Re: FWSM newbie - traffic bypassed firewall



Looks to me like the:
ip address inside 192.168.5.1 255.255.255.0

IP address exists in two places: once on the C6500 SVI and once in the FWSM context.
.....
BTW, your ACL in that context denies all ...

HTH
Martin Bilgrav


"wookie" <wookie_at_blue_dot_uta_dot_edu@xxxxxxx> wrote in message
news:BBTAk.764$F_4.291@xxxxxxxxxxxxxxxxxxxxxxxxxx
Hi all,
I am new to the FWSM. I am trying to implement it in routed mode with multiple
contexts. Currently the traffic seems to bypass the firewall completely; what am
I missing here? Thanks in advance. Here is the basic design.


6506 MSFC
  | 192.168.2.1
  |
  | dot1q trunk
  |
6509 MSFC
  | 192.168.2.2 vlan2
  |--------------------+            outside
  |                    |
  | 192.168.2.3        | 192.168.2.4
context              context
admin                A
                       | 192.168.5.1
                       | vlan5
                       | inside


6506, vtp mode server
6509, vtp mode client, FWSM (version 2.3.5)

MSFC in front of FWSM, routed mode, multiple contexts, inside and outside
using real IPs, no NAT.

6506 contain 3 vlan (vlan 2,3,4), vtp mode server, vtp domain xxx
int vlan2
ip address 192.168.2.1 255.255.255.0
int vlan3
ip address 192.168.3.1 255.255.255.0
int vlan4
ip address 192.168.4.1 255.255.255.0
ip route 192.168.5.1 255.255.255.0 192.168.2.2




6509 contain 3 vlan (vlan 2,5,6)
int vlan2
ip address 192.168.2.2 255.255.255.0
int vlan5
ip address 192.168.5.1 255.255.255.0
ip address 192.168.55.1 255.255.255.0 secondary
int vlan6
ip address 192.168.6.1 255.255.255.0

firewall multiple-vlan-interfaces
firewall module 4 vlan-group 1
firewall vlan-group 1 2,5,6
ip route 0.0.0.0 0.0.0.0 192.168.2.1


FWSM
admin-context admin
context admin
allocate-interface vlan2
allocate-interface vlan6
config-url disk:/admin.cfg
!

context A
allocate-interface vlan2
allocate-interface vlan5
config-url disk:/contextA.cfg



FWSM configuration for context A
nameif vlan2 outside security0
nameif vlan5 inside security100
ip address outside 192.168.2.4 255.255.255.0
ip address inside 192.168.5.1 255.255.255.0
icmp permit any outside
icmp permit any inside
access-list outbound extended permit ip any any
access-list 101 extended deny ip any any
nat (inside) 0 access-list outbound
access-group 101 in int outside
route outside 0.0.0.0 0.0.0.0 129.107.254.2 1


##-----------------------------------------------##
Telecom Discussions at
http://www.telecom-gear.com/
no-spam access to your favorite newsgroup -
comp.dcom.sys.cisco - 47339 messages and counting!
##-----------------------------------------------##
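The condition Martin points at (the same 192.168.5.1 living on a 6509 SVI and on the context A inside interface, with VLAN 5 both routed by the MSFC and handed to the FWSM) is easy to check mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the MSFC and context snippets quoted above (embedded here as constructed strings, FWSM 2.x "nameif vlanN" syntax) and reports duplicated addresses plus every firewalled VLAN that still has a routed SVI on the MSFC. The outside_vlan parameter is an assumption of the example: it names the one VLAN (2) the MSFC is meant to share with the contexts.

```python
"""Flag MSFC/FWSM overlaps that let traffic route around the firewall.

Added example for the thread above, not the poster's or Cisco's code.
Two findings are produced:
  duplicate-ip                 an IP present on both a 6500 SVI and an FWSM interface
  msfc-svi-on-firewalled-vlan  a VLAN in 'firewall vlan-group' that the MSFC also
                               routes (other than the assumed outside VLAN)
"""
import re
from collections import defaultdict

# Constructed from the 6509 config quoted in the post.
MSFC_6509 = """
int vlan2
 ip address 192.168.2.2 255.255.255.0
int vlan5
 ip address 192.168.5.1 255.255.255.0
 ip address 192.168.55.1 255.255.255.0 secondary
int vlan6
 ip address 192.168.6.1 255.255.255.0
firewall multiple-vlan-interfaces
firewall module 4 vlan-group 1
firewall vlan-group 1 2,5,6
"""

# Constructed from the context A config quoted in the post (FWSM 2.x syntax).
FWSM_CONTEXT_A = """
nameif vlan2 outside security0
nameif vlan5 inside security100
ip address outside 192.168.2.4 255.255.255.0
ip address inside 192.168.5.1 255.255.255.0
"""


def parse_msfc_svis(cfg):
    """Map VLAN id -> list of IPs (primary and secondary) on that SVI."""
    svis = defaultdict(list)
    current = None
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"int(?:erface)?\s+vlan\s*(\d+)$", line, re.I)
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) ", line)
        if m and current is not None:
            svis[current].append(m.group(1))
    return dict(svis)


def parse_firewall_vlans(cfg):
    """VLANs given to the FWSM via 'firewall vlan-group N a,b,c-d'."""
    vlans = set()
    for line in cfg.splitlines():
        m = re.match(r"\s*firewall vlan-group \d+ (.+)$", line)
        if not m:
            continue
        for tok in m.group(1).split(","):
            tok = tok.strip()
            if "-" in tok:
                lo, hi = map(int, tok.split("-"))
                vlans.update(range(lo, hi + 1))
            else:
                vlans.add(int(tok))
    return vlans


def parse_fwsm_context(cfg):
    """Map interface name -> (vlan, ip) from 'nameif' and 'ip address' lines."""
    vlan_of, ip_of = {}, {}
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"nameif vlan(\d+) (\S+) ", line)
        if m:
            vlan_of[m.group(2)] = int(m.group(1))
            continue
        m = re.match(r"ip address (\S+) (\d+\.\d+\.\d+\.\d+) ", line)
        if m:
            ip_of[m.group(1)] = m.group(2)
    return {name: (vlan, ip_of.get(name)) for name, vlan in vlan_of.items()}


def find_bypass(msfc_cfg, context_cfgs, outside_vlan):
    """Return a list of finding tuples; empty means no overlap was seen."""
    svis = parse_msfc_svis(msfc_cfg)
    fw_vlans = parse_firewall_vlans(msfc_cfg)
    findings = []
    for ctx, cfg in context_cfgs.items():
        for name, (vlan, ip) in parse_fwsm_context(cfg).items():
            for svi_vlan, ips in svis.items():
                if ip in ips:
                    findings.append(("duplicate-ip", ctx, name, ip, svi_vlan))
    # A firewalled VLAN the MSFC also routes gives packets a path that
    # never enters the context; only the assumed outside VLAN should overlap.
    for vlan in sorted(fw_vlans & set(svis)):
        if vlan != outside_vlan:
            findings.append(("msfc-svi-on-firewalled-vlan", vlan, svis[vlan]))
    return findings


if __name__ == "__main__":
    for f in find_bypass(MSFC_6509, {"A": FWSM_CONTEXT_A}, outside_vlan=2):
        print(f)
```

Run against the quoted config it reports 192.168.5.1 on both the vlan5 SVI and context A's inside, and that VLANs 5 and 6 are in the vlan-group yet still routed by the 6509. With the MSFC holding an SVI in VLAN 5, a packet from VLAN 2 to 192.168.5.x is forwarded by the MSFC itself and never reaches context A, which is why the ACL (deny-all or otherwise) appears to do nothing; the usual cure is to remove the MSFC SVIs from the VLANs the contexts own, leaving the context as the only router between VLAN 2 and VLAN 5.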