Re: [fw-wiz] Problem with Cisco Firewall Service Module running in transparent mode

From: Greg Padden (paddeng_at_biostat.wisc.edu)
Date: 08/18/04

  • Next message: Desai, Ashish: "RE: [fw-wiz] Remote Access via Checkpoint VPN"
    To: Brian Ford <brford@cisco.com>
    Date: Wed, 18 Aug 2004 07:57:21 -0500
    
    

    Brian, according to the Cisco document in Example 5: Security Contexts
    With Outside Access in the documentation:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_2/fwsm_cfg/examples.htm#wp1052835
    this can be done.

    Should this example be removed from the doc? In which section of the
    documentation does it say that transparent and birtual context are not
    supported int v2.2? I thought that was the whole purpose of the upgrade
    from 1.1(x) to 2.2(x)?

    Brian Ford wrote:

    > Greg,
    >
    > If you check the documentation you'll find that you cannot have both
    > transparent (L2) and virtual contexts configured on one FWSM blade in
    > v2.2. This will be in a future release.
    >
    > Liberty for All,
    >
    > Brian
    >
    > At 12:00 PM 8/17/2004 -0400,
    > firewall-wizards-request@honor.icsalabs.com wrote:
    >
    >> Message: 2
    >> Date: Fri, 13 Aug 2004 07:39:08 -0700
    >> From: greg padden <paddeng@biostat.wisc.edu>
    >> To: firewall-wizards@honor.icsalabs.com
    >> Subject: [fw-wiz] Problem with Cisco Firewall Service Module running
    >> in transparent
    >> mode
    >>
    >> I have attempting to get a Cisco Firewall Service Module (FWSM) running
    >> software version 2.2(1) in transparent mode and multiple context mode.
    >>
    >> Here is the problem that I am running into:
    >>
    >> I have a bunch of vlans already routing on the MSFC2 blade, I want to
    >> move each of these vlans behind their own "virtual" firewall (what cisco
    >> calls a context). So, I first remove this vlan interface from the MSFC2
    >> router, then I assign this vlan to the firewall module, assign a new
    >> vlan to the firewall module which will become the new outside vlan, then
    >> I session into the firewall module and allocate these two vlans to the
    >> new context, I then go into the context and define the firewall rules.
    >> Go back to the MSFC2 router and define the new "outside" vlan inteface
    >> on the router.
    >>
    >> After I have done this, "some" hosts on the inside vlan cannot connect
    >> to "some" places on the Internet (or other places on the outside of the
    >> FWSM). If I take a test pc and give it the same ip address of the
    >> troubled machine I can confirm that they cannot ping, http, or IMAP to
    >> some hosts, but if I take a different ip address on the same LAN I can
    >> sucessfully connect to the same outside host (the firewall rules for
    >> testing are permit ip any any outbound and inbound, so it is NOT the
    >> firewall rules).
    >>
    >> I have troubleshot this with Cisco about 3 times now and they cannot
    >> figure it out. After a reboot of the entire Catalyst 6500 everything
    >> works fine!!!
    >>
    >> So here is my complete setup: Catalyst 6509 with dual supII's with duel
    >> MSFC2 routers configured in SRM mode, the Cat is running hybrid IOS
    >> 7.6.7.
    >>
    >> Has anybody else had trouble migrating VLANS from the MSFC2 to a virtual
    >> transparent firewall on the FWSM? Or seen this behavior?
    >
    >
    >
    > Brian Ford
    > Consulting Engineer, Security & Integrity Specialist
    > Office of Strategic Technology Planning
    > Cisco Systems Inc.
    > http://www.cisco.com/go/safe/
    >
    > The opinions expressed in this message are those of the author and not
    > necessarily those of Cisco Systems, Inc..
    >
    > This email address is transmitted from San Jose, California, U.S.A..
    >
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Desai, Ashish: "RE: [fw-wiz] Remote Access via Checkpoint VPN"