Page 1 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Release 2.3 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Text Part Number: OL-6392-01...
Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCSP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco...
Page 3 VLAN Interfaces How the Firewall Services Module Works with the Switch Using the MSFC 1-10 Routed Firewall and Transparent Firewall Modes 1-11 Security Contexts 1-12 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 4: Table Of Contents
Firewall Mode Overview Routed Mode Overview IP Routing Support Network Address Translation How Data Moves Through the FWSM in Routed Firewall Mode Transparent Mode Overview Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 5 Changing the Security Context URL 5-23 Reloading a Security Context 5-24 Reloading by Clearing the Configuration 5-24 Reloading by Removing and Re-adding the Context 5-24 Monitoring Security Contexts 5-24 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 6 Assigning IP Addresses to Interfaces for a Routed Firewall Setting the Management IP Address for a Transparent Firewall Configuring the Default Route Configuring Static Routes Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 7 Outside NAT 9-10 NAT and Same Security Level Interfaces 9-11 Order of NAT Commands Used to Match Local Addresses 9-12 Maximum Number of NAT Statements 9-12 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 8 Access Control List Override 10-13 Adding an Extended Access Control List 10-13 Adding an EtherType Access Control List 10-16 Adding a Standard Access Control List 10-17 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide viii OL-6392-01...
Page 9 12-1 AAA Performance 12-2 About Authentication 12-2 About Authorization 12-2 About Accounting 12-3 AAA Server and Local Database Support 12-4 Configuring the Local Database 12-6 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 10 13-2 Inspection Support 13-2 Configuring an Inspection Engine 13-4 Detailed Information About Inspection Engines 13-5 CUSeeMe Inspection Engine 13-5 DNS over UDP Inspection Engine 13-6 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 11 Configuring General Filtering Parameters 14-2 Identifying the Filtering Server 14-2 Buffering Replies 14-3 Setting the Maximum Length of Long HTTP URLs 14-4 Caching URL Servers 14-4 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 12 15-19 Viewing Monitored Interfaces 15-22 Testing the Failover Functionality 15-22 Forcing Failover 15-23 Disabling Failover 15-23 Monitoring Failover 15-23 Failover System Messages 15-24 SNMP 15-24 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 13 17-9 Clearing the Application Partition Passwords and AAA Settings 17-9 Recovering the Maintenance Partition Passwords 17-10 Other Troubleshooting Tools 17-10 Viewing Debug Messages 17-10 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide xiii OL-6392-01...
Page 14 Example 5: System Configuration B-16 Example 5: Admin Context Configuration B-17 Example 5: Customer A Context Configuration B-17 Example 5: Customer B Context Configuration B-17 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 15 Private Networks Subnet Masks Determining the Subnet Mask Determining the Address to Use with the Subnet Mask Protocols and Applications TCP and UDP Ports ICMP Types Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 16 Contents Acronyms and Abbreviations A P P E N D I X N D E X Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 17: Document Objectives
This guide is for network managers who perform any of the following tasks: Managing network security • • Installing and configuring firewalls Managing default and static routes, and TCP and UDP services • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide xvii OL-6392-01...
Page 18: Chapter 2 Configuring The Switch For The Firewall Services Module
Messages Guide Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Installation • Note Release Notes for the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services • Module Document Organization This guide includes the following chapters and appendixes: •...
Page 19: Document Conventions
Chapter 17, “Monitoring and Troubleshooting the Firewall Services Module,” tells how to monitor • and troubleshoot the FWSM. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Messages Guide for detailed information about system logging. •...
Page 20: Ordering Documentation
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL: http://tools.cisco.com/RPF/register/register.do...
Page 21 Cisco TAC engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
Page 22: Obtaining Additional Publications And Information
• Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/ The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as • ordering and customer support services. Access the Cisco Product Catalog at this URL: http://cisco.com/univercd/cc/td/doc/pcat/ Cisco Press publishes a wide range of general networking, training and certification titles.
Page 23 Assign an IP address to each interface. page 8-2 Step 9 Configuring the Default Route, page 8-2 Create a default route to an upstream router. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide xxiii OL-6392-01...
Page 24 Adding an Extended Access Control List, page 10-13 Before any traffic can go through the FWSM, you must create an ACL that permits traffic, and then apply it to an interface. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide xxiv OL-6392-01...
Page 25 Adding an Extended Access Control List, page 10-13 Before any traffic can go through the FWSM, you must create an ACL that permits traffic, and then apply it to an interface. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 26 Quick Start Steps Transparent Firewall Configuration Steps Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide xxvi OL-6392-01...
Page 27 The Firewall Services Module (FWSM) is a high-performance, space-saving, stateful firewall module that installs in the Catalyst 6500 series switches and the Cisco 7600 series routers. Firewalls protect inside networks from unauthorized access by users on an outside network. The firewall can also protect inside networks from each other, for example, by keeping a human resources network separate from a user network.
Page 28 1. The FWSM does not support the supervisor 1 or 1A. 2. Supports multiple switched VLAN interfaces (SVIs) between the MSFC and FWSM. An SVI is a VLAN interface that is routed on the MSFC. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 29 Other releases that do not support BPDU forwarding only support transparent mode without failover. 4. When you use Catalyst OS on the supervisor, you can use any of the supported Cisco IOS releases above on the MSFC. (When you use Cisco IOS software on the supervisor, you use the same release on the MSFC.) The supervisor software determines...
Page 30 2. Open Shortest Path First 3. Routing Information Protocol 4. access control lists 5. Dynamic Host Configuration Protocol 6. Firewall Management Center 7. command-line interface Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 31 For UDP, which does not have sessions, the FWSM creates UDP connection state information so that it can also use the fast path. ICMP control packets – Data packets for protocols that require Layer 7 inspection – Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 32 (or bastion host) system. Mail Guard enforces a safe minimal set of SMTP commands to avoid an SMTP server system from being compromised. Enable this feature using the fixup protocol smtp 25 command. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 33 IP packets that lack a verifiable IP source address. Enable this feature using the ip verify reverse-path command. 1. Domain Name System 2. denial of service 3. Simple Mail Transfer Protocol 4. synchronization Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 34: Vlan Interfaces
By default, no traffic can pass through the firewall. By applying ACLs to interfaces, you can determine which IP addresses and traffic types can pass through the interfaces to access other networks. By default, the Cisco PIX firewall allows traffic to flow freely from an inside network (higher security Note level) to an outside network (lower security level).
Page 35 VLAN 202 How the Firewall Services Module Works with the Switch You can install the FWSM in the Catalyst 6500 series switches and the Cisco 7600 series routers. The configuration of both series is identical, except for the following variations: The Catalyst 6500 series switches supports two software modes: •...
Page 36 VLAN 200 MSFC FWSM VLAN 200 VLAN 201 FWSM MSFC VLAN 301 VLAN 303 VLAN 201 VLAN 203 Inside Inside VLAN 302 VLAN 202 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 1-10 OL-6392-01...
Page 37 ACLs to allow traffic through. Transparent mode can also optionally use EtherType ACLs to allow non-IP traffic. Transparent mode only supports two interfaces, an inside interface and an outside interface. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 1-11 OL-6392-01...
Page 38 You can run all your contexts in routed mode or transparent mode; you cannot run some contexts in one mode and others in another. Multiple context mode supports static routing only. Note Chapter 5, “Managing Security Contexts,” for more information. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 1-12 OL-6392-01...
Page 39: Switch Overview
Managing the Firewall Services Module Boot Partitions, page 2-12 Switch Overview You can install the FWSM in the Catalyst 6500 series switches or the Cisco 7600 series routers. The configuration of both series is identical, and the series are referred to generically in this guide as the “switch.”...
Page 40: Verifying The Module Installation
See the following topics: Prerequisites, page 2-3 • Assigning VLANs in Cisco IOS Software, page 2-3 • Assigning VLANs in Catalyst Operating System Software, page 2-5 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 41: Prerequisites
Assigning VLANs in Cisco IOS Software In Cisco IOS software, create one or more firewall VLAN groups, and then assign the groups to the FWSM. For example, you can assign all the VLANs to one group, or you can create an inside group and an outside group, or you can create a group for each customer.
Page 42 50 55-57 51 70-85 52 100 To view VLAN group numbers for all modules, enter the following command: Router# show firewall module Module Vlan-groups 50,52 51,52 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 43: Assigning Vlans In Catalyst Operating System Software
Configuring SVIs for Cisco IOS Software on the Supervisor Engine, page 2-8 • Configuring SVIs for Catalyst Operating System Software on the Supervisor Engine, page 2-9 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 44: Svi Overview
FWSM by assigning both the inside and outside VLANs to the MSFC. (See Figure 2-1.) Figure 2-1 Multiple SVI Misconfiguration Internet Switch VLAN 100 MSFC VLAN 200 FWSM VLAN 201 VLAN 201 Inside Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 45 ACL that allows only IPX traffic to pass on VLAN 201. Figure 2-2 Multiple SVIs for IPX Internet Switch VLAN 100 MSFC VLAN 200 FWSM VLAN 201 VLAN 201 Inside IPX Host IP Host Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 46: Configuring Svis For Cisco Ios Software On The Supervisor Engine
Customer B Configuring SVIs for Cisco IOS Software on the Supervisor Engine If you are running Cisco IOS software on the supervisor engine, follow these steps to add an SVI to the MSFC: (Optional) To allow you to add more than one SVI to the FWSM, enter the following command:...
Page 47: Configuring Svis For Catalyst Operating System Software On The Supervisor Engine
(Optional) To allow you to add more than one SVI to the FWSM. enter the following command: Step 1 Console> (enable) set firewall multiple-vlan-interfaces enable To disable this setting, enter the following command: Console> (enable) set firewall multiple-vlan-interfaces disable Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 48 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set ARP type:ARPA, ARP Timeout 04:00:00 Last input never, output 00:00:08, output hang never Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 2-10 OL-6392-01...
Page 49: Customizing The Fwsm Internal Interface
Assigning VLANs to the Secondary Firewall Services Module, page 2-12 • Adding a Trunk Between a Primary Switch and Secondary Switch, page 2-12 • Ensuring Compatibility with Transparent Firewall Mode, page 2-12 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 2-11 OL-6392-01...
Page 50: Assigning Vlans To The Secondary Firewall Services Module
Flash Memory Overview, page 2-13 • Setting the Default Boot Partition, page 2-13 • • Resetting the FWSM or Booting from a Specific Partition, page 2-13 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 2-12 OL-6392-01...
Page 51: Flash Memory Overview
The reset process might take several minutes. For Cisco IOS software, when you reset the FWSM, you can also choose to run a full memory test. When the FWSM initially boots, it only runs a partial memory test. A full memory test takes approximately six minutes.
Page 52: Resetting The Fwsm In Cisco Ios Software
1 (maintenance), 4 (application), or 5 (application). If you do not specify the partition, the default partition is used (typically cf:4). Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 2-14...
Page 53: Chapter 3 Connecting To The Firewall Services Module And Managing The Configuration
For multiple context mode, see the “Logging into the FWSM in Multiple Context Mode” section on Note page 5-9 for more information about logging into security contexts. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 54 (privileged mode, configuration mode, etc.). Step 5 To access configuration mode, enter the following command: FWSM# configure terminal The prompt changes to the following: FWSM(config)# Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 55: Managing The Configuration At The Cli
To view the running configuration, enter the following command: • FWSM# show running-config To view the startup configuration, enter the following command: • FWSM# show startup-config Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 56: Clearing And Removing Configuration Settings
In most cases, commands described in this guide are preceded by a CLI prompt. The prompt in the following example is “FWSM(config)#”: FWSM(config)# class gold Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 57 In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows: class gold See the “Text Configuration Files” section on page C-4 for more information about formatting the file. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 58 Chapter 3 Connecting to the Firewall Services Module and Managing the Configuration Managing the Configuration at the CLI Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 59: Firewall Mode Overview
IP Routing Support, page 4-2 • Network Address Translation, page 4-2 • How Data Moves Through the FWSM in Routed Firewall Mode, page 4-3 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 60: Network Address Translation
NAT Example Web Server www.cisco.com Outside 209.165.201.2 Originating Responding Packet Packet FWSM Source Addr Translation Dest Addr Translation 10.1.2.27 209.165.201.10 209.165.201.10 10.1.2.27 10.1.2.1 Inside 10.1.2.27 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 61: How Data Moves Through The Fwsm In Routed Firewall Mode
The FWSM receives the packet, and because it is a new session, the FWSM verifies that the packet is allowed according to the terms of the security policy (ACLs, filters, AAA). Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 62 For multiple context mode, the FWSM first classifies the packet according to either a unique VLAN or a unique destination address. In this case, the VLAN would be unique; the www.cisco.com IP address is not located uniquely within a context and is not a unique destination address.
Page 63 DMZ website. Figure 4-4 Inside to DMZ Outside Switch 209.165.201.2 FWSM 10.1.2.1 10.1.1.1 Inside User Web Server 10.1.2.27 10.1.1.3 Source Addr Translation 10.1.2.27 10.1.1.15 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 64 The FWSM forwards the packet to the inside user. An Outside User Attempts to Access an Inside Host Figure 4-5 shows an outside user attempting to access the inside network. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 65 If the outside user is attempting to attack the inside network, the FWSM employs many technologies to determine if a packet is valid for an already established session. See the “Other Protection Features” section on page 1-6 for more information. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 66: Transparent Mode Overview
Using the Transparent Firewall in Your Network, page 4-10 • Transparent Firewall Guidelines, page 4-11 • How Data Moves Through the Transparent Firewall, page 4-12 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 67: Transparent Firewall Features
FWSM can reach that subnet. See the “Configuring Static Routes” section on page 8-3 for more information. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 68: Using The Transparent Firewall In Your Network
VLANs. Figure 4-7 Transparent Firewall Network Internet Switch 10.1.1.1 VLAN 100 FWSM 10.1.1.2 Network A VLAN 200 10.1.1.3 192.168.1.2 Network B Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 4-10 OL-6392-01...
Page 69: Transparent Firewall Guidelines
You must use an extended ACL to allow Layer 3 traffic, such as IP traffic, through the FWSM. • You can also optionally use an EtherType ACL to allow non-IP traffic through. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 4-11 OL-6392-01...
Page 70: How Data Moves Through The Transparent Firewall
An Outside User Visits a Website on the Inside Network, page 4-14 • An Outside User Attempts to Access an Inside Host, page 4-15 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 4-12 OL-6392-01...
Page 71 The FWSM forwards the packet to the inside user. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 4-13 OL-6392-01...
Page 72 VLAN on the inside and outside, so the IP address would not be considered. The FWSM records that a session is established. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 4-14 OL-6392-01...
Page 73 See the “Other Protection Features” section on page 1-6 for more information. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 4-15 OL-6392-01...
Page 74: Setting The Firewall Mode
• To set the mode to routed, enter the following command in the system execution space: FWSM(config)# no firewall transparent Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 4-16 OL-6392-01...
Page 75: Security Context Overview
Typically, the admin context provides network access to network-wide resources, such as a syslog server or context configuration server. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 76: Common Uses For Security Contexts
Each packet that enters the FWSM must be classified, so that the FWSM can determine to which context to send a packet. The classifier checks for the following characteristics: • Source interface (VLAN) Destination address • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 77 Context A Context B Context C Context VLAN 201 VLAN 202 VLAN 203 VLAN 204 Inside Admin Inside Inside Customer C Network Customer A Customer B Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 78 Context B Context C Context Classifier VLAN 201 VLAN 202 VLAN 203 VLAN 204 Inside Admin Inside Inside Customer C Network Customer A Customer B Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 79: Ip Routing Support
This section includes the following topics: Sharing Resources, page 5-6 • Shared Interface Limitations, page 5-7 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 80: Sharing Resources
VLAN 202 VLAN 203 VLAN 204 Inside Inside Inside Admin Customer C Customer A Network Customer B VLAN 300 Shared Network Syslog Server AAA Server Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 81: Shared Interface Limitations
VLAN, the classifier cannot use the VLAN to classify traffic). However, the FWSM classifier only “knows” about context addresses from already existing NAT translations (returning traffic) and from static NAT translations. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 82 NAT statements for classification purposes. For example, if you send a packet from a host on an inside shared VLAN to www.cisco.com, the FWSM does not know to which context to send the packet unless you statically translate the www.cisco.com IP address in one of the contexts.
Page 83: Logging Into The Fwsm In Multiple Context Mode
The system execution space does not support any AAA commands, but you can configure its own login and enable passwords, as well as usernames in the local database to provide individual logins. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 84: Enabling Or Disabling Multiple Context Mode
Your FWSM might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. To view the mode, enter show mode.
Page 85: Enabling Multiple Context Mode
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-11...
Page 86: Classes And Class Members Overview
Total Number of System Connections = 999,900 Max. 20% (199,800) Maximum connections allowed. (159,984) Connections in use. (119,988) Connections denied because system limit (79,992) was reached. (39,996) Contexts in Class Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-12 OL-6392-01...
Page 87: Default Class
Telnet sessions—5 sessions. • SSH sessions—5 sessions. • IPSec sessions—5 sessions. • MAC addresses—65,535 entries. • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-13 OL-6392-01...
Page 88: Class Members
FWSM(config)# class name The name is a string up to 20 characters long. To set the limits for the default class, enter default for the name. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-14 OL-6392-01...
Page 89 10,000 per second (rate) Application inspection. hosts 256 K concurrent Hosts that can connect through the FWSM. ipsec 1 minimum 10 concurrent IPSec sessions 5 maximum concurrent Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-15 OL-6392-01...
Page 90 To add a class called silver with all resources set to 3 percent, except for syslogs, with a setting of 500 per second, enter the following commands: FWSM(config)# class silver FWSM(config-class)# limit-resource all 3% FWSM(config-class)# limit-resource rate syslogs 500 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-16 OL-6392-01...
Page 91: Acl Memory Partitions Overview
If you are using a failover configuration, you must use these recommended command sequences: On the active module, use this sequence: resource acl-partition X write mem reload On the redundant module, use this sequence: reload Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-17 OL-6392-01...
Page 92 FWSM(config)# context bandn FWSM(config-context)# allocate-acl-partition 0 FWSM(config)# context borders FWSM(config-context)# allocate-acl-partition 0 FWSM(config)# context mompopa FWSM(config)# context mompopb FWSM(config)# context mompopc FWSM(config)# context mompopd Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-18 OL-6392-01...
Page 93: Configuring A Security Context
“count” or “detail.” “system” is a reserved name, and cannot be used. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-19...
Page 94 To identify the URL from which the system downloads the context configuration, enter the following command: FWSM(config-context)# config-url url When you add a context URL, the system immediately loads the context so that it is running. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-20 OL-6392-01...
Page 95 FWSM(config-context)# allocate-interface vlan300-vlan305 int3-int8 FWSM(config-context)# config-url ftp://joe:passw0rd@10.1.1.1/configlets/test.cfg FWSM(config-context)# member gold FWSM(config-context)# context sample FWSM(config-context)# allocate-interface vlan101 int1 FWSM(config-context)# allocate-interface vlan201 int2 FWSM(config-context)# allocate-interface vlan306-vlan311 int3-int8 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-21 OL-6392-01...
Page 96: Removing A Security Context
For example, you cannot view all running configurations (system plus all contexts) by entering the show running-config command. Only the current configuration displays. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-22 OL-6392-01...
Page 97: Changing The Security Context Url
To enter the new URL, enter the following command: Step 4 FWSM(config)# config-url new_url The system immediately loads the context so that it is running. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-23 OL-6392-01...
Page 98: Reloading A Security Context
“Configuring a Security Context” section on page 5-19 Monitoring Security Contexts This section describes how to view and monitor context information, and includes the following topics: Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-24 OL-6392-01...
Page 99: Viewing Context Information
Context "contexta", is active Config URL: disk:/contexta.cfg Interfaces: vlan10,100-101 Class: default, Flags: 0x00000055, ID: 2 The “Flags” and “ID” fields are for internal use only. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-25 OL-6392-01...
Page 100: Viewing Resource Allocation
FWSM converts the percentage to an absolute number for this display. % of Avail The percentage of the total system resources that is allocated across all contexts. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-26 OL-6392-01...
Page 101 5.00% silver 10.00% bronze All Contexts: 20.00% Xlates default unlimited gold unlimited silver 23040 23040 10.00% bronze 11520 All Contexts: 23040 10.00% Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-27 OL-6392-01...
Page 102: Viewing Resource Usage
Enter the top n keyword to show the contexts that are the top n users of the specified resource. You must specify a single resource type, and not resource all, with this option. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-28...
Page 103: Monitoring Syn Attacks Using Tcp Intercept
TCP intercept for the entire system using the show resource usage summary detail command. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-29...
Page 104 0 c1 chunk:static unlimited 0 c1 tcp-intercept-rate 16056 16254 unlimited 0 c1 globals unlimited 0 c1 np-statics unlimited 0 c1 statics unlimited 0 c1 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-30 OL-6392-01...
Page 105 116448(S) 0 Summary console-access-rul 4356(S) 0 Summary fixup-rules 8032(S) 0 Summary S = System:Total exceeds the system limit; the system limit is shown Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-31 OL-6392-01...
Page 106 Chapter 5 Managing Security Contexts Monitoring Security Contexts Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 5-32 OL-6392-01...
Page 107: Changing The Passwords
Changing the Maintenance Partition Passwords, page 6-2 • In multiple context mode, every context and the system execution space has its own login policies and Note passwords. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 108: Changing The Login Password
The default password is “cisco.” guest—Lets you configure the network partition parameters and show crash dump information. • The default password is “cisco.” Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 109: Chapter 6 Configuring Basic Setting
This example shows how to set the password for the root account: root@localhost# passwd Changing password for user root New password: *sh1p Retype new password: *sh1p passwd: all authentication tokens updated successfully Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 110: Setting The Host Name
For a context, this name is used for RSA key generation. If you do not set a host name within a context, the context name is used for the host name in the key. You can view a context host name using the show hostname command. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 111: Setting The Domain Name
For example, to add a message-of-the-day banner, enter: FWSM/contexta(config)# banner motd Welcome to the $(hostname) firewall. FWSM/contexta(config)# banner motd Contact me at admin@admin.com for any FWSM/contexta(config)# banner motd issues. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 112: Configuring Interfaces
“Other Protection Features” section on page 1-6 for more information about TCP intercept. This feature is configured using the emb_limit option in the nat and static commands. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 113: Setting The Name And Security Level
NAT for these interfaces. Similarly, inspection engines are applied to both interfaces, as is filtering. By default, the Cisco PIX firewall allows traffic to flow freely from an inside network (higher security Note level) to an outside network (lower security level). However, the FWSM does not allow any traffic to pass between interfaces unless you explicitly permit it with an access control list (ACL).
Page 114: Allowing Communication Between Interfaces On The Same Security Level
TCP intercept, and connection limits. If you enable same security interface communication, you can still configure interfaces at different security levels as usual. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 115 Communication Between Hosts on the Same Interface Host IP cloud-2 Vlan60 10.6.37.0 MSFC Vlan70 Vlan10 IP cloud-1 IP cloud-3 10.6.36.0 10.6.35.0 Host Host SVI, Vlan20 10.6.34.0 FWSM Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 116: Turning Off And Turning On Interfaces
NAT, including NAT exemption. See the “Bypassing NAT” section on page 9-29 for more information. For transparent mode, the FWSM supports only the following method.) Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 6-10 OL-6392-01...
Page 117 For example, to set options for the host 10.1.1.1, enter the following command: FWSM/contexta(config)# static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255 norandomseq tcp 1000 200 udp 1000 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 6-11 OL-6392-01...
Page 118 Chapter 6 Configuring Basic Settings Configuring Connection Limits for Non-NAT Configurations Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 6-12 OL-6392-01...
Page 119: Customizing The Mac Address Table
Packets for remote devices—The FWSM generates a ping to the destination IP address so that the • FWSM can learn which interface receives the ping reply. The original packet is dropped. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 120: Adding A Static Mac Address
MAC address table. You can disable MAC address learning if desired. To disable MAC address learning, enter the following command: FWSM/contexta(config)# mac-learn interface_name disable The no form of this command reenables MAC address learning. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 121: Viewing The Mac Address Table
ARP spoofing can enable a “man-in-the-middle” attack. For example, a host sends an ARP request to the gateway router; the gateway router responds with the gateway router MAC address. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 122: Adding A Static Arp Entry
For example, to enable ARP inspection on the outside interface, and to drop all non-matching ARP packets, enter the following command: FWSM/contexta(config)# arp-inspection outside enable no-flood Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 123: Configuring Ip Addresses
Assigning IP Addresses to Interfaces for a Routed Firewall, page 8-2 • Setting the Management IP Address for a Transparent Firewall, page 8-2 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 124: Assigning Ip Addresses To Interfaces For A Routed Firewall
Traffic that originates on the FWSM might include communications to a syslog server, Websense or N2H2 server, or AAA server. The FWSM supports up to three equal cost routes on the same interface for load balancing. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 125: Configuring Static Routes
For example, to send all traffic destined for 10.1.1.0/24 to the router (10.1.2.45) connected to the inside interface, enter the following command: FWSM/contexta(config)# route inside 10.1.1.0 255.255.255.0 10.1.2.45 1 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 126: Configuring Ospf
OSPF uses a link-state algorithm to build and calculate the shortest path to all known destinations. Each router in an OSPF area contains an identical link-state database, which is a list of each of the router usable interfaces and reachable neighbors. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 127: Enabling Ospf
ID does not have to match the ID on any other device; it is for internal use only. You can use a maximum of two processes. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 128: Redistributing Routes Between Ospf Processes
“Adding a Standard Access Control List” section on page 10-17 to add the standard ACL. If you specify more than one ACL, then the route can match any of the ACLs. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 129 (LSAs) with a metric of 5, metric type of Type 1, and a tag equal to 1. FWSM(config)# route-map 1-to-2 permit FWSM(config-route-map)# match metric 1 FWSM(config-route-map)# set metric 5 FWSM(config-route-map)# set metric-type type-1 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 130 In the following example, the link-state cost is specified as 5, and the metric type is set to external, indicating that it has lower priority than internal metrics. FWSM(config)# router ospf 1 FWSM(config-router)# redistribute ospf 2 metric 5 metric-type external Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 131: Configuring Ospf Interface Parameters
To specify the length of time between the hello packets that the FWSM sends on an OSPF interface, • enter the following command: FWSM(config-interface)# ospf hello-interval seconds The value must be the same for all nodes on the network. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 132 FWSM(config-interface)# ospf priority 20 FWSM(config-interface)# ospf hello-interval 10 FWSM(config-interface)# ospf dead-interval 40 FWSM(config-interface)# ospf authentication-key cisco FWSM(config-interface)# ospf message-digest-key 1 md5 cisco FWSM(config-interface)# ospf authentication message-digest Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-10 OL-6392-01...
Page 133: Configuring Ospf Area Parameters
To enable authentication for an OSPF area, enter the following command: FWSM(config-router)# area area-id authentication To enable MD5 authentication for an OSPF area, enter the following command: • FWSM(config-router)# area area-id authentication message-digest Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-11 OL-6392-01...
Page 134: Configuring Ospf Nssa
Step 2 Enter any of the following commands: To define an NSSA area, enter the following command: • FWSM(config-router)# area area-id nssa [no-redistribution] [default-information-originate] Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-12 OL-6392-01...
Page 135: Configuring Route Summarization Between Ospf Areas
FWSM(config-router)# area area-id range ip-address mask [advertise | not-advertise] This example shows how to configure route summarization between OSPF areas: FWSM(config)# router ospf 1 FWSM(config-router)# area 17 range 12.1.0.0 255.255.0.0 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-13 OL-6392-01...
Page 136: Configuring Route Summarization When Redistributing Routes Into Ospf
To force the autonomous system boundary router to generate a default route, enter the following Step 2 command: FWSM(config-router)# default-information originate [always] [metric metric-value ] [metric-type {1 | 2}] [route-map map-name ] Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-14 OL-6392-01...
Page 137: Configuring Route Calculation Timers
Configure log-adj-changes detail if you want to see messages for each state change. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-15...
Page 138: Displaying Ospf Update Packet Pacing
You can also display information about node reachability and discover the routing path that your device packets are taking through the network. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-16 OL-6392-01...
Page 139: Restarting The Ospf Process
To restart an OSPF process, clear redistribution, or counters, enter the following command: FWSM(config)# clear ip ospf pid {process | redistribution | counters [neighbor [ neighbor-interface ] [ neighbor-id ]]} Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-17 OL-6392-01...
Page 140: Configuring Rip
[authentication {text | md5} key key_id ]}] You can both types of RIP on an interface by entering the command two times, one for each method. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-18...
Page 141: Configuring The Dhcp Server
The address pool must be on the same subnet as the FWSM interface. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-19 OL-6392-01...
Page 142: Using Cisco Ip Phones With A Dhcp Server
Cisco IP Phones might also include DHCP option 3 in their requests, which lists the IP addresses of default routers. Cisco IP Phones might include both option 150 and 66 in a single request. In this case, the FWSM DHCP server provides values for both options in the response if they are configured on the FWSM.
Page 143: Configuring Dhcp Relay
FWSM/contexta(config)# dhcprelay enable interface (Optional) To set the number of seconds allowed for relay address negotiation, enter the following Step 3 command: FWSM/contexta(config)# dhcprelay timeout seconds Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-21 OL-6392-01...
Page 144 The following example enables the FWSM to forward DHCP requests from clients connected to the inside interface to a DHCP server on the outside interface: FWSM/contexta(config)# dhcprelay server 201.168.200.4 FWSM/contexta(config)# dhcprelay enable inside FWSM/contexta(config)# dhcprelay setroute inside Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 8-22 OL-6392-01...
Page 145: Nat Overview
Order of NAT Commands Used to Match Local Addresses, page 9-12 Maximum Number of NAT Statements, page 9-12 • • Global Address Guidelines, page 9-12 DNS and NAT, page 9-13 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 146: Nat Overview
You can resolve IP routing problems such as overlapping addresses. Table 13-1 on page 13-2 for information about protocols that are not supported by NAT. Note Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 147: Nat Types
The global pool can include fewer addresses than the local group. When a local host accesses the destination network, the FWSM assigns it an IP address from the global pool. Because the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 148: Pat
IP address after the translation times out (see the timeout xlate command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference). Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (even if the connection is allowed by an access control list (ACL)).
Page 149: Static Nat
This feature lets you identify the same global address across many different static statements, so long as the port is different for each statement (you cannot use the same global address for multiple static NAT statements). Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 150 8080 port. Similarly, if you want to provide extra security, you can tell your web users to connect to non-standard port 6785, and then translate them to port 80 on the local network. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 151: Bypassing Nat
The classifier only looks at static statements where the global interface matches the source interface of the packet. Because NAT exemption does not identify a global interface, the classifier does not consider those NAT statements for classification purposes. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 152: Policy Nat
FWSM/contexta(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224 FWSM/contexta(config)# nat (inside) 1 access-list NET1 FWSM/contexta(config)# global (outside) 1 209.165.202.129 FWSM/contexta(config)# nat (inside) 2 access-list NET2 FWSM/contexta(config)# global (outside) 2 209.165.202.130 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 153 Figure 9-5 shows a global host connecting to a local host. The local host has a policy Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 154: Outside Nat
Because the inside host is also typically translated using a static NAT statement, both host addresses are translated. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-10...
Page 155: Nat And Same Security Level Interfaces
You might want to configure NAT exemption or identity NAT on same security interfaces to set connection limits. (See the “Setting Connection Limits in the NAT Configuration” section on page 9-16.) Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-11 OL-6392-01...
Page 156: Order Of Nat Commands Used To Match Local Addresses
For PAT, you can even use the IP address of the global interface. Addresses on a unique network. • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-12 OL-6392-01...
Page 157: Dns And Nat
NAT configuration. You can configure DNS modification when you configure each NAT translation. For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the inside interface. You configure the FWSM to statically translate the ftp.cisco.com local address (10.1.3.14) to a global address (209.165.201.10) that is visible on the outside network (See...
Page 158 Configuring Network Address Translation NAT Overview When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the global address (209.165.201.10). The FWSM refers to the static statement for the inside server and translates the address inside the DNS reply to 10.1.3.14.
Page 159 DNS server on the outside. The FWSM has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real local address, 209.165.20.10. Because you want inside users to use the translated global address for ftp.cisco.com (10.1.2.56) you need to configure DNS reply...
Page 160: Setting Connection Limits In The Nat Configuration
Using Dynamic NAT and PAT This section includes the following topics: Dynamic NAT and PAT Implementation, page 9-17 • Configuring NAT or PAT, page 9-23 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-16 OL-6392-01...
Page 161: Dynamic Nat And Pat Implementation
209.165.201.3 NAT 1: 10.1.2.0/24 Inside 10.1.2.27 See the following commands for this example: FWSM/contexta(config)# nat (inside) 1 10.1.2.0 255.255.255.0 FWSM/contexta(config)# global (outside) 1 209.165.201.3-209.165.201.10 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-17 OL-6392-01...
Page 162 See the following commands for this example: FWSM/contexta(config)# nat (inside) 1 10.1.2.0 255.255.255.0 FWSM/contexta(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 FWSM/contexta(config)# global (outside) 1 209.165.201.3-209.165.201.10 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-18 OL-6392-01...
Page 163 See the following commands for this example: FWSM/contexta(config)# nat (inside) 1 10.1.2.0 255.255.255.0 FWSM/contexta(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 FWSM/contexta(config)# global (outside) 1 209.165.201.3-209.165.201.10 FWSM/contexta(config)# global (dmz) 1 10.1.1.23 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-19 OL-6392-01...
Page 164 See the following commands for this example: FWSM/contexta(config)# nat (inside) 1 10.1.2.0 255.255.255.0 FWSM/contexta(config)# nat (inside) 2 192.168.1.0 255.255.255.0 FWSM/contexta(config)# global (outside) 1 209.165.201.3-209.165.201.10 FWSM/contexta(config)# global (outside) 2 209.165.201.11 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-20 OL-6392-01...
Page 165 Inside and the Outside interfaces), then you must configure a separate NAT statement without the outside option. In this case, you can identify the same addresses in both statements and use the same Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-21...
Page 166 FWSM/contexta(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 outside FWSM/contexta(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 FWSM/contexta(config)# static (inside,dmz) 10.1.2.27 10.1.1.5 netmask 255.255.255.255 FWSM/contexta(config)# global (outside) 1 209.165.201.3-209.165.201.4 FWSM/contexta(config)# global (inside) 1 10.1.2.30-1-10.1.2.40 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-22 OL-6392-01...
Page 167: Configuring Nat Or Pat
10.1.1.0 in one statement, but 10.1.1.1 in another. The traffic is matched to a policy NAT statement in order, until the first match, or for regular NAT, using the best match. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-23...
Page 168 “Configuring Identity NAT” section on page 9-29 for more information about identity NAT. See the policy NAT command above for information about other options. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-24 OL-6392-01...
Page 169 255.255.255.255 eq 23 FWSM/contexta(config)# nat (inside) 1 access-list WEB FWSM/contexta(config)# global (outside) 1 209.165.202.129 FWSM/contexta(config)# nat (inside) 2 access-list TELNET FWSM/contexta(config)# global (outside) 2 209.165.202.130 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-25 OL-6392-01...
Page 170: Using Static Nat
{ global_ip | interface} local_ip [netmask mask ] [dns] [norandomseq] [[tcp] tcp_max_conns [ emb_limit ]] [udp udp_max_conns ] See the “Configuring NAT or PAT” section on page 9-23 for information about the options. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-26 OL-6392-01...
Page 171: Using Static Pat
NAT information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-27...
Page 172 Telnet traffic to the server. You need to create a more exclusive nat statement just for the Telnet server. Because nat statements are read for the best Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-28...
Page 173: Bypassing Nat
To configure identity NAT, enter the following command: FWSM/contexta(config)# nat ( local_interface ) 0 local_ip [ mask [dns] [outside | [norandomseq] [[tcp] tcp_max_conns [ emb_limit ]] [udp udp_max_conns ]]] Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-29 OL-6392-01...
Page 174: Configuring Static Identity Nat
To configure regular static identity NAT, enter the following command: FWSM/contexta(config)# static ( local_interface , global_interface ) local_ip local_ip [netmask mask ] [dns] [norandomseq] [[tcp] tcp_max_conns [ emb_limit ]] [udp udp_max_conns ] Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-30 OL-6392-01...
Page 175: Configuring Nat Exemption
Because NAT exemption does not identify a global interface, the classifier does not consider those NAT statements for classification purposes. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-31...
Page 176: Nat Examples
FWSM/contexta(config)# nat (inside) 0 access-list NET1 NAT Examples The following sections show typical scenarios that use NAT solutions: Overlapping Networks, page 9-33 • Redirecting Ports, page 9-34 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-32 OL-6392-01...
Page 177: Overlapping Networks
Configure the following static routes so that traffic to the dmz network can be routed correctly by the FWSM: FWSM/contexta(config)# route dmz 192.168.100.128 255.255.255.128 10.1.1.2 1 FWSM/contexta(config)# route dmz 192.168.100.0 255.255.255.128 10.1.1.2 1 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-33 OL-6392-01...
Page 178: Redirecting Ports
• • HTTP port 8080 requests to PAT address 209.165.201.15 are redirected to 10.1.1.7 port 80 To implement this scenario, complete the following steps: Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-34 OL-6392-01...
Page 179 Redirect HTTP requests on port 8080 for PAT address 209.165.201.15 to 10.1.1.7 port 80 by entering Step 5 the following command: FWSM/contexta(config)# static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-35 OL-6392-01...
Page 180 Chapter 9 Configuring Network Address Translation NAT Examples Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 9-36 OL-6392-01...
Page 181: Access Control List Overview
This section includes the following topics: Access Control List Types and Uses, page 10-2 • Access Control List Guidelines, page 10-6 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-1 OL-6392-01...
Page 182: Access Control List Types And Uses
See the “Stateful Inspection Feature” section on page 1-5 for more information. For connectionless protocols such as ICMP, however, you either need Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-2 OL-6392-01...
Page 183: Identifying Traffic For Aaa Rules (extended)
Permit entries in the ACL mark matching traffic for authorization, while deny entries exclude matching traffic from authorization. Apply the ACL using the aaa authorization match command in the “Configuring TACACS+ Authorization” section on page 12-24. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-3 OL-6392-01...
Page 184: Controlling Network Access For Ip Traffic For A Given User (extended)
Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses in an extended ACL. You can also optionally specify the source and destination ports. Regular NAT can only consider the local addresses. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-4 OL-6392-01...
Page 185: Vpn Management Access (extended)
To control non-IP traffic, perform the following task: Create and apply the ACL according to the “Adding an EtherType Access Control List” section on • page 10-16. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-5 OL-6392-01...
Page 186: Redistributing Ospf Routes (standard)
FWSM does not commit the ACL until the waiting period has passed and you do not enter more entries. The FWSM displays a message similar to the following after it commits the ACL: Access Rules Download Complete: Memory Utilization: < 1% Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-6 OL-6392-01...
Page 187: Maximum Number Of Aces
This guideline applies for both inbound and outbound ACLs: the direction does not determine the address used, only the interface does. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-7 OL-6392-01...
Page 188 209.165.201.4:port See the following commands for this example: FWSM/contexta(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225 FWSM/contexta(config)# access-group INSIDE in interface inside Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-8 OL-6392-01...
Page 189 Static NAT See the following commands for this example: FWSM/contexta(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5 FWSM/contexta(config)# access-group OUTSIDE in interface outside Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-9 OL-6392-01...
Page 190: Inbound And Outbound Access Control Lists
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-10...
Page 191 FWSM/contexta(config)# access-list HR extended permit ip any any FWSM/contexta(config)# access-group HR in interface hr FWSM/contexta(config)# access-list ENG extended permit ip any any FWSM/contexta(config)# access-group ENG in interface eng Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-11 OL-6392-01...
Page 192 FWSM/contexta(config)# access-list OUTSIDE extended permit tcp host 209.165.201.6 host 209.165.200.225 eq www FWSM/contexta(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www FWSM/contexta(config)# access-group OUTSIDE out interface outside Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-12 OL-6392-01...
Page 193: Access Control List Override
ACL information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-13...
Page 194 Note You specify a network mask in the access-list command (for example, 255.255.255.0 for a class C mask). This method is different from the Cisco IOS software access-list command, which uses wildcard bits (for example, 0.0.0.255). Add an ACE for a specific protocol by entering the following command: •...
Page 195 For example, you can allow BGP in an ACL in transparent mode, and you need to apply the ACL to both interfaces. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-15...
Page 196: Adding An Ethertype Access Control List
FWSM to use the IP address on the FWSM interface as the router-id for LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.) On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the FWSM:...
Page 197: Adding A Standard Access Control List
Standard ACLs identify the destination IP addresses of OSPF routes, and can be used in a route map for OSPF redistribution. Standard ACLs cannot be applied to interfaces to control traffic. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-17...
Page 198: Simplifying Access Control Lists With Object Grouping
After creating these groups, you could use a single ACE to allow trusted hosts to make specific service requests to a group of public servers. You can also nest object groups in other object groups. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-18 OL-6392-01...
Page 199: Adding Object Groups
The description can be up to 200 characters. To define the protocols in the group, enter the following command for each protocol: Step 3 FWSM/contexta(config-protocol)# protocol-object protocol Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-19 OL-6392-01...
Page 200 You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-20...
Page 201 FWSM/contexta(config)# object-group icmp-type grp_id The grp_id is a text string up to 64 characters in length. The prompt changes to the ICMP type subcommand mode. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-21 OL-6392-01...
Page 202: Nesting Object Groups
FWSM/contexta(config-network)# object-group network finance FWSM/contexta(config-network)# network-object host 10.1.4.89 FWSM/contexta(config-network)# network-object host 10.1.4.100 You then nest all three groups together as follows: FWSM/contexta(config)# object-group network admin Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-22 OL-6392-01...
Page 203: Using Object Groups With An Access Control List
FWSM/contexta(config)# object-group network denied FWSM/contexta(config-network)# network-object host 10.1.1.4 FWSM/contexta(config-network)# network-object host 10.1.1.78 FWSM/contexta(config-network)# network-object host 10.1.1.89 FWSM/contexta(config-network)# object-group network web FWSM/contexta(config-network)# network-object host 209.165.201.29 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-23 OL-6392-01...
Page 204: Displaying Object Groups
ACL. See the “Access Control List Commit” section on page 10-6 for more information about committing ACLs. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-24 OL-6392-01...
Page 205: Adding Remarks To Access Control Lists
For example, you can add remarks before each ACE, and the remark appears in the ACL in this location. Entering a dash (-) at the beginning of the remark helps set it apart from ACEs. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-25...
Page 206: Logging Extended Access Control List Activity
At the end of each interval, the FWSM resets the hit count to 0. If no packets match the ACE during an interval, the FWSM deletes the flow entry. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-26...
Page 207: Configuring Logging For An Access Control Entry
For connectionless protocols, such as ICMP, all packets are logged even if they are permitted, and all denied packets are logged. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Messages Guide for detailed information about this system message.
Page 208: Managing Deny Flows
FWSM/contexta(config)# access-list alert-interval secs The seconds are between 1 and 3600. 300 is the default. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 10-28 OL-6392-01...
Page 209: Allowing Remote Management
100 connections divided between all contexts. See the “Rule Limits” section on page A-5 for information about the maximum number of Telnet rules allowed for the entire system. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-1 OL-6392-01...
Page 210: Allowing Ssh
SSH v1.x and v2 are entirely different protocols and are not compatible. Make sure that you download Note a client that supports SSH v1.x. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-2 OL-6392-01...
Page 211: Configuring Ssh Access
To allow all users on the 192.168.3.0 network to access the FWSM on the inside interface, the following command: FWSM/contexta(config)# ssh 192.168.3.0 255.255.255.0 inside Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-3 OL-6392-01...
Page 212: Using An Ssh Client
FWSM/contexta(config)# pdm history enable If you do not enable PDM metrics history, you can view real-time data only and not historical data. This step is optional. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-4 OL-6392-01...
Page 213: Allowing A Vpn Management Connection
VPN peers occurs over a secure tunnel, which means the packets are encrypted and authenticated by the peers. The FWSM can connect to another VPN concentrator, such as a Cisco PIX firewall or a Cisco IOS router, using a site-to-site tunnel. You specify the peer networks that can communicate over the tunnel. In the case of the FWSM, the only address available on the FWSM end of the tunnel is the interface itself.
Page 214 For example, to configure the IKE policy and the IPSec transform sets, enter the following commands: FWSM/contexta(config)# isakmp policy 1 authentication pre-share FWSM/contexta(config)# isakmp policy 1 encryption 3des Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-6 OL-6392-01...
Page 215: Configuring Vpn Client Access
FWSM/contexta(config)# crypto ipsec transform-set site_to_site esp-3des ah-sha-hmac Configuring VPN Client Access A host with an installed version of the Cisco VPN Client can connect to the FWSM for management purposes over a public network, such as the Internet. To allow remote clients to connect to the FWSM for management access, first configure basic VPN settings (see “Configuring Basic Settings for All...
Page 216 FWSM/contexta(config)# vpngroup admin split-tunnel VPN_SPLIT FWSM/contexta(config)# vpngroup admin password $ecure23 FWSM/contexta(config)# telnet 10.1.1.1 255.255.255.255 outside FWSM/contexta(config)# telnet 10.1.1.2 255.255.255.255 outside FWSM/contexta(config)# telnet timeout 30 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-8 OL-6392-01...
Page 217: Configuring A Site-to-site Tunnel
11-2. For example, the following commands allow hosts connected to the peer router (209.165.202.129) to use Telnet on the outside interface (209.165.200.225). Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-9 OL-6392-01...
Page 218: Allowing Icmp To And From The Fwsm
For example, to allow all hosts except the one at 10.1.1.15 to use ICMP to the inside interface, enter the following commands: FWSM/contexta(config)# icmp deny host 10.1.1.15 inside FWSM/contexta(config)# icmp permit any inside Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-10 OL-6392-01...
Page 219 To allow the host at 10.1.1.15 to use only ping to the inside interface, enter the following commands: FWSM/contexta(config)# icmp permit host 10.1.1.15 inside Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-11 OL-6392-01...
Page 220 Chapter 11 Allowing Remote Management Allowing ICMP to and from the FWSM Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 11-12 OL-6392-01...
Page 221: Configuring Aaa
You can use accounting alone, or with authentication and authorization. This section includes the following topics: AAA Performance, page 12-2 • About Authentication, page 12-2 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-1 OL-6392-01...
Page 222: Aaa Performance
A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session expires. (See the timeout uauth command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for timeout values.) For...
Page 223: About Accounting
FWSM for the session, the service used, and the duration of each session. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-3 OL-6392-01...
Page 224: Aaa Server And Local Database Support
You can configure the FWSM to send accounting information user or IP address to the RADIUS server about any traffic that passes through the FWSM. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-4 OL-6392-01...
Page 225 1. The local database can act as a fallback method for each of these functions if the AAA server is unavailable. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-5 OL-6392-01...
Page 226: Configuring The Local Database
RADIUS or TACACS+. For multiple context mode, you can configure up to 4 servers in a maximum of 4 groups. In single mode, you can configure 16 servers in a maximum of 14 server groups. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-6...
Page 227 FWSM/contexta(config)# aaa-server AuthInbound (inside) host 10.1.1.1 TheUauthKey FWSM/contexta(config)# aaa-server AuthInbound (inside) host 10.1.1.2 TheUauthKey2 FWSM/contexta(config)# aaa-server AuthOutbound protocol radius FWSM/contexta(config)# aaa-server AuthOutbound (inside) host 10.1.1.3 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-7 OL-6392-01...
Page 228: Configuring Authentication For Cli Access
See the following sections for information about these methods: • Configuring Authentication for the enable Command, page 12-9 Authenticating Users Using the login Command, page 12-9 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-8 OL-6392-01...
Page 229: Configuring Authentication For The Enable Command
The FWSM prompts for your username and password. After you enter your password, the FWSM places you in the privilege level that the local database specifies. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-9...
Page 230: Configuring Command Authorization
Default Command Privilege Levels, page 12-11 • Assigning Privilege Levels to Commands and Enabling Authorization, page 12-11 • Viewing Command Privilege Levels, page 12-13 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-10 OL-6392-01...
Page 231: Local Command Authorization Prerequisites
[mode {enable | configure}] command command Repeat this command for each command you want to reassign. See the following information about the options in this command: Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-11 OL-6392-01...
Page 232 This example shows an additional command, the configure command, that uses the mode keyword: FWSM/contexta(config)# privilege show level 5 mode configure command configure FWSM/contexta(config)# privilege clear level 15 mode configure command configure Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-12 OL-6392-01...
Page 233: Viewing Command Privilege Levels
If you enable TACACS+ command authorization, and a user enters a command at the CLI, the FWSM sends the command and username to the TACACS+ server to determine if the command is authorized. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-13...
Page 234: Tacacs+ Command Authorization Prerequisites
The FWSM sends the commands to be authorized as “shell” commands, so configure the commands • on the TACACS+ server as shell commands. The Cisco Secure ACS server might include a command type called “pix-shell.” Do not use this Note type for FWSM command authorization.
Page 235 We recommend using this method so that you do not have to anticipate every variant of a command, including abbreviations and ?, which shows CLI usage. (See Figure 12-3.) Figure 12-3 Permitting All Related Commands Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-15 OL-6392-01...
Page 236 TACACS+ server, and not the expanded command show logging message. You can configure multiple spellings of the same argument to anticipate abbreviations. (See Figure 12-6.) Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-16 OL-6392-01...
Page 237: Enabling Tacacs+ Command Authorization
We recommend that you use the same username and password in the local database as the TACACS+ server because the FWSM prompt does not give any indication which method is being used. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-17...
Page 238: Viewing The Current Logged-in User
Current Mode/s Shows the access modes: P_UNPR—Unprivileged mode (levels 0 and 1) • P_PRIV—Privileged mode (levels 2 to 15) • P_CONF—Configuration mode • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-18 OL-6392-01...
Page 239: Recovering From A Lockout
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-19 OL-6392-01...
Page 240: Configuring Authentication For Network Access
Telnet; the user Telnets to a given IP address configured on the FWSM, and the FWSM provides a Telnet prompt. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information about the virtual telnet command.
Page 241: Enabling Network Access Authentication
FWSM/contexta(config)# access-list TELNET_AUTH extended permit tcp any host 209.165.201.5 eq telnet FWSM/contexta(config)# aaa-server AuthInbound protocol tacacs+ FWSM/contexta(config)# aaa-server AuthInbound (inside) host 10.1.1.1 TheUauthKey FWSM/contexta(config)# aaa authentication match TELNET_AUTH outside AuthInbound Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-21 OL-6392-01...
Page 242: Enabling Secure Authentication Of Web Clients
After enabling this feature, when a user accesses a web page requiring authentication, the FWSM displays the Authentication dialog box shown in Figure 12-7. Figure 12-7 Secure Authentication Page Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-22 OL-6392-01...
Page 243: Configuring Authorization For Network Access
If you do not enter a string using the auth-prompt command, this field will be blank. For the detailed syntax of this command, refer to the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
Page 244: Configuring Tacacs+ Authorization
FWSM/contexta(config)# aaa-server AuthOutbound protocol tacacs+ FWSM/contexta(config)# aaa-server AuthOutbound (inside) host 10.1.1.1 TheUauthKey FWSM/contexta(config)# aaa authentication match TELNET_AUTH inside AuthOutbound FWSM/contexta(config)# aaa authorization match SERVER_AUTH inside AuthOutbound Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-24 OL-6392-01...
Page 245: Configuring Radius Authorization
| permit icmp any host 10.0.0.252 | permit ip any any +--------------------------------------------+ The downloaded ACL on the FWSM has the following name: #ACSACL#-ip- acl_name - number Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-25 OL-6392-01...
Page 246 Downloaded ACLs have two spaces between the word “access-list” and the name. These spaces serve to differentiate a downloaded ACL from a local ACL. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-26 OL-6392-01...
Page 247: Configuring The Radius Server To Download Per-user Access Control List Names
FWSM/contexta(config)# aaa-server AuthOutbound (inside) host 10.1.1.1 TheUauthKey FWSM/contexta(config)# aaa authentication match TELNET_AUTH inside AuthOutbound FWSM/contexta(config)# aaa authorization match SERVER_AUTH inside AuthOutbound FWSM/contexta(config)# aaa accounting match SERVER_AUTH inside AuthOutbound Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-27 OL-6392-01...
Page 248 Chapter 12 Configuring AAA Configuring Accounting for Network Access Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-28 OL-6392-01...
Page 249: Chapter 13 Configuring Application Protocol Inspection
When you enable application inspection for a service that embeds IP addresses, the FWSM translates embedded addresses and updates any checksum or other fields that are affected by the translation. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-1...
Page 250: Inspection Limitations
If a inspection engine does not support outside NAT, consider using the alias command instead of outside NAT. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information about the alias command.
Page 251 2. The FWSM is in compliance with these standards, but it does not enforce compliance on packets being inspected. For example, FTP commands are supposed to be in a particular order, but the FWSM does not enforce the order. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-3...
Page 252: Configuring An Inspection Engine
FWSM/contexta(config)# fixup protocol ftp 9090 After entering these commands, the FWSM listens for FTP traffic on port 21, as well as 2100, 4254, and 9090. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-4 OL-6392-01...
Page 253: Detailed Information About Inspection Engines
H.323-standard format in H.323 mode. CUSeeMe is supported through H.323 inspection, as well as performing NAT on the CUSeeMe control stream, which operates on UDP port 7648. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-5 OL-6392-01...
Page 254: Dns Over Udp Inspection Engine
Command spoofing—The PORT command should always be sent from the client. The TCP connection is denied if a PORT command is sent from the server. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-6...
Page 255: H.323 Inspection Engine
You can set the inspection engines for H.232 and RAS (h225 and ras) separately. The default port for h225 is 1720 (TCP), and the default ports for ras are 1718-1719 (UDP). Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-7...
Page 256: Multiple Calls On One Call Signalling Connection
Real-Time Transport Protocol (RTP) uses the negotiated port number, while RTP Control Protocol (RTCP) uses the next higher port number. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-8...
Page 257 Each UDP connection with a packet going through the H.323 inspection engine is marked as an H.323 connection and will time out with the H.323 timeout as configured by the administrator using the timeout command. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-9 OL-6392-01...
Page 258: Http Inspection Engine
Original packet NAT IP is changed to the Client IP – Original packet NAT port is changed to the Client Port – Original packet IP checksum is recalculated – Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-10 OL-6392-01...
Page 259: Icmp Error Inspection Engine
ILS/LDAP follows a client/server model with sessions handled over a single TCP connection. Depending on the client’s actions, several of these sessions might be created. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-11...
Page 260: Mgcp Inspection Engine
This section includes the following topics: MGCP Overview, page 13-13 • Configuration for Multiple Call Agents and Gateways, page 13-13 • • Viewing MGCP Information, page 13-14 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-12 OL-6392-01...
Page 261: Mgcp Overview
The IP address of the gateway is specified with the ip_address option. The group_id option is a number from 0 to 4294967295. It must correspond with the group_id of the call agents that are managing the gateway. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-13 OL-6392-01...
Page 262: Viewing Mgcp Information
The RealAudio inspection engine allows the data channel to go through the FWSM when the data channel source port is between UDP ports 6790 and 7170. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-14...
Page 263: Rsh Inspection Engine
FWSM/contexta(config)# fixup protocol rtsp [ port [- port ]] The default port is 554 (TCP). If you are using Cisco IP/TV, use RTSP TCP port 554 and TCP 8554 as follows: FWSM/contexta(config)# fixup protocol rtsp 554 FWSM/contexta(config)# fixup protocol rtsp 8554 The following restrictions apply to the RTSP inspection engine: The FWSM does not inspect RTSP messages passing through UDP ports.
Page 264: Sip Inspection Engine
Session Description Protocol (SDP) files as part of HTTP or RTSP messages. Packets could be fragmented, and the FWSM cannot perform NAT on fragmented packets. With Cisco IP/TV, the number of translations the FWSM performs on the SDP part of the message •...
Page 265: Sip Overview
If there is a failure to receive the response messages within one minute, the signaling connection will be torn down. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-17 OL-6392-01...
Page 266: Skinny Inspection Engine
NAT for the Cisco CallManager IP address, and you configure the TFTP server to serve a file with the local untranslated address of the Cisco CallManager, then the Cisco IP Phones cannot contact the Cisco CallManager. We recommend that you use the Cisco CallManager name instead of the IP address, and rely on the DNS server to provide the correct address.
Page 267: Problems With Fragmented Skinny Packets
The pipeline character (|) is deleted (changed to a blank space) and “<” ‚”>” are only allowed if they are used to define a mail address (“>” must be preceded by “<”). Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-19 OL-6392-01...
Page 268: Sql*net Inspection Engine
SQL*Net Version 1 is assumed for all other cases. TNSFrame types (Connect, Accept, Refuse, Resend, Marker, Redirect, and Data) and all packets are scanned for ports and addresses. Addresses are NATed and port connections are opened. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-20 OL-6392-01...
Page 269: Sun Rpc Inspection Engine
The FWSM permits all UDP connections from a TFTP server back to a client source port if there is an existing TFTP connection between the server and client. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-21...
Page 270: Xdmcp Inspection Engine
When XDMCP is used, the display is negotiated using IP addresses, which the FWSM can NAT if needed. The XDCMP inspection engine does not support PAT. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 13-22...
Page 271: Filtering Overview
For FTP, the FWSM allows the successful FTP return code to reach the user unchanged. For • example, a successful return code is “250: CWD command successful.” Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 14-1 OL-6392-01...
Page 272: Configuring General Filtering Parameters
[timeout seconds ] [protocol tcp [version {1 | 4}] | udp] See the following options: (if_name)—The interface through which the FWSM communicates with the server. – ip_address—The Websense server IP address. – Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 14-2 OL-6392-01...
Page 273: Buffering Replies
FWSM/contexta(config)# url-block block block-buffer-limit The block-buffer-limit sets the amount of memory assigned to the buffer from 0 to 128 blocks. Each block is 1550 bytes. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 14-3 OL-6392-01...
Page 274: Setting The Maximum Length Of Long Http Urls
Caches the source and destination server address, so access is only cached for a given user • at the source address. kbytes—The cache size between 1 and 128 KB. • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 14-4 OL-6392-01...
Page 275: Filtering Http Urls
FWSM/contexta(config)# filter url http 10.1.1.0 255.255.255.0 0 0 longurl-truncate cgi-truncate To filter users only on the 10.1.2.0 network, enter the following commands: FWSM/contexta(config)# filter url http 10.1.2.0 255.255.255.0 0 0 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 14-5 OL-6392-01...
Page 276: Filtering Https Urls
This section describes how to monitor filtering statistics, and includes the following topics: Viewing Filtering Server Statistics, page 14-7 • Viewing Caching Statistics, page 14-7 • Viewing Filtering Performance Statistics, page 14-8 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 14-6 OL-6392-01...
Page 277: Viewing Filtering Server Statistics
The following sample display shows how the cache is used: FWSM/contexta# show url-cache stats URL Filter Cache Stats ---------------------- Size : 128KB Entries : 1724 In Use : Lookups : Hits : Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 14-7 OL-6392-01...
Page 278: Viewing Filtering Performance Statistics
Xlates Connections TCP Conns UDP Conns URL Access URL Server Req TCP Fixup TCPIntercept HTTP Fixup FTP Fixup AAA Authen AAA Author AAA Account Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 14-8 OL-6392-01...
Page 279: Using Failover
• Primary/Secondary Status and Active/Standby Status, page 15-10 • Configuration Replication, page 15-10 • Failover Triggers, page 15-12 • Failover Actions, page 15-12 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-1 OL-6392-01...
Page 280: Failover Overview
After a failover occurs, the same connection information is available at the new active module. Supported end-user applications are not required to reconnect to keep the same communication session. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-2 OL-6392-01...
Page 281: Failover And State Links
The IP address and MAC address for the state link do not change at failover. Note Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-3 OL-6392-01...
Page 282: Module Placement
FWSM VLANs. Because this trunk also accommodates FWSM traffic when a module fails, this trunk should be at least as large as the maximum amount of Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-4...
Page 283 VLAN 10 Trunk: Active Standby VLANs 200, 201, VLAN 11 FWSM FWSM 202, 203, 10, 11 VLAN 203 Mktg VLAN 202 Inside VLAN 201 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-5 OL-6392-01...
Page 284 VLAN 10 VLAN 200 Trunk: Standby Active VLANs 200, 201, FWSM FWSM 202, 203, 10, 11 VLAN 203 Mktg VLAN 202 Inside VLAN 201 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-6 OL-6392-01...
Page 285 Figure 15-4 Switch/FWSM Failure Internet VLAN 100 Standby Switch Active Switch VLAN 200 Trunk Standby Active FWSM FWSM VLAN 203 Mktg VLAN 202 Inside VLAN 201 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-7 OL-6392-01...
Page 286 VLAN 10 Trunk: Active Standby VLANs 200, 201, VLAN 11 FWSM FWSM 202, 203, 10, 11 VLAN 203 Mktg VLAN 202 Inside VLAN 201 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-8 OL-6392-01...
Page 287: Transparent Firewall Requirements
“Basic Failover Questions” section on page 15-25. Because the FWSMs bridge packets between the same two VLANs, loops can occur Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-9 OL-6392-01...
Page 288: Primary/secondary Status And Active/standby Status
IP addresses; when a module is standby, it uses the standby IP addresses. Because the configuration is the same on both modules, the host names, usernames, and passwords are Note also the same. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-10 OL-6392-01...
Page 289 Configuration Replication to mate.” During the replication, information cannot be entered on the FWSM terminal. Depending on the size of the configuration, replication can take several minutes. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-11...
Page 290: Disabling Configuration Synchronization
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-12 OL-6392-01...
Page 291: Failover Monitoring
If the FWSM does not receive a response on any interface, then the standby module switches to active mode and classifies the other module as failed. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-13...
Page 292: Interface Monitoring
If a failed module does not recover and you believe it should not be failed, you can reset the state by entering the failover reset command. If the failover condition persists, however, the module will fail again. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-14 OL-6392-01...
Page 293: Configuring Failover
(Stateful failover only) To set the IP address of the state interface, enter the following command: Step 4 primary(config)# failover interface ip state_interface ip_address mask standby ip_address Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-15 OL-6392-01...
Page 294 10, then that interval is used. (Optional) To set the time in seconds between hello messages on monitored interfaces, enter the Step 9 following command: Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-16 OL-6392-01...
Page 295 Step 12 through Step 15 for each context. Step 16 See the “Failover Configuration Example” section on page 15-27 for a typical failover configuration. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-17 OL-6392-01...
Page 296: Configuring The Secondary Module
“End Configuration Replication to mate” appear on the active module console. Step 7 To save the configuration to Flash memory, enter the following command: secondary(config)# copy running-config startup-config Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-18 OL-6392-01...
Page 297: Verifying The Failover Configuration
Interface inside (10.6.8.100): Normal admin Interface outside (70.1.1.3): Normal Stateful Failover Logical Update Statistics Link : Luifc Vlan 151 Stateful Obj xmit xerr rerr Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-19 OL-6392-01...
Page 298 FWSM Last Failover The last time a failover occurred. This host: For each host, the display shows the following information. Other host: Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-20 OL-6392-01...
Page 299 • rerr—Number of errors that occurred while receiving packets from • the other module. General Sum of all stateful objects. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-21 OL-6392-01...
Page 300: Viewing Monitored Interfaces
Force a failover to the standby module by entering the following command: Step 2 primary(config)# no failover active Use FTP to send another file between the same two hosts. Step 3 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-22 OL-6392-01...
Page 301: Forcing Failover
When a failover occurs, both FWSMs send out system messages. This section includes the following topics: Failover System Messages, page 15-24 • SNMP, page 15-24 • Debug Messages, page 15-24 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-23 OL-6392-01...
Page 302: Failover System Messages
Debug Messages To see debug messages, enter the debug fover command. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information. Frequently Asked Failover Questions This section contains frequently asked questions about the failover features and includes the following...
Page 303: Basic Failover Questions
Yes, in the following circumstances: Both modules have configurations in Flash memory – – Both modules have failover enabled – The failover link is down at startup Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-25 OL-6392-01...
Page 304: Stateful Failover Questions
Other UDP connections. – Can I share the state link interface with the failover link? • Yes, however, we recommend that you use a separate interface. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-26 OL-6392-01...
Page 305: Failover Configuration Example
209.165.201.1 209.165.201.2 PAT: 209.165.201.5 192.168.253.1 192.168.253.2 Failover VLAN 10 State VLAN 11 192.168.253.5 192.168.253.6 192.168.2.1 192.168.2.2 VLAN 201 Inside Web Server 192.168.2.5 Static: 209.165.201.5 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-27 OL-6392-01...
Page 306: System Configuration
Example 15-2 Failover Configuration: Secondary Unit failover lan interface faillink vlan 10 failover lan unit secondary failover interface ip faillink 192.168.253.1 255.255.255.252 standby 192.168.253.2 failover Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 15-28 OL-6392-01...
Page 307: Chapter 16 Managing Software And Configuration Files
You cannot copy software to the other application partition. You might want to copy to the other partition if you want to keep the old version of software as a backup in the current partition. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 16-1...
Page 308: Installing Application Or Pdm Software To The Current Partition
The image option (default) copies the application software, and the pdm option copies the PDM software. The type can be one of the following keywords: ap—ASCII passive mode – Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 16-2 OL-6392-01...
Page 309: Installing Application Software To Any Application Partition
For Cisco IOS software, enter the following command: Router# hw-module module mod_num reset cf:1 For Catalyst operating system software, enter the following command: • Console> (enable) reset mod_num boot cf:1 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 16-3 OL-6392-01...
Page 310 Router# hw-module module mod_num reset cf:{4 | 5} • For Catalyst operating system software, enter the following command: Console> (enable) reset mod_num boot cf:{4 | 5} Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 16-4 OL-6392-01...
Page 311: Installing Maintenance Software
This section describes how to download and back up configuration files, and includes the following sections: Downloading a Text Configuration, page 16-6 • Backing Up the Configuration, page 16-7 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 16-5 OL-6392-01...
Page 312: Downloading A Text Configuration
To copy the configuration from an FTP server, enter the following command: FWSM# copy ftp://admin:letmein@209.165.200.227/configs/startup.cfg;type=an startup-config To copy the configuration from an HTTP server, enter the following command: FWSM# copy http://209.165.200.228/configs/startup.cfg startup-config Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 16-6 OL-6392-01...
Page 313: Backing Up The Configuration
In single context mode, or from the system configuration in multiple mode, you can copy the startup configuration, running configuration, or a configuration file by name on disk (such as the admin.cfg). Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 16-7...
Page 314: Copying The Configuration From The Terminal Display
To print the configuration to the terminal, enter the following command: FWSM# write terminal Copy the output from this command, and then paste the configuration into a text file. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 16-8 OL-6392-01...
Page 315: Chapter 17 Monitoring And Troubleshooting The Firewall Services Module
Using SNMP, page 17-1 • Using System Messages The FWSM provides extensive system messages. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Messages Guide to configure logging and to view system message descriptions.
Page 316: Snmp Overview
Cisco Syslog MIB The FWSM supports the following trap: clogMessageGenerated • You cannot browse this MIB. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-2 OL-6392-01...
Page 317: Enabling Snmp
FWSM does not send SNMP traps. FWSM/contexta(config)# snmp-server host 192.168.3.2 FWSM/contexta(config)# snmp-server location building 42 FWSM/contexta(config)# snmp-server contact kim lee FWSM/contexta(config)# snmp-server community ohwhatakeyisthee Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-3 OL-6392-01...
Page 318: Troubleshooting The Firewall Services Module
To send the system messages to your Telnet or SSH session, enter the following command: Step 3 FWSM/contexta(config)# terminal monitor To enable system messages, enter the following command: Step 4 FWSM/contexta(config)# logging on Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-4 OL-6392-01...
Page 319: Pinging Fwsm Interfaces
192.168.2.2 192.168.0.2 192.168.4.2 10.1.0.2 Router Router Router Router 10.1.2.2 10.1.0.2 10.1.4.2 10.1.1.1 Host Host 10.1.2.90 10.1.0.34 10.1.4.67 Host Host 10.1.1.5 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-5 OL-6392-01...
Page 320 17-4). In this case, the debug messages show that the ping was successful, but you see system message 110001 indicating a routing failure. Figure 17-4 Ping Failure Because the FWSM has no Route Ping Host Router FWSM Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-6 OL-6392-01...
Page 321: Pinging Through The Fwsm
Note through the FWSM to other hosts. Figure 17-5 Ping Failure Because the FWSM is not Translating Addresses Ping Host Router FWSM Router Host Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-7 OL-6392-01...
Page 322: Disabling The Test Configuration
In multiple mode, you can only reload from the system execution space. To reload the FWSM from the FWSM CLI, enter the following command: FWSM# reload Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-8 OL-6392-01...
Page 323: Reloading The Fwsm From The Switch
To log into the maintenance partition as root, enter the following command: Login: root Enter the password at the prompt: Step 4 Password: password By default, the password is “cisco.” Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-9 OL-6392-01...
Page 324: Recovering The Maintenance Partition Passwords
FWSM, debug messages can be useful. We recommend contacting technical support to help you debug your FWSM. To enable debug messages, see the debug commands in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
Page 325: Viewing The Crash Dump
You did not enable multiple SVIs. Enable multiple SVIs according to the “Adding Switched Virtual Interfaces to Recommended Action the MSFC” section on page 2-5. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-11 OL-6392-01...
Page 326 Recommended Action Enable this feature according to the “Allowing Communication Between Interfaces on the Same Security Level” section on page 6-8. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-12 OL-6392-01...
Page 327 You did not assign the same VLANs for both units. Possible Cause Recommended Action Make sure to assign the same VLANs to both units in the switch configuration. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-13 OL-6392-01...
Page 328 Chapter 17 Monitoring and Troubleshooting the Firewall Services Module Troubleshooting the Firewall Services Module Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 17-14 OL-6392-01...
Page 329: Appendix
Maximum four modules per switch. If you are using failover, you can still only have four modules per switch even if two of them are in standby mode. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 330: Feature Limits
You can share outside interfaces between contexts, and in some circumstances, you can share inside interfaces. Transparent Mode 2 per context Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 331: Managed System Resources
PAT is the translation limit (256,000), not the higher connection limit. To use the connection limit, you need to use NAT, which allows multiple connections using the same translation session. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 332: Fixed System Resources
27: TFTP, Sun RPC over UDP, NetBIOS NameServer, XDMCP, and CUSeeMe. The OraServ and RealAudio inspection engines, which are also enabled by default, do not affect this limit. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 333: Rule Limits
1. For example, if you have 96 contexts evenly distributed among the 12 pools, so there are 8 contexts per pool, each context can use 75 filter rules, if evenly divided. 2. access control entries 3. Internet Control Message Protocol 4. HyperText Transfer Protocol Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 334 Appendix A Specifications Rule Limits Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 335: Appendix
Each customer context belongs to a class that limits its resources (gold, silver, or bronze). Although inside IP addresses can be the same across contexts when the VLANs are unique, keeping them unique is easier to manage. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 336: Example 1: System Configuration
FWSM Version (blank means single mode, “<system>” means you are in multiple mode in the system configuration, and <context> means you are in multiple mode in a context). Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 337: Example 1: Admin Context Configuration
10.1.1.75 255.255.255.255 inside nat (inside) 1 10.1.1.0 255.255.255.0 global (outside) 1 209.165.201.10-209.165.201.29 [ This context uses dynamic NAT for inside users that access the outside ] Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 338: Example 1: Customer A Context Configuration
10.1.4.1 255.255.255.0 ip address dmz 192.168.2.1 255.255.255.0 route outside 0 0 209.165.201.1 1 url-server (dmz) vendor websense host 192.168.2.2 url-block block 50 url-cache dst 128 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 339: Example 1: Switch Configuration
Because the FWSM does not advertise routes with RIP, the MSFC needs to use static routes for FWSM traffic (See Figure B-2.) The Department networks are allowed to access the Internet, and use PAT. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 340: Example 2: Fwsm Configuration
10.1.1.1 255.255.255.0 ip address dmz 192.168.2.1 255.255.255.0 route outside 0 0 209.165.201.1 1 nat (dept1) 1 10.1.1.0 255.255.255.0 nat (dept2) 1 10.1.2.0 255.255.255.0 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 341: Example 2: Switch Configuration
Catalyst OS on the supervisor: set vlan 3-5,9,10 firewall-vlan 8 Cisco IOS software on the MSFC: interface vlan 3 ip address 209.165.201.1 255.255.255.224 no shut Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 342: Example 3: Shared Resources For Multiple Contexts
Example 3: Department 1 Context Configuration, page B-10 • Example 3: Department 2 Context Configuration, page B-11 • Example 3: Switch Configuration, page B-11 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 343: Example 3: System Configuration
Note that the translated addresses are used. ] Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 344: Example 3: Department 1 Context Configuration
ACL must authenticate with the AAA server ] logging trap 4 logging host shared 10.1.1.8 [ System messages are sent to the syslog server on the Shared network ] logging on Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-10 OL-6392-01...
Page 345: Example 3: Department 2 Context Configuration
The secondary FWSM is also in routed, multiple context mode, and has the same software version. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-11...
Page 346: Example 4: Primary Fwsm Configuration
The mode and the activation key are not stored in the configuration file, even though they do endure reboots. If you view Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-12...
Page 347 (outside) 1 209.165.201.11 netmask 255.255.255.224 [ This context uses dynamic PAT for inside users that access the outside ] route outside 0 0 209.165.201.5 1 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-13 OL-6392-01...
Page 348: Example 4: Secondary Fwsm System Configuration
Example 4: Switch Configuration The following lines in the Cisco IOS switch configuration on both switches relate to the FWSM. For information about configuring redundancy for the switch, see the switch documentation. firewall module 1 vlan-group 1...
Page 349: Transparent Mode Examples
VLAN 7 10.1.1.3 10.1.2.3 10.1.3.3 10.1.4.3 Management host 10.1.1.75 192.168.1.1 192.168.2.1 192.168.3.1 192.168.4.1 Admin customerA customerB customerC Network 2 Network 2 Network 2 Network 2 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-15 OL-6392-01...
Page 350: Example 5: System Configuration
5% limit-resource rate conns 1000 limit-resource conns 10000 class bronze limit-resource all 3% limit-resource rate conns 500 limit-resource conns 5000 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-16 OL-6392-01...
Page 351: Example 5: Admin Context Configuration
INTERNET in interface inside [ Allows all inside hosts to access the outside for any IP traffic. Also allows OSPF. ] access-group OSPF in interface outside [ Allows OSPF. ] Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-17 OL-6392-01...
Page 352: Example 5: Customer C Context Configuration
B-4). Each context (A, B, and C) monitors the inside interface and outside interface. The secondary FWSM is also in transparent, multiple context mode, and has the same software version. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-18 OL-6392-01...
Page 353: Example 6: Primary Fwsm Configuration
The mode and the activation key are not stored in the configuration file, even though they do endure reboots. If you view Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-19...
Page 354 10.0.2.1 255.255.255.0 standby 10.0.2.2 monitor-interface inside monitor-interface outside route outside 0 0 10.0.2.4 1 telnet 10.0.2.14 255.255.255.255 inside access-list INTERNET extended permit ip any any Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-20 OL-6392-01...
Page 355: Example 6: Secondary Fwsm System Configuration
Example 6: Switch Configuration The following lines in the Cisco IOS switch configuration on both switches relate to the FWSM. For information about configuring redundancy for the switch, see the switch documentation. firewall multiple-vlan-interfaces firewall module 1 vlan-group 1...
Page 356 200 timers 5 15 standby 200 authentication Secret no shut interface range gigabitethernet 2/1-3 channel-group 2 mode on switchport trunk encapsulation dot1q no shut Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide B-22 OL-6392-01...
Page 357: Appendix
The CLI uses similar syntax and other conventions to the Cisco IOS CLI, but the FWSM operating Note system is not a version of Cisco IOS software. Do not assume that a Cisco IOS CLI command works or has the same function with the FWSM.
Page 358: Syntax Formatting
In addition, you can con te enter to represent 0.0.0.0 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 359: Command Line Editing
Replace regexp with any Cisco IOS regular expression. The regular expression is not enclosed in quotes or double-quotes, so be careful with trailing white spaces, which will be taken as part of the regular expression.
Page 360: Command Output Paging
Passwords, page C-6 • Multiple Security Context Files, page C-6 • To download the file, see the “Downloading a Text Configuration” section on page 16-6. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 361: Line Order
How Commands Correspond with Lines in the Text File The text configuration file includes lines that correspond with the commands described in this guide and in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
Page 362: Passwords
In addition, you can enter any command by itself on the command line and then press Enter to view the command syntax. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 363: Appendix
Because Class A addresses have 16,777,214 host addresses, and Class B addresses 65,534 hosts, you can use subnet masking to break these huge networks into smaller subnets. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 364: Subnet Masks
You can also supernet multiple Class C networks into a larger network by using part of the third octet for the extended network prefix. For example, 192.168.0.0/20. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 365: Determining The Subnet Mask
The following sections describe how to determine the network address to use with a subnet mask for a Class C-size and a Class B-size network: • Class C-Size Network Address, page D-4 • Class B-Size Network Address, page D-4 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 366 10.1.240.0 to 10.1.255.255 1. The first and last address of a subnet are reserved. In the first subnet example, you cannot use 10.1.0.0 or 10.1.15.255. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 367: Protocols And Applications
The FWSM does not pass multicast packets. Many routing protocols use multicast packets for data Note transfer. If you need to send routing protocols across the FWSM, configure the routers with the Cisco IOS software neighbor command. We consider it inherently dangerous to send routing protocols across the FWSM.
Page 368: Tcp And Udp Ports
DNSIX Session Management Module Audit Redirector echo TCP, UDP Echo exec Remote process execution finger Finger File Transfer Protocol (control port) ftp-data File Transfer Protocol (data port) Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 369 Post Office Protocol - Version 3 pptp 1723 Point-to-Point Tunneling Protocol radius 1645 Remote Authentication Dial-In User Service radius-acct 1646 Remote Authentication Dial-In User Service (accounting) Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 370 RFC 854 Telnet tftp Trivial File Transfer Protocol time Time uucp UNIX-to-UNIX Copy Program whois Who Is World Wide Web xdmcp X Display Manager Control Protocol Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 371: Icmp Types
Table D-4 ICMP Types ICMP Number ICMP Name echo-reply unreachable source-quench redirect alternate-address echo router-advertisement router-solicitation time-exceeded parameter-problem timestamp-request timestamp-reply information-request information-reply mask-request mask-reply conversion-error mobile-redirect Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 372 Appendix D Addresses, Protocols, and Ports Reference ICMP Types Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide D-10 OL-6392-01...
Page 373: Acronyms And Abbreviations
Bootstrap Protocol—Lets diskless workstations boot over the network and is described in RFC 951 and RFC 1542. BPDU bridge protocol data unit. Berkeley Standard Distribution. certification authority. Cisco Discovery Protocol. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 374 A collection of protocols that allow the transmission of voice data over TCP/IP networks. HTTP HyperText Transfer Protocol—The service that handles access to the World Wide Web. HTTPS HTTP over SSL. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 375 Telnet sessions to the console. MGCP Media Gateway Control Protocol. Management Information Base—Used with SNMP. MPLS Multiprotocol Label Switching. MSFC Multilayer Switch Feature Card. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 376 Routing Information Protocol. Remote Procedure Call. Rivest, Shamir, and Adelman. RSA is the trade name for RSA Data Security, Inc. Remote Shell—as in Remote Shell protocol. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 377 Triple Data Encryption Standard. Also known as 3DES. uauth User authentication. User Datagram Protocol. Universal Resource Locator. UUIE user-user information element. VLAN virtual LAN. VoIP Voice over IP. Virtual Private Network. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 378 Acronyms and Abbreviations (continued) Abbreviation Description wide-area network. WINS Windows Internet Naming Service. World Wide Web. XDMCP X Display Manager Control Protocol. xlate Translation session. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Page 379 10-25 access control lists standard 10-17 See ACLs acronyms accounting activation key 12-27 5-10 ACEs Active Directory 13-11 expanded active state, failover 10-7 15-2 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-1 OL-6392-01...
Page 380 12-23 Cisco IOS versions overview 12-2 Cisco IP/TV 13-15 Cisco IP Phones inspection engine 13-18 with DHCP 8-20 backing up configuration Cisco PDM 16-5 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-2 OL-6392-01...
Page 381: Command Prompts C
16-5 transparent firewall 10-3 examples DMZ, definition failover 15-10 minimum xxiii inspection engine 13-6 saving NAT effect on 9-13 switch protection from attacks Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-3 OL-6392-01...
Page 382 10-17 standby state 15-2 examples stateful failover extended ACL 10-13 overview 15-2 state information 15-3 state link 15-3 statistics 15-21 failover switch configuration 2-11 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-4 OL-6392-01...
Page 383 2-13 management connection 11-4 size maximum connections Flood Defender RSA key 11-4 Flood Guard Frag Guard fragment size ICMP authentication 12-21 10-15 filtering 14-6 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-5 OL-6392-01...
Page 384 11-5 client 13-16 11-7 Skinny management access 13-18 11-5 SMTP 13-19 transforms 11-6 SQL*Net IP spoofing, protection from 13-20 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-6 OL-6392-01...
Page 385 Flash login command 12-9 login password rules 10-7 changing message-of-the-day banner default MGCP inspection engine 13-12 MIBs 17-2 Microsoft Exchange 13-19 minimum configuration xxiii Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-7 OL-6392-01...
Page 386 NetMeeting 13-11 9-13 Network Activity test 15-14 dynamic NAT Network Address Translation configuring 9-23 See NAT implementation 9-17 network processors overview embryonic limit 9-24 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-8 OL-6392-01...
Page 387 NSSA 8-12 changing overview default packet pacing 8-16 maintenance partition processes changing redistributing routes default route calculation timers 8-15 troubleshooting 17-9 route map Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-9 OL-6392-01...
Page 388 12-8 from the module 17-8 prompt from the switch 2-13 privilege levels, for commands 12-11 resource management prompts Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-10 OL-6392-01...
Page 389 PIX comparison same security same security level communication setting embryonic connections 6-10 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-11 OL-6392-01...
Page 390 Sun RPC, inspection engine 16-2 13-21 maintenance supervisor engine versions 16-5 source quench, ICMP message supervisor IOS SPAN session SVIs specifications configuring Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-12 OL-6392-01...
Page 391: Syntax Formatting C
TCP intercept 5-29 maximum connections 6-11 overview mode, setting 4-16 security level requirements multicast traffic TCP ports and literal values 4-11 TCP sequence number randomization Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-13 OL-6392-01...
Page 392 See security contexts Virtual Re-assembly VLANs adding to switch allocating to a context 5-20 assigning to FWSM assigning to switch ports failover interface 15-3 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide IN-14 OL-6392-01...

This manual is also suitable for:

7600 series