Configuring ASR in FWSM

The command that enables the ASR feature, introduced in the 3.1 code release for the FWSM, is asr-group number.

This command is entered under the interface configuration, for example:

interface vlan 9
 nameif outside
 security-level 0
 ip address 11.1.1.10 255.255.255.0 standby 11.1.1.11
 asr-group 1

Example 17-1 shows the FWSM in multiple context routed mode, with ASR groups configured so that the FWSM can pass the asymmetrically routed traffic.

The spanning tree root for a VLAN is the switch that hosts the active firewall context for that VLAN, and the HSRP primary for the VLAN is on the same switch.

Figure 17-7 gives an example of Active/Active contexts using failover groups. The outside interfaces of both context A and context B are configured for ASR with asr-group 1.

Figure 17-7 FWSM and Asymmetric Routing Support in Multiple Context Routed Mode

[Figure: two Cisco Cat6k switches, each with a SUP720 and an FWSM.
Cat6k-1: FWSM primary for context A, secondary for context B.
Cat6k-2: FWSM secondary for context A, primary for context B.
Context A: outside VLAN 9 at FWSM primary 11.1.1.10 and secondary 11.1.1.11, ASR group 1; inside VLAN 10 at FWSM primary 172.1.1.12 and secondary 172.1.1.13.
Context B: outside VLAN 50 at FWSM primary 11.2.2.10 and secondary 11.2.2.11, ASR group 1; inside VLAN 51 at FWSM primary 172.2.2.12 and secondary 172.2.2.13.]

Example 17-1 shows a snapshot of the configuration of the FWSMs in multiple context mode with an ASR group.

Example 17-1 FWSM and Asymmetric Routing Support in Multiple Context Routed Mode

! (Cat 6k1) FWSM primary for contexta
FWSM/contexta# show run
: Saved
FWSM Version 3.1(4) <context>
!
hostname contexta
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan9
 nameif outside
 security-level 0
 ip address 11.1.1.12 255.255.255.0 standby 11.1.1.13
 asr-group 1
 ! ASR group 1 is configured for the interface in the outside security domain
interface Vlan10
 nameif inside
 security-level 100
 ip address 172.1.1.12 255.255.255.0 standby 172.1.1.13
!
passwd 2KFQnbNIdI.2KYOU encrypted
access-list 100 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
monitor-interface outside
monitor-interface inside
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 11.1.1.0 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 100 in interface outside
access-group 100 out interface outside
access-group 100 in interface inside
access-group 100 out interface inside
route outside 0.0.0.0 0.0.0.0 11.1.1.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:2873ca18580fb555ea47c15d0ac94a08
: end
FWSM/contexta#

! (Cat 6k2) FWSM primary for contextb
FWSM/contextb# show run
: Saved
hostname contextb
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan50
 nameif inside
 security-level 100
 ip address 172.2.2.10 255.255.255.0 standby 172.2.2.11
interface Vlan51
 nameif outside
 security-level 0
 ip address 11.2.2.10 255.255.255.0 standby 11.2.2.11
 asr-group 1
 ! ASR group 1 is configured for the interface in the outside security domain
!
passwd 2KFQnbNIdI.2KYOU encrypted
access-list 100 extended permit ip any any
access-list 101 extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
monitor-interface inside
monitor-interface outside
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 11.2.2.0 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface inside
access-group 101 out interface inside
access-group 101 in interface outside
access-group 101 out interface outside
route outside 0.0.0.0 0.0.0.0 11.2.2.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:b59531047507cf7e9ee7effb2cce9a21
: end
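ASR only works when the outside interfaces of every context that shares a flow carry the same asr-group, and a failover pair only comes up cleanly when each standby address sits in the primary's subnet. The script below is an added example written for this page, not code from the book or from Cisco: it parses the interface blocks of each context's show run output (the same layout as Example 17-1) and reports any context whose outside interface is missing asr-group, any ASR-group mismatch between contexts, and any standby address outside its primary's subnet. The sample configs are constructed from the addresses in Example 17-1, with asr-group deliberately left off contextb's outside interface so the check has something to report; the name "outside" for the ASR-facing interface is an assumption of the example.

```python
import ipaddress

# Constructed sample: two context configs modeled on Example 17-1.
# asr-group is intentionally omitted from contextb's outside interface.
SAMPLE_CONTEXTS = {
    "contexta": (
        "hostname contexta\n"
        "!\n"
        "interface Vlan9\n"
        " nameif outside\n"
        " security-level 0\n"
        " ip address 11.1.1.12 255.255.255.0 standby 11.1.1.13\n"
        " asr-group 1\n"
        "!\n"
        "interface Vlan10\n"
        " nameif inside\n"
        " security-level 100\n"
        " ip address 172.1.1.12 255.255.255.0 standby 172.1.1.13\n"
        "!\n"
    ),
    "contextb": (
        "hostname contextb\n"
        "!\n"
        "interface Vlan50\n"
        " nameif inside\n"
        " security-level 100\n"
        " ip address 172.2.2.10 255.255.255.0 standby 172.2.2.11\n"
        "!\n"
        "interface Vlan51\n"
        " nameif outside\n"
        " security-level 0\n"
        " ip address 11.2.2.10 255.255.255.0 standby 11.2.2.11\n"
        "!\n"
    ),
}


def parse_interfaces(config_text):
    """Return {nameif: attributes} for every interface block in an FWSM context config.

    An 'interface' line opens a block; indented lines are its sub-commands; any
    non-indented line (including the '!' separator) closes it.
    """
    blocks = []
    current = None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = {"interface": raw.split(None, 1)[1].strip(), "nameif": None,
                       "security_level": None, "ip": None, "mask": None,
                       "standby": None, "asr_group": None}
            blocks.append(current)
            continue
        if not raw.startswith(" "):
            current = None
            continue
        words = raw.split()
        if current is None or not words:
            continue
        if words[0] == "nameif":
            current["nameif"] = words[1]
        elif words[0] == "security-level":
            current["security_level"] = int(words[1])
        elif words[:2] == ["ip", "address"]:
            current["ip"], current["mask"] = words[2], words[3]
            if "standby" in words:
                current["standby"] = words[words.index("standby") + 1]
        elif words[0] == "asr-group":
            current["asr_group"] = int(words[1])
    return {b["nameif"]: b for b in blocks if b["nameif"]}


def check_asr_groups(contexts, outside_name="outside"):
    """Return a list of findings; an empty list means the contexts are consistent."""
    findings = []
    groups = {}
    for ctx, text in contexts.items():
        ifaces = parse_interfaces(text)
        for name, i in ifaces.items():
            # The standby address must be a host in the primary's subnet, or the
            # peer unit cannot take the interface over on failover.
            if i["ip"] and i["standby"]:
                net = ipaddress.ip_network(f"{i['ip']}/{i['mask']}", strict=False)
                if ipaddress.ip_address(i["standby"]) not in net:
                    findings.append(f"{ctx}/{name}: standby {i['standby']} is outside {net}")
        out = ifaces.get(outside_name)
        if out is None:
            findings.append(f"{ctx}: no interface named {outside_name}")
            continue
        if out["asr_group"] is None:
            findings.append(f"{ctx}/{outside_name}: asr-group missing")
        else:
            groups[ctx] = out["asr_group"]
    # Every context's outside interface must share one ASR group for the
    # FWSM to pass asymmetrically routed return traffic between them.
    if len(set(groups.values())) > 1:
        findings.append(f"outside interfaces are in different ASR groups: {groups}")
    return findings


if __name__ == "__main__":
    for finding in check_asr_groups(SAMPLE_CONTEXTS) or ["no ASR-group inconsistencies found"]:
        print(finding)
```

Run against the sample it reports only contextb/outside: asr-group missing; adding asr-group 1 under Vlan51 clears the finding. The check is deliberately keyed on nameif rather than VLAN number, because Example 17-1 assigns different VLANs to the outside interface in each context.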
