FWSM and CSM

Folks,
I know a lot of customers like to implement both at the same time, so that the FWSM can give protection to the CSM. Can someone point me to the same config that talks about how to configure the 2 together? I remember looking at the config where the FWSM was configured in transparent mode and the CSM was placed behind the FWSM. But there was a catch to the config which I forget.
So let's say my FWSM is bridging between VLAN 10 and 11. Will the CSM VIP be in VLAN 11 (the high-security interface on the FWSM)? Will this work? Where would my real servers reside? Has anyone tested this and could share a sample config please?

I worked on a design where the FWSM was in routed mode and the CSM server VLAN was on the secure network, and the FWSM had the necessary translations and access-lists to pass the traffic.
For the FWSM in transparent mode, it would still be the same case, where the VIP is on the secure side of the network.
Thanks
Nadeem
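The layout Nadeem describes, as a constructed configuration fragment added here (not a config from the original thread): FWSM in routed mode with VLAN 10 outside and VLAN 11 inside, the CSM VIP on VLAN 11 (the secure side), real servers on a separate CSM server VLAN 12, and the translation and access-list on the FWSM. Slot number, VLAN numbers and addresses are placeholders.

```cisco
! ---- FWSM, routed mode, single context (constructed example) ----
! VLAN 10 = outside (security 0), VLAN 11 = inside (security 100).
! The CSM client VLAN and its VIP live on VLAN 11, the secure side.
interface Vlan10
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan11
 nameif inside
 security-level 100
 ip address 10.1.11.1 255.255.255.0
!
! Static translation: publish the CSM VIP 10.1.11.100 as 192.0.2.100
static (inside,outside) 192.0.2.100 10.1.11.100 netmask 255.255.255.255
!
! Only HTTP to the published VIP is permitted inbound; everything else
! from the outside is dropped by the implicit deny at the end of the ACL.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.100 eq www
access-group OUTSIDE_IN in interface outside
!
route outside 0.0.0.0 0.0.0.0 192.0.2.254
! Route to the real-server VLAN behind the CSM, via the CSM client-side address
route inside 10.1.12.0 255.255.255.0 10.1.11.2

! ---- CSM in slot 4 of the same 6500, routed mode (constructed example) ----
! Client VLAN 11 faces the FWSM inside interface; server VLAN 12 holds the
! real servers, which use 10.1.12.1 (the CSM) as their default gateway so
! return traffic flows back through the CSM and the FWSM symmetrically.
module ContentSwitchingModule 4
 vlan 11 client
  ip address 10.1.11.2 255.255.255.0
  gateway 10.1.11.1
 !
 vlan 12 server
  ip address 10.1.12.1 255.255.255.0
 !
 serverfarm WEB
  nat server
  no nat client
  real 10.1.12.11
   inservice
  real 10.1.12.12
   inservice
 !
 vserver WEB-VIP
  virtual 10.1.11.100 tcp www
  vlan 11
  serverfarm WEB
  inservice
```

Because the real servers are reachable only through the CSM, the FWSM sees just the VIP flows, and the outside can reach the farm only via the single translated address the access-list allows.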

Similar Messages

  • FWSM and CSM in same 6509? Best Practice?

    I have a customer that has a FWSM and CSM in the same 6509 chassis. Is there a best practices configuration for doing this?

    Hi,
    Here are good documents:
    http://cisco.com/en/US/partner/netsol/ns340/ns394/ns224/ns304/networking_solutions_package.html
    In particular:
    http://cisco.com/application/pdf/en/us/guest/netsol/ns304/c649/cdccont_0900aecd8010e77f.pdf
    Best regards,
    Pascal

  • FWSM and CSM (Load Balance) in the same chassi

    Folks,
Is there any type of best practice (you ** must ** do it like this) when you are going to implement the FWSM and the CSM modules on the same 6509 chassis?
PS: The CSM is not doing FW load balancing, it is doing load balancing to servers located in a DMZ
PATH:
(outside) FWSM (inside) -> MSFC -> (inside) PIX (dmz) -> CSM  , CSM -> (dmz) PIX (inside) -> MSFC -> (inside) FWSM
My main doubts:
1) FWSM using multi-context: is there any integration problem with the CSM?
2) FWSM and CSS in routed mode: is there any integration problem with both modules?
3) Is it really necessary to operate the FWSM module in bus mode when using the CSM in the same chassis (fabric switching-mode force bus)?
    Cisco Says:
    "The CSM line card operates in bus mode. When using the CSM in conjunction with the FWSM line card,
    Cisco recommends forcing the FWSM to operate in bus mode using the
    fabric switching-mode force bus command. When service modules such as the CSM and the FWSM
    operate in bus mode, traffic from DFC-enabled line cards still use the fabric connection."
In the past it was a workaround due to a bug, but I have found this recommendation and now I am a little confused.
    Tks !!!

    Luis-
You will want to use routed mode on the CSM so that the firewall contexts don't see each other's MAC addresses for any traffic not destined to a VIP. On the CSM VLANs, you will want to create alias IPs to use as the next-hop destination between contexts for non-VIP traffic. Other than that, the CSM has no concept of contexts, so as long as the traffic is symmetric when it flows through the CSM VLANs, it will be happy.
    Regards,
    Chris

  • Problem with FWSM and L3 interface in same switch

    I have two 6513s with an 802.1q trunk connecting them. Each switch has redundant Sup720s running in Native mode, IOS ver 12.2(18)SXF (they were initially running SXD3). A FWSM (ver 2.3(3), routed mode, single context) is in each switch, setup in failover mode.
I cannot get a PC, in a VLAN that has the layer 3 interface defined on the switch with the active FWSM in it, to communicate with devices "behind" the FWSM. If I move the layer 3 configuration for that VLAN to the other 6513, everything works fine.
    The MSFCs are on the inside of the firewall, they have a layer 3 interface configured in the same vlan as the FWSM "inside" interface. Several "same security level" interfaces are defined on the FWSM and used to protect server farms. I am using OSPF on the MSFCs and FWSM and the routing table is correct.
    The FWSM builds connections for attempts made by the PC with the layer 3 interface defined on the same switch as the active FWSM just fine, so this is not a FWSM ACL problem.
    A ping of the FWSM "inside" interface from a PC with the layer 3 interface defined on the same switch as the active FWSM fails, even though debug icmp trace on the FWSM shows the request and the response. A packet capture, using the NAM-2, shows only the request packets. I have captured on the common vlan and the FWSM backplane port channel interface.
    Just to add to the confusion, if I capture in the same places, but do the ping from a PC that is in a vlan with the layer 3 interface defined in the 6513 that does not contain the active FWSM, which works fine, I see the request and reply on the common vlan capture, but only the request on the port channel capture.
    This problem has been there from the beginning of this implementation and has not changed with IOS and FWSM software upgrades. I have experienced this with any and all vlans that I tried to define the layer 3 interface for on the switch with the active FWSM. I have MLS turned on.
    If anyone else has experienced this and solved it, or knows what is going on, I would appreciate any insight.
    Thanks.
    Keith

    I will have to get setup to record more data, but I do know the FWSM showed a ping request and a ping reply at the "inside" interface.
    I believe my problem is related to the IOS command "firewall multiple-vlan-interfaces" which I put in place to allow IPX traffic to be brought around the FWSM. The little documentation that there is for this command, states that policy routing may need to be implemented to prevent ip packets from going around the firewall. I do not have any policy routing in place.
I also do not have any active layer three interfaces defined for any of the VLANs assigned to the firewall except the "inside" interface. So my reasoning was that I did not need to be concerned about IP packets having a way around the FWSM. My suspicion is that this command and the fact that I have MLS on is causing some type of a problem which results in the packet being "lost" when it needs to go through the MSFC in the switch with the active FWSM to get to the PC. Hopefully that makes some sense.
Do you have any idea where better documentation on using the "firewall multiple-vlan-interfaces" command may be, or a better explanation of all that is happening inside the switch when that command is used?
    Thanks.

  • Sharing a VLAN between FWSM and ACE (Routed Mode)

    Anybody in here with experience on sharing a Vlan between an ACE and a FWSM module?
    I have a transfer network between the ACE and the FWSM in the same chassis. FWSM gets several vlans and ACE gets some Vlans.
    I wanted to configure it like this.
    firewall vlan group 10 <FWSM only vlans>
    firewall vlan group 20 <shared FWSM and ACE vlan>
    or
    svclc vlan group 20 <shared FWSM and ACE vlan>
    svclc vlan group 30 <ACE only vlans>
    The design hides the client side network and the server side network for the ACE behind the FWSM module.
    Layout:
    |-- Clients <--> MSFC <--> FWSM <--> ACE <--> Server --|
    So allocation on the 65xx would be like this.
    firewall module n vlan-group 10,20
    svclc module n vlan-group 20,30
    Any obvious issues with this design if you share the vlan(s) referred in group 20 with both modules?
    FWSM and ACE will be in routed mode.
    Thanks for reading...
    Roble

    Never mind...
Just found the perfect answer for this in another posting from Syed.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Data%20Center&topic=SNA%20Data%20Center%20Networking&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dddee0b/0#selected_message
    Roble

  • Fwsm and msfc with glbp

Hello,
    SCENARIO; (see attached drawing)
    -2x6500
    -each having FWSM
    -GLBP running on the MSFC for redundancy
    -FWSM running on active/standby
    QUESTIONs;
-Could GLBP on the MSFC and active/standby on the FWSMs coexist? If they could, how does MSFC2 forward the outbound traffic to FWSM1? (i.e. FWSM2 is in standby mode.)
-Do I need L2 connections between these 2 FWSM VLANs?
-Do I need to run GLBP in this case for the MSFC VLAN 100? I ask this because the FWSM has to see only a single IP to forward traffic back to the rest of the VLANs.
-Anything missing on my connections (cabling)?
    thanks a lot.

    Hi
    There is no reason why the 2 (GLBP + A/S on FWSM) can't co-exist. They are independent of each other.
The MSFC would forward traffic over your L2 trunk between your 6500 chassis to the active firewall. Which answers your next question: yes, you do need an L2 trunk for the FWSM VLANs, for 2 reasons:
1) For forwarding traffic as described above
2) For failover between the FWSM modules.
You could run GLBP on VLAN 100 but you wouldn't get any benefit, because the source MAC address will always be the active FWSM and this is the only sender on that VLAN, so there are no other senders to load balance across both MSFCs.
Nothing missing as far as I can see. Design looks good to me.
    HTH
    Jon

  • About ASDM and CSM

    Dear Sirs,
    First, I'm not Bilingual so excuse my English.
    Please teach the functional difference between ASDM and CSM.
    ASDM: Cisco Adaptive Security Device Manager
    CSM: Cisco Security Manager
    Best regards,

    The part I'm sure of: CSM is a CiscoWorks-based multi-device management software, which helps configure various security devices (VPN, IDS/IDSM, etc.) and is separate cost.
    The part I'm not sure about: ASDM *sounds like* the same as SDM - Security Device Manager - which is a GUI to any single device but not (concurrently) multiple devices. But it's also used to configure the devices.
    HTH.

  • Keepalive not working between GSS and CSM

    Hello,
We are using a KAL-AP keepalive between GSS and CSM for our global application. One problem we are facing is that the KAL-AP messages (UDP 5002) for VIP status are sent from the GSS in one data center to the CSM in another data center. However, the response from the CSM takes more than 40 seconds, and by that time the firewall in between has already removed the connection. We don't see the same latency issue when we use utilities like ping, traceroute etc. between these 2 devices.
    The communication between all other GSSs and CSMs in different data centers is fine.
    Regards,
Murtaza

    Run
    show mod csm capp udp detail
periodically and check if the send & receive frames are incrementing.

  • IPS 4260 - how to see enabled signature in CLI and CSM

How many signatures are enabled?
Can the CSM see how many signatures are enabled?
And what is the command in the CLI where I can see how many signatures I have enabled?
In the IPS Manager Express, it is easy to see how many are enabled.
Best regards
    Rene Rolsted

The CSM is used to manage IPS/IDSM/ASA/SWITCH/ROUTER
and can log in to devices and see the configuration/manage them.
You would be able to see the number of active signatures as well.
I don't think there is a way to see the number of active signatures on the CLI for IPS appliances.
As always, it is pretty easy to count your enabled signatures via IME/IDM.
    Regards,
    Sachin

  • Out of band config changes and CSM

We're running CSM 3.3.1 SP1 on a Windows machine. We acquired a company and have found that they were making out-of-band changes directly from the CLI without the use of CSM. Is there any easy way to sync the running config on the ASA firewalls to the CSM server? I dug in the help files but nothing really points me where to go.
    Thanks for any help!

    Hello,
    The easiest/fastest way to do this is to right-click on the device in CSM's device inventory and select "Rediscover policies on device". This will clear the configuration from the CSM database and rediscover the device config based on what is in the ASA's running-config.
    Keep in mind that if you are using any custom rule sections for your Access Rules or the device has any shared policies assigned, you'll need to manually rebuild the sections or re-assign the shared policies. To avoid this, you would have to manually sync the changes (i.e. make the same changes in CSM that were made on the CLI). If only certain policies are affected, you can also add the device into CSM's inventory as a new device (with a new name), and then copy the policies that weren't affected from the old device to the new device.
    Hope that helps.
    -Mike

  • FWSM and vlans

    It is my understanding that the FWSM for the 6500 series switches uses a 6 port Etherchannel on the backplane to communicate with the 6500 series switch.
    Can you shutdown vlan1 on the switch and still communicate with the FWSM? I was under the impression that you could not (although I am looking at a config with it shutdown)

    It is my understanding that the FWSM for the 6500 series switches uses a 6 port Etherchannel on the backplane to communicate with the 6500 series switch.
    - This is correct.
    Can you shutdown vlan1 on the switch and still communicate with the FWSM? I was under the impression that you could not (although I am looking at a config with it shutdown)
- Shut down the VLAN on the switch? If you shut the VLAN down on the switch, even if you pushed the VLAN down to the FWSM, the VLAN will not show up on the FWSM. You can still session into the FWSM from the switch. It does a telnet to 127.0.0.11 if the module is in slot 1, 127.0.0.22 if the module is in slot 2, etc.
    SWITCH#who
        Line       User       Host(s)              Idle       Location
       1 vty 0                idle                 00:03:57 14.36.109.35
    *  2 vty 1                127.0.0.11                               00:00:02 10.36.109.35
      Interface      User        Mode                     Idle     Peer Address
    -Kureli

  • Backup or redundant ISP with FWSM and security contexts...

    Hello guys,
I am in the middle of a design problem. We have 2 ISPs, and we have a FWSM running multiple contexts. The context that is receiving all the static translations for all my published servers is the one where I want to configure default gateway tracking (so it can go out an "outside2" interface in case the primary fails) and use the second ISP link for internet access and static NAT, just the exact way the ASA works.
I am not quite sure it works with the FWSM.
Thanks a lot!
Emilio

    Hello Emilio,
    You cannot configure SLA monitoring on the FWSM at this moment.
Maybe in the future this great feature will be added to these modules.
    I know the 6500 supports it so you can try to set it up there.
    Regards,
    Julio

  • MIB for FWSM and ASASM

Hi
Is there a MIB to receive the total CPU load on the FWSM if you are running it in multicontext mode?
The CISCO-PROCESS-MIB only gives you per context.
    Rolle

No. You can run two separate OSPF processes in a given context but the ASA does not support VRFs per se. Each context in a multi-context ASA will have its own assigned interfaces and routing table, so that can be analogous to how VRFs are used in routers.
    I generally try to avoid too much dynamic routing in an ASA of any flavor as you tend to quickly run up against its limitations in that regard.

  • FWSM and SNMP ARP mibs

    Hello
    I have two FWSM cards in two 6513 switches with failover activated.
Connected to the switches are several servers, connected to the different interfaces of the firewall. One of them is an HPOV (OpenView) server, which needs the ARP table of the FWSM to reach and explore the whole net to begin to monitor the network.
My problem is I cannot get the ARP table from the firewall, so I cannot discover more devices. I'm able to SNMP them by editing the SNMP poller in the OVO configuration file, but even though the network devices appear, they cannot be reached by the discovery job.
I paste my sh ver here.
    FWSM -1# sh ver
    FWSM Firewall Version 3.2(1)
    Device Manager Version 5.2(1)F
    Compiled on Thu 07-Jun-07 20:16 by dalecki
    FWSM-1 up 7 days 13 hours
    failover cluster up 1 year 94 days
    Hardware: WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz
    Flash STI Flash 7.2.0 @ 0xc321, 20MB
    0: Int: Not licensed : irq 5
    1: Int: Not licensed : irq 7
    2: Int: Not licensed : irq 11
    The Running Activation Key is not set, using default settings:
    Licensed features for this platform:
    Maximum Interfaces : 256
    Inside Hosts : Unlimited
    Failover : Active/Active
    VPN-DES : Enabled
    VPN-3DES-AES : Enabled
    Cut-through Proxy : Enabled
    Guards : Enabled
    URL Filtering : Enabled
    Security Contexts : 2
    GTP/GPRS : Disabled
    BGP Stub : Disabled
    VPN Peers : Unlimited
    Serial Number: SAD101804FV
    Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000
    Configuration last modified by enable_1 at 13:59:35.590 CET Mon Nov 3 2008
I think version 3.2 cannot retrieve the MIB for ARP, and I have found that version 4.01 does. But I was unable to find any kind of upgrade notes here, and we have the server farm monitoring project stopped because of this problem.
Has anybody had this problem?
    How did you solve this?
    Thanks!

    Angel,
You are correct, the "ARP table entries (IP-MIB)" MIB was introduced in 4.0(1) and you have to upgrade to 4.0 code to pull the ARP table through the SNMP MIB.
    And below is the document that has information on upgrading FWSM.
    http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/swcnfg_f.html#wp1052902
    Regards,
    Arul
    *Pls rate if it helps*

  • FWSM and MARS

    Hello,
I have the following situation in my customer's network: when adding the 6.5k switch with FWSM (ver 3.1) to MARS (4.2.8), discovery of the FWSM results in an error with the following message:
    Error occured during FWSM 3.x multicontext discovery. More detailed info may be available under View Error button of individual context devices. If you can not find detailed error info, please make sure 'hostname.domain-name' for each context device is unique
The more specific errors are non-existent (when I click on a specific context and choose View Error I get the same message).
I do get incidents that my security contexts generate, but I am a bit unsure whether this is a regular thing or not. Deleting the module and reimaging MARS does not help.
    Any help with this would be highly appreciated.

    Hi,
    Unfortunately I cannot remove the config regarding the multicontext mode of FWSM.
I have tried deleting the FWSM from MARS and adding it again, but I failed, because MARS kept on giving me the message that I already have the FWSM configured even though I deleted it from MARS. So I had to reimage MARS and start all over again, with the same outcome.
