Cisco Firewall :: 6513 / All Traffic Move Via FWSM (Transparent Mode)

Apr 18, 2013

As I am planning to deploy FWSM Module in 6513 chassis and need your valuable comments regarding the strategy that I create for this deployment.Initially (Without FWSM Deployment) all internal traffic moves in this manner.
 
7613(G9/5) --> 6513(G10/4) --> ISA (Internal Int.) [NATing] (ISA External Int.) -->
6513(G9/45){This is L2 port in VLAN 164} --> VLAN 164(SVI Int,IP:192.168.40.20) -->
(G9/44){This is L2 port in VLAN 164}--> ASR 1002 -->Router -->Internet.
 
As you can see from the Image that I am planning to deploy FWSM in transparent mode in between VLAN 164(SVI Int,IP:192.168.40.20) -[FWSM here]->(G9/44){This is L2 port in VLAN 120}By putting Inside interface of FWSM in VLAN 164 and create a new VLAN  on 6513 i.e VLAN 120 and put G9/44 in it.know will this configuration will work regarding the passing of traffic through FWSM ? what improvement I have to made in this design. You can check the attached diagram.

View 3 Replies


ADVERTISEMENT

Cisco Firewall :: Cat6509 / FWSM - Default Route Per Bridge Group In Transparent Mode

Nov 14, 2011

I want to set up FWSM 4.1 on Cat6509 with multiple bridge groups in one transparent context. (as the manual says it can support up to 8 bridge-groups and the intent is to save security contexts) For a host in VLAN21 (b1_inside) to talk to a host in VLAN41 (b2_inside), traffic needs to be go out to MSFC which routed back the traffic through the FWSM. My question is how can I define a default route per bridge-group, I would assume FWSM should take the following two default routes per bridge-group interface but it won't;  

route b1_outside 0.0.0.0 0.0.0.0 10.11.75.1 1
route b2_outside 0.0.0.0 0.0.0.0 10.11.76.1 1
 
seems like it allows only one default route per the context and gives me an error - "ERROR: Cannot add route entry, possible conflict with existing route"
 
How can I achieve outside per individual bridge-group?
 
 FWSM  context config:
 
Interface VLAN11
nameif b1_outside
bridge-group 1
security-level 0
!
Interface VLAN21
nameif b1_inside

[code]...

View 2 Replies View Related

Cisco Firewall :: ASA 5505 In Transparent Mode Traffic?

Oct 23, 2011

I've  setup my Cisco ASA 5505 in transparent mode. I have a Cisco 1841  connecting to the ISP (DHCP client) and F0/0 for inside. The 1841 is the  DHCP server.  I have my ASA 5505 behind the 1841 in transparent mode  (Vlan 1 for Outside and Vlan 1 for inside). The router config is  good as when you connect a computer straight to the inside interface I  get DHCP and can go to internet, no problems what so ever. But When  you're trying to go through ASA isn't not working.  if I add a ip any any statement to the access list it will work but  having an "ip any any" in a access list is like having no firewall at  all.

ciscoasa(config)# sh run
: Saved
:
ASA Version 8.2(4)
!
firewall transparent
hostname ciscoasa
enable password zmQ6OnxvsOOEDNAy encrypted

[code]....

View 4 Replies View Related

Cisco WAN :: 7613 - Traffic Move From Msfc To Fwsm?

Apr 4, 2013

I am planning to deploye the fwsm with all this complexity, will this type of senario work or not means traffic will move from msfc to the core.. Is this right to create another svi int2 on msfc to move traffic from msfc to core-switch.
 
G0/1(cisco7613) Vlan10----Vlan10(inside)FWSM-(outside)vlan20---Vlan20(inside)(svi-int1)MSFC(outside)(svi-int2)Vlan30---Vlan 30G0/2(Core-Switch)-----internet--->

View 5 Replies View Related

Cisco Firewall :: 5505 Transparent Mode Doesn't Pass Traffic

Dec 4, 2012

  asa 5505 do not pass traffic as a patch cord, how to make it pass traffic? [code]

View 2 Replies View Related

Cisco Firewall :: ASA5510 Single Mode / Move To Multi Context Mode

Sep 16, 2012

I got an ASA 5510 system currently in single context mode, with CSC SSM installed. Single ISP uplink to internet, no VPN. And now customer would like add another ISP uplink, without invest another box for HA.What come across my mind is make the current box into multi context. There's some area i need to concern and also need yours perspective on it.
 
Question 1: For making the firewall into multi context, am i need to do it from scratch, issue mode multiple command. Then rebuilt the current production config into one of the context, then another context meant for the new IPS uplink, and one admin context?
 
Question 2: For CSC -SSM licensing requirement, model ASA 5510 with security plus license is able to support 2 context. So if i split my firewall like what i mention in question, what exactly number of context do i own (admin, context A, context B)?
 
Question 3: For CSC-SSM module in multi context mode, so the management port of CSC SSM must attach at admin context?
 
Question 4: After configured all the policy and traffic to scan, how exactly i should do in order apply this policy to the interface?  Should i only enable at admin context, then firewall service-policy rules, and apply it global, OR should i also do the same action on context A and Context B?

View 3 Replies View Related

Cisco Firewall :: Moving IDSM-2 And FWSM From 7613 To 6513?

Feb 5, 2013

I need your opinion regarding moving of IDSM -2 and FWSM Module from 7613 to 6513 chassis.Currently these two modules are in 7613 and we are not using either of them now we have to configure them in 6513 chassis. As you can see from the figure that traffic of all 3 core router i.e 7613 go to 6513 - to proxy ISA 2004 - 6513 - to Internet.
 
There are also some network attached with 6513 and we want to move both of modules to 6513 so that NetworkA/B/C/D/E which are attached to 6513 can also be configured for FWSM and IDSM -2.
 
I have a query regarding this migration:Do we need license for these two modules again for 6513 chassis?

View 2 Replies View Related

Cisco Firewall :: Cannot Access FWSM Via Session Command In 6513 (VSS Enabled)

Apr 24, 2012

Today i received FWSM from cisco (RMA), I need to configure it as standby unit for existing FWSM active/standby setup.
 
IOS on RMAed FWSM is 2.3.4 and  cisco VSS supports FWSM IOS 4.0.4 and later.My issue is, I cannot access FWSM (IOS 2.3.4) via session command from cisco 6513 but could successfully consoled it without any problem. I have reloaded it twice and also tried to disable and enable power on it.
 
VSS#sh module switch 2
 Switch Number:     2   Role:  Virtual Switch Standby
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
   2    6  Firewall Module                        WS-SVC-FWM-1  -----------

[code]....

why I cannot access FWSM through session command ?Whether this is because of older IOS ? If yes then how to upgrade its IOS ?Is it possible to upgrade IOS via FWSM console ? if yes, Do i need to test on different slot ? 

View 2 Replies View Related

Cisco Firewall :: 6513 FWSM Coming Up Without Full Config After A Reboot

Oct 29, 2012

We have a customer who has 4 x 'WS-SVC-FWM-1' modules installed within 2 x 6513 chassis. The FWSMs are all running version 3.1(16) with failover group 1 and 2 enabled.After a few recent planned and un-planned power outages the FWSMs have come up without a full configuration. Is this a common fault? If so it there any kind of workaround that can be implemented?

View 5 Replies View Related

Cisco Firewall :: 6513 Switch - Multicast Inside A Single VLAN In FWSM

Dec 6, 2009

I am trying to make the multicast working between few hosts inside a single vlan. Host are running mysql cluster and Multicast is used to send master/slave status  information to the IP 228.10.10.10 on port 45566.The vlan is  defined in FWSM and the host are connected via the core-switch(6513). (hosts-->core-sws--->fwsm)I have tried searching the documentation, but couldn't find specific info to enable multicast between hosts residing in same vlan. FWSM is running code 3.1(4). since the hosts are residing in the same vlan, I am thinking of applying the <multicast-routing> just for that SVI in FWSM.

View 6 Replies View Related

Cisco Firewall :: 6513 - FWSM Multiple Security Zones On Single Context

Nov 7, 2012

My corporate internal network is currently fire walled by an FWSM module on a 6513 switch.  We have each security zone (we have eight) assigned to a FWSM context and have ACLs set up between the contexts and the enterprise LAN/WAN.  Is it possible to support fire walling between these zones within a single security context?  The reason I am asking is that we would like to purchase a second FWSM for use as a standby, but do not want to cough up the ~ $12K for the context license.  We will ultimately be transitioning to ASAs for internal security, so do not want to spend more than we need to.

View 3 Replies View Related

Cisco Firewall :: ASA 5510 - Can't Move Traffic From DMZ To Outside Interface

Jan 16, 2012

I can't move traffic (isakmp udp_port: 500 & ipsec nat traverse udp_port: 4500) from my dmz to the  outside interface

View 1 Replies View Related

Cisco Firewall :: ASA Firewall Positioning In Transparent Mode Between 6509 Core Switch And WLC

Apr 26, 2011

I do have the below setup,,
 
1. I have 6509 switch
 
2. I have 2 WLC configured in Active/Active mode connected in Trunk mode (L2 Port-Channel) connected with 6509 switch
 
3. On switch side i have configured the port as Trunk
 
4. L3 SVI for wireless users are created in 6509 switch (attached the diagram).
 
I would like to introduce a Cisco ASA 5520 firewall with AIp-SSM module so that all wirelees traffic can be inspected.
 
The issue is: Without changing any configuration in the network (switch & WLC) is it possible to introduce the firewall?

View 2 Replies View Related

Cisco Firewall :: ASA5512-X - ASDM In Firewall Transparent Mode

Dec 3, 2012

I would like to configure an ASA5512-X in firewall transparent mode, but I am having trouble getting ASDM to lauch when I do.
 
I have created a BVI interface with an IP address, and I hve enabled the mangement interface, but ASDM does not lauch when I enter the IP adress of the BVI I created.
 
Apprently you need to use the bridge-group command to assign an interfce to a bridge group. When I enter this command at the (config-if) prompt for Management 0/0, this command is not recognized.
 
What are the general steps for configuring the management interface to be able to launch ASDM in transparent mode?

View 1 Replies View Related

Cisco Firewall :: 5512X IPS In Transparent Mode

Dec 19, 2012

I need to know if the 5512X IPS will work if the ASA is in transparent mode and/or any limitations.

View 5 Replies View Related

Cisco Firewall :: Is It Possible For 5505 ASA To Be In Transparent Mode

Feb 20, 2013

Is it possible for an 5505 ASA to be in transparent mode such as ethernet0/0 outside, ethernet 0/1 inside, and use ethernet 0/2 for syslog only on a seperate network other than the one that 0/0 and 0/1 is using.  The tranparent part being on a 192.168.168.X/24 and the syslog server being on say a 10.2.1.X/24 network?

View 1 Replies View Related

Cisco Firewall :: ASA 5505 - Transparent Mode

Sep 15, 2012

I just have 1 question. I am going to be getting U Verse installed at my house and have been having a hard time finding this in the documentation. The modem I am going to be getting is the 3800HGV-B. Over on the ATT forum users are stating that the modem needs every MAC of every potential IP. I thought about using it's DMZ Plus mode but I am getting a block of 8 IP's and it doesn't seem to play nice unless it see's 5 different MAC's. Right now I have my 5505 in routed mode so I don't believe it passes the MAC of the client's through. Will the ASA pass the MAC of the client's through to the modem with the appropriate ACL's applied?

View 2 Replies View Related

Cisco Firewall :: ASA5510 Firewall Transparent Mode

Sep 10, 2012

i have a ASA5510 in the office, that already configured 3 context, namely, admin, user, server.in the server context, the last running config was not saved, and there was a power trip last friday night. 1 of the sub interface was affected, and i need to recreate that interface.I am getting the below error, it only allow me to do changes those pre-defined interface.how to I create extra sub interface?

View 3 Replies View Related

Cisco Firewall :: ASA 5510 Firewall Is In Transparent Mode

Apr 10, 2013

We've in our company a Cisco Asa 5510 v8.4(3), Asdm 6.4(7) and a SSM-CSC-10-K9. The firewall is in transparent mode. I get an exchange 2003 SP2 server behind. When users trying to send mailing lists with many recipients (above 300), the Exchange server didn't send these mails. I'm pretty sure that this problem come from the ASA Firewall, because when I plug my server directly on my Internet Connection, the mailing list is sent. I've search on the web, and disable "ESMTP Inspection", but it didn't work. [code]

View 4 Replies View Related

Cisco WAN :: ASA5500 Transparent Multi Mode Firewall

Feb 4, 2012

Recently i have configured ASA5550 with 2 Contexts in Transparent mode. Traffic can pass through a single Firewall context but through both contexts it couldn't.

View 0 Replies View Related

Cisco Firewall :: ASA 5500 - Transparent And Routed Mode

Jun 26, 2012

have a Cisco ASA that I am trying to configure in a unique way, I want it to perform a variety of tasks;
 
VPN SSL
VPN Tunnels
Firewall Inside to Outside via versa
 
But the difficult task, is creating a DMZ with devices that are assigned fully routed IP addresses from our ISP directly, these are H323 and SIP devices that cannot use NAT, and must have a fully routed IP address assigned to them.
 
Obviously the problem I have with the Firewall in its default routed mode, is that it wont allow me to overlap IP addresses on the outside interface with the DMZ interface.
 
Could the Firewall be configured for Transparent mode between Outside and DMZ, but Routed mode between Outside and Inside?
 
Eth0/0: 10.0.0./24 (inside)
Eth0/1: 190.0.0.0/24 (dmz)
Eth0/2: 190.0.0.0/24 (outside)
 
[Code]....

But could the new Cisco ASA with the latest firmware and model be ale to do this with 1 physical firewall?

View 5 Replies View Related

Cisco Firewall :: Failover Transparent Mode ASA 5520?

Sep 19, 2012

Recently, I unable to configure the failover on bridge group in transparent mode . I have five interfaces .out of this only 3 is showing in the show run config . Whether I can config failover on on of the data interfaces.
 
I have the ASA 5520 with the version ASA Version 7.2(4) <context>

View 3 Replies View Related

Cisco Firewall :: ASA 5505 Transparent Mode Setup?

Dec 5, 2011

i need to configure a ASA 5505 in transparent mode.learned from Internet, my configuration is :

int e0/0 --- vlan 1---->nameif outside
int e0/4 --- vlan 2------> nameif inside
gloable ip is 172.17.104.10 255.255.255.0
 http server enable
http 172.17.104.0 255.255.255.0 inside
 
when i connect the outside interface to one PC with ip addr 172.17.104.194 my PC connect to inside interface with ip 172.17.104.249 cannot ping each other even when i set rules as permit any any on both direction

View 2 Replies View Related

Cisco Firewall :: ASA5505 Transparent Mode Not Working

Feb 19, 2013

I have a cisco ASA5505 configured in transparent mode. This evening we attempted to plug a couple of new servers in but they simply didnt work, despite our test server working absolutely fine. The server IP's are all in a network object group (the same as the test server) and they're all using the same ACLs etc. I'm relatively new to configuring cisco equipment.
 
the only thing I can think of is a static route I had to add to get the managemet IP to work might be causing problems.route outside 0.0.0.0 0.0.0.0 XX.XXX.132.1 1(IP addresses obfuscated- servers are all in the same range so assume XX.XXX is the same across all IP's).

View 7 Replies View Related

Cisco Firewall :: ASA5510 - LACP In Transparent Mode

Mar 3, 2013

I understand that in transparent mode an ASA5510 would only be able to have two interfaces, inside and outside. My question is could one of those logical interfaces be an LACP'd interface, made up of two physical interfaces. Topology below. I understand that the router and ASA5510 are SPOF here, so it is a bit of a moot point, but we're connecting already existing infrastructures together!
 
|-------–---|      |---------|        
| Switch 1  |------|         |        
|-----------|      | ASA5510 |         |----------|
     | |           | (transp |---------|  Router  |
|-------–---|      |  mode)  |         |----------|
| Switch 2  |------|         |        
|-----------|      |---------|        

View 4 Replies View Related

Cisco Firewall :: ASA 5510 - Can Transparent Mode Use / 30 And Still Work

Oct 9, 2012

I have a ASA 5510 that is connected to my ISP and the inside interface that is connected to my router.  I have a /30 and need to determine if the configuration of x.x.x.121/30 which is my ISP and also the BVI address on the ASA.  The inside router address is x.x.x.122/30 same subnet as my ISP will allow me to pass traffic.  Management interface works using a different ip address but not able to get the traffic to pass traffic out to the internet thru the ASA
 
ISP-------->ASA-------->Router 
 
Bottom Line is that I only have one usable address that is being used by the router and the ISP and ASA are using the other.  Will this work?

View 4 Replies View Related

Cisco Firewall :: ASA 8.4 Transparent Mode Creation Of Sub Interfaces

Jul 30, 2012

On the ASA running  the 8.4.4.1 code in transparent mode. Can I create sub interfaces in different vlans and attach them to different BVI groups?
 
switch---trunk---ASA---Trunk---switch
 
Gig0/1.1 vlan 100 bridge-gr1          Gig0/2.1 vlan 101 bridge-gr1
Gig0/1.2 vlan 200 bridge-gr2          Gig0/2.2 vlan 201 bridge-gr2

View 6 Replies View Related

Cisco Firewall :: Basic Config Transparent Mode ASA 5510

Apr 19, 2012

I m trying to set my friewall in my network. The network is very simple. I have my router in 192.168.16.1 255.255.255.0 (mac-address  58-98-35-2a-4c-39) I have my switch in 192.168.16.26 255.255.255.0 (mac-address 00-19-99-5d-1f-43) and i have my firewall ASA between the router and the switch in 192.168.16.250 255.255.255.0 (mac-address 64-9e-f3-ba-28-c9)
 
So i need to configure 3 interface in my ASA.
- OUTSIE e0/0(I call it INTERNET)
- INSIDE e0/1(I call it LAN)
- MANGEMENT m0/0(I call it MANAGEMENT)
 
[Code]....
 
But with this config when I plug the firewall, i dont have access to internet anymore.

View 7 Replies View Related

Cisco Firewall :: 5585 / Have Context In Transparent And Routed Mode?

Apr 24, 2012

Is it possible to have context in transperant mode and routed mode. Means if i need three context then 2 of them is in routed mode and one of them is in transperant mode. If yes then how, i can 't find this info in cisco website.?I am havin 5585-x and asa version 8.4?

View 8 Replies View Related

Cisco Firewall :: Configure ASA 5520 In Transparent Bridge Mode

Sep 20, 2012

I am new to cisco ASA. I need to configure ASA 5520 in transparent bridge mode. [code] I need to place the new asa firewall in transparent mode. How to configure the firewall in transparent bridgmode.

View 5 Replies View Related

Cisco Firewall :: ASA 5505 - Transparent Mode And Mac Address Table

Nov 28, 2011

I have an ASA 5505 in transparent mode. The device mac address table is always empty.

show mac-address-table and show mac-learn both come with empty response.

View 1 Replies View Related

Cisco Firewall :: ASA 5505 Transparent Mode And Management Access

Apr 26, 2012

I have a need to manage the 5505 outside of the 2 interfaces however I see it documented that Management access is only via the data path interface. This won't work for me because there will be NO management access on the data network being bridged through the firewall. Is there any option outside of going to routed mode or moving to the 5510?

View 1 Replies View Related

Cisco Firewall :: ASA 5585 Transparent Mode With Multiple Contexts

May 6, 2013

We are deploying the Cisco ASA 5585 in transparent mode with multiple contexts, the port-channel was configured to connect to the core switches using  dot1q trunk. We are experiencing an issue which is the core switches are configured loop guard globally, therefore the port-channel connected to the firewalls will be put into inconsistent state when the failover happen, and the two firewalls' failover can not fulfill the failover at last.
 
I have two queries below: 

1. Does the firewall allow the BPDU passing through when it is in standby mode, for example, secondary firewall is active for group 2 and standby for  group 1.  does the secondary firewall block the BPDU from the vlans under group1 ?   
2. Can we disable the loop guard feature on the switch port-channel or is there any other way to solve this issue ?

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved