Solved

FWSM Configuration w/HSRP

Posted on 2007-03-20
2,815 Views
Last Modified: 2011-09-20
Hi there....

I have a pair of 6509 switches running native IOS.  On one of the VLANs (VLAN 11 in this case) I have a series of Linux servers with (today) a simple access-list in place to stop some SSH activity towards them.  In each of the switches I have a FWSM that isn't in production yet.  For obvious reasons I'd like to bring the FWSM into production for this VLAN and a few others.

I'm confused on how to pass traffic through the FWSM in transparent mode.  I chose transparent mode as I considered it best for the application as I understand it....  I have worked on some PIX boxes in the past so once I can figure out how to pass all traffic in a VLAN through the FWSM I think I can take it from there...

At this point I believe I have the FWSM modules up and running and configured for "intra-chassis" redundancy.  On a side note, VLAN 11 is also running HSRP today as well, which raises another question: if for some reason HSRP has to "kick over" to the other switch, then which firewall blade is active in this scenario?  I'm a little confused, when you mix HSRP with a pair of FWSMs in redundant mode, about where the traffic really goes and how you ensure it stays firewalled.

My first step would be to get VLAN11's traffic going through the firewall modules with HSRP intact... from there I think I can figure the rest out.

Configs:

dis1-rtr-mb

interface GigabitEthernet9/3
 description Trunk to dis2-rtr-mb
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,13,46,66
 switchport mode trunk
 no ip address

interface Vlan11
 description Linux Servers
 ip address xxx.xxx.111.2 255.255.255.224 secondary
 ip address xxx.xxx.96.2 255.255.255.0
 ip access-group 191 out
 no ip redirects
 standby 1 ip xxx.xxx.96.1
 standby 1 ip xxx.xxx.111.1 secondary
 standby 1 priority 200
 standby 1 authentication secrethere

firewall multiple-vlan-interfaces
firewall module 8 vlan-group 1
firewall vlan-group 1  66

fwsm - dis1-rtr-mb

FWSM Version 2.3(2)
firewall transparent
enable password xxxxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxxxxxxxxx
hostname FWSM
domain-name nexicom.net
ftp mode passive
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
pager lines 24
logging timestamp
logging buffer-size 4096
logging console debugging
logging buffered debugging
failover
failover lan unit primary
failover lan interface FWSM vlan 66
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
failover link FWSM vlan 66
failover interface ip FWSM 172.16.145.1 255.255.255.0 standby 172.16.145.2
no pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
floodguard enable
sysopt nodnsalias inbound
sysopt nodnsalias outbound
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:cdf27c6a9b362fd3498bfae85e2059cd


dis2-rtr-mb

interface GigabitEthernet9/2
 description Trunk to dis1-rtr-mb
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,13,46,66
 switchport mode trunk
 no ip address

interface Vlan11
 description Linux Servers
 ip address xxx.xxx.111.3 255.255.255.224 secondary
 ip address xxx.xxx.96.3 255.255.255.0
 ip access-group 191 out
 no ip redirects
 standby 1 ip xxx.xxx.96.1
 standby 1 ip xxx.xxx.111.1 secondary
 standby 1 authentication secrethere

firewall multiple-vlan-interfaces
firewall module 8 vlan-group 1
firewall vlan-group 1  66

dis2-rtr-mb FWSM

FWSM Version 2.3(2)
firewall transparent
enable password xxxxxxxxxxxxxxxxxxxxxx
passwd xxxxxxxxxxxxxxxxxxxxxxxxx
hostname FWSM
domain-name nexicom.net
ftp mode passive
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
pager lines 24
logging timestamp
logging buffer-size 4096
logging console debugging
logging buffered debugging
failover
failover lan unit secondary
failover lan interface FWSM vlan 66
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
failover link FWSM vlan 66
failover interface ip FWSM 172.16.145.1 255.255.255.0 standby 172.16.145.2
no pdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
floodguard enable
sysopt nodnsalias inbound
sysopt nodnsalias outbound
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:7608b8e2a7f7f235310d91495db35809



Thanks in advance for your help.... :)
Question by:kpmas
2 Comments

Accepted Solution
by: lpse2000 (earned 500 total points)
ID: 18757469
It's probably best you not use transparent mode.

What you want to do is create 2 VLANs: one for the outside of the FWSM and one for the Linux servers (this one you already have), but you want the IP addressing on the FWSM for that Linux VLAN. Then you'll just have to add an outside VLAN and the Linux VLAN to the firewall vlan-group, and route for the Linux subnet via the FWSM. Then create the interfaces for those VLANs on the FWSM and make your ACLs as normal.

list of steps:
  no out that interface on the MSFC (but keep the VLAN)
  on the MSFC create an outside VLAN for the FWSM and assign an IP to it
  add VLAN 11 to the firewall vlan-group
  on the FWSM, create the interfaces
    nameif vlan 5 outside
    nameif vlan 11 linux
  also on the FWSM assign appropriate IP addressing to VLAN 5 and VLAN 11
  on the MSFC, create a static route for the linux VLAN via the FWSM IP on the outside VLAN (dynamic routing will work as well)

  and create the ACLs as you need.
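A worked routed-mode configuration that follows the steps in the accepted answer. This is an added example, not configuration from the question or the answer, and it uses placeholder addressing: 198.51.100.0/24 for the new outside VLAN 5, 192.0.2.0/24 standing in for the masked xxx.xxx.96.0/24 Linux subnet on VLAN 11, and an invented management host 203.0.113.5 standing in for whatever access-list 191 permits today. The syntax is the FWSM 2.x (PIX 6.3-style) CLI that the posted configs use; FWSM 3.x moves interface settings into an `interface vlanN` submode instead. Lines starting with `!` are annotations, not commands to paste.

```cisco
! ---- MSFC on dis1-rtr-mb. dis2-rtr-mb is the same apart from its own
! ---- addresses (.3 instead of .2) and an HSRP priority below 200.

! The new outside VLAN has to cross the inter-chassis trunk, or HSRP on
! VLAN 5 will never see its peer. VLAN 11 and failover VLAN 66 already do.
interface GigabitEthernet9/3
 switchport trunk allowed vlan add 5

! Every VLAN the FWSM will have an interface on goes in its vlan-group.
firewall module 8 vlan-group 1
firewall vlan-group 1 5,11,66

! Outside VLAN: the only SVI the MSFC keeps on a firewall VLAN. HSRP keeps
! the FWSM's default gateway (.1) answering whichever chassis is active.
interface Vlan5
 description Outside of FWSM
 ip address 198.51.100.2 255.255.255.0
 no ip redirects
 standby 1 ip 198.51.100.1
 standby 1 priority 200
 standby 1 preempt
 standby 1 authentication secrethere

! The MSFC must stop routing VLAN 11 itself: an SVI left here lets the
! servers reach the MSFC directly and bypass the FWSM. The layer-2 VLAN
! stays in the VLAN database; only the SVI (and its ACL 191) goes.
no interface Vlan11

! Point the Linux subnet at the FWSM's active outside address. Failover
! moves that address and its MAC to whichever FWSM is active, so this
! route never changes and does not care which MSFC is HSRP active.
ip route 192.0.2.0 255.255.255.0 198.51.100.10

! ---- FWSM 2.3(2) on dis1-rtr-mb (primary). The secondary unit gets
! ---- this by failover replication; only "failover lan unit" differs.
no firewall transparent
nameif vlan5 outside security0
nameif vlan11 linux security100

! Active/standby pairs: the active unit owns the first address.
! The servers keep .1 as their gateway, which used to be the HSRP VIP.
ip address outside 198.51.100.10 255.255.255.0 standby 198.51.100.11
ip address linux 192.0.2.1 255.255.255.0 standby 192.0.2.2
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

! Unlike a PIX, the FWSM passes nothing in either direction until an ACL
! permits it, so both interfaces need an access-group.
! Inbound to the servers: the replacement for MSFC access-list 191.
access-list outside_in permit tcp host 203.0.113.5 192.0.2.0 255.255.255.0 eq 22
access-list outside_in permit tcp any 192.0.2.0 255.255.255.0 eq 80
access-list outside_in deny ip any any
access-group outside_in in interface outside
! Outbound from the servers.
access-list linux_out permit ip 192.0.2.0 255.255.255.0 any
access-group linux_out in interface linux
```

Three checks before cutting over. Switching the FWSM from transparent to routed mode clears its running configuration, so the failover stanza on VLAN 66 from the posted configs has to be re-entered before the pair will resynchronise. The secondary subnet (xxx.xxx.111.0/27) on today's VLAN 11 cannot be carried as a secondary address on the FWSM, which has no such feature; it needs its own VLAN and `nameif`, or the servers on it need renumbering into the primary subnet. And with only VLAN 5 carrying an MSFC SVI, `firewall multiple-vlan-interfaces` is no longer needed: it is exactly the combination of that command and a forgotten SVI on a firewalled VLAN that lets traffic around the module. Separately, the posted FWSM configs still carry `snmp-server community public`; change that before the blades go into production.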

Author Comment
by: kpmas
ID: 18764020
Thanks for the reply...

I have some questions.. once I get one of these working I'm sure it'll be much easier..;)

For redundancy between the FWSMs, then nothing will really change, right?  I have a VLAN directly between the switches that's in the config today; because that IP space really is only between the two cards, then nothing changes when going to routed mode, right?

For the routing portion, does HSRP configuration then get applied to the interface on the FWSM instead of the VLAN interface on the MSFC card?  OR, is HSRP even required since both cards would be redundant anyways (through intra-chassis)?

Can I setup OSPF commands in FWSM? I can read up on it but haven't seen any support for dynamic routing protocols yet in FWSM.....

Thanks!
