Cisco Firewall :: Moving IDSM-2 And FWSM From 7613 To 6513?
Feb 5, 2013
I need your opinion regarding moving the IDSM-2 and FWSM modules from a 7613 to a 6513 chassis. Currently these two modules are in the 7613 and we are not using either of them; now we have to configure them in the 6513 chassis. As you can see from the figure, the traffic of all 3 core routers, i.e. 7613, goes to 6513 - to proxy ISA 2004 - 6513 - to Internet.
There are also some networks attached to the 6513, and we want to move both modules to the 6513 so that NetworkA/B/C/D/E, which are attached to the 6513, can also be configured for FWSM and IDSM-2.
I have a query regarding this migration: Do we need licenses for these two modules again for the 6513 chassis?
We are looking forward to installing a Cisco 6513 with IDSM-2 in each chassis in VSS mode. Any experience with the configuration of the 6513? Also, let's assume I installed one active IDSM in each chassis with identical configuration... what happens when one of them fails?
As I am planning to deploy the FWSM module in the 6513 chassis, I need your valuable comments regarding the strategy that I created for this deployment. Initially (without FWSM deployment) all internal traffic moves in this manner:
7613(G9/5) --> 6513(G10/4) --> ISA (Internal Int.) [NATing] (ISA External Int.) --> 6513(G9/45){This is L2 port in VLAN 164} --> VLAN 164(SVI Int,IP:192.168.40.20) --> (G9/44){This is L2 port in VLAN 164}--> ASR 1002 -->Router -->Internet.
As you can see from the image, I am planning to deploy the FWSM in transparent mode in between VLAN 164 (SVI Int, IP: 192.168.40.20) -[FWSM here]-> (G9/44){This is L2 port in VLAN 120}, by putting the inside interface of the FWSM in VLAN 164 and creating a new VLAN on the 6513, i.e. VLAN 120, and putting G9/44 in it. Now, will this configuration work regarding the passing of traffic through the FWSM? What improvements do I have to make in this design? You can check the attached diagram.
Today I received an FWSM from Cisco (RMA); I need to configure it as the standby unit for an existing FWSM active/standby setup.
The IOS on the RMAed FWSM is 2.3.4, and Cisco VSS supports FWSM IOS 4.0.4 and later. My issue is, I cannot access the FWSM (IOS 2.3.4) via the session command from the Cisco 6513, but I could successfully console into it without any problem. I have reloaded it twice and also tried to disable and enable power on it.
VSS#sh module switch 2
Switch Number: 2 Role: Virtual Switch Standby
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
2 6 Firewall Module WS-SVC-FWM-1 -----------
[code]....
Why can't I access the FWSM through the session command? Is this because of the older IOS? If yes, then how do I upgrade its IOS? Is it possible to upgrade the IOS via the FWSM console? If yes, do I need to test on a different slot?
We have a customer who has 4 x 'WS-SVC-FWM-1' modules installed within 2 x 6513 chassis. The FWSMs are all running version 3.1(16) with failover groups 1 and 2 enabled. After a few recent planned and unplanned power outages the FWSMs have come up without a full configuration. Is this a common fault? If so, is there any kind of workaround that can be implemented?
I am trying to make multicast work between a few hosts inside a single VLAN. The hosts are running MySQL Cluster, and multicast is used to send master/slave status information to the IP 228.10.10.10 on port 45566. The VLAN is defined in the FWSM and the hosts are connected via the core switch (6513). (hosts-->core-sws--->fwsm) I have tried searching the documentation, but couldn't find specific info on enabling multicast between hosts residing in the same VLAN. The FWSM is running code 3.1(4). Since the hosts are residing in the same VLAN, I am thinking of applying the <multicast-routing> just for that SVI in the FWSM.
My corporate internal network is currently firewalled by an FWSM module on a 6513 switch. We have each security zone (we have eight) assigned to an FWSM context and have ACLs set up between the contexts and the enterprise LAN/WAN. Is it possible to support firewalling between these zones within a single security context? The reason I am asking is that we would like to purchase a second FWSM for use as a standby, but do not want to cough up the ~$12K for the context license. We will ultimately be transitioning to ASAs for internal security, so do not want to spend more than we need to.
I am planning to deploy the FWSM with all this complexity. Will this type of scenario work or not, meaning will traffic move from the MSFC to the core? Is it right to create another SVI int2 on the MSFC to move traffic from the MSFC to the core switch?
I have a Cisco 6513 switches connected to HP VC Flex 10 Module. The (2) 10Gb ports on a Cisco Switch connected to VC Flex-10 in LACP mode.
I need to move those (2) 10Gb ports on Cisco Switch 10Gb Module to a different 10Gb module on a same Switch without bringing the ports down since it is a live environment.
What I would do is configure the same port channel ID on the new 10Gb module and then move the ports one by one: unplug one port and connect it to the new port on the module. While I am unplugging the first port the other active port will keep sending traffic, and as soon as I plug in on the other port, both ports will be active.
My company has acquired a Catalyst 6513 with a FWSM module installed on it. I have been reading lot of documentation on [URL], but still have some problems configuring the FWSM:
The 6513 has 10 SVIs configured, each of them with an IP address. These 10 SVIs are bound to 10 VLANs which I need to secure. These SVIs are used for routing all the inter-VLAN traffic inside the switch. The documentation says it is recommended to use just one SVI for connecting the switch to the FWSM, although you can use more than one using the command "firewall multiple-vlan-interfaces". I don't want to use this command because it seems a much more difficult configuration, since you have to use policy routing after using this command (or that is, at least, what the documentation says).
When I try to "send" to the FWSM more than one VLAN that are configured as SVIs on the switch I get this error message:
"No more than one svi is allowed, command rejected."
If I delete the IP address of those SVIs, then I can "send" those SVIs to the FWSM with no problem at all. But I need the SVIs to have IP addresses configured, since they are needed for routing inter-VLAN traffic.
So, the question is: how can I route all the inter-VLAN traffic using just one SVI on the switch? Should I use the FWSM for inter-VLAN traffic routing?
I need to move from ASA 8.4(1) to 9.0(2). Reading [URL] it seems to be a quite safe upgrade because I do not have IPv6 ACLs and I have only IKEv1. The following is not very understandable to me: "No Payload Encryption for export. You can purchase some models with No Payload Encryption. For export to some countries, payload encryption cannot be enabled on the Cisco ASA 5500 series. The ASA software senses a No Payload Encryption model, and disables the following features:
- Unified Communications
- VPN
You can still install the Strong Encryption (3DES/AES) license for use with management connections and encrypted route messages for OSPFv3. For example, you can use ASDM HTTPS/SSL, SSHv2, Telnet and SNMPv3. You can also download the dynamic database for the Botnet Traffic Filter (which uses SSL) and redirect traffic to Cloud Web Security." Reading [URL] under 'Limitations and Restrictions' I find this point on moving to 8.4(2), which I also don't understand: "Currently in 8.4(2) and later, the PAT pool feature is not available as a fallback method for dynamic NAT or PAT. You can only configure the PAT pool as the primary method for dynamic PAT. For example, if you enter the following twice NAT command that configures a PAT pool (object2) for fallback when the addresses in object1 are used up, you see the following error message:
hostname(config)# nat (inside,outside) source dynamic any object1 pat-pool object2 interface round-robin
ERROR: Same mapped parameter cannot be used to do both NAT and PAT.
ERROR: NAT pool allocation failed.
You can alter this command to make it PAT-pool only by removing object1; the PAT pool is used as the primary method, instead of as a fallback method:
I have a customer moving from a 5505 to a 5510. They are currently running websense express, which monitors and filters traffic based off of a port mirror on the ASA. Can this function still be performed on the ASA5510? If so, I am having trouble figuring out the method.
We want to provide an end-to-end encryption service using an ACE02 in a CAT 6509E. This is covered in the ACE config guide, so it should be OK. The issue is that we want to include traffic inspection using an IDSM2, so we need to separate the decrypt and encrypt stages and send cleartext traffic to the IDSM2. The Security and Virtualization in the Data Center PDF, pages 18/19, suggests that it might be possible. The design depicted there, though, is only doing SSL termination, then sending the clear text on to a WAF and on to IPS, but it does say end-to-end encryption is also possible. So in essence what we want to do is have traffic from clients destined for the server farm decrypted by the ACE and sent to the IDS. We then want the traffic to return from the IDS to the ACE to be encrypted and sent on to the server farm.
We have a 6513-E chassis and a WS-X6748-GE-TX module. I'd like to know if I could put this module in any slot, since the documentation from Cisco says that any slot of a 6500-E Series chassis can support this module. And then the documentation for the WS-X6748-GE-TX says that this module is not compatible with slots 1-8 of the 6513 chassis, only with the 9th to 13th slots; in those slots of the 6513-E we already have 4x WS-X6748-GE-TX, and we'd like to know if we could put the module in the rest of the slots. The 6513 and 6513-E are kind of confusing.
Me to a 2951 router with the firewall feature set. I've begun to move the ACLs that were in the PIX. However, some of the rules are allowed to be typed in, but when I look at the ACL afterwards they are not what I typed in.
We have 2 FWSM modules in each of our 6500 switches. The 1st module has 04 firewall VLAN groups with 18 VLAN interfaces in a single-context firewall. All are working fine with no issues. Recently we created one more VLAN on the MSFC and added it into the same firewall module. However, the newly created VLAN inside the FW is not able to communicate with outside, and also outside users are not able to reach the newly created subnet. But within the firewall zones (other interfaces) it can communicate. Once we did a packet capture we noticed that it's hitting the firewall outside interface only, and when we ping we get a TTL expired error. We have default routes to outside and there's no route inside, as the new segment is within the firewall (no hop).
I guess there's no limitation on the number of VLANs that we can assign on one firewall, even though there is a limitation on the number of VLAN groups, which is 16 max (but we are within that limit).
I want to upgrade a pair of FWSMs in active failover from 4.0(4) to 4.1(8); I just want to double check the process. I have TFTP access to the primary at the minute. I cannot access the same TFTP server with the standby. Do I need to flip over to the standby to be able to TFTP the image across?
I am planning for a VSS in the core, but firstly I need to upgrade the FWSM, which is at version 3.2, to 4.0.4 (min release). I have checked software dependencies but am not sure about hardware dependencies on the FWSM and chassis, e.g. a ROMMON upgrade on the chassis.
I want to upgrade FWSM version 3.1(11) to the latest 4.x version. Is this possible, or do I have to upgrade first to 3.2 and then to 4.x?
Are there any changes in configuration commands that I need to know about? The version that the 6500 is running is s72033-advipservicesk9_wan-mz.122-18.SXF14.bin; is an upgrade to the 6500 needed also? And if so, what IOS version should I put on? Also, which is the supported ASDM version?
We recently deployed an FWSM on our 6503-E boxes (w/ Sup720). NAT is working (PAT), but the issue I am seeing is that private traffic from remote sites is not being allowed through the FW. I was able to get the remote site to ping the FWSM itself (inside address), but no hosts behind it. Maybe an ACL issue? Also, when I turn off NAT on the remote end, I can then access everything (we are NATing on both ends). I'm a routing guy by nature, so I will defer this to the security guys out there.
I am unable to remove an access list. Currently this access list contains 4 lines of remarks. I was unsure if I was entering the command correctly, and now I have 4 lines of "trash" that need to be removed.
Symptoms: The "sh run" command shows that I have access-list 100 defined. The "sh access-list" returns nothing.
Process I have tried:
config t
no access-list 100
no access-list remark Test (just trying anything at this point)
clear configure access-list 100 (This returns "Invalid input detected at '^' marker" and the '^' is under the 'e' in clear.)
So the "clear configure" command is not working. The "no access-list" commands do not return an error but do not remove anything. What step am I missing? Let me know if I can provide any more information.
I have FWSMs in Cat 6513s. I need to be able to session from the switch to the FWSM using the default account (not a local user) at privilege level 15. I further need to allow a user read-only access by SSHing into the FWSM...
I believe I need to set up a local user at, say, privilege level 5, assign the show command only to privilege level 5, then set the authorization command for that user. So, I think my command set to accomplish this is as follows:
username <username> password <pw> priv 5
priv command level 5 mode exec command show
aaa auth ssh console LOCAL
aaa auth enable console LOCAL
aaa authorization command LOCAL
I think that this will allow the user at privilege 5 to run only the show command, and only by SSH to the FWSM, while allowing the privilege 15 default login to continue to function properly.
We have a pair of 6500s with Sup720 running 12.2(33)SXI3. Each has an ACE-20 (s/w A2(2.0)) and FWSM (s/w v3.2(15)). We have reached a limit on the number of rules we can configure on the FWSM, and have determined that we shall upgrade to 4.1(5), with ASDM to 6.2(2)F. A question has been raised regarding the s/w on the ACE-20 modules. Do we need to upgrade them as well?
ASA code 8.3 and higher uses NAT objects and totally changes the NAT rule config. I am new to FWSM... but was wondering if this is comparable? I am looking at upgrading FWSM 3.1(16) to a higher 4.1 version... but have a feeling this could be a huge task if the NAT config changes as it did with the ASAs.
I am trying to configure an FWSM via ASDM 6.2f. There are formerly configured interfaces and new interfaces I created. When I add a new access rule, it gets added only to all the old interfaces but not to the new ones I created.
1. What is wrong with the new interfaces I created?
2. What's the logic of auto-adding a rule to "all" interfaces? The rules are incoming rules specific to interfaces or groups, so why add the rule to "all" interfaces?
We would like to decommission our FWSMs and upgrade to the ASA 5555Xs. This leads me to ask the following: What would be the most efficient way of doing this without any interruption to production? How to successfully accomplish this?
Our FWSM (in a 6509) is not coming up. When we try to session up using the "session slot 1 proc 1" command, it gives the error "Trying 127.0.0.11 ..... connection timed out remote host not responding".
In the "show mod" command output at the switch IOS console, under the Card Type section it is showing the Model & Serial Number correctly, and under the MAC address section it is displaying some MAC address, but in Online Diag Status it is showing "Unknown" for Module 1.
We tried re-seating it in other slots, but to no use; it gives the same error. Some other forums are saying it is an issue with the 128 MB CF image problem, after which the FWSM is no longer reachable from the 6509 IOS console. We even tried using the FWSM console (using PC-Conse & LCP Console), but the FWSM is not contactable.
I have two DC switches with FWSM modules installed. The DC switch1 FWSM (ver 3.2(12)) is working as active, and the secondary DC switch2 FWSM (ver 3.2(12)) is in standby mode.
Since yesterday I have been trying to log in to the primary FWSM. It is accepting my username and credentials but prompting again for the username; please refer below:
DXB-DC1>session slot 5 p 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.51 ... Open.
[code]
I have had a strange issue with a pair of FWSMs in two 6500s: it seems there was a failover, but both modules have been reset.
CAT1
Feb 03 17:08:46.525: %SNMP-5-MODULETRAP: Module 8 [Down] Trap
Feb 03 17:08:46.522: SP: The PC in slot 8 is shutting down. Please wait ...
Feb 03 17:09:01.525: SP: shutdown_pc_process:No response from module 8
Feb 03 17:09:11.382: %C6KPWR-SP-4-DISABLED: power to module in slot 8 set off (Reset)
Feb 03 17:10:56.093: %DIAG-SP-6-RUN_MINIMUM: Module 8: Running Minimal Diagnostics...
Feb 03 17:10:59.796: %SVCLC-5-FWVTPMODE: VTP [Code]...
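As an added example (not from the original post or from Cisco), the following Python parser turns the Catalyst 6500 SP log lines quoted above into a per-slot reset timeline, so an unexpected service-module reset can be flagged from syslog rather than noticed after the fact. The sample log is constructed from the excerpt above, and the year (absent from the syslog format) is assumed.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample, modelled on the CAT1 excerpt in the post above
# (the truncated final VTP line is kept short; it is not a lifecycle stage).
SAMPLE_LOG = """\
Feb 03 17:08:46.525: %SNMP-5-MODULETRAP: Module 8 [Down] Trap
Feb 03 17:08:46.522: SP: The PC in slot 8 is shutting down. Please wait ...
Feb 03 17:09:01.525: SP: shutdown_pc_process:No response from module 8
Feb 03 17:09:11.382: %C6KPWR-SP-4-DISABLED: power to module in slot 8 set off (Reset)
Feb 03 17:10:56.093: %DIAG-SP-6-RUN_MINIMUM: Module 8: Running Minimal Diagnostics...
Feb 03 17:10:59.796: %SVCLC-5-FWVTPMODE: VTP
"""

TS_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): (?P<msg>.*)$")

# Each pattern maps one SP message seen in the excerpt to a lifecycle stage
# and captures the slot number it refers to.
STAGES: List[Tuple[str, re.Pattern]] = [
    ("trap_down", re.compile(r"%SNMP-5-MODULETRAP: Module (?P<slot>\d+) \[Down\]")),
    ("shutdown", re.compile(r"The PC in slot (?P<slot>\d+) is shutting down")),
    ("no_response", re.compile(r"No response from module (?P<slot>\d+)")),
    ("power_off_reset", re.compile(r"power to module in slot (?P<slot>\d+) set off \(Reset\)")),
    ("diag_start", re.compile(r"%DIAG-SP-6-RUN_MINIMUM: Module (?P<slot>\d+): Running")),
]


def parse_timestamp(ts: str, year: int = 2013) -> datetime:
    # Syslog timestamps carry no year; 2013 is assumed to match the post date.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S.%f")


def parse_events(log: str) -> List[Tuple[int, str, datetime]]:
    """Return (slot, stage, timestamp) for every line that matches a known stage."""
    events = []
    for line in log.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        for stage, pat in STAGES:
            sm = pat.search(m.group("msg"))
            if sm:
                events.append((int(sm.group("slot")), stage, parse_timestamp(m.group("ts"))))
                break
    return events


def module_resets(log: str) -> Dict[int, dict]:
    """Per slot: stages seen in order, whether a full reset cycle occurred, and the
    span in seconds from the first to the last event (SP timestamps are not
    strictly monotonic in the excerpt, so min/max are used rather than first/last)."""
    per_slot: Dict[int, dict] = {}
    for slot, stage, ts in parse_events(log):
        entry = per_slot.setdefault(slot, {"stages": [], "first": ts, "last": ts})
        entry["stages"].append(stage)
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    for entry in per_slot.values():
        seen = set(entry["stages"])
        entry["reset"] = "power_off_reset" in seen and "diag_start" in seen
        entry["outage_seconds"] = (entry["last"] - entry["first"]).total_seconds()
    return per_slot
```

A `reset` of True with no matching maintenance window is the condition worth alerting on; the same pattern applies to the standby chassis log so both resets can be correlated.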
I'm running two C6509 chassis with an FWSM and an ACE module installed on each chassis. I have no problem sessioning into 1 FWSM and 2 ACE modules, but 1 FWSM module can't be accessed by the session command. As I understand it, both FWSM modules' status is OK and they are working fine. When I tried to session into the FWSM, I got these messages...