FWSM and multiple-vlan-interface command

Hello

I am due to configure an FWSM in a 6513 running IOS. I suppose the example configurations are quite similar when you use an MSFC, but I have a question.

I have 3 inside VLANs. I configure 3 virtual LAN interfaces (SVIs) with IP addresses (as the default gateway for hosts on the 3 VLANs), then set up another separate VLAN as a "next hop" between the router and the FWSM inside interface, with an IP address on the router's VLAN interface and on the FWSM inside interface?

I tried this on a test setup and it seems to work, but when I ping an external host through the FWSM I could not see all the packets with DEBUG ICMP TRACE. The ping did stop working when I removed the ACL on the FWSM inside interface.

I used the command FIREWALL MULTIPLE-VLAN-INTERFACE, but after reading all the documentation I think I would now rather avoid this command.

I just want to make sure that traffic is not going around the FW.

Any help appreciated.

Regards, Tony

I'm a little confused by your description, but it sounds as if you have it set up correctly. It is expected that you would not see "debug icmp trace" output for ICMP packets going *through* the FWSM. The reason is that the FWSM 'fast switches' packets once the connection has been established. The debug process runs on the PC complex, which basically does the layer 3 processing of the flow. Initial connections and traffic *to* the FWSM itself are handled on the PC complex, which is why you saw the debug output when you pinged the FWSM directly. Removing the ACL was probably the best test to see that everything worked. As long as you only have one SVI, there is no possible way for packets to be routed by the MSFC; the FWSM is the only thing they can go through in the above scenario.

Hope that helps to explain things a bit.

Scott
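The single-SVI design Scott describes, written out as an added example configuration (this is not from the thread; FWSM 3.x-style syntax is assumed, and the VLAN numbers, module slot and addresses are placeholders):

```cisco
! --- Catalyst 6513 (IOS / MSFC) --- added example, assumed values throughout
! Assumed VLANs: 10/20/30 = inside user VLANs, 100 = MSFC-to-FWSM transit, 200 = FWSM outside
! Only the transit and outside VLANs are handed to the FWSM (assumed slot 3).
firewall vlan-group 1 100,200
firewall module 3 vlan-group 1
! VLANs 10/20/30 stay on the MSFC: they are the hosts' default gateways.
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
! The ONE SVI on a firewall VLAN: the transit link to the FWSM inside interface.
interface Vlan100
 ip address 10.0.100.1 255.255.255.0
! No "interface Vlan200" and no "firewall multiple-vlan-interfaces":
! the MSFC has no leg on the outside VLAN, so nothing can be routed around the FWSM.
ip route 0.0.0.0 0.0.0.0 10.0.100.2

! --- FWSM (routed mode, single context) ---
interface Vlan100
 nameif inside
 security-level 100
 ip address 10.0.100.2 255.255.255.0
interface Vlan200
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
! Assumed: inside summary points back at the MSFC, default route at the outside router.
route inside 10.0.0.0 255.255.0.0 10.0.100.1
route outside 0.0.0.0 0.0.0.0 192.0.2.1
```

On the switch, "show firewall vlan-group" and "show firewall module" confirm which VLANs the FWSM owns, and "show ip interface brief" should list no SVI for the outside VLAN.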

Tags: Cisco Security

Similar Questions

  • Problem with FWSM and the same L3 interface switch

    I have two 6513s with an 802.1q trunk linking them. Each switch has redundant Sup720s running in native mode with IOS 12.2(18)SXF (they were running SXD3). An FWSM (ver 2.3(3), routed mode, single context) is in each switch, set up in failover mode.

    I can't get a PC in a VLAN that has its layer 3 interface defined on the switch with the active FWSM to communicate with devices 'behind' the FWSM. If I move the layer 3 configuration for this VLAN to the other 6513, everything works fine.

    The MSFCs are inside the firewall; they have a layer 3 interface configured in the same VLAN as the FWSM 'inside' interface. Several "same security level" interfaces are defined on the FWSM and used to protect the server farms. I use OSPF on the MSFCs and FWSM and the routing table is correct.

    The FWSM builds connections for the attempts made by the PC with its layer 3 interface defined on the same switch as the active FWSM just fine, so this isn't a problem with FWSM ACLs.

    A ping of the FWSM "inside" interface from a PC with its layer 3 interface defined on the same switch as the active FWSM fails, although debug icmp trace on the FWSM shows the request and the response. A packet capture, using the NAM-2, only shows the request packets. I captured on the common VLAN and on the FWSM port-channel interface in the backplane.

    Just to add to the confusion, if I capture in the same places but ping from a PC that is in a VLAN with its layer 3 interface defined on the 6513 which does not contain the active FWSM, that works fine: I see the request and response on the common VLAN capture, but only the request on the port-channel capture.

    This problem has been there since the beginning of this implementation and has not changed with IOS and FWSM software upgrades. I have had this experience with all the VLANs that I tried to define the layer 3 interface for on the switch with the active FWSM. I have MLS turned on.

    If anyone has experienced this and solved it, or knows what is happening, I would be grateful for any ideas.

    Thank you.

    Keith

    Keith, are you running distributed etherchannel on your 6513?

  • CSM: managing the FWSM device with multiple contexts, how?

    We have several contexts on the FWSM and from time to time I would like to launch ASDM (Device Manager) from CSM, but I can't. It says missing credentials.

    We manage the FWSM only through the admin context, and that is how we let CSM discover the FWSM.

    Usually when you start ASDM connected to the admin context, you can then move on to the different contexts, but not from CSM, and I can't open ASDM for a context because of the missing credentials.

    But I don't think it's credentials, since we don't have all the settings enabled for direct access; as always, we manage the contexts from the admin context.

    How can we get Device Manager working for all contexts?

    Hello

    You will need to click on each of the contexts in the CSM inventory and select "Properties". From there, you must add a management IP address and the credentials for the individual context. This will allow you to launch ASDM for a particular context from CSM. When you discover all the contexts through the admin context, CSM only fills in the IP address and credential fields for the admin context.

    -Mike

  • How to distinguish the physical interface and the logical (subinterface) interface on a Cisco router/switch?

    Hi Expert,

    How do I distinguish the physical interface from the logical (subinterface) interface on a Cisco router/switch? Can you please clarify a formal way to do this?

    A physical interface is numbered with the same name as the interface printed on the physical port. For example "GigabitEthernet 0/1" corresponds to port 1 of module 0 (or the base unit).

    A logical interface can be a subinterface on a routed port and will have a dot (".") preceding the subinterface number (e.g. GigabitEthernet 0/1.1). It can also be a loopback or a virtual interface (on a router this could also include interfaces like tunnel and virtual tunnel or VTI types). A switch may also have VLAN logical interfaces (e.g. interface vlan 1), which are used as layer 3 virtual interfaces.

  • Trouble with voice and data VLAN tagging between CT3905 and SF300-24P

    Hi, we currently have a monitoring solution to implement with CT3905 phones, SF300-24P switches, cameras and AIR-AP1041N access points.

    We have a problem with VLAN tagging on the SF300-24P switch ports: we can't tag both the voice and data VLANs on the same port on the SF300-24P. Is it possible, or must we dedicate a port to each VLAN, or use the same segment for the data and voice VLANs?

    Does anyone have an answer or technical documentation that can help us?

    Best regards

    First of all,

    Please disable LLDP transmit on the SF300 switch.

    The command is "no lldp transmit".

    After you disable it, check the following steps.

    https://supportforums.Cisco.com/docs/doc-27005

    I was facing the same problem with a Cisco SG300 switch and a 3905 IP phone.

    And the strange thing was that my 7945 and 6941 phones used to work properly without the above configuration.

    The Cisco 3905 was not getting a voice VLAN IP address, and even if I set a static one, it did not work.

    After a long struggle, I was able to solve the problem. Now both the phone and the system work fine on the same port.

    Samantha

  • VLAN interfaces are excluded in the LAG

    Hello community,

    I have a problem with the configuration of a LAG on a Cisco SFE2010P 3-switch stack.

    The switch in fact only has a web GUI. There is a console too, but it is not very useful.

    I need to configure interfaces 1/g3 and 2/g3 in one LAG, and allow VLANs 60 (default VLAN) and 110 (voice) through it.

    After I configured the LAG with both interfaces, the LAG's "Port to VLAN" settings show me that VLAN 60 is untagged and VLAN 110 is tagged.

    But if I take a look at the "Port to VLAN" settings of interfaces 1/g3 and 2/g3, both VLAN interfaces are "excluded". With these settings I can't access the default gateway, which is directly connected. The default gateway is a 3750 stack whose IP address is an HSRP address. It has two uplinks into the SFE2010P port channel.

    I have only one 100 Mbps interface on the SFE2010P connected to a trunk on the spine interface, and it works that way. But using the fibre (LWL) links in the LAG now does not work.

    Why are VLANs 60 and 110 excluded on the interfaces in the LAG, and how can I change it? Thank you.

    Thank you

    Sergej

    Hi Sergej, you cannot configure the individual port within a LAG to a VLAN. When you join the VLAN, you must select the LAG group, not the individual port.

    -Tom
    Please mark replied messages useful

  • 4235 with multiple monitoring interfaces?

    This is a general question as to whether anyone is running 4.0 sensor code on a 4235 with multiple monitoring interfaces?

    Basically, I wonder if you have any comments on the performance or if you ran into any problems with the configuration. In fact I have not seen much documentation on configuring this, so I wonder if there are additional requirements or considerations.

    Hi Chad,

    With IDS 4.0, you can only monitor using one sniffing interface. 4.1 will take care of multiple monitoring interfaces.

    As far as performance goes, I don't see any problems, other than making sure that the management station is able to handle the incoming alarms when using several interfaces.

    Thank you

    Obaid.

  • I upgraded to iOS 9.3.3 and now my voice command does not work

    Yesterday I upgraded to iOS 9.3.3 and since then my voice command will not work.  I searched the internet for advice on how to fix it but nothing they suggest works.  How can I get rid of this upgrade and go back to what I had, which works, or solve this problem?  I need voice control so I can be hands-free while driving.

    Have you tried to force reboot the phone by holding down the sleep and home buttons for 10 seconds, until the Apple logo comes back? You won't lose data by doing this, but it can cure some problems after installing new software or applications.

    Have you tried to downgrade iOS?

  • locking and unlocking through the command 'cacls': locked but cannot unlock

    Dear Friend, I tried locking and unlocking through the command "cacls D:\Murali /e /p everyone:n"

    Afterwards, while unlocking, it said this:

    C:\Documents and Settings\yantra > cacls d:/Murali /e /c /p yantra:F
    ACCESS_DENIED: d:\Murali

    Please, someone help me.

    Hello

    The question you posted would be better suited to the TechNet Forums. I would recommend posting your query in the TechNet Forums:

    http://social.technet.Microsoft.com/forums/en/category/windowsxpitpro

  • Merge devices with multiple network interfaces

    Hello

    Is it possible to add several network interfaces to a device, but merged into a single device?

    For example, we have a lot of HP and Dell servers that usually have a network interface and a management interface (iLO or iDRAC).

    It would be useful to be able to add both interfaces while having them mapped to the same server in the NMS. The network interface would show us availability on the network and the management interface could alert us to hardware problems via SNMP.

    Does anyone know if this is possible, or do we need to have more than one entry for each server?

    Thanks in advance

    Ewan

    Hi Ewan,

    If the management interface is not recognized by the operating system, we most likely would not be able to poll the individual IP addresses of the iLO or the iDRAC. You can submit this as a feature request in the Ideas section of the community.

    Thank you

  • Epson scanner: I attempt to scan and I get: interface: not connected, option: unknown

    I attempt to scan and I get: interface: not connected, option: unknown

    Yes, 64-bit. I downloaded the correct drivers.

    Right, we have established that.  What I asked (or thought I asked, sorry for any confusion) the second time was:

    Is the error you receive [interface: not connected, option: unknown] from a native Windows application you are running, OR from the Epson scanner utility, or some other application?

    I ask because it is important to know which application is giving you the error, because those are usually built into the code.  The errors mean more if you know the name of the application giving the error while looking up the error itself.  Epson has what it calls the "Epson Stylus NX300 and NX305 EPSON Scan Utility" and I was trying to establish whether that is what you use when you try to scan, and so what gives you the error [interface: not connected, option: unknown] you have found?

    For example, a Google search for:

    the Epson scanner interface: not connected, option: unknown

    gives some hits (including this conversation).  You may need to contact Epson support directly for help with it.

  • Homegroup and multiple user account problems

    I have been searching the net for information and can't find anything that matches.  I'm having all kinds of problems with homegroup and multiple user accounts.

    I would like to know: when a machine (a laptop in this case) is off the network, will the individual user accounts remain visible under homegroup?

    If they are not, then homegroup is not for me.

    UPDATE and closing:

    I confirmed that the individual user accounts on one machine are visible to another when that computer is connected to another homegroup computer on a home LAN.  Why they don't just look like a homegroup internally I don't get, except that the machine would always be part of a homegroup, e.g. a laptop, as in my case, would carry a homegroup with it and not be able to jump onto another homegroup in a different location.

    What was causing me a lot of trouble was AVG Free.  Be warned, with AVG Free installed, homegroup PCs cannot find each other, or do so inconsistently at best.  My laptop would show the user accounts but not the other homegroup PCs, and both could indicate that there is no other HG machine available, or sometimes invite you to create a homegroup.  It was a nightmare.

  • How can I change text size and DPI via the command prompt?

    I want to create a script that will allow me to easily switch from my monitor to my TV and back. I know how to change the display, but I don't know how I can change the size of text and DPI via the command prompt (that is, from 100% to 150%). Does anyone know how?

    Unfortunately, you cannot.  In addition, changing the DPI requires a reboot (or logging out and back in).  But you can apply a different theme, which you can call from the command line just by opening the .themepack file.  Since themes can control the size of some font elements, that might do the trick you are looking for.

  • Wait for the host to disconnect and then run a command

    Hello world

    I have a shutdown script for my virtual infrastructure; now I have to add code to shut down an EqualLogic array AFTER the last host is turned off.

    I know the commands to do this, but I need help writing a loop that will test the management IP address of the last host and wait until this host stops responding to pings.

    In my script I already establish which host will be shut down last, so that's not a problem... How can I keep pinging the host's management IP until it dies and then run the EqualLogic commands?

    I hope I managed to explain myself... I was exploring the Test-Connection cmdlet but it seems that it displays the echo of the ping instead of a status... I'm a bit lost around this, can someone help me please?

    Something like this would do the trick?

    # Poll the host's management address until it stops answering ICMP, or give up after $maxWait tries.
    $count = 0
    $maxWait = 10

    do {
        $count += 1
        Write-Output "$(Get-Date -f 'HH:mm') $(Get-Date -f 'dd/MM/yyyy') - host is still online."
        Start-Sleep 5
    # -Quiet makes Test-Connection return $true/$false instead of the echo reply objects.
    } until (!(Test-Connection 192.168.110.85 -BufferSize 16 -Count 1 -Quiet) -or ($count -gt $maxWait))

    if ($count -gt $maxWait) {
        # Timed out: the host never went offline, so do not run the EqualLogic shutdown.
        Write-Output "Host still online."
    }
    else {
        Write-Output "$(Get-Date -f 'HH:mm') $(Get-Date -f 'dd/MM/yyyy') - host is offline."
    }

  • I've just updated to Lightroom 5.6 and now Lightroom interface is in Chinese! How can I change this back?

    I've just updated to Lightroom 5.6 and now Lightroom interface is in Chinese!

    How can I change this back?  The installation wizard was a mixture of English and Chinese, but after I finished, the entire Lightroom is in Chinese!

    OK, I've corrected this BS... found the preferences > language setting by looking at the old installation on my laptop... picked any other random language, restarted Lightroom and it was in Italian... I could now make sense of it... went into preferences > language and selected English, restarted and now everything seems to be OK... come on Adobe!... this shouldn't happen.
