Need help configuring my FWSM. Adding an interface?

cshannahan
Level 1

So we have an FWSM in our 6509 chassis.  It has an inside interface and an outside interface to the internet.  I would like to add an interface to the FWSM to route to other parts of our network.  I have added the interface I want and have given it an IP, it can ping the other firewalls on the same network/vlan.  This interface is going to be the main link between other network segments.

The way the firewall is configured now, there's no VLANs on it, I believe that is all done on the supervisor, etc.  I created the vlan99 on the 6500, I tried both giving it an IP and also just creating the vlan and the interface vlan, but I can't get traffic to route from that switch to the firewall.

Basically I want the inside network to route everything to the inside interface, then the firewall will route out my new interface to other network segments.

I'm not sure what I'm missing but I need help with it, so if anyone has experience with the FWSM please chime in!  I believe the FWSM is configured correctly, but I think the issue might be with the switch getting the traffic to it, etc.

15 Replies

Julio Carvajal
VIP Alumni

Hello,

Can you share the FWSM configuration and the switch setup for the firewall and that vlan?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I think this is all of the info that pertains to this. Attached a logical drawing, inside and 6500 would be "inside networks" at the top.

6500 Switch

firewall multiple-vlan-interfaces
firewall module 3 vlan-group 250
firewall vlan-group 250  99,230,240,245,250
interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,47,99,100,230,240,245,250,260,600,610
 switchport mode trunk
interface GigabitEthernet4/6
 description CSP to Demarc
 switchport
 switchport access vlan 99
 switchport mode access
interface GigabitEthernet4/31
 description FWSM PRIVATE
 switchport
 switchport access vlan 230
 switchport mode access
!
interface GigabitEthernet4/32
 description Connection to Internet Switch Gi1/0/1
 switchport
 switchport access vlan 240
 switchport mode access
interface Vlan10
 description ETHER_CHANNEL VLAN
 ip address 10.1.0.233 255.255.255.252
!
interface Vlan99
 no ip address
!
interface Vlan230
 description FW-PRIVATE
 ip address 10.47.2.3 255.255.255.0
 standby 1 ip 10.47.2.5
 standby 1 priority 125
 standby 1 preempt
!
interface Vlan240
 description FW-PUBLIC
 no ip address
router eigrp 1
 network 10.47.47.0 0.0.0.15
 network 10.0.0.0
 no auto-summary
 redistribute static
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.47.2.1 (INSIDE ADDRESS FWSM)

FWSM

interface Vlan99
 description Connection to Inland and Contractor Networks
 nameif CSP
 security-level 10
 ip address 10.99.99.10 255.255.255.0
!
interface Vlan230
 description FW-PRIVATE
 nameif inside
 security-level 100
 ip address 10.47.2.1 255.255.255.0 standby 10.47.2.2
!
interface Vlan240
 description FW-PUBLIC
 nameif outside
 security-level 0
 ip address *.*.*.* standby *.*.*.*
!
interface Vlan250
 description LAN/STATE Failover Interface
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip verify reverse-path interface CSP
failover
failover lan unit primary
failover lan interface FAILOVER Vlan250
failover replication http
failover link FAILOVER Vlan250
failover interface ip FAILOVER 10.1.0.237 255.255.255.252 standby 10.1.0.238
monitor-interface inside
monitor-interface outside
icmp permit any inside
icmp permit any outside
asdm history enable
arp timeout 14400
nat-control
global (outside) 2 *.*.*.* netmask 255.255.255.240
global (outside) 1 interface
nat (inside) 2 access-list inside_nat_outbound
nat (inside) 1 10.0.0.0 255.0.0.0
access-group internet2 in interface inside
access-group internet1 in interface outside
access-group CSP_access_in in interface CSP
route inside 192.168.144.0 255.255.252.0 10.47.2.5 1
route inside 172.16.206.0 255.255.254.0 10.47.2.5 1
route inside 10.0.0.0 255.0.0.0 10.47.2.5 1
route outside 0.0.0.0 0.0.0.0 209.115.188.49 1
route CSP 10.5.2.0 255.255.255.0 10.99.99.20 1
route CSP 10.5.3.0 255.255.255.0 10.99.99.20 1

Hello,

Okay, let me analyze this, but may I know which is the new interface?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

The CSP (vlan99) is the new interface, joining to the other networks/firewalls.  Added a diagram to above.

Currently the inside network 10.47.2.x and outside on the FWSM work fine, just trying to add this other function so we can talk to other parts of our network, etc.  That was all here before I started this job so I never had to do much to the FWSM.

I'm great with ASAs but when it comes to configuring the 6500/FWSM together I can't seem to get it.

I tried giving vlan99 an IP on the 6500 as well, but when I do that it seems to bypass the firewall and just talk over layer 2.

I tried giving vlan99 an IP on the 6500 as well, but when I do that it seems to bypass the firewall and just talk over layer 2.

Exactly, that will bypass the FWSM

You have nat-control on, so you need a NAT statement for the new interface:

nat (CSP) 1 0 0


From the FWSM can you ping 10.99.99.20 ?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Exactly, when I give vlan99 an IP it seems to bypass.  From the FWSM I can ping .20 and .30.

When I try to ping or access anything outside of the 6500 I don't see it getting to the firewall.

Hello,

Can you do a capture on the inside interface of the FWSM to check if we are getting the packets there?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Where are you testing the traffic from (source IP), and where are you testing it to (destination IP)?

Can you also show what your routing table looks like on the 6500?

You seem to have the current interfaces in the global routing table, which means those networks see each other even without the FWSM.

Typically in our FWSM environments we configure each network segment and its Vlan interfaces into their own VRF, which means their networks/routing are separated into their own virtual routing table.

But to be honest, I am not totally sure between which networks you have done tests currently that fail?

- Jouni

I've been trying just from the 6500 itself with pings.  I can try from a server on the 10.47.2.x network as well.  Basically trying to ping anything on my 10.99.99.x network or even the 10.5.2.x network which I've allowed ping through.

I tried a capture, didn't seem to work, must have set it up wrong.

Routing table is up top, default route is what should be used...

Hello,

Okay,

On the Catalyst we only need the SVI for the inside interface; the other 2 are just basic layer 2 VLANs, and that's it.

Now,

You are sending all the traffic to the FWSM via the inside interface; that's why I asked for the capture.

Let me know if you see something as soon as you set it properly

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
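The rule in the reply above (only the inside VLAN gets an SVI with an address; every other VLAN handed to the FWSM stays a pure layer 2 VLAN) can be checked mechanically. This is an added example, not the poster's or Cisco's code: it parses a constructed 6500 config fragment, modelled on the one posted in this thread but with an IP added to the Vlan99 SVI, and flags any VLAN in the firewall vlan-group whose SVI carries an IP, because the 6500 would then route that VLAN itself and the FWSM would never see the traffic. The inside VLAN number is passed in as an assumed parameter.

```python
import re

# Constructed 6500 config fragment (not the poster's full config): the
# Vlan99 SVI deliberately has an IP to reproduce the bypass described.
SAMPLE_CONFIG = """\
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 250
firewall vlan-group 250  99,230,240,245,250
interface Vlan99
 ip address 10.99.99.1 255.255.255.0
!
interface Vlan230
 description FW-PRIVATE
 ip address 10.47.2.3 255.255.255.0
!
interface Vlan240
 description FW-PUBLIC
 no ip address
!
"""

def firewalled_vlans(config):
    """VLAN IDs handed to the FWSM by 'firewall vlan-group' lines (ranges allowed)."""
    vlans = set()
    for m in re.finditer(r"^firewall vlan-group\s+\d+\s+([\d,\- ]+)$", config, re.M):
        for part in m.group(1).replace(" ", "").split(","):
            if part:
                lo, _, hi = part.partition("-")
                vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def svi_addresses(config):
    """Map VLAN ID -> its SVI 'ip address' argument, or None for an L2-only VLAN."""
    addrs = {}
    for m in re.finditer(r"^interface Vlan(\d+)\n((?: .*\n)*)", config, re.M):
        ip = re.search(r"^ ip address (\S+ \S+)$", m.group(2), re.M)
        addrs[int(m.group(1))] = ip.group(1) if ip else None
    return addrs

def bypass_candidates(config, inside_vlans=()):
    """FWSM-owned VLANs whose SVI has an IP: the 6500 routes between those
    directly and the FWSM never sees the traffic. The inside VLAN, whose SVI
    is the switch's next hop towards the firewall, is exempted by the caller."""
    fw = firewalled_vlans(config)
    return sorted(v for v, ip in svi_addresses(config).items()
                  if v in fw and ip and v not in set(inside_vlans))

if __name__ == "__main__":
    print("SVIs that bypass the FWSM:", bypass_candidates(SAMPLE_CONFIG, (230,)))
```

Run it against the output of `show running-config` from the switch; any VLAN it lists other than the inside one will carry traffic around the FWSM rather than through it.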

The inside interface works, and we have the vlan 230 with an address there.

interface Vlan230
 description FW-PRIVATE
 ip address 10.47.2.3 255.255.255.0
 standby 1 ip 10.47.2.5
 standby 1 priority 125
 standby 1 preempt

I tried the capture but it didn't work so I will have to find out what I'm doing wrong.

Hello,

It's a shame we do not have the packet-tracer command on the FWSM family.

static (inside,CSP)  10.47.2.0 10.47.2.10

static (CSP,inside) 10.99.99.0 10.99.99.0

From a PC within the new vlan, can you try to ping a host on the inside (use a host different from 10.47.2.1 and .2, as those are used by the FWSM)?

Then create this capture

access-list test match icmp host CSP_IP_address host Inside_address_ip

capture test interface CSP access-list test

Then ping and share

Show cap test

Regards,

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

If I make the inside interfaces and the CSP interfaces all the same security, I shouldn't need the statics correct?  I just made them all 100 for now.

This is absolutely stupid.  I'm not sure why they can't just make a command that forces an interface on the 6500 to be a firewalled interface.

If I ping from a host 10.47.2.6 to 10.99.99.20 it works but again just over layer 2. 
