04-05-2013 01:32 PM - edited 03-11-2019 06:24 PM
So we have an FWSM in our 6509 chassis. It has an inside interface and an outside interface to the internet. I would like to add an interface to the FWSM to route to other parts of our network. I have added the interface I want and have given it an IP, it can ping the other firewalls on the same network/vlan. This interface is going to be the main link between other network segments.
The way the firewall is configured now, there's no VLANs on it, I believe that is all done on the supervisor, etc. I created the vlan99 on the 6500, I tried both giving it an IP and also just creating the vlan and the interface vlan but I can't get traffic to route from that switch to the firewall.
Basically I want the inside network to route everything to the inside interface, then the firewall will route out my new interface to other network segments.
I'm not sure what I'm missing but I need help with it, so if anyone has experience with the FWSM please chime in! I believe the FWSM is configured correctly, but I think the issue might be with the switch getting the traffic to it, etc.
04-05-2013 01:45 PM
Hello,
Can you share the FWSM configuration and the Switch Setup for the firewall and that vlan?
Regards
04-05-2013 01:54 PM
I think this is all of the info that pertains to this. Attached a logical drawing, inside and 6500 would be "inside networks" at the top.
6500 Switch
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 250
firewall vlan-group 250 99,230,240,245,250
interface Port-channel1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,47,99,100,230,240,245,250,260,600,610
switchport mode trunk
interface GigabitEthernet4/6
description CSP to Demarc
switchport
switchport access vlan 99
switchport mode access
interface GigabitEthernet4/31
description FWSM PRIVATE
switchport
switchport access vlan 230
switchport mode access
!
interface GigabitEthernet4/32
description Connection to Internet Switch Gi1/0/1
switchport
switchport access vlan 240
switchport mode access
interface Vlan10
description ETHER_CHANNEL VLAN
ip address 10.1.0.233 255.255.255.252
!
interface Vlan99
no ip address
!
interface Vlan230
description FW-PRIVATE
ip address 10.47.2.3 255.255.255.0
standby 1 ip 10.47.2.5
standby 1 priority 125
standby 1 preempt
!
interface Vlan240
description FW-PUBLIC
no ip address
router eigrp 1
network 10.47.47.0 0.0.0.15
network 10.0.0.0
no auto-summary
redistribute static
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.47.2.1 (INSIDE ADDRESS FWSM)
FWSM
interface Vlan99
description Connection to Inland and Contractor Networks
nameif CSP
security-level 10
ip address 10.99.99.10 255.255.255.0
!
interface Vlan230
description FW-PRIVATE
nameif inside
security-level 100
ip address 10.47.2.1 255.255.255.0 standby 10.47.2.2
!
interface Vlan240
description FW-PUBLIC
nameif outside
security-level 0
ip address *.*.*.* standby *.*.*.*
!
interface Vlan250
description LAN/STATE Failover Interface
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip verify reverse-path interface CSP
failover
failover lan unit primary
failover lan interface FAILOVER Vlan250
failover replication http
failover link FAILOVER Vlan250
failover interface ip FAILOVER 10.1.0.237 255.255.255.252 standby 10.1.0.238
monitor-interface inside
monitor-interface outside
icmp permit any inside
icmp permit any outside
asdm history enable
arp timeout 14400
nat-control
global (outside) 2 *.*.*.* netmask 255.255.255.240
global (outside) 1 interface
nat (inside) 2 access-list inside_nat_outbound
nat (inside) 1 10.0.0.0 255.0.0.0
access-group internet2 in interface inside
access-group internet1 in interface outside
access-group CSP_access_in in interface CSP
route inside 192.168.144.0 255.255.252.0 10.47.2.5 1
route inside 172.16.206.0 255.255.254.0 10.47.2.5 1
route inside 10.0.0.0 255.0.0.0 10.47.2.5 1
route outside 0.0.0.0 0.0.0.0 209.115.188.49 1
route CSP 10.5.2.0 255.255.255.0 10.99.99.20 1
route CSP 10.5.3.0 255.255.255.0 10.99.99.20 1
04-05-2013 02:15 PM
Hello,
Okay, let me analyze this, but may I know which is the new interface?
04-05-2013 02:18 PM
The CSP (vlan99) is the new interface, joining to the other networks/firewalls. Added a diagram to above.
Currently the inside network 10.47.2.x and outside on the FWSM work fine, just trying to add this other function so we can talk to other parts of our network, etc. That was all here before I started this job so I never had to do much to the FWSM.
I'm great with ASAs but when it comes to configuring the 6500/FWSM together I can't seem to get it.
I tried giving vlan99 an IP on the 6500 as well, but when I do that it seems to bypass the firewall and just talk over layer 2.
04-05-2013 02:25 PM
I tried giving vlan99 an IP on the 6500 as well, but when I do that it seems to bypass the firewall and just talk over layer 2.
Exactly, that will bypass the FWSM
You have nat-control on, so you need a NAT statement for the new interface:
nat (CSP) 1 0 0
From the FWSM can you ping 10.99.99.20 ?
Regards
04-05-2013 02:32 PM
Exactly, when I give vlan99 an IP it seems to bypass. From the FWSM I can ping .20 and .30.
When I try to ping or access anything outside of the 6500 I don't see it getting to the firewall.
04-05-2013 02:38 PM
Hello,
Can you do a capture on the inside interface of the FWSM to check if we are getting the packets there?
Regards
04-05-2013 02:58 PM
Hi,
Where are you testing the traffic from (source IP) and where are you testing the traffic to (destination IP)?
Can you also show what your routing table looks like on the 6500?
You seem to have the current interfaces in the Global Routing Table, which means those networks see each other even without the FWSM.
Typically in our FWSM environments we configure each network segment and its Vlan interfaces to their own VRF, which means their networks/routing is separated to their own virtual routing table.
But to be honest, I am not totally sure between which networks you have done tests currently that fail?
- Jouni
04-05-2013 03:01 PM
I've been trying just from the 6500 itself with pings. I can try from a server on the 10.47.2.x network as well. Basically trying to ping anything on my 10.99.99.x network or even the 10.5.2.x network which I've allowed ping through.
I tried a capture, didn't seem to work, must have set it up wrong.
Routing table is up top, default route is what should be used...
04-05-2013 03:43 PM
Hello,
Okay,
On the Catalyst we only need the SVI for the inside interface; the other 2 are just basic layer 2 Vlans and that's it.
Now,
You are sending all the traffic to the FWSM via the inside interface, that's why I asked for the capture,
Let me know if you see something as soon as you set it properly
04-05-2013 04:04 PM
The inside interface works, and we have the vlan 230 with an address there.
interface Vlan230
description FW-PRIVATE
ip address 10.47.2.3 255.255.255.0
standby 1 ip 10.47.2.5
standby 1 priority 125
standby 1 preempt
I tried the capture but it didn't work so I will have to find out what I'm doing wrong.
04-05-2013 04:19 PM
Hello,
It's a shame we do not have the packet-tracer command on the FWSM family.
static (inside,CSP) 10.47.2.0 10.47.2.0 netmask 255.255.255.0
static (CSP,inside) 10.99.99.0 10.99.99.0 netmask 255.255.255.0
From a PC within the new vlan, can you try to ping a host on the inside (use a host other than 10.47.2.1 and .2, as those are used by the FWSM)?
Then create this capture:
access-list test extended permit icmp host CSP_IP_address host Inside_address_ip
capture test interface CSP access-list test
Then ping and share the output of:
show capture test
Regards,
Julio carvajal
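Julio's NAT and capture suggestions pulled together into one FWSM fragment, as an added example (this is not the thread's own configuration). It keeps the interface and route definitions the poster already has, assumes 10.47.2.6 as the inside test host and 10.99.99.20 as the CSP-side host (both addresses appear in the thread), assumes the existing inside ACL `internet2` permits the flow, and uses a made-up capture ACL name `cap_icmp`. Lines starting with `:` are FWSM comments.

```cisco
: ---- FWSM side: added example, not the poster's or the replies' own config ----
: The new interface as already defined in the thread.
interface Vlan99
 description Connection to Inland and Contractor Networks
 nameif CSP
 security-level 10
 ip address 10.99.99.10 255.255.255.0
!
: nat-control is enabled, so every inside <-> CSP flow must match a NAT rule.
: Identity statics satisfy that requirement without changing any address.
static (inside,CSP) 10.47.2.0 10.47.2.0 netmask 255.255.255.0
static (CSP,inside) 10.99.99.0 10.99.99.0 netmask 255.255.255.0
: CSP hosts going to the lower-security outside interface use the existing
: 'global (outside) 1 interface' PAT (nat id 1), the same id the inside uses.
nat (CSP) 1 0.0.0.0 0.0.0.0
: Networks behind the CSP-side firewalls (already in the thread).
route CSP 10.5.2.0 255.255.255.0 10.99.99.20 1
route CSP 10.5.3.0 255.255.255.0 10.99.99.20 1
!
: CSP (10) is lower security than inside (100), so CSP-initiated flows need an
: explicit permit. Only ICMP echo toward the inside network is opened here; the
: inside ACL (internet2, assumed) must likewise permit inside -> CSP traffic.
access-list CSP_access_in extended permit icmp 10.99.99.0 255.255.255.0 10.47.2.0 255.255.255.0 echo
access-group CSP_access_in in interface CSP
!
: Verification: capture the test flow in both directions on both interfaces so
: a one-way result (request seen, reply missing) is visible.
access-list cap_icmp extended permit icmp host 10.99.99.20 host 10.47.2.6
access-list cap_icmp extended permit icmp host 10.47.2.6 host 10.99.99.20
capture csp_side interface CSP access-list cap_icmp
capture in_side interface inside access-list cap_icmp
: From 10.99.99.20 ping 10.47.2.6, then:
:   show capture csp_side
:   show capture in_side
: Reading the result:
:   packets on csp_side, none on in_side -> the FWSM dropped them (ACL or NAT); check 'show logging'
:   packets on neither                   -> the flow never reached the FWSM; the 6500 forwarded it around the firewall
:   packets on both, replies missing     -> return path on the inside side (routing/HSRP) is the problem
: Remove the captures when done:
:   no capture csp_side
:   no capture in_side
```

The two `cap_icmp` entries are the detail most often missed: a capture ACL with only the request direction shows echo requests arriving but can never show whether the replies left, which is exactly the ambiguity this thread is stuck on.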
04-07-2013 06:18 AM
If I make the inside interfaces and the CSP interfaces all the same security, I shouldn't need the statics, correct? I just made them all 100 for now.
04-07-2013 07:43 AM
This is absolutely stupid. I'm not sure why they can't just make a command that forces an interface on the 6500 to be a firewalled interface.
If I ping from a host 10.47.2.6 to 10.99.99.20 it works but again just over layer 2.
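The bypass the thread keeps running into (giving vlan 99 an SVI with an address in the global routing table, so the 10.47.2.x and 10.99.99.x hosts reach each other "just over layer 2/3" on the supervisor) and the two fixes the replies suggest (Julio: keep vlan 99 a layer-2-only VLAN; Jouni: isolate far-side SVIs in a VRF) are shown side by side in this added Catalyst 6500 example. It is not the poster's configuration: the VLAN name, the VRF name and RD, and the address 10.99.99.1 are assumptions; the interface, vlan-group and HSRP lines are the ones already posted.

```cisco
! ---- Catalyst 6500 supervisor side: added example, not the poster's config ----
!
! Weak setting: a routed SVI for VLAN 99 in the global routing table. The
! supervisor then holds 10.47.2.0/24 AND 10.99.99.0/24 as connected routes and
! forwards between them itself; the FWSM CSP interface never sees the packets.
!
!   interface Vlan99
!    ip address 10.99.99.1 255.255.255.0     ! hypothetical address; this is the bypass
!
! Fix A (layer-2-only VLAN): VLAN 99 exists on the switch only so it can be
! handed to the FWSM through the vlan-group. The only global SVI toward the
! firewall is the inside VLAN, and the global table reaches the CSP-side
! networks only through the FWSM inside address.
vlan 99
 name FWSM-CSP
!
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 250
firewall vlan-group 250 99,230,240,245,250
!
interface GigabitEthernet4/6
 description CSP to Demarc
 switchport
 switchport access vlan 99
 switchport mode access
!
interface Vlan99
 no ip address
!
interface Vlan230
 description FW-PRIVATE
 ip address 10.47.2.3 255.255.255.0
 standby 1 ip 10.47.2.5
 standby 1 priority 125
 standby 1 preempt
!
! Anything not in the inside networks goes to the FWSM; the FWSM's own
! 'route CSP 10.5.2.0 ...' entries carry it on toward 10.99.99.20.
ip route 0.0.0.0 0.0.0.0 10.47.2.1
!
! Check after applying: the next hop for a CSP-side host must be the FWSM,
! never "directly connected, Vlan99".
!   show ip route 10.99.99.20
!
! Fix B (Jouni's VRF approach), used INSTEAD of the 'no ip address' SVI above
! when the switch itself must own an address on the far side of the firewall.
! The SVI lives in its own VRF, so the global table cannot route around the FWSM
! and the VRF can only get back to the inside networks through the FWSM.
ip vrf CSP-SIDE
 rd 65000:99
!
interface Vlan99
 ip vrf forwarding CSP-SIDE
 ip address 10.99.99.1 255.255.255.0
!
ip route vrf CSP-SIDE 10.47.2.0 255.255.255.0 10.99.99.10
!
! Check: the global table must still NOT contain 10.99.99.0/24 as connected.
!   show ip route vrf CSP-SIDE
!   show ip route 10.99.99.0 255.255.255.0
```

With either fix, the final test in the thread (10.47.2.6 pinging 10.99.99.20) should produce packets in an FWSM capture on the inside interface; if it still succeeds with nothing in the capture, some other SVI or static route in the global table is providing the shortcut and `show ip route 10.99.99.20` will point at it.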