2009 09:00 AM - edited 03-11-2019 08:11 AM
Hello everyone,
I have configured the transparent FWSM (version 3.1) on a Cat6500. I found I can't ping the BVI interface from the MSFC, and I have some questions as below:
1. For a transparent FWSM, are there other ways to access the FWSM module except "session slot # process 1"? I mean, can I telnet to this FWSM via the BVI interface?
2. I found that access-group can only be applied on a physical interface such as inside, outside or DMZ; I can't apply it on the BVI interface, am I right? I can't ping the BVI interface from the MSFC. Can anyone tell me whether there is something wrong in my configuration, or whether it actually can't be pinged?
3. CCO said it can have 8 bridge-groups per context; what does that mean? When I configured the FWSM, I found just 2 VLAN interfaces per bridge-group. So how can I make many interfaces on the inside or DMZ interface? For example, I have 4 VLANs, HR, Finance, Market and RD, which are 10.1.1.0, 10.1.2.0, 10.1.3.0 and 10.1.4.0 respectively. I want them protected by the transparent FWSM. Can anyone give me the detailed configuration?
And if one context supports just 8 bridge-groups, does it mean it can only support 8 inside VLANs on the transparent firewall?
Many thanks
Tao
Solved! Go to Solution.
03-29-2009 11:30 PM
1. The configs look good. I am not sure why you are not able to ping the BVI IP address. Are you able to ping from the FWSM to any host/server?
I suggest you enable debugging.
For telnet to work, you need to configure "telnet 10.1.10.0 255.255.255.0 inside" and see if telnet works.
2. You are correct - you need to have 3 pairs of VLANs on the MSFC and 3 bridge-groups.
This is a restriction in transparent mode; you can have only 2 interfaces (one inside and one outside).
03-29-2009 10:10 AM
1) You should be able to access the FWSM using telnet. If you are trying to connect to the FWSM from a location other than the directly connected network, you will need to add a static route on the FWSM.
use the "telnet x.x.x.x <
2) Please post your config; you should be able to ping the BVI IP address from your MSFC.
You can't apply an access-list to a BVI.
3) 8 bridge-groups per context, but each bridge-group can have only two interfaces. In that way traffic from one bridge-group is isolated from another bridge-group. But all 8 bridge-groups share the same AAA & logging configuration.
You cannot have 8 inside VLANs on the transparent firewall within the same bridge-group.
You can find some config examples at
http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html
HTH
Vikram
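A worked configuration for the three-bridge-group layout Vikram describes (HR, Market and RD, each on its own VLAN pair), added here as an example; it is not taken from the original posts, the attached configuration, or Cisco documentation. The VLAN numbers, the nameif strings, the FWSM slot number 3, the ACL names and the host addresses are assumptions; the subnets follow the ones Tao listed (10.1.1.0, 10.1.3.0, 10.1.4.0). It uses FWSM 3.1 transparent-mode syntax (bridge-group under each VLAN interface, one BVI per bridge group for management) and also shows the to-the-box icmp and telnet commands that the rest of the thread discusses.

```cisco
! ---- Supervisor / MSFC side (constructed example; FWSM in slot 3 assumed) ----
! One VLAN pair per bridge group: the MSFC routes on the outside VLAN,
! protected hosts sit on the inside VLAN, both VLANs carry the same subnet.
vlan 101,102,301,302,401,402
firewall vlan-group 1 101,102,301,302,401,402
firewall module 3 vlan-group 1
!
interface Vlan101
 description HR - outside side of bridge-group 1
 ip address 10.1.1.1 255.255.255.0
interface Vlan301
 description Market - outside side of bridge-group 2
 ip address 10.1.3.1 255.255.255.0
interface Vlan401
 description RD - outside side of bridge-group 3
 ip address 10.1.4.1 255.255.255.0
! VLANs 102, 302 and 402 get no SVI: they are the protected (inside) side.

! ---- FWSM side (single context, transparent mode) ----
firewall transparent
!
interface vlan 101
 nameif outsideHR
 bridge-group 1
 security-level 0
interface vlan 102
 nameif insideHR
 bridge-group 1
 security-level 100
interface bvi 1
 ip address 10.1.1.2 255.255.255.0
!
interface vlan 301
 nameif outsideMkt
 bridge-group 2
 security-level 0
interface vlan 302
 nameif insideMkt
 bridge-group 2
 security-level 100
interface bvi 2
 ip address 10.1.3.2 255.255.255.0
!
interface vlan 401
 nameif outsideRD
 bridge-group 3
 security-level 0
interface vlan 402
 nameif insideRD
 bridge-group 3
 security-level 100
interface bvi 3
 ip address 10.1.4.2 255.255.255.0
!
! ACLs are bound to the bridged VLAN interfaces, never to the BVI. The FWSM
! passes nothing through an interface that has no ACL, so each side gets one.
access-list HR-IN extended permit tcp any 10.1.1.0 255.255.255.0 eq 443
access-list HR-IN extended permit icmp any 10.1.1.0 255.255.255.0 echo
access-group HR-IN in interface outsideHR
access-list HR-OUT extended permit ip 10.1.1.0 255.255.255.0 any
access-group HR-OUT in interface insideHR
! (an equivalent ACL pair is needed for Mkt and RD)
!
! Traffic addressed TO the BVI itself is not matched by the interface ACLs;
! the icmp and telnet commands control it, per interface and per source.
icmp permit 10.1.1.0 255.255.255.0 outsideHR
icmp deny any outsideHR
telnet 10.1.1.0 255.255.255.0 insideHR
telnet timeout 5
```

Two points worth checking against this layout: each bridge group isolates its own VLAN pair, so a fourth or later VLAN needs its own bridge group (up to 8 per context) rather than a third interface in an existing one, and the telnet command only admits sources on the named interface. A "telnet 0.0.0.0 0.0.0.0 inside" line admits every source on that side; limiting it to a management subnet as above, or using the FWSM's ssh command with the same source/mask/interface form, keeps the management plane narrow.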
03-29-2009 07:56 PM
Dear Vikram,
Many thanks for your reply.
My topology and configuration are in the attached file.
1, Server A can ping Server B, but the MSFC cannot ping the BVI interface;
2, In the second topology there are 3 inside VLANs: HR, RD and Market servers, located in different VLANs and different subnets. I want to protect them with the FWSM. Do I need to configure 3 pairs of VLANs on the MSFC, 3 pairs of VLANs on the FWSM and 3 bridge-groups?
Many thanks
Tao
03-30-2009 12:38 AM
Thanks for Vikram's reply.
I have solved the ICMP ping problem. After adding two icmp commands directly on the outside interface, not in the ACL, ping works.
But the problem is that telnet doesn't work to the BVI interface. Even though I have configured "telnet 0.0.0.0 0.0.0.0 inside", I still can't telnet to 10.1.10.2 from 10.1.10.10.
Does anyone know how to solve this problem?
Another question: does it mean the FWSM can support just 8 inside VLANs protected by the FWSM? I think that's too few for a campus LAN design, am I right?
Many thanks
Tao