FWSM in Transparent Mode

Chrispaul84
Level 1

        hh

5 Replies

Giuseppe Larosa
Hall of Fame

Hello Chris,

the FWSM in transparent mode doesn't have any IP address on it, but it bridges between two Vlans defined on the switch supervisor.

A transparent FW has only two interfaces: an inside and an outside.

To interconnect between different SVI interfaces of the same C6500 (the one with the FWSM blade) you need the following:

a) you need to use different routing tables to avoid bypassing the FWSM. So internal interfaces or external interfaces must be associated with a VRF.

b) to permit communication between different SVIs of the same device you need to change the MAC address used by one of the two SVIs (by default all the SVIs in a C6500 device use the same MAC address) (under SVI command).

c) the FWSM may need to block STP BPDUs to prevent the switch from realizing that two different Vlans are joined together.

d) routing between the different SVIs must point to each other; static routing or dynamic routing is possible.

The FWSM should be inserted on the path to the ISP; as the transparent FW has only two interfaces, the proxy server must be on the INSIDE side.

You may need PBR or WCCP to redirect traffic to the proxy server, but you haven't provided enough details.

Hope to help

Giuseppe

Hi Giuseppe Larosa,

I need your valuable feedback to clear some of my concerns regarding the points you mentioned below related to my scenario.

a) you need to use different routing tables to avoid bypassing the FWSM. So internal interfaces or external interfaces must be associated with a VRF.

Yes, in my environment the outside interface of my 6513 is connected to an ASR 1002 interface, for which a VRF is defined in this manner:

interface GigabitEthernet0/0/2
 description "Connect to 6513"
 ip vrf forwarding ABC-PUB
 ip address 192.168.1.20 255.255.255.0
 ip access-group SPAM in
 ip access-group SPAM out
 load-interval 30
 negotiation auto

As you can see from the figure “6513 Initial running configuration without any FWSM”, the traffic flows in this manner to the Internet.

b) to permit communication between different SVIs of the same device you need to change the MAC address used by one of the two SVIs (by default all the SVIs in a C6500 device use the same MAC address) (under SVI command).

Giuseppe, my query is regarding the creation of two SVI interfaces in my case. Please look at the next figure, named “6513 with FWSM deployment Planning”, for the way I am trying to fit the FWSM into my current configuration. Here I have only one SVI interface, i.e. VLAN 170 IP 192.168.1.10, through which I think traffic will come to the inside interface and, through bridging, move to the outside interface of the FWSM. I will create a new VLAN, i.e. VLAN 120, and put the outside interface and Gi9/44 into it (Gi9/44 was previously in VLAN 170), but I am not clear on creating the SVI interface for VLAN 120.

So in this situation, will the traffic move to the ASR interface?

c) the FWSM may need to block STP BPDUs to prevent the switch from realizing that two different Vlans are joined together.

What configuration do we have to do on the FWSM to block STP BPDUs? This is not mentioned in the books.

d) routing between the different SVIs must point to each other; static routing or dynamic routing is possible.

How will this be possible in my case?

The FWSM should be inserted on the path to the ISP; as the transparent FW has only two interfaces, the proxy server must be on the INSIDE side.

# VLAN 170 IP (192.168.1.10) is set on the ISA external interface as its default gateway.

# We define a route map named NAT, match it with extended ACL 101, set the next-hop address (my ASR IP) for all traffic that matches ACL 101, and apply this PBR to my SVI interface VLAN 170.

!
route-map NAT permit 10
 match ip address 101
 set ip next-hop 192.168.1.20
!
interface Vlan170
 description "PUBLIC IP VLAN"
 ip address 192.168.1.10 255.255.255.0
 ip policy route-map NAT

Regards

Ambivert Skill

Hello Ambivert skill,

you and your colleagues have opened three different threads on the same issue.

I have answered two of them, wasting my time before realizing it was exactly the same scenario!

The third thread has been answered by somebody else.

However, I will try to provide some feedback on this thread.

a) in your case you have an L2 port to the ASR 1000 device that, before the introduction of the transparent FWSM, is associated with Vlan 170.

But is Vlan 170 in a different routing table than the subnet 192.168.2.0, or are you using PBR to divert traffic to the ISA server?

In any case, the way you would like to introduce the transparent FW looks correct.

b) in your case you don't need an SVI in the new Vlan 120; the L3 peers will be SVI 170 on the inside and the external ASR 1000 device interface out of gi9/44.

So you don't need to modify any source MAC address.

c) to be checked against a configuration used in the field.

I see the following on an FWSM used in transparent mode:

access-group BPDU in interface inside
access-group acl_inside in interface inside
access-group BPDU in interface outside
access-group acl_outside in interface outside

where acl_inside and acl_outside are L3 IP ACLs and the BPDU ACL has the following configuration:

access-list BPDU ethertype permit bpdu

Actually the ACL permits STP BPDUs, it does not block them; as I wrote, I had to check, and my memory failed in this case.

So actually it is the opposite: to be sure to build loop-free topologies, the STP is allowed to flow.

This does not apply to your scenario as you have a single box, in my case I had two C6500 boxes with each one having its own FWSM with a transparent FW context interconnecting two VRFs.

d)

you route between SVI vlan 170 and the ASR 1000 interface.

# VLAN 170 IP (192.168.1.10) is set on the ISA external interface as its default gateway.

This is fine.

e)

# We define a route map named NAT, match it with extended ACL 101, set the next-hop address (my ASR IP) for all traffic that matches ACL 101, and apply this PBR to my SVI interface VLAN 170.

The MAC address of the ASR 1000 will be learned via the transparent FWSM.

I would expect a default route pointing to the ASR 1000 address instead of this PBR rule, but it should also work with this setup.

I would put SVI Vlan 170 in a separate VRF from the interface that connects to the inside of the ISA.

In this way routing outbound to the Internet would just follow the default route in each routing table:

in the global routing table, a default route pointing to the ISA server; the ISA server will have a static route pointing to the C7513 that is in the upper part of your network diagram for all internal networks.

in VRF TOFW, a default route pointing to the ASR 1000 interface and a static route pointing to the NAT pools, using the external ISA server IP address as next hop.

In this scenario you may need to disable ICMP redirects.

By using a VRF on the 6513 you can avoid using PBR rules.

Final note: if your C6513 has a Sup720 supervisor you should consider implementing NAT directly on it without using the external ISA server, but I understand there may be other, even non-technical, reasons for this scenario (the ISA server may be administered by a different working group than yours that wants to keep control of Internet access).

Hope to help

Giuseppe
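Putting points b), c) and e) above together, here is what the VRF-based design Giuseppe describes could look like as configuration. This is an added illustration, not configuration posted in this thread or taken from any of the participants' devices. The VLAN numbers 120 and 170, the addresses 192.168.1.10 and 192.168.1.20, the VRF name TOFW and the BPDU ethertype ACL come from the thread; the FWSM slot number (3), the ISA inside subnet and address (192.168.2.0/24, 192.168.2.2), the ISA external address (192.168.1.30) and the NAT pool (203.0.113.0/24) are assumed values chosen only to make the example complete, and the FWSM management address and the L3 ACLs acl_inside/acl_outside are left out.

```cisco
! ===== Catalyst 6513 supervisor =====
!
! Hand both bridged VLANs to the FWSM. Slot 3 is an ASSUMED slot number;
! the thread never says which slot holds the FWSM.
firewall vlan-group 1 120,170
firewall module 3 vlan-group 1
!
ip vrf TOFW
!
! Vlan 120: outside side of the transparent bridge, facing the ASR 1000.
! No SVI is created for it (point b): the L3 peers are SVI 170 and the ASR.
vlan 120
!
interface GigabitEthernet9/44
 description to ASR 1002 Gi0/0/2
 switchport
 switchport access vlan 120
!
! Vlan 170: inside side of the bridge. The SVI moves into VRF TOFW so the
! global table has no direct path to the ASR and the FWSM cannot be bypassed.
! ICMP redirects are disabled because the ISA external interface and the
! ASR sit on the same subnet and would otherwise be told to talk directly.
interface Vlan170
 description PUBLIC IP VLAN
 ip vrf forwarding TOFW
 ip address 192.168.1.10 255.255.255.0
 no ip redirects
!
! SVI towards the ISA inside interface stays in the global table.
! Vlan 20 and 192.168.2.0/24 are ASSUMED values.
interface Vlan20
 description to ISA internal interface
 ip address 192.168.2.1 255.255.255.0
!
! Global table: all outbound traffic goes to the ISA server (192.168.2.2 ASSUMED).
ip route 0.0.0.0 0.0.0.0 192.168.2.2
!
! VRF TOFW: default route to the ASR (its MAC is learned through the FWSM),
! plus a return route for the NAT pool via the ISA external address.
! 203.0.113.0/24 and 192.168.1.30 are ASSUMED values.
ip route vrf TOFW 0.0.0.0 0.0.0.0 192.168.1.20
ip route vrf TOFW 203.0.113.0 255.255.255.0 192.168.1.30
!
! ===== FWSM transparent context =====
!
firewall transparent
!
interface Vlan170
 nameif inside
 security-level 100
!
interface Vlan120
 nameif outside
 security-level 0
!
! Point c) as corrected above: the ethertype ACL lets STP BPDUs cross the
! bridge so the switch can still build a loop-free topology.
access-list BPDU ethertype permit bpdu
access-group BPDU in interface inside
access-group BPDU in interface outside
```

With this layout the PBR route-map on Vlan170 from the earlier post is no longer needed: outbound packets arriving from the ISA external interface land in VRF TOFW and simply follow its default route to 192.168.1.20, while the global table never sees the ASR at all.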

THANKS a lot Giuseppe for this wonderful explanation and for pointing out the exact issues I had doubts about. Hats off to you, and my sincere apologies for posting multiple threads. Actually, due to certain limitations, like not being able to test this in any kind of simulated environment, I need a foolproof method to deploy it in the production environment, and some of these major points are not very well elaborated in the books for this technology.

Thanks again for your cooperation and support.

Regards

Ambivert Skill

Giuseppe, the FWSM is successfully deployed in my scenario, thanks to the valuable guidance you gave me.

I have made one major modification that I want to discuss with you: when I put the outside interface of the FWSM and the Gi 9/44 interface into VLAN 120 (as Gi 9/44 was previously in VLAN 164), this configuration does not work, but when I put this interface back into VLAN 164 the traffic starts to go to and come from the Internet successfully, while the outside interface of the FWSM is still in VLAN 120. This is not very clear to me; can you please explain the reason behind this?

Regards

Ambivert Skill
