IDSM2 with FWSM with contexts

Hiya,
I'm not a Security guy so keep it simple!
If deploying a FWSM with multiple contexts, and you have an IDSM-2 installed:
Does the IDSM need to be split into contexts to match the FWSM contexts?
If not, does it monitor the backplane traffic and not care about the multiple contexts?

Hi .. by looking at your diagram .. I suggest trying to place the IDSM-2 so that traffic is inspected after the firewall policies have been checked, otherwise you might end up inspecting traffic that will be blocked by the firewall anyway. You also need to create what are called boundary VLANs so that your IDSM bridges the traffic between the inline VLANs... Confused ..?
It gets a bit "blue" when you try inspecting inline on a module. For example, let's say you have Context1 with interfaces VLAN10 (outside) and VLAN20 (inside). You would have to create another VLAN30 (boundary VLAN). You then need to allocate the devices ONLY (not the ASA's interface) from VLAN20 to VLAN30 (only change the VLAN membership, not the IP scheme). Next, on one of the IDSM-2 sensing ports you need to create a VLAN inline pair (it uses subinterfaces) which bridges VLAN20 <-> VLAN30. In that way traffic to/from your inside devices will traverse the IDSM-2 before reaching its destination.
I suggest you create a test context, allocate the 2 VLANs, create the VLAN inline pair on the IDSM-2 and test. Once you are happy you can replicate the same configuration for the production contexts.
Below is a brief example of what you need to do for each context:
sensor# configure terminal
sensor(config)# service interface
sensor(config-int)# physical-interfaces GigabitEthernet0/2
sensor(config-int-phy)# admin-state enabled
sensor(config-int-phy)# description INT1
sensor(config-int-phy)# subinterface-type inline-vlan-pair
sensor(config-int-phy-inl)# subinterface 1
sensor(config-int-phy-inl-sub)# vlan1 52
sensor(config-int-phy-inl-sub)# vlan2 53
sensor(config-int-phy-inl-sub)# description pairs vlans 52 and 53
sensor(config-int-phy-inl-sub)# show settings
subinterface-number: 1
description: VLANpair1 default:
vlan1: 52
vlan2: 53
sensor(config-int-phy-inl-sub)# exit
sensor(config-int-phy-inl)# exit
sensor(config-int-phy)# exit
sensor(config-int)# exit
Apply Changes:?[yes]:
I hope it helps ... please rate it if it does !!!
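The boundary-VLAN layout in the reply above has one easy-to-miss failure mode: any host port that is left in the inside VLAN (VLAN20 in the example) sits on the firewall side of the sensor, so its traffic never crosses the inline pair and is never inspected. The following check, added here as an example and not code from the original thread or from Cisco, parses a constructed switchport excerpt (assumed IOS-style `interface` / `switchport access vlan` stanzas) and a constructed sensor `show settings` excerpt in the style the reply shows, and reports hosts that still bypass the IDSM-2 as well as a missing inline pair. The VLAN numbers, port names and descriptions are all constructed sample values.

```python
import re

# Constructed switchport excerpt (assumed 'show running-config' style) for the
# Context1 layout in the thread: inside VLAN 20, boundary VLAN 30.
# GigabitEthernet1/2 was never moved to VLAN 30; that is the mistake to catch.
SWITCH_CONFIG = """\
interface GigabitEthernet1/1
 description server-A
 switchport access vlan 30
!
interface GigabitEthernet1/2
 description server-B
 switchport access vlan 20
!
interface GigabitEthernet1/3
 description server-C
 switchport access vlan 30
!
"""

# Constructed sensor 'show settings' excerpt in the style shown in the thread.
SENSOR_SETTINGS = """\
subinterface-number: 1
description: VLANpair1 default:
vlan1: 20
vlan2: 30
"""


def parse_access_ports(config: str) -> dict[str, int]:
    """Map each access port to its VLAN from IOS-style interface stanzas."""
    ports: dict[str, int] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s*switchport access vlan (\d+)\s*$", line)
        if m and current is not None:
            ports[current] = int(m.group(1))
    return ports


def parse_inline_pairs(settings: str) -> list[tuple[int, int]]:
    """Collect (vlan1, vlan2) tuples from sensor 'show settings' output."""
    pairs: list[tuple[int, int]] = []
    vlan1 = None
    for line in settings.splitlines():
        m = re.match(r"^\s*vlan1:\s*(\d+)", line)
        if m:
            vlan1 = int(m.group(1))
            continue
        m = re.match(r"^\s*vlan2:\s*(\d+)", line)
        if m and vlan1 is not None:
            pairs.append((vlan1, int(m.group(1))))
            vlan1 = None
    return pairs


def check_context(inside_vlan: int, boundary_vlan: int,
                  host_ports: dict[str, int],
                  pairs: list[tuple[int, int]]) -> list[str]:
    """Return findings for one FWSM context's inside/boundary VLAN layout.

    An empty list means every host is behind the sensor and the pair exists.
    """
    findings: list[str] = []
    if (inside_vlan, boundary_vlan) not in pairs and \
       (boundary_vlan, inside_vlan) not in pairs:
        findings.append(
            f"no inline VLAN pair bridges {inside_vlan} <-> {boundary_vlan}; "
            f"hosts in VLAN {boundary_vlan} cannot reach the firewall")
    for port, vlan in sorted(host_ports.items()):
        if vlan == inside_vlan:
            findings.append(
                f"{port} is still in VLAN {inside_vlan}: it sits on the "
                f"firewall side of the sensor and is never inspected")
    return findings


if __name__ == "__main__":
    ports = parse_access_ports(SWITCH_CONFIG)
    pairs = parse_inline_pairs(SENSOR_SETTINGS)
    for finding in check_context(20, 30, ports, pairs) or ["layout OK"]:
        print(finding)
```

Run it once per context with that context's inside and boundary VLAN numbers; the host-port dictionary should contain only host ports, since the FWSM interface itself is meant to stay in the inside VLAN.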

Similar Messages

  • Backup or redundant ISP with FWSM and security contexts...

    Hello guys,
    I am in the middle of a design problem. We have 2 ISPs, and we have a FWSM running multiple contexts. My context that is receiving all the static translations for all my published servers is the one where I want to configure default gateway tracking (so it can go out to an "outside2" interface in case the primary fails) and use the second ISP link for internet access and static NAT, just the exact way the ASA works.
    I am not quite sure it works with FWSM.
    Thanks a lot!
    emilio

    Hello Emilio,
    You cannot configure SLA monitoring on the FWSM at this moment.
    Maybe in the future this great feature will be added to this module.
    I know the 6500 supports it so you can try to set it up there.
    Regards,
    Julio

  • Problem with Failover FWSM (With Multiple Context)

    Dear All,
    I have 2 Catalyst 6500 with FWSM module; the Catalyst and FWSM are redundant. The FWSM is in multiple-context mode.
    I had done it with the Catalyst 6500, but when I try to add (Admin -> Security and Monitor Devices) the module with the FWSM context it is always an error.
    I add this context in the active context.
    This is the error message when I try to add the FWSM on MARS.
    The first one;
    expect: spawn id exp3 not open
    while executing
    "expect -nobrace {<--- More --->} {
    send_user "\n"
    send -- " "
    exp_continue
    } {assword: } {
    s..."
    invoked from within
    "expect {
    "<--- More --->" {
    send_user "\n"
    send -- " "
    exp_continue
    "assword: " {
    (file "./sshpix7x.exp" line 105)
    st_key
    the second:
    invoked from within
    "expect {
    "<--- More --->" {
    send_user "\n"
    send -- " "
    exp_continue
    "assword: " {
    (file "./sshpix7x.exp" line 105)
    st_key
    and sometimes:
    spawn ssh -c 3des -l siem-mars 10.x.x.x
    Connection timed out
    For Information :
    The FWSM Firewall Version 4.0(6)
    and,
    CSMAERS-200
    Product Version               :    6.0.6 ( 3368 )
    Data Package Version     :     35
    IPS Signature Version     :     454
    IPS Custom Signature Version     :     0
    Can anyone help me please...
    Thanks b4,
    Best Regards,
    Naga

    Hi Teck Yong Ng,
    I am not sure about your problem, but normally what happens when we install two databases on the same host is there will be conflict between the ports connecting to the database.
    In your case the second system database might also have the same port number which you have for the first system. That is why I think you are facing this issue.
    Try to look at the port numbers.
    Regards,
    Bharath Kumar.K

  • ISDM2 with FWSM configuration example

    Hi there,
    We're trying to implement the IDSM-2 in inline mode integrated with the FWSM module. We have two VLANs on the switch: VLAN 30 is responsible for the outside interface of the lab context of the FWSM, while VLAN 40 is responsible for the inside interface. How can I implement a correct configuration in order to use the IDSM-2 to inspect traffic? There are several documents on the net, but I'm really confused by them and none is clear enough.
    P.S: At the moment we're using the IDSM-2 in promiscuous mode with the following configuration:
    intrusion-detection module 3 data-port 1 capture
    intrusion-detection module 3 data-port 1 capture allowed-vlan 30
    Thanks in advance.

    The IDSM2 is supported in inline mode, provided that the switch has a sup720 running 12.2(18)SXE (or later) or a sup32 running 12.2(18)SXF (or later).
    Refer to these links for the configuration docs:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/cliguide/cliidsm2.htm
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/hwguide/index.htm

  • Who is anybody using a WISM with FWSM on a CAT 6500 Switch?

    Hi
    Is anybody using a WiSM with FWSM on a CAT 6500 switch?
    Are there any problems if used?
    And how can I set them up to connect to each other?
    I have found a document related to it on the Cisco website named Integrating Cisco WiSM and Firewall Service Module.
    I have a question concerning it.
    Why do I have to make a VRF so they can communicate with each other?
    Please let me know.

    As far as the FWSM is concerned, you can have each of the wireless VLANs come into the same context of the FWSM and then just add those VLANs to the FWSM as separate VLANs.

  • Question about C6509 with FWSM IDSM

    HI,
    I'm configuring the FWSM with IDSM, but it did not work. I'm using the following commands.
    access-list aclips permit ip any any
    class-map ips_class
    match access-list aclips
    policy-map ips_policy
    class ips_class
    ips inline fail-open
    service-policy ips_policy interface outside
    Any idea?
    Regards

    IPSec on FWSM is not supported, with or without contexts.
    IPSec on ASA is supported in single mode.
    IPSec on ASA is not supported in context mode.

  • How to configure ldap.ora with multiple ldap contexts

    Hello.
    My company has recently taken on another environment with its own LDAP configuration. It's a bit tedious to have to keep switching my ldap.ora between both LDAP configurations. Are there any good suggestions for either allowing me to search both LDAP configurations (2 separate LDAP setups, with 2 default contexts)? Or is there a smooth way to populate 1 LDAP with the other's data? Or perhaps some form of redirect on one LDAP to the other LDAP server for queries?
    Some basic info: LDAP is Oracle OID version 10gR2
    Please let me know if you have any useful ideas...

    Hi,
    Here is the list of OVD benefits:
    1 - Easy to setup and manage via our Management client
    2 - Unifies multiple directories into a single access point
    3 - Normalizes and unifies multiple directories
    4 - Directly accesses remote repositories
    5 - Allows a unified view of an entry using data from multiple repositories
    6 - Can act as an LDAP proxy and firewall
    Why can you not use OVD to improve these? Read: redirect on one LDAP to the other LDAP server for queries, allowing you to search both LDAPs?
    I hope this helps.
    Thiago L Guimaraes

  • PortalRuntimeException in Business Object document iview No portal component associated with the following context

    Hi all,
    We are stumped with a problem in our QA Enterprise Portal (7.3.1 Sp7) that throws a portal runtime error when we preview a Business Objects document iview.  The Business Objects Server versions are 4.0 SP5 and/or 4.1 SP3.
    The error is caught in the defaultTrace file, /usr/sap/QNW/J00/j2ee/cluster/server0/log
    [EXCEPTION]
    com.sapportals.portal.prt.runtime.PortalRuntimeException: There is no portal component associated with the following context:
    pcd:portal_content/com.summit.SES_BI/com.summit.iviews/Daily_Margin
    at com.sap.portal.prt.component.PortalComponentContext.<init>(PortalComponentContext.java:93)
    Here is what we have tried
    * Confirmed the iviews exist in the PCD, by browsing to the content folders and right click, preview on the iview.
    * Our PRD and DEV systems work correctly and are on same versions of EP Runtime and java. 7.3.1.7.0.201..
    * Occurs with all Businessobjects iviews from the QA portal and all doc types, webis, dashboards. Tried creating new iview.
    * Reapplied the com.sap.businessobjects.iviews.templates.epa to the Portal from the BI 4.1 SP3 distribution
    * Deleted and recreated the BI portal system connector using the SAP BOBJ system template set path to http://bi-qas:8080/BOE
    * Set the embed key value in the BI system connector property and in the custom global.properties file, restarted tomcat and SIA services
    * Set permissions for everyone end user on the content folders and the BI system connector
    * Confirmed Single sign on configured correctly between BI and Portal
    * Confirmed that the QA BI server is configured correctly by directing the working DEV Portal to the QA BI server.
    * Performed actions in note 1709737
    We are certainly stuck and the defaultTrace file is not very informative. Any suggestions are greatly appreciated.
    Lee Lewis

    This is resolved with note 1615838 - SAP Netweaver Enterprise Portal 7.3 iView creation with BI 4.0 results in exceptions.
    The note includes a file portalapp.xml that needs to be inserted into com.sap.businessobjects.iviews.par, which is included in the BI server distribution.
    Then deploy the ear file.....
    Odd thing is that the note mentions 4.0 and we are on 4.1 SP3...
    Environment
    SAP BusinessObjects BI Platform 4.0 SP02 Patch 4 or lower
    SAP Netweaver Enterprise Portal 7.3
    Lee Lewis

  • Adcfgclone.pl  with using existing context file

    Hi,
    I want to clone an application server using an existing context file. Can I run adcfgclone.pl using an existing context file?
    What is the syntax?
    Is there any issue with using this?
    thanks

    Actually I want to clone an existing environment of the R12.0.6 application to fix a local inventory issue.
    Problem: During the R12.1.3 upgrade I noticed that the local inventory has an issue. The R12.1.3 upgrade was done successfully after a clone of production. When I started the upgrade on production I noticed the issue during the 10.1.3.4 upgrade. That's why I thought if I clone the existing production environment on the same server by using the same context file then the 10.1.3.4 upgrade will run.
    I know there is a way to fix the inventory but I don't want to do it, to avoid more issues. Please advise which path is good in such an environment.

    Are you referring to the global inventory? If yes, you can simply copy it from the source servers to the target ones.
    If the PATHs are different then please refer to:
    How to Create a Clean oraInventory in Release 12 [ID 834894.1]
    How to find the location of GLOBAL Inventory and LOCAL inventory on R12.x ? Why Some Times, There are Issues With The oraInventory Registration During The Post Clone ? [ID 878717.1]
    Thanks,
    Hussein

  • Wlsm with fwsm question

    Hi
    The question I have is related to the following setup. WLSM and access points (L3 roaming) incorporated into a 6500 with FWSM. The FWSM is firewalling 2 wireless networks. Access points have a BVI on a separate subnet with subinterfaces on FastEthernet defining VLANs for 2 SSIDs. The BVI subnet has an HSRP address for the default gateway on the access points. The issue is that, as part of a security audit, it was discovered that wireless clients were receiving HSRP traffic even though they should be completely separate from the rest of the network via the FWSM. Is this normal or am I missing something?
    Thanks

    In relevance to this issue, you have mentioned that "The FWSM is firewalling 2 wireless networks". So, can you send me the firewall configuration? Also, send me the network topology. These two pieces of information will be really helpful for further analysis.

  • Problem with Portlet Backing Context

    Hi,
    I am having problem with Portlet Backing context.
    I have one portlet and one JPF associated with this portlet.
    Now in the JPF action method I have a Portlet Backing context object; using this object
    I tried to get the previous portlet state using portletCtx.getPreviousWindowState().
    But it always gives me null.
    Can anyone help me out? It's very urgent.
    Or you can suggest me any other option to do this....
    Thanks,
    Vijay Patel

    Vijay -
    You might want to post this to the Portal newsgroup.
    Regards,
    Kunal

  • CSS11000 VIP not communicating with FWSM Vlans

    There are two physical servers behind the load balancer. These servers are in VLAN54:
    SRV212 - 205.190.54.212
    SRV213 - 205.190.54.213
    Load Balancer VIP for the above servers - 204.190.54.67
    Load balancer keep alive port - TCP 9999
    Load Balancer VLAN54 IP address - 204.190.54.69
    MAC address of 204.190.54.69 - 000c.abcd.efgh
    ARP entries
    =======
    The FWSM has a static ARP entry for VIP 204.190.54.67 configured with the MAC address of 204.190.54.69.
    204.190.54.67   000c.abcd.efgh
    Issue
    ===
    The FWSM is the routed interface (with the L3 gateway) for VLAN54 as well as other server VLANs. VLAN3 is a point-to-point VLAN that connects to another L3 boundary, beyond which are located the end users. These end users are routed via a different L3 gateway and use VLAN3 of the FWSM to reach the server VLANs. The end users routed in different L3 gateways are successfully able to connect to the VIP of the load balancer and hence connect to the application on the keepalive port of 9999 (a simple telnet to 204.190.54.67 on TCP port 9999 is opening).
    Server VLANs that are routed via the FWSM (with their default gateways set to the FWSM) are not able to connect to the VIP 204.190.54.67 on port 9999 (a ping or a telnet to 204.190.54.67 on TCP 9999 failed).
    Observation
    ========
    Server VLANs that are directly routed on the FWSM cannot communicate with the load balancer VIP 204.190.54.67, whereas L3 boundaries that are beyond the FWSM perimeter can access the VIP (ping and telnet).
    Has anyone experienced a similar scenario, and if so, what should I do to make this work?
    Regards
    CJ

    CJ-
      Sounds like it's asymmetric; the firewall is not going to appreciate that and the client will receive a SYN,ACK from the server directly, not the CSS VIP. Try configuring a group like this for testing:
    Group TestNAT
      add destination service SRV212
      add destination service SRV213
      vip address 204.190.54.67
      active
    Regards,
    Chris Higgins

  • ACE in bridge mode with FWSM as gateway

    Our design:
    FWSM--vlan 7--ACE-vlan 8---servers with default gateway as FWSM
    Originally there were no plans of servers looking to load balance traffic when they wanted to communicate with each other. Now there is a need for this.
    Since ACE is in bridge mode, there is no IP address configured on its VLANs and it can't do source NAT.
    What we want: servers in serverfarm A can contact a single IP which can be load balanced and the traffic sent to serverfarm B. Both serverfarms reside in vlan 8 and ACE is in bridge mode. With the VLAN not having an IP, how can we get this working? We were looking to create a policy on ACE with an IP address in vlan 8 and then do a source NAT to send the traffic to serverfarm 7.
    With FWSM as the default gateway, by enabling permit intra traffic, it doesn't work because the command routes the traffic; I don't think it will send the traffic back to the same VLAN.
    e.g static (inside,outside) 10.7.0.1 10.7.8.13 and allow intra traffic.
    So when a machine 10.7.8.11 pings 10.7.0.1 it goes to the FWSM, but the FWSM doesn't look for 10.7.8.13.
    With ACE in bridge mode and FWSM doing the above, how do we get around this? Can something be done on ACE in bridge mode with source NAT?
    Thanks

    First, why don't you have an ip in your ACE vlan ?
    Then, for traffic hitting a vip, we can do source NATing even in bridge mode.
    But if the vip is not an ip in vlan 8, your server will anyway send the traffic to the FWSM and ACE will first bridge the request.
    The FWSM should then send the request back to ACE (not sure how this can be done).
    So the request from the server will actually hit the vip on vlan 7 (not vlan 8).
    So your policy-map with client nat must be on vlan 7.
    Another option would be to configure a static route on the server to point the vip to the ACE vlan 8 ip address (which you should have configured).
    In this case, the policy-map will have to be in vlan 8 with client-nat.
    Gilles.

  • Active/active FWSM with asymmetric routing Doc

    Trying to find a doc & design guide for active/active FWSM with asymmetric routing support in the data center. The SRND doesn't have an updated version; please let me know if you are aware of some. Thanks.

    I hope this link will help you
    http://cisco.com/en/US/products/hw/modules/ps2706/prod_bulletin0900aecd803ffcca.html

  • I've been texting my friend with iMessage with wifi on and all of a sudden it changed to text message and won't let me send messages. My wifi is still on and working but it won't switch back to iMessage. Please help

    I've been texting my friend with iMessage with wifi on and all of a sudden it changed to text message and won't let me send messages. My wifi is still on and working but it won't switch back to iMessage. Please help

    What I recommend you try doing first is to turn iMessage off then back on.  If that doesn't work, make sure that your Apple ID and password are correct.  If everything seems correct and you still can't send out messages using iMessage instead of text message, I think you should either try calling AppleCare at 1-800-MY-IPHONE (1-800-694-7466) and/or scheduling an appointment at the Genius Bar at an Apple Store (that is, if there's one close to you).
    Hope this helps!
