Configuring FWSM - Many internal vlans on one FWSM inferface

raymond1234
Level 1

Hi,

We are replacing the PIX 520 with an FWSM module. I would like to put all the VLANs in my internal network, one outside and two DMZ networks. I am doing single context mode.

First step is to group the vlans in the switch to the firewall module.

But in the FWSM nameif command I am not able to give a group of VLANs. Any advice on how to configure this is really appreciated.

Thanks

raymond

3 Replies

raymond1234
Level 1

All the internal VLANs in - Internal interface (Inside)

DMZ interface (DMZ1)

DMZ interface (DMZ2)

Outside interface

I am not able to assign more than one VLAN to the inside interface. How do I add more than one VLAN to the same interface?

please let me know

Thanks

You have to configure this on your Catalyst switch.

Assume that your FWSM is installed in slot 9 of the Catalyst switch.

1. Create VLANs 10-12 on your switch.

2. Assign the VLANs to the FWSM (Catalyst supervisor configuration):

   firewall module 9 vlan-group 1
   firewall vlan-group 1 10-12

   This configuration assigns VLANs 10-12 to the FWSM.

3. After that you have to assign the VLANs to a firewall context (FWSM system execution space):

   admin-context admin
   context admin
     config-url disk:/admin.cfg
   !
   context inside-server
     allocate-interface vlan10-vlan12
     config-url disk:/inside_server.cfg

4. After that you changeto context inside-server, and you can nameif your VLANs as DMZs as you need:

   ! Contexts need FWSM 2.2 or later, where the interface is named
   ! under "interface vlan" instead of with the old one-line nameif form.
   interface vlan 10
     nameif outside
     security-level 0
   interface vlan 11
     nameif DMZ1
     security-level 100
   interface vlan 12
     nameif DMZ2
     security-level 90

Good luck.

The rule of thumb is as follows:

- Each VLAN gets its own interface

In your specific case, you would have the following options:

a) Put all your internal VLANs on the supervisor/MSFC and just make a link VLAN into the FWSM

b) Put all your internal VLANs on the FWSM on different interfaces

With option b) you have two more options:

b1) Let each interface have its own security level and configure your statics and NATs accordingly

b2) Let each internal interface share the same security level and use the "same-security-traffic permit inter-interface" command to let them talk to each other without needing statics and NATs between them.

You'll need the statics and NATs for communication to/from the internet/DMZs unless you put those at the same security level too (which you shouldn't do for the internet interface, at least).

Did it help?
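Putting together the Catalyst/FWSM steps from the second reply and option b2 from the last reply, here is an added single context example for the original question. It is not from the thread or from Cisco documentation; slot 9, the VLAN IDs and every IP address are assumptions chosen for illustration, and the FWSM 2.2+ "interface vlan" syntax is used.

```cisco
! ---- Catalyst 6500 supervisor (IOS) ----
! Assumed layout: FWSM in slot 9; VLANs 10-11 inside, 20-21 DMZ, 100 outside.
vlan 10
 name inside-users
vlan 11
 name inside-servers
vlan 20
 name dmz1
vlan 21
 name dmz2
vlan 100
 name outside
!
! Hand all five VLANs to the FWSM as one vlan-group; the MSFC does not route them,
! so the FWSM is the only path between the segments.
firewall module 9 vlan-group 1
firewall vlan-group 1 10,11,20,21,100

! ---- FWSM, single context mode ----
! One FWSM interface per VLAN (assumed RFC 1918 / documentation addresses).
interface Vlan10
 nameif inside-users
 security-level 100
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan11
 nameif inside-servers
 security-level 100
 ip address 10.1.11.1 255.255.255.0
!
interface Vlan20
 nameif dmz1
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan21
 nameif dmz2
 security-level 40
 ip address 192.168.21.1 255.255.255.0
!
interface Vlan100
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Option b2: both inside VLANs sit at security-level 100 and may talk to each
! other without static/nat entries between them.
same-security-traffic permit inter-interface
!
! Inside -> outside: dynamic PAT to an assumed public address.
nat (inside-users) 1 10.1.10.0 255.255.255.0
nat (inside-servers) 1 10.1.11.0 255.255.255.0
global (outside) 1 203.0.113.10
!
! Inside -> DMZ: identity statics so the DMZ hosts see the real inside addresses.
static (inside-users,dmz1) 10.1.10.0 10.1.10.0 netmask 255.255.255.0
static (inside-users,dmz2) 10.1.10.0 10.1.10.0 netmask 255.255.255.0
static (inside-servers,dmz1) 10.1.11.0 10.1.11.0 netmask 255.255.255.0
static (inside-servers,dmz2) 10.1.11.0 10.1.11.0 netmask 255.255.255.0
!
! Outside -> DMZ1 web server: static to an assumed public address, ACL permits only HTTP.
static (dmz1,outside) 203.0.113.20 192.168.20.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.20 eq www
access-group outside_in in interface outside
!
! Unlike the PIX, the FWSM does not pass higher-to-lower security traffic by
! default, so each inside interface needs its own inbound ACL.
access-list users_out extended permit ip 10.1.10.0 255.255.255.0 any
access-group users_out in interface inside-users
access-list servers_out extended permit ip 10.1.11.0 255.255.255.0 any
access-group servers_out in interface inside-servers
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

Two things to check before copying this pattern: with `same-security-traffic permit inter-interface` the two inside VLANs are no longer separated by the firewall, so if isolating them from each other was part of the reason to terminate them on the FWSM, option b1 with distinct security levels and explicit statics is the right choice. And because no ACL is applied to dmz1 or dmz2, hosts in the DMZs cannot initiate anything toward the inside or the outside; the web server only answers the sessions permitted by `outside_in`. If a DMZ host must originate traffic, give that interface its own narrowly scoped ACL rather than a blanket permit.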