07-21-2010 02:36 PM - edited 03-04-2019 09:08 AM
My original question was answered: remove certain VLANs from the 6500 and add them to a new 3750 switch. The traffic from the 3750 would only access the 6509 network when needed. The inter-VLAN routing would be done by the 3750 instead of the 6500. I was able to get the setup working on a 3550 and 3750 switch test network. Now my problem is modifying the FWSM on the 6500 to route the traffic from the 3750. My original post was titled 'adding a 3750 to a 6500 network'. Not sure if I can post a link to it, but a search will find it.
I guess what I'm trying to figure out is how to configure the FWSM to route traffic from the different subnets on the 3750 switch. The 3750 and 6500 are connected like this:
on the 3750
int vlan 10
ip address 192.168.5.1 255.255.255.0
no shut
int vlan 11
ip address 192.168.6.1 255.255.255.0
int gi0/1 <-- this port connects to 6500
no switchport
ip address 192.168.7.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 192.168.7.1
on the 6500 (my test network this is a 3550)
int gi0/1 <-- this port connects to 3750
no switchport
ip address 192.168.7.1 255.255.255.252
ip route 192.168.5.0 255.255.255.0 192.168.7.2
ip route 192.168.6.0 255.255.255.0 192.168.7.2
On my test network I have a 3550 in place of the 6500, so I have no firewall. Now how would I handle the ip route command in the FWSM? Do I have to create an interface for the 192.168.7.0 subnet to handle the traffic from each of the subnets on the 3750? I noticed the FWSM has a route command, but you have to define an interface first. Also the Supervisor 720 module has VLANs defined on it, so do I define a new VLAN here and then create the interface on the FWSM? Basically, if I wanted to add my 3750 switch to my 6500 switch, how would I configure the firewall to get the traffic to route to the right VLAN on my 6500? Thanks in advance for any help I can get. If you have any links to documentation/examples that would be helpful too.
07-21-2010 04:57 PM
Mike
Do you want it to look like this -
6500 - MSFC -> FWSM -> 3750 - 4 vlans
so basically any traffic to or from the 3750 vlans has to go through the FWSM?
If so then where we created a L3 routed link using 192.168.7.0/30 before between the 3750 and the 6500 that was assuming this setup -
6500 - MSFC -> 3750 - 4 vlans
so to insert the FWSM, allocate a new vlan on the 6500, e.g. vlan 20. Assign this vlan to the FWSM. Create an interface on the FWSM in vlan 20 and assign it the 192.168.7.1 address we previously gave to the 6500.
On the 3750 you will need to change the port from a routed port to a switchport in vlan 20, i.e.
int gi0/1 <--- this was previously the routed port
switchport mode access
switchport access vlan 20
then also on the 3750
int vlan 20
ip address 192.168.7.2 255.255.255.252
also you will need to create vlan 20 on your 3750 switch ie.
vlan 20 name v20
By doing this you are effectively firewalling off the 4 vlans from the rest of your network. Note they are not firewalled from each other, because they can simply route between each other on the 3750, but to get anywhere else they have to go through your FWSM.
Edit - note also as you say the routes you added to the 6500 will need to be modified ie. on the 6500 switch itself -
ip route 192.168.5.0 255.255.255.0
ip route 192.168.6.0 255.255.255.0
the above assumes the outside interface of the FWSM is connected to the MSFC as in the above schematic.
Then on the FWSM itself
route inside 192.168.5.0 255.255.255.0 192.168.7.2
route inside 192.168.6.0 255.255.255.0 192.168.7.2
Note I have assumed the inside interface, but it can be any interface you care to use.
Edit2 - I think you could actually leave the gi0/1 interface on the 3750 as a routed port and it would still work; it's just that it has to be in a vlan on the other end for the FWSM, so it seemed more logical to use a switchport on the 3750.
Jon
07-22-2010 03:17 PM
Hi Jon,
Thanks for all your help. How do I know if the MSFC is on the inside or outside? My mistake: there is no 'ip route' on the 6500 switch; the routing is all done by the FWSM. Only on my test switch (3550) did I put the 'ip route' command. I read some of your older posts on FWSM problems and it was helpful. I think I understand the concept but I'm unsure of the configuration difference between the two.
If my setup was:
6500 -> FWSM - MSFC -> 3750 - 4 vlans
On the 6500 switch I would use:
ip route 192.168.5.0 255.255.255.0
ip route 192.168.6.0 255.255.255.0
If I had it 6500 - MSFC -> FWSM -> 3750 - 4 vlans
then I would use on the FWSM:
route inside 192.168.5.0 255.255.255.0 192.168.7.2
route inside 192.168.6.0 255.255.255.0 192.168.7.2
Is this correct?
And yes, I want the traffic from 3750 to go through the firewall just like you assumed.
07-22-2010 05:53 PM
hustler0002 wrote:
Hi Jon,
Thanks for all your help. How do I know if the MSFC is on the inside or outside? My mistake: there is no 'ip route' on the 6500 switch; the routing is all done by the FWSM. Only on my test switch (3550) did I put the 'ip route' command. I read some of your older posts on FWSM problems and it was helpful. I think I understand the concept but I'm unsure of the configuration difference between the two.
If my setup was:
6500 -> FWSM - MSFC -> 3750 - 4 vlans
On the 6500 switch I would use:
ip route 192.168.5.0 255.255.255.0
ip route 192.168.6.0 255.255.255.0
If I had it 6500 - MSFC -> FWSM -> 3750 - 4 vlans
then I would use on the FWSM:
route inside 192.168.5.0 255.255.255.0 192.168.7.2
route inside 192.168.6.0 255.255.255.0 192.168.7.2
Is this correct?
And yes, I want the traffic from 3750 to go through the firewall just like you assumed.
Mike
Yes what you say is correct in regards to routing. Note if the FWSM is connected to the 3750 directly then you need 2 sets of routes, one set on the 6500 MSFC pointing to the FWSM outside and the other on the FWSM pointing to the 3750.
I'm assuming at present that you have other subnets on the 6500 and that these are routed by the MSFC. Now this isn't necessarily the case, although it is the more common scenario. You may be using the 6500 purely as a L2 switch and have all routing done by the FWSM, in which case there is no need to worry about the MSFC.
Assuming you do have more subnets on the 6500 and you want to firewall these from the 4 on the 3750 then you can't have -
6500 -> FWSM -> MSFC -> 3750 -> 4 vlans
because the 4 vlans would be able to communicate with all the vlans on the 6500 via the MSFC without going through the firewall. So you need the original topology we talked about, i.e.
6500 -> MSFC -> FWSM -> 3750 -> 4 vlans
One thing I haven't mentioned is that if you use the above topology then you obviously need to add NAT rules and access-lists to the FWSM for the 4 vlans. Not sure how familiar you are with the FWSM, but in short -
1) if you are using NAT on the FWSM you need to add static NATs to the firewall, e.g.
static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
static (inside,outside) 192.168.6.0 192.168.6.0 netmask 255.255.255.0
2) access-lists are needed both on the inside and the outside interfaces to allow traffic. Note on a standalone pix/ASA you don't need an acl to allow traffic from the inside but you do on the FWSM.
The above assumes that your FWSM is in routed mode and running nat-control.
Jon
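As an added check for the design Jon describes (not code from this thread or from Cisco): this script parses constructed 6500 (MSFC) and FWSM config snippets that follow the recipe above and flags the mistakes the thread warns about, a 6500 route aimed past the FWSM, an addressed MSFC SVI on the inside side, a missing identity static or access-group. The interface names inside/outside, VLAN 30 with 10.0.30.0/24 as the outside transit, and both sample configs are assumptions.

```python
import ipaddress
import re

# Constructed MSFC config per the recipe above: FWSM inside is VLAN 20, outside VLAN 30 (assumed).
MSFC_OK = """\
firewall module 1 vlan-group 1
firewall vlan-group 1 20,30
interface Vlan20
 no ip address
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
ip route 192.168.5.0 255.255.255.0 10.0.30.2
ip route 192.168.6.0 255.255.255.0 10.0.30.2
"""
# Same 6500 wired like the 3550 test network: the MSFC owns 192.168.7.1 and routes past the FWSM.
MSFC_BYPASS = MSFC_OK.replace("20,30", "30").replace("10.0.30.2", "192.168.7.2").replace(
    " no ip address", " ip address 192.168.7.1 255.255.255.252")
# Constructed FWSM config in the 1.x syntax seen on this thread (nat-control statics, ACLs, routes).
FWSM = """\
nameif vlan30 outside security0
nameif vlan20 inside security100
ip address outside 10.0.30.2 255.255.255.0
ip address inside 192.168.7.1 255.255.255.252
static (inside,outside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0 0 0
static (inside,outside) 192.168.6.0 192.168.6.0 netmask 255.255.255.0 0 0
access-group inside_acc in interface inside
access-group outside_acc in interface outside
route inside 192.168.5.0 255.255.255.0 192.168.7.2 1
route inside 192.168.6.0 255.255.255.0 192.168.7.2 1
"""

def expand_vlans(spec):  # "20,99-102" -> {20, 99, 100, 101, 102}
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_msfc(text):
    groups, used, svis, routes, cur = {}, set(), {}, {}, None
    for line in text.splitlines():
        if m := re.match(r"firewall vlan-group (\d+) (\S+)", line):
            groups.setdefault(int(m[1]), set()).update(expand_vlans(m[2]))
        elif m := re.match(r"firewall module \d+ vlan-group (\S+)", line):
            used.update(int(g) for g in m[1].split(","))
        elif m := re.match(r"interface Vlan(\d+)", line):
            cur = int(m[1])
            svis[cur] = None            # SVI exists; its address is filled in below
        elif (m := re.match(r"\s+ip address (\S+) (\S+)", line)) and cur is not None:
            svis[cur] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            routes[ipaddress.ip_network(f"{m[1]}/{m[2]}")] = ipaddress.ip_address(m[3])
    fw_vlans = set().union(*(groups.get(g, set()) for g in used))  # VLANs handed to the FWSM
    return {"fw_vlans": fw_vlans, "svis": svis, "routes": routes}

def parse_fwsm(text):
    nameif, addrs, statics, acl_ifs, routes = {}, {}, set(), set(), {}
    for line in text.splitlines():
        if m := re.match(r"nameif vlan(\d+) (\S+) security\d+", line):
            nameif[m[2]] = int(m[1])
        elif m := re.match(r"ip address (\S+) (\S+) (\S+)", line):
            addrs[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", line):
            statics.add((m[1], m[2], ipaddress.ip_network(f"{m[4]}/{m[5]}")))  # real-side net
        elif m := re.match(r"access-group \S+ in interface (\S+)", line):
            acl_ifs.add(m[1])
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            routes[(m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}"))] = ipaddress.ip_address(m[4])
    return dict(nameif=nameif, addrs=addrs, statics=statics, acl_ifs=acl_ifs, routes=routes)

def check_design(msfc, fwsm, inside="inside", outside="outside",
                 protected=("192.168.5.0/24", "192.168.6.0/24")):
    """Return findings; an empty list means the design matches the thread's recipe."""
    f, nets = [], [ipaddress.ip_network(p) for p in protected]
    for name in (inside, outside):
        vlan = fwsm["nameif"].get(name)
        if vlan not in msfc["fw_vlans"]:
            f.append(f"{name} (vlan {vlan}) is not handed to the FWSM by a firewall vlan-group")
        if name not in fwsm["acl_ifs"]:
            f.append(f"no access-group on {name}; the FWSM passes nothing without one")
    in_vlan, out_if, in_if = (fwsm["nameif"].get(inside), fwsm["addrs"].get(outside),
                              fwsm["addrs"].get(inside))
    for vlan, svi in msfc["svis"].items():  # any MSFC hop on the inside side is a bypass
        if svi is not None and (vlan == in_vlan or any(svi.network.overlaps(n) for n in nets)):
            f.append(f"MSFC Vlan{vlan} ({svi}) gives the 3750 VLANs a path around the FWSM")
    for p in nets:
        nh = msfc["routes"].get(p)
        if out_if is None or nh != out_if.ip:
            f.append(f"6500 route for {p} must point at the FWSM outside address (found {nh})")
        nh = fwsm["routes"].get((inside, p))
        if in_if is None or nh is None or nh not in in_if.network:
            f.append(f"FWSM route for {p} needs a next hop on the {inside} transit subnet (found {nh})")
        if (inside, outside, p) not in fwsm["statics"]:
            f.append(f"no static ({inside},{outside}) for {p}; with nat-control the FWSM drops it")
    return f

if __name__ == "__main__":
    for label, cfg in (("recipe", MSFC_OK), ("test-network routing", MSFC_BYPASS)):
        print(label, check_design(parse_msfc(cfg), parse_fwsm(FWSM)) or ["OK"])
```

Run against a real `show run` from the SUP720 and the FWSM, the same parser handles the vlan-group ranges and the `nameif vlanNN` form shown later in this thread.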
07-23-2010 07:59 AM
Current configuration : 19830 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SUP720
!
boot system flash bootflash:s72033-jk9o3sv-mz.122-17a.SX3.bin
boot bootldr sup-bootflash:s72033-psv-mz.122-17a.SX1.bin
logging snmp-authfail
enable secret 5 $1$cL8f$Ev56nw5F1IAzmUjeigLml0
enable password *****
!
clock timezone PST -8
firewall multiple-vlan-interfaces
firewall module 1 vlan-group 1,2
firewall vlan-group 1 20,40,99-102,106,108,110,112,114-118,120,122,142,180
firewall vlan-group 1 200,220,240,260,280,402,900
vtp domain casta
vtp mode transparent
ip subnet-zero
!
!
no ip domain-lookup
!
mpls ldp logging neighbor-changes
no mls flow ip
no mls flow ipv6
no spanning-tree optimize bpdu transmission
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
redundancy
mode rpr-plus
main-cpu
auto-sync running-config
auto-sync standard
!
power redundancy-mode combined
!
vlan internal allocation policy ascending
!
vlan 40
name ita
!
vlan 99
name ita2
!
vlan 100
name ssr
!
vlan 101
name windows
!
vlan 102
name bus
!
vlan 105
name car
!
vlan 106
name ct
!
vlan 108
name county
!
vlan 110
name train
!
vlan 112
name traffic
!
vlan 114
name rail
!
vlan 115
name atm1
!
vlan 116
name atm2
!
vlan 117
name pdfd
!
vlan 118
name dsl
!
vlan 120
name vpn
!
vlan 122
name cdpd
!
vlan 142
name test
!
vlan 180
name cms
!
vlan 200
name trafgraf
!
vlan 220
name grxfx
!
vlan 240
name tms
!
vlan 260
name lb
!
vlan 280
name burglen
!
vlan 900
name tmc2
!
................... just giving a few examples for the gigabitethernet
interface GigabitEthernet2/47
no ip address
switchport
switchport access vlan 102
!
....................
interface GigabitEthernet3/19
no ip address
switchport
switchport access vlan 100
!
interface GigabitEthernet3/48
no ip address
switchport
switchport access vlan 105
!
....................
interface Vlan1
no ip address
shutdown
!
interface Vlan99
ip address 172.168.99.1 255.255.255.0
load-interval 30
!
interface Vlan100
ip address 10.10.10.3 255.255.255.0
!
!
interface Vlan105
ip address 192.1.1.1 255.255.255.0
!
........... There are some other VLANs defined, but they are not assigned to any ports and not used in the FWSM either.
Although Vlan99 isn't assigned a gigabitethernet port, it is defined in the FWSM and has an ACL, but I assume because it's not defined in this config it's a port that is no longer used.
!
ip classless
no ip http server
!
line con 0
line vty 0 4
password *******
login
end
Looking at this config, can you conclude that the switch is being used as a L2 device like you described and the FWSM is doing all the routing? And what does that mean in terms of the MSFC?
Also I notice that Vlan 105 is defined on the switch but doesn't have a nameif vlan105 on the FWSM like all the other vlans. What does this mean? If you need it I can show you the config for the FWSM also.
Thanks again for your help.
07-23-2010 11:38 AM
Mike
Can you post -
1) "sh ip int brief" from the 6500
2) "sh ip route" from the 6500
3) the FWSM config
Jon
07-23-2010 01:23 PM
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES NVRAM administratively down down
Vlan99 172.168.99.1 YES NVRAM up up
Vlan100 10.94.80.3 YES NVRAM up up
Vlan101 unassigned YES NVRAM up up
Vlan105 192.1.1.1 YES NVRAM up up
Vlan107 67.125.153.35 YES NVRAM down down
Vlan108 unassigned YES NVRAM administratively down down
GigabitEthernet2/1 unassigned YES unset up up
GigabitEthernet2/2 unassigned YES unset up up
GigabitEthernet2/3 unassigned YES unset up up
GigabitEthernet2/4 unassigned YES unset down down
GigabitEthernet2/5 unassigned YES unset down down
GigabitEthernet2/6 unassigned YES unset up up
GigabitEthernet2/7 unassigned YES unset up up
GigabitEthernet2/8 unassigned YES unset up up
GigabitEthernet2/9 unassigned YES unset up up
GigabitEthernet2/10 unassigned YES unset up up
GigabitEthernet2/11 unassigned YES unset up up
GigabitEthernet2/12 unassigned YES unset up up
GigabitEthernet2/13 unassigned YES unset up up
GigabitEthernet2/14 unassigned YES unset up up
GigabitEthernet2/15 unassigned YES unset up up
GigabitEthernet2/16 unassigned YES unset down down
GigabitEthernet2/17 unassigned YES unset up up
GigabitEthernet2/18 unassigned YES unset up up
GigabitEthernet2/19 unassigned YES unset up up
GigabitEthernet2/20 unassigned YES unset down down
GigabitEthernet2/21 unassigned YES unset down down
GigabitEthernet2/22 unassigned YES unset down down
GigabitEthernet2/23 unassigned YES unset up up
GigabitEthernet2/24 unassigned YES unset up up
GigabitEthernet2/25 unassigned YES unset up up
GigabitEthernet2/26 unassigned YES unset up up
GigabitEthernet2/27 unassigned YES unset up up
GigabitEthernet2/28 unassigned YES unset up up
GigabitEthernet2/29 unassigned YES unset up up
GigabitEthernet2/30 unassigned YES unset up up
GigabitEthernet2/31 unassigned YES unset up up
GigabitEthernet2/32 unassigned YES unset down down
GigabitEthernet2/33 unassigned YES unset down down
GigabitEthernet2/34 unassigned YES unset down down
GigabitEthernet2/35 unassigned YES unset up up
GigabitEthernet2/36 unassigned YES unset down down
GigabitEthernet2/37 unassigned YES unset up up
GigabitEthernet2/38 unassigned YES unset down down
GigabitEthernet2/39 unassigned YES unset up up
GigabitEthernet2/40 unassigned YES unset down down
GigabitEthernet2/41 unassigned YES unset down down
GigabitEthernet2/42 unassigned YES unset up up
GigabitEthernet2/43 unassigned YES unset down down
GigabitEthernet2/44 unassigned YES unset up up
GigabitEthernet2/45 unassigned YES unset down down
GigabitEthernet2/46 unassigned YES unset up up
GigabitEthernet2/47 unassigned YES unset down down
GigabitEthernet2/48 172.168.1.1 YES NVRAM down down
GigabitEthernet3/1 unassigned YES unset up up
GigabitEthernet3/2 unassigned YES unset down down
GigabitEthernet3/3 unassigned YES unset up up
GigabitEthernet3/4 unassigned YES unset down down
GigabitEthernet3/5 unassigned YES unset down down
GigabitEthernet3/6 unassigned YES unset down down
GigabitEthernet3/7 unassigned YES unset up up
GigabitEthernet3/8 unassigned YES unset down down
GigabitEthernet3/9 unassigned YES unset down down
GigabitEthernet3/10 unassigned YES unset down down
GigabitEthernet3/11 unassigned YES unset up up
GigabitEthernet3/12 unassigned YES unset down down
GigabitEthernet3/13 unassigned YES unset down down
GigabitEthernet3/14 unassigned YES unset down down
GigabitEthernet3/15 unassigned YES unset up up
GigabitEthernet3/16 unassigned YES unset up up
GigabitEthernet3/17 unassigned YES unset down down
GigabitEthernet3/18 unassigned YES unset down down
GigabitEthernet3/19 unassigned YES unset down down
GigabitEthernet3/20 unassigned YES unset down down
GigabitEthernet3/21 unassigned YES unset up up
GigabitEthernet3/22 unassigned YES unset up up
GigabitEthernet3/23 unassigned YES unset up up
GigabitEthernet3/24 unassigned YES unset down down
GigabitEthernet3/25 unassigned YES unset up up
GigabitEthernet3/26 unassigned YES unset down down
GigabitEthernet3/27 unassigned YES unset down down
GigabitEthernet3/28 unassigned YES unset down down
GigabitEthernet3/29 unassigned YES unset down down
GigabitEthernet3/30 unassigned YES unset down down
GigabitEthernet3/31 unassigned YES unset up up
GigabitEthernet3/32 unassigned YES unset down down
GigabitEthernet3/33 unassigned YES unset down down
GigabitEthernet3/34 unassigned YES unset up up
GigabitEthernet3/35 unassigned YES unset down down
GigabitEthernet3/36 unassigned YES unset down down
GigabitEthernet3/37 unassigned YES unset down down
GigabitEthernet3/38 unassigned YES unset down down
GigabitEthernet3/39 unassigned YES unset down down
GigabitEthernet3/40 unassigned YES unset down down
GigabitEthernet3/41 unassigned YES unset up up
GigabitEthernet3/42 unassigned YES unset down down
GigabitEthernet3/43 unassigned YES unset up up
GigabitEthernet3/44 unassigned YES unset down down
GigabitEthernet3/45 unassigned YES unset down down
GigabitEthernet3/46 unassigned YES unset down down
GigabitEthernet3/47 unassigned YES unset down down
GigabitEthernet3/48 unassigned YES unset down down
GigabitEthernet4/1 unassigned YES unset up up
GigabitEthernet4/2 unassigned YES unset up up
GigabitEthernet4/3 unassigned YES unset up up
GigabitEthernet4/4 unassigned YES unset down down
GigabitEthernet4/5 unassigned YES unset up up
GigabitEthernet4/6 unassigned YES unset up up
GigabitEthernet4/7 unassigned YES unset up up
GigabitEthernet4/8 unassigned YES unset down down
GigabitEthernet4/9 unassigned YES unset down down
GigabitEthernet4/10 unassigned YES unset up up
GigabitEthernet4/11 unassigned YES unset up up
GigabitEthernet4/12 unassigned YES unset up up
GigabitEthernet4/13 unassigned YES unset down down
GigabitEthernet4/14 unassigned YES unset up up
GigabitEthernet4/15 unassigned YES unset up up
GigabitEthernet4/16 unassigned YES unset up up
GigabitEthernet4/17 unassigned YES unset up up
GigabitEthernet4/18 unassigned YES unset down down
GigabitEthernet4/19 unassigned YES unset up up
GigabitEthernet4/20 unassigned YES unset down down
GigabitEthernet4/21 unassigned YES unset down down
GigabitEthernet4/22 unassigned YES unset down down
GigabitEthernet4/23 unassigned YES unset up up
GigabitEthernet4/24 unassigned YES unset down down
GigabitEthernet4/25 unassigned YES unset up up
GigabitEthernet4/26 unassigned YES unset up up
GigabitEthernet4/27 unassigned YES unset up up
GigabitEthernet4/28 unassigned YES unset up up
GigabitEthernet4/29 unassigned YES unset up up
GigabitEthernet4/30 unassigned YES unset up up
GigabitEthernet4/31 unassigned YES unset up up
GigabitEthernet4/32 unassigned YES unset down down
GigabitEthernet4/33 unassigned YES unset up up
GigabitEthernet4/34 unassigned YES unset down down
GigabitEthernet4/35 unassigned YES unset down down
GigabitEthernet4/36 unassigned YES unset down down
GigabitEthernet4/37 unassigned YES unset down down
GigabitEthernet4/38 unassigned YES unset down down
GigabitEthernet4/39 unassigned YES unset down down
GigabitEthernet4/40 unassigned YES unset down down
GigabitEthernet4/41 unassigned YES unset down down
GigabitEthernet4/42 unassigned YES unset down down
GigabitEthernet4/43 unassigned YES unset down down
GigabitEthernet4/44 unassigned YES unset down down
GigabitEthernet4/45 unassigned YES unset down down
GigabitEthernet4/46 unassigned YES unset down down
GigabitEthernet4/47 unassigned YES unset down down
GigabitEthernet4/48 unassigned YES unset down down
GigabitEthernet5/1 unassigned YES NVRAM administratively down down
GigabitEthernet5/2 unassigned YES NVRAM administratively down down
GigabitEthernet6/1 unassigned YES NVRAM administratively down down
GigabitEthernet6/2 unassigned YES NVRAM administratively down down
GigabitEthernet7/1 unassigned YES unset up up
GigabitEthernet7/2 unassigned YES unset down down
GigabitEthernet7/3 unassigned YES unset up up
GigabitEthernet7/4 unassigned YES unset down down
GigabitEthernet7/5 unassigned YES unset up up
GigabitEthernet7/6 unassigned YES unset down down
GigabitEthernet7/7 unassigned YES unset down down
GigabitEthernet7/8 unassigned YES unset up up
GigabitEthernet7/9 unassigned YES unset up up
GigabitEthernet7/10 unassigned YES unset up up
GigabitEthernet7/11 unassigned YES unset down down
GigabitEthernet7/12 unassigned YES unset up up
GigabitEthernet7/13 unassigned YES unset up up
GigabitEthernet7/14 unassigned YES unset up up
GigabitEthernet7/15 unassigned YES unset up up
GigabitEthernet7/16 unassigned YES unset up up
GigabitEthernet7/17 unassigned YES unset up up
GigabitEthernet7/18 unassigned YES unset down down
GigabitEthernet7/19 unassigned YES unset up up
GigabitEthernet7/20 unassigned YES unset up up
GigabitEthernet7/21 unassigned YES unset up up
GigabitEthernet7/22 unassigned YES unset up up
GigabitEthernet7/23 unassigned YES unset down down
GigabitEthernet7/24 unassigned YES unset up up
GigabitEthernet7/25 unassigned YES unset up up
GigabitEthernet7/26 unassigned YES unset up up
GigabitEthernet7/27 unassigned YES unset up up
GigabitEthernet7/28 unassigned YES unset up up
GigabitEthernet7/29 unassigned YES unset up up
GigabitEthernet7/30 unassigned YES unset up up
GigabitEthernet7/31 unassigned YES unset up up
GigabitEthernet7/32 unassigned YES unset up up
GigabitEthernet7/33 unassigned YES unset up up
GigabitEthernet7/34 unassigned YES unset up up
GigabitEthernet7/35 unassigned YES unset down down
GigabitEthernet7/36 unassigned YES unset up up
GigabitEthernet7/37 unassigned YES unset up up
GigabitEthernet7/38 unassigned YES unset up up
GigabitEthernet7/39 unassigned YES unset up up
GigabitEthernet7/40 unassigned YES unset down down
GigabitEthernet7/41 unassigned YES unset down down
GigabitEthernet7/42 unassigned YES unset down down
GigabitEthernet7/43 unassigned YES unset down down
GigabitEthernet7/44 unassigned YES unset down down
GigabitEthernet7/45 unassigned YES unset down down
GigabitEthernet7/46 unassigned YES unset down down
GigabitEthernet7/47 unassigned YES unset down down
GigabitEthernet7/48 unassigned YES unset down down
GigabitEthernet8/1 unassigned YES unset up up
GigabitEthernet8/2 unassigned YES unset up up
GigabitEthernet8/3 unassigned YES unset up up
GigabitEthernet8/4 unassigned YES unset up up
GigabitEthernet8/5 unassigned YES unset down down
GigabitEthernet8/6 unassigned YES NVRAM administratively down down
GigabitEthernet8/7 unassigned YES NVRAM administratively down down
GigabitEthernet8/8 unassigned YES NVRAM administratively down down
SUP720#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.168.0.0/24 is subnetted, 1 subnets
C 172.168.99.0 is directly connected, Vlan99
10.0.0.0/24 is subnetted, 1 subnets
C 10.94.80.0 is directly connected, Vlan100
C 192.1.1.0/24 is directly connected, Vlan105
FWSM Version 1.1(3)
no gdb enable
nameif vlan102 astar_intf security90
nameif vlan99 tma_intf security1
nameif vlan101 kernel_intf security95
nameif vlan40 ita_intf security70
nameif vlan106 ct_intf security10
nameif vlan110 riits_intf security3
nameif vlan112 tps_intf security15
nameif vlan114 lax_intf security20
nameif vlan116 atm_intf security97
nameif vlan100 ssr_intf security85
nameif vlan240 tms_intf security96
nameif vlan200 sg_intf security30
nameif vlan900 lacotmc_intf security8
nameif vlan220 inetgrx_intf security4
nameif vlan260 multi_agency_intf security1
nameif vlan280 bur_intf security1
nameif vlan115 lawaatm_intf security20
nameif vlan117 pdfd_intf security20
enable password U6BcR0LozQw4aZAf encrypted
passwd U6BcR0LozQw4aZAf encrypted
hostname FWSM
domain-name fwsm.atsar.org2
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
ACL is here but I removed it because it's really long. If there's something you need from the ACL I can post it.
pager lines 75
logging on
logging buffered notifications
icmp permit any astar_intf
icmp permit any tma_intf
icmp permit any kernel_intf
icmp permit any ita_intf
icmp permit any ct_intf
icmp permit any riits_intf
icmp permit any tps_intf
icmp permit any lax_intf
icmp permit any atm_intf
icmp permit any ssr_intf
icmp permit any tms_intf
icmp permit any sg_intf
icmp permit any lacotmc_intf
icmp permit any inetgrx_intf
icmp permit any multi_agency_intf
icmp permit any bur_intf
icmp permit any lawaatm_intf
icmp permit any pdfd_intf
mtu astar_intf 1500
mtu tma_intf 1500
mtu kernel_intf 1500
mtu ita_intf 1500
mtu ct_intf 1500
mtu riits_intf 1500
mtu tps_intf 1500
mtu lax_intf 1500
mtu atm_intf 1500
mtu ssr_intf 1500
mtu tms_intf 1500
mtu sg_intf 1500
mtu lacotmc_intf 1500
mtu inetgrx_intf 1500
mtu multi_agency_intf 1500
mtu bur_intf 1500
mtu lawaatm_intf 1500
mtu pdfd_intf 1500
ip address astar_intf 10.94.26.11 255.255.255.0
ip address tma_intf 172.168.99.2 255.255.255.0
ip address kernel_intf 192.9.210.101 255.255.255.0
ip address ita_intf 10.94.230.254 255.255.255.0
ip address ct_intf 149.136.5.86 255.255.255.240
ip address riits_intf 192.3.3.2 255.255.255.0
ip address tps_intf 192.4.4.2 255.255.255.0
ip address lax_intf 10.94.29.2 255.255.255.0
ip address atm_intf 172.16.1.1 255.255.0.0
ip address ssr_intf 10.94.80.2 255.255.255.0
ip address tms_intf 172.168.77.2 255.255.255.0
ip address sg_intf 192.9.200.70 255.255.255.0
ip address lacotmc_intf 192.6.6.2 255.255.255.0
ip address inetgrx_intf 192.7.7.2 255.255.255.0
ip address multi_agency_intf 10.94.58.2 255.255.255.0
ip address bur_intf 192.168.9.2 255.255.255.0
ip address lawaatm_intf 172.18.152.2 255.255.0.0
ip address pdfd_intf 10.94.30.2 255.255.255.0
no failover
failover lan unit secondary
failover timeout 0:00:00
failover poll 15
failover ip address astar_intf 0.0.0.0
failover ip address tma_intf 0.0.0.0
failover ip address kernel_intf 0.0.0.0
failover ip address ita_intf 0.0.0.0
failover ip address ct_intf 0.0.0.0
failover ip address riits_intf 0.0.0.0
failover ip address tps_intf 0.0.0.0
failover ip address lax_intf 0.0.0.0
failover ip address atm_intf 0.0.0.0
failover ip address ssr_intf 0.0.0.0
failover ip address tms_intf 0.0.0.0
failover ip address sg_intf 0.0.0.0
failover ip address lacotmc_intf 0.0.0.0
failover ip address inetgrx_intf 0.0.0.0
failover ip address multi_agency_intf 0.0.0.0
failover ip address bur_intf 0.0.0.0
failover ip address lawaatm_intf 0.0.0.0
failover ip address pdfd_intf 0.0.0.0
pdm history enable
arp timeout 14400
global (tma_intf) 1 interface
global (tps_intf) 1 interface
global (lax_intf) 1 interface
global (ssr_intf) 100 interface
nat (astar_intf) 1 0.0.0.0 0.0.0.0 0 0
nat (riits_intf) 110 0.0.0.0 0.0.0.0 0 0
nat (ssr_intf) 1 0.0.0.0 0.0.0.0 0 0
static (astar_intf,tma_intf) 172.168.99.192 10.94.26.192 netmask 255.255.255.255 0 0
static (astar_intf,tma_intf) 172.168.99.196 10.94.26.196 netmask 255.255.255.255 0 0
static (kernel_intf,astar_intf) 192.9.210.0 192.9.210.0 netmask 255.255.255.0 0 0
static (astar_intf,tma_intf) 172.168.99.57 192.94.6.57 netmask 255.255.255.255 0 0
static (astar_intf,tps_intf) 192.4.4.128 10.94.26.128 netmask 255.255.255.192 0 0
static (astar_intf,tps_intf) 192.4.4.192 10.94.26.192 netmask 255.255.255.192 0 0
static (astar_intf,tps_intf) 192.4.4.64 10.94.26.64 netmask 255.255.255.192 0 0
static (astar_intf,lax_intf) 10.94.29.192 10.94.26.192 netmask 255.255.255.255 0 0
static (astar_intf,lax_intf) 10.94.29.196 10.94.26.196 netmask 255.255.255.255 0 0
static (astar_intf,ssr_intf) 10.94.26.0 10.94.26.0 netmask 255.255.255.0 0 0
static (kernel_intf,ssr_intf) 192.9.210.0 192.9.210.0 netmask 255.255.255.0 0 0
static (ssr_intf,lax_intf) 10.94.80.0 10.94.80.0 netmask 255.255.255.0 0 0
static (ssr_intf,tma_intf) 172.168.99.86 10.94.80.86 netmask 255.255.255.255 0 0
static (astar_intf,ct_intf) 149.136.5.93 10.94.26.198 netmask 255.255.255.255 0 0
static (astar_intf,ct_intf) 172.16.70.0 172.16.70.0 netmask 255.255.255.0 0 0
static (atm_intf,astar_intf) 192.172.0.0 192.172.0.0 netmask 255.255.0.0 0 0
static (atm_intf,astar_intf) 172.16.12.254 172.16.12.254 netmask 255.255.255.255 0 0
static (ssr_intf,tma_intf) 172.168.99.80 10.94.80.80 netmask 255.255.255.254 0 0
static (astar_intf,tma_intf) 172.168.99.208 10.94.26.208 netmask 255.255.255.252 0 0
static (ssr_intf,riits_intf) 192.3.3.198 10.94.80.72 netmask 255.255.255.255 0 0
static (astar_intf,lax_intf) 10.94.29.194 10.94.26.194 netmask 255.255.255.255 0 0
static (astar_intf,tma_intf) 172.168.99.194 10.94.26.194 netmask 255.255.255.255 0 0
static (ssr_intf,sg_intf) 10.94.80.0 10.94.80.0 netmask 255.255.255.0 0 0
static (ssr_intf,lacotmc_intf) 192.6.6.72 10.94.80.72 netmask 255.255.255.255 0 0
static (ssr_intf,lacotmc_intf) 192.6.6.73 10.94.80.73 netmask 255.255.255.255 0 0
static (ssr_intf,lacotmc_intf) 192.6.6.80 10.94.80.80 netmask 255.255.255.255 0 0
static (astar_intf,lacotmc_intf) 192.6.6.192 10.94.26.192 netmask 255.255.255.255 0 0
static (astar_intf,inetgrx_intf) 192.7.7.194 10.94.26.194 netmask 255.255.255.255 0 0
static (astar_intf,inetgrx_intf) 192.7.7.195 10.94.26.195 netmask 255.255.255.255 0 0
static (ssr_intf,lacotmc_intf) 172.16.75.0 172.16.75.0 netmask 255.255.255.0 0 0
static (tms_intf,ssr_intf) 172.168.77.12 172.168.77.12 netmask 255.255.255.255 0 0
static (atm_intf,ssr_intf) 172.16.12.254 172.16.12.254 netmask 255.255.255.255 0 0
static (atm_intf,ssr_intf) 172.16.4.134 172.16.4.134 netmask 255.255.255.255 0 0
static (atm_intf,ssr_intf) 192.172.0.0 192.172.0.0 netmask 255.255.0.0 0 0
static (astar_intf,ita_intf) 161.149.247.0 161.147.247.0 netmask 255.255.255.0 0 0
static (astar_intf,ita_intf) 10.94.26.0 10.94.26.0 netmask 255.255.255.0 0 0
static (ssr_intf,ita_intf) 10.94.80.0 10.94.80.0 netmask 255.255.255.0 0 0
static (lacotmc_intf,bur_intf) 192.6.6.1 192.6.6.1 netmask 255.255.255.255 0 0
static (lacotmc_intf,bur_intf) 10.10.2.0 10.10.2.0 netmask 255.255.255.0 0 0
static (ssr_intf,bur_intf) 10.94.80.80 10.94.80.80 netmask 255.255.255.255 0 0
static (astar_intf,bur_intf) 192.168.9.194 10.94.26.194 netmask 255.255.255.255 0 0
static (astar_intf,ita_intf) 172.22.9.0 172.22.9.0 netmask 255.255.255.0 0 0
static (ssr_intf,multi_agency_intf) 10.94.80.0 10.94.80.0 netmask 255.255.255.0 0 0
static (astar_intf,multi_agency_intf) 10.94.26.0 10.94.26.0 netmask 255.255.255.0 0 0
static (ita_intf,multi_agency_intf) 10.32.12.0 10.32.12.0 netmask 255.255.255.0 0 0
static (ita_intf,multi_agency_intf) 10.94.230.200 10.94.230.200 netmask 255.255.255.255 0 0
static (ita_intf,multi_agency_intf) 10.42.1.0 10.42.1.0 netmask 255.255.255.0 0 0
static (astar_intf,ssr_intf) 10.94.38.138 10.94.38.138 netmask 255.255.255.255 0 0
static (astar_intf,lawaatm_intf) 10.94.26.0 10.94.26.0 netmask 255.255.255.0 0 0
static (astar_intf,pdfd_intf) 10.94.26.78 10.94.26.78 netmask 255.255.255.255 0 0
static (atm_intf,astar_intf) 172.16.12.253 172.16.12.253 netmask 255.255.255.255 0 0
static (atm_intf,ssr_intf) 172.16.12.253 172.16.12.253 netmask 255.255.255.255 0 0
static (ssr_intf,lacotmc_intf) 192.6.6.79 10.94.80.79 netmask 255.255.255.255 0 0
static (ssr_intf,lacotmc_intf) 192.6.6.85 10.94.80.85 netmask 255.255.255.255 0 0
access-group astar_acc in interface astar_intf
access-group tma_acc in interface tma_intf
access-group kernel_acc in interface kernel_intf
access-group ita_acc in interface ita_intf
access-group ct_acc in interface ct_intf
access-group riits_acc in interface riits_intf
access-group tps_acc in interface tps_intf
access-group lax_acc in interface lax_intf
access-group atm_acc in interface atm_intf
access-group ssr_acc in interface ssr_intf
access-group tms_acc in interface tms_intf
access-group sg_acc in interface sg_intf
access-group lacotmc_acc in interface lacotmc_intf
access-group inetgrx_acc in interface inetgrx_intf
access-group multi_agency_acc in interface multi_agency_intf
access-group bur_acc in interface bur_intf
access-group lawaatm_acc in interface lawaatm_intf
access-group pdfd_acc in interface pdfd_intf
!
interface astar_intf
!
interface tma_intf
!
interface kernel_intf
!
interface ita_intf
!
interface ct_intf
!
interface riits_intf
!
interface tps_intf
!
interface lax_intf
!
interface atm_intf
!
interface ssr_intf
!
interface tms_intf
!
interface sg_intf
!
interface lacotmc_intf
!
interface inetgrx_intf
!
interface multi_agency_intf
!
interface bur_intf
!
interface lawaatm_intf
!
interface pdfd_intf
route astar_intf 172.168.99.57 255.255.255.255 10.94.26.209 1
route astar_intf 192.94.6.57 255.255.255.255 10.94.26.209 1
route astar_intf 10.94.82.0 255.255.255.0 10.94.26.1 1
route tma_intf 192.1.1.0 255.255.255.0 172.168.99.1 1
route tma_intf 172.168.99.57 255.255.255.255 10.94.26.209 1
route ita_intf 0.0.0.0 0.0.0.0 10.94.230.200 1
route ita_intf 161.149.247.0 255.255.255.0 10.94.230.200 1
route ct_intf 172.16.70.0 255.255.255.0 149.136.5.89 1
route ct_intf 172.16.72.0 255.255.255.0 149.136.5.89 1
route ct_intf 172.16.70.254 255.255.255.255 149.136.5.89 1
route ct_intf 172.16.100.8 255.255.255.255 149.136.5.89 1
route riits_intf 63.192.224.0 255.255.255.0 192.3.3.1 1
route riits_intf 10.17.19.0 255.255.255.0 192.3.3.1 1
route tps_intf 192.127.1.0 255.255.255.0 192.4.4.1 1
route lax_intf 172.18.151.0 255.255.255.0 10.94.29.220 1
route atm_intf 192.172.0.0 255.255.0.0 172.16.4.134 1
route ssr_intf 75.6.33.33 255.255.255.255 10.94.80.6 1
route ssr_intf 67.125.153.42 255.255.255.255 10.94.80.6 1
route ssr_intf 67.125.153.0 255.255.255.0 10.94.80.2 1
route ssr_intf 161.149.240.176 255.255.255.255 10.94.80.6 1
route ssr_intf 192.75.6.0 255.255.255.0 10.94.80.6 1
route lacotmc_intf 10.10.2.0 255.255.255.0 192.6.6.1 1
route lacotmc_intf 172.16.75.0 255.255.255.0 192.6.6.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username xxxxxx password nFkCJKuqqzpB2OnR encrypted privilege 2
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
fragment size 10 astar_intf
no sysopt route dnat
telnet 10.94.26.135 255.255.255.255 astar_intf
telnet 10.94.26.80 255.255.255.255 astar_intf
telnet 10.94.80.80 255.255.255.255 ssr_intf
telnet 10.94.80.79 255.255.255.255 ssr_intf
telnet 10.94.80.85 255.255.255.255 ssr_intf
telnet 10.94.80.83 255.255.255.255 ssr_intf
telnet timeout 15
ssh 10.94.80.80 255.255.255.254 ssr_intf
ssh timeout 15
terminal width 120
Here's all the information. I took out the ACL. It's kind of long. Plus I'm not sure if the boss would be happy with me posting the FWSM config on a forum. But I need help understanding what I'm dealing with. Thanks again.
07-23-2010 02:09 PM
Mike
vlan 99 and vlan 100 both have L3 interfaces on the MSFC. As you say vlan 105 doesn't have an interface on the FWSM.
This raises a couple of questions -
1) what is vlan 105 used for, does it have servers/PCs etc in it ?
2) the routing table on the 6500 only shows connected interfaces. Does this mean that the 6500 is not actually connected to any other L3 device ?
3) most importantly vlan 99 and vlan 100 both have interfaces on the MSFC. This is slightly unusual but may not matter because -
4) Because you only have connected routes in the 6500 routing table, it looks like all routing is indeed taking place via the FWSM: if there were any devices in vlan 105 or any other, they wouldn't be able to get to any of the DMZs because the 6500 MSFC doesn't have routes to the DMZs.
There are some other oddities, i.e.
1) you have an ip assigned to gig2/48 of 172.168.1.1 which means this is a routed port. But the port is down.
2) vlan 107 has an ip assigned but is in a down state
3) vlan 99 has a security level of 1 which is the lowest and the lowest is usually the outside but you have another interface on the FWSM with a security level of 1.
So overall it looks like the 6500 is there purely to house the FWSM and the FWSM routes between subnets. Note however that having a vlan 99 and 100 SVI on the MSFC could lead to routing between these 2 subnets without going via the firewall. My guess is that some of this is legacy and could be removed.
It's difficult to be 100% sure based on the configs alone.
Do you know what vlan 99/100 and 105 are meant to be for ?
Is the 6500 connected to any other L3 device ?
What is the rest of the network topology and how does the 6500 fit into this.
It's late here in the UK so I'll have another more detailed look at the configs tomorrow to see if anything else stands out.
Jon
07-23-2010 03:03 PM
Jon,
Vlan 105 as far as I can tell:
1) is configured on the switch to ports Gi3/45-Gi3/48
2) IP address 192.1.1.1 255.255.255.0
3) From a topography I found it looks like 192.1.1.1 is a router to the tma_intf network for PCs 192.1.1.101-103
6509 (172.168.99.2) ---> (172.168.99.1) router (192.1.1.1) ---> 192.1.1.101-103
I hope this helps because I'm confused on how vlan 105 and the tma_intf relate to each other. I think vlan 105 and 99 are somehow related. The ACL might help you.
access-list tma_acc permit tcp 192.1.1.0 255.255.255.0 host 172.168.99.196 eq 3306
access-list tma_acc permit tcp 192.1.1.0 255.255.255.0 host 172.168.99.192 eq 81
access-list tma_acc permit tcp 192.1.1.0 255.255.255.0 host 172.168.99.57 eq www
access-list tma_acc permit tcp 192.1.1.0 255.255.255.0 172.168.99.208 255.255.255.252 eq 81
access-list tma_acc permit tcp 192.1.1.0 255.255.255.0 host 172.168.99.194 eq 1051
access-list tma_acc permit tcp 192.1.1.0 255.255.255.0 host 172.168.99.192 eq 1051
I think the 6509 is not connected to any other L3 switches, only routers from what I can guess, and maybe a L2 switch on vlan 280.
Vlan 100 is the subnet I use to telnet into the switch (10.94.80.3) and the FWSM (10.94.80.2). My PC is on that subnet.
Hope some of this extra information helps.
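The questions Jon raises about the posted config (which interface carries the default route, which statics actually translate an address rather than being identity NATs, whether each access-group has an ACL body behind it, and how tightly telnet/ssh management access is scoped) can be checked mechanically over a dump instead of by eye. The script below is an added example for this thread, not code from Cisco or from either poster; SAMPLE_CONFIG is constructed in the style of the pasted FWSM lines (not the real config), and the function names parse_config and audit are this example's own.

```python
"""Audit an FWSM/PIX-style configuration dump for the points discussed above.

Added example for this thread, not Cisco code.  SAMPLE_CONFIG is constructed
in the style of the posted configuration; every function name is an assumption
of this example.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of the thread's FWSM dump (not the real config).
SAMPLE_CONFIG = """\
static (astar_intf,ita_intf) 10.94.26.0 10.94.26.0 netmask 255.255.255.0 0 0
static (astar_intf,bur_intf) 192.168.9.194 10.94.26.194 netmask 255.255.255.255 0 0
access-group tma_acc in interface tma_intf
access-group ita_acc in interface ita_intf
access-list tma_acc permit tcp 192.1.1.0 255.255.255.0 host 172.168.99.57 eq www
route ita_intf 0.0.0.0 0.0.0.0 10.94.230.200 1
route tma_intf 192.1.1.0 255.255.255.0 172.168.99.1 1
snmp-server community public
telnet 10.94.26.135 255.255.255.255 astar_intf
telnet timeout 15
ssh 10.94.80.80 255.255.255.254 ssr_intf
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask ...
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")


def parse_config(text):
    """Pull the line types that matter for the audit into a dict."""
    cfg = {"static": [], "access_group": {}, "acl": defaultdict(list),
           "route": [], "telnet": [], "ssh": [], "snmp_community": []}
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if not parts or parts[0] == "!":
            continue
        kw = parts[0]
        if kw == "static":
            m = STATIC_RE.match(line)
            if m:
                real_if, mapped_if, mapped, real, mask = m.groups()
                cfg["static"].append({"real_if": real_if, "mapped_if": mapped_if,
                                      "mapped": mapped, "real": real, "mask": mask})
        elif kw == "access-group" and len(parts) >= 5:
            cfg["access_group"][parts[4]] = parts[1]      # interface -> ACL name
        elif kw == "access-list" and len(parts) >= 2:
            cfg["acl"][parts[1]].append(line)
        elif kw == "route" and len(parts) >= 5:
            cfg["route"].append({"intf": parts[1], "net": parts[2],
                                 "mask": parts[3], "gw": parts[4]})
        elif kw in ("telnet", "ssh") and len(parts) == 4:   # skips "telnet timeout 15"
            cfg[kw].append({"addr": parts[1], "mask": parts[2], "intf": parts[3]})
        elif kw == "snmp-server" and len(parts) >= 3 and parts[1] == "community":
            cfg["snmp_community"].append(parts[2])
    return cfg


def audit(cfg):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    # An access-group with no access-list body means the filter is empty or,
    # as in this thread, the ACL was left out of the dump.
    for intf, acl in sorted(cfg["access_group"].items()):
        if acl not in cfg["acl"]:
            findings.append(f"{intf}: access-group {acl} applied but no access-list "
                            f"{acl} entries in dump")
    # Identity statics (mapped == real) only expose a subnet across the firewall;
    # the ones that differ actually rewrite addresses and deserve a look.
    for s in cfg["static"]:
        if s["mapped"] != s["real"]:
            findings.append(f"static translates {s['real']} ({s['real_if']}) to "
                            f"{s['mapped']} ({s['mapped_if']})")
    for r in cfg["route"]:
        if r["net"] == "0.0.0.0" and r["mask"] == "0.0.0.0":
            findings.append(f"default route via {r['gw']} on {r['intf']}")
    for e in cfg["telnet"]:
        findings.append(f"telnet (cleartext) allowed from {e['addr']} on {e['intf']}")
    # Management-access masks wider than a single host widen the admin surface.
    for kind in ("telnet", "ssh"):
        for e in cfg[kind]:
            n = ipaddress.ip_network(f"{e['addr']}/{e['mask']}", strict=False).num_addresses
            if n > 1:
                findings.append(f"{kind} entry {e['addr']}/{e['mask']} on {e['intf']} "
                                f"covers {n} addresses")
    for c in cfg["snmp_community"]:
        if c in ("public", "private"):
            findings.append(f"snmp-server community '{c}' is a well-known default")
    return findings


if __name__ == "__main__":
    for line in audit(parse_config(SAMPLE_CONFIG)):
        print(line)
```

Feed it a full `show run` from the FWSM (with the ACLs included) and the first group of findings tells you immediately which interfaces are filtered by an ACL you have not yet seen; the static and route findings give the same picture Jon reconstructed by hand of where traffic leaves the firewall and which addresses change on the way.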