FWSM question
Megadeth4168
Member Posts: 2,157
in CCNP
I'm not familiar with configuring this module and I was looking for just a very basic how-to for it.
I have a 6500 series device with the firewall module. I was tasked with creating an inbound and outbound ACL to apply to a VLAN interface. The ACLs are around 2500 lines each.
I noticed that the 6500 has the firewall module and it is not being utilized. I thought it might be better to have the FWSM handle the ACLs, but I'm unsure of how to apply the ACLs to the VLAN on the switch when they are configured on the module. Am I even on the right track with my thinking? Does this need to even really go through the firewall module? Opinions?
Thanks.
Comments
shednik Member Posts: 2,005
You could do it either way really, it all depends on your preference.
The FWSM method would go something like this...mind you I'm assuming this VLAN was just created or has not been used in the FWSM previously.
Create the VLAN if needed in the VLAN database and then look for something like this in your running config for the switch:
firewall multiple-vlan-interfaces
firewall module 3 vlan-group 700
firewall vlan-group 700 1,2,3,4
You would then need to add the vlan to that vlan-group, this is a virtual port-channel that goes up to the FWSM module.
Now you would need to log in to the FWSM either via SSH, ASDM, or console in through the switch (show module, session slot # processor 1)
From there, if it's a multi-context FWSM you will need to go to the system context and allocate the VLAN to the proper context; if not, I believe you should just be able to create a VLAN interface on the FWSM. Then you can create an ACL similar to how you would on an ASA or an IOS device. The syntax will be different, but using ? should get you through it.
If you're familiar with how the ASA configures interfaces you can ignore this next part...
interface Vlan14
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
Name the interface and set the security level (0-100): at 0 nothing is allowed by default unless there's an open session; at 100, traffic from higher to lower security interfaces is allowed by default.
Then you can apply the ACL to the interface in whichever direction you would like, in or out.
I don't particularly like using outbound ACLs; I'd much rather apply the policy to the interface where the traffic would enter the FWSM and restrict it/allow it there.
access-group inside_in_acl in interface inside
access-group inside_out_acl out interface inside
That's a quick explanation of how to get the job done, hope this helps.
Joe
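Pulling the steps in the post above together, here is an end-to-end configuration as an added example; it is not from the original post or from Cisco's documentation. It assumes the FWSM sits in slot 3, that VLAN 14 is the protected server VLAN (inside), that VLAN 4 carries traffic between the FWSM and the MSFC (outside), and that the module runs in single-context mode; the IP addresses, vlan-group number, ACL names and ACL entries are placeholders. Two practitioner checks are worth stating: the MSFC must not keep a routed SVI on the protected VLAN, or traffic will route around the module and never hit the ACL; and unlike an ASA, the FWSM passes no traffic between interfaces without an access list explicitly permitting it, even from a higher to a lower security level, so the inside ACL must carry the permit lines you rely on (confirm against the configuration guide for your release).

```text
! --- Catalyst 6500 supervisor (IOS side) ---
! Assumed: FWSM in slot 3, VLAN 14 = protected servers (inside), VLAN 4 = FWSM to MSFC (outside)
vlan 14
 name servers
!
firewall multiple-vlan-interfaces
firewall vlan-group 700 4,14
firewall module 3 vlan-group 700
!
! The MSFC lives on the outside VLAN only. No "interface Vlan14" with an IP address
! on the MSFC: an SVI there would route around the FWSM and bypass the ACL entirely.
interface Vlan4
 ip address 192.0.2.2 255.255.255.0
!
! Point the MSFC at the FWSM for the protected subnet.
ip route 10.1.1.0 255.255.255.0 192.0.2.1
!
! --- Get onto the module from the supervisor ---
! show module
! session slot 3 processor 1
!
! --- FWSM (single-context mode assumed) ---
! Multi-context instead: "changeto system", then "allocate-interface vlan14"
! inside the context definition before the interface can be configured there.
interface Vlan4
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.3
!
interface Vlan14
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
! "standby" addresses only matter when failover is configured.
route outside 0.0.0.0 0.0.0.0 192.0.2.2
!
! NAT is not shown; if nat-control is enabled on your release, add a nat/static
! or "nat (inside) 0" statement or the servers will not pass traffic.
!
! Policy for traffic entering the FWSM from the servers (placeholder entries;
! the real list is the ~2500-line policy from the question). Note netmask, not
! wildcard mask, and an explicit logged deny at the end.
access-list inside_in_acl extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list inside_in_acl extended permit udp 10.1.1.0 255.255.255.0 host 192.0.2.53 eq 53
access-list inside_in_acl extended deny ip any any log
!
! Policy for traffic entering the FWSM from the outside toward the servers.
access-list outside_in_acl extended permit tcp any host 10.1.1.10 eq 443
access-list outside_in_acl extended deny ip any any log
!
! Bind each list inbound on the interface where the traffic enters the FWSM.
! Nothing is applied on the switch itself for these VLANs; the vlan-group hands
! the VLAN to the module and the module enforces the policy.
access-group inside_in_acl in interface inside
access-group outside_in_acl in interface outside
!
! Verify from the FWSM:
!   show access-list inside_in_acl     (per-entry hit counts)
!   show run access-group              (which list is bound where, and in which direction)
```

This answers the original question directly: the ACL is never applied to the VLAN on the switch. The switch's `firewall vlan-group` hands VLAN 14 to the module, the FWSM owns the VLAN's gateway address, and `access-group ... in interface inside` is where the policy takes effect. Following shednik's preference, both lists are applied inbound on the interface where the traffic first enters the module rather than as outbound lists on the far side.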
pham0329 Member Posts: 556
Cisco has a really good configuration guide on the FWSM...it's about 700 pages and super helpful. I would suggest you take a look through it if you're going to be working with the FWSM.