troubleshooting Question

FWSM Configuration w/HSRP

Asked by kpmas (Canada) in Routers
2 Comments, 1 Solution, 2985 Views
Hi there....

I have a pair of 6509 switches running native IOS.  On one of the VLANs (vlan 11 in this case) I have a series of Linux servers with (today) a simple access-list in place to stop some SSH activity towards them.  In each of the switches I have a FWSM that isn't in production yet.  For obvious reasons I'd like to bring the FWSM into production for this VLAN and a few others.

I'm confused on how to pass traffic through the FWSM in transparent mode.  I chose transparent mode as I considered it best for the application as I understand it....  I have worked on some PIX boxes in the past so once I can figure out how to pass all traffic in a VLAN through the FWSM I think I can take it from there...

At this point I believe I have the FWSM modules up and running and configured for "intra-chassis" redundancy.  On a side note, VLAN11 is also running HSRP today as well, which raises another question - if for some reason HSRP has to "kick over" to the other switch, then which firewall blade is active in this scenario?  I'm a little confused, when you mix HSRP into a pair of FWSMs in redundant mode, where the traffic really goes and how you ensure it stays firewalled.

My first step would be to get VLAN11's traffic going through the firewall modules with HSRP intact... from there I think I can figure the rest out.

Configs:

dis1-rtr-mb

interface GigabitEthernet9/3
 description Trunk to dis2-rtr-mb
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,13,46,66
 switchport mode trunk
 no ip address

interface Vlan11
 description Linux Servers
 ip address xxx.xxx.111.2 255.255.255.224 secondary
 ip address xxx.xxx.96.2 255.255.255.0
 ip access-group 191 out
 no ip redirects
 standby 1 ip xxx.xxx.96.1
 standby 1 ip xxx.xxx.111.1 secondary
 standby 1 priority 200
 standby 1 authentication secrethere

firewall multiple-vlan-interfaces
firewall module 8 vlan-group 1
firewall vlan-group 1  66

fwsm - dis1-rtr-mb

FWSM Version 2.3(2)
firewall transparent
enable password xxxxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxxxxxxxxx
hostname FWSM
domain-name nexicom.net
ftp mode passive
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
pager lines 24
logging timestamp
logging buffer-size 4096
logging console debugging
logging buffered debugging
failover
failover lan unit primary
failover lan interface FWSM vlan 66
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
failover link FWSM vlan 66
failover interface ip FWSM 172.16.145.1 255.255.255.0 standby 172.16.145.2
no pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
floodguard enable
sysopt nodnsalias inbound
sysopt nodnsalias outbound
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:cdf27c6a9b362fd3498bfae85e2059cd


dis2-rtr-mb

interface GigabitEthernet9/2
 description Trunk to dis1-rtr-mb
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,13,46,66
 switchport mode trunk
 no ip address

interface Vlan11
 description Linux Servers
 ip address xxx.xxx.111.3 255.255.255.224 secondary
 ip address xxx.xxx.96.3 255.255.255.0
 ip access-group 191 out
 no ip redirects
 standby 1 ip xxx.xxx.96.1
 standby 1 ip xxx.xxx.111.1 secondary
 standby 1 authentication secrethere

firewall multiple-vlan-interfaces
firewall module 8 vlan-group 1
firewall vlan-group 1  66

dis2-rtr-mb FWSM

FWSM Version 2.3(2)
firewall transparent
enable password xxxxxxxxxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxxxxxxxxxx
hostname FWSM
domain-name nexicom.net
ftp mode passive
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
pager lines 24
logging timestamp
logging buffer-size 4096
logging console debugging
logging buffered debugging
failover
failover lan unit secondary
failover lan interface FWSM vlan 66
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
failover link FWSM vlan 66
failover interface ip FWSM 172.16.145.1 255.255.255.0 standby 172.16.145.2
no pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
floodguard enable
sysopt nodnsalias inbound
sysopt nodnsalias outbound
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:7608b8e2a7f7f235310d91495db35809
Thanks in advance for your help.... :)
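As an added sanity check (not part of the question or of the accepted answer): in both posted switch configs the only VLAN in the vlan-group bound to the slot-8 firewall module is 66, the failover VLAN, so VLAN 11 traffic never reaches the FWSM at all, whatever mode the module runs in. The script below parses an IOS config excerpt (constructed from dis1-rtr-mb with placeholder addresses) and reports HSRP VLANs that no FWSM-bound vlan-group carries; it handles comma lists and ranges in `firewall vlan-group` as well as the single-VLAN case on the page.

```python
import re

# Constructed excerpt of the dis1-rtr-mb config from the question, with placeholder
# addresses; the FWSM sits in slot 8 and only VLAN 66 (failover) is in its vlan-group.
DIS1_CFG = """\
interface Vlan11
 ip address 10.0.96.2 255.255.255.0
 standby 1 ip 10.0.96.1
 standby 1 priority 200
firewall multiple-vlan-interfaces
firewall module 8 vlan-group 1
firewall vlan-group 1  66
"""

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '11,13,46-48' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_switch_config(cfg):
    """Return (hsrp_vlans, fwsm_vlans): VLANs whose SVI runs HSRP, and VLANs
    extended to the firewall module through a vlan-group bound to it."""
    hsrp, groups, bound, current = set(), {}, set(), None
    for line in cfg.splitlines():
        m = re.match(r"interface Vlan(\d+)", line)
        if m:
            current = int(m.group(1))
            continue
        if line.startswith(" "):              # indented: inside an interface block
            if current is not None and line.strip().startswith("standby "):
                hsrp.add(current)
            continue
        current = None                        # unindented line ends the block
        m = re.match(r"firewall vlan-group (\d+)\s+(\S+)", line)
        if m:
            groups.setdefault(int(m.group(1)), set()).update(expand_vlan_list(m.group(2)))
        m = re.match(r"firewall module \d+ vlan-group (\S+)", line)
        if m:
            bound.update(int(g) for g in m.group(1).split(","))
    fwsm = set().union(*(groups.get(g, set()) for g in bound))
    return hsrp, fwsm

def unfirewalled_hsrp_vlans(cfg):
    """HSRP VLANs the FWSM can never see because no bound vlan-group carries them."""
    hsrp, fwsm = parse_switch_config(cfg)
    return sorted(hsrp - fwsm)
```

Running `unfirewalled_hsrp_vlans(DIS1_CFG)` on the posted config reports VLAN 11; re-run it after editing the vlan-group line to confirm the VLAN is now extended to the module.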
ASKER CERTIFIED SOLUTION
lpse2000

Commented: