FWSM question

I'm not familiar with configuring this module and I was looking for just a very basic how-to for it.

I have a 6500 series device with the firewall module. I was tasked with creating an inbound and outbound ACL to apply to a VLAN interface. The ACL's are around 2500 lines each.

I noticed that the 6500 has the firewall module and it is not being utilized. I thought it might be better to have the FWSM handle the ACLs, but I'm unsure of how to apply the ACLs to the VLAN on the switch when they are configured on the module. Am I even on the right track with my thinking? Does this need to even really go through the firewall module? Opinions?

Thanks.

Find more posts tagged with

Comments

shednik

You could do it either way really, it all depends on your preference.

The FWSM method would go something like this...mind you I'm assuming this VLAN was just created or has not been used in the FWSM previously.

Create the VLAN if needed in the VLAN database and then look for something like this in your running config for the switch

firewall multiple-vlan-interfaces
firewall module 3 vlan-group 700
firewall vlan-group 700  1,2,3,4

You would then need to add the vlan to that vlan-group, this is a virtual port-channel that goes up to the FWSM module.

Now you would need to log in to the FWSM either via SSH, ASDM, or console in through the switch (show module, session slot # processor 1)

From there if it's a multi-context FWSM you will need to goto the system context and allocate the vlan to the proper context, if not I believe you should just be able to create a vlan interface on the FWSM. Then you can create an ACL similar to how you would on an ASA or an IOS device. The syntax will be different but using ? should get you through it.

If you're familiar with how the ASA configures interfaces you can ignore this next part...

 interface Vlan14
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2

Name the interface, set the security level 0-100, 0 where nothing is allowed by default unless there's an open session and 100 traffic from higher to lower security interfaces is allowed by default.

then you can apply the acl to the interface in whichever direction you would like in or out.

I don't particularly like using outbound acls, i'd much rather apply the policy to the interface where the traffic would enter the FWSM and restrict it/allow it there.

access-group inside_in_acl in interface inside
access-group inside_out_acl out interface inside

That's a quick explanation of how to get the job done, hope this helps.

Joe

pham0329

Cisco has a really good configuration guide on the FWSM...it's about 700 pages and super helpful. I would suggest you take a look through it if you're going to be work with FWSM