845 Views, 0 Helpful, 15 Replies

FWSM Implementation..

mustafa.mail
Level 1

Hi,

Presently I have a 6513 with MSFC running an IOS image. I configured 25 L3 VLANs on the Cat 6513. All the VLANs are using the VLAN IP address as a default gateway. Now I want to install an FWSM on this switch; I want to use 1 VLAN for outside, 2 DMZ VLANs and the other VLANs as internal VLANs. How can I configure this setup? Please help me configure this FWSM.

Thanks,

Banno

15 Replies

sachinraja
Level 9

Hi Banno,

Please refer to the FWSM config guide and see your requirements.

http://www.cisco.com/en/US/products/hw/switches/ps708/products_module_configuration_guide_chapter09186a00802010cd.html

Hope this helps you.

tholmes
Level 1

Hi Banno,

You need to create VLANs for the Outside and the 2 DMZs (on the switch use the command VLAN ABC)

Then create an SVI for the inside (VLAN XYZ) on the switch and (INTERFACE VLAN XYZ) on the MSFC.

Then you assign ports on the switch to the VLANs

Then put the VLANs into a VLAN-GROUP and add them to the FWSM - see the documentation for this, it's just 2 lines of config.

On the MSFC VLAN XYZ give it an ip address, this is the 'next hop' ip address from the FWSM to get to the 25 L3 VLANs you've created.

On the FWSM give each VLAN a name, security level and IP address.

For the INSIDE VLAN give it an IP address on the same subnet as the MSFC INTERFACE VLAN XYZ created earlier.

On the MSFC add a route to get to the Internet or DMZs via the FWSM Inside IP address for those 25 L3 VLANs

On the FWSM add a route inside to get to all 25 L3 VLANs.

Also add a route to the Internet via the outside next hop IP address.

Hope this makes sense

Regards Tony

I wonder if someone can help here. I have an FWSM in my 6509 switch; what I need to do is relay or forward BootP requests from Micros machines on the inside interface, and so far it's not working.

Tried adding a helper address with the BootP server.

I'll try and make things clearer: this switch has around 60 VLANs, and on these VLANs there will be Micros machines. These devices need a BootP server to get an IP address and the configuration file which it boots with.

Any help appreciated,

I'm not sure how you've got the FWSM configured; are the VLANs actually on the FW as interfaces?

If so, you need to specifically allow BootP out through the inside interfaces, as the traffic from the inside is NOT automatically allowed (as it is in a traditional PIX firewall).

I'd write ACLs for DHCP server access.

Hope this helps

Regards Tony

Hi Tony,

If the switch is loaded with native IOS, are there any major difference(s) in terms of configuration compared to hybrid?

Below is my translation of your instruction - correct me if I am wrong...

* router = switch CLI screen (running on native IOS)

> You need to create VLANs for the Outside and the 2 DMZs (on the switch use the command VLAN ABC)

router#conf t
router(config)#vlan 11
router(config)#vlan 12
router(config)#vlan 13

*FWSM will give this msg "Warning: VLAN *108* is not configured." if you create VLANs using the above command.

You need to go through the "vlan database" command to create it; then the FWSM will not give any warning msg.

> Then create an SVI for the inside (VLAN XYZ) on the switch and (INTERFACE VLAN XYZ) on the MSFC router

Question: is this for switch running hybrid IOS?

> Then you assign ports on the switch to the VLANs

router#conf t
router(config)#int gig9/1
router(config)#description - port to Test_PC 10.32.1.100
router(config)#switchport access vlan 11
router(config)#speed auto
router(config)#no shut
router(config)#end

> Then put the VLANs into a VLAN-GROUP and add them to the FWSM - see the documentation for this, it's just 2 lines of config.

1. router#conf t
2. router(config)#firewall vlan-group 1 11-13
3. router(config)#firewall module 12 vlan 1
4. router(config)#end

*command line #2 - you'll get an error msg if you do not specify/enable "firewall multiple-vlan-interfaces". Either you enable the command or specify only 1 VLAN instead of 3 (11-13).

Found svi for vlan 11
Found svi for vlan 12
Found svi for vlan 13
Found 3 SVIs on module 12.
No more than one svi is allowed. command rejected.

> On the MSFC VLAN XYZ give it an ip address, this is the 'next hop' ip address from the FWSM to get to the 25 L3 VLANs you've created.

router#conf t
router(config)#int vlan 11
router(config)#description - vlan XYZ (inside)
router(config)#ip add 10.32.47.1 255.255.255.0
router(config)#no shut
router(config)#end

> On the FWSM give each VLAN a name, security level and IP address.

nameif vlan11 inside sec100
nameif vlan12 dmz sec50
nameif vlan65 outside sec0

> For the INSIDE VLAN give it an IP address on the same subnet as the MSFC INTERFACE VLAN XYZ created earlier.

ip address inside 10.32.47.2 255.255.255.0
ip address dmz 10.32.50.1 255.255.255.0
ip address outside 10.32.55.1 255.255.255.0

> On the MSFC add a route to get to the Internet or DMZs via the FWSM Inside IP address for those 25 L3 VLANs

ip route 0.0.0.0 0.0.0.0 10.32.47.2

> On the FWSM add a route inside to get to all 25 L3 VLANs.

route inside 0 0 10.32.47.1

> Also add a route to the Internet via the outside next hop IP address.

route outside 0 0 10.32.55.2

Question:

1. Is your config guideline for the "MSFC-Outside" or the "MSFC-Inside" design?

Thanks

Amrih

Hi there,

I don't think you should use the 'firewall multiple-vlan-interfaces' command; this may cause the FW to be bypassed.

It might be asking you this if you have configured more than 1 VLAN interface with an IP address.

The key point here is that you can only have 1 interface VLAN on the FWSM, the other VLANs do not appear on the MSFC at all.

I was using MSFC-inside; I was also using Native IOS, by the way.

Check the command 'firewall module 12 vlan-GROUP 1'

Also using the VLAN database is fine.

Hope this helps

Cheers Tony

Hi Tony,

Yes, the 'firewall multiple-vlan-interfaces' command is not applicable here.

My design is more like a server farm (SF) environment where I have multiple VLANs to host my resources. But only a few will sit behind the FWSM. The setup is more towards the "MSFC-Outside".

I have a few other SVIs with IP on the MSFC, but only one will participate in MSFC-FWSM setup. The other SVIs are not relevant.

The selected SVI serves as the OUTSIDE VLAN, while a few other VLANs (non-SVI) serve as the INSIDE/DMZs.

Route to OUTSIDE/Internet is via the next hop IP which is the OUTSIDE VLAN on MSFC. The static route to OUTSIDE/other segments is working fine.

Questions:

1. How many VLANs do you tie to the firewall vlan-group? I believe it should be "firewall vlan-group 1 11".

2. Do you get the "Warning: VLAN *XXX* is not configured" message on the FWSM for other VLANs that are not declared under the firewall vlan-group, e.g. "firewall vlan-group 1 11", but all 3 VLANs (11, 12, 13) configured in the FWSM?

3. > Check the command 'firewall module 12 vlan-GROUP 1' - please explain?

Thanks

Amrih

Hello Amrih,

1. You need to only tie the VLANs that the FWSM will have as interfaces in its configuration.

In your case that should be firewall vlan-group 1 11,12,13

2. I would not expect to get that warning if VLAN 108 is not in vlan-group 1.

3. I only meant to say use the command 'firewall module 12 vlan-group 1' instead of 'firewall module 12 vlan 1'.

Cheers Tony

Hi Tony,

1. If that's the case, I assume the error msg produced by the FWSM was OK. If you run "show vlan" in the FWSM, you'll only see 1 VLAN available.

2. VLAN 108 was just an example. If you use "firewall vlan-group 1 11-13" without having the "firewall multiple-vlan-interfaces" command enabled, the MSFC will reject your attempt. It only allows you to include 1 VLAN, e.g. "firewall vlan-group 1 11".

"show firewall module 12 state" will show you the trunked VLAN between the MSFC and the FWSM, in this case VLAN 11.

3. The command "firewall module 12 vlan 1" is similar to "firewall module 12 vlan-group 1". It's just a shortcut.

Thanks

Amrih

Hi Amrih,

2. If I were you I'd start again, as you should be able to assign a group of VLANs (11-13) using the 'firewall module 12 vlan 1' command without it being rejected because of the 'multiple vlan interfaces' issue.

Cheers Tony

Hi Tony,

I think it should be working fine now. Thanks.

regards

Amrih

That's good to hear; what did you do to make it work?

Cheers Tony

Hi Tony,

I started all over again. My test scenario is as follows (MSFC-OUTSIDE):

On MSFC:

1. I put everything back to zero config - MSFC & FWSM.

2. Re-create all 3 VLANs (vlan 11, 12 & 13).

3. Issue the command "firewall vlan-group 1 11-13". When the error msg popped up asking for only one SVI, I removed the command and re-entered it again. This time no more error msg popped up.

4. Issue the command "firewall module 12 vlan-group 1"

5. Configure VLAN 11 as the SVI@OUTSIDE VLAN - with IP x.x.x.1 / 24

On FWSM:

a. Create interfaces:

nameif vlan11 outside security0
nameif vlan12 inside security100
nameif vlan13 dmz1 security50

b. Assign IP

ip address outside x.x.x.2 255.255.255.0
ip address inside y.y.y.1 255.255.255.0
ip address dmz1 z.z.z.1 255.255.255.0

c. Configure NAT for inside - allow all

nat (inside) 1 y.y.y.0 255.255.255.0

d. Configure Global - use PAT

global (outside) 1 x.x.x.10

e. Configure ACL (allow all for Inside & Outside), bind to relevant interfaces.

f. Allow ICMP to all 3 interfaces - test reachability

g. Configure routing to outside/Internet

route outside 0.0.0.0 0.0.0.0 x.x.x.1

h. Do a ping test & access any websites

I plan to further test the FWSM in other scenarios as well, e.g. FWSM participating in OSPF, integration with CSM, etc.

Thanks

Amrih
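The three things that bit Amrih while following Tony's steps (more than one MSFC SVI among the VLANs handed to the module, an FWSM interface on a VLAN that is not in the vlan-group, and the shared VLAN's addresses not lining up) are all checkable from the two configs before anything is committed. The following Python checker is an added example, not code from this thread or from any Cisco tool; the sample MSFC and FWSM text, the VLAN numbers and the addresses in it are constructed, and the finding codes are my own naming.

```python
"""Consistency checks for an MSFC <-> FWSM VLAN hand-off (added example).

Parses the switch-side 'firewall vlan-group' and 'interface VlanN' lines and
the FWSM-side PIX-6.x style 'nameif' / 'ip address' lines, then reports:
  multiple-svi        more than one MSFC SVI on VLANs given to the module
                      (the "No more than one svi is allowed" rejection)
  vlan-not-in-group   an FWSM nameif on a VLAN the module was never given
                      (the "Warning: VLAN X is not configured" message)
  subnet-mismatch     FWSM address on the shared VLAN outside the SVI subnet
"""
import ipaddress
import re

# Constructed sample configs (assumed values, not from the thread).
MSFC_CONFIG = """\
firewall vlan-group 1 11-13
firewall module 12 vlan-group 1
interface Vlan11
 description hand-off to FWSM outside
 ip address 10.32.47.1 255.255.255.0
interface Vlan12
 ip address 10.32.50.1 255.255.255.0
interface Vlan200
 ip address 10.32.200.1 255.255.255.0
"""

FWSM_CONFIG = """\
nameif vlan11 outside security0
nameif vlan12 inside security100
nameif vlan13 dmz1 security50
nameif vlan65 dmz2 security40
ip address outside 10.32.47.2 255.255.255.0
ip address inside 10.32.55.1 255.255.255.0
ip address dmz1 10.32.60.1 255.255.255.0
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '11-13,20' into a set of ints."""
    out = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            out.update(range(int(lo), int(hi) + 1))
        elif part:
            out.add(int(part))
    return out


def parse_msfc(text):
    """Return ({group: set(vlans)}, {vlan: ip_interface or None}) from IOS config."""
    groups, svis, current = {}, {}, None
    for line in text.splitlines():
        m = re.match(r"firewall vlan-group (\d+) (\S+)", line)
        if m:
            groups.setdefault(int(m.group(1)), set()).update(expand_vlan_list(m.group(2)))
            continue
        m = re.match(r"interface Vlan(\d+)", line)
        if m:
            current = int(m.group(1))
            svis.setdefault(current, None)   # an SVI exists even without an address
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and current is not None:
            svis[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return groups, svis


def parse_fwsm(text):
    """Return ({ifname: vlan}, {ifname: ip_interface}) from FWSM config."""
    names, addrs = {}, {}
    for line in text.splitlines():
        m = re.match(r"nameif vlan(\d+) (\S+) security(\d+)", line)
        if m:
            names[m.group(2)] = int(m.group(1))
            continue
        m = re.match(r"ip address (\S+) (\S+) (\S+)", line)
        if m:
            addrs[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
    return names, addrs


def check_handoff(msfc_text, fwsm_text):
    """Return a list of (code, message) findings; empty means consistent."""
    groups, svis = parse_msfc(msfc_text)
    names, addrs = parse_fwsm(fwsm_text)
    fw_vlans = set().union(*groups.values()) if groups else set()
    findings = []
    # Only one of the VLANs handed to the module may carry an MSFC SVI.
    svi_on_fw = sorted(v for v in svis if v in fw_vlans)
    if len(svi_on_fw) > 1:
        findings.append(("multiple-svi", f"SVIs on firewall VLANs {svi_on_fw}; only one allowed"))
    # Every FWSM interface must sit on a VLAN that is in a firewall vlan-group.
    for ifname, vlan in names.items():
        if vlan not in fw_vlans:
            findings.append(("vlan-not-in-group", f"{ifname} uses vlan{vlan}, not in any vlan-group"))
    # On the shared VLAN the FWSM and the MSFC SVI must share a subnet.
    for ifname, vlan in names.items():
        svi = svis.get(vlan)
        if svi is not None and ifname in addrs and addrs[ifname].network != svi.network:
            findings.append(("subnet-mismatch", f"{ifname} {addrs[ifname]} vs SVI {svi} on vlan{vlan}"))
    return findings


if __name__ == "__main__":
    for code, msg in check_handoff(MSFC_CONFIG, FWSM_CONFIG):
        print(f"{code}: {msg}")
```

Run against the constructed sample it reports all three problems; remove the SVI on Vlan12 and the vlan65 nameif and the report is empty, which is the shape Amrih's final working scenario has (one SVI on the outside VLAN, every FWSM interface inside the 11-13 group).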

Excellent! top banana!

Cheers Tony
