Reg: FWSM router mode issue

cisco.anubhav
Level 1

Hi,

I have a Cisco FWSM installed in a Cisco 7613 router; the topology is as shown below:

        7613+{FWSM}------3560---------3560----[10.220.0.0/29,10.220.1.0/29,10.220.2.0/29] 

Here we created a p2p link between the 7613 gig port and the 3560 switch gig port (say 10.220.1.252/29), and there is a trunk between both 3560 switches. We wish to run the FWSM in router mode and configured vlan groups 10 (101,102) and 20 (200,201) and assigned both these groups to the firewall module. On the router, vlan 200 has been given IP address 192.168.2.1/24, while on the FWSM int vlan 200 has been given 192.168.2.2. Although the interfaces are up and ping their individual IP addresses, they are not pinging each other (both IP addresses appear in sh arp though). Kindly help in resolving this issue.

Also I configured vlan 201 as inside; it is also up and visible in the ARP table of the router, but not pinging the others. Kindly help in the resolution of this issue.

We need to put this firewall in front of the router, which has a serial line to another 7600 router. How would I take traffic to the FWSM? Please suggest what else I need to do, as I am new to FWSM.

router config:

Router#sh firewall module

Module Vlan-groups
------ -----------
  04   1,2

Router#sh firewall vlan-group

Display vlan-groups created by both ACE module and FWSM

Group    Created by      vlans
-----    ----------      -----
    1           ACE      100-101,200-202
    2                    <empty>

Router#sh arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.225.62.145           -   001d.a156.9300  ARPA   GigabitEthernet10/1
Internet  10.225.62.146         107   001d.a1a5.fbc1  ARPA   GigabitEthernet10/1
Internet  192.168.2.1             -   001d.a156.9300  ARPA   Vlan200
Internet  192.168.2.2             7   0007.0e5c.3d00  ARPA   Vlan200
Internet  192.168.3.1             4   0007.0e5c.3d00  ARPA   Vlan201
Internet  192.168.3.2             -   001d.a156.9300  ARPA   Vlan201

Fwsm config:

hostname FWSM
interface Vlan200
 nameif outside
 security-level 0
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan201
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4e3eadb1a489f3b696d0c6da8b1b20b9
: end
FWSM#

FWSM# sh arp
        outside 192.168.2.1 001d.a156.9300
        inside 192.168.3.2 001d.a156.9300
        eobc 127.0.0.81 0000.1800.0000

FWSM# sh int
Interface Vlan200 "outside", is up, line protocol is up
  Hardware is EtherSVI
        MAC address 0007.0e5c.3d00, MTU 1500
        IP address 192.168.2.2, subnet mask 255.255.255.0
  Traffic Statistics for "outside":
        6 packets input, 658 bytes
        12 packets output, 1316 bytes
        474 packets dropped
Interface Vlan201 "inside", is up, line protocol is up
  Hardware is EtherSVI
        MAC address 0007.0e5c.3d00, MTU 1500
        IP address 192.168.3.1, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
        6 packets input, 658 bytes
        7 packets output, 726 bytes
        107 packets dropped

23 Replies

Ahh ok, makes sense now. Thanks for the picture.

Based on that, I assume that you don't have the 192.168.3.0/24 subnet on the 3560 switch, right?

If that is the case, that means traffic from the 3560 will be routed next to the 7600, since you have the P2P link. What was the original default gateway on the 3560? Is it 10.225.62.145?

If that is the case, then you would need to change the default gateway on the 7600 to be the FWSM inside interface since you don't have a VLAN on 3560 that is in the same subnet as the FWSM inside interface.

Hi,

Yes, I don't have 192.168.x.x on my 3560, and yes, the original default gateway on the 3560 is 10.225.62.145. I tried to change the default gateway of the 7600 to divert all traffic to the FWSM, but OSPF, which is running on all three 7600 core routers, is only routing traffic as earlier, ignoring the FWSM.

BTW, the OSPF config is:

router ospf 1
 log-adjacency-changes
 redistribute static metric 50 metric-type 1 subnets
 network 10.220.62.2 0.0.0.0 area 0
 network 10.225.2.0 0.0.0.0 area 0
 network 10.225.62.1 0.0.0.0 area 0
 network 10.225.62.0 0.0.0.255 area 0
 network 10.225.63.0 0.0.0.255 area 0

Kindly suggest

Thanks
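Why a new default route on the 7600 leaves OSPF-learned destinations untouched, as an added illustration that is not part of the thread: IOS selects a route by longest prefix match first and administrative distance second, so a 0.0.0.0/0 pointing at the FWSM inside interface only catches destinations that have no more specific route. The routing table below is constructed from the addresses in the thread; the /30 on the P2P link and the exact OSPF prefixes are assumptions.

```python
import ipaddress

# Administrative distances as IOS assigns them (lower wins on an equal prefix length).
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ospf": 110}


class Route:
    def __init__(self, prefix, next_hop, protocol):
        self.network = ipaddress.ip_network(prefix)
        self.next_hop = next_hop
        self.protocol = protocol
        self.ad = ADMIN_DISTANCE[protocol]


def lookup(table, destination):
    """Select the best route the way an IOS RIB does: longest prefix
    first, then lowest administrative distance. Returns the next hop
    (or egress interface for connected routes), or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in table if dst in r.network]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (-r.network.prefixlen, r.ad))
    return best.next_hop


# Constructed 7600 table modelled on the thread: OSPF routes toward the other
# core routers via the 10.225.62.x P2P neighbour, plus the static default the
# poster added toward the FWSM inside interface 192.168.3.1.
TABLE = [
    Route("192.168.3.0/24", "Vlan201", "connected"),          # FWSM inside VLAN
    Route("10.225.62.144/30", "GigabitEthernet10/1", "connected"),  # assumed P2P /30
    Route("10.225.63.0/24", "10.225.62.146", "ospf"),         # assumed OSPF prefix
    Route("10.220.0.0/16", "10.225.62.146", "ospf"),          # assumed OSPF prefix
    Route("0.0.0.0/0", "192.168.3.1", "static"),              # default via FWSM
]


def next_hop_for(destination, table=TABLE):
    return lookup(table, destination)


if __name__ == "__main__":
    # The OSPF-learned /24 and /16 still win over the default, so only
    # traffic to unknown destinations is steered through the FWSM.
    for dst in ("10.225.63.10", "10.220.1.5", "8.8.8.8"):
        print(dst, "->", next_hop_for(dst))
```

Adding a static route for the same prefix (administrative distance 1) does override the OSPF route (110), which is why the reply above steers traffic at the 3560 instead of relying on the 7600's default route.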

Do you have physical access to your switches?

If you do, the best way is to create VLAN 201 on your 3560 and configure an IP address in the 192.168.3.0/24 subnet, then configure the default route to be the FWSM inside interface 192.168.3.1.

Then connect an interface on the 3560 to the 7600 and assign them to VLAN 201.

hi,

What if I put the inside address in some range that is operational on the 3560 (e.g. 10.225.2.252/30 or 10.225.3)? We cannot disturb our topology, and we need that point-to-point link. Also, there is one more 3560 connected to the previously mentioned 3560.

Also, how do I get all the downlink routers' traffic to the FWSM inside interface, apart from the LAN-level traffic?

You have been very helpful; I thank you very much.

Do you have a trunk port between the 3560 and the 7600? Because as per your diagram, it seems that you only have a P2P link, therefore it's a routed connection (layer 3) instead of a layer 2 connection between the 2 devices.

If you do have a trunk port, or an access VLAN connected between the 2 apart from the P2P link, then yes, you can put the inside interface of the FWSM in the same VLAN as the 3560 VLAN. You would also need to change the VLAN assigned to the FWSM inside interface to the same VLAN as the 3560 VLAN that you are going to use.

To get all the routers' traffic to the FWSM inside, as long as the routers' next hop is the FWSM inside instead of the 7600 (b), the traffic will be routed towards the FWSM. The router that is connected directly to the 7600 (b) needs to have an interface in the same subnet as the FWSM inside interface, so you can configure the default route on that router to be the FWSM inside.

Hi,

I wanted to try the same on another FWSM. I removed the old assignments, created new VLANs 60-66 and assigned them to the FWSM, but when I tried to give IP addresses on the router VLAN interfaces, I could give an IP to both interfaces; however, I could not get VLAN 62 up after no shut. In fact the no shut command got rejected with the message:

Forcing SVI 62 to stay shutdown (SVI 61tied to line card in slot 1.)

How do I get rid of this?

Pls help.

Thanks.

Please configure the following command on the 7600:

firewall multiple-vlan-interfaces

Hi,

Thanks. What could be done in order to place the FWSM in front of the router on a point-to-point link? Should the B-end P2P IP, which is on the router serial interface, be on the FWSM outside interface?

thanks.

No, you can't have a P2P connection with router serial interface to be on the FWSM as well.

If you have P2P link between the switch and the router, then the FWSM needs to be configured as the next hop on a different subnet/VLAN on the router.
