I have 2 modules of FWSM in 6500 switch (failover). I need 5 context. When I use in routed mode (like in the picture) , I cannot ping the servers behind the firewall. (I have ping to FW context) In transparent mode, it is not happening.
View 1 Repliesi do have two 6500 in VSS mode , and one FWSM module on each 6500, i want to configure these modules as Active/Standby, how do i start , should i follow this (not in VSS mode): url..
View 1 Replies View RelatedI have a vlan defined in FWSM for server farm there is a one server with two IP addresses and teaming has done on it how ever from FWSM i am able to ping both IP addresses but from core 6509 switch i am only able to ping one ip address. from FWSM show ARP command displays the same virtual mac addresses against both IPS of the same server.
View 2 Replies View Related have a Cisco ASA that I am trying to configure in a unique way, I want it to perform a variety of tasks;
VPN SSL
VPN Tunnels
Firewall Inside to Outside via versa
But the difficult task, is creating a DMZ with devices that are assigned fully routed IP addresses from our ISP directly, these are H323 and SIP devices that cannot use NAT, and must have a fully routed IP address assigned to them.
Obviously the problem I have with the Firewall in its default routed mode, is that it wont allow me to overlap IP addresses on the outside interface with the DMZ interface.
Could the Firewall be configured for Transparent mode between Outside and DMZ, but Routed mode between Outside and Inside?
Eth0/0: 10.0.0./24 (inside)
Eth0/1: 190.0.0.0/24 (dmz)
Eth0/2: 190.0.0.0/24 (outside)
[Code]....
But could the new Cisco ASA with the latest firmware and model be ale to do this with 1 physical firewall?
We have 2 FWSM modules in each 6500 switches. 1st module is having 04 firewall vlan groups with 18 vlan interfaces in a single context firewall. All are working fine with no issues. Recently we create one more vlan on MFSC and add into the same firewall module. However newly created vlan inside the FW is not able to communicate with outside and also outside users not able to reach newly created subnet. But within the firewall zones (other interfaces) it can communicate. Once we did packet capture we noticed that its hitting firewall outside interface only and when we ping we got TTL expired error. we have default routes to outside and there's no any route inside as new segment is within the firewall (no any hop).
I guess there's no limitation on number of vlans that we can assign on one firewall eventhough there is a limitation for number of vlan-group which is 16 max (but we are within that limit).
We have a pair of 6500s with Sup720 running 12.2(33)SXI3. Each has an ACE-20 (s/w A2(2.0)) and FWSM (s/w v3.2(15)). We have reached a limit on the number of rules we can configure on the FWSM, and have determined that we shall upgrade to 4.1(5), with ASDM to 6.2(2)F. A question has been raised regarding the s/w on the ACE-20 modules. Do we need to upgrade them as well?
View 2 Replies View RelatedI have had a strange issue with a pair of FWSM's in 2 6500's, it seems there was a failover but both module's have been reset.
CAT1
Feb 03 17:08:46.525: %SNMP-5-MODULETRAP: Module 8 [Down] Trap Feb 03 17:08:46.522: SP: The PC in slot 8 is shutting down. Please wait ...Feb 03 17:09:01.525: SP: shutdown_pc_process:No response from module 8 Feb 03 17:09:11.382: %C6KPWR-SP-4-DISABLED: power to module in slot 8 set off (Reset) Feb 03 17:10:56.093: %DIAG-SP-6-RUN_MINIMUM: Module 8: Running Minimal Diagnostics...Feb 03 17:10:59.796: %SVCLC-5-FWVTPMODE: VTP
[Code]...
We run a 6500 with an FWSM with multiple security contexts as well as cascading contexts with a "shared V LAN" . There is a problem with regards to Linux machines and our shared network.
For example, we have three Linux machines in production, each in three separate V LAN's. For me to communicate to these boxes from one V LAN to another I must first ping the server. If I do not ping the server it will not bring up a connection like ssh or HTTP, etc. Below is the error I get from the FWSM that hosts the Linux server, but like I said once I ping the server the error goes away. We only have this problem with Linux machines, and it is a problem for all three of them. Is the FWSM having issues understanding something with all three Linux boxes? Below is the error I get at first, when I try to SSH from one V LAN to another V LAN with the Linux machine.
6 Dec 21 2012 16:33:54 106015 10.255.12.109 22 10.255.1.30 63000
Deny TCP (no connection) from 10.255.12.109/22 to 10.255.1.30/63000 flags SYN ACK on interface inside.
Below is what happens when I initiate a ping to the Linux Server and then ssh again. Notice it builds the connection with no problem after the ping. During the ping it builds the dynamic translation, and then when I ssh it builds the TCP connection. Do you know why this could be?
6 Dec 21 2012 16:35:08 305009 10.255.12.109 10.255.12.109
[Code]....
Is it possible to have context in transperant mode and routed mode. Means if i need three context then 2 of them is in routed mode and one of them is in transperant mode. If yes then how, i can 't find this info in cisco website.?I am havin 5585-x and asa version 8.4?
View 8 Replies View RelatedThere is a 6500 switch with fwsm. We have extended 2 vlans from the ISP into the FWSM. Also there are atleast 10 other vlans for our internal network. We would like say half of the internal vlans to go out of the 1st ISP vlan and the remaining half from the 2nd ISP vlan. Is there a way we can do this in the FWSM?
View 2 Replies View RelatedFirstly is this the right forum to post threads about FWSM's. We have 2 FWSM's in two seperate 6500 switches. There are a number of contexts on each FWSM.I want to fail a context from one FWSM over to the other 6500 and FWSM. Can you tell me how I can do that? Do I need to do it in the admin context and do I need to do it on the admin context of each 6500?
View 7 Replies View RelatedWe are thinking of introducing ASA's into our setup instead of using FWSM for our firewalls with our 6500. Currently we use multiple contexts with the FWSM, as we provide hosting services for multiple clients and want them behidn their own firewall. My question is how can we make this happen with an ASA. Since with the FWSM we use the backplane of the 6500 and SVI's for all interfaces between them. For example if we have 20 clients what will be the ideal setup for us to use with an ASA. If we can infact use mutiple contexts how can we? Is there a way we can maybe bundle all the ports in the ASA into the 6500 as a layer two trunk port and continue to use SVIs to manage all the clients.
View 3 Replies View RelatedI have just joined a networks team and will be working on two fwsm versions 4.0(8) in two 6500 routers. Now the fwsms seem to be virtualised with multiple contexts. The server team want a new context setup for a group of servers behind a vlan. [code]
This context just seems to have two Vlans and a BVI interface. What is the function of this context and why we have 2 admin contexts?
Also another important question is on which 6500 do I create the new context? Is the admin context active on one 6500 just like other contexts and will sync across or do I have to create the new context on both 6500s.
Is it possible for me to create 2 vlan interfaces on the 6500 and have them both in the same subnet?
For a specific customer requirement I would like to have a vlan interface on the 6500 as default gateway, sat in it's own vrf, and then route all traffic inbound and outbound to this vlan through the FWSM interface, preferably in the same subnet. I don't think this will be possible so just looking for confirmation either way.
As I will be running EIGRP between a pair of central 6500's and 2 remote offices it will make things much easier for me advertise the connected FWSM interfaces in to EIGRP for access in/out of all my VRF'd subnets. If I need another subnet for each VRF FWSM next hop then I'll have to reditribute a list of statics which I don't really want to do.
The reason I am not just using the FWSM as gateway is because I need to run HSRP across 3 different devices (another 6500 in a second suite), and failover FWSM will only give me 1 level of redundancy for those gateways.
I need to remove FWSM from a prodcution 6509. This FWSM is a standby. What's the best way to remove without powering down the switch or impacting antyhing?
View 3 Replies View RelatedI'm having problems getting FTP to work through two FWSM virtual contexts which are connected via a vrf. All this is configured on a 6500 switch with the FWSM running 3.1(4)
CLIENT-----CONTEXT_1-------VRF------CONTEXT_2--------FTP_SERVER
At the moment we can make the control connection but when we issue commands the connection times out.
Looking at the logs we can see the initial connection made to the server on port 21 from the client, this is also seen on the second firewall context (nearest the FTP server). The data channel is then seen on the first context, made using high src & dst port numbers and initiated from the client, successfully passing the ACL/Inspection, then on the second context we see the connection being denied by the incoming ACL on the second contexts interface connected to the VRF instance.
The rules are identical on the contexts and have been made by copying and paste the rule using CSM, we are using the predefined service group 'FTP-Group' which contains both tcp 20 & 21. FTP inspection is at default on both contexts.
We have tested with Win XP (capable of Active FTP only) & Firefox 3.6.12 which is the connections we are seeing in the logs trying to do Passive FTP.
Is this a problem with teh contexts randomizing sequence numbers or TCP Normalization? Or do we just have a problem with the Inspection engine on one of the contexts (I would have expected to see this on both contexts if it was a bug).
I am just designing a solution where a FWSM consists of 2 contexts initially and has a shared outside interface pointing to the 6500 switch. There are 3 subnets connected to each of the FWSM contexts. So if anyone wants to access these 6 subnets then a route would be needed pointing to the interface vlan of the shared interface on the switch. But that would not be enough to access the subnets.. I am sure we have to define static NATS to point them to the right context where these subnets reside.
The FWSM is running version 3.x code So say 1.1.1.0(shared), 10.10.0.0(inside1), 10.20.0.0(inside2) and 10.30.0.0(inside3) reside in Context 1 and 1.1.1.0(shared), 20.10.0.0(dmz1), 20.20.0.0(dmz2) and 20.30.0.0(dmz3) reside in Context 2 in each of the context we would have to make three static NATS
static(inside1,shared) 10.10.0.0 10.10.0.0 netmask 255.255.255.0
static(inside2,shared) 10.20.0.0 10.20.0.0 netmask 255.255.255.0
static(inside3,shared) 10.30.0.0 10.30.0.0 netmask 255.255.255.0
The same would go for context 2 as well
static(dmz1,shared) 20.10.0.0 20.10.0.0 netmask 255.255.255.0
static(dmz2,shared) 20.20.0.0 20.20.0.0 netmask 255.255.255.0
static(dmz3,shared) 20.30.0.0 20.30.0.0 netmask 255.255.255.0
By creating these NAT statements, would the outside users be able to access the subnets residing in the context?
I have a customer that has a FWSM on a 6500, I want to create a read only account for them, i believe user privelage of lvl_3 When I log into the firewall it prompts me for a password straight away.
Is there a way that i can create a login that when it prompts me for a password, I can have a password setup to put into that prompt to get a certain level of access, instead of the standard lvl_15 access
I'm looking at upgrading our FWSM modules in our 6500's. They're the WS-SVC-FWM-1 modules.
We're running on version 3.2(12) at the moment and I'm looking to jump up to 4. Any recommendations around whether I should to go to 4.1(6) or 4.0(16)? There aren't any features in particular that I would need in 4.1 but want a good stable base to sit on for 12 months until I look at this exercise all over again.
What the support for WCCP on a FWSM running 4.0(7) is like, if there is any at all ?
I've read that the earliest PIX release that supports WCCP was 7.2(1) but I'm not sure how FWSM 4.0(7) aligns with the PIX versions.The only doc's i can find refrencing WCCP on a 6500 with FWSM is in the 6500 12.2 IOS guide.
It is my understanding that the FWSM for the 6500 series switches uses a 6 port Etherchannel on the backplane to communicate with the 6500 series switch.Can you shutdown vlan1 on the switch and still communicate with the FWSM? I was under the impression that you could not (although I am looking at a config with it shutdown)
View 1 Replies View RelatedWe are running an FWSM on a 6509 with a SUP720. Firmware 3.2(18), in MultiContext Routed Mode, with shared MSFC.Everything runs fine on this baby most of them time, however occasionally without warning and with no specific pattern the Primary node will fail (as in completely stop responding) and the secondary will takover as active. Two get the primary up agian, I reset the hw-module and then no failover active on the secondary to return the primary as active. However, after this event, I start to experience strange issues with connectivity. Certain TCP src dst combinations will just not work.
View 1 Replies View RelatedI'm using ASDM 6.2 with a FWSM on a 6500.
At the moment everytime I want to make a change to firewall rules I click apply and the rules are applied Immediately. I have to make multiple changes during the working day which I don't like to do.
What I would like to do is make changes during the day but not apply them until out of hours (some sort of batch mode). Like I can do in my check point firewalls.
I have FWSM failover pair, Active/Active configuration, admin and another 4 context, few context active on first FWSM, other on second FWSM.I needed to add VLANs 51 and 52 to FWSMI created VLANs on both Cat6500, created firewall vlan-group 3 a and put "firewall module1 vlan-group 3" on both cat6500Then I log in in system space on primary FWSM and created interface VLAN.Created VLANs automatically occured in system space on Secondary FWSM.Then I wanted allocate VLAN 51 and 52 to context XY, so I went to part of configuration for context XY and "allocate-interface Vlan51" and "allocate-interface Vlan52".
View 1 Replies View Relatedtell me for the FWSM (blade on 6500 or 7600) the maximum number of virtual interfaces (VLANs)
View 14 Replies View RelatedAs I am planning to deploy FWSM Module in 6513 chassis and need your valuable comments regarding the strategy that I create for this deployment.Initially (Without FWSM Deployment) all internal traffic moves in this manner.
7613(G9/5) --> 6513(G10/4) --> ISA (Internal Int.) [NATing] (ISA External Int.) -->
6513(G9/45){This is L2 port in VLAN 164} --> VLAN 164(SVI Int,IP:192.168.40.20) -->
(G9/44){This is L2 port in VLAN 164}--> ASR 1002 -->Router -->Internet.
As you can see from the Image that I am planning to deploy FWSM in transparent mode in between VLAN 164(SVI Int,IP:192.168.40.20) -[FWSM here]->(G9/44){This is L2 port in VLAN 120}By putting Inside interface of FWSM in VLAN 164 and create a new VLAN on 6513 i.e VLAN 120 and put G9/44 in it.know will this configuration will work regarding the passing of traffic through FWSM ? what improvement I have to made in this design. You can check the attached diagram.
We have a 6509 that was connected to 2 other locations(location A and B) and our local lan (location MAIN). We wanted to move the location A and B to a 3750 switch and only allow the traffic that needed to access our location MAIN to come through the firewall. The only problem I ran into is that before location A and B were on different interfaces so in the 6509 firewall the routes for traffic to our MAIN location was done by static routes.
I.E.
static (MAIN_intf,A_intf) 192.1.1.72 10.94.10.72 netmask 255.255.255.255 0 0
static (MAIN_intf,B_intf) 192.2.2.72 10.94.10.72 netmask 255.255.255.255 0 0
[Code]....
because it has a static overlap, which makes sense to me, but my question is how do I configure the network to get this to work? Do I have to reconfigure my network and access-list? Do I need to add more ports between the 6509 and 3750? I'm not sure if this is the best way to do what we want. If something is not clear I'll try my best to explain the setup, but I just took over for our I.T. guy when he left.
I put 10.10.10.72 instead I should have put 10.94.10.72. the routed port is on a different subnet than the computer I'm trying to access.
I want to set up FWSM 4.1 on Cat6509 with multiple bridge groups in one transparent context. (as the manual says it can support up to 8 bridge-groups and the intent is to save security contexts) For a host in VLAN21 (b1_inside) to talk to a host in VLAN41 (b2_inside), traffic needs to be go out to MSFC which routed back the traffic through the FWSM. My question is how can I define a default route per bridge-group, I would assume FWSM should take the following two default routes per bridge-group interface but it won't;
route b1_outside 0.0.0.0 0.0.0.0 10.11.75.1 1
route b2_outside 0.0.0.0 0.0.0.0 10.11.76.1 1
seems like it allows only one default route per the context and gives me an error - "ERROR: Cannot add route entry, possible conflict with existing route"
How can I achieve outside per individual bridge-group?
FWSM context config:
Interface VLAN11
nameif b1_outside
bridge-group 1
security-level 0
!
Interface VLAN21
nameif b1_inside
[code]...
I am having two dc switches with FWSM modules installed. DC switch1 FWSM (Ver 3.2(12) is wokring as active and Secondary DC switch2 FWSM (ver 3.2.(12) is in standby mode.
From yesterday I am trying to login primary FWSM, It is accepting my username and credentials but prompting again for username please refer below
DXB-DC1>session slot 5 p 1The default escape character is Ctrl-^, then x.You can also type 'exit' at the remote prompt to end the sessionTrying 127.0.0.51 Open. [code]
Here is my Lab Setup: 2691 is BGP nei to R4 router and they are not directly connected. 2691 and R4 are in same AS 6500. 2691 Config---router ospf 1 network 3.3.3.3 0.0.0.0 area 0 . Its advertising its loop back IP to OSPF domain.
router bgp 6500
no synchronization
bgp log-neighbor-changes
neighbor 6.6.6.6 remote-as 6500
neighbor 6.6.6.6 update-source Loopback3
[code]...
R4 Router
router ospf 11
log-adjacency-changes
network 6.6.6.6 0.0.0.0 area 0
[ code].....
We can see that 2691 and R4 are BGP neis and 2691 has 200.1.x.x routes in its route table. My question is why from 2691 router i am unable to ping any route learned by BGP from R4?
2691Router# ping 50.1.1.0 Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 50.1.1.0, timeout is 2 seconds:.....Success rate is 0 percent (0/5)2691Router#ping 200.1.2.0 [ code]...
I am trying to setup ACE in bridge mode. Network topology is as follows:
1. ACE Gi 1/2 (client-side vlan) is connected to 3750 (vlan 40)
2. ACE Gi 1/3 (server-side vlan) is connected to 3750 (vlan 50)
3. Two real servers are connected to 3750 (vlan 50)
4. One client device (linux box) is connected to 3750 (vlan 40)
I am not using admin context. I have created a new one for user. I am unable to ping VIP (10.10.50.15) either from client linux box or from within ACE.
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe http PROBE_CGNMS_WEB
port 80
interval 15
passdetect interval 60
[code]....
I am having FWSM in active /standby mode deployed on two different cat 6k chassis. Unable to access the fwsm module from switch using ' session module mod_no processor 1 ", it throws error " % telnet connections not permitted from this terminal" Running Version 3.2.6 on fwsm, Cat 6k is running 12.2.33.SXH1,
switch#session slot 3 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
% telnet connections not permitted from this terminal
---------------------------------------------------------------------------
have allowed telnet on line vty, configuration on Line vty is simple allowing all transport protocols
line vty 0 4
exec-timeout 5 0
transport input all
transport output all
line vty 5 15
exec-timeout 5 0
transport input all
transport output all
I have 2 modules of FWSM in 6500 switch (failover).I need 5 context.When I use in routed mode (like in the picture) , I cannot ping the servers behind the firewall. (I have ping to FW context),In transparent mode, it is not happening.what is the problem with routed mode?
View 1 Replies View Related