Solved

FWSM Configuration w/HSRP

Posted on 2007-03-20
Last Modified: 2011-09-20
Hi there....

I have a pair of 6509 switches running native IOS.  On one of the VLANs (vlan 11 in this case) I have a series of Linux servers with (today) a simple access-list in place to stop some SSH activity towards them.  In each of the switches I have a FWSM that isn't in production yet.  For obvious reasons I'd like to bring the FWSM into production for this VLAN and a few others.

I'm confused on how to pass traffic through the FWSM in transparent mode.  I chose transparent mode as I considered it best for the application as I understand it....  I have worked on some PIX boxes in the past so once I can figure out how to pass all traffic in a VLAN through the FWSM I think I can take it from there...

At this point I believe I have the FWSM modules up and running and configured for "intra-chassis" redundancy.  On a side note, VLAN11 is also running HSRP today as well which raises another question - if for some reason HSRP has to "kick over" to the other switch then which firewall blade is active in this scenario?  I'm a little confused when you mix HSRP into a pair of FWSMs in redundant mode where the traffic really goes and how you ensure it stays firewalled.

My first step would be to get VLAN11's traffic going through the firewall modules with HSRP intact... from there I think I can figure the rest out.

Configs:

dis1-rtr-mb

interface GigabitEthernet9/3
 description Trunk to dis2-rtr-mb
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,13,46,66
 switchport mode trunk
 no ip address

interface Vlan11
 description Linux Servers
 ip address xxx.xxx.111.2 255.255.255.224 secondary
 ip address xxx.xxx.96.2 255.255.255.0
 ip access-group 191 out
 no ip redirects
 standby 1 ip xxx.xxx.96.1
 standby 1 ip xxx.xxx.111.1 secondary
 standby 1 priority 200
 standby 1 authentication secrethere

firewall multiple-vlan-interfaces
firewall module 8 vlan-group 1
firewall vlan-group 1  66

fwsm - dis1-rtr-mb

FWSM Version 2.3(2)
firewall transparent
enable password xxxxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxxxxxxxxx
hostname FWSM
domain-name nexicom.net
ftp mode passive
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
pager lines 24
logging timestamp
logging buffer-size 4096
logging console debugging
logging buffered debugging
failover
failover lan unit primary
failover lan interface FWSM vlan 66
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
failover link FWSM vlan 66
failover interface ip FWSM 172.16.145.1 255.255.255.0 standby 172.16.145.2
no pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
floodguard enable
sysopt nodnsalias inbound
sysopt nodnsalias outbound
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:cdf27c6a9b362fd3498bfae85e2059cd


dis2-rtr-mb

interface GigabitEthernet9/2
 description Trunk to dis1-rtr-mb
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,13,46,66
 switchport mode trunk
 no ip address

interface Vlan11
 description Linux Servers
 ip address xxx.xxx.111.3 255.255.255.224 secondary
 ip address xxx.xxx.96.3 255.255.255.0
 ip access-group 191 out
 no ip redirects
 standby 1 ip xxx.xxx.96.1
 standby 1 ip xxx.xxx.111.1 secondary
 standby 1 authentication secrethere

firewall multiple-vlan-interfaces
firewall module 8 vlan-group 1
firewall vlan-group 1  66

dis2-rtr-mb FWSM

FWSM Version 2.3(2)
firewall transparent
enable password xxxxxxxxxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxxxxxxxxxx
hostname FWSM
domain-name nexicom.net
ftp mode passive
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
pager lines 24
logging timestamp
logging buffer-size 4096
logging console debugging
logging buffered debugging
failover
failover lan unit secondary
failover lan interface FWSM vlan 66
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
failover link FWSM vlan 66
failover interface ip FWSM 172.16.145.1 255.255.255.0 standby 172.16.145.2
no pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
floodguard enable
sysopt nodnsalias inbound
sysopt nodnsalias outbound
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:7608b8e2a7f7f235310d91495db35809



Thanks in advance for your help.... :)
Question by:kpmas
2 Comments
LVL 2

Accepted Solution

by:
lpse2000 earned 500 total points
ID: 18757469
It's probably best you not use transparent mode.

What you want to do, is create 2 VLANs. One for the outside of the FWSM and one for the Linux servers (this one you already have) but you want the IP addressing on the FWSM for that Linux VLAN. Then you'll just have to add an outside VLAN and the Linux VLAN to the firewall vlan-group, route for the Linux subnet via the FWSM. Then create the interfaces for those VLANs on the FWSM and make your ACLs as normal.

list of steps:
  no out that interface on the MSFC (but keep the VLAN)
  on the MSFC create an outside VLAN for the FWSM and assign an IP to it
  add VLAN 11 to the firewall vlan-group
  on the FWSM, create the interfaces
    nameif vlan 5 outside
    nameif vlan 11 linux
  also on the FWSM assign appropriate IP addressing to VLAN 5 and VLAN 11
  on the MSFC, create a static route for the linux VLAN via the FWSM IP on the outside VLAN (dynamic routing will work as well)

  and create the ACLs as you need.
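The steps above worked out as a config fragment for the primary chassis (added here as an example; it is not kpmas's or lpse2000's configuration and was not tested on their switches). Assumptions: VLAN 5 as the outside VLAN, the 10.0.5.0/24 and 192.0.2.0/24 addresses and the ACL names are placeholders chosen for the example, the FWSM lines use the 2.x (PIX 6-style) syntax matching the posted 2.3(2) configs, and "no out that interface" is read as taking the IP off the Vlan11 SVI.

```cisco
! --- dis1-rtr-mb (MSFC); mirror on dis2-rtr-mb with its own addresses and a lower HSRP priority ---
! Hand the new outside VLAN and the Linux VLAN to the module; VLAN 66 stays the failover link
firewall vlan-group 1  5,11,66
!
! VLAN 5 must also cross the inter-switch trunk so the two MSFCs see each other's HSRP hellos
interface GigabitEthernet9/3
 switchport trunk allowed vlan add 5
!
! The MSFC no longer owns the gateway for the Linux subnet: drop the IP (and access-group 191),
! but VLAN 11 itself stays in the VLAN database so the trunk and server ports still carry it
interface Vlan11
 no ip address
 shutdown
!
! Outside VLAN, MSFC side of the firewall. HSRP lives here now; the FWSM's default route points
! at the VIP, so an HSRP switchover between the chassis changes nothing on the module
interface Vlan5
 description Outside of FWSM
 ip address 10.0.5.11 255.255.255.0
 standby 1 ip 10.0.5.1
 standby 1 priority 200
 standby 1 authentication secrethere
!
! Reach the Linux subnet through the firewall. 10.0.5.2 is the FWSM's primary outside address:
! whichever module is active holds it (the standby uses 10.0.5.3), so both MSFCs get this same route
ip route 192.0.2.0 255.255.255.0 10.0.5.2
!
! --- FWSM (identical on primary and secondary; failover replicates the config) ---
! Switching modes wipes the running config, so do this first and rebuild the rest afterwards
no firewall transparent
nameif vlan5 outside security0
nameif vlan11 linux security100
ip address outside 10.0.5.2 255.255.255.0 standby 10.0.5.3
! Keep .1 as the servers' gateway (it was the HSRP VIP before), so nothing changes on the hosts
ip address linux 192.0.2.1 255.255.255.0 standby 192.0.2.2
route outside 0.0.0.0 0.0.0.0 10.0.5.1 1
!
! The FWSM has no implicit high-to-low permit, so both directions need an ACL.
! Inbound: permit what the servers publish; the implicit deny drops everything else, SSH included
access-list outside_in permit tcp any 192.0.2.0 255.255.255.0 eq www
access-group outside_in in interface outside
! Outbound from the servers
access-list linux_out permit ip 192.0.2.0 255.255.255.0 any
access-group linux_out in interface linux
```

The secondary /27 on the original Vlan11 has no equivalent on the FWSM, which takes one address per interface; that subnet needs its own VLAN and FWSM interface (or the servers renumbered) before it can move behind the module.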
LVL 2

Author Comment

by:kpmas
ID: 18764020
Thanks for the reply...

I have some questions.. once I get one of these working I'm sure it'll be much easier..;)

For redundancy between the FWSMs then nothing will really change right?  I have a VLAN directly between the switches that's in the config today - because that IP space really is only between the two cards then nothing changes when going to routed mode right?

For the routing portion, does HSRP configuration then get applied to the interface on the FWSM instead of the VLAN interface on the MSFC card?  OR, is HSRP even required since both cards would be redundant anyways (through intra-chassis)?

Can I set up OSPF commands in FWSM? I can read up on it but haven't seen any support for dynamic routing protocols yet in FWSM.....

Thanks!