John,
It sounds like what you want to do is set up a new FWSM context in transparent 
mode to bridge the vlan through the firewall as a layer-2 bridging firewall.  
Essentially, you use vlan tricks so you have the vlan for the inside that the 
wism is on, and then another vlan on the outside where you do your routing as 
the gateway.  The FWSM would sit in-between the two vlans and bridge them 
together applying the firewall rules.  See the notes on transparent mode:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/quick.html
Pretty much everything you want to focus on is on the FWSM side, and treat the 
WiSM side like it was an open network with the gateway on the other vlan on the 
other side of the FWSM.
Having said all of that, is there any reason you have to avoid VRFs?  That is 
the solution that we set up and it works extremely well. We like our firewalls 
to route rather than bridge, and the VRF setup, while strange at first, is 
extremely powerful with the FWSM.  We use VRFs for our perimeter networks, 
highly secure networks, etc., and let the FWSM sit between them all as different 
virtual firewalls.  If you trunk point to point vlans to your other routers on 
campus (with each vlan routing point to point for different VRFs), you can have 
multiple distinct networks on campus running OSPF that must come back to the 
FWSM to reach any other part of the network.  That way you don't have to extend 
vlans everywhere just to get something behind the FWSM.  Just something to 
think about.
The only caveat with multiple contexts on the FWSM, transparent or routed, is 
that above 3 contexts or so you have to purchase an additional license.
Hope this helps.
--
Jonathan Yantis
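To make the two designs in the reply above concrete, here is an added configuration sketch (not from either poster, and not from the Cisco documents linked in the thread) of a transparent FWSM context bridging the WiSM client VLAN to the routed gateway VLAN, followed by the VRF-based routed alternative. Slot number, VLAN IDs (100 inside, 200 outside), IP addresses, the context name `guest-bridge` and the permitted ports are all constructed placeholders; substitute your own. The MSFC syntax is Catalyst 6500 IOS and the context syntax is FWSM 3.x-style CLI.

```cisco
! ===== Catalyst 6500 MSFC side =====
! Hand both VLANs to the FWSM (assumed to sit in slot 3). VLAN IDs are constructed.
firewall vlan-group 10 100,200
firewall module 3 vlan-group 10
!
! The routed gateway lives ONLY on the outside VLAN. Do not create an SVI on
! VLAN 100: the MSFC would then route around the firewall. (By default the
! FWSM also refuses a second SVI among its VLANs unless
! "firewall multiple-vlan-interfaces" is enabled.)
interface Vlan200
 description Guest SSID gateway - outside leg of the guest-bridge context
 ip address 172.16.200.1 255.255.255.0
!
! ===== FWSM system execution space =====
! Multiple-context mode so the guest bridge is its own virtual firewall.
mode multiple
!
context guest-bridge
 allocate-interface Vlan100
 allocate-interface Vlan200
 config-url disk:/guest-bridge.cfg
!
! ===== Inside the guest-bridge context =====
! Transparent (layer-2) mode: exactly two interfaces, same IP subnet on both sides.
firewall transparent
!
interface Vlan100
 nameif inside
 security-level 100
interface Vlan200
 nameif outside
 security-level 0
!
! A transparent context still needs a management address on the bridged subnet
! (same subnet as the MSFC gateway above).
ip address 172.16.200.2 255.255.255.0
!
! The FWSM, unlike the PIX/ASA, permits nothing through without an ACL, even
! from a higher to a lower security level. Allow only the services the guest
! SSID is meant to reach (constructed list: DHCP, DNS, HTTPS, SSH, IKE) and
! log everything else that is dropped so the WLC-side behaviour is visible.
access-list GUEST-IN extended permit udp any any eq bootps
access-list GUEST-IN extended permit udp any any eq domain
access-list GUEST-IN extended permit tcp any any eq 443
access-list GUEST-IN extended permit tcp any any eq 22
access-list GUEST-IN extended permit udp any any eq isakmp
access-list GUEST-IN extended deny ip any any log
access-group GUEST-IN in interface inside
!
! ===== Alternative the reply prefers: routed context + VRF on the MSFC =====
! The guest VLAN gets its own routing table; its only way out is the FWSM
! routed context (assumed at 172.16.200.2 on VLAN 200), so the VLAN never
! has to be extended across campus.
ip vrf GUEST
 rd 65000:200
!
interface Vlan200
 ip vrf forwarding GUEST
 ip address 172.16.200.1 255.255.255.0
!
router ospf 200 vrf GUEST
 network 172.16.200.0 0.0.0.255 area 0
!
ip route vrf GUEST 0.0.0.0 0.0.0.0 172.16.200.2
```

In the transparent design, verify the bridge from the context with `show interface` and `show mac-address-table` and confirm the MSFC only has the VLAN 200 SVI; the most common failure is a leftover SVI on the inside VLAN that lets traffic bypass the context. In the VRF design, a missing `ip vrf forwarding` on any point-to-point VLAN quietly merges that link back into the global table, so check `show ip route vrf GUEST` on each router.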

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL 
PROTECTED] On Behalf Of John Duran
Sent: Monday, May 12, 2008 6:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Integrating Cisco WiSM and FWSM

Good Afternoon,

We are looking at moving one of our wireless SSIDs into a Guest type service 
that allows certain encrypted, authenticated and authorized TCP/UDP ports. We 
plan on configuring this with an FWSM facing our Internet connection so that we 
are treating clients on this SSID like guests with more access, but still 
somewhat restricted.

My question is: has anyone accomplished this without using VRFs to route the 
traffic to the FWSM and, if so, did you employ the Guest Anchor controller model 
specified in the CISCO 4.1 Wireless Deployment Guide? My suspicion is that this 
may be accomplished without utilizing the Anchor/Foreign controller model and 
without using VRFs.

The only document that I have found that specifically refers to integrating the 
FWSM with the WiSM is at the following link and specifies VRFs as part of the 
solution.

http://www.cisco.com/en/US/docs/wireless/technology/wism/technical/reference/appnote.html#wp41069

My local CISCO SE indicated that this could be accomplished by simply passing 
the VLAN traffic through a context on the FWSM. It sounds great in theory, but 
I am having trouble locating proper documentation that illustrates this 
specifically. Since it's a design issue, Cisco TAC will not engage, they only 
help fix what is already in place.

Feel free to contact me offline if necessary.

Thanks a million for any input/experience that you may share with us.


John V. Duran
University of New Mexico
Network Analyst
ITS/Network Communications/Data Services
Ph: (505) 249-7890
Fax: (505) 277-8101
********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.