Re: [fw-wiz] Problem with Cisco Firewall Service Module running in transparent mode

From: Greg Padden (paddeng_at_biostat.wisc.edu)
Date: 08/18/04

    To: Brian Ford <brford@cisco.com>
    Date: Wed, 18 Aug 2004 07:57:21 -0500
    
    

    Brian, according to the Cisco document in Example 5: Security Contexts
    With Outside Access in the documentation:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_2/fwsm_cfg/examples.htm#wp1052835
    this can be done.

    Should this example be removed from the doc? In which section of the
    documentation does it say that transparent and virtual contexts are not
    supported in v2.2? I thought that was the whole purpose of the upgrade
    from 1.1(x) to 2.2(x)?

    Brian Ford wrote:

    > Greg,
    >
    > If you check the documentation you'll find that you cannot have both
    > transparent (L2) and virtual contexts configured on one FWSM blade in
    > v2.2. This will be in a future release.
    >
    > Liberty for All,
    >
    > Brian
    >
    > At 12:00 PM 8/17/2004 -0400,
    > firewall-wizards-request@honor.icsalabs.com wrote:
    >
    >> Message: 2
    >> Date: Fri, 13 Aug 2004 07:39:08 -0700
    >> From: greg padden <paddeng@biostat.wisc.edu>
    >> To: firewall-wizards@honor.icsalabs.com
    >> Subject: [fw-wiz] Problem with Cisco Firewall Service Module running
    >> in transparent mode
    >>
    >> I have been attempting to get a Cisco Firewall Service Module (FWSM) running
    >> software version 2.2(1) in transparent mode and multiple context mode.
    >>
    >> Here is the problem that I am running into:
    >>
    >> I have a bunch of vlans already routing on the MSFC2 blade, I want to
    >> move each of these vlans behind their own "virtual" firewall (what cisco
    >> calls a context). So, I first remove this vlan interface from the MSFC2
    >> router, then I assign this vlan to the firewall module, assign a new
    >> vlan to the firewall module which will become the new outside vlan, then
    >> I session into the firewall module and allocate these two vlans to the
    >> new context, I then go into the context and define the firewall rules.
    >> Go back to the MSFC2 router and define the new "outside" vlan interface
    >> on the router.
    >>
    >> After I have done this, "some" hosts on the inside vlan cannot connect
    >> to "some" places on the Internet (or other places on the outside of the
    >> FWSM). If I take a test pc and give it the same ip address as the
    >> troubled machine I can confirm that they cannot ping, http, or IMAP to
    >> some hosts, but if I take a different ip address on the same LAN I can
    >> successfully connect to the same outside host (the firewall rules for
    >> testing are permit ip any any outbound and inbound, so it is NOT the
    >> firewall rules).
    >>
    >> I have troubleshot this with Cisco about 3 times now and they cannot
    >> figure it out. After a reboot of the entire Catalyst 6500 everything
    >> works fine!!!
    >>
    >> So here is my complete setup: Catalyst 6509 with dual supII's with dual
    >> MSFC2 routers configured in SRM mode, the Cat is running hybrid IOS
    >> 7.6.7.
    >>
    >> Has anybody else had trouble migrating VLANS from the MSFC2 to a virtual
    >> transparent firewall on the FWSM? Or seen this behavior?
    >
    >
    >
    > Brian Ford
    > Consulting Engineer, Security & Integrity Specialist
    > Office of Strategic Technology Planning
    > Cisco Systems Inc.
    > http://www.cisco.com/go/safe/
    >
    > The opinions expressed in this message are those of the author and not
    > necessarily those of Cisco Systems, Inc..
    >
    > This email address is transmitted from San Jose, California, U.S.A..
    >
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


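The migration procedure Greg describes in his original post (remove the SVI from the MSFC2, hand the VLAN plus a new outside VLAN to the FWSM, allocate both to a new context, configure the context, recreate the gateway on the outside VLAN), written out as an added configuration example. This is not the poster's configuration and not the example from the Cisco document cited above. It assumes CatOS on the supervisor with IOS on the MSFC2 (hybrid, as in the post), FWSM 2.2 command syntax, the FWSM in slot 4, VLAN 101 as the existing routed VLAN being moved behind the firewall, VLAN 201 as the new outside VLAN, and the 192.0.2.0/24 addresses and the context name are made up. The verification commands at the end are the tables a practitioner would inspect before concluding it is not the rules; they are a suggestion, not something the thread reports.

```text
!--- Added example, not from the thread. Assumed: FWSM in slot 4, VLAN 101 is the
!--- existing routed inside VLAN, VLAN 201 is the new outside VLAN, addresses are made up.

! (1) MSFC2 (IOS): note the existing gateway address, then remove the SVI so the
!     router can no longer route around the firewall for that VLAN.
Router# show running-config interface Vlan101
Router(config)# no interface Vlan101

! (2) Supervisor (CatOS): create the outside VLAN and give both VLANs to the FWSM.
Console> (enable) set vlan 201 name fw-outside-for-101
Console> (enable) set vlan 101,201 firewall-vlan 4
Console> (enable) show vlan firewall-vlan 4

! (3) Session into the FWSM system execution space and allocate the VLANs to a
!     new context. Assumed: the module is already in multiple mode, and in 2.2 the
!     transparent/routed setting is made here for the whole module, not per context.
Console> (enable) session 4
FWSM> enable
FWSM# configure terminal
FWSM(config)# firewall transparent
FWSM(config)# context vlan101-fw
FWSM(config-ctx)# allocate-interface vlan201
FWSM(config-ctx)# allocate-interface vlan101
FWSM(config-ctx)# config-url disk:/vlan101-fw.cfg

! (4) Change to the context and define its interfaces and rules. The "permit ip
!     any any" lists mirror the test rules the post describes; tighten them in
!     production. In transparent mode the single ip address is the management
!     address for the bridged segment, not a gateway.
FWSM# changeto context vlan101-fw
FWSM/vlan101-fw# configure terminal
FWSM/vlan101-fw(config)# nameif vlan201 outside security0
FWSM/vlan101-fw(config)# nameif vlan101 inside security100
FWSM/vlan101-fw(config)# ip address 192.0.2.5 255.255.255.0
FWSM/vlan101-fw(config)# access-list out-in permit ip any any
FWSM/vlan101-fw(config)# access-list in-in permit ip any any
FWSM/vlan101-fw(config)# access-group out-in in interface outside
FWSM/vlan101-fw(config)# access-group in-in in interface inside
FWSM/vlan101-fw(config)# write memory

! (5) MSFC2: recreate the gateway, with the address noted in step 1, on the new
!     outside VLAN. Hosts on VLAN 101 keep their default gateway unchanged; the
!     FWSM bridges 101 and 201 at layer 2.
Router(config)# interface Vlan201
Router(config-if)# ip address 192.0.2.1 255.255.255.0
Router(config-if)# no shutdown

! (6) Checks worth running when only some hosts lose connectivity after the move:
!     compare the router's ARP table, the context's bridge and ARP tables, and the
!     supervisor's CAM table for the affected host, and clear the router's ARP cache
!     before resorting to a chassis reboot.
Router# show ip arp vlan 201
Router# clear arp-cache
FWSM/vlan101-fw# show mac-address-table
FWSM/vlan101-fw# show arp
Console> (enable) show cam dynamic 101
```

The step-1 to step-5 order matters: removing the MSFC2 SVI before the VLAN is handed to the FWSM avoids a window in which the router and the transparent context both see the segment.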