C6513 with FWSM Question

jfraasch
Level 3

I have a bunch of VLANs configured on my 6513 FWSM. I wanted all my VLANs to be on there but just found out a requirement to run IRDP. Since IRDP can only be run on a router interface, I had to take this VLAN off the FWSM and put it on the MSFC.

How now do I connect to the servers on in the VLANS on the FWSM?

I have VLAN2 on both the MSFC and the FWSM and they can ping. But from the MSFC I cannot ping any of the other VLAN interfaces on the FWSM.

I put a static route on the MSFC to point to the VLAN2 interface on the FWSM for the subnet but to no avail.

I have attached the relevant show run output for the 6513 and the entire show run from the FWSM.

The goal is to allow vlan 150 on the MSFC to have access to all the vlans on the FWSM.

James

4 Replies

adamclarkuk_2
Level 4

Hi James

Just to cover some basics: as the FWSM is just a modular version of the ASA, have you checked the security levels on the interfaces, and if you have ACLs, have you checked that ICMP is allowed?

Could you dump as much of the FWSM config as possible so we can check it out as well.

The config for both 6513 and the FWSM (just scroll down a bit) are attached.

I hadn't changed the security level on the interfaces to match yet but will do that now.

My initial concern was just trying to ping the VLAN100 interface on the FWSM from the MSFC or from the user VLAN150 on the MSFC.

Giuseppe Larosa
Hall of Fame

Hello James,

>> I have VLAN2 on both the MSFC and the FWSM and they can ping. But from the MSFC I cannot ping any of the other VLAN interfaces on the FWSM.

This is correct, because it is a firewall.

On the MSFC you need specific static routes for all IP subnets on VLANs on other FWSM interfaces.

You then need the ACL applied to the outside interface (VLAN 2) to permit what you need.

Example: net 10.0.0.0/8 can access the web servers in 10.72.25.0:

access-list outside line 1 permit tcp 10.0.0.0 255.0.0.0 10.72.25.0 255.255.255.0 eq www

Most of the job on the FWSM then becomes opening connections to servers inside.

The same idea applies to the FWSM in multi-context mode, where it needs to be replicated in each context.

Edit:

To ping VLAN 100 you need to allow it on the access-list applied to the outside VLAN 2 interface.

Hope to help

Giuseppe
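As an added example (not from this thread, and not James's actual config), here is the combination Giuseppe describes, written out for the topology in the question with constructed addressing: VLAN 2 (10.72.2.0/24) shared between the MSFC and the FWSM outside interface, the web servers on 10.72.25.0/24 behind the FWSM on VLAN 100, and users on VLAN 150 (10.72.150.0/24) on the MSFC. FWSM 3.x (ASA-style) syntax and a single context are assumed.

```cisco
! ---- MSFC (constructed addresses; replace with your own) ----
interface Vlan2
 ip address 10.72.2.2 255.255.255.0
!
interface Vlan150
 ip address 10.72.150.1 255.255.255.0
 ip irdp
!
! One static route per subnet that lives behind the FWSM, next hop =
! the FWSM's vlan 2 (outside) address. The FWSM does not advertise
! these subnets, so the MSFC cannot learn them any other way.
ip route 10.72.25.0 255.255.255.0 10.72.2.1

! ---- FWSM (single context, FWSM 3.x syntax assumed) ----
interface vlan2
 nameif outside
 security-level 0
 ip address 10.72.2.1 255.255.255.0
!
interface vlan100
 nameif inside
 security-level 100
 ip address 10.72.25.1 255.255.255.0
!
! Return path toward the MSFC for anything not directly connected.
route outside 0.0.0.0 0.0.0.0 10.72.2.2 1
!
! Outside ACL: scope the permits to the user VLAN and the server VLAN
! instead of "ip any any". Permit ICMP echo so users can ping the servers.
! Note: this lets pings *through* the FWSM; it does not make the FWSM's
! own vlan 100 address answer pings from vlan 150. The FWSM only replies
! to ICMP aimed at an interface address on the interface it arrives on,
! so test against a server in vlan 100, not the FWSM's inside address.
access-list outside line 1 extended permit tcp 10.72.150.0 255.255.255.0 10.72.25.0 255.255.255.0 eq www
access-list outside line 2 extended permit icmp 10.72.150.0 255.255.255.0 10.72.25.0 255.255.255.0 echo
access-group outside in interface outside
!
! ICMP is not tracked statefully unless ICMP inspection is enabled, so the
! echo-reply coming back from the servers needs its own permit on inside.
access-list inside line 1 extended permit icmp 10.72.25.0 255.255.255.0 10.72.150.0 255.255.255.0 echo-reply
access-list inside line 2 extended permit tcp 10.72.25.0 255.255.255.0 10.72.150.0 255.255.255.0
access-group inside in interface inside
```

Add one `ip route` per additional FWSM subnet (VLAN 101, 102, ...) on the MSFC, and mirror the ACL entries in each context if the FWSM runs in multi-context mode.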

Giuseppe,

Thanks for the reply.

I do have the static route in place (pointed to the VLAN2 interface and that pings fine).

Also, I have an ip any any access list on the outside interface to allow any ip.
