Page 1

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Release 2.3 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Text Part Number: OL-6392-01...
Page 2

OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCSP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco...
Page 3

VLAN Interfaces How the Firewall Services Module Works with the Switch Using the MSFC 1-10 Routed Firewall and Transparent Firewall Modes 1-11 Security Contexts 1-12 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 4: Table Of Contents

Firewall Mode Overview Routed Mode Overview IP Routing Support Network Address Translation How Data Moves Through the FWSM in Routed Firewall Mode Transparent Mode Overview Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 5: Table Of Contents

Changing the Security Context URL 5-23 Reloading a Security Context 5-24 Reloading by Clearing the Configuration 5-24 Reloading by Removing and Re-adding the Context 5-24 Monitoring Security Contexts 5-24 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 6: Table Of Contents

Assigning IP Addresses to Interfaces for a Routed Firewall Setting the Management IP Address for a Transparent Firewall Configuring the Default Route Configuring Static Routes Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 7: Table Of Contents

Outside NAT 9-10 NAT and Same Security Level Interfaces 9-11 Order of NAT Commands Used to Match Local Addresses 9-12 Maximum Number of NAT Statements 9-12 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 8: Table Of Contents

Access Control List Override 10-13 Adding an Extended Access Control List 10-13 Adding an EtherType Access Control List 10-16 Adding a Standard Access Control List 10-17 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide viii OL-6392-01...
Page 9: Table Of Contents

12-1 AAA Performance 12-2 About Authentication 12-2 About Authorization 12-2 About Accounting 12-3 AAA Server and Local Database Support 12-4 Configuring the Local Database 12-6 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 10: Table Of Contents

13-2 Inspection Support 13-2 Configuring an Inspection Engine 13-4 Detailed Information About Inspection Engines 13-5 CUSeeMe Inspection Engine 13-5 DNS over UDP Inspection Engine 13-6 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 11: Table Of Contents

Configuring General Filtering Parameters 14-2 Identifying the Filtering Server 14-2 Buffering Replies 14-3 Setting the Maximum Length of Long HTTP URLs 14-4 Caching URL Servers 14-4 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 12: Table Of Contents

15-19 Viewing Monitored Interfaces 15-22 Testing the Failover Functionality 15-22 Forcing Failover 15-23 Disabling Failover 15-23 Monitoring Failover 15-23 Failover System Messages 15-24 SNMP 15-24 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 13: Table Of Contents

17-9 Clearing the Application Partition Passwords and AAA Settings 17-9 Recovering the Maintenance Partition Passwords 17-10 Other Troubleshooting Tools 17-10 Viewing Debug Messages 17-10 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide xiii OL-6392-01...
Page 14: Table Of Contents

Example 5: System Configuration B-16 Example 5: Admin Context Configuration B-17 Example 5: Customer A Context Configuration B-17 Example 5: Customer B Context Configuration B-17 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 15

Private Networks Subnet Masks Determining the Subnet Mask Determining the Address to Use with the Subnet Mask Protocols and Applications TCP and UDP Ports ICMP Types Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 16

Contents Acronyms and Abbreviations A P P E N D I X N D E X Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 17: About This Guide

This guide is for network managers who perform any of the following tasks: Managing network security • • Installing and configuring firewalls Managing default and static routes, and TCP and UDP services • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide xvii OL-6392-01...
Page 18: Related Documentation

Messages Guide Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Installation • Note Release Notes for the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services • Module Document Organization This guide includes the following chapters and appendixes: •...
Page 19: Document Conventions, Obtaining Documentation

Chapter 17, “Monitoring and Troubleshooting the Firewall Services Module,” tells how to monitor • and troubleshoot the FWSM. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Messages Guide for detailed information about system logging. •...
Page 20: Ordering Documentation, Documentation Feedback

Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL: http://tools.cisco.com/RPF/register/register.do...
Page 21

Cisco TAC engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
Page 22: Obtaining Additional Publications And Information

• Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as • ordering and customer support services. Access the Cisco Product Catalog at this URL: http://cisco.com/univercd/cc/td/doc/pcat/ Cisco Press publishes a wide range of general networking, training and certification titles.
Page 23

Assign an IP address to each interface. page 8-2 Step 9 Configuring the Default Route, page 8-2 Create a default route to an upstream router. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide xxiii OL-6392-01...
Page 24

Adding an Extended Access Control List, page 10-13 Before any traffic can go through the FWSM, you must create an ACL that permits traffic, and then apply it to an interface. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide xxiv OL-6392-01...
Page 25

Adding an Extended Access Control List, page 10-13 Before any traffic can go through the FWSM, you must create an ACL that permits traffic, and then apply it to an interface. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 26

Quick Start Steps Transparent Firewall Configuration Steps Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide xxvi OL-6392-01...
Page 27

The Firewall Services Module (FWSM) is a high-performance, space-saving, stateful firewall module that installs in the Catalyst 6500 series switches and the Cisco 7600 series routers. Firewalls protect inside networks from unauthorized access by users on an outside network. The firewall can also protect inside networks from each other, for example, by keeping a human resources network separate from a user network.
Page 28

1. The FWSM does not support the supervisor 1 or 1A. 2. Supports multiple switched VLAN interfaces (SVIs) between the MSFC and FWSM. An SVI is a VLAN interface that is routed on the MSFC. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 29

Other releases that do not support BPDU forwarding only support transparent mode without failover. 4. When you use Catalyst OS on the supervisor, you can use any of the supported Cisco IOS releases above on the MSFC. (When you use Cisco IOS software on the supervisor, you use the same release on the MSFC.) The supervisor software determines...
Page 30

2. Open Shortest Path First 3. Routing Information Protocol 4. access control lists 5. Dynamic Host Configuration Protocol 6. Firewall Management Center 7. command-line interface Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 31

For UDP, which does not have sessions, the FWSM creates UDP connection state information so that it can also use the fast path. ICMP control packets – Data packets for protocols that require Layer 7 inspection – Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 32

(or bastion host) system. Mail Guard enforces a safe minimal set of SMTP commands to avoid an SMTP server system from being compromised. Enable this feature using the fixup protocol smtp 25 command. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 33

IP packets that lack a verifiable IP source address. Enable this feature using the ip verify reverse-path command. 1. Domain Name System 2. denial of service 3. Simple Mail Transfer Protocol 4. synchronization Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 34: Vlan Interfaces

By default, no traffic can pass through the firewall. By applying ACLs to interfaces, you can determine which IP addresses and traffic types can pass through the interfaces to access other networks. By default, the Cisco PIX firewall allows traffic to flow freely from an inside network (higher security Note level) to an outside network (lower security level).
Page 35

VLAN 202 How the Firewall Services Module Works with the Switch You can install the FWSM in the Catalyst 6500 series switches and the Cisco 7600 series routers. The configuration of both series is identical, except for the following variations: The Catalyst 6500 series switches supports two software modes: •...
Page 36

VLAN 200 MSFC FWSM VLAN 200 VLAN 201 FWSM MSFC VLAN 301 VLAN 303 VLAN 201 VLAN 203 Inside Inside VLAN 302 VLAN 202 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 1-10 OL-6392-01...
Page 37

ACLs to allow traffic through. Transparent mode can also optionally use EtherType ACLs to allow non-IP traffic. Transparent mode only supports two interfaces, an inside interface and an outside interface. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 1-11 OL-6392-01...
Page 38

You can run all your contexts in routed mode or transparent mode; you cannot run some contexts in one mode and others in another. Multiple context mode supports static routing only. Note Chapter 5, “Managing Security Contexts,” for more information. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 1-12 OL-6392-01...
Page 39: Switch Overview

Managing the Firewall Services Module Boot Partitions, page 2-12 Switch Overview You can install the FWSM in the Catalyst 6500 series switches or the Cisco 7600 series routers. The configuration of both series is identical, and the series are referred to generically in this guide as the “switch.”...
Page 40: C H A P T E R 2 Configuring The Switch For The Firewall Services Module

See the following topics: Prerequisites, page 2-3 • Assigning VLANs in Cisco IOS Software, page 2-3 • Assigning VLANs in Catalyst Operating System Software, page 2-5 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 41: Prerequisites

Assigning VLANs in Cisco IOS Software In Cisco IOS software, create one or more firewall VLAN groups, and then assign the groups to the FWSM. For example, you can assign all the VLANs to one group, or you can create an inside group and an outside group, or you can create a group for each customer.
Page 42

50 55-57 51 70-85 52 100 To view VLAN group numbers for all modules, enter the following command: Router# show firewall module Module Vlan-groups 50,52 51,52 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 43: Assigning Vlans In Catalyst Operating System Software

Configuring SVIs for Cisco IOS Software on the Supervisor Engine, page 2-8 • Configuring SVIs for Catalyst Operating System Software on the Supervisor Engine, page 2-9 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 44: Svi Overview

FWSM by assigning both the inside and outside VLANs to the MSFC. (See Figure 2-1.) Figure 2-1 Multiple SVI Misconfiguration Internet Switch VLAN 100 MSFC VLAN 200 FWSM VLAN 201 VLAN 201 Inside Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 45

ACL that allows only IPX traffic to pass on VLAN 201. Figure 2-2 Multiple SVIs for IPX Internet Switch VLAN 100 MSFC VLAN 200 FWSM VLAN 201 VLAN 201 Inside IPX Host IP Host Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 46: Configuring Svis For Cisco Ios Software On The Supervisor Engine

Customer B Configuring SVIs for Cisco IOS Software on the Supervisor Engine If you are running Cisco IOS software on the supervisor engine, follow these steps to add an SVI to the MSFC: (Optional) To allow you to add more than one SVI to the FWSM, enter the following command:...
Page 47: Configuring Svis For Catalyst Operating System Software On The Supervisor Engine

(Optional) To allow you to add more than one SVI to the FWSM. enter the following command: Step 1 Console> (enable) set firewall multiple-vlan-interfaces enable To disable this setting, enter the following command: Console> (enable) set firewall multiple-vlan-interfaces disable Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 48

255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set ARP type:ARPA, ARP Timeout 04:00:00 Last input never, output 00:00:08, output hang never Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 2-10 OL-6392-01...
Page 49: Customizing The Fwsm Internal Interface

Assigning VLANs to the Secondary Firewall Services Module, page 2-12 • Adding a Trunk Between a Primary Switch and Secondary Switch, page 2-12 • Ensuring Compatibility with Transparent Firewall Mode, page 2-12 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 2-11 OL-6392-01...
Page 50: Assigning Vlans To The Secondary Firewall Services Module

Flash Memory Overview, page 2-13 • Setting the Default Boot Partition, page 2-13 • • Resetting the FWSM or Booting from a Specific Partition, page 2-13 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 2-12 OL-6392-01...
Page 51: Flash Memory Overview

The reset process might take several minutes. For Cisco IOS software, when you reset the FWSM, you can also choose to run a full memory test. When the FWSM initially boots, it only runs a partial memory test. A full memory test takes approximately six minutes.
Page 52: Resetting The Fwsm In Cisco Ios Software

1 (maintenance), 4 (application), or 5 (application). If you do not specify the partition, the default partition is used (typically cf:4). Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 2-14...
Page 53: Sessioning And Logging Into The Firewall Services Module

For multiple context mode, see the “Logging into the FWSM in Multiple Context Mode” section on Note page 5-9 for more information about logging into security contexts. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 54

(privileged mode, configuration mode, etc.). Step 5 To access configuration mode, enter the following command: FWSM# configure terminal The prompt changes to the following: FWSM(config)# Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 55: C H A P T E R 3 Connecting To The Firewall Services Module And Managing The Configuration

To view the running configuration, enter the following command: • FWSM# show running-config To view the startup configuration, enter the following command: • FWSM# show startup-config Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 56: Clearing And Removing Configuration Settings

In most cases, commands described in this guide are preceded by a CLI prompt. The prompt in the following example is “FWSM(config)#”: FWSM(config)# class gold Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 57

In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows: class gold See the “Text Configuration Files” section on page C-4 for more information about formatting the file. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 58

Chapter 3 Connecting to the Firewall Services Module and Managing the Configuration Managing the Configuration at the CLI Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 59: Firewall Mode Overview

IP Routing Support, page 4-2 • Network Address Translation, page 4-2 • How Data Moves Through the FWSM in Routed Firewall Mode, page 4-3 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 60: Chapter 4 Configuring The Firewall Mode

NAT Example Web Server www.cisco.com Outside 209.165.201.2 Originating Responding Packet Packet FWSM Source Addr Translation Dest Addr Translation 10.1.2.27 209.165.201.10 209.165.201.10 10.1.2.27 10.1.2.1 Inside 10.1.2.27 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 61: How Data Moves Through The Fwsm In Routed Firewall Mode

The FWSM receives the packet, and because it is a new session, the FWSM verifies that the packet is allowed according to the terms of the security policy (ACLs, filters, AAA). Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 62

For multiple context mode, the FWSM first classifies the packet according to either a unique VLAN or a unique destination address. In this case, the VLAN would be unique; the www.cisco.com IP address is not located uniquely within a context and is not a unique destination address.
Page 63

DMZ website. Figure 4-4 Inside to DMZ Outside Switch 209.165.201.2 FWSM 10.1.2.1 10.1.1.1 Inside User Web Server 10.1.2.27 10.1.1.3 Source Addr Translation 10.1.2.27 10.1.1.15 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 64

The FWSM forwards the packet to the inside user. An Outside User Attempts to Access an Inside Host Figure 4-5 shows an outside user attempting to access the inside network. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 65

If the outside user is attempting to attack the inside network, the FWSM employs many technologies to determine if a packet is valid for an already established session. See the “Other Protection Features” section on page 1-6 for more information. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 66: Transparent Mode Overview

Using the Transparent Firewall in Your Network, page 4-10 • Transparent Firewall Guidelines, page 4-11 • How Data Moves Through the Transparent Firewall, page 4-12 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 67: Transparent Firewall Features

FWSM can reach that subnet. See the “Configuring Static Routes” section on page 8-3 for more information. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 68: Using The Transparent Firewall In Your Network

VLANs. Figure 4-7 Transparent Firewall Network Internet Switch 10.1.1.1 VLAN 100 FWSM 10.1.1.2 Network A VLAN 200 10.1.1.3 192.168.1.2 Network B Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 4-10 OL-6392-01...
Page 69: Transparent Firewall Guidelines

You must use an extended ACL to allow Layer 3 traffic, such as IP traffic, through the FWSM. • You can also optionally use an EtherType ACL to allow non-IP traffic through. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 4-11 OL-6392-01...
Page 70: How Data Moves Through The Transparent Firewall

An Outside User Visits a Website on the Inside Network, page 4-14 • An Outside User Attempts to Access an Inside Host, page 4-15 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 4-12 OL-6392-01...
Page 71

The FWSM forwards the packet to the inside user. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 4-13 OL-6392-01...
Page 72

VLAN on the inside and outside, so the IP address would not be considered. The FWSM records that a session is established. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 4-14 OL-6392-01...
Page 73

See the “Other Protection Features” section on page 1-6 for more information. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 4-15 OL-6392-01...
Page 74: Setting The Firewall Mode

• To set the mode to routed, enter the following command in the system execution space: FWSM(config)# no firewall transparent Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 4-16 OL-6392-01...
Page 75: Security Context Overview

Typically, the admin context provides network access to network-wide resources, such as a syslog server or context configuration server. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 76: Chapter 5 Managing Security Context

Each packet that enters the FWSM must be classified, so that the FWSM can determine to which context to send a packet. The classifier checks for the following characteristics: • Source interface (VLAN) Destination address • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 77

Context A Context B Context C Context VLAN 201 VLAN 202 VLAN 203 VLAN 204 Inside Admin Inside Inside Customer C Network Customer A Customer B Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 78

Context B Context C Context Classifier VLAN 201 VLAN 202 VLAN 203 VLAN 204 Inside Admin Inside Inside Customer C Network Customer A Customer B Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 79: Ip Routing Support

This section includes the following topics: Sharing Resources, page 5-6 • Shared Interface Limitations, page 5-7 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 80: Sharing Resources

VLAN 202 VLAN 203 VLAN 204 Inside Inside Inside Admin Customer C Customer A Network Customer B VLAN 300 Shared Network Syslog Server AAA Server Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 81: Shared Interface Limitations

VLAN, the classifier cannot use the VLAN to classify traffic). However, the FWSM classifier only “knows” about context addresses from already existing NAT translations (returning traffic) and from static NAT translations. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 82

NAT statements for classification purposes. For example, if you send a packet from a host on an inside shared VLAN to www.cisco.com, the FWSM does not know to which context to send the packet unless you statically translate the www.cisco.com IP address in one of the contexts.
Page 83: Logging Into The Fwsm In Multiple Context Mode

The system execution space does not support any AAA commands, but you can configure its own login and enable passwords, as well as usernames in the local database to provide individual logins. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 84: Enabling Or Disabling Multiple Context Mode

Your FWSM might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. To view the mode, enter show mode.
Page 85: Enabling Multiple Context Mode

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-11...
Page 86: Classes And Class Members Overview

Total Number of System Connections = 999,900 Max. 20% (199,800) Maximum connections allowed. (159,984) Connections in use. (119,988) Connections denied because system limit (79,992) was reached. (39,996) Contexts in Class Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-12 OL-6392-01...
Page 87: Default Class

Telnet sessions—5 sessions. • SSH sessions—5 sessions. • IPSec sessions—5 sessions. • MAC addresses—65,535 entries. • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-13 OL-6392-01...
Page 88: Class Members

FWSM(config)# class name The name is a string up to 20 characters long. To set the limits for the default class, enter default for the name. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-14 OL-6392-01...
Page 89

10,000 per second (rate) Application inspection. hosts 256 K concurrent Hosts that can connect through the FWSM. ipsec 1 minimum 10 concurrent IPSec sessions 5 maximum concurrent Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-15 OL-6392-01...
Page 90

To add a class called silver with all resources set to 3 percent, except for syslogs, with a setting of 500 per second, enter the following commands: FWSM(config)# class silver FWSM(config-class)# limit-resource all 3% FWSM(config-class)# limit-resource rate syslogs 500 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-16 OL-6392-01...
Page 91: Acl Memory Partitions Overview

If you are using a failover configuration, you must use these recommended command sequences: On the active module, use this sequence: resource acl-partition X write mem reload On the redundant module, use this sequence: reload Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-17 OL-6392-01...
Page 92

FWSM(config)# context bandn FWSM(config-context)# allocate-acl-partition 0 FWSM(config)# context borders FWSM(config-context)# allocate-acl-partition 0 FWSM(config)# context mompopa FWSM(config)# context mompopb FWSM(config)# context mompopc FWSM(config)# context mompopd Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-18 OL-6392-01...
Page 93: Configuring A Security Context

“count” or “detail.” “system” is a reserved name, and cannot be used. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-19...
Page 94

To identify the URL from which the system downloads the context configuration, enter the following command: FWSM(config-context)# config-url url When you add a context URL, the system immediately loads the context so that it is running. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-20 OL-6392-01...
Page 95

FWSM(config-context)# allocate-interface vlan300-vlan305 int3-int8 FWSM(config-context)# config-url ftp://joe:passw0rd@10.1.1.1/configlets/test.cfg FWSM(config-context)# member gold FWSM(config-context)# context sample FWSM(config-context)# allocate-interface vlan101 int1 FWSM(config-context)# allocate-interface vlan201 int2 FWSM(config-context)# allocate-interface vlan306-vlan311 int3-int8 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-21 OL-6392-01...
Page 96: Removing A Security Context

For example, you cannot view all running configurations (system plus all contexts) by entering the show running-config command. Only the current configuration displays. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-22 OL-6392-01...
Page 97: Changing The Security Context Url

To enter the new URL, enter the following command: Step 4 FWSM(config)# config-url new_url The system immediately loads the context so that it is running. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-23 OL-6392-01...
Page 98: Reloading A Security Context

“Configuring a Security Context” section on page 5-19 Monitoring Security Contexts This section describes how to view and monitor context information, and includes the following topics: Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-24 OL-6392-01...
Page 99: Viewing Context Information

Context "contexta", is active Config URL: disk:/contexta.cfg Interfaces: vlan10,100-101 Class: default, Flags: 0x00000055, ID: 2 The “Flags” and “ID” fields are for internal use only. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-25 OL-6392-01...
Page 100: Viewing Resource Allocation

FWSM converts the percentage to an absolute number for this display. % of Avail The percentage of the total system resources that is allocated across all contexts. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-26 OL-6392-01...
Page 101

5.00% silver 10.00% bronze All Contexts: 20.00% Xlates default unlimited gold unlimited silver 23040 23040 10.00% bronze 11520 All Contexts: 23040 10.00% Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-27 OL-6392-01...
Page 102: Viewing Resource Usage

Enter the top n keyword to show the contexts that are the top n users of the specified resource. You must specify a single resource type, and not resource all, with this option. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-28...
Page 103: Monitoring Syn Attacks Using Tcp Intercept

TCP intercept for the entire system using the show resource usage summary detail command. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-29...
Page 104

0 c1 chunk:static unlimited 0 c1 tcp-intercept-rate 16056 16254 unlimited 0 c1 globals unlimited 0 c1 np-statics unlimited 0 c1 statics unlimited 0 c1 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-30 OL-6392-01...
Page 105

116448(S) 0 Summary console-access-rul 4356(S) 0 Summary fixup-rules 8032(S) 0 Summary S = System:Total exceeds the system limit; the system limit is shown Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-31 OL-6392-01...
Page 106

Chapter 5 Managing Security Contexts Monitoring Security Contexts Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-32 OL-6392-01...
Page 107: Changing The Passwords

Changing the Maintenance Partition Passwords, page 6-2 • In multiple context mode, every context and the system execution space has its own login policies and Note passwords. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 108: Changing The Login Password

The default password is “cisco.” guest—Lets you configure the network partition parameters and show crash dump information. • The default password is “cisco.” Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 109: Chapter 6 Configuring Basic Setting

This example shows how to set the password for the root account: root@localhost# passwd Changing password for user root New password: *sh1p Retype new password: *sh1p passwd: all authentication tokens updated successfully Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 110: Setting The Host Name

For a context, this name is used for RSA key generation. If you do not set a host name within a context, the context name is used for the host name in the key. You can view a context host name using the show hostname command. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 111: Setting The Domain Name

For example, to add a message-of-the-day banner, enter: FWSM/contexta(config)# banner motd Welcome to the $(hostname) firewall. FWSM/contexta(config)# banner motd Contact me at admin@admin.com for any FWSM/contexta(config)# banner motd issues. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 112: Configuring Interfaces

“Other Protection Features” section on page 1-6 for more information about TCP intercept. This feature is configured using the emb_limit option in the nat and static commands. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 113: Setting The Name And Security Level

NAT for these interfaces. Similarly, inspection engines are applied to both interfaces, as is filtering. By default, the Cisco PIX firewall allows traffic to flow freely from an inside network (higher security Note level) to an outside network (lower security level). However, the FWSM does not allow any traffic to pass between interfaces unless you explicitly permit it with an access control list (ACL).
Page 114: Allowing Communication Between Interfaces On The Same Security Level

TCP intercept, and connection limits. If you enable same security interface communication, you can still configure interfaces at different security levels as usual. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 115

Communication Between Hosts on the Same Interface Host IP cloud-2 Vlan60 10.6.37.0 MSFC Vlan70 Vlan10 IP cloud-1 IP cloud-3 10.6.36.0 10.6.35.0 Host Host SVI, Vlan20 10.6.34.0 FWSM Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 116: Turning Off And Turning On Interfaces

NAT, including NAT exemption. See the “Bypassing NAT” section on page 9-29 for more information. For transparent mode, the FWSM supports only the following method.) Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 6-10 OL-6392-01...
Page 117

For example, to set options for the host 10.1.1.1, enter the following command: FWSM/contexta(config)# static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255 norandomseq tcp 1000 200 udp 1000 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 6-11 OL-6392-01...
Page 118

Chapter 6 Configuring Basic Settings Configuring Connection Limits for Non-NAT Configurations Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 6-12 OL-6392-01...
Page 119: Customizing The Mac Address Table

Packets for remote devices—The FWSM generates a ping to the destination IP address so that the • FWSM can learn which interface receives the ping reply. The original packet is dropped. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 120: C H A P T E R 7 Configuring Bridging Parameters And Arp Inspection

MAC address table. You can disable MAC address learning if desired. To disable MAC address learning, enter the following command: FWSM/contexta(config)# mac-learn interface_name disable The no form of this command reenables MAC address learning. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 121: Viewing The Mac Address Table

ARP spoofing can enable a “man-in-the-middle” attack. For example, a host sends an ARP request to the gateway router; the gateway router responds with the gateway router MAC address. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 122: Adding A Static Arp Entry

For example, to enable ARP inspection on the outside interface, and to drop all non-matching ARP packets, enter the following command: FWSM/contexta(config)# arp-inspection outside enable no-flood Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 123: Configuring Ip Addresses

Assigning IP Addresses to Interfaces for a Routed Firewall, page 8-2 • Setting the Management IP Address for a Transparent Firewall, page 8-2 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 124: C H A P T E R 8 Configuring Ip Addresses, Routing, And Dhcp

Traffic that originates on the FWSM might include communications to a syslog server, Websense or N2H2 server, or AAA server. The FWSM supports up to three equal cost routes on the same interface for load balancing. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 125: Configuring Static Routes

For example, to send all traffic destined for 10.1.1.0/24 to the router (10.1.2.45) connected to the inside interface, enter the following command: FWSM/contexta(config)# route inside 10.1.1.0 255.255.255.0 10.1.2.45 1 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 126: Configuring Ospf

OSPF uses a link-state algorithm to build and calculate the shortest path to all known destinations. Each router in an OSPF area contains an identical link-state database, which is a list of each of the router usable interfaces and reachable neighbors. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 127: Enabling Ospf

ID does not have to match the ID on any other device; it is for internal use only. You can use a maximum of two processes. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 128: Redistributing Routes Between Ospf Processes

“Adding a Standard Access Control List” section on page 10-17 to add the standard ACL. If you specify more than one ACL, then the route can match any of the ACLs. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 129

(LSAs) with a metric of 5, metric type of Type 1, and a tag equal to 1. FWSM(config)# route-map 1-to-2 permit FWSM(config-route-map)# match metric 1 FWSM(config-route-map)# set metric 5 FWSM(config-route-map)# set metric-type type-1 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 130: Redistributing Static, Connected, Or Ospf Routes To An Ospf Process

In the following example, the link-state cost is specified as 5, and the metric type is set to external, indicating that it has lower priority than internal metrics. FWSM(config)# router ospf 1 FWSM(config-router)# redistribute ospf 2 metric 5 metric-type external Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 131: Configuring Ospf Interface Parameters

To specify the length of time between the hello packets that the FWSM sends on an OSPF interface, • enter the following command: FWSM(config-interface)# ospf hello-interval seconds The value must be the same for all nodes on the network. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 132

FWSM(config-interface)# ospf priority 20 FWSM(config-interface)# ospf hello-interval 10 FWSM(config-interface)# ospf dead-interval 40 FWSM(config-interface)# ospf authentication-key cisco FWSM(config-interface)# ospf message-digest-key 1 md5 cisco FWSM(config-interface)# ospf authentication message-digest Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-10 OL-6392-01...
Page 133: Configuring Ospf Area Parameters

To enable authentication for an OSPF area, enter the following command: FWSM(config-router)# area area-id authentication To enable MD5 authentication for an OSPF area, enter the following command: • FWSM(config-router)# area area-id authentication message-digest Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-11 OL-6392-01...
Page 134: Configuring Ospf Nssa

Step 2 Enter any of the following commands: To define an NSSA area, enter the following command: • FWSM(config-router)# area area-id nssa [no-redistribution] [default-information-originate] Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-12 OL-6392-01...
Page 135: Configuring Route Summarization Between Ospf Areas

FWSM(config-router)# area area-id range ip-address mask [advertise | not-advertise] This example shows how to configure route summarization between OSPF areas: FWSM(config)# router ospf 1 FWSM(config-router)# area 17 range 12.1.0.0 255.255.0.0 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-13 OL-6392-01...
Page 136: Configuring Route Summarization When Redistributing Routes Into Ospf

To force the autonomous system boundary router to generate a default route, enter the following Step 2 command: FWSM(config-router)# default-information originate [always] [metric metric-value ] [metric-type {1 | 2}] [route-map map-name ] Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-14 OL-6392-01...
Page 137: Configuring Route Calculation Timers

Configure log-adj-changes detail if you want to see messages for each state change. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-15...
Page 138: Displaying Ospf Update Packet Pacing

You can also display information about node reachability and discover the routing path that your device packets are taking through the network. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-16 OL-6392-01...
Page 139: Restarting The Ospf Process

To restart an OSPF process, clear redistribution, or counters, enter the following command: FWSM(config)# clear ip ospf pid {process | redistribution | counters [neighbor [ neighbor-interface ] [ neighbor-id ]]} Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-17 OL-6392-01...
Page 140: Configuring Rip

[authentication {text | md5} key key_id ]}] You can both types of RIP on an interface by entering the command two times, one for each method. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-18...
Page 141: Configuring The Dhcp Server

The address pool must be on the same subnet as the FWSM interface. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-19 OL-6392-01...
Page 142: Using Cisco Ip Phones With A Dhcp Server

Cisco IP Phones might also include DHCP option 3 in their requests, which lists the IP addresses of default routers. Cisco IP Phones might include both option 150 and 66 in a single request. In this case, the FWSM DHCP server provides values for both options in the response if they are configured on the FWSM.
Page 143: Configuring Dhcp Relay

FWSM/contexta(config)# dhcprelay enable interface (Optional) To set the number of seconds allowed for relay address negotiation, enter the following Step 3 command: FWSM/contexta(config)# dhcprelay timeout seconds Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-21 OL-6392-01...
Page 144

The following example enables the FWSM to forward DHCP requests from clients connected to the inside interface to a DHCP server on the outside interface: FWSM/contexta(config)# dhcprelay server 201.168.200.4 FWSM/contexta(config)# dhcprelay enable inside FWSM/contexta(config)# dhcprelay setroute inside Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-22 OL-6392-01...
Page 145: Nat Overview

Order of NAT Commands Used to Match Local Addresses, page 9-12 Maximum Number of NAT Statements, page 9-12 • • Global Address Guidelines, page 9-12 DNS and NAT, page 9-13 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 146: C H A P T E R 9 Configuring Network Address Translation

You can resolve IP routing problems such as overlapping addresses. Table 13-1 on page 13-2 for information about protocols that are not supported by NAT. Note Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 147: Nat Types

The global pool can include fewer addresses than the local group. When a local host accesses the destination network, the FWSM assigns it an IP address from the global pool. Because the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 148

IP address after the translation times out (see the timeout xlate command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference). Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (even if the connection is allowed by an access control list (ACL)).
Page 149: Static Nat

This feature lets you identify the same global address across many different static statements, so long as the port is different for each statement (you cannot use the same global address for multiple static NAT statements). Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 150

8080 port. Similarly, if you want to provide extra security, you can tell your web users to connect to non-standard port 6785, and then translate them to port 80 on the local network. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 151: Bypassing Nat

The classifier only looks at static statements where the global interface matches the source interface of the packet. Because NAT exemption does not identify a global interface, the classifier does not consider those NAT statements for classification purposes. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 152: Policy Nat

FWSM/contexta(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224 FWSM/contexta(config)# nat (inside) 1 access-list NET1 FWSM/contexta(config)# global (outside) 1 209.165.202.129 FWSM/contexta(config)# nat (inside) 2 access-list NET2 FWSM/contexta(config)# global (outside) 2 209.165.202.130 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 153

Figure 9-5 shows a global host connecting to a local host. The local host has a policy Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 154: Outside Nat

Because the inside host is also typically translated using a static NAT statement, both host addresses are translated. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-10...
Page 155: Nat And Same Security Level Interfaces

You might want to configure NAT exemption or identity NAT on same security interfaces to set connection limits. (See the “Setting Connection Limits in the NAT Configuration” section on page 9-16.) Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-11 OL-6392-01...
Page 156: Order Of Nat Commands Used To Match Local Addresses

For PAT, you can even use the IP address of the global interface. Addresses on a unique network. • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-12 OL-6392-01...
Page 157

NAT configuration. You can configure DNS modification when you configure each NAT translation. For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the inside interface. You configure the FWSM to statically translate the ftp.cisco.com local address (10.1.3.14) to a global address (209.165.201.10) that is visible on the outside network (See...
Page 158

Configuring Network Address Translation NAT Overview When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the global address (209.165.201.10). The FWSM refers to the static statement for the inside server and translates the address inside the DNS reply to 10.1.3.14.
Page 159

DNS server on the outside. The FWSM has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real local address, 209.165.20.10. Because you want inside users to use the translated global address for ftp.cisco.com (10.1.2.56) you need to configure DNS reply...
Page 160: Setting Connection Limits In The Nat Configuration

Using Dynamic NAT and PAT This section includes the following topics: Dynamic NAT and PAT Implementation, page 9-17 • Configuring NAT or PAT, page 9-23 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-16 OL-6392-01...
Page 161: Dynamic Nat And Pat Implementation

209.165.201.3 NAT 1: 10.1.2.0/24 Inside 10.1.2.27 See the following commands for this example: FWSM/contexta(config)# nat (inside) 1 10.1.2.0 255.255.255.0 FWSM/contexta(config)# global (outside) 1 209.165.201.3-209.165.201.10 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-17 OL-6392-01...
Page 162

See the following commands for this example: FWSM/contexta(config)# nat (inside) 1 10.1.2.0 255.255.255.0 FWSM/contexta(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 FWSM/contexta(config)# global (outside) 1 209.165.201.3-209.165.201.10 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-18 OL-6392-01...
Page 163

See the following commands for this example: FWSM/contexta(config)# nat (inside) 1 10.1.2.0 255.255.255.0 FWSM/contexta(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 FWSM/contexta(config)# global (outside) 1 209.165.201.3-209.165.201.10 FWSM/contexta(config)# global (dmz) 1 10.1.1.23 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-19 OL-6392-01...
Page 164

See the following commands for this example: FWSM/contexta(config)# nat (inside) 1 10.1.2.0 255.255.255.0 FWSM/contexta(config)# nat (inside) 2 192.168.1.0 255.255.255.0 FWSM/contexta(config)# global (outside) 1 209.165.201.3-209.165.201.10 FWSM/contexta(config)# global (outside) 2 209.165.201.11 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-20 OL-6392-01...
Page 165

Inside and the Outside interfaces), then you must configure a separate NAT statement without the outside option. In this case, you can identify the same addresses in both statements and use the same Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-21...
Page 166

FWSM/contexta(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 outside FWSM/contexta(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 FWSM/contexta(config)# static (inside,dmz) 10.1.2.27 10.1.1.5 netmask 255.255.255.255 FWSM/contexta(config)# global (outside) 1 209.165.201.3-209.165.201.4 FWSM/contexta(config)# global (inside) 1 10.1.2.30-1-10.1.2.40 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-22 OL-6392-01...
Page 167: Configuring Nat Or Pat

10.1.1.0 in one statement, but 10.1.1.1 in another. The traffic is matched to a policy NAT statement in order, until the first match, or for regular NAT, using the best match. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-23...
Page 168

“Configuring Identity NAT” section on page 9-29 for more information about identity NAT. See the policy NAT command above for information about other options. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-24 OL-6392-01...
Page 169

255.255.255.255 eq 23 FWSM/contexta(config)# nat (inside) 1 access-list WEB FWSM/contexta(config)# global (outside) 1 209.165.202.129 FWSM/contexta(config)# nat (inside) 2 access-list TELNET FWSM/contexta(config)# global (outside) 2 209.165.202.130 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-25 OL-6392-01...
Page 170: Using Static Nat

{ global_ip | interface} local_ip [netmask mask ] [dns] [norandomseq] [[tcp] tcp_max_conns [ emb_limit ]] [udp udp_max_conns ] See the “Configuring NAT or PAT” section on page 9-23 for information about the options. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-26 OL-6392-01...
Page 171: Using Static Pat

NAT information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-27...
Page 172

Telnet traffic to the server. You need to create a more exclusive nat statement just for the Telnet server. Because nat statements are read for the best Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-28...
Page 173

To configure identity NAT, enter the following command: FWSM/contexta(config)# nat ( local_interface ) 0 local_ip [ mask [dns] [outside | [norandomseq] [[tcp] tcp_max_conns [ emb_limit ]] [udp udp_max_conns ]]] Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-29 OL-6392-01...
Page 174: Configuring Static Identity Nat

To configure regular static identity NAT, enter the following command: FWSM/contexta(config)# static ( local_interface , global_interface ) local_ip local_ip [netmask mask ] [dns] [norandomseq] [[tcp] tcp_max_conns [ emb_limit ]] [udp udp_max_conns ] Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-30 OL-6392-01...
Page 175: Configuring Nat Exemption

Because NAT exemption does not identify a global interface, the classifier does not consider those NAT statements for classification purposes. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-31...
Page 176: Nat Examples

FWSM/contexta(config)# nat (inside) 0 access-list NET1 NAT Examples The following sections show typical scenarios that use NAT solutions: Overlapping Networks, page 9-33 • Redirecting Ports, page 9-34 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-32 OL-6392-01...
Page 177: Overlapping Networks

Configure the following static routes so that traffic to the dmz network can be routed correctly by the FWSM: FWSM/contexta(config)# route dmz 192.168.100.128 255.255.255.128 10.1.1.2 1 FWSM/contexta(config)# route dmz 192.168.100.0 255.255.255.128 10.1.1.2 1 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-33 OL-6392-01...
Page 178: Redirecting Ports

• • HTTP port 8080 requests to PAT address 209.165.201.15 are redirected to 10.1.1.7 port 80 To implement this scenario, complete the following steps: Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-34 OL-6392-01...
Page 179

Redirect HTTP requests on port 8080 for PAT address 209.165.201.15 to 10.1.1.7 port 80 by entering Step 5 the following command: FWSM/contexta(config)# static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-35 OL-6392-01...
Page 180

Chapter 9 Configuring Network Address Translation NAT Examples Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-36 OL-6392-01...
Page 181: Access Control List Overview

This section includes the following topics: Access Control List Types and Uses, page 10-2 • Access Control List Guidelines, page 10-6 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-1 OL-6392-01...
Page 182: C H A P T E R 10 Controlling Network Access With Access Control Lists

See the “Stateful Inspection Feature” section on page 1-5 for more information. For connectionless protocols such as ICMP, however, you either need Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-2 OL-6392-01...
Page 183: Identifying Traffic For Aaa Rules (extended)

Permit entries in the ACL mark matching traffic for authorization, while deny entries exclude matching traffic from authorization. Apply the ACL using the aaa authorization match command in the “Configuring TACACS+ Authorization” section on page 12-24. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-3 OL-6392-01...
Page 184: Controlling Network Access For Ip Traffic For A Given User (extended)

Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses in an extended ACL. You can also optionally specify the source and destination ports. Regular NAT can only consider the local addresses. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-4 OL-6392-01...
Page 185: Vpn Management Access (extended)

To control non-IP traffic, perform the following task: Create and apply the ACL according to the “Adding an EtherType Access Control List” section on • page 10-16. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-5 OL-6392-01...
Page 186: Redistributing Ospf Routes (standard)

FWSM does not commit the ACL until the waiting period has passed and you do not enter more entries. The FWSM displays a message similar to the following after it commits the ACL: Access Rules Download Complete: Memory Utilization: < 1% Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-6 OL-6392-01...
Page 187: Maximum Number Of Aces

This guideline applies for both inbound and outbound ACLs: the direction does not determine the address used, only the interface does. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-7 OL-6392-01...
Page 188

209.165.201.4:port See the following commands for this example: FWSM/contexta(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225 FWSM/contexta(config)# access-group INSIDE in interface inside Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-8 OL-6392-01...
Page 189

Static NAT See the following commands for this example: FWSM/contexta(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5 FWSM/contexta(config)# access-group OUTSIDE in interface outside Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-9 OL-6392-01...
Page 190: Inbound And Outbound Access Control Lists

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-10...
Page 191

FWSM/contexta(config)# access-list HR extended permit ip any any FWSM/contexta(config)# access-group HR in interface hr FWSM/contexta(config)# access-list ENG extended permit ip any any FWSM/contexta(config)# access-group ENG in interface eng Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-11 OL-6392-01...
Page 192

FWSM/contexta(config)# access-list OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq www FWSM/contexta(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www FWSM/contexta(config)# access-group OUTSIDE out interface outside Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-12 OL-6392-01...
Page 193: Access Control List Override

ACL information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-13...
Page 194

Note You specify a network mask in the access-list command (for example, 255.255.255.0 for a class C mask). This method is different from the Cisco IOS software access-list command, which uses wildcard bits (for example, 0.0.0.255). Add an ACE for a specific protocol by entering the following command: •...
Page 195

For example, you can allow BGP in an ACL in transparent mode, and you need to apply the ACL to both interfaces. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-15...
Page 196: Adding An Ethertype Access Control List

FWSM to use the IP address on the FWSM interface as the router-id for LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.) On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the FWSM:...
Page 197: Adding A Standard Access Control List

Standard ACLs identify the destination IP addresses of OSPF routes, and can be used in a route map for OSPF redistribution. Standard ACLs cannot be applied to interfaces to control traffic. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-17...
Page 198: Simplifying Access Control Lists With Object Grouping

After creating these groups, you could use a single ACE to allow trusted hosts to make specific service requests to a group of public servers. You can also nest object groups in other object groups. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-18 OL-6392-01...
Page 199: Adding Object Groups

The description can be up to 200 characters. To define the protocols in the group, enter the following command for each protocol: Step 3 FWSM/contexta(config-protocol)# protocol-object protocol Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-19 OL-6392-01...
Page 200: Adding A Network Object Group

You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-20...
Page 201: Adding An Icmp Type Object Group

FWSM/contexta(config)# object-group icmp-type grp_id The grp_id is a text string up to 64 characters in length. The prompt changes to the ICMP type subcommand mode. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-21 OL-6392-01...
Page 202: Nesting Object Groups

FWSM/contexta(config-network)# object-group network finance FWSM/contexta(config-network)# network-object host 10.1.4.89 FWSM/contexta(config-network)# network-object host 10.1.4.100 You then nest all three groups together as follows: FWSM/contexta(config)# object-group network admin Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-22 OL-6392-01...
Page 203: Using Object Groups With An Access Control List

FWSM/contexta(config)# object-group network denied FWSM/contexta(config-network)# network-object host 10.1.1.4 FWSM/contexta(config-network)# network-object host 10.1.1.78 FWSM/contexta(config-network)# network-object host 10.1.1.89 FWSM/contexta(config-network)# object-group network web FWSM/contexta(config-network)# network-object host 209.165.201.29 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-23 OL-6392-01...
Page 204: Displaying Object Groups

ACL. See the “Access Control List Commit” section on page 10-6 for more information about committing ACLs. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-24 OL-6392-01...
Page 205: Adding Remarks To Access Control Lists

For example, you can add remarks before each ACE, and the remark appears in the ACL in this location. Entering a dash (-) at the beginning of the remark helps set it apart from ACEs. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-25...
Page 206: Logging Extended Access Control List Activity

At the end of each interval, the FWSM resets the hit count to 0. If no packets match the ACE during an interval, the FWSM deletes the flow entry. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-26...
Page 207: Configuring Logging For An Access Control Entry

For connectionless protocols, such as ICMP, all packets are logged even if they are permitted, and all denied packets are logged. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Messages Guide for detailed information about this system message.
Page 208: Managing Deny Flows

FWSM/contexta(config)# access-list alert-interval secs The seconds are between 1 and 3600. 300 is the default. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-28 OL-6392-01...
Page 209: Allowing Telnet

100 connections divided between all contexts. See the “Rule Limits” section on page A-5 for information about the maximum number of Telnet rules allowed for the entire system. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-1 OL-6392-01...
Page 210: Chapter 11 Allowing Remote Management

SSH v1.x and v2 are entirely different protocols and are not compatible. Make sure that you download Note a client that supports SSH v1.x. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-2 OL-6392-01...
Page 211: Configuring Ssh Access

To allow all users on the 192.168.3.0 network to access the FWSM on the inside interface, the following command: FWSM/contexta(config)# ssh 192.168.3.0 255.255.255.0 inside Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-3 OL-6392-01...
Page 212: Using An Ssh Client

FWSM/contexta(config)# pdm history enable If you do not enable PDM metrics history, you can view real-time data only and not historical data. This step is optional. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-4 OL-6392-01...
Page 213: Allowing A Vpn Management Connection

VPN peers occurs over a secure tunnel, which means the packets are encrypted and authenticated by the peers. The FWSM can connect to another VPN concentrator, such as a Cisco PIX firewall or a Cisco IOS router, using a site-to-site tunnel. You specify the peer networks that can communicate over the tunnel. In the case of the FWSM, the only address available on the FWSM end of the tunnel is the interface itself.
Page 214

For example, to configure the IKE policy and the IPSec transform sets, enter the following commands: FWSM/contexta(config)# isakmp policy 1 authentication pre-share FWSM/contexta(config)# isakmp policy 1 encryption 3des Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-6 OL-6392-01...
Page 215: Configuring Vpn Client Access

FWSM/contexta(config)# crypto ipsec transform-set site_to_site esp-3des ah-sha-hmac Configuring VPN Client Access A host with an installed version of the Cisco VPN Client can connect to the FWSM for management purposes over a public network, such as the Internet. To allow remote clients to connect to the FWSM for management access, first configure basic VPN settings (see “Configuring Basic Settings for All...
Page 216

FWSM/contexta(config)# vpngroup admin split-tunnel VPN_SPLIT FWSM/contexta(config)# vpngroup admin password $ecure23 FWSM/contexta(config)# telnet 10.1.1.1 255.255.255.255 outside FWSM/contexta(config)# telnet 10.1.1.2 255.255.255.255 outside FWSM/contexta(config)# telnet timeout 30 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-8 OL-6392-01...
Page 217: Configuring A Site-to-site Tunnel

11-2. For example, the following commands allow hosts connected to the peer router (209.165.202.129) to use Telnet on the outside interface (209.165.200.225). Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-9 OL-6392-01...
Page 218: Allowing Icmp To And From The Fwsm

For example, to allow all hosts except the one at 10.1.1.15 to use ICMP to the inside interface, enter the following commands: FWSM/contexta(config)# icmp deny host 10.1.1.15 inside FWSM/contexta(config)# icmp permit any inside Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-10 OL-6392-01...
Page 219

To allow the host at 10.1.1.15 to use only ping to the inside interface, enter the following commands: FWSM/contexta(config)# icmp permit host 10.1.1.15 inside Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-11 OL-6392-01...
Page 220

Chapter 11 Allowing Remote Management Allowing ICMP to and from the FWSM Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-12 OL-6392-01...
Page 221: Aaa Overview

You can use accounting alone, or with authentication and authorization. This section includes the following topics: AAA Performance, page 12-2 • About Authentication, page 12-2 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-1 OL-6392-01...
Page 222: Chapter 12 Configuring Aaa

A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session expires. (See the timeout uauth command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for timeout values.) For...
Page 223: About Accounting

FWSM for the session, the service used, and the duration of each session. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-3 OL-6392-01...
Page 224: Aaa Server And Local Database Support

You can configure the FWSM to send accounting information user or IP address to the RADIUS server about any traffic that passes through the FWSM. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-4 OL-6392-01...
Page 225

1. The local database can act as a fallback method for each of these functions if the AAA server is unavailable. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-5 OL-6392-01...
Page 226: Configuring The Local Database

RADIUS or TACACS+. For multiple context mode, you can configure up to 4 servers in a maximum of 4 groups. In single mode, you can configure 16 servers in a maximum of 14 server groups. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-6...
Page 227

FWSM/contexta(config)# aaa-server AuthInbound (inside) host 10.1.1.1 TheUauthKey FWSM/contexta(config)# aaa-server AuthInbound (inside) host 10.1.1.2 TheUauthKey2 FWSM/contexta(config)# aaa-server AuthOutbound protocol radius FWSM/contexta(config)# aaa-server AuthOutbound (inside) host 10.1.1.3 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-7 OL-6392-01...
Page 228: Configuring Authentication For Cli Access

See the following sections for information about these methods: • Configuring Authentication for the enable Command, page 12-9 Authenticating Users Using the login Command, page 12-9 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-8 OL-6392-01...
Page 229: Configuring Authentication For The Enable Command

The FWSM prompts for your username and password. After you enter your password, the FWSM places you in the privilege level that the local database specifies. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-9...
Page 230: Configuring Command Authorization

Default Command Privilege Levels, page 12-11 • Assigning Privilege Levels to Commands and Enabling Authorization, page 12-11 • Viewing Command Privilege Levels, page 12-13 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-10 OL-6392-01...
Page 231: Local Command Authorization Prerequisites

[mode {enable | configure}] command command Repeat this command for each command you want to reassign. See the following information about the options in this command: Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-11 OL-6392-01...
Page 232

This example shows an additional command, the configure command, that uses the mode keyword: FWSM/contexta(config)# privilege show level 5 mode configure command configure FWSM/contexta(config)# privilege clear level 15 mode configure command configure Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-12 OL-6392-01...
Page 233: Viewing Command Privilege Levels

If you enable TACACS+ command authorization, and a user enters a command at the CLI, the FWSM sends the command and username to the TACACS+ server to determine if the command is authorized. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-13...
Page 234: Tacacs+ Command Authorization Prerequisites

The FWSM sends the commands to be authorized as “shell” commands, so configure the commands • on the TACACS+ server as shell commands. The Cisco Secure ACS server might include a command type called “pix-shell.” Do not use this Note type for FWSM command authorization.
Page 235

We recommend using this method so that you do not have to anticipate every variant of a command, including abbreviations and ?, which shows CLI usage. (See Figure 12-3.) Figure 12-3 Permitting All Related Commands Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-15 OL-6392-01...
Page 236

TACACS+ server, and not the expanded command show logging message. You can configure multiple spellings of the same argument to anticipate abbreviations. (See Figure 12-6.) Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-16 OL-6392-01...
Page 237: Enabling Tacacs+ Command Authorization

We recommend that you use the same username and password in the local database as the TACACS+ server because the FWSM prompt does not give any indication which method is being used. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-17...
Page 238: Viewing The Current Logged-in User

Current Mode/s Shows the access modes: P_UNPR—Unprivileged mode (levels 0 and 1) • P_PRIV—Privileged mode (levels 2 to 15) • P_CONF—Configuration mode • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-18 OL-6392-01...
Page 239: Recovering From A Lockout

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-19 OL-6392-01...
Page 240: Configuring Authentication For Network Access

Telnet; the user Telnets to a given IP address configured on the FWSM, and the FWSM provides a Telnet prompt. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information about the virtual telnet command.
Page 241: Enabling Network Access Authentication

FWSM/contexta(config)# access-list TELNET_AUTH extended permit tcp any host 209.165.201.5 eq telnet FWSM/contexta(config)# aaa-server AuthInbound protocol tacacs+ FWSM/contexta(config)# aaa-server AuthInbound (inside) host 10.1.1.1 TheUauthKey FWSM/contexta(config)# aaa authentication match TELNET_AUTH outside AuthInbound Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-21 OL-6392-01...
Page 242: Enabling Secure Authentication Of Web Clients

After enabling this feature, when a user accesses a web page requiring authentication, the FWSM displays the Authentication dialog box shown in Figure 12-7. Figure 12-7 Secure Authentication Page Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-22 OL-6392-01...
Page 243: Configuring Authorization For Network Access

If you do not enter a string using the auth-prompt command, this field will be blank. For the detailed syntax of this command, refer to the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
Page 244: Configuring Tacacs+ Authorization

FWSM/contexta(config)# aaa-server AuthOutbound protocol tacacs+ FWSM/contexta(config)# aaa-server AuthOutbound (inside) host 10.1.1.1 TheUauthKey FWSM/contexta(config)# aaa authentication match TELNET_AUTH inside AuthOutbound FWSM/contexta(config)# aaa authorization match SERVER_AUTH inside AuthOutbound Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-24 OL-6392-01...
Page 245: Configuring Radius Authorization

| permit icmp any host 10.0.0.252 | permit ip any any +--------------------------------------------+ The downloaded ACL on the FWSM has the following name: #ACSACL#-ip- acl_name - number Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-25 OL-6392-01...
Page 246

Downloaded ACLs have two spaces between the word “access-list” and the name. These spaces serve to differentiate a downloaded ACL from a local ACL. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-26 OL-6392-01...
Page 247: Configuring The Radius Server To Download Per-user Access Control List Names

FWSM/contexta(config)# aaa-server AuthOutbound (inside) host 10.1.1.1 TheUauthKey FWSM/contexta(config)# aaa authentication match TELNET_AUTH inside AuthOutbound FWSM/contexta(config)# aaa authorization match SERVER_AUTH inside AuthOutbound FWSM/contexta(config)# aaa accounting match SERVER_AUTH inside AuthOutbound Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-27 OL-6392-01...
Page 248

Chapter 12 Configuring AAA Configuring Accounting for Network Access Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-28 OL-6392-01...
Page 249: Inspection Engine Overview

When you enable application inspection for a service that embeds IP addresses, the FWSM translates embedded addresses and updates any checksum or other fields that are affected by the translation. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-1...
Page 250: C H A P T E R 13 Configuring Application Protocol Inspection

If a inspection engine does not support outside NAT, consider using the alias command instead of outside NAT. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information about the alias command.
Page 251

2. The FWSM is in compliance with these standards, but it does not enforce compliance on packets being inspected. For example, FTP commands are supposed to be in a particular order, but the FWSM does not enforce the order. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-3...
Page 252: Configuring An Inspection Engine

FWSM/contexta(config)# fixup protocol ftp 9090 After entering these commands, the FWSM listens for FTP traffic on port 21, as well as 2100, 4254, and 9090. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-4 OL-6392-01...
Page 253: Detailed Information About Inspection Engines

H.323-standard format in H.323 mode. CUSeeMe is supported through H.323 inspection, as well as performing NAT on the CUSeeMe control stream, which operates on UDP port 7648. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-5 OL-6392-01...
Page 254: Dns Over Udp Inspection Engine

Command spoofing—The PORT command should always be sent from the client. The TCP connection is denied if a PORT command is sent from the server. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-6...
Page 255: H.323 Inspection Engine

You can set the inspection engines for H.232 and RAS (h225 and ras) separately. The default port for h225 is 1720 (TCP), and the default ports for ras are 1718-1719 (UDP). Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-7...
Page 256: Multiple Calls On One Call Signalling Connection

Real-Time Transport Protocol (RTP) uses the negotiated port number, while RTP Control Protocol (RTCP) uses the next higher port number. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-8...
Page 257

Each UDP connection with a packet going through the H.323 inspection engine is marked as an H.323 connection and will time out with the H.323 timeout as configured by the administrator using the timeout command. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-9 OL-6392-01...
Page 258: Http Inspection Engine

Original packet NAT IP is changed to the Client IP – Original packet NAT port is changed to the Client Port – Original packet IP checksum is recalculated – Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-10 OL-6392-01...
Page 259: Icmp Error Inspection Engine

ILS/LDAP follows a client/server model with sessions handled over a single TCP connection. Depending on the client’s actions, several of these sessions might be created. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-11...
Page 260: Mgcp Inspection Engine

This section includes the following topics: MGCP Overview, page 13-13 • Configuration for Multiple Call Agents and Gateways, page 13-13 • • Viewing MGCP Information, page 13-14 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-12 OL-6392-01...
Page 261: Mgcp Overview

The IP address of the gateway is specified with the ip_address option. The group_id option is a number from 0 to 4294967295. It must correspond with the group_id of the call agents that are managing the gateway. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-13 OL-6392-01...
Page 262: Viewing Mgcp Information

The RealAudio inspection engine allows the data channel to go through the FWSM when the data channel source port is between UDP ports 6790 and 7170. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-14...
Page 263: Rsh Inspection Engine

FWSM/contexta(config)# fixup protocol rtsp [ port [- port ]] The default port is 554 (TCP). If you are using Cisco IP/TV, use RTSP TCP port 554 and TCP 8554 as follows: FWSM/contexta(config)# fixup protocol rtsp 554 FWSM/contexta(config)# fixup protocol rtsp 8554 The following restrictions apply to the RTSP inspection engine: The FWSM does not inspect RTSP messages passing through UDP ports.
Page 264: Sip Inspection Engine

Session Description Protocol (SDP) files as part of HTTP or RTSP messages. Packets could be fragmented, and the FWSM cannot perform NAT on fragmented packets. With Cisco IP/TV, the number of translations the FWSM performs on the SDP part of the message •...
Page 265: Sip Overview

If there is a failure to receive the response messages within one minute, the signaling connection will be torn down. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-17 OL-6392-01...
Page 266: Skinny Inspection Engine

NAT for the Cisco CallManager IP address, and you configure the TFTP server to serve a file with the local untranslated address of the Cisco CallManager, then the Cisco IP Phones cannot contact the Cisco CallManager. We recommend that you use the Cisco CallManager name instead of the IP address, and rely on the DNS server to provide the correct address.
Page 267: Problems With Fragmented Skinny Packets

The pipeline character (|) is deleted (changed to a blank space) and “<” ‚”>” are only allowed if they are used to define a mail address (“>” must be preceded by “<”). Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-19 OL-6392-01...
Page 268: Sql*net Inspection Engine

SQL*Net Version 1 is assumed for all other cases. TNSFrame types (Connect, Accept, Refuse, Resend, Marker, Redirect, and Data) and all packets are scanned for ports and addresses. Addresses are NATed and port connections are opened. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-20 OL-6392-01...
Page 269: Sun Rpc Inspection Engine

The FWSM permits all UDP connections from a TFTP server back to a client source port if there is an existing TFTP connection between the server and client. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-21...
Page 270: Xdmcp Inspection Engine

When XDMCP is used, the display is negotiated using IP addresses, which the FWSM can NAT if needed. The XDCMP inspection engine does not support PAT. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-22...
Page 271: Filtering Overview

For FTP, the FWSM allows the successful FTP return code to reach the user unchanged. For • example, a successful return code is “250: CWD command successful.” Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 14-1 OL-6392-01...
Page 272: C H A P T E R 14 Filtering Http, Https, Or Ftp Requests Using An External Server

[timeout seconds ] [protocol tcp [version {1 | 4}] | udp] See the following options: (if_name)—The interface through which the FWSM communicates with the server. – ip_address—The Websense server IP address. – Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 14-2 OL-6392-01...
Page 273: Buffering Replies

FWSM/contexta(config)# url-block block block-buffer-limit The block-buffer-limit sets the amount of memory assigned to the buffer from 0 to 128 blocks. Each block is 1550 bytes. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 14-3 OL-6392-01...
Page 274: Setting The Maximum Length Of Long Http Urls

Caches the source and destination server address, so access is only cached for a given user • at the source address. kbytes—The cache size between 1 and 128 KB. • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 14-4 OL-6392-01...
Page 275: Filtering Http Urls

FWSM/contexta(config)# filter url http 10.1.1.0 255.255.255.0 0 0 longurl-truncate cgi-truncate To filter users only on the 10.1.2.0 network, enter the following commands: FWSM/contexta(config)# filter url http 10.1.2.0 255.255.255.0 0 0 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 14-5 OL-6392-01...
Page 276: Filtering Https Urls

This section describes how to monitor filtering statistics, and includes the following topics: Viewing Filtering Server Statistics, page 14-7 • Viewing Caching Statistics, page 14-7 • Viewing Filtering Performance Statistics, page 14-8 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 14-6 OL-6392-01...
Page 277: Viewing Filtering Server Statistics

The following sample display shows how the cache is used: FWSM/contexta# show url-cache stats URL Filter Cache Stats ---------------------- Size : 128KB Entries : 1724 In Use : Lookups : Hits : Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 14-7 OL-6392-01...
Page 278: Viewing Filtering Performance Statistics

Xlates Connections TCP Conns UDP Conns URL Access URL Server Req TCP Fixup TCPIntercept HTTP Fixup FTP Fixup AAA Authen AAA Author AAA Account Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 14-8 OL-6392-01...
Page 279: Understanding Failover

• Primary/Secondary Status and Active/Standby Status, page 15-10 • Configuration Replication, page 15-10 • Failover Triggers, page 15-12 • Failover Actions, page 15-12 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-1 OL-6392-01...
Page 280: Chapter 15 Using Failover

After a failover occurs, the same connection information is available at the new active module. Supported end-user applications are not required to reconnect to keep the same communication session. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-2 OL-6392-01...
Page 281: Failover And State Links

The IP address and MAC address for the state link do not change at failover. Note Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-3 OL-6392-01...
Page 282: Module Placement

FWSM VLANs. Because this trunk also accommodates FWSM traffic when a module fails, this trunk should be at least as large as the maximum amount of Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-4...
Page 283

VLAN 10 Trunk: Active Standby VLANs 200, 201, VLAN 11 FWSM FWSM 202, 203, 10, 11 VLAN 203 Mktg VLAN 202 Inside VLAN 201 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-5 OL-6392-01...
Page 284

VLAN 10 VLAN 200 Trunk: Standby Active VLANs 200, 201, FWSM FWSM 202, 203, 10, 11 VLAN 203 Mktg VLAN 202 Inside VLAN 201 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-6 OL-6392-01...
Page 285

Figure 15-4 Switch/FWSM Failure Internet VLAN 100 Standby Switch Active Switch VLAN 200 Trunk Standby Active FWSM FWSM VLAN 203 Mktg VLAN 202 Inside VLAN 201 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-7 OL-6392-01...
Page 286

VLAN 10 Trunk: Active Standby VLANs 200, 201, VLAN 11 FWSM FWSM 202, 203, 10, 11 VLAN 203 Mktg VLAN 202 Inside VLAN 201 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-8 OL-6392-01...
Page 287: Transparent Firewall Requirements

“Basic Failover Questions” section on page 15-25. Because the FWSMs bridge packets between the same two VLANs, loops can occur Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-9 OL-6392-01...
Page 288: Primary/secondary Status And Active/standby Status

IP addresses; when a module is standby, it uses the standby IP addresses. Because the configuration is the same on both modules, the host names, usernames, and passwords are Note also the same. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-10 OL-6392-01...
Page 289

Configuration Replication to mate.” During the replication, information cannot be entered on the FWSM terminal. Depending on the size of the configuration, replication can take several minutes. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-11...
Page 290: Disabling Configuration Synchronization

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-12 OL-6392-01...
Page 291: Failover Monitoring

If the FWSM does not receive a response on any interface, then the standby module switches to active mode and classifies the other module as failed. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-13...
Page 292: Interface Monitoring

If a failed module does not recover and you believe it should not be failed, you can reset the state by entering the failover reset command. If the failover condition persists, however, the module will fail again. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-14 OL-6392-01...
Page 293: Configuring Failover

(Stateful failover only) To set the IP address of the state interface, enter the following command: Step 4 primary(config)# failover interface ip state_interface ip_address mask standby ip_address Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-15 OL-6392-01...
Page 294

10, then that interval is used. (Optional) To set the time in seconds between hello messages on monitored interfaces, enter the Step 9 following command: Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-16 OL-6392-01...
Page 295

Step 12 through Step 15 for each context. Step 16 See the “Failover Configuration Example” section on page 15-27 for a typical failover configuration. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-17 OL-6392-01...
Page 296: Configuring The Secondary Module

“End Configuration Replication to mate” appear on the active module console. Step 7 To save the configuration to Flash memory, enter the following command: secondary(config)# copy running-config startup-config Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-18 OL-6392-01...
Page 297: Verifying The Failover Configuration

Interface inside (10.6.8.100): Normal admin Interface outside (70.1.1.3): Normal Stateful Failover Logical Update Statistics Link : Luifc Vlan 151 Stateful Obj xmit xerr rerr Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-19 OL-6392-01...
Page 298

FWSM Last Failover The last time a failover occurred. This host: For each host, the display shows the following information. Other host: Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-20 OL-6392-01...
Page 299

• rerr—Number of errors that occurred while receiving packets from • the other module. General Sum of all stateful objects. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-21 OL-6392-01...
Page 300: Viewing Monitored Interfaces

Force a failover to the standby module by entering the following command: Step 2 primary(config)# no failover active Use FTP to send another file between the same two hosts. Step 3 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-22 OL-6392-01...
Page 301: Forcing Failover

When a failover occurs, both FWSMs send out system messages. This section includes the following topics: Failover System Messages, page 15-24 • SNMP, page 15-24 • Debug Messages, page 15-24 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-23 OL-6392-01...
Page 302: Failover System Messages

Debug Messages To see debug messages, enter the debug fover command. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information. Frequently Asked Failover Questions This section contains frequently asked questions about the failover features and includes the following...
Page 303: Basic Failover Questions

Yes, in the following circumstances: Both modules have configurations in Flash memory – – Both modules have failover enabled – The failover link is down at startup Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-25 OL-6392-01...
Page 304: Stateful Failover Questions

Other UDP connections. – Can I share the state link interface with the failover link? • Yes, however, we recommend that you use a separate interface. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-26 OL-6392-01...
Page 305: Failover Configuration Example

209.165.201.1 209.165.201.2 PAT: 209.165.201.5 192.168.253.1 192.168.253.2 Failover VLAN 10 State VLAN 11 192.168.253.5 192.168.253.6 192.168.2.1 192.168.2.2 VLAN 201 Inside Web Server 192.168.2.5 Static: 209.165.201.5 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-27 OL-6392-01...
Page 306: System Configuration

Example 15-2 Failover Configuration: Secondary Unit failover lan interface faillink vlan 10 failover lan unit secondary failover interface ip faillink 192.168.253.1 255.255.255.252 standby 192.168.253.2 failover Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-28 OL-6392-01...
Page 307: Installing Application Or Pdm Software

You cannot copy software to the other application partition. You might want to copy to the other partition if you want to keep the old version of software as a backup in the current partition. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 16-1...
Page 308: Installing Application Or Pdm Software To The Current Partition

The image option (default) copies the application software, and the pdm option copies the PDM software. The type can be one of the following keywords: ap—ASCII passive mode – Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 16-2 OL-6392-01...
Page 309: C H A P T E R 16 Managing Software And Configuration Files

For Cisco IOS software, enter the following command: Router# hw-module module mod_num reset cf:1 For Catalyst operating system software, enter the following command: • Console> (enable) reset mod_num boot cf:1 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 16-3 OL-6392-01...
Page 310

Router# hw-module module mod_num reset cf:{4 | 5} • For Catalyst operating system software, enter the following command: Console> (enable) reset mod_num boot cf:{4 | 5} Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 16-4 OL-6392-01...
Page 311: Installing Maintenance Software

This section describes how to download and back up configuration files, and includes the following sections: Downloading a Text Configuration, page 16-6 • Backing Up the Configuration, page 16-7 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 16-5 OL-6392-01...
Page 312: Downloading A Text Configuration

To copy the configuration from an FTP server, enter the following command: FWSM# copy ftp://admin:letmein@209.165.200.227/configs/startup.cfg;type=an startup-config To copy the configuration from an HTTP server, enter the following command: FWSM# copy http://209.165.200.228/configs/startup.cfg startup-config Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 16-6 OL-6392-01...
Page 313: Backing Up The Configuration

In single context mode, or from the system configuration in multiple mode, you can copy the startup configuration, running configuration, or a configuration file by name on disk (such as the admin.cfg). Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 16-7...
Page 314: Copying The Configuration From The Terminal Display

To print the configuration to the terminal, enter the following command: FWSM# write terminal Copy the output from this command, and then paste the configuration into a text file. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 16-8 OL-6392-01...
Page 315: Monitoring The Firewall Services Module

Using SNMP, page 17-1 • Using System Messages The FWSM provides extensive system messages. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Messages Guide to configure logging and to view system message descriptions.
Page 316: C H A P T E R 17 Monitoring And Troubleshooting The Firewall Services Module

Cisco Syslog MIB The FWSM supports the following trap: clogMessageGenerated • You cannot browse this MIB. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-2 OL-6392-01...
Page 317: Enabling Snmp

FWSM does not send SNMP traps. FWSM/contexta(config)# snmp-server host 192.168.3.2 FWSM/contexta(config)# snmp-server location building 42 FWSM/contexta(config)# snmp-server contact kim lee FWSM/contexta(config)# snmp-server community ohwhatakeyisthee Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-3 OL-6392-01...
Page 318: Troubleshooting The Firewall Services Module

To send the system messages to your Telnet or SSH session, enter the following command: Step 3 FWSM/contexta(config)# terminal monitor To enable system messages, enter the following command: Step 4 FWSM/contexta(config)# logging on Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-4 OL-6392-01...
Page 319: Pinging Fwsm Interfaces

192.168.2.2 192.168.0.2 192.168.4.2 10.1.0.2 Router Router Router Router 10.1.2.2 10.1.0.2 10.1.4.2 10.1.1.1 Host Host 10.1.2.90 10.1.0.34 10.1.4.67 Host Host 10.1.1.5 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-5 OL-6392-01...
Page 320

17-4). In this case, the debug messages show that the ping was successful, but you see system message 110001 indicating a routing failure. Figure 17-4 Ping Failure Because the FWSM has no Route Ping Host Router FWSM Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-6 OL-6392-01...
Page 321: Pinging Through The Fwsm

Note through the FWSM to other hosts. Figure 17-5 Ping Failure Because the FWSM is not Translating Addresses Ping Host Router FWSM Router Host Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-7 OL-6392-01...
Page 322: Disabling The Test Configuration

In multiple mode, you can only reload from the system execution space. To reload the FWSM from the FWSM CLI, enter the following command: FWSM# reload Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-8 OL-6392-01...
Page 323: Reloading The Fwsm From The Switch

To log into the maintenance partition as root, enter the following command: Login: root Enter the password at the prompt: Step 4 Password: password By default, the password is “cisco.” Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-9 OL-6392-01...
Page 324: Recovering The Maintenance Partition Passwords

FWSM, debug messages can be useful. We recommend contacting technical support to help you debug your FWSM. To enable debug messages, see the debug commands in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
Page 325: Viewing The Crash Dump

You did not enable multiple SVIs. Enable multiple SVIs according to the “Adding Switched Virtual Interfaces to Recommended Action the MSFC” section on page 2-5. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-11 OL-6392-01...
Page 326

Recommended Action Enable this feature according to the “Allowing Communication Between Interfaces on the Same Security Level” section on page 6-8. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-12 OL-6392-01...
Page 327

You did not assign the same VLANs for both units. Possible Cause Recommended Action Make sure to assign the same VLANs to both units in the switch configuration. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-13 OL-6392-01...
Page 328

Chapter 17 Monitoring and Troubleshooting the Firewall Services Module Troubleshooting the Firewall Services Module Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-14 OL-6392-01...
Page 329: Physical Attributes

Maximum four modules per switch. If you are using failover, you can still only have four modules per switch even if two of them are in standby mode. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 330: Appendix A Specification

You can share outside interfaces between contexts, and in some circumstances, you can share inside interfaces. Transparent Mode 2 per context Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 331: Managed System Resources

PAT is the translation limit (256,000), not the higher connection limit. To use the connection limit, you need to use NAT, which allows multiple connections using the same translation session. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 332: Fixed System Resources

27: TFTP, Sun RPC over UDP, NetBIOS NameServer, XDMCP, and CUSeeMe. The OraServ and RealAudio inspection engines, which are also enabled by default, do not affect this limit. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 333: Rule Limits

1. For example, if you have 96 contexts evenly distributed among the 12 pools, so there are 8 contexts per pool, each context can use 75 filter rules, if evenly divided. 2. access control entries 3. Internet Control Message Protocol 4. HyperText Transfer Protocol Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 334

Appendix A Specifications Rule Limits Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 335: Routed Mode Examples

Each customer context belongs to a class that limits its resources (gold, silver, or bronze). Although inside IP addresses can be the same across contexts when the VLANs are unique, keeping them unique is easier to manage. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 336: Appendix B Sample Configuration

FWSM Version (blank means single mode, “<system>” means you are in multiple mode in the system configuration, and <context> means you are in multiple mode in a context). Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 337: Example 1: Admin Context Configuration

10.1.1.75 255.255.255.255 inside nat (inside) 1 10.1.1.0 255.255.255.0 global (outside) 1 209.165.201.10-209.165.201.29 [ This context uses dynamic NAT for inside users that access the outside ] Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 338: Example 1: Customer A Context Configuration

10.1.4.1 255.255.255.0 ip address dmz 192.168.2.1 255.255.255.0 route outside 0 0 209.165.201.1 1 url-server (dmz) vendor websense host 192.168.2.2 url-block block 50 url-cache dst 128 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 339: Example 1: Switch Configuration

Because the FWSM does not advertise routes with RIP, the MSFC needs to use static routes for FWSM traffic (See Figure B-2.) The Department networks are allowed to access the Internet, and use PAT. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 340: Example 2: Fwsm Configuration

10.1.1.1 255.255.255.0 ip address dmz 192.168.2.1 255.255.255.0 route outside 0 0 209.165.201.1 1 nat (dept1) 1 10.1.1.0 255.255.255.0 nat (dept2) 1 10.1.2.0 255.255.255.0 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 341: Example 2: Switch Configuration

Catalyst OS on the supervisor: set vlan 3-5,9,10 firewall-vlan 8 Cisco IOS software on the MSFC: interface vlan 3 ip address 209.165.201.1 255.255.255.224 no shut Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 342: Example 3: Shared Resources For Multiple Contexts

Example 3: Department 1 Context Configuration, page B-10 • Example 3: Department 2 Context Configuration, page B-11 • Example 3: Switch Configuration, page B-11 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 343: Example 3: System Configuration

Note that the translated addresses are used. ] Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 344: Example 3: Department 1 Context Configuration

ACL must authenticate with the AAA server ] logging trap 4 logging host shared 10.1.1.8 [ System messages are sent to the syslog server on the Shared network ] logging on Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-10 OL-6392-01...
Page 345: Example 3: Department 2 Context Configuration

The secondary FWSM is also in routed, multiple context mode, and has the same software version. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-11...
Page 346: Example 4: Primary Fwsm Configuration

The mode and the activation key are not stored in the configuration file, even though they do endure reboots. If you view Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-12...
Page 347

(outside) 1 209.165.201.11 netmask 255.255.255.224 [ This context uses dynamic PAT for inside users that access the outside ] route outside 0 0 209.165.201.5 1 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-13 OL-6392-01...
Page 348: Example 4: Secondary Fwsm System Configuration

Example 4: Switch Configuration The following lines in the Cisco IOS switch configuration on both switches relate to the FWSM. For information about configuring redundancy for the switch, see the switch documentation. firewall module 1 vlan-group 1...
Page 349: Transparent Mode Examples

VLAN 7 10.1.1.3 10.1.2.3 10.1.3.3 10.1.4.3 Management host 10.1.1.75 192.168.1.1 192.168.2.1 192.168.3.1 192.168.4.1 Admin customerA customerB customerC Network 2 Network 2 Network 2 Network 2 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-15 OL-6392-01...
Page 350: Example 5: System Configuration

5% limit-resource rate conns 1000 limit-resource conns 10000 class bronze limit-resource all 3% limit-resource rate conns 500 limit-resource conns 5000 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-16 OL-6392-01...
Page 351: Example 5: Admin Context Configuration

INTERNET in interface inside [ Allows all inside hosts to access the outside for any IP traffic. Also allows OSPF. ] access-group OSPF in interface outside [ Allows OSPF. ] Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-17 OL-6392-01...
Page 352

B-4). Each context (A, B, and C) monitors the inside interface and outside interface. The secondary FWSM is also in transparent, multiple context mode, and has the same software version. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-18 OL-6392-01...
Page 353

The mode and the activation key are not stored in the configuration file, even though they do endure reboots. If you view Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-19...
Page 354

10.0.2.1 255.255.255.0 standby 10.0.2.2 monitor-interface inside monitor-interface outside route outside 0 0 10.0.2.4 1 telnet 10.0.2.14 255.255.255.255 inside access-list INTERNET extended permit ip any any Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-20 OL-6392-01...
Page 355

Example 6: Switch Configuration The following lines in the Cisco IOS switch configuration on both switches relate to the FWSM. For information about configuring redundancy for the switch, see the switch documentation. firewall multiple-vlan-interfaces firewall module 1 vlan-group 1...
Page 356

200 timers 5 15 standby 200 authentication Secret no shut interface range gigabitethernet 2/1-3 channel-group 2 mode on switchport trunk encapsulation dot1q no shut Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-22 OL-6392-01...
Page 357

The CLI uses similar syntax and other conventions to the Cisco IOS CLI, but the FWSM operating Note system is not a version of Cisco IOS software. Do not assume that a Cisco IOS CLI command works or has the same function with the FWSM.
Page 358

In addition, you can con te enter to represent 0.0.0.0 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 359

Replace regexp with any Cisco IOS regular expression. The regular expression is not enclosed in quotes or double-quotes, so be careful with trailing white spaces, which will be taken as part of the regular expression.
Page 360

Passwords, page C-6 • Multiple Security Context Files, page C-6 • To download the file, see the “Downloading a Text Configuration” section on page 16-6. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 361

How Commands Correspond with Lines in the Text File The text configuration file includes lines that correspond with the commands described in this guide and in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
Page 362: Command Help

In addition, you can enter any command by itself on the command line and then press Enter to view the command syntax. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 363

Because Class A addresses have 16,777,214 host addresses, and Class B addresses 65,534 hosts, you can use subnet masking to break these huge networks into smaller subnets. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 364

You can also supernet multiple Class C networks into a larger network by using part of the third octet for the extended network prefix. For example, 192.168.0.0/20. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 365

The following sections describe how to determine the network address to use with a subnet mask for a Class C-size and a Class B-size network: • Class C-Size Network Address, page D-4 • Class B-Size Network Address, page D-4 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 366

10.1.240.0 to 10.1.255.255 1. The first and last address of a subnet are reserved. In the first subnet example, you cannot use 10.1.0.0 or 10.1.15.255. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 367

The FWSM does not pass multicast packets. Many routing protocols use multicast packets for data Note transfer. If you need to send routing protocols across the FWSM, configure the routers with the Cisco IOS software neighbor command. We consider it inherently dangerous to send routing protocols across the FWSM.
Page 368

DNSIX Session Management Module Audit Redirector echo TCP, UDP Echo exec Remote process execution finger Finger File Transfer Protocol (control port) ftp-data File Transfer Protocol (data port) Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 369

Post Office Protocol - Version 3 pptp 1723 Point-to-Point Tunneling Protocol radius 1645 Remote Authentication Dial-In User Service radius-acct 1646 Remote Authentication Dial-In User Service (accounting) Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 370

RFC 854 Telnet tftp Trivial File Transfer Protocol time Time uucp UNIX-to-UNIX Copy Program whois Who Is World Wide Web xdmcp X Display Manager Control Protocol Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 371

Table D-4 ICMP Types ICMP Number ICMP Name echo-reply unreachable source-quench redirect alternate-address echo router-advertisement router-solicitation time-exceeded parameter-problem timestamp-request timestamp-reply information-request information-reply mask-request mask-reply conversion-error mobile-redirect Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 372

Appendix D Addresses, Protocols, and Ports Reference ICMP Types Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide D-10 OL-6392-01...
Page 373: Acronyms And Abbreviations

Bootstrap Protocol—Lets diskless workstations boot over the network and is described in RFC 951 and RFC 1542. BPDU bridge protocol data unit. Berkeley Standard Distribution. certification authority. Cisco Discovery Protocol. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 374

A collection of protocols that allow the transmission of voice data over TCP/IP networks. HTTP HyperText Transfer Protocol—The service that handles access to the World Wide Web. HTTPS HTTP over SSL. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 375

Telnet sessions to the console. MGCP Media Gateway Control Protocol. Management Information Base—Used with SNMP. MPLS Multiprotocol Label Switching. MSFC Multilayer Switch Feature Card. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 376

Routing Information Protocol. Remote Procedure Call. Rivest, Shamir, and Adelman. RSA is the trade name for RSA Data Security, Inc. Remote Shell—as in Remote Shell protocol. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 377

Triple Data Encryption Standard. Also known as 3DES. uauth User authentication. User Datagram Protocol. Universal Resource Locator. UUIE user-user information element. VLAN virtual LAN. VoIP Voice over IP. Virtual Private Network. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 378

Acronyms and Abbreviations (continued) Abbreviation Description wide-area network. WINS Windows Internet Naming Service. World Wide Web. XDMCP X Display Manager Control Protocol. xlate Translation session. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 379

10-25 access control lists standard 10-17 See ACLs acronyms accounting activation key 12-27 5-10 ACEs Active Directory 13-11 expanded active state, failover 10-7 15-2 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-1 OL-6392-01...
Page 380

12-23 Cisco IOS versions overview 12-2 Cisco IP/TV 13-15 Cisco IP Phones inspection engine 13-18 with DHCP 8-20 backing up configuration Cisco PDM 16-5 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-2 OL-6392-01...
Page 381: Command Prompts C

16-5 transparent firewall 10-3 examples DMZ, definition failover 15-10 minimum xxiii inspection engine 13-6 saving NAT effect on 9-13 switch protection from attacks Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-3 OL-6392-01...
Page 382

10-17 standby state 15-2 examples stateful failover extended ACL 10-13 overview 15-2 state information 15-3 state link 15-3 statistics 15-21 failover switch configuration 2-11 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-4 OL-6392-01...
Page 383

2-13 management connection 11-4 size maximum connections Flood Defender RSA key 11-4 Flood Guard Frag Guard fragment size ICMP authentication 12-21 10-15 filtering 14-6 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-5 OL-6392-01...
Page 384

11-5 client 13-16 11-7 Skinny management access 13-18 11-5 SMTP 13-19 transforms 11-6 SQL*Net IP spoofing, protection from 13-20 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-6 OL-6392-01...
Page 385

Flash login command 12-9 login password rules 10-7 changing message-of-the-day banner default MGCP inspection engine 13-12 MIBs 17-2 Microsoft Exchange 13-19 minimum configuration xxiii Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-7 OL-6392-01...
Page 386

NetMeeting 13-11 9-13 Network Activity test 15-14 dynamic NAT Network Address Translation configuring 9-23 See NAT implementation 9-17 network processors overview embryonic limit 9-24 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-8 OL-6392-01...
Page 387

NSSA 8-12 changing overview default packet pacing 8-16 maintenance partition processes changing redistributing routes default route calculation timers 8-15 troubleshooting 17-9 route map Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-9 OL-6392-01...
Page 388

12-8 from the module 17-8 prompt from the switch 2-13 privilege levels, for commands 12-11 resource management prompts Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-10 OL-6392-01...
Page 389

PIX comparison same security same security level communication setting embryonic connections 6-10 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-11 OL-6392-01...
Page 390

Sun RPC, inspection engine 16-2 13-21 maintenance supervisor engine versions 16-5 source quench, ICMP message supervisor IOS SPAN session SVIs specifications configuring Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-12 OL-6392-01...
Page 391: Syntax Formatting C

TCP intercept 5-29 maximum connections 6-11 overview mode, setting 4-16 security level requirements multicast traffic TCP ports and literal values 4-11 TCP sequence number randomization Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-13 OL-6392-01...
Page 392

See security contexts Virtual Re-assembly VLANs adding to switch allocating to a context 5-20 assigning to FWSM assigning to switch ports failover interface 15-3 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-14 OL-6392-01...

This manual also for:

7600 series