kpmas (Canada) asked:
FWSM Configuration w/HSRP

Hi there....

I have a pair of 6509 switches running native IOS.  On one of the VLANs (VLAN 11 in this case) I have a series of Linux servers with (today) a simple access-list in place to stop some SSH activity towards them.  In each of the switches I have a FWSM that isn't in production yet.  For obvious reasons I'd like to bring the FWSM into production for this VLAN and a few others.

I'm confused about how to pass traffic through the FWSM in transparent mode.  I chose transparent mode as I considered it best for the application as I understand it....  I have worked on some PIX boxes in the past, so once I can figure out how to pass all traffic in a VLAN through the FWSM I think I can take it from there...

At this point I believe I have the FWSM modules up and running and configured for "intra-chassis" redundancy.  On a side note, VLAN 11 is also running HSRP today as well, which raises another question: if for some reason HSRP has to "kick over" to the other switch, then which firewall blade is active in this scenario?  I'm a little confused, when you mix HSRP into a pair of FWSMs in redundant mode, about where the traffic really goes and how you ensure it stays firewalled.

My first step would be to get VLAN 11's traffic going through the firewall modules with HSRP intact... from there I think I can figure the rest out.

Configs:

dis1-rtr-mb

interface GigabitEthernet9/3
 description Trunk to dis2-rtr-mb
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,13,46,66
 switchport mode trunk
 no ip address

interface Vlan11
 description Linux Servers
 ip address xxx.xxx.111.2 255.255.255.224 secondary
 ip address xxx.xxx.96.2 255.255.255.0
 ip access-group 191 out
 no ip redirects
 standby 1 ip xxx.xxx.96.1
 standby 1 ip xxx.xxx.111.1 secondary
 standby 1 priority 200
 standby 1 authentication secrethere

firewall multiple-vlan-interfaces
firewall module 8 vlan-group 1
firewall vlan-group 1  66

fwsm - dis1-rtr-mb

FWSM Version 2.3(2)
firewall transparent
enable password xxxxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxxxxxxxxx
hostname FWSM
domain-name nexicom.net
ftp mode passive
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
pager lines 24
logging timestamp
logging buffer-size 4096
logging console debugging
logging buffered debugging
failover
failover lan unit primary
failover lan interface FWSM vlan 66
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
failover link FWSM vlan 66
failover interface ip FWSM 172.16.145.1 255.255.255.0 standby 172.16.145.2
no pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
floodguard enable
sysopt nodnsalias inbound
sysopt nodnsalias outbound
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:cdf27c6a9b362fd3498bfae85e2059cd


dis2-rtr-mb

interface GigabitEthernet9/2
 description Trunk to dis1-rtr-mb
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,13,46,66
 switchport mode trunk
 no ip address

interface Vlan11
 description Linux Servers
 ip address xxx.xxx.111.3 255.255.255.224 secondary
 ip address xxx.xxx.96.3 255.255.255.0
 ip access-group 191 out
 no ip redirects
 standby 1 ip xxx.xxx.96.1
 standby 1 ip xxx.xxx.111.1 secondary
 standby 1 authentication secrethere

firewall multiple-vlan-interfaces
firewall module 8 vlan-group 1
firewall vlan-group 1  66

dis2-rtr-mb FWSM

FWSM Version 2.3(2)
firewall transparent
enable password xxxxxxxxxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxxxxxxxxxx
hostname FWSM
domain-name nexicom.net
ftp mode passive
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
pager lines 24
logging timestamp
logging buffer-size 4096
logging console debugging
logging buffered debugging
failover
failover lan unit secondary
failover lan interface FWSM vlan 66
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
failover link FWSM vlan 66
failover interface ip FWSM 172.16.145.1 255.255.255.0 standby 172.16.145.2
no pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
floodguard enable
sysopt nodnsalias inbound
sysopt nodnsalias outbound
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:7608b8e2a7f7f235310d91495db35809



Thanks in advance for your help.... :)
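As an added illustration of the transparent-mode design the question describes (this is not the asker's configuration and not the accepted solution, which is not shown on this page), the fragments below show how the two VLANs a transparent FWSM bridges relate to the existing HSRP setup. Everything not present in the configs above is an assumption: VLAN 211 as the new server-side VLAN, the management addresses .4/.5, the ACL names, the example server port, and the `standby` keyword on the management address (FWSM 2.3 transparent mode uses the PIX 6.x-style `nameif vlanN` syntax; check the `ip address ... standby` form against the 2.3 command reference). The content of access-list 191 is not on the page, so the SSH deny lines are only a placeholder for its stated intent. The design point is that the MSFC's Vlan11 SVI and its HSRP group stay on the outside VLAN, so HSRP hellos never cross the firewall, and whichever MSFC is HSRP-active hands traffic to whichever FWSM is failover-active over the inter-chassis trunk, which now carries both bridged VLANs.

```cisco
! --- MSFC, dis1-rtr-mb (dis2-rtr-mb is identical apart from its .3 addresses) ---
! Servers move from VLAN 11 to a new inside VLAN (211, assumed). The Vlan11 SVI,
! its HSRP group and the inter-chassis trunk are untouched apart from trunking 211.
vlan 211
 name Linux-Servers-inside
!
interface GigabitEthernet9/3
 switchport trunk allowed vlan 11,13,46,66,211
!
interface GigabitEthernet3/1
 description example Linux server port (port number assumed)
 switchport
 switchport access vlan 211
!
! Hand both bridged VLANs plus the failover VLAN to the blade in slot 8.
firewall multiple-vlan-interfaces
firewall module 8 vlan-group 1
firewall vlan-group 1  11,66,211
!
! The per-SVI ACL is no longer the enforcement point; the FWSM is.
interface Vlan11
 no ip access-group 191 out
! Do NOT create interface Vlan211: in transparent mode the FWSM must be the
! only thing joining the two VLANs, otherwise the MSFC bypasses the firewall.

! --- FWSM, primary unit (the secondary receives this via failover replication) ---
firewall transparent
! VLAN 11 (MSFC/HSRP side) is outside, VLAN 211 (servers) is inside.
nameif vlan11 outside security0
nameif vlan211 inside security100
! One management address for the bridge, in the server subnet, plus a standby
! address for the failover peer (.4/.5 are assumed to be unused).
ip address xxx.xxx.96.4 255.255.255.0 standby xxx.xxx.96.5
!
! Unlike a PIX, the FWSM does not pass higher-to-lower security traffic without
! an ACL, so both directions need one. Masks are netmasks, not wildcards.
! Placeholder for the intent of access-list 191: block SSH towards both server
! subnets, allow everything else.
access-list outside_in deny tcp any xxx.xxx.96.0 255.255.255.0 eq 22
access-list outside_in deny tcp any xxx.xxx.111.0 255.255.255.224 eq 22
access-list outside_in permit ip any any
access-group outside_in in interface outside
access-list inside_in permit ip any any
access-group inside_in in interface inside
```

With this layout the two redundancy mechanisms are independent: an HSRP failover only changes which MSFC sources traffic onto VLAN 11, and an FWSM failover only changes which blade bridges VLAN 11 to VLAN 211. The standby blade does not forward, so there is no path around the active firewall as long as no device other than the FWSM is a member of both VLANs.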
Asker certified solution by lpse2000 (members-only content, not shown).
kpmas (asker) replied:
Thanks for the reply...

I have some questions.. once I get one of these working I'm sure it'll be much easier.. ;)

For redundancy between the FWSMs, then, nothing will really change, right?  I have a VLAN directly between the switches that's in the config today; because that IP space really is only between the two cards, then nothing changes when going to routed mode, right?

For the routing portion, does the HSRP configuration then get applied to the interface on the FWSM instead of the VLAN interface on the MSFC card?  Or is HSRP even required, since both cards would be redundant anyway (through intra-chassis)?

Can I set up OSPF commands in the FWSM? I can read up on it, but I haven't seen any support for dynamic routing protocols yet in the FWSM.....

Thanks!