01-13-2014 06:57 AM - edited 03-11-2019 08:28 PM
Hi Friends,
We have two FWSMs on 6509 boxes. The inside security level is 100, outside is zero, and one DMZ has security level zero. I want to create another DMZ.
Could someone explain to me the steps to create a DMZ on the FWSM? I am not an expert on FWSM. Also, the new DMZ should be able to communicate with the existing DMZ.
OSPF is running on the FWSM.
Regards,
Malik
01-13-2014 11:16 AM
With the command:
show run access-group
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-13-2014 11:35 AM
Malik
Not quite. There are a couple of steps before you configure the actual FWSM -
1) Create the L2 VLAN as in your config, but do not create an L3 VLAN interface, so you don't need the second bit of your above config. If you create an L3 SVI then the 6500 will simply route around the firewall, so just
vlan 100
name ABC
2) You now need to assign the VLAN to the FWSM. Do a "sh run" on your 6500 and near the top there will be two lines like this -
firewall module 7 vlan-group 1 <-- the 7 in this line matches the slot your FWSM is in on the 6500
firewall vlan-group 1 10,11,12
So you need to add your VLAN to the second line above, i.e.
firewall vlan-group 100
That should do it. One other thing: if you have two 6500s interconnected, each with an FWSM, then unless you are running VSS you will need to do step 2) on the other 6500 as well, because from memory it is not replicated.
Jon
01-13-2014 11:55 AM
Malik
My apologies, in the example I gave I missed out the vlan-group number, so the command is -
firewall vlan-group
i.e. you reference the vlan-group number and then specify the VLAN you want to add.
With VSS you only configure the active switch and the config is replicated for you, so there is no need to configure these commands on both switches.
Jon
01-13-2014 10:22 AM
Hello Faisal,
Check the configuration with show run and follow the same configuration commands:
interface vlan X
 nameif DMZ_2
 ip address x.x.x.x x.x.x.x
 security-level #
Then create the right NAT for the traffic between the VLANs, and ACLs as needed.
Cheers,
Julio Carvajal Segura
01-13-2014 10:32 AM
Thanks Julio for your reply. My concern was what security level I should assign to the new DMZ so it could communicate with the existing VLAN; servers in the new DMZ will also be accessed through SSL VPN from outside.
inside interface security level 100
outside interface security level 0
existing dmz security level 0
new dmz security level ???
Finally, why do we need NAT?
Regards,
01-13-2014 10:38 AM
Hello Faisal,
For that you will need to consider the servers/devices you will put on that interface.
If there are critical boxes then set a higher security level (100) so you can control traffic in a more responsible way (denying traffic from lower to higher by default) and modify it as your needs dictate, instead of using a lower security level and allowing traffic to it by default.
So in the end it will all depend on what you host behind it.
Now depending on the security level you will configure NAT and ACLs.
NAT is needed in order to be able to communicate with a public IP address from a private IP address. Remember that for you to go through the internet you MUST have a public IP address.
NAT is here to do two things:
Preserve the IPv4 address space
Allow you to communicate over the internet with another host
Cheers,
Julio Carvajal Segura
01-13-2014 10:46 AM
Thanks for the brief reply. I am not NATting anything on the FWSM; there is a default route on the outside interface connected to another vendor's device, and we are doing NAT on that box, not on the FWSM.
NOW my question is: if I set security level 50 for the new DMZ, do I need an ACL to allow traffic to talk to the existing DMZ, which has security level zero, as well as to the outside interface?
01-13-2014 10:52 AM
Then no NAT is needed here.
With a security level of 50, traffic from the new DMZ to the old DMZ will be allowed, as well as going to Outside.
Now for traffic generated on the other side you WILL need an ACL.
Cheers,
Julio Carvajal Segura
01-13-2014 10:55 AM
Sorry Julio, which other side?
01-13-2014 10:57 AM
Let's say you want to connect to a server on the New DMZ from the old DMZ or the Outside interface.
You will be going from lower to higher so an ACL will be needed on the lower security interface in the IN direction.
Remember to rate all of the helpful posts such as the ones I have provided Faisal
Cheers,
Julio Carvajal Segura
01-13-2014 10:59 AM
Thanks Julio for your help
01-13-2014 11:01 AM
Hello,
No problem Faisal.
Cheers,
Julio Carvajal Segura
01-13-2014 11:09 AM
Sorry to bother you again Julio. I found this line in the running config; could you tell me why it's there?
static (dmz-abc,outside) 10.9.2.0 10.9.2.0 netmask 255.255.255.0
01-13-2014 11:11 AM
Hello,
That's basically an identity NAT.
That lets the FWSM know that 10.9.2.0 will look like 10.9.2.0 on the outside interface (a no-NAT rule).
So, as you said, you do not have any NAT; no worry, it is basically doing nothing hehe
Cheers,
Julio Carvajal Segura
01-13-2014 11:12 AM
Thanks
01-13-2014 11:13 AM
Sure,
And remember to rate the answers (let me know if you do not know how)
Cheers,
Julio Carvajal Segura
01-13-2014 11:14 AM
Normally you can enter sh run int vlan xyz to check for any ACL and the rest of the config under any VLAN. How can you check on the FWSM whether there is any ACL under a VLAN?
sh run int vlan xyz ??
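Putting the thread's steps together (Jon's VLAN and vlan-group steps on the 6500, Julio's interface block, an inbound ACL on the lower-security side for traffic into the new DMZ, and the identity static discussed above) as one constructed example added here, not configuration from any post in the thread. VLAN 100, the name dmz2, the 10.9.3.0/24 subnet, the host 10.9.3.10, vlan-group 1 and the OSPF process/area are assumed placeholders; dmz-abc and 10.9.2.0/24 are the names quoted in the thread.

```text
! --- Catalyst 6500 supervisor (repeat on the second 6500 unless VSS is in use) ---
vlan 100
 name DMZ2
!
! Deliberately no "interface vlan 100" SVI: an SVI would let the 6500 route around the FWSM.
! Append VLAN 100 to the vlan-group that "firewall module <slot> vlan-group 1" already binds to the FWSM.
firewall vlan-group 1 10,11,12,100
!
! --- FWSM ---
interface vlan 100
 nameif dmz2
 security-level 50
 ip address 10.9.3.1 255.255.255.0
!
! 50 > 0, so dmz2 -> dmz-abc and dmz2 -> outside pass without an ACL,
! until an inbound access-group is bound to dmz2; from then on that ACL (with its implicit deny) decides.
!
! 0 -> 50 is denied by default: the ACL goes on the lower-security interface, "in" direction.
! Only one inbound ACL can be bound per interface; if one is already bound to outside or dmz-abc,
! add these entries to that ACL rather than binding a new one.
access-list outside_in extended permit tcp any host 10.9.3.10 eq 443
access-group outside_in in interface outside
!
access-list dmzabc_in extended permit tcp 10.9.2.0 255.255.255.0 host 10.9.3.10 eq 443
access-group dmzabc_in in interface dmz-abc
!
! Identity static for the new subnet, mirroring the "static (dmz-abc,outside) 10.9.2.0 10.9.2.0" line
! already in the running config: it changes no addresses and is only needed if the FWSM insists on a
! NAT rule for the flow (nat-control).
static (dmz2,outside) 10.9.3.0 10.9.3.0 netmask 255.255.255.0
!
! Advertise the new subnet in the OSPF process already running on the FWSM
! (process id 1 and area 0 are placeholders; match the existing "router ospf" block).
router ospf 1
 network 10.9.3.0 255.255.255.0 area 0
!
! Verify which ACL is bound to which interface:
! show run access-group
```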