Greg,
If you check the documentation you'll find that you cannot have both
transparent (L2) and virtual contexts configured on one FWSM blade in
v2.2. This will be in a future release.
Liberty for All,
Brian
At 12:00 PM 8/17/2004 -0400, firewall-wizards-request_at_honor.icsalabs.com wrote:
>Message: 2
>Date: Fri, 13 Aug 2004 07:39:08 -0700
>From: greg padden <paddeng_at_biostat.wisc.edu>
>To: firewall-wizards_at_honor.icsalabs.com
>Subject: [fw-wiz] Problem with Cisco Firewall Service Module running in transparent mode
>
>I have been attempting to get a Cisco Firewall Service Module (FWSM) running
>software version 2.2(1) in transparent mode and multiple context mode.
>
>Here is the problem that I am running into:
>
>I have a bunch of vlans already routing on the MSFC2 blade, I want to
>move each of these vlans behind their own "virtual" firewall (what cisco
>calls a context). So, I first remove this vlan interface from the MSFC2
>router, then I assign this vlan to the firewall module, assign a new
>vlan to the firewall module which will become the new outside vlan, then
>I session into the firewall module and allocate these two vlans to the
>new context, I then go into the context and define the firewall rules.
>Go back to the MSFC2 router and define the new "outside" vlan interface
>on the router.
>
>After I have done this, "some" hosts on the inside vlan cannot connect
>to "some" places on the Internet (or other places on the outside of the
>FWSM). If I take a test pc and give it the same ip address of the
>troubled machine I can confirm that they cannot ping, http, or IMAP to
>some hosts, but if I take a different ip address on the same LAN I can
>successfully connect to the same outside host (the firewall rules for
>testing are permit ip any any outbound and inbound, so it is NOT the
>firewall rules).
>
>I have troubleshot this with Cisco about 3 times now and they cannot
>figure it out. After a reboot of the entire Catalyst 6500 everything
>works fine!!!
>
>So here is my complete setup: Catalyst 6509 with dual supII's with dual
>MSFC2 routers configured in SRM mode, the Cat is running hybrid IOS 7.6.7.
>
>Has anybody else had trouble migrating VLANS from the MSFC2 to a virtual
>transparent firewall on the FWSM? Or seen this behavior?
Brian Ford
Consulting Engineer, Security & Integrity Specialist
Office of Strategic Technology Planning
Cisco Systems Inc.
http://www.cisco.com/go/safe/
The opinions expressed in this message are those of the author and not
necessarily those of Cisco Systems, Inc.
This email address is transmitted from San Jose, California, U.S.A.
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Aug 17 2004