New DMZ in FWSM

Hi Friends,
We have two FWSMs on 6509 boxes. The inside security level is 100, the outside is zero, and one DMZ has security level zero. I want to create another DMZ.
Could someone explain to me the steps to create a DMZ in FWSM? I am not an expert on FWSM. Also, the new DMZ should be able to communicate with the existing DMZ.
OSPF is running on the FWSM.
Regards,
Malik

Hello Faisai,
For that you will need to consider the servers/devices you will set on that interface.
If there are critical boxes then set a higher security level (100) so you can control traffic in a more responsible way (denying traffic from lower to higher by default), which you can then modify as your needs require, instead of using a lower security level and allowing traffic to it by default.
So in the end it will all depend on what you host behind it.
Now, depending on the security level, you will configure NAT and ACLs.
NAT is needed in order to be able to communicate with a public IP address from a private IP address. Remember that for you to go through the internet you MUST have a public IP address.
NAT is here to do two things:
Preserve the IPv4 address space
Allow you to communicate over the internet with another host
Looking for some Networking Assistance? 
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com

Similar Messages

  • Access for for new DMZ

    Dear All,
    Please help me to filter the traffic for a new DMZ which I have created. Right now the following ACL is under this new DMZ:
    access-list TEST line 1 extended permit ip any any
    but I want to allow certain subnets plus an old DMZ to access this new DMZ. I am not an expert on FWSM, so could you please help me to write down this ACL?
    Regards
    Malik

    I am assuming that the new DMZ is not to be able to initiate traffic to the old DMZ and the other subnets.
    interface g0/1
     description LAN
     security-level 100
     nameif LAN-subnet
     ip address 10.10.10.1 255.255.255.0
    interface g0/2
     description Old-DMZ
     security-level 50
     nameif Old-DMZ
     ip address 11.11.11.1 255.255.255.0
    interface g0/3
     description New-DMZ
     security-level 50
     nameif New-DMZ
     ip address 12.12.12.1 255.255.255.0
    access-list LAN-to-New-DMZ extended permit tcp 10.10.10.0 255.255.255.0 12.12.12.0 255.255.255.0 eq 21
    access-list Old-DMZ-to-New-DMZ extended permit tcp 11.11.11.0 255.255.255.0 12.12.12.0 255.255.255.0 eq 80
    access-group LAN-to-New-DMZ in interface LAN-subnet
    access-group Old-DMZ-to-New-DMZ in interface Old-DMZ
    same-security-traffic permit inter-interface
    You could use objects when creating the ACLs, but for the sake of simplicity I have not done so here.  This will allow traffic that is initiated from the LAN and Old-DMZ to access the New-DMZ.  This configuration will however not allow the New-DMZ to initiate any traffic to either of those networks.  If the New-DMZ needs to be able to initiate traffic then you would also need to create an ACL and apply it to the New-DMZ interface.
    Please remember to rate and select a correct answer
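
    The two threads so far ask the same thing: a second DMZ on an FWSM that must reach the existing DMZ, with OSPF running on the module. The following is an added example and not configuration posted by anyone in the thread. It uses the addresses from the reply above; the VLAN numbers (10/20/30), the FWSM slot number (3), the OSPF process and area, the object-group names and the syslog host 11.11.11.10 are assumptions. Unlike the reply's g0/x interfaces, an FWSM has only VLAN interfaces, which the 6509 supervisor hands to the module with a firewall vlan-group.

    ```cisco
    ! --- Catalyst 6509 supervisor: give the three VLANs to the FWSM in slot 3
    ! (slot and VLAN numbers are assumed for this example)
    firewall vlan-group 1 10,20,30
    firewall module 3 vlan-group 1
    !
    ! --- FWSM: interfaces are VLAN interfaces, not physical ports
    interface Vlan10
     nameif LAN
     security-level 100
     ip address 10.10.10.1 255.255.255.0
    interface Vlan20
     nameif Old-DMZ
     security-level 50
     ip address 11.11.11.1 255.255.255.0
    interface Vlan30
     nameif New-DMZ
     security-level 50
     ip address 12.12.12.1 255.255.255.0
    !
    ! Both DMZs sit at security-level 50; traffic between equal levels is
    ! refused until this is switched on.
    same-security-traffic permit inter-interface
    !
    ! Objects keep the ACL lines short: adding a client or a port later means
    ! editing the group, not the access list (group names are assumed).
    object-group network OLD-DMZ-WEB-CLIENTS
     network-object 11.11.11.0 255.255.255.0
    object-group service NEW-DMZ-WEB tcp
     port-object eq www
     port-object eq https
    !
    ! Old-DMZ -> New-DMZ: only web to the new DMZ; everything else from
    ! Old-DMZ hits the implicit deny at the end of the list.
    access-list Old-DMZ-in extended permit tcp object-group OLD-DMZ-WEB-CLIENTS 12.12.12.0 255.255.255.0 object-group NEW-DMZ-WEB
    !
    ! New-DMZ -> elsewhere: one logged exception (syslog back to an assumed
    ! collector in the old DMZ), explicit logged denies towards the internal
    ! networks, then internet access. Order matters: denies before the permit.
    access-list New-DMZ-in extended permit udp 12.12.12.0 255.255.255.0 host 11.11.11.10 eq syslog
    access-list New-DMZ-in extended deny ip any 10.10.10.0 255.255.255.0 log
    access-list New-DMZ-in extended deny ip any 11.11.11.0 255.255.255.0 log
    access-list New-DMZ-in extended permit ip 12.12.12.0 255.255.255.0 any
    !
    access-group Old-DMZ-in in interface Old-DMZ
    access-group New-DMZ-in in interface New-DMZ
    !
    ! OSPF already runs on the module: advertise the new DMZ subnet so the
    ! rest of the network routes to it through the FWSM (process/area assumed).
    router ospf 1
     network 12.12.12.0 255.255.255.0 area 0
    ```

    No NAT statements are shown; if nat-control is enabled on this FWSM, identity static translations between the two DMZ interfaces are needed in addition to the ACLs above.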

  • Re: adding new dmz nic

    Lane,
    > I just added a third nic to my bm37 server for a dmz. I also added a
    > server in the dmz. I can ping server and dmz interface on bm server.
    > the dmz server cannot access the internet for updates. I thought that
    > all the interfaces on the bm server would use the default route. I have
    > unloaded filters and it still does not work, so I know it is not a
    > filtering issue. Why does the dmz server not access the internet?
    > Private network 150.1.1.0, public interface 66.28.220.* dmz network 10.1.1.*
    did you configure the default gateway on the server in the DMZ, to be the
    IP address of the DMZ interface in the BM server?
    Cat
    NSC Volunteer Sysop

    Yes.
    >>> On 10/28/2005 at 10:21 am, in message <Ztq8f.782$[email protected]>, Caterina Luppi<[email protected]> wrote:
    > Lane,
    > > I just added a third nic to my bm37 server for a dmz. I also added a
    > > server in the dmz. I can ping server and dmz interface on bm server.
    > > the dmz server cannot access the internet for updates. I thought that
    > > all the interfaces on the bm server would use the default route. I have
    > > unloaded filters and it still does not work, so I know it is not a
    > > filtering issue. Why does the dmz server not access the internet?
    > > Private network 150.1.1.0, public interface 66.28.220.* dmz network 10.1.1.*
    > did you configure the default gateway on the server in the DMZ, to be the
    > IP address of the DMZ interface in the BM server?
    > Cat
    > NSC Volunteer Sysop

  • Want to push my home network behind a WRVS4400N DMZ

    Hello all,
         I've got a pretty typical setup with my DSL modem hooked to my WRT54GS, which is the gateway for my home network, both wired and not.   I have received a block of static IP's from my ISP and I now want to build a DMZ in "front" of my home network.  Here's what I envision:
            Internet
                |
            DSL Modem
                |
            WRVS4400N V.2  (no NAT, no DHCP, intrusion detection and firewall only) static IP on both sides of the router
                |
             DMZ (all static IP)
                |
            WRT54GS (static IP facing the DMZ, NAT, DHCP, etc behind the router)
    Does this look like a good design?  Is there anything I need to watch for to "push" my current home lan behind my new DMZ?  I'll have wireless (3 different SSID's) at each router (including the DSL modem which will have firewall, nat, etc turned off).
    Thanks for the help.
         - Jeff

    Jeff, based on your description and setup diagram, that looks just fine.  With the WRT54G on the DMZ with the firewall on, you will be just fine.

  • DMZ static nat!

    Hi Experts,
    I believe everyone is doing OK and getting along with what you are doing. I have this funny scenario that happened on an ASA 8.4 I configured recently for DMZ static NAT. See the topology attached.
    I configured the inside with a PAT:
    object network INSIDE
       subnet 192.168.200.0 255.255.255.0
       nat (inside,outside) dynamic interface
    That is working perfectly for inside to outside. So I have this server on the DMZ, an edge mail server for the client that is meant for the outside world to reach. Sure enough, I was happy that with the ASA 8.4 software, when doing DMZ static NAT, I don't have to deal with an ACL to allow access anymore; I mean, I thought that had been deprecated in the 8.3 and higher releases.
    I went on to configure the DMZ static NAT like this:
    object network DMZ_MAILEDGE_SERVER
    host 172.16.1.2
    object network DMZ_GLOBAL
    host 1.1.1.2
    object network DMZ_MAILEDGE_SERVER
    nat (dmz,any) static DMZ_GLOBAL
    I was happy that finally I got to feel what the new DMZ config on 8.4 should feel like... I tried pinging my DMZ server from outside, no joy at all. Did all I could do, even had to cross-check the internet for config samples; everything looked good. Still no joy.
    Then I thought of creating an access list to permit IP from the OUTSIDE interface to the DMZ, like so:
    access-list outside_access_in extended permit ip any object DMZ_MAILEDGE_SERVER
    Then my pings started going through for me to reach the server.
    I don't know, it feels all weird to me, since I was expecting configs 1 and 2 to get things going for me on software 8.4, not until I had to add config 3.
    Please, someone tell me I am getting it all wrong and let me know what I did wrongly!
    Thanks
    Teddy
    OK, I know the first part of the situation is solved and I'm grateful to Jouni who elaborated on it for me. But I have yet another pending situation that I could use some help with here, and I really wouldn't mind being told this is where I got it all wrong.
    So finally I could reach the server on the DMZ from outside via the static NAT. Yay!!! But I have some services that need to be reached on the mail server on the DMZ side of the network.
    Services like:
      dns 53, 193
      smtp 25
    My question is, do I place the access list to permit these services from outside to DMZ like this below?
    access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq dnsix
    access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq domain
    access-list outside_access_in extended permit tcp any object DMZ_MAILEDGE_SERVER eq smtp
    OR THIS
    access-list outside_access_dmz extended permit udp any eq dnsix object DMZ_MAILEDGE_SERVER eq dnsix
    access-list outside_access_dmz extended permit udp any eq domain object DMZ_MAILEDGE_SERVER eq domain
    access-list outside_access_dmz extended permit tcp any eq smtp object DMZ_MAILEDGE_SERVER eq smtp
    Which direction would be more appropriate to go via?
    Also, from the front-end mail server, if I try to ping the internet, say a domain name like www.yahoo.com, it would only resolve the name but the pings are not going through.
    Thanks for your advice in advance.
    I say this not to undermine anybody's help; Jouni, please, if you see this I would also appreciate your contribution too!
    Cheers!
    Teddy

    Hi,
    The NAT configurations seem just fine, but I would configure the static NAT a bit differently (doesn't mean you have to, though).
    What I would do is simply state the public IP address in the NAT configuration rather than configure an "object network" for the public IP address too.
    Your configuration is:
    object network DMZ_MAILEDGE_SERVER
    host 172.16.1.2
    object network DMZ_GLOBAL
    host 1.1.1.2
    object network DMZ_MAILEDGE_SERVER
    nat (dmz,any) static DMZ_GLOBAL
    My version would be
    object network DMZ_MAILEDGE_SERVER
    host 172.16.1.2
    nat (dmz,any) static 1.1.1.2
    The simple reason for me would be keeping the "object network" count to a minimum, and the fact that we don't usually need to reference the public IP address in any ACL configurations.
    What you originally saw happening with configurations 1 and 2 is to be expected. You will always need configuration 3, which is the ACL to allow the traffic from the "outside".
    If the "outside" interface doesn't have any ACL configured then it relies on the "security-level" alone, which should be "0". This usually means that no traffic can enter from "outside" to any other interface on the ASA, because all the other interfaces are above "security-level 0" and traffic is only allowed from HIGHER -> LOWER when there are NO ACLs. So the natural step to allow this traffic is to configure an ACL with the appropriate rules and attach it to the "outside" interface.
    Hope this helps
    Please remember to mark a reply as the correct answer if it has answered your question.
    Naturally, ask more if your question wasn't answered.
    - Jouni
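
    Putting Jouni's answer and Teddy's second question together, here is an added example (not configuration from either post) of the complete post-8.3 set: the static NAT, the ACL on outside, a restrictive ACL on dmz, and the ICMP inspection that the failed outbound pings point at. It assumes the interface names dmz and outside, an inside network of 192.168.200.0/24 taken from the INSIDE object earlier in the thread, and an object name DMZ_NET. On the port question: only the destination port is constrained, which is the first of Teddy's two lists. Clients choose ephemeral source ports, so the second form, which also matches the source port against 53 and 25, would drop almost every real connection. The dnsix keyword is TCP/UDP port 195 (the DNSIX security attribute token map service), not DNS, so it is left out here.

    ```cisco
    ! Real (untranslated) address of the edge mail server. Since 8.3 the ACLs
    ! refer to this object, never to the public address.
    object network DMZ_MAILEDGE_SERVER
     host 172.16.1.2
     ! One-to-one static NAT to the public address. (dmz,outside) rather than
     ! (dmz,any) so that inside hosts keep talking to the real 172.16.1.2.
     nat (dmz,outside) static 1.1.1.2
    !
    ! Dynamic PAT for the rest of the DMZ (object name assumed). Static object
    ! rules are evaluated before dynamic ones, so the mail server keeps its
    ! one-to-one mapping.
    object network DMZ_NET
     subnet 172.16.1.0 255.255.255.0
     nat (dmz,outside) dynamic interface
    !
    ! Inbound from the internet: destination port only, real address object.
    access-list outside_access_in extended permit tcp any object DMZ_MAILEDGE_SERVER eq smtp
    access-list outside_access_in extended permit udp any object DMZ_MAILEDGE_SERVER eq domain
    access-list outside_access_in extended permit tcp any object DMZ_MAILEDGE_SERVER eq domain
    access-group outside_access_in in interface outside
    !
    ! Outbound from the DMZ: once an ACL is bound here the implicit
    ! higher-to-lower permit is gone, so list what the edge server needs and
    ! log anything aimed at the inside network (assumed 192.168.200.0/24).
    access-list dmz_access_in extended deny ip any 192.168.200.0 255.255.255.0 log
    access-list dmz_access_in extended permit tcp object DMZ_MAILEDGE_SERVER any eq smtp
    access-list dmz_access_in extended permit udp object DMZ_MAILEDGE_SERVER any eq domain
    access-list dmz_access_in extended permit icmp object DMZ_MAILEDGE_SERVER any echo
    access-group dmz_access_in in interface dmz
    !
    ! "Resolves but does not ping": the ASA does not track ICMP state by
    ! default, so the echo-replies are dropped on outside. Inspecting ICMP
    ! makes the reply part of the existing connection.
    policy-map global_policy
     class inspection_default
      inspect icmp
    ```

    Use packet-tracer (for example "packet-tracer input outside tcp 203.0.113.10 40000 1.1.1.2 25", with a documentation address as the client) to confirm that the NAT phase rewrites 1.1.1.2 to 172.16.1.2 before the ACL phase evaluates outside_access_in against the real address.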

  • DMZ config! How to do? Easy question for experts! (ASA 5510

    Dear All
    I would like to add a DMZ and VPN to inside network to my ASA5510 configuration, but I'm not sure about the correct way to achieve my goal (I'm a newbie).
    I'll rate your post and promise to send to the best answer a traditional Christmas gift from my country, I'm sure that you will be pleased with it!:)
    Goal:
    1- I want to put a Microsoft Exchange Server 2007 (EDGE Role- Front-Side e-mail server) on a new DMZ.
    2- VPN access to inside network.
    1.1 This e-mail server (name EDGESRV) in the DMZ needs the following configurations:
    Access to EDGESRV from Internet (SMTP)
     Access from EDGESRV to internet (SMTP)
     Access from internal network to EDGSRV ports: 25(SMTP), 50389 (Ldap), 50636(Secure Ldap) and port 3389 (TCP for terminal services)
    ROUTER :
    Interface Serial IP: 195.22.12.46/30
    IP route 0.0.0.0 0.0.0.0 195.22.12.45
    Interface Ethernet f0/0: IP 195.22.26.17/29 (connect to router)
    ASA NETWORK
    Interface External e0/0 :IP 195.22.26.18/29 (connect to router)
    Interface internal: e0/1: IP 10.10.100.1 mask 255.255.252.0
    Interface DMZ: e0/2 : IP 10.10.150.1 mask 255.255.255.0 (not implemented yet)
    ASA Configuration (actual)
    ASA Version 8.0(2)
    interface Ethernet0/0
    nameif Interface_to_cisco_router
    security-level 0
    ip address 195.22.26.18 255.255.255.248
    interface Ethernet0/1
    nameif Int_Internal_domain
    security-level 100
    ip address 10.10.100.1 255.255.255.0
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    passwd xxxxxxxxxxxxx encrypted
    boot system disk0:/asa802-k8.bin
    ftp mode passive
    clock timezone WEST 0
    clock summer-time WEDT recurring last Sun Mar 1:00 last Sun Oct 2:00
    dns domain-lookup Interface_to_cisco_router
    dns domain-lookup Int_Internal_domain.com
    dns server-group DefaultDNS
    name-server 195.22.0.136
    name-server 195.22.0.33
    domain-name domain.com
    same-security-traffic permit intra-interface
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list Interface_to_router_Cisco_access_in extended permit object-group TCPUDP any any eq domain
    access-list Interface_to_router_Cisco_access_in extended permit tcp any any eq www
    pager lines 24
    logging list Registo_eventos_william level emergencies
    logging list Registo_eventos_william level emergencies class vpn
    logging asdm informational
    logging recipient-address [email protected] level critical
    mtu management 1500
    mtu Interface_to_router_Cisco 1500
    mtu Int_Internal_domain 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    global (Interface_to_router_Cisco) 101 interface
    nat (Int_Internal) 101 10.10.100.0 255.255.255.0
    nat (Int_Internal) 101 0.0.0.0 0.0.0.0
    nat (management) 101 0.0.0.0 0.0.0.0
    access-group Interface_to_router_Cisco_access_in in interface Interface_to_router_Cisco
    route Interface_to_router_Cisco 0.0.0.0 0.0.0.0 195.22.26.17 1
    access-list Int_Internal_access_in extended permit tcp any any
    access-list Int_Internal_access_in extended permit udp any any
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.10.100.0 255.255.255.0 Int_Internal_domain
    http 10.10.10.0 255.255.255.0 management
    http 195.22.26.16 255.255.255.248 Interface_to_router_Cisco
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    Kind Regards
    MP

    Mario,
    I think you have much more to go, but this is a start; I don't think I have covered everything. Others in NetPro may add to this.
    1- I want to put a Microsoft Exchange Server 2007 (EDGE Role- Front-Side e-mail server) on a new DMZ.
    Use this example, Configuring Mail server on DMZ http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml
    2- VPN access to inside network.
    You can configure RA VPN server using/creating in ASA5510 Local user database
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
    or configure RA VPN server using IAS RADIUS-Windows AD for authentication
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
    1.1 This e-mail server (name EDGESRV) in the DMZ needs the following configurations:
    Access to EDGESRV from Internet (SMTP)
     Access from EDGESRV to internet (SMTP)
     Access from internal network to EDGSRV ports: 25(SMTP), 50389 (Ldap), 50636(Secure Ldap) and port 3389 (TCP for terminal services)
    -Access to EDGESRV from internet on port smtp: if you have a spare public IP you can create a one-to-one NAT for this server and create
    inbound access rules to allow access on SMTP from the outside internet.
    If you do not have spare public IPs for a one-to-one NAT on this server you can use ASA outside interface static PAT.
    Example : static (dmz,outside) tcp interface smtp <EDGESRV-DMZ-IP> smtp netmask 255.255.255.255   (the real DMZ address of EDGESRV goes in the placeholder)
    -Access from EDGESRV to internet (SMTP)
    You need to PAT the DMZ network if EDGESRV does not have a one-to-one static NAT.
    Typical scenario:
    global (outside) 101 interface
    nat (dmz) 101 0 0
    or
    nat (dmz) 101 <255.255.255.255>
    Also for the mail server: if you are using a DNS server from your inside network you need an ACL to allow traffic from the mail server in the DMZ to the DNS server in the inside network.
    -Access from internal network to EDGSRV ports: 25(SMTP), 50389 (Ldap), 50636(Secure Ldap) and port 3389 (TCP for terminal services)
    From low sec level 0 to high sec level access is permitted by default; you do however need to create a static NAT to allow communication between inside and DMZ.
    In your scenario, if you have 192.168.1.0/24 for the inside interface network, you would then create something like this:
    static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
    Observation -
    I see you have interface Ethernet0/2 free; I assume you will probably be using this interface for your DMZ. I would advise using subinterfaces and dot1q in order to scale your DMZs in the future.
    Look at this link for reference on working with subinterfaces:
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html
    Rgds
    Jorge
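
    Jorge's pointers assembled into one worked ASA 8.0 configuration (pre-8.3 NAT syntax), as an added example rather than the poster's or Jorge's own config. It assumes the interfaces are named outside, inside and dmz (substitute the nameif values from the running config above), that EDGESRV is 10.10.150.10, that an internal DNS server sits at 10.10.100.53, and that the inside mask actually configured on Ethernet0/1 (255.255.255.0) is the right one.

    ```cisco
    ! Bring up the spare port as the DMZ (address from the question)
    interface Ethernet0/2
     nameif dmz
     security-level 50
     ip address 10.10.150.1 255.255.255.0
     no shutdown
    !
    ! --- NAT, pre-8.3 style
    ! Outbound PAT for the whole DMZ behind the outside address; id 101 ties
    ! the nat line to the global already present on outside.
    global (outside) 101 interface
    nat (dmz) 101 10.10.150.0 255.255.255.0
    !
    ! Inbound: no spare public IP, so static PAT of TCP/25 on the outside
    ! address to EDGESRV (server address assumed)
    static (dmz,outside) tcp interface smtp 10.10.150.10 smtp netmask 255.255.255.255
    !
    ! Identity NAT: inside and dmz see each other's real addresses. Without
    ! it the inside hosts match "nat (inside) 101" with no global on dmz.
    static (inside,dmz) 10.10.100.0 10.10.100.0 netmask 255.255.255.0
    !
    ! --- ACLs. Pre-8.3 lists match the translated address, hence "interface outside".
    access-list outside_access_in extended permit tcp any interface outside eq smtp
    access-group outside_access_in in interface outside
    !
    ! inside (100) -> dmz (50): the listed ports only. The logged deny must sit
    ! before the final permit, otherwise the permit to "any" covers the DMZ.
    access-list inside_access_in extended permit tcp 10.10.100.0 255.255.255.0 host 10.10.150.10 eq smtp
    access-list inside_access_in extended permit tcp 10.10.100.0 255.255.255.0 host 10.10.150.10 eq 50389
    access-list inside_access_in extended permit tcp 10.10.100.0 255.255.255.0 host 10.10.150.10 eq 50636
    access-list inside_access_in extended permit tcp 10.10.100.0 255.255.255.0 host 10.10.150.10 eq 3389
    access-list inside_access_in extended deny ip any 10.10.150.0 255.255.255.0 log
    access-list inside_access_in extended permit ip 10.10.100.0 255.255.255.0 any
    access-group inside_access_in in interface inside
    !
    ! dmz -> inside/internet: DNS to the assumed internal resolver, nothing
    ! else towards inside (logged), outbound SMTP to the internet.
    access-list dmz_access_in extended permit udp host 10.10.150.10 host 10.10.100.53 eq domain
    access-list dmz_access_in extended deny ip any 10.10.100.0 255.255.255.0 log
    access-list dmz_access_in extended permit tcp host 10.10.150.10 any eq smtp
    access-group dmz_access_in in interface dmz
    ```

    The dmz list is deliberately a closed list: an edge mail server that is compromised from the internet should be able to reach exactly one inside service, and every other attempt should show up in the logs.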

  • New block of IPs and new gateway to add on ASA5505

    At this time I have on my firewall the following;
    Subnet; 24.222.61.x
    Gateway; 24.222.61.x
    Subnet Mask; 255.255.255.240
    Usable IP Range; 24.222.61.x to x
    They gave me a new outside IP Addresses and GW;
    Subnet; 24.222.92.x
    Gateway; 24.222.92.x
    Subnet Mask; 255.255.255.224
    Usable IP Range; 24.222.92.x to x
    How do I add the new outside network to my ASA?

    Interfaces only support a single IPv4 address.  If you are changing addresses, you can just redo the outside interface ip address line and any default route statement.
    If you are keeping the old addresses plus adding the new ones, you have a couple of options:
    You could configure a second "outside" interface with a different name which used the new subnet and address.  However, there would be routing issues, so you might not like that.
    You could have the upstream ISP route the new subnet to your old firewall address, and use the new subnet for NAT.  This is particularly good for static inbound NAT scenarios.
    You could configure a new DMZ style interface for the new subnet on the inside, and also have the ISP route the new subnet to the old outside address.
    I use both strategies (2) and (3) with different chunks of my own public v4 space.
    -- Jim Leinweber, WI State Lab of Hygiene

  • DMZ VLANs in the Data Centre - Physical or Logical Separation

    I am building a new DMZ in my Data Centre and I'm looking at the merits of logical separation rather than physical separation.
    Instead of putting in some new DMZ switches and then physically cabling all the DMZ devices and servers to these switches so that they are physically separate from the rest of the DC, I'm thinking of connecting them up to the existing DC switches and just using a different set of VLANs, with the routed interfaces for these on physical firewalls.
    Can people please apprise me of the concerns or issues with this? Are there any articles or design papers on this?
    Thanks

    Come on guys I expected someone to at least make some form of comment!
    It looks like either the community doesn't know or doesn't care!

  • Upgrading FWSM version 4.x

    Good morning guys
    I need to upgrade an FWSM from version 4.1(6) to 4.1(15). I understand this procedure as maintaining the same major and minor version, only changing the maintenance release.
    I found some articles and discussions regarding caution when upgrading between different minor and major versions.
    I have never upgraded an FWSM, only ASA appliances. I need to perform this aiming for zero downtime, the same way I could perform it with ASA appliances.
    I could not find where the actual system image is (it doesn't appear with the dir command). I could not even find something like boot in the configuration.
    Those modules work in active-standby and have many contexts.
    Does anyone have the detailed procedures, recommendations and commands to perform this task? This environment is very critical.
    Regards
    Christian

    Hello.
    Today I have found that a new release is available, FWSM 4.1(16), but there are no Release Notes for this minor release!
    Download link:
    http://software.cisco.com/download/release.html?mdfid=277413409&flowid=4383&softwareid=280775068&release=3.2(28)&relind=AVAILABLE&rellifecycle=&reltype=latest
    Release notes link:
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/release/notes/fwsmrn41.html
    There is no 4.1(16) mentioned. Does anybody know the difference between 4.1(15) and 4.1(16)?

  • Want to put my WRT54GS behind a WRVS4400N DMZ

    Hello all,
         I've got a pretty typical setup with my DSL modem hooked to my WRT54GS, which is the gateway for my home network, both wired and not.   I have received a block of static IP's from my ISP and I now want to build a DMZ in "front" of my home network.  Here's what I envision:
            Internet
                |
            DSL Modem
                |
            WRVS4400N V.2  (no NAT, no DHCP, intrusion detection and firewall only) static IP on both sides of the router
                |
             DMZ (all static IP)
                |
            WRT54GS (static IP facing the DMZ, NAT, DHCP, etc behind the router)
    Does this look like a good design?  Is there anything I need to watch for to "push" my current home lan behind my new DMZ?
    Thanks for the help.
         - Jeff

    OK, I have a complication (I used to know this stuff, really....). I started mapping out the IP networks, started to configure the WRVS4400N, and got lost.
    My ISP gave me a block of static IPs, say 1.2.3.4-19 (a block of 16). They reserve 3, so I get to use 13.
    1.2.3.4 is reserved (probably for their router)
    1.2.3.19 is reserved for broadcast
    1.2.3.18 is reserved for gateway.
    So I tried to set up the 4400N last night and got stuck setting up the routing.  Here's a diagram:
         DSL Modem - 1.2.3.4 (internal) - this is an Actiontec GT701-WG - could be replaced with any DSL modem/router
                  |  1.2.3.18 (gateway)
                  |
                  |  (1.2.3.5 Wan port)
        WRVS4400N - no dhcp, no nat (in router state not gateway), Intrusion and Firewall on - 1.2.3.6 internal
                  |  (1.2.3.7 Lan port)
                  |
                  |------------------------------------------this is where I want to put 1.2.3.8-16 (servers)
                  |
                  |  1.2.3.17 (Wan Address)
         WRT54GS  - almost default setup
                  |  192.168.1.1
                  |
    (Home Network)
    The problem I have is that I don't get to pick the IP's that are reserved on the actiontec, and they encompass the entire IP range I've been given.  I want the protection of the 4400 for my servers, but I don't see how to build a route table to form a separate cloud of 1.2.3.5-17.  It's like I'm cascading three routers over only two IP ranges.  Splitting the 1.2.3.x ip range into two subnets doesn't seem to work since the isp grabs both the top and the bottom of the range.
    Can someone help me with the details of setting something like this up?
    ....Alternatively, the reason I am looking to do this is that I want to protect my home net, offer web services from my DMZ, yet be able to let my home net access dmz servers without going out and back in via the internet.  I could set up two VLAN's, one for home, one for the DMZ, both using NAT on two different IP ranges (giving me 3), but I have two problems - I have several servers that I need to service internet requests (not just one DMZ PC) and I want to access the DMZ from the home net directly.  If I set inter-VLAN routing on, I think I'm giving a channel for a hacker to get to my home net.
    So I'd be open to any alternatives.  Functionally, I don't think what I want to do is hard, but getting into the weeds of configuration has my head spinning.
    Thanks again for all the help, it is very much appreciated.
        - Jeff

  • ESP traffic through FWSM

    Hi,
    I've built site-to-site VPNs between a PIX and an ASA with traffic passing through an FWSM.
    This is the architecture:
    LAN1---PIX--------(dmz interface)FWSM(outside interface)--------ASA----LAN2
    The VPNs come up regularly but I am experiencing some performance issues, so I am trying to look into the logs.
    In the FWSM log I can see a lot of these entries regarding ESP protocol traffic between the endpoint peers:
    6|Jan 29 2014|13:07:56|302022|||||Built IP protocol 50 connection 144547910545237602 for outside:x.x.x.x(x.x.x.x) to dmz:y.y.y.y (y.y.y.y)
    6|Jan 29 2014|13:07:56|302022|||||Built IP protocol 50 connection 144547910545237601 for dmz:x.x.x.x(x.x.x.x) to outside:y.y.y.y (y.y.y.y)
    x.x.x.x and y.y.y.y are the VPN peers' IP addresses, but I suspect some strange behaviour because I see x.x.x.x and y.y.y.y respectively at the same time on the outside interface and on the dmz interface during the build of the IP protocol 50 connection.
    Do you think it is normal behaviour or does it mean that it's a fault?
    Any suggestion will be very much appreciated.
    Thanks
    angelo

    Hi Marcin, thanks for your reply.
    Yes, I know, I expected two flows for inbound and outbound; that's correct, but I don't understand why the FWSM sees the same IP incoming on both interfaces, dmz and outside. That seems strange. If x.x.x.x is on the dmz and y.y.y.y on the outside, what does this entry mean?:
    6|Jan 29 2014|13:07:56|302022|||||Built IP protocol 50 connection 144547910545237602 for outside:x.x.x.x(x.x.x.x) to dmz:y.y.y.y (y.y.y.y).
    Hi
    angelo

  • ACE and FWSM Deployment design

    Hi,
    I have a new deployment with FWSM in single context and ACE in multiple context. I actually need 3 contexts. What is the best mode of deployment of FWSM with ACE? I want to have the gateway of all real servers as the firewall.
    Shall it be something like this: MSFC -> FWSM -> ACE -> real servers?
    What mode should the FWSM be in?
    with regards
    sathappan.s

    Hi
    You don't need to match FWSM contexts to ACE contexts. You are quite right in what you say: you could use one routed context on the FWSM and use different interfaces in that context for each ACE context.
    It all depends on how you want to organise it. For example, it could be argued that having matching contexts allows for easier administration, having both the FW ruleset and the ACE rules "tied" to each other. Also, if you have separate depts. managing their firewalls/load balancers, contexts are the way to go.
    As I said before, it often comes down to licenses/cost, but yes, it is possible to use only one FWSM context.
    Jon

  • Design Help - Firewall/DMZ

    Hi,
    I am about to purchase two 5515-X next generation firewalls and I need to decide what to do as far as the design goes, so I need some help from the experts. These appliances seem to come with six 1Gbps ports, which is enough. In our LAN, we have two 6500s running in VSS mode and we are also going to get our second ISP. Doing the obvious, which is to cross-connect each firewall with the two 6500s and possibly with the internet routers. Is there something else you recommend?
    Planning to trunk a couple of interfaces and connect them to a DMZ switch; however, how do I make that one switch redundant? Some of the vendors currently connected do not offer a redundant link in case of failure.
    I'll be deploying the devices as active/standby, and this is because I have VPNs configured, which, it is my understanding, means both devices can't be active with this type of configuration. Can someone advise on this matter? However, the company wants to use them both at the same time.
    Using two ISPs, how do I deal with the Public-Internal NAT?
    Any help is greatly appreciated. Thanks.

    > Planning to trunk a couple of interfaces and connect them to a DMZ switch; however, how do I make that one switch redundant? Some of the vendors currently connected do not offer a redundant link in case of failure.
    Well, you could use the 6500s if you have enough free interfaces on them.  Create the DMZ VLAN on the 6500s as well as on the new DMZ switch.  On the 6500 and the DMZ switch configure the ports as trunks but only allow the single VLAN on that trunk.  Create a subinterface on the ASA, place that subinterface in the new DMZ VLAN and give it an IP.
    > I'll be deploying the devices as active/standby and this is because I have VPNs configured which it is my understanding that both devices can't be active with this type of configuration. Can someone advise on this matter? However, the company wants to use them both at the same time.
    What the company wants isn't always the best solution, and they should be told that from time to time.  However, it is possible to configure the ASAs in an Active/Active setup.  This will require that the ASAs are configured in multiple context mode.  On one ASA context 1 is active while context 1 on the second ASA is in standby mode; then on the second ASA context 2 is the active context and on the first ASA context 2 is in standby mode.  This setup will allow the use of both ISP connections and be able to maintain VPN connections.  Keep in mind that the VPN connections will not be active on both ASAs.  They will only be active on the active context, but will fail over to the standby context if a failure occurs.
    > Using two ISPs, how do I deal with the Public-Internal NAT?
    The ASA does not support two active default gateways, and therefore two ISPs are not supported in single context mode.  So if you have a requirement to use both ISP connections simultaneously then you need to have multiple contexts. Each context is a virtual firewall and completely separate from the others.
    So, back to the active contexts.  Context 1 on ASA1 is the active context and is connected to ISP1.  Context 2 on ASA2 is the active context and is connected to ISP2.  You would perform NAT in exactly the same way as you would on a single-context ASA, no hocus pocus.  The only difference is that the traffic that goes towards each context, and subsequently each ISP, is not from the same subnet.  It needs to be separated and then divided between the two contexts.
    So, context 1 would have traffic for VLANs 1, 3, 5, 7, 9 and context 2 would have traffic for VLANs 2, 4, 6, 8, 10.
    Here is a link on how to configure active/active failover.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_failover.html#wp1163513
    Please remember to rate and select a correct answer
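
    An added example of the Active/Active layout the reply describes, as seen from the system execution space of the primary 5515-X; it is not configuration from the thread. Interface numbers, VLAN ids, the failover-link addressing (10.255.255.0/30), and the context and file names are assumptions. The unit must already be in multiple context mode ("mode multiple", which reloads the device), and the peer carries the mirror image with "failover lan unit secondary". Inside each context, routed-mode NAT is configured exactly as on a single-context ASA, as the reply says; the 6500 VSS then routes the odd VLANs to the inside address of the ISP1 context and the even VLANs to ISP2.

    ```cisco
    ! --- System execution space, primary unit (mode multiple already set)
    ! Parent ports and the subinterfaces to be handed to the contexts
    interface GigabitEthernet0/0
     no shutdown
    interface GigabitEthernet0/0.101
     vlan 101
    interface GigabitEthernet0/0.102
     vlan 102
    interface GigabitEthernet0/1
     no shutdown
    interface GigabitEthernet0/1.201
     vlan 201
    interface GigabitEthernet0/1.202
     vlan 202
    !
    ! The admin context must exist before any other context is defined
    admin-context admin
    context admin
     allocate-interface Management0/0
     config-url disk0:/admin.cfg
    !
    ! Dedicated failover + state link (interface and addresses assumed)
    failover lan unit primary
    failover lan interface FOLINK GigabitEthernet0/5
    failover link FOLINK GigabitEthernet0/5
    failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
    !
    ! Two failover groups: group 1 is normally active on this (primary) unit,
    ! group 2 on the secondary. "preempt" hands a group back to its preferred
    ! unit once that unit has recovered, so the split-ISP layout restores itself.
    failover group 1
     primary
     preempt
    failover group 2
     secondary
     preempt
    !
    ! One context per ISP; each joins exactly one failover group. The mapped
    ! names (outside/inside) are what the context's own config uses in nameif.
    context ISP1
     allocate-interface GigabitEthernet0/0.101 outside
     allocate-interface GigabitEthernet0/1.201 inside
     config-url disk0:/ISP1.cfg
     join-failover-group 1
    context ISP2
     allocate-interface GigabitEthernet0/0.102 outside
     allocate-interface GigabitEthernet0/1.202 inside
     config-url disk0:/ISP2.cfg
     join-failover-group 2
    !
    ! Enable failover last, after both units carry the matching configuration
    failover
    ```

    After both units are up, "show failover" in the system space should list group 1 as Active on the primary and Standby Ready on the secondary, and group 2 the other way round; a group shown Active on both units means the failover link is not passing hellos.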

  • DMZ and the Portal

    Hello,
    I hope this is the right forum for this question.  Our Portal is up and running fine however we are having problems with our DMZ and need to replace it. Can anyone tell me what if any configuration will need to be done with the new DMZ.
    Thanks in advance
    Stephanie

    Hi Stephanie,
    In the portal the system object pointing to the new cluster instance needs to point at the virtual node which will always be available. So instead of an alias you use the virtual name of the clustered instance. Also in the configuration parameters remember to use UNC paths (ex. "\\virtualservernode\sapmnt\SID\SYS\profile" instead of "C:\usr\sap\SID\SYS\profile".) We have a problem due to this in my company at the moment because it wasn't installed using virtual nodes and UNC paths, but using physical hardware nodes/names, and non-UNC paths. So if the cluster fails over, it will be alive, but users would not be able to log on anymore because their links (favourites etc.) point to the physical node 1 of the cluster, and the system object in the portal points to the old node 1. It's easy enough to change the portal system object, but parameters are wrong in the profile too, which is a bigger issue. So please be aware about functionality in the cluster operation, and make sure to implement it after best practice methods so that you can avoid these issues.
    Another way of controlling this would be to use a Web Dispatcher in front of your portal so if you should encounter problems you only have 1 place to correct paths etc. So the users would have 1 link to the portal, and you could change what's behind the Web Dispatcher without any user interruption - they still just have the pointer for the Web Dispatcher - as a single point of entrance to the portal. This is a solution I will implement myself Q1 of next year, because I had issues with old saved favourites when I changed our portal environment to run https/ssl. Everyone still had the old link for http - and you can't blame the users really, I use favourites a lot myself. So I want a single point of entry for the portal environment, no matter what's behind.
    I hope everything will be ok in your project.
    Kind Regards,
    Soren
    Edited by: Soeren Friis Pedersen on Dec 23, 2010 7:37 AM

  • Firewall Vlan group

    Good evening. I have a Cisco Catalyst 6500 with a Firewall module which has the following configuration on the switch:
    firewall module 4 vlan-group 10,20,30,40,50,60,70,80,90,100,140,190,200,300,310,350
    firewall vlan-group 10  10
    firewall vlan-group 20  20
    firewall vlan-group 30  30
    firewall vlan-group 40  40
    firewall vlan-group 50  50
    firewall vlan-group 60  60
    firewall vlan-group 70  70
    firewall vlan-group 80  80
    firewall vlan-group 90  90
    firewall vlan-group 100  100
    firewall vlan-group 140  140
    firewall vlan-group 190  190
    firewall vlan-group 200  200
    firewall vlan-group 350  350
    When I try to add a new VLAN so that it is controlled by the Firewall, I get the following error message:
    No more than 16 groups allowed for a module
    This core allows me up to 256 VLANs, but in groups of 16 VLANs. The question is: how can I change this configuration in order to assign more VLANs to the FWSM? And if I do so, is it guaranteed that no FWSM configuration will be lost when making this change?
    I am very grateful to the person(s) who can help me with this question.
    Good night and see you later.
    Francisco Velasco
    E-mail: [email protected]

    Dear Team
    We have a core switch in VSS with FWSM running with multiple contexts.
    I need to create 5 new DMZs (interfaces) in the FWSM server context.
    Currently my config shows like below, which includes three "firewall vlan-group" statements, each with a comma-separated list of vlan numbers:
    firewall switch 1 module 4 vlan-group 1,2,3
    firewall switch 2 module 4 vlan-group 1,2,3
    firewall vlan-group 1  2,3,4
    firewall vlan-group 2  5,6,7  (vlans for server context)
    firewall vlan-group 3  8,9,10
    My question is:  when I add the 5 new vlans, do I simply have to issue an additional "firewall vlan-group" statement with the five new vlan numbers, like this?
    firewall vlan-group 2 30,40,50,60,70  (I need to add vlans in vlan-group 2)
    In other words, will the above command overwrite my existing list of vlans in vlan group 2 if I only add the five new vlans in vlan group 2?  I obviously don't want to lose connectivity by erasing all my existing vlans.
    Or do I have to issue a new statement that includes ALL of the existing vlans and the five new vlans, like this?
    firewall vlan-group 2 [all previously existing vlans],30,40,50,60,70 (five new vlans)
    I want to know, if I typed the above command with the existing vlans and the new vlans, does it cause any issues to the running environment, because I think with the above command the existing vlans will also be pushed along with the new vlans to the FWSM again, or is this not the case?
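    For both the Catalyst 6500 post above and this VSS one, the following is a pre-change check that can be run over the switch's "firewall vlan-group" and "firewall module ... vlan-group" lines before adding VLANs. It is an added Python example, not code from either poster or from Cisco; the configuration text it parses is constructed from the VSS post, and the 16-group limit is the one the 6500 reported. It does not settle whether a repeated "firewall vlan-group" command merges into or replaces the existing group; instead it builds the command that carries the full VLAN list (existing plus new), which produces the same end state under either behaviour, and it flags modules over the 16-group limit, groups a module references without a definition, and VLANs that appear in more than one group.

```python
import re

# The per-module group limit quoted by the switch in the thread above
# ("No more than 16 groups allowed for a module").
MAX_GROUPS_PER_MODULE = 16

# Constructed sample, modelled on the VSS post above; not a real device dump.
SAMPLE_CONFIG = """
firewall switch 1 module 4 vlan-group 1,2,3
firewall switch 2 module 4 vlan-group 1,2,3
firewall vlan-group 1  2,3,4
firewall vlan-group 2  5,6,7  (vlans for server context)
firewall vlan-group 3  8-10
"""

GROUP_RE = re.compile(r"^firewall vlan-group (\d+)\s+(\S+)$")
MODULE_RE = re.compile(r"^firewall (?:switch (\d+) )?module (\d+) vlan-group (\S+)$")


def parse_vlan_list(text):
    """Expand a comma list with optional ranges ('2,3,8-10') into a sorted list of ints."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return sorted(vlans)


def parse_config(text):
    """Return (groups, modules): group id -> set of VLANs, (switch, module) -> list of group ids."""
    groups, modules = {}, {}
    for raw in text.splitlines():
        # Drop trailing parenthesised notes such as "(vlans for server context)".
        line = raw.split("(", 1)[0].strip()
        m = GROUP_RE.match(line)
        if m:
            gid = int(m.group(1))
            groups.setdefault(gid, set()).update(parse_vlan_list(m.group(2)))
            continue
        m = MODULE_RE.match(line)
        if m:
            switch = int(m.group(1)) if m.group(1) else None
            key = (switch, int(m.group(2)))
            # Group ids use the same comma/range syntax as VLAN lists.
            modules[key] = parse_vlan_list(m.group(3))
    return groups, modules


def check_config(groups, modules):
    """Return a list of findings; an empty list means no problem was detected."""
    findings = []
    for key, gids in sorted(modules.items(), key=str):
        if len(gids) > MAX_GROUPS_PER_MODULE:
            findings.append(
                f"module {key}: {len(gids)} groups assigned, limit is {MAX_GROUPS_PER_MODULE}"
            )
        for gid in gids:
            if gid not in groups:
                findings.append(f"module {key}: group {gid} is referenced but never defined")
    # A VLAN should belong to exactly one group.
    owner = {}
    for gid in sorted(groups):
        for vlan in sorted(groups[gid]):
            if vlan in owner:
                findings.append(f"vlan {vlan} appears in groups {owner[vlan]} and {gid}")
            else:
                owner[vlan] = gid
    return findings


def merged_group_command(groups, gid, new_vlans):
    """Build the 'firewall vlan-group' line carrying the full list (existing plus new VLANs).

    Issuing the complete list gives the same set of VLANs whether the switch
    merges a repeated command into the group or replaces the group with it.
    """
    full = sorted(set(groups.get(gid, set())) | set(new_vlans))
    return f"firewall vlan-group {gid} {','.join(str(v) for v in full)}"


if __name__ == "__main__":
    groups, modules = parse_config(SAMPLE_CONFIG)
    for finding in check_config(groups, modules):
        print("FINDING:", finding)
    # The full-list form of the command the VSS poster is asking about.
    print(merged_group_command(groups, 2, [30, 40, 50, 60, 70]))
```

    Run it against a `show running-config | include firewall` capture instead of `SAMPLE_CONFIG` to check a real switch; a module that already carries 16 groups will be reported before the switch rejects the 17th.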
