Setting up a NAM with a FWSM

srowles
Level 1

Hi

I am currently setting up a CAT6509 using native IOS which has a FWSM, IDS and NAM. The FWSM is configured with various VLANs assigned (firewalling between VLANs being performed). We have one SVI configured on the MSFC for communication with the "outside" interface of the FWSM.

I am now setting up the NAM and I'm a bit unsure of which VLAN to place the NAM management interface in. I initially configured the interface to be in a VLAN which is assigned to the FWSM. I am currently allowing all communications through the firewall interfaces for testing purposes.

With this configuration I can ping the NAM from any VLAN and can connect using a browser. When I try the SNMP connectivity check, however, the NAM is trying to connect to an address that was configured on VLAN 1 previously (VLAN 1 is now not being used). I have now read that "The NAM automatically synchronizes its VLAN assignment to the same VLAN in which the switch (interface sc0) resides."

I am therefore now wondering if I actually need to have the NAM configured in the only VLAN which exists on the MSFC, which is the VLAN used to communicate between the MSFC and the "outside" interface of the FWSM.

Confused ?? I am. Any comments would be appreciated. I have to tackle the IDSM too which I am thinking may result in the same type of questions !!!

2 Replies

b.hsu
Level 5

You can set SPAN on VLANs in a switch environment and use a sniffer to capture the packets and do the analysis. The FWSM lacks a capture command (which is very useful), but you can still enable syslog messages as informational; if traffic is denied by an ACL, you will see it in the syslog message with source/destination IP/ports. You can tune your ACL based on that. You might not see many deny messages, since only the first packet of the connection will go to the central processor.
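
An added example (not part of the reply above and not Cisco tooling): one way to turn the ACL-deny syslog messages mentioned in that reply into a per-flow summary for ACL tuning. It assumes the `%FWSM-4-106023` deny message layout encoded in the regex; the log lines and VLAN/ACL names are constructed samples.

```python
import re
from collections import Counter

# Assumed layout of syslog message 106023 (packet denied by an ACL).
# Check it against the output of your own module before relying on it.
DENY_RE = re.compile(
    r'%FWSM-\d-106023: Deny (?P<proto>\S+) '
    r'src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?'
    r'.*? by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = """\
Mar 03 10:15:01 10.0.0.2 %FWSM-4-106023: Deny udp src vlan20:192.168.20.15/49152 dst vlan30:192.168.30.5/161 by access-group "vlan20_in"
Mar 03 10:15:06 10.0.0.2 %FWSM-4-106023: Deny udp src vlan20:192.168.20.15/49153 dst vlan30:192.168.30.5/161 by access-group "vlan20_in"
Mar 03 10:15:09 10.0.0.2 %FWSM-4-106023: Deny tcp src vlan20:192.168.20.15/50211 dst vlan30:192.168.30.5/443 by access-group "vlan20_in"
Mar 03 10:15:12 10.0.0.2 %FWSM-4-106023: Deny icmp src vlan30:192.168.30.5 dst vlan20:192.168.20.1 (type 8, code 0) by access-group "vlan30_in"
Mar 03 10:15:15 10.0.0.2 %FWSM-6-302013: Built outbound TCP connection 1001 for vlan30:192.168.30.5/80 to vlan20:192.168.20.15/50300
"""

def parse_denies(text):
    """Yield one dict per ACL-deny line; all other lines are skipped."""
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield m.groupdict()

def summarize(text):
    """Count denies per (acl, proto, src_ip, dst_ip, dst_port).

    The source port is left out of the key: it is ephemeral and would
    split one blocked flow into many rows."""
    counts = Counter()
    for d in parse_denies(text):
        key = (d["acl"], d["proto"], d["src_ip"], d["dst_ip"], d["dst_port"])
        counts[key] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (acl, proto, src, dst, port), n in summarize(SAMPLE_LOG):
        print(f"{n:3d}  {acl:10s} {proto:4s} {src} -> {dst}:{port or '-'}")
```

Each row names the ACL that dropped the traffic, so a repeated deny for a flow that should be allowed (such as the SNMP check in the question) points at the access list to adjust.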

Hi

Thanks for the reply. I think I have it sorted now.
