Solved: Re: New DMZ in FWSM - Page 2

Faisal Shabbir · ‎01-13-2014

Hi Freinds,

we have two FWSMs on 6509 boxes, inside secuirty level is 100, outside is zero one dmz has security level zero i want to create another dmz ..

could someone explain me the steps to create dmz in FWSM i am not expert on FWSM also the new DMZ should be to communicate with existing dmz,

ospf is running on fwsm

Regards,

Malik

Julio Carvajal · ‎01-13-2014

With the command:

show run access-group

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Faisal Shabbir · ‎01-13-2014

you have made my day Julio bundle of thanks

Julio Carvajal · ‎01-13-2014

Hello.

LOL

No problem bud

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jon Marshall · ‎01-13-2014

Malik

Julio has done a great job of provding you the config for the actual FWSM. Before you configure that though you need to create a L2 vlan on the 6500 and assign that vlan to the FWSM.

Are you okay with doing that ?

Jon

Faisal Shabbir · ‎01-13-2014

yeah Jon i guess its should be like that

vlan 100

name ABC

int vlan 100

no shut down

correct ??

Jon Marshall · ‎01-13-2014

Malik

Not quite. There are a couple of steps before you configure the actual FWSM -

1) create the L2 vlan as in your config but do not create a L3 vlan interface, so you don't need the second bit of your above config. If you create a L3 SVI then the 6500 will simply route around the firewall so just

vlan 100

name ABC

2) you now need to assign the vlan to the FWSM. Do a "sh run" on your 6500 and near the top will be two lines like this -

firewall module 7 vlan-group 1 <-- the 7 in this line matches the slot your FWSM is in on the 6500

firewall vlan-group 1 10,11,12

so you need to add your vlan to the second line above ie

firewall vlan-group 100

that should do it. One other thing. If you have two 6500s interconnected each with an FWSM unless you are running VSS you will need to do step 2) on the other 6500 as well because from memory it is not replicated.

Jon

Faisal Shabbir · ‎01-13-2014

great informartion jon we are using VSS

Faisal Shabbir · ‎01-13-2014

in global config it should be like that

(config)# firewall vlan-group 100 10

?????

Faisal Shabbir · ‎01-13-2014

on both VSS switches ???

Jon Marshall · ‎01-13-2014

Malik

My apologies in the example i gave i missed out the vlan group number so the command is -

firewall vlan-group

ie. you reference the vlan-group number and then specify the vlan you want to add.

With VSS you only configure the active switch and the config is replicated for you so no need to configure these commands on both switches.

Jon

Faisal Shabbir · ‎01-13-2014

Many Thanks jon