FWSM Configuration
Step 1 :- Assigning VLANs to the FWSM
Define the VLANs the FWSM will protect, in switch configuration mode:
Cat6K(config)#vlan 150
Cat6K(config-vlan)#vlan 151
Cat6K(config-vlan)#vlan 152
Step 2 :- Firewall Group Creation
Create a firewall VLAN group for the FWSM to manage:
Cat6K(config)#firewall vlan-group 100 150-152
Attach the firewall group to the FWSM (here the module in slot 6):
Cat6K(config)#firewall module 6 vlan-group 100
Step 3 :- Accessing the FWSM
Now session into the firewall module (slot 6 in this example):
Cat6K# session slot 6 processor 1
At the password prompt type cisco (the factory default, which should be changed before the module goes into service) to get the welcome screen:
FWSM passwd: cisco
Welcome to the FWSM firewall
Type help or ‘?’ for a list of available commands
FWSM>
Type enable to enter privileged mode.
Step 4 :- Configuring Interfaces
The FWSM supports 100 VLAN interfaces.
Interfaces are created with the nameif command.
Create VLAN interface 150 as the inside interface with security level 100:
FWSM(config)# nameif vlan150 inside security100
Create VLAN interface 152 as the outside interface with security level 0:
FWSM(config)# nameif vlan152 outside security0
Step 5 :- Assigning addresses
Assign an IP address to each interface:
FWSM(config)# ip address inside 10.1.1.1 255.255.255.0
FWSM(config)# ip address outside 203.10.47.1 255.255.255.0
Step 6 :- Assigning ACLs
Configure the ACLs that define the policy, then bind each list to an interface and direction:
FWSM(config)# access-list in_acl permit tcp any host 10.1.1.1 eq 80
FWSM(config)# access-group in_acl in interface inside
Failover
FWSM:- Single Chassis Failover
1. Ability to fail over to a redundant FWSM located in the same chassis
2. FWSM pairs act in an active-standby relationship
3. A failover VLAN is required to be configured between both FWSMs
4. The failover VLAN is used to send heartbeats between the primary and backup FWSM
5. Failover is stateful: the backup FWSM knows the full state of existing sessions
FWSM:- Multiple Chassis Failover
Ability to fail over to a redundant FWSM located in a remote chassis
Same setup as single chassis failover
No failover cable is required, unlike the PIX
Configuring Failover
Prerequisites
1. Create VLAN interface for failover protocol
2. Assign IP Address to VLAN interface
3. Associate VLAN interface to failover
4. Define firewall role (Primary/Secondary)
5. Define IP address for backup firewall
6. Define failover link (if remote chassis)
7. Force failover
The following are the steps to be followed when configuring failover.
Step 1 :- Define VLAN
Define the VLAN that carries failover protocol traffic between the FWSMs:
FWSM(config)# nameif vlan500 bkup-link security99
Step 2 :- Assign IP Address
Assign an IP address to the failover VLAN interface (one address per FWSM). Note that the addresses shown here overlap with the inside subnet used in Step 5 above; in a real deployment the failover VLAN needs its own dedicated subnet.
FWSM(config)# ip address bkup-link 10.1.1.1 255.255.255.0
FWSM(config)# ip address bkup-link 10.1.1.2 255.255.255.0
Step 3 :- Define Failover VLAN
Define VLAN 500 (bkup-link) as the failover LAN interface on both units:
FWSM(config)# failover lan interface bkup-link
FWSM(config)# failover lan interface bkup-link
Step 4 :- Define role
Define the role of each FWSM in the pair (primary on one unit, secondary on the other):
FWSM(config)# failover lan unit primary
FWSM(config)# failover lan unit secondary
Step 5 :- Define backup IP address
Define the IP address of the backup FWSM on the failover VLAN:
FWSM(config)# failover ip address bkup-link 10.1.1.2
Step 6 :- Define failover link
Define the link that will be used for stateful failover:
FWSM(config)# failover link bkup-link
Step 7 :- Forcing failover
Force failover on the FWSM by issuing the failover command:
FWSM(config)# failover
With these commands you will successfully establish failover connectivity.
Confirming failover configuration
Verify with show failover. Check that one unit is Active and the other Standby and that every interface reports Normal; note that "Link : Unconfigured." at the end of the output below means no stateful failover link is in effect, so session state is not being replicated to the standby.
FWSM(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface bkup-link
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: Primary - Active
Active time: 29925 (sec)
Interface outside (10.11.1.2): Normal
Interface inside (10.2.1.1): Normal
Other host: Secondary - Standby
Active time: 285 (sec)
Interface outside (10.11.1.3): Normal
Interface inside (10.2.1.2): Normal
Stateful Failover Logical Update Statistics
Link : Unconfigured.