Transparent Firewall Guidelines - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services

Chapter 4
Configuring the Firewall Mode

Transparent Firewall Guidelines

Follow these guidelines when planning your transparent firewall network:

- The transparent FWSM uses an inside interface and an outside interface only.
- Each directly connected network must be on the same subnet.
- A management IP address is required for each context, even if you do not intend to use Telnet to the context.
  The FWSM uses this IP address as the source address for packets originating on the FWSM, such as system messages or AAA communications.
  The management IP address must be on the same subnet as the connected network.
- Do not specify the FWSM management IP address as the default gateway for connected devices; devices need to specify the router on the other side of the FWSM as the default gateway.
- Each interface must be a different VLAN interface.
- For multiple context mode, each context must use different VLANs; you cannot share a VLAN across contexts.
- For multiple context mode, each context can use the same (overlapping) subnet or different subnets.
  Make sure that the upstream router performs NAT if you use overlapping subnets.
- Dynamic routing protocols are neither required nor supported.
  You can, however, add static routes.
- NAT is not supported.
  NAT is performed on the upstream router. However, you can configure some parameters available only in the static command. See the "Configuring Connection Limits for Non-NAT Configurations" section on page 6-10 for more information.
- You must use an extended ACL to allow Layer 3 traffic, such as IP traffic, through the FWSM.
  You can also optionally use an EtherType ACL to allow non-IP traffic through.

Firewall Mode Overview
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01
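
The addressing and VLAN guidelines above can be checked mechanically before a deployment plan is applied. This is an added example, not taken from the Cisco guide: the plan layout, context names, VLAN IDs, addresses and the check_plan function are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed deployment plan: context names, VLAN IDs and addresses are
# hypothetical sample values, not taken from the configuration guide.
PLAN = {
    "ctx-a": {"inside_vlan": 10, "outside_vlan": 20, "subnet": "10.1.1.0/24",
              "mgmt_ip": "10.1.1.5", "host_gateway": "10.1.1.1"},
    "ctx-b": {"inside_vlan": 30, "outside_vlan": 20, "subnet": "10.1.1.0/24",
              "mgmt_ip": "10.2.1.5", "host_gateway": "10.2.1.5"},
    "ctx-c": {"inside_vlan": 40, "outside_vlan": 50, "subnet": "192.168.5.0/24",
              "mgmt_ip": "192.168.5.2", "host_gateway": "192.168.5.1"},
}

def check_plan(plan):
    """Return (context, finding) tuples for each guideline the plan conflicts with."""
    findings = []
    # Count each VLAN once per context, so a count above 1 means cross-context sharing.
    vlan_use = Counter(v for c in plan.values()
                       for v in {c["inside_vlan"], c["outside_vlan"]})
    nets = {name: ipaddress.ip_network(c["subnet"]) for name, c in plan.items()}
    for name, c in plan.items():
        mgmt = ipaddress.ip_address(c["mgmt_ip"])
        if c["inside_vlan"] == c["outside_vlan"]:
            findings.append((name, "inside and outside must be different VLANs"))
        for vlan in sorted({c["inside_vlan"], c["outside_vlan"]}):
            if vlan_use[vlan] > 1:
                findings.append((name, f"VLAN {vlan} is shared across contexts"))
        if mgmt not in nets[name]:
            findings.append((name, "management IP is not on the connected subnet"))
        if ipaddress.ip_address(c["host_gateway"]) == mgmt:
            findings.append((name, "hosts use the FWSM management IP as gateway"))
        # Overlap is allowed, but only when the upstream router performs NAT.
        if any(o != name and nets[name].overlaps(n) for o, n in nets.items()):
            findings.append((name, "overlapping subnet: confirm upstream NAT"))
    return findings

if __name__ == "__main__":
    for context, finding in check_plan(PLAN):
        print(f"{context}: {finding}")
```

The overlapping-subnet finding is a reminder rather than an error, since the guidelines permit overlap as long as the upstream router performs NAT.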
