Re: FWSM

From: Nitin Venugopal <nitinsworld_at_gmail.com>
Date: Mon, 6 Apr 2009 20:23:16 +0400

Hi,

Explained in easy steps, hope it helps

Step 1 - Create the VLANs on the MSFC

vlan 310
name ACE-CLIENT-DIC-ACE-A

vlan 311
name ACE-SERVER-DIC-ACE-A1

vlan 398
name ACE-FT-VLAN-1
vlan 399
name ACE-FT-VLAN-2
-------------------STEP 2 (MSFC)---------------------------------
FWSM: adding the VLAN for the FWSM context
firewall vlan-group 1 310
-------
Step 3

Allowing ACE vlan specific traffic to be directed towards ACE

svclc multiple-vlan-interfaces
svclc module 3 vlan-group 100

svclc vlan-group 100 310-312

-------------------STEP 4 (FWSM)-------------------------------

SVI on the ACTIVE Context of the FWSM

ACE Client Side VLAN configuration on FWSM
int vlan 310
nameif AceA
description ACE Context A- Client Side VLAN
ip address x.x.x.x 255.255.255.0 standby x.x.x.x
security-level 50
no shut

access-list acl-AceA extended permit ip any any
access-list acl-AceB extended permit ip any any

access-group acl-AceA in interface AceA

route AceA x.x.x.x x.x.x.x x.x.x.

-------------------STEP 6 (Routing for ACE on the MSFC)-----------------------
ip route x.x.x.x (server IP range behind the ACE) mask X.X.X.X (FWSM outside interface)

Regds
Nitin

On Mon, Apr 6, 2009 at 11:29 AM, Tomi Amao <tomiground_at_hotmail.com> wrote:

> Hi,
>
>
>
> how do you force traffic to flow through the FWSM and then through the ACE
> module before hitting the application servers behind the ACE module.
> Thanks.
>
> Regards,
>
> Tomi
>
>
>
>
> > Date: Fri, 3 Apr 2009 10:00:10 -0400
> > Subject: Re: FWSM
> > From: m.a.cairns_at_gmail.com
> > To: mousawi.ali_at_gmail.com
> > CC: r.steeneken_at_gmail.com; ccielab_at_groupstudy.com
> >
> > Ali,
> >
> > VLAN 999 is not being trunked to the FWSM by the switch. Have you configured
> > anything on the switch to use vlan 999? An access port in up/up status?
> > Configured the VLAN and forwarded on a trunk?
> >
> > Check the following command (just like checking a trunk between switches):
> >
> > Switch#sh firewall module 1 state
> > Firewall module 1:
> >
> > Switchport: Enabled
> > Administrative Mode: trunk
> > Operational Mode: trunk
> > Administrative Trunking Encapsulation: dot1q
> > Operational Trunking Encapsulation: dot1q
> > Negotiation of Trunking: Off
> > Access Mode VLAN: 1 (default)
> > Trunking Native Mode VLAN: 1 (default)
> > Trunking VLANs Enabled: 4-50,122,342-344,400-699,997,998
> > Pruning VLANs Enabled: 2-1001
> > Vlans allowed on trunk: 4-50,122,342-344,400-699,997-998
> > Vlans allowed and active in management domain: 4-26,28-30,32,36,39,122,342-344,401-405,410-411,415-416,418,500,600-609,997-998
> > Vlans in spanning tree forwarding state and not pruned: 4-26,28-30,32,36,39,122,342-344,401-405,410-411,415-416,418,500,600-609,997-998
> > Switch#
> >
> > Mark
> > #17755, Security
> >
> > On Fri, Apr 3, 2009 at 2:07 AM, Ali El Moussaoui <mousawi.ali_at_gmail.com> wrote:
> >
> > > firewall module 1 vlan-group 1
> > > firewall vlan-group 1 999-1001,1010,1017,1018,1020,2000
> > >
> > > The vlan i added was 999 and it is in the vlan database. (sh vlan br)
> > >
> > > Ali
> > >
> > > On Fri, Apr 3, 2009 at 7:13 AM, Robert Steeneken <r.steeneken_at_gmail.com> wrote:
> > >
> > > > did you put the firewall vlan group to the FWSM module?
> > > >
> > > > firewall module X vlan-group X,X,X
> > > >
> > > > On Thu, Apr 2, 2009 at 5:21 PM, Ali El Moussaoui <mousawi.ali_at_gmail.com> wrote:
> > > >
> > > >> Hello Guys,
> > > >>
> > > >> I am new to this FWSM and when I configure a new VLAN under the "xyz" context
> > > >> I see the following under sh int:
> > > >> "Available but not assigned from Supervisor"
> > > >>
> > > >> I added the VLAN to the firewall vlan-group and allocated the VLAN for the
> > > >> "xyz" context.
> > > >>
> > > >> What am I missing?
> > > >> Ali
> > > >>
> > > >>
> > > >> Blogs and organic groups at http://www.ccie.net
> > > >>
> > > >> _______________________________________________________________________
> > > >> Subscription information may be found at:
> > > >> http://www.groupstudy.com/list/CCIELab.html
> > >
> >
>

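A small check, added here and not part of any message in the thread, that automates the diagnosis Mark describes: it expands the `firewall vlan-group` list and the VLAN lists in `show firewall module N state` and reports at which hop a VLAN stops being delivered to the FWSM. The sample output is constructed from the lines quoted above (rejoined); the function names are my own.

```python
import re

# Constructed sample: the list-valued lines of the "show firewall module 1 state" output quoted above, rejoined.
SAMPLE_STATE = """\
Trunking VLANs Enabled: 4-50,122,342-344,400-699,997,998
Vlans allowed on trunk: 4-50,122,342-344,400-699,997-998
Vlans allowed and active in management domain: 4-26,28-30,32,36,39,122,342-344,401-405,410-411,415-416,418,500,600-609,997-998
"""

def expand_ranges(spec):
    """Expand an IOS VLAN list such as '4-50,122,997-998' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans

def parse_state(output):
    """Map each 'Label: <vlan list>' line of the state output to its expanded VLAN set."""
    fields = {}
    for line in output.splitlines():
        label, sep, value = line.partition(":")
        value = value.strip()
        if sep and re.fullmatch(r"[\d,\-]+", value):   # skip 'Switchport: Enabled' etc.
            fields[label.strip().lstrip("*")] = expand_ranges(value)
    return fields

def diagnose_vlan(vlan, vlan_group_spec, state_output):
    """Explain why a context interface on `vlan` shows 'Available but not assigned
    from Supervisor': vlan-group -> allowed on FWSM trunk -> active in VLAN database."""
    state = parse_state(state_output)
    if vlan not in expand_ranges(vlan_group_spec):
        return "not in firewall vlan-group"
    if vlan not in state.get("Vlans allowed on trunk", set()):
        return "in vlan-group but not allowed on the FWSM trunk"
    if vlan not in state.get("Vlans allowed and active in management domain", set()):
        return "allowed on trunk but not active (missing from vlan database or shut)"
    return "trunked to FWSM"

if __name__ == "__main__":
    # Ali's case from the thread: VLAN 999 is in the vlan-group but the trunk stops at 998.
    print(diagnose_vlan(999, "999-1001,1010,1017,1018,1020,2000", SAMPLE_STATE))
```

Run it against real output pasted into SAMPLE_STATE; a VLAN that is in the vlan-group but absent from "Vlans allowed on trunk" is the case Ali hit.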
Received on Mon Apr 06 2009 - 20:23:16 ART

This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:11 ART