Presently I have a 6513 with MSFC running an IOS image. I configured 25 L3 VLANs on the Cat 6513. All the VLANs use the VLAN IP address as the default gateway. Now I want to install an FWSM on this switch; I want to use 1 VLAN for outside, 2 DMZ VLANs and the other VLANs as internal VLANs. How can I configure this setup? Please help me to configure this FWSM.
Please refer to the FWSM config guide and see your requirements.
Hope this helps you.
You need to create VLANs for the Outside and the 2 DMZs (on the switch use the command VLAN ABC)
Then create an SVI for the inside (VLAN XYZ) on the switch and (INTERFACE VLAN XYZ) on the MSFC.
Then you assign ports on the switch to the VLANs
Then put the VLANs into a VLAN-GROUP and add them to the FWSM - see the documentation for this, it's just 2 lines of config.
On the MSFC VLAN XYZ give it an ip address, this is the 'next hop' ip address from the FWSM to get to the 25 L3 VLANs you've created.
On the FWSM give each VLAN a name, security level and IP address.
For the INSIDE VLAN give it an IP address on the same subnet as the MSFC INTERFACE VLAN XYZ created earlier.
On the MSFC add a route to get to the Internet or DMZs via the FWSM Inside IP address for those 25 L3 VLANs
On the FWSM add a route inside to get to all 25 L3 VLANs.
Also add a route to the Internet via the outside next hop IP address.
Hope this makes sense
I wonder if someone can help here. I have an FWSM in my 6509 switch; what I need to do is relay or forward BootP requests from Micros machines on the inside interface, and so far it's not working.
Tried adding a helper address with the BootP server.
I'll try and make things clearer: this switch has around 60 VLANs, and on these VLANs there will be Micros machines. These devices need a BootP server to get an IP address and the configuration file which it boots with.
Any help appreciated,
I'm not sure how you've got the FWSM configured, are the VLANs actually on the FW as interfaces?
If so, you need to specifically allow bootp out through the inside interfaces as the traffic from the inside is NOT automatically allowed (as in a traditional PIX Firewall)
I'd write ACLs for DHCP server access.
Hope this helps
If the switch is loaded with native IOS, are there any major difference(s) in terms of configuration compared to hybrid?
Below is my translation of your instructions - correct me if I am wrong...
* router = switch CLI screen (running on native IOS)
> You need to create VLANs for the Outside and the 2 DMZs (on the switch use the command VLAN ABC)
*FWSM will give this msg "Warning: VLAN *108* is not configured." if you create vlans using the above command.
You need to go through the "vlan database" command to create it; then the FWSM will not give any warning msg.
> Then create an SVI for the inside (VLAN XYZ) on the switch and (INTERFACE VLAN XYZ) on the MSFC router
Question: is this for switch running hybrid IOS?
> Then you assign ports on the switch to the VLANs
router(config-if)#description - port to Test_PC 10.32.1.100
router(config-if)#switchport access vlan 11
> Then put the VLANs into a VLAN-GROUP and add them to the FWSM - see documentation for this, it's just 2 lines of config.
1. router#conf t
2. router(config)#firewall vlan-group 1 11-13
3. router(config)#firewall module 12 vlan 1
*command line #2 - you'll get an error msg if you do not specify/enable "firewall multiple-vlan-interfaces". Either you enable the command or specify only 1 VLAN instead of 3 (11-13).
Found svi for vlan 11
Found svi for vlan 12
Found svi for vlan 13
Found 3 SVIs on module 12.
No more than one svi is allowed. command rejected.
>On the MSFC VLAN XYZ give it an ip address, this is the 'next hop' ip address from the FWSM to get to the 25 L3 VLANs you've created.
router(config)#int vlan 11
router(config-if)#description - vlan XYZ (inside)
router(config-if)#ip add 10.32.47.1 255.255.255.0
> On the FWSM give each VLAN a name, security level and IP address.
nameif vlan11 inside security100
nameif vlan12 dmz security50
nameif vlan65 outside security0
> For the INSIDE VLAN give it an IP address on the same subnet as the MSFC INTERFACE VLAN XYZ created earlier.
ip address inside 10.32.47.2 255.255.255.0
ip address dmz 10.32.50.1 255.255.255.0
ip address outside 10.32.55.1 255.255.255.0
> On the MSFC add a route to get to the Internet or DMZs via the FWSM Inside IP address for those 25 L3 VLANs
ip route 0.0.0.0 0.0.0.0 10.32.47.2
> On the FWSM add a route inside to get to all 25 L3 VLANs.
route inside 0 0 10.32.47.1
> Also add a route to the Internet via the outside next hop IP address.
route outside 0 0 10.32.55.2
1. Is your config guideline for the "MSFC-Outside" or the "MSFC-Inside" design?
I don't think you should use the 'firewall multiple-vlan-interfaces' command; this may cause the FW to be bypassed.
It might be asking you for this if you have configured more than 1 VLAN interface with an IP address.
The key point here is that you can only have 1 interface VLAN on the FWSM, the other VLANs do not appear on the MSFC at all.
I was using MSFC-inside. I was also using native IOS, by the way.
Check the command 'firewall module 12 vlan-GROUP 1'
Also using the VLAN database is fine.
Hope this helps
Yes, the 'firewall multiple-vlan-interfaces' command is not applicable here.
My design is more like a server farm (SF) environment where I have multiple VLANs to host my resources, but only a few will sit behind the FWSM. The setup is more towards the "MSFC-Outside".
I have a few other SVIs with IP on the MSFC, but only one will participate in MSFC-FWSM setup. The other SVIs are not relevant.
The selected SVI serves as the OUTSIDE VLAN, while a few other VLANs (non-SVI) serve as the INSIDE/DMZs.
Route to OUTSIDE/Internet is via the next hop IP which is the OUTSIDE VLAN on MSFC. The static route to OUTSIDE/other segments is working fine.
1. How many VLANs do you tie to the firewall VLAN group? I believe it should be "firewall vlan-group 1 11".
2. Do you get the "Warning: VLAN *XXX* is not configured" message on the FWSM for other VLANs that are not declared under the firewall vlan-group, e.g. "firewall vlan-group 1 11", but all 3 VLANs (11, 12, 13) configured in the FWSM?
3. > Check the command 'firewall module 12 vlan-GROUP 1' - please explain?
1. You need to only tie the VLANs that the FWSM will have as interfaces in its configuration.
In your case that should be firewall vlan-group 1 11,12,13
2. I would not expect to get that warning if VLAN 108 is not in vlan-group 1.
3. I only meant to say use the command 'firewall module 12 vlan-group 1' instead of 'firewall module 12 vlan 1'.
1. If that's the case, I assume the error msg produced by the FWSM was OK. If you run "show vlan" on the FWSM, you'll only see 1 VLAN available.
2. VLAN 108 was just an example. If you use "firewall vlan-group 1 11-13" without having the "firewall multiple-vlan-interfaces" command enabled, the MSFC will reject your attempt. It only allows you to include 1 VLAN, e.g. "firewall vlan-group 1 11".
"show firewall module 12 state" will show you the trunked VLAN between the MSFC and the FWSM; in this case it is VLAN 11.
3. The command "firewall module 12 vlan 1" is similar to "firewall module 12 vlan-group 1". It's just a shortcut.
2. If I were you I'd start again, as you should be able to assign a group of VLANs (11-13) using the 'firewall module 12 vlan 1' command without it being rejected because of the 'multiple vlan interfaces' issue.
Started all over again. My test scenario is as follows (MSFC-OUTSIDE):
1. I put everything back to zero config - MSFC & FWSM.
2. Re-create all 3 VLANs (vlan 11, 12 & 13).
3. Issue the command "firewall vlan-group 1 11-13". When the error msg popped up asking for only one SVI, I removed the command and re-entered it again. This time no more error msg popped up.
4. Issue command "firewall module 12 vlan-group 1"
5. Configure VLAN 11 as SVI@OUTSIDE VLAN - with IP x.x.x.1 / 24
a. Create interfaces:
nameif vlan11 outside security0
nameif vlan12 inside security100
nameif vlan13 dmz1 security50
b. Assign IP
ip address outside x.x.x.2 255.255.255.0
ip address inside y.y.y.1 255.255.255.0
ip address dmz1 z.z.z.1 255.255.255.0
c. Configure NAT for inside - allow all
nat (inside) 1 y.y.y.0 255.255.255.0
d. Configure Global - use PAT
global (outside) 1 x.x.x.10
e. Configure ACL (allow all for Inside & Outside), bind to relevant interfaces.
f. Allow ICMP to all 3 interfaces - test reachability
g. Configure routing to outside/Internet
route outside 0.0.0.0 0.0.0.0 x.x.x.1
h. Do a ping test & access any websites
I plan to further test the FWSM in other scenarios as well, e.g. FWSM participating in OSPF, integrating with CSM, etc.
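As an added example (my own code, not from this thread or from Cisco), a small Python audit of a native IOS config that reports, per firewall vlan-group, which member VLANs also carry an MSFC SVI with an IP address. It is the check behind the "No more than one svi is allowed" rejection seen earlier and the warning that several SVIs in the group let the MSFC route around the FWSM; it also confirms the single-SVI shape of the MSFC-outside test scenario. The sample config is constructed.

```python
import re

# Constructed sample (not from the thread): a native IOS config where all three
# firewall-group VLANs (11-13) carry an SVI with an IP address.
BAD_CONFIG = """\
firewall vlan-group 1 11-13
firewall module 12 vlan-group 1
interface Vlan11
 ip address 10.32.47.1 255.255.255.0
interface Vlan12
 ip address 10.32.50.254 255.255.255.0
interface Vlan13
 ip address 10.32.55.254 255.255.255.0
"""

def parse_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '11-13', '11,12,13' or '11,20-22'."""
    vlans: set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part.strip():
            vlans.add(int(part))
    return vlans

def firewall_group_vlans(config: str) -> dict[int, set[int]]:
    """Map each 'firewall vlan-group N <list>' line to the VLANs it contains."""
    groups: dict[int, set[int]] = {}
    for m in re.finditer(r"^firewall vlan-group (\d+) (\S+)", config, re.M):
        groups.setdefault(int(m.group(1)), set()).update(parse_vlan_list(m.group(2)))
    return groups

def svi_vlans(config: str) -> set[int]:
    """VLAN ids whose 'interface VlanN' block is an L3 SVI (has an ip address)."""
    found: set[int] = set()
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface Vlan(\d+)", line, re.I)
        if m:
            current = int(m.group(1))
        elif line.startswith("interface "):   # any other interface ends the block
            current = None
        elif current is not None and re.match(r"^\s+ip address \d", line):
            found.add(current)
    return found

def audit(config: str) -> dict[int, list[int]]:
    """Per firewall vlan-group, the member VLANs that also have an MSFC SVI.
    More than one means the MSFC could route between them and bypass the FWSM."""
    svis = svi_vlans(config)
    return {g: sorted(v & svis) for g, v in firewall_group_vlans(config).items()}
```

Removing the Vlan12 and Vlan13 SVI blocks from the sample leaves only VLAN 11 in the result, which is the MSFC-outside layout from the test scenario.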