07-17-2012 03:32 AM - edited 03-04-2019 04:59 PM
Hello,
I have one problem. We have configured BGP on a Cisco 6509E switch; the firewall module on the switch is doing NAT for all users,
but users are not getting to the internet yet, and I do not know how to configure the 6509E to give internet access to users. If I point the default route to the FWSM,
then BGP will not work? If I route a default route, what is the meaning of BGP then?
I do not want to write a static route because BGP should work (4 ISPs for redundancy).
Please help with how to let users go out to the internet through BGP, when NAT is being done on the firewall module on the 6509 and routing is being done on the 6509.
How to configure it?
Regards
Tural L
07-17-2012 05:20 AM
Hello Tural,
the FWSM is like a separate device within your C6500 anatomy.
The best way to advertise NAT pools should be the following:
on the supervisor/MSFC you configure static routes for the NAT pools with IP next hop = FWSM outside L3 interface;
under router bgp you add network statements that match exactly (including the network mask) the static routes defined for the NAT pools.
Traffic coming from the internet has to be routed to the FWSM outside interface; the FWSM will perform NAT and after that it can route again to the MSFC on the FWSM inside to reach the inside local addresses.
In the opposite direction the opposite should happen:
traffic from internal networks has to be routed to the FWSM in order to have NAT performed.
In order to achieve this, the detailed BGP table has to be separated from internal network otherwise the traffic will try to go to the internet bypassing the FWSM and NAT operation.
To achieve this (the internal networks facing interfaces and FWSM inside) and ( the interfaces facing the ISPs and the FWSM outside) have to be associated to different VRFs = two different routing tables.
Example:
VRF INSIDE includes the interfaces facing the internal network and the FWSM inside.
You run your IGP in the VRF to learn about internal routes, and you configure a static default route in VRF INSIDE pointing to the FWSM inside interface.
On the FWSM you configure static routes for internal networks pointing to the MSFC SVI connected to the FWSM inside interface.
On the FWSM you configure the static default route pointing to the MSFC SVI on the outside interface; this SVI is in the global routing table.
In this example the interfaces facing the ISPs and the one facing the FWSM outside are left in the global routing table.
The FWSM creates communication between the two separated routing tables. But the use of VRFs is mandatory to avoid NAT bypass.
Hope to help
Giuseppe
07-17-2012 05:56 AM
Hello Giuseppe,
Thank you very much for the reply, you gave great information and I hope you gave me light to understand the configuration
that will let users not bypass NAT while exiting to the internet.
Just let me tell you that I do not have a dynamic IGP configured, because the 6509 is the only L3 device; if I configure it I have to configure the IGP on the FWSM and ASA (only for VPN) too.
I would be very happy if you give some config example!
My loopback IP is 91.240.27.1/128 (outside), which is my BGP peer; the default route is to one of the ISPs. When I point the default route to the FWSM I lose connection to 91.240.27.1 from the internet.
Do you have a config example for this issue please?
Best Regards
Tural
07-17-2012 06:29 AM
Hello Tural,
I can provide two links to VRF lite:
http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/vrflitsb.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/vrf.html
that may be helpful; see the example of VRF lite in the second link, it may be easier. You don't need to leak routes between VRFs, just divide the interfaces into two subsets and have separate routing tables.
Example (following what I suggested in the previous post):
ip vrf INSIDE
 rd 1000:10
!
on each "internal" L3 interface you do the following:
interface type x/y
 ip vrf forwarding INSIDE
 ! at this point you retype the ip address and mask
 ip address x.y.z.k 255.255.255.H
you have to do this for each client-facing SVI.
Static routes in the VRF require the vrf INSIDE keyword (next hop = FWSM inside interface):
ip route vrf INSIDE 0.0.0.0 0.0.0.0 FWSM-inside-IP
On the main global routing table you keep the ISP connections and the link to the FWSM outside (next hop = FWSM outside interface):
ip route NAT-pool NAT-pool-mask FWSM-outside-IP
router bgp your-AS
 network NAT-pool mask NAT-pool-mask
And a link to the FWSM configuration guide 4.0:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/intro_f.html
Hope to help
Giuseppe
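The point of the two replies above is that the VRF split is what prevents internal traffic from reaching the ISPs un-NATed, and that each BGP network statement must match a global static route exactly. The following is an added example, not code from the thread or from Cisco: a small audit script that parses an IOS-style config (a constructed sample; the NAT pool 198.51.100.0/24, next hops and AS number are placeholders) and reports an internal SVI left in the global table, a BGP network statement without a matching static route, and a missing default route in VRF INSIDE.

```python
import ipaddress

# Constructed IOS config in the VRF-lite layout described above (all addresses are placeholders).
SAMPLE_CONFIG = """
ip vrf INSIDE
interface Vlan10
 ip vrf forwarding INSIDE
 ip address 10.10.0.1 255.255.255.0
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
ip route vrf INSIDE 0.0.0.0 0.0.0.0 10.0.0.2
ip route 198.51.100.0 255.255.255.0 192.0.2.2
router bgp 65000
 network 198.51.100.0 mask 255.255.255.0
 network 203.0.113.0 mask 255.255.255.0
"""

def parse_config(text):
    """Static routes per VRF (None = global), BGP network statements, interface VRF/address."""
    routes, bgp_nets, ifaces, cur = {}, set(), {}, None
    for raw in text.strip().splitlines():
        parts = raw.split()
        if not raw.startswith(" "):
            cur = None  # unindented line: we have left the interface block
        if parts[0] == "interface":
            cur = parts[1]
            ifaces[cur] = {"vrf": None, "ip": None}
        elif cur and parts[:3] == ["ip", "vrf", "forwarding"]:
            ifaces[cur]["vrf"] = parts[3]
        elif cur and parts[:2] == ["ip", "address"]:
            ifaces[cur]["ip"] = ipaddress.ip_address(parts[2])
        elif parts[:2] == ["ip", "route"]:
            vrf, rest = (parts[3], parts[4:]) if parts[2] == "vrf" else (None, parts[2:])
            routes.setdefault(vrf, set()).add(ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False))
        elif parts[0] == "network" and "mask" in parts:
            bgp_nets.add(ipaddress.ip_network(f"{parts[1]}/{parts[3]}", strict=False))
    return routes, bgp_nets, ifaces

def audit(text, inside_vrf="INSIDE"):
    """Findings that would let internal traffic bypass the FWSM or leave a NAT pool unreachable."""
    routes, bgp_nets, ifaces = parse_config(text)
    findings = []
    for net in sorted(bgp_nets):
        if net not in routes.get(None, set()):  # BGP network must match a global static route exactly
            findings.append(f"BGP network {net} has no exactly matching global static route")
    if ipaddress.ip_network("0.0.0.0/0") not in routes.get(inside_vrf, set()):
        findings.append(f"VRF {inside_vrf} has no default route toward the FWSM inside")
    for name, info in ifaces.items():  # an internal SVI left in the global table reaches the ISPs un-NATed
        if info["vrf"] != inside_vrf and info["ip"] and info["ip"].is_private:
            findings.append(f"{name} ({info['ip']}) is in the global table: NAT bypass risk")
    return findings
```

On the sample it reports Vlan20 (in the global table) and the 203.0.113.0/24 network statement with no static route; moving Vlan20 into VRF INSIDE and dropping that statement gives an empty findings list.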
07-18-2012 04:33 AM
Thank you very much Giuseppe.
It helped me; I already configured it and the VRF and two different routing tables worked, but for internal routing I configured OSPF.
Regards
Tural L