10-11-2010 07:55 PM - edited 03-11-2019 11:53 AM
Hi all,
Basically I am taking my first stab at configuring an FWSM in a 6509 with a Sup720. The scenario I need help with is this: I have 2 SVI interfaces coming into my layer 3 switch. I want to pass these 2 SVI interfaces and my ACS local SVI into the FWSM. I want to filter the 2 routable SVI interfaces and pass on what traffic will be allowed into the internal network. I have 10 other dead nets that do not need to be filtered. I have tried routed mode and transparent mode, and I cannot get any traffic to pass.
Currently I have erased the FWSM and left my basic config on my 6509 which I am including here.
firewall multiple-vlan-interfaces
firewall module 9 vlan-group 10
firewall vlan-group 10 20,597,950
10-12-2010 07:45 AM
I am guessing you have an SVI for the vlans you are pushing.
Start by going into the FWSM and configure ip addresses, names and security levels for these vlans. Then configure "icmp permit any
If that works try pinging through the FWSM. Make sure you have icmp inspection enabled and that ACLs allow it.
I hope it helps.
PK
10-12-2010 11:14 AM
I am guessing you have an SVI for the vlans you are pushing.
YES. I had these working for months before the firewall. The ws-svc-fwm was added to pass a security audit coming up.
Start by going into the FWSM and configure ip addresses, names and security levels for these vlans. Then configure "icmp permit any
Ok, so I had:
int vlan 597
nameif outside security 50
ip address 169.69.x.x 255.255.255.0
no shut
int vlan 950
nameif outside2 security 49
ip add 10.128.x.x 255.255.255.0
no shut
int vlan 20
nameif acs security 1
ip add 192.168.2.126 255.255.255.128
I never had the icmp permit any
If that works try pinging through the FWSM. Make sure you have icmp inspection enabled and that ACLs allow it.
For routed mode, don't you have to have OSPF running between the MSFC and FWSM? I guess not, since I can now ping out to the gateways.
I hope it helps.
It most certainly did!
PK
Thank you!
Scott
10-12-2010 11:29 AM
The FWSM is directly connected to these vlans now so it can arp and ping all hosts in these vlans.
Please mark the thread as solved so that others can benefit from it in the future.
Rgs,
PK
10-12-2010 01:14 PM
I am not sure on this one. While I can ping the IPs, I cannot see any of the traffic filtered at all. I have tried multiple things; I might have to put this into another thread, but I'll bite the bullet and post it. I could see the hits to each of the access-list lines with the log functionality enabled on each line. I am not sure I can see that now. I have specific lines left out, to test out the implicit deny at the end of the access-list. It did not block it. Traffic flow is from the 2 SVI interfaces 169.69.100.x and 10.128.142.x into the MSFC, then into the FWSM, filter traffic, then allow what's allowed into the Lab areas or drop that traffic. Only the main interface 169.69.100.x can be pinged from the outside. The 192.168.2.x is not allowed to respond to pings, and my secondary 10.128.142.x does not respond, but I can ping all gateways from the FWSM.
My config is designed to block everything into 2 areas of a Lab.
Lab 1: block all except RDP, SSH, SFTP, ICMP to 2 separate gateway servers, 169.69.100.28 and 48, and allow connectivity to their iLOs: IPs 169.69.100.49 and 52.
All else is blocked to and from these servers....
Lab 2: a more complicated scenario.
169.69.100.5 and 6 are routers that I need access to.
169.69.100.27 - file server
169.69.100.29 - windows network build server
169.69.100.30 - training svr, this only allows RDP to it.
169.69.100.31 - workstation - full access
169.69.100.32 - logistics server
169.69.100.33 - Wiki web server
We also have 5 servers that do bootp builds. This is a must, to allow that functionality. Thanks in advance. This is all new to me, but I am trying. I am just better at route/switching.
Config as follows.
ese340fwsm# show run
: Saved
:
FWSM Version 3.1(10)0
!
hostname ese340fwsm
enable password xxxxxxxxxxx
passwd xxxxxxxxxxxxxxx encrypted
names
!
interface Vlan20
nameif acs
security-level 10
ip address 192.168.2.126 255.255.255.128
!
interface Vlan597
nameif outside
security-level 50
ip address 169.69.100.254 255.255.255.0
!
interface Vlan950
nameif outside2
security-level 49
ip address 10.128.142.10 255.255.255.0
!
ftp mode passive
access-list ITRISK extended permit tcp any host 169.69.100.28 eq 3389 log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq 3389 log
access-list ITRISK extended permit tcp any host 169.69.100.28 eq ftp log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq ftp log
access-list ITRISK extended permit tcp any host 169.69.100.28 eq ssh log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq ssh log
access-list ITRISK extended permit tcp any host 169.69.100.28 eq 115 log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq 115 log
access-list ITRISK extended permit ip any host 169.69.100.49 log
access-list ITRISK extended permit ip any host 169.69.100.52 log
access-list ITRISK extended deny ip any host 169.69.100.28 log
access-list ITRISK extended deny ip any host 169.69.100.48 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 10.20.90.0 255.255.255.0 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 10.20.30.0 255.255.255.0 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 10.20.70.0 255.255.255.0 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 10.20.75.0 255.255.255.0 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 any log
access-list ITRISK extended permit udp any any eq bootpc log
access-list ITRISK extended permit udp any any eq bootps log
access-list ITRISK extended permit tcp any host 169.69.100.30 eq 3389 log
access-list ITRISK extended permit tcp any host 169.69.100.31 eq 3389 log
access-list ITRISK extended permit ip any host 169.69.100.5 log
access-list ITRISK extended permit ip any host 169.69.100.6 log
access-list ITRISK extended permit ip any host 169.69.100.27 log
access-list ITRISK extended permit ip any host 169.69.100.29 log
access-list ITRISK extended permit ip any host 169.69.100.32 log
access-list ITRISK extended permit ip any host 169.69.100.50 log
access-list ITRISK extended permit tcp any host 169.69.100.28 eq echo log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq echo log
access-list ITRISK extended permit tcp any host 169.69.100.49 eq echo log
access-list ITRISK extended permit tcp any host 169.69.100.52 eq echo log
pager lines 24
logging timestamp
logging console critical
logging buffered debugging
mtu outside 1500
mtu outside2 1500
mtu acs 1500
no failover
icmp permit any outside
icmp permit any outside2
icmp permit any acs
no asdm history enable
arp timeout 14400
access-group ITRISK in interface outside ========> tried out and tried in/out and just in.
access-group ITRISK in interface outside2 ========> Tried out and tried in/out and just in.
route outside 0.0.0.0 0.0.0.0 169.69.100.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect smtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
ese340fwsm#
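An added example, not part of the thread, that replays the FWSM's first-match evaluation over a constructed subset of the posted ITRISK entries kept in their posted relative order; the test flows are constructed as well. It shows that the explicit deny for 169.69.100.28 shadows the later "permit tcp ... eq echo" entry for the same host, that "eq echo" under tcp is TCP port 7 rather than ICMP echo, and that 169.69.100.33 (the Wiki server from the list above) has no entry and falls to the implicit deny.

```python
"""First-match evaluation of ACEs from the posted ITRISK access-list (added example)."""
import ipaddress

# Constructed subset of the posted list, in the posted relative order: the deny for
# .28 precedes both the 10.128.142.0/24 permit and the 'tcp ... eq echo' permit.
ITRISK = """
access-list ITRISK extended permit tcp any host 169.69.100.28 eq 3389 log
access-list ITRISK extended permit ip any host 169.69.100.49 log
access-list ITRISK extended deny ip any host 169.69.100.28 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 any log
access-list ITRISK extended permit udp any any eq bootps log
access-list ITRISK extended permit ip any host 169.69.100.27 log
access-list ITRISK extended permit tcp any host 169.69.100.28 eq echo log
"""

# Named ports as the FWSM resolves them; 'echo' under tcp is TCP/7, not ICMP echo.
PORTS = {"ssh": 22, "ftp": 21, "echo": 7, "bootpc": 68, "bootps": 67}

def _net(tokens):
    """Consume one address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT] [log]' lines."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, rest = t[3], t[4], t[5:]
        src, rest = _net(rest)
        dst, rest = _net(rest)
        port = None
        if rest and rest[0] == "eq":
            port = PORTS.get(rest[1]) or int(rest[1])
        aces.append((action, proto, src, dst, port))
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    """Return (ace_number, action) of the first match; (0, 'deny') is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, p, sn, dn, port) in enumerate(aces, 1):
        if p != "ip" and p != proto:  # an 'ip' ACE matches every protocol
            continue
        if s in sn and d in dn and (port is None or port == dport):
            return n, action
    return 0, "deny"
```

Calling `evaluate(parse_acl(ITRISK), "tcp", "169.69.100.100", "169.69.100.28", 7)` returns `(3, "deny")`, so the echo permit at entry 7 never gets a hit, and a flow to 169.69.100.33 returns `(0, "deny")`.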