Re: FWSM and DMZ access with switch port

robert.l.mcwhorter · ‎07-24-2006

Have a FWSM in a cat 6503, had it configured for transparent. ine interface port for in and one for out, one ip address.

Now we want to provide a DMZ with a physical port access to dmz. Have three vlans defined on Switch 30, 40 and 50, all are defined as interfaces on Catalyst.

on fwsm have three device names defined as interfaces with outside, inside and dmz as names.

vlan30 fa3/1 (inside, 10.200.252.3)

vlan40 fa3/2 (outside, 10,200,251.1)

vlan fa3/3 (dmz, 10.200.253.3)

IN PDM i can see all interfaces, and am trying to set up rules,

nameif vlan30 inside security0

nameif vlan40 outside security100

nameif vlan50 dmz security50

I have pc systems connected to the inside and outside ports. Can ping from pc to interface and vice versa, cannot ping across vlans.

Have roles setup to allow icm from in to dmz and from dmz to out and vice versa.

Can not see traffic, syslog, or errors, get host unreachable.

one vlan is active, vlan40, the other two are shutdown. When trying to bring up, get following message

"Forcing SVI 30 to stay shutdown (SVI 40 tied to card in slot 2)"

slot #2 has the fwsm, slot 3, is the switch ports.

Fernando_Meza · ‎07-24-2006

Hi ..

by default you can only have one SVI between the MSFC and the FWSM.. make sure the vlan 40 is the only one having a corresponded SVI interface on the switch. Remove the other ones you have a conflict here. From the switch make sure you assing the vlans 30.40 and 50 to the FWSM ( firewall vlan-group ) and from the FWSM configure the vlan interface's IP and policy as needed.

I hope it helps .. please rate it if it does !!