Scalable, intelligent LAN switching for campus, branch, and data center networks of all sizes (59 pages)
Summary of Contents for Cisco Catalyst 6500 Series
Page 1
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Release 2.3 Corporate Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 Text Part Number: OL-6392-01...
Page 2
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCSP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco...
Page 3
VLAN Interfaces How the Firewall Services Module Works with the Switch Using the MSFC 1-10 Routed Firewall and Transparent Firewall Modes 1-11 Security Contexts 1-12 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-6392-01...
Firewall Mode Overview
Routed Mode Overview
IP Routing Support
Network Address Translation
How Data Moves Through the FWSM in Routed Firewall Mode
Transparent Mode Overview
Page 5
Changing the Security Context URL 5-23
Reloading a Security Context 5-24
Reloading by Clearing the Configuration 5-24
Reloading by Removing and Re-adding the Context 5-24
Monitoring Security Contexts 5-24
Page 6
Assigning IP Addresses to Interfaces for a Routed Firewall
Setting the Management IP Address for a Transparent Firewall
Configuring the Default Route
Configuring Static Routes
Page 7
Outside NAT 9-10
NAT and Same Security Level Interfaces 9-11
Order of NAT Commands Used to Match Local Addresses 9-12
Maximum Number of NAT Statements 9-12
Page 8
Access Control List Override 10-13
Adding an Extended Access Control List 10-13
Adding an EtherType Access Control List 10-16
Adding a Standard Access Control List 10-17
Page 9
12-1
AAA Performance 12-2
About Authentication 12-2
About Authorization 12-2
About Accounting 12-3
AAA Server and Local Database Support 12-4
Configuring the Local Database 12-6
Page 10
13-2
Inspection Support 13-2
Configuring an Inspection Engine 13-4
Detailed Information About Inspection Engines 13-5
CUSeeMe Inspection Engine 13-5
DNS over UDP Inspection Engine 13-6
Page 11
Configuring General Filtering Parameters 14-2
Identifying the Filtering Server 14-2
Buffering Replies 14-3
Setting the Maximum Length of Long HTTP URLs 14-4
Caching URL Servers 14-4
Page 12
15-19
Viewing Monitored Interfaces 15-22
Testing the Failover Functionality 15-22
Forcing Failover 15-23
Disabling Failover 15-23
Monitoring Failover 15-23
Failover System Messages 15-24
SNMP 15-24
Page 13
17-9
Clearing the Application Partition Passwords and AAA Settings 17-9
Recovering the Maintenance Partition Passwords 17-10
Other Troubleshooting Tools 17-10
Viewing Debug Messages 17-10
Page 14
Example 5: System Configuration B-16
Example 5: Admin Context Configuration B-17
Example 5: Customer A Context Configuration B-17
Example 5: Customer B Context Configuration B-17
Page 15
Private Networks
Subnet Masks
Determining the Subnet Mask
Determining the Address to Use with the Subnet Mask
Protocols and Applications
TCP and UDP Ports
ICMP Types
Page 16
Contents
Acronyms and Abbreviations (Appendix)
Index
This guide is for network managers who perform any of the following tasks:
• Managing network security
• Installing and configuring firewalls
• Managing default and static routes, and TCP and UDP services
Messages Guide
• Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Installation Note
• Release Notes for the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module
Document Organization
This guide includes the following chapters and appendixes:
•...
• Chapter 17, “Monitoring and Troubleshooting the Firewall Services Module,” tells how to monitor and troubleshoot the FWSM. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Messages Guide for detailed information about system logging.
•...
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL: http://tools.cisco.com/RPF/register/register.do...
Page 21
Cisco TAC engineer. The TAC Service Request Tool is located at this URL: http://www.cisco.com/techsupport/servicerequest For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
• Cisco Marketplace, the company store, at this URL: http://www.cisco.com/go/marketplace/
• The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL: http://cisco.com/univercd/cc/td/doc/pcat/
Cisco Press publishes a wide range of general networking, training and certification titles.
Page 23
Assign an IP address to each interface. (page 8-2)
Step 9 Configuring the Default Route, page 8-2: Create a default route to an upstream router.
Page 24
Adding an Extended Access Control List, page 10-13: Before any traffic can go through the FWSM, you must create an ACL that permits traffic, and then apply it to an interface.
Page 25
Adding an Extended Access Control List, page 10-13: Before any traffic can go through the FWSM, you must create an ACL that permits traffic, and then apply it to an interface.
Page 26
Quick Start Steps: Transparent Firewall Configuration Steps
Page 27
The Firewall Services Module (FWSM) is a high-performance, space-saving, stateful firewall module that installs in the Catalyst 6500 series switches and the Cisco 7600 series routers. Firewalls protect inside networks from unauthorized access by users on an outside network. The firewall can also protect inside networks from each other, for example, by keeping a human resources network separate from a user network.
Page 28
1. The FWSM does not support the supervisor 1 or 1A.
2. Supports multiple switched VLAN interfaces (SVIs) between the MSFC and FWSM. An SVI is a VLAN interface that is routed on the MSFC.
Page 29
Other releases that do not support BPDU forwarding only support transparent mode without failover.
4. When you use Catalyst OS on the supervisor, you can use any of the supported Cisco IOS releases above on the MSFC. (When you use Cisco IOS software on the supervisor, you use the same release on the MSFC.) The supervisor software determines...
Page 30
2. Open Shortest Path First
3. Routing Information Protocol
4. access control lists
5. Dynamic Host Configuration Protocol
6. Firewall Management Center
7. command-line interface
Page 31
For UDP, which does not have sessions, the FWSM creates UDP connection state information so that it can also use the fast path.
– ICMP control packets
– Data packets for protocols that require Layer 7 inspection
Page 32
(or bastion host) system. Mail Guard enforces a safe minimal set of SMTP commands to prevent an SMTP server from being compromised. Enable this feature using the fixup protocol smtp 25 command.
Page 33
IP packets that lack a verifiable IP source address. Enable this feature using the ip verify reverse-path command.
1. Domain Name System
2. denial of service
3. Simple Mail Transfer Protocol
4. synchronization
By default, no traffic can pass through the firewall. By applying ACLs to interfaces, you can determine which IP addresses and traffic types can pass through the interfaces to access other networks.
Note: By default, the Cisco PIX firewall allows traffic to flow freely from an inside network (higher security level) to an outside network (lower security level).
Page 35
How the Firewall Services Module Works with the Switch
You can install the FWSM in the Catalyst 6500 series switches and the Cisco 7600 series routers. The configuration of both series is identical, except for the following variations: The Catalyst 6500 series switches support two software modes:
•...
Page 37
ACLs to allow traffic through. Transparent mode can also optionally use EtherType ACLs to allow non-IP traffic. Transparent mode only supports two interfaces, an inside interface and an outside interface.
Page 38
You can run all your contexts in routed mode or transparent mode; you cannot run some contexts in one mode and others in another.
Note: Multiple context mode supports static routing only.
See Chapter 5, “Managing Security Contexts,” for more information.
• Managing the Firewall Services Module Boot Partitions, page 2-12
Switch Overview
You can install the FWSM in the Catalyst 6500 series switches or the Cisco 7600 series routers. The configuration of both series is identical, and the series are referred to generically in this guide as the “switch.”...
See the following topics:
• Prerequisites, page 2-3
• Assigning VLANs in Cisco IOS Software, page 2-3
• Assigning VLANs in Catalyst Operating System Software, page 2-5
Assigning VLANs in Cisco IOS Software In Cisco IOS software, create one or more firewall VLAN groups, and then assign the groups to the FWSM. For example, you can assign all the VLANs to one group, or you can create an inside group and an outside group, or you can create a group for each customer.
Page 42
50 55-57
51 70-85
52 100
To view VLAN group numbers for all modules, enter the following command:
Router# show firewall module
Module Vlan-groups
50,52
51,52
• Configuring SVIs for Cisco IOS Software on the Supervisor Engine, page 2-8
• Configuring SVIs for Catalyst Operating System Software on the Supervisor Engine, page 2-9
FWSM by assigning both the inside and outside VLANs to the MSFC. (See Figure 2-1.)
[Figure 2-1 Multiple SVI Misconfiguration: Internet, Switch, VLAN 100, MSFC, VLAN 200, FWSM, VLAN 201, Inside]
Page 45
ACL that allows only IPX traffic to pass on VLAN 201.
[Figure 2-2 Multiple SVIs for IPX: Internet, Switch, VLAN 100, MSFC, VLAN 200, FWSM, VLAN 201, Inside, IPX Host, IP Host]
Configuring SVIs for Cisco IOS Software on the Supervisor Engine
If you are running Cisco IOS software on the supervisor engine, follow these steps to add an SVI to the MSFC:
(Optional) To allow you to add more than one SVI to the FWSM, enter the following command:...
Step 1 (Optional) To allow you to add more than one SVI to the FWSM, enter the following command:
Console> (enable) set firewall multiple-vlan-interfaces enable
To disable this setting, enter the following command:
Console> (enable) set firewall multiple-vlan-interfaces disable
Page 48
  255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type:ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:08, output hang never
• Assigning VLANs to the Secondary Firewall Services Module, page 2-12
• Adding a Trunk Between a Primary Switch and Secondary Switch, page 2-12
• Ensuring Compatibility with Transparent Firewall Mode, page 2-12
• Flash Memory Overview, page 2-13
• Setting the Default Boot Partition, page 2-13
• Resetting the FWSM or Booting from a Specific Partition, page 2-13
The reset process might take several minutes. For Cisco IOS software, when you reset the FWSM, you can also choose to run a full memory test. When the FWSM initially boots, it only runs a partial memory test. A full memory test takes approximately six minutes.
1 (maintenance), 4 (application), or 5 (application). If you do not specify the partition, the default partition is used (typically cf:4).
Note: For multiple context mode, see the “Logging into the FWSM in Multiple Context Mode” section on page 5-9 for more information about logging into security contexts.
Page 54
(privileged mode, configuration mode, etc.).
Step 5 To access configuration mode, enter the following command:
FWSM# configure terminal
The prompt changes to the following:
FWSM(config)#
• To view the running configuration, enter the following command:
FWSM# show running-config
• To view the startup configuration, enter the following command:
FWSM# show startup-config
In most cases, commands described in this guide are preceded by a CLI prompt. The prompt in the following example is “FWSM(config)#”:
FWSM(config)# class gold
Page 57
In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows:
class gold
See the “Text Configuration Files” section on page C-4 for more information about formatting the file.
Page 58
Chapter 3, Connecting to the Firewall Services Module and Managing the Configuration: Managing the Configuration at the CLI
• IP Routing Support, page 4-2
• Network Address Translation, page 4-2
• How Data Moves Through the FWSM in Routed Firewall Mode, page 4-3
The FWSM receives the packet, and because it is a new session, the FWSM verifies that the packet is allowed according to the terms of the security policy (ACLs, filters, AAA).
Page 62
For multiple context mode, the FWSM first classifies the packet according to either a unique VLAN or a unique destination address. In this case, the VLAN would be unique; the www.cisco.com IP address is not located uniquely within a context and is not a unique destination address.
Page 63
DMZ website.
[Figure 4-4 Inside to DMZ: Outside; Switch; 209.165.201.2; FWSM; 10.1.2.1; 10.1.1.1; Inside User; Web Server; 10.1.2.27; 10.1.1.3; Source Addr Translation 10.1.2.27 to 10.1.1.15]
Page 64
The FWSM forwards the packet to the inside user.
An Outside User Attempts to Access an Inside Host
Figure 4-5 shows an outside user attempting to access the inside network.
Page 65
If the outside user is attempting to attack the inside network, the FWSM employs many technologies to determine if a packet is valid for an already established session. See the “Other Protection Features” section on page 1-6 for more information.
• Using the Transparent Firewall in Your Network, page 4-10
• Transparent Firewall Guidelines, page 4-11
• How Data Moves Through the Transparent Firewall, page 4-12
FWSM can reach that subnet. See the “Configuring Static Routes” section on page 8-3 for more information.
• You must use an extended ACL to allow Layer 3 traffic, such as IP traffic, through the FWSM.
• You can also optionally use an EtherType ACL to allow non-IP traffic through.
• An Outside User Visits a Website on the Inside Network, page 4-14
• An Outside User Attempts to Access an Inside Host, page 4-15
Page 71
The FWSM forwards the packet to the inside user.
Page 72
VLAN on the inside and outside, so the IP address would not be considered. The FWSM records that a session is established.
Page 73
See the “Other Protection Features” section on page 1-6 for more information.
• To set the mode to routed, enter the following command in the system execution space:
FWSM(config)# no firewall transparent
Typically, the admin context provides network access to network-wide resources, such as a syslog server or context configuration server.
Each packet that enters the FWSM must be classified, so that the FWSM can determine to which context to send a packet. The classifier checks for the following characteristics:
• Source interface (VLAN)
• Destination address
Page 77
[Figure: Context A, Context B, Context C, Admin Context; VLAN 201, VLAN 202, VLAN 203, VLAN 204; Inside Customer A, Inside Customer B, Inside Customer C, Admin Network]
Page 78
[Figure: Context B, Context C, Admin Context, Classifier; VLAN 201, VLAN 202, VLAN 203, VLAN 204; Inside Customer A, Inside Customer B, Inside Customer C, Admin Network]
This section includes the following topics:
• Sharing Resources, page 5-6
• Shared Interface Limitations, page 5-7
[Figure: VLAN 202, VLAN 203, VLAN 204; Inside Customer A, Inside Customer B, Inside Customer C; Admin Network; VLAN 300 Shared Network with Syslog Server and AAA Server]
VLAN, the classifier cannot use the VLAN to classify traffic). However, the FWSM classifier only “knows” about context addresses from already existing NAT translations (returning traffic) and from static NAT translations.
Page 82
NAT statements for classification purposes. For example, if you send a packet from a host on an inside shared VLAN to www.cisco.com, the FWSM does not know to which context to send the packet unless you statically translate the www.cisco.com IP address in one of the contexts.
The system execution space does not support any AAA commands, but you can configure its own login and enable passwords, as well as usernames in the local database to provide individual logins.
Your FWSM might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. To view the mode, enter show mode.
[Figure (chart): Total Number of System Connections = 999,900; Max. 20% (199,800) = Maximum connections allowed; labels: Connections in use, Connections denied because system limit was reached; axis ticks 159,984, 119,988, 79,992, 39,996; x-axis: Contexts in Class]
FWSM(config)# class name
The name is a string up to 20 characters long. To set the limits for the default class, enter default for the name.
Page 89
10,000 per second (rate) | Application inspection.
hosts | concurrent | 256 K | Hosts that can connect through the FWSM.
ipsec | concurrent | 1 minimum, 5 maximum | 10 | IPSec sessions
Page 90
To add a class called silver with all resources set to 3 percent, except for syslogs, with a setting of 500 per second, enter the following commands:
FWSM(config)# class silver
FWSM(config-class)# limit-resource all 3%
FWSM(config-class)# limit-resource rate syslogs 500
If you are using a failover configuration, you must use these recommended command sequences:
On the active module, use this sequence:
resource acl-partition X
write mem
reload
On the redundant module, use this sequence:
reload
“count” or “detail.” “system” is a reserved name, and cannot be used.
Page 94
To identify the URL from which the system downloads the context configuration, enter the following command:
FWSM(config-context)# config-url url
When you add a context URL, the system immediately loads the context so that it is running.
For example, you cannot view all running configurations (system plus all contexts) by entering the show running-config command. Only the current configuration displays.
Step 4 To enter the new URL, enter the following command:
FWSM(config)# config-url new_url
The system immediately loads the context so that it is running.
“Configuring a Security Context” section on page 5-19
Monitoring Security Contexts
This section describes how to view and monitor context information, and includes the following topics:
Context "contexta", is active
  Config URL: disk:/contexta.cfg
  Interfaces: vlan10,100-101
  Class: default, Flags: 0x00000055, ID: 2
The “Flags” and “ID” fields are for internal use only.
FWSM converts the percentage to an absolute number for this display.
% of Avail: The percentage of the total system resources that is allocated across all contexts.
Page 101
5.00% silver
10.00% bronze
All Contexts: 20.00%
Xlates default unlimited
gold unlimited
silver 23040 23040 10.00%
bronze 11520
All Contexts: 23040 10.00%
Enter the top n keyword to show the contexts that are the top n users of the specified resource. You must specify a single resource type, and not resource all, with this option.
TCP intercept for the entire system using the show resource usage summary detail command.
Page 105
116448(S) 0 Summary
console-access-rul 4356(S) 0 Summary
fixup-rules 8032(S) 0 Summary
S = System: Total exceeds the system limit; the system limit is shown
Page 106
Chapter 5, Managing Security Contexts: Monitoring Security Contexts
• Changing the Maintenance Partition Passwords, page 6-2
Note: In multiple context mode, every context and the system execution space has its own login policies and passwords.
The default password is “cisco.”
• guest—Lets you configure the network partition parameters and show crash dump information. The default password is “cisco.”
This example shows how to set the password for the root account:
root@localhost# passwd
Changing password for user root
New password: *sh1p
Retype new password: *sh1p
passwd: all authentication tokens updated successfully
For a context, this name is used for RSA key generation. If you do not set a host name within a context, the context name is used for the host name in the key. You can view a context host name using the show hostname command.
For example, to add a message-of-the-day banner, enter:
FWSM/contexta(config)# banner motd Welcome to the $(hostname) firewall.
FWSM/contexta(config)# banner motd Contact me at admin@admin.com for any
FWSM/contexta(config)# banner motd issues.
“Other Protection Features” section on page 1-6 for more information about TCP intercept. This feature is configured using the emb_limit option in the nat and static commands.
NAT for these interfaces. Similarly, inspection engines are applied to both interfaces, as is filtering.
Note: By default, the Cisco PIX firewall allows traffic to flow freely from an inside network (higher security level) to an outside network (lower security level). However, the FWSM does not allow any traffic to pass between interfaces unless you explicitly permit it with an access control list (ACL).
TCP intercept, and connection limits. If you enable same security interface communication, you can still configure interfaces at different security levels as usual.
Page 115
[Figure: Communication Between Hosts on the Same Interface. Elements: Host; IP cloud-2; Vlan60; 10.6.37.0; MSFC; Vlan70; Vlan10; IP cloud-1; IP cloud-3; 10.6.36.0; 10.6.35.0; Host; Host; SVI, Vlan20; 10.6.34.0; FWSM]
NAT, including NAT exemption. See the "Bypassing NAT" section on page 9-29 for more information. (For transparent mode, the FWSM supports only the following method.)
For example, to set options for the host 10.1.1.1, enter the following command:

FWSM/contexta(config)# static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255 norandomseq tcp 1000 200 udp 1000
Chapter 6, Configuring Basic Settings: Configuring Connection Limits for Non-NAT Configurations
• Packets for remote devices: the FWSM generates a ping to the destination IP address so that the FWSM can learn which interface receives the ping reply. The original packet is dropped.

MAC address table. You can disable MAC address learning if desired. To disable MAC address learning, enter the following command:

FWSM/contexta(config)# mac-learn interface_name disable

The no form of this command reenables MAC address learning.

ARP spoofing can enable a "man-in-the-middle" attack. For example, a host sends an ARP request to the gateway router; the gateway router responds with the gateway router MAC address.

For example, to enable ARP inspection on the outside interface, and to drop all non-matching ARP packets, enter the following command:

FWSM/contexta(config)# arp-inspection outside enable no-flood
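The following Python model is an added illustration of the decision ARP inspection makes for each ARP packet; it is not code from the guide or from the FWSM. It assumes a static ARP table populated by an arp interface ip mac command (not shown on this page), the per-interface enable with flood or no-flood from the command above, and constructed ARP packets: a packet whose sender IP is in the static table is forwarded only if both the MAC address and the ingress interface agree with the entry, and a packet for an unknown IP is flooded or dropped according to the interface setting.

```python
"""Model of transparent-mode ARP inspection: each ARP packet's sender
IP/MAC pair and ingress interface are checked against the static ARP
table; unknown addresses are flooded or dropped depending on the
per-interface setting.  Added example with constructed packets."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    interface: str      # FWSM interface the ARP packet arrived on
    sender_ip: str      # protocol address the sender claims
    sender_mac: str     # hardware address the sender claims


class ArpInspector:
    def __init__(self):
        self.static = {}    # sender IP -> (interface, mac), from static arp entries
        self.mode = {}      # interface -> "flood" | "no-flood" when inspection is on

    def arp(self, interface, ip, mac):
        """Static entry; assumed to mirror 'arp <interface> <ip> <mac>'."""
        self.static[ip] = (interface, mac.lower())

    def arp_inspection(self, interface, enable=True, flood=True):
        """Mirrors 'arp-inspection <interface> enable [flood | no-flood]'."""
        if enable:
            self.mode[interface] = "flood" if flood else "no-flood"
        else:
            self.mode.pop(interface, None)

    def inspect(self, pkt):
        """Return the action taken for one ARP packet."""
        mode = self.mode.get(pkt.interface)
        if mode is None:
            return "forward"            # inspection disabled: bridged as usual
        entry = self.static.get(pkt.sender_ip)
        if entry is None:               # IP unknown to the static table
            return "flood" if mode == "flood" else "drop"
        known_if, known_mac = entry
        if known_if == pkt.interface and known_mac == pkt.sender_mac.lower():
            return "forward"
        return "drop"                   # MAC or interface contradicts the static entry


def gateway_spoof_demo():
    """Gateway 10.1.1.1 lives on outside; an attacker on outside claims its IP."""
    fw = ArpInspector()
    fw.arp("outside", "10.1.1.1", "00:0c:29:aa:bb:cc")
    fw.arp_inspection("outside", flood=False)     # drop anything not in the table
    fw.arp_inspection("inside", flood=True)       # unknown addresses still flooded
    return {
        "legit_gateway": fw.inspect(ArpPacket("outside", "10.1.1.1", "00:0c:29:aa:bb:cc")),
        "spoofed_gateway": fw.inspect(ArpPacket("outside", "10.1.1.1", "de:ad:be:ef:00:01")),
        "gateway_from_inside": fw.inspect(ArpPacket("inside", "10.1.1.1", "00:0c:29:aa:bb:cc")),
        "unknown_host_outside": fw.inspect(ArpPacket("outside", "10.1.1.50", "00:11:22:33:44:55")),
        "unknown_host_inside": fw.inspect(ArpPacket("inside", "10.1.1.60", "00:11:22:33:44:66")),
    }


if __name__ == "__main__":
    for name, action in gateway_spoof_demo().items():
        print(f"{name:22s} -> {action}")
```

The spoofed reply for the gateway address is dropped on the outside interface, and so is the same legitimate MAC address when it appears on the wrong interface; only no-flood protects the addresses that have no static entry, which is why the static table has to cover every host you care about.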
• Assigning IP Addresses to Interfaces for a Routed Firewall, page 8-2
• Setting the Management IP Address for a Transparent Firewall, page 8-2

Traffic that originates on the FWSM might include communications to a syslog server, Websense or N2H2 server, or AAA server. The FWSM supports up to three equal cost routes on the same interface for load balancing.

For example, to send all traffic destined for 10.1.1.0/24 to the router (10.1.2.45) connected to the inside interface, enter the following command:

FWSM/contexta(config)# route inside 10.1.1.0 255.255.255.0 10.1.2.45 1

OSPF uses a link-state algorithm to build and calculate the shortest path to all known destinations. Each router in an OSPF area contains an identical link-state database, which is a list of each of the router's usable interfaces and reachable neighbors.

ID does not have to match the ID on any other device; it is for internal use only. You can use a maximum of two processes.

See the "Adding a Standard Access Control List" section on page 10-17 to add the standard ACL. If you specify more than one ACL, then the route can match any of the ACLs.
(LSAs) with a metric of 5, metric type of Type 1, and a tag equal to 1.

FWSM(config)# route-map 1-to-2 permit
FWSM(config-route-map)# match metric 1
FWSM(config-route-map)# set metric 5
FWSM(config-route-map)# set metric-type type-1
In the following example, the link-state cost is specified as 5, and the metric type is set to external, indicating that it has lower priority than internal metrics.

FWSM(config)# router ospf 1
FWSM(config-router)# redistribute ospf 2 metric 5 metric-type external

• To specify the length of time between the hello packets that the FWSM sends on an OSPF interface, enter the following command:

FWSM(config-interface)# ospf hello-interval seconds

The value must be the same for all nodes on the network.

• To enable authentication for an OSPF area, enter the following command:

FWSM(config-router)# area area-id authentication

• To enable MD5 authentication for an OSPF area, enter the following command:

FWSM(config-router)# area area-id authentication message-digest

Plain-text area authentication sends the key in the clear in every OSPF packet; use message-digest wherever the neighboring routers support it.

Step 2 Enter any of the following commands:

• To define an NSSA area, enter the following command:

FWSM(config-router)# area area-id nssa [no-redistribution] [default-information-originate]

FWSM(config-router)# area area-id range ip-address mask [advertise | not-advertise]

This example shows how to configure route summarization between OSPF areas:

FWSM(config)# router ospf 1
FWSM(config-router)# area 17 range 12.1.0.0 255.255.0.0

Step 2 To force the autonomous system boundary router to generate a default route, enter the following command:

FWSM(config-router)# default-information originate [always] [metric metric-value] [metric-type {1 | 2}] [route-map map-name]

Configure log-adj-changes detail if you want to see messages for each state change.

You can also display information about node reachability and discover the routing path that your device packets are taking through the network.

To restart an OSPF process, clear redistribution, or counters, enter the following command:

FWSM(config)# clear ip ospf pid {process | redistribution | counters [neighbor [neighbor-interface] [neighbor-id]]}

[authentication {text | md5} key key_id]}]

You can enable both types of RIP on an interface by entering the command twice, once for each type.

The address pool must be on the same subnet as the FWSM interface.

Cisco IP Phones might also include DHCP option 3 in their requests, which lists the IP addresses of default routers. Cisco IP Phones might include both option 150 and 66 in a single request. In this case, the FWSM DHCP server provides values for both options in the response if they are configured on the FWSM.

FWSM/contexta(config)# dhcprelay enable interface

Step 3 (Optional) To set the number of seconds allowed for relay address negotiation, enter the following command:

FWSM/contexta(config)# dhcprelay timeout seconds
The following example enables the FWSM to forward DHCP requests from clients connected to the inside interface to a DHCP server on the outside interface:

FWSM/contexta(config)# dhcprelay server 201.168.200.4
FWSM/contexta(config)# dhcprelay enable inside
FWSM/contexta(config)# dhcprelay setroute inside

• Order of NAT Commands Used to Match Local Addresses, page 9-12
• Maximum Number of NAT Statements, page 9-12
• Global Address Guidelines, page 9-12
• DNS and NAT, page 9-13

You can resolve IP routing problems such as overlapping addresses.

Note: See Table 13-1 on page 13-2 for information about protocols that are not supported by NAT.

The global pool can include fewer addresses than the local group. When a local host accesses the destination network, the FWSM assigns it an IP address from the global pool. Because the ...

IP address after the translation times out (see the timeout xlate command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference). Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (even if the connection is allowed by an access control list (ACL)).

This feature lets you identify the same global address across many different static statements, so long as the port is different for each statement (you cannot use the same global address for multiple static NAT statements).
8080 port. Similarly, if you want to provide extra security, you can tell your web users to connect to non-standard port 6785, and then translate them to port 80 on the local network. A non-standard port only hides the server from casual probes; a port scan still finds it, so restrict the permitted sources with an ACL as well.

The classifier only looks at static statements where the global interface matches the source interface of the packet. Because NAT exemption does not identify a global interface, the classifier does not consider those NAT statements for classification purposes.

FWSM/contexta(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
FWSM/contexta(config)# nat (inside) 1 access-list NET1
FWSM/contexta(config)# global (outside) 1 209.165.202.129
FWSM/contexta(config)# nat (inside) 2 access-list NET2
FWSM/contexta(config)# global (outside) 2 209.165.202.130
Figure 9-5 shows a global host connecting to a local host. The local host has a policy ...

Because the inside host is also typically translated using a static NAT statement, both host addresses are translated.

You might want to configure NAT exemption or identity NAT on same security interfaces to set connection limits. (See the "Setting Connection Limits in the NAT Configuration" section on page 9-16.)

For PAT, you can even use the IP address of the global interface.
• Addresses on a unique network.

NAT configuration. You can configure DNS modification when you configure each NAT translation. For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the inside interface. You configure the FWSM to statically translate the ftp.cisco.com local address (10.1.3.14) to a global address (209.165.201.10) that is visible on the outside network (See ...
When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the global address (209.165.201.10). The FWSM refers to the static statement for the inside server and translates the address inside the DNS reply to 10.1.3.14.
DNS server on the outside. The FWSM has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real local address, 209.165.20.10. Because you want inside users to use the translated global address for ftp.cisco.com (10.1.2.56) you need to configure DNS reply ...

Using Dynamic NAT and PAT

This section includes the following topics:
• Dynamic NAT and PAT Implementation, page 9-17
• Configuring NAT or PAT, page 9-23

[Figure: dynamic NAT. NAT 1 translates the inside network 10.1.2.0/24 (host 10.1.2.27 shown) to the global pool beginning at 209.165.201.3.]

See the following commands for this example:

FWSM/contexta(config)# nat (inside) 1 10.1.2.0 255.255.255.0
FWSM/contexta(config)# global (outside) 1 209.165.201.3-209.165.201.10
See the following commands for this example:

FWSM/contexta(config)# nat (inside) 1 10.1.2.0 255.255.255.0
FWSM/contexta(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
FWSM/contexta(config)# global (outside) 1 209.165.201.3-209.165.201.10
See the following commands for this example:

FWSM/contexta(config)# nat (inside) 1 10.1.2.0 255.255.255.0
FWSM/contexta(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
FWSM/contexta(config)# global (outside) 1 209.165.201.3-209.165.201.10
FWSM/contexta(config)# global (dmz) 1 10.1.1.23
See the following commands for this example:

FWSM/contexta(config)# nat (inside) 1 10.1.2.0 255.255.255.0
FWSM/contexta(config)# nat (inside) 2 192.168.1.0 255.255.255.0
FWSM/contexta(config)# global (outside) 1 209.165.201.3-209.165.201.10
FWSM/contexta(config)# global (outside) 2 209.165.201.11
Inside and the Outside interfaces), then you must configure a separate NAT statement without the outside option. In this case, you can identify the same addresses in both statements and use the same ...
FWSM/contexta(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 outside
FWSM/contexta(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
FWSM/contexta(config)# static (inside,dmz) 10.1.2.27 10.1.1.5 netmask 255.255.255.255
FWSM/contexta(config)# global (outside) 1 209.165.201.3-209.165.201.4
FWSM/contexta(config)# global (inside) 1 10.1.2.30-10.1.2.40

10.1.1.0 in one statement, but 10.1.1.1 in another. The traffic is matched to a policy NAT statement in order, until the first match, or for regular NAT, using the best match.
See the "Configuring Identity NAT" section on page 9-29 for more information about identity NAT. See the policy NAT command above for information about other options.
... 255.255.255.255 eq 23
FWSM/contexta(config)# nat (inside) 1 access-list WEB
FWSM/contexta(config)# global (outside) 1 209.165.202.129
FWSM/contexta(config)# nat (inside) 2 access-list TELNET
FWSM/contexta(config)# global (outside) 2 209.165.202.130

{global_ip | interface} local_ip [netmask mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

See the "Configuring NAT or PAT" section on page 9-23 for information about the options.

NAT information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections.
Telnet traffic to the server. You need to create a more exclusive nat statement just for the Telnet server. Because nat statements are read for the best ...

Because NAT exemption does not identify a global interface, the classifier does not consider those NAT statements for classification purposes.

Configure the following static routes so that traffic to the dmz network can be routed correctly by the FWSM:

FWSM/contexta(config)# route dmz 192.168.100.128 255.255.255.128 10.1.1.2 1
FWSM/contexta(config)# route dmz 192.168.100.0 255.255.255.128 10.1.1.2 1

• HTTP port 8080 requests to PAT address 209.165.201.15 are redirected to 10.1.1.7 port 80

To implement this scenario, complete the following steps:
Step 5 Redirect HTTP requests on port 8080 for PAT address 209.165.201.15 to 10.1.1.7 port 80 by entering the following command:

FWSM/contexta(config)# static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255
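The Python model below is an added example, not code from the guide or the FWSM, that ties together three points from this chapter: static PAT port redirection (the step above), policy NAT statements matched in configuration order until the first match, and regular NAT statements matched by the most specific statement (the "more exclusive nat statement just for the Telnet server"). It assumes the lookup order static, then policy NAT, then regular NAT, leaves NAT exemption out, inlines the policy ACLs as source/destination networks, and uses constructed rule sets and packets; the global pools are single addresses for brevity.

```python
"""Model of how the FWSM picks a translation for a packet: static
statements (including static PAT port redirection) first, then policy
NAT statements in configuration order until the first match, then
regular NAT statements by the most specific (best) match.  NAT exemption
is left out.  Added example; the rule set below is constructed around
the commands shown in this chapter."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Static:           # static (real_if,mapped_if) [tcp|udp] global [gport] local [lport]
    real_if: str
    mapped_if: str
    global_ip: str
    local_ip: str
    proto: Optional[str] = None
    global_port: Optional[int] = None
    local_port: Optional[int] = None


@dataclass
class PolicyNat:        # nat (real_if) id access-list NAME, with the ACE's fields inlined
    real_if: str
    nat_id: int
    src: str
    dst: str
    proto: Optional[str] = None
    dport: Optional[int] = None


@dataclass
class RegularNat:       # nat (real_if) id local_net mask
    real_if: str
    nat_id: int
    net: str


class NatTable:
    def __init__(self):
        self.statics, self.policy, self.regular = [], [], []
        self.pools = {}                      # (mapped_if, nat_id) -> global address

    def global_pool(self, mapped_if, nat_id, address):
        self.pools[(mapped_if, nat_id)] = address

    def inbound(self, mapped_if, proto, dst_ip, dport):
        """Connection from the mapped side to a global address: only static entries apply."""
        for s in self.statics:
            if s.mapped_if != mapped_if or s.global_ip != dst_ip:
                continue
            if s.proto is None:                                  # static NAT: all ports
                return s.real_if, s.local_ip, dport
            if s.proto == proto and s.global_port == dport:      # static PAT: one port only
                return s.real_if, s.local_ip, s.local_port
        return None

    def outbound(self, real_if, mapped_if, src_ip, dst_ip, proto=None, dport=None):
        """Global address chosen for a connection from the real side."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for s in self.statics:                                   # 1. static NAT
            if (s.real_if, s.mapped_if, s.local_ip) == (real_if, mapped_if, src_ip) and s.proto is None:
                return s.global_ip
        for p in self.policy:                                    # 2. policy NAT: first match wins
            if (p.real_if == real_if and src in ipaddress.ip_network(p.src)
                    and dst in ipaddress.ip_network(p.dst)
                    and (p.proto is None or (p.proto, p.dport) == (proto, dport))):
                return self.pools[(mapped_if, p.nat_id)]
        best = None                                              # 3. regular NAT: best match wins
        for r in self.regular:
            net = ipaddress.ip_network(r.net)
            if r.real_if == real_if and src in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, r.nat_id)
        if best is not None:
            return self.pools[(mapped_if, best[1])]
        return None   # no nat statement matched: dropped unless NAT exemption/identity NAT applies


def build_example():
    fw = NatTable()
    # static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255
    fw.statics.append(Static("inside", "outside", "209.165.201.15", "10.1.1.7", "tcp", 8080, 80))
    # policy NAT (constructed ACLs): NET1 = 10.1.2.0/24 -> 209.165.201.0/27; TELNET = 10.1.2.0/24 -> any tcp 23
    fw.policy.append(PolicyNat("inside", 1, "10.1.2.0/24", "209.165.201.0/27"))
    fw.policy.append(PolicyNat("inside", 2, "10.1.2.0/24", "0.0.0.0/0", "tcp", 23))
    fw.global_pool("outside", 1, "209.165.202.129")
    fw.global_pool("outside", 2, "209.165.202.130")
    # regular NAT (constructed): the whole subnet, plus a more specific statement for the Telnet server
    fw.regular.append(RegularNat("inside", 3, "10.1.2.0/24"))
    fw.regular.append(RegularNat("inside", 4, "10.1.2.27/32"))
    fw.global_pool("outside", 3, "209.165.201.3")
    fw.global_pool("outside", 4, "209.165.201.11")
    return fw


if __name__ == "__main__":
    fw = build_example()
    print(fw.inbound("outside", "tcp", "209.165.201.15", 8080))                          # ('inside', '10.1.1.7', 80)
    print(fw.outbound("inside", "outside", "10.1.2.27", "209.165.201.5", "tcp", 23))      # 209.165.202.129 (NET1 first)
    print(fw.outbound("inside", "outside", "10.1.2.27", "198.51.100.9", "tcp", 80))       # 209.165.201.11 (/32 beats /24)
```

The Telnet packet to 209.165.201.5 is translated by NET1 even though TELNET would also match, because policy NAT stops at the first match; swapping the two nat statements changes the result. The regular NAT statements, by contrast, are not order-sensitive: the /32 for the Telnet server wins regardless of where it was entered.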
Chapter 9, Configuring Network Address Translation: NAT Examples
This section includes the following topics:
• Access Control List Types and Uses, page 10-2
• Access Control List Guidelines, page 10-6

See the "Stateful Inspection Feature" section on page 1-5 for more information. For connectionless protocols such as ICMP, however, you either need ...

Permit entries in the ACL mark matching traffic for authorization, while deny entries exclude matching traffic from authorization. Apply the ACL using the aaa authorization match command in the "Configuring TACACS+ Authorization" section on page 12-24.

Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses in an extended ACL. You can also optionally specify the source and destination ports. Regular NAT can only consider the local addresses.

To control non-IP traffic, perform the following task:
• Create and apply the ACL according to the "Adding an EtherType Access Control List" section on page 10-16.

FWSM does not commit the ACL until the waiting period has passed and you do not enter more entries. The FWSM displays a message similar to the following after it commits the ACL:

Access Rules Download Complete: Memory Utilization: < 1%

This guideline applies for both inbound and outbound ACLs: the direction does not determine the address used, only the interface does.
[Figure: dynamic PAT, translated address 209.165.201.4:port.]

See the following commands for this example:

FWSM/contexta(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225
FWSM/contexta(config)# access-group INSIDE in interface inside
Static NAT

See the following commands for this example:

FWSM/contexta(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5
FWSM/contexta(config)# access-group OUTSIDE in interface outside
FWSM/contexta(config)# access-list HR extended permit ip any any
FWSM/contexta(config)# access-group HR in interface hr
FWSM/contexta(config)# access-list ENG extended permit ip any any
FWSM/contexta(config)# access-group ENG in interface eng

ACL information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections.
Note: You specify a network mask in the access-list command (for example, 255.255.255.0 for a class C mask). This method is different from the Cisco IOS software access-list command, which uses wildcard bits (for example, 0.0.0.255).

• Add an ACE for a specific protocol by entering the following command:
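The following Python model is an added example, not code from the guide or the FWSM, of how an extended ACL is evaluated: entries in order, first match decides, implicit deny at the end, and masks read as network masks rather than IOS wildcard bits. It also converts a wildcard to the netmask the access-list command expects and shows what happens when an IOS-style wildcard is pasted in unchanged. The ACL is built from the INSIDE example earlier in this chapter plus one constructed deny entry; the packets are constructed.

```python
"""Extended ACL evaluation on the FWSM: entries are checked in order,
the first matching entry decides, an implicit deny ends every list, and
address masks are network masks (255.255.255.0), not the wildcard bits
(0.0.0.255) of Cisco IOS.  Added example, not from the guide; sample
packets below are constructed."""
import ipaddress

MAX32 = 0xFFFFFFFF


def _int(ip):
    return int(ipaddress.IPv4Address(ip))


def wildcard_to_netmask(wildcard):
    """Convert IOS wildcard bits to the network mask the FWSM access-list command expects.
    Non-contiguous wildcards (0.0.254.255) have no netmask equivalent and are rejected."""
    mask = MAX32 ^ _int(wildcard)
    inv = MAX32 ^ mask                 # the don't-care bits must form one trailing run of 1s
    if inv & (inv + 1):
        raise ValueError(f"wildcard {wildcard} is not contiguous; no netmask equivalent")
    return str(ipaddress.IPv4Address(mask))


def in_subnet(addr, network, netmask):
    """FWSM semantics: every bit set in netmask must agree between addr and network."""
    m = _int(netmask)
    return _int(addr) & m == _int(network) & m


class Ace:
    def __init__(self, action, proto, src, smask, dst, dmask, dport=None):
        self.action, self.proto, self.dport = action, proto, dport
        self.src, self.smask, self.dst, self.dmask = src, smask, dst, dmask

    def matches(self, pkt):
        return ((self.proto == "ip" or self.proto == pkt["proto"])
                and in_subnet(pkt["src"], self.src, self.smask)
                and in_subnet(pkt["dst"], self.dst, self.dmask)
                and (self.dport is None or self.dport == pkt.get("dport")))


class AccessList:
    def __init__(self, name):
        self.name, self.aces = name, []

    def add(self, action, proto, src, smask, dst, dmask, dport=None):
        self.aces.append(Ace(action, proto, src, smask, dst, dmask, dport))

    def evaluate(self, pkt):
        for ace in self.aces:              # first match wins
            if ace.matches(pkt):
                return ace.action
        return "deny"                      # implicit deny at the end of every ACL


HOST = "255.255.255.255"                   # the 'host' keyword
ANY = ("0.0.0.0", "0.0.0.0")               # the 'any' keyword


def build_inside_acl():
    """access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225,
    preceded by a constructed deny for Telnet from one host to show ordering."""
    acl = AccessList("INSIDE")
    acl.add("deny", "tcp", "10.1.1.15", HOST, *ANY, dport=23)
    acl.add("permit", "ip", "10.1.1.0", "255.255.255.0", "209.165.200.225", HOST)
    return acl


def build_wildcard_mistake():
    """Same permit entry typed with an IOS wildcard: the FWSM reads 0.0.0.255 as a netmask,
    so only addresses whose last octet is 0 match, from any network."""
    acl = AccessList("WRONG")
    acl.add("permit", "ip", "10.1.1.0", "0.0.0.255", "209.165.200.225", HOST)
    return acl


if __name__ == "__main__":
    web = {"proto": "tcp", "src": "10.1.1.5", "dst": "209.165.200.225", "dport": 80}
    print(build_inside_acl().evaluate(web))          # permit
    print(build_wildcard_mistake().evaluate(web))    # deny
    print(wildcard_to_netmask("0.0.0.255"))          # 255.255.255.0
```

The mistaken list is worse than it looks: it denies the subnet it was meant to permit and permits 192.0.2.0 or any other address ending in .0, which is why a wildcard copied from an IOS router should be converted before it is entered on the FWSM.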
For example, you can allow BGP in an ACL in transparent mode, and you need to apply the ACL to both interfaces.

FWSM to use the IP address on the FWSM interface as the router-id for LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.) On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the FWSM:

Standard ACLs identify the destination IP addresses of OSPF routes, and can be used in a route map for OSPF redistribution. Standard ACLs cannot be applied to interfaces to control traffic.

After creating these groups, you could use a single ACE to allow trusted hosts to make specific service requests to a group of public servers. You can also nest object groups in other object groups.

The description can be up to 200 characters.

Step 3 To define the protocols in the group, enter the following command for each protocol:

FWSM/contexta(config-protocol)# protocol-object protocol
You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.
FWSM/contexta(config)# object-group icmp-type grp_id

The grp_id is a text string up to 64 characters in length. The prompt changes to the ICMP type subcommand mode.

FWSM/contexta(config-network)# object-group network finance
FWSM/contexta(config-network)# network-object host 10.1.4.89
FWSM/contexta(config-network)# network-object host 10.1.4.100

You then nest all three groups together as follows:

FWSM/contexta(config)# object-group network admin

ACL. See the "Access Control List Commit" section on page 10-6 for more information about committing ACLs.

For example, you can add remarks before each ACE, and the remark appears in the ACL in this location. Entering a dash (-) at the beginning of the remark helps set it apart from ACEs.

At the end of each interval, the FWSM resets the hit count to 0. If no packets match the ACE during an interval, the FWSM deletes the flow entry.

For connectionless protocols, such as ICMP, all packets are logged even if they are permitted, and all denied packets are logged. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Messages Guide for detailed information about this system message.

FWSM/contexta(config)# access-list alert-interval secs

The seconds are between 1 and 3600. 300 is the default.
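The following Python model is an added example, not code from the guide or the FWSM, of the flow cache behind ACE logging described above: the first packet of a new flow produces a message at once, later packets of the same flow only raise a hit count, at the end of each interval the count is logged and reset, and a flow with no hits in an interval is deleted. The cap on cached deny flows, with an alert sent at most once per alert-interval when it is reached, is an assumption about how alert-interval is used and not something this page states; the AclLogCache class, the 300-second interval default and the sample packets are all constructed.

```python
"""Model of the per-ACE logging flow cache: the first packet of a new
flow is logged immediately; later packets only increment a hit count;
at the end of each interval the count is logged and reset, and a flow
with no hits is deleted.  A cap on cached deny flows, reported at most
once per alert-interval, is included as an assumption.  Added example
with constructed packets (times are seconds)."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")


class AclLogCache:
    def __init__(self, interval=300, alert_interval=300, deny_flow_max=4096):
        self.interval = interval                # per-ACE log interval (assumed default 300 s)
        self.alert_interval = alert_interval    # access-list alert-interval secs (1-3600, default 300)
        self.deny_flow_max = deny_flow_max      # assumption: cap on cached deny flows
        self.flows = {}                         # (ace, flow) -> {"action", "hits", "start"}
        self.messages = []                      # (time, text) syslog-style records
        self.last_alert = None

    def _deny_flows(self):
        return sum(1 for e in self.flows.values() if e["action"] == "deny")

    def packet(self, ace, action, flow, now):
        """Account one packet that matched a logged ACE."""
        entry = self.flows.get((ace, flow))
        if entry is not None:
            entry["hits"] += 1                  # known flow: count only, no message
            return
        if action == "deny" and self._deny_flows() >= self.deny_flow_max:
            if self.last_alert is None or now - self.last_alert >= self.alert_interval:
                self.messages.append((now, f"deny flow cache full ({self.deny_flow_max}); new deny flows not cached"))
                self.last_alert = now
            return
        self.flows[(ace, flow)] = {"action": action, "hits": 1, "start": now}
        self.messages.append((now, f"{action} {ace} {flow}: first packet, hit-cnt 1"))

    def expire(self, now):
        """Interval processing: log and reset hit counts, delete idle flows."""
        for key, entry in list(self.flows.items()):
            if now - entry["start"] < self.interval:
                continue
            if entry["hits"] == 0:
                del self.flows[key]             # no packets this interval: flow removed
            else:
                ace, flow = key
                self.messages.append((now, f"{entry['action']} {ace} {flow}: hit-cnt {entry['hits']} ({self.interval}-second interval)"))
                entry["hits"], entry["start"] = 0, now


def telnet_scan_demo():
    """One host probing Telnet on one server: three packets, then silence, then more sources."""
    cache = AclLogCache(interval=300, alert_interval=300, deny_flow_max=2)
    f = Flow("192.0.2.10", "10.1.1.7", "tcp", 23)
    for t in (0, 10, 20):
        cache.packet("OUTSIDE line 1", "deny", f, t)
    cache.expire(300)        # logs hit-cnt 3 and resets the count
    cache.expire(600)        # no hits in the second interval: flow deleted
    for i, t in enumerate((610, 620, 630, 640)):
        cache.packet("OUTSIDE line 1", "deny", Flow(f"192.0.2.{11 + i}", "10.1.1.7", "tcp", 23), t)
    return cache


if __name__ == "__main__":
    for when, text in telnet_scan_demo().messages:
        print(f"t={when:4d}  {text}")
```

Three denied SYNs from one scanner produce two messages, not three, and a fourth scanner past the deny-flow cap produces one alert rather than one message per source; that is the trade-off the cache makes between log volume and visibility.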
100 connections divided between all contexts. See the "Rule Limits" section on page A-5 for information about the maximum number of Telnet rules allowed for the entire system.

Note: SSH v1.x and v2 are entirely different protocols and are not compatible. Make sure that you download a client that supports SSH v1.x. SSH v1 has well-known protocol weaknesses, so restrict SSH access to trusted management hosts with the ssh command and reach the FWSM from a dedicated management network where possible.

To allow all users on the 192.168.3.0 network to access the FWSM on the inside interface, enter the following command:

FWSM/contexta(config)# ssh 192.168.3.0 255.255.255.0 inside

FWSM/contexta(config)# pdm history enable

If you do not enable PDM metrics history, you can view real-time data only and not historical data. This step is optional.

VPN peers occurs over a secure tunnel, which means the packets are encrypted and authenticated by the peers. The FWSM can connect to another VPN concentrator, such as a Cisco PIX firewall or a Cisco IOS router, using a site-to-site tunnel. You specify the peer networks that can communicate over the tunnel. In the case of the FWSM, the only address available on the FWSM end of the tunnel is the interface itself.
For example, to configure the IKE policy and the IPSec transform sets, enter the following commands:

FWSM/contexta(config)# isakmp policy 1 authentication pre-share
FWSM/contexta(config)# isakmp policy 1 encryption 3des
FWSM/contexta(config)# crypto ipsec transform-set site_to_site esp-3des ah-sha-hmac

Configuring VPN Client Access

A host with an installed version of the Cisco VPN Client can connect to the FWSM for management purposes over a public network, such as the Internet. To allow remote clients to connect to the FWSM for management access, first configure basic VPN settings (see "Configuring Basic Settings for All ...

11-2. For example, the following commands allow hosts connected to the peer router (209.165.202.129) to use Telnet on the outside interface (209.165.200.225).

For example, to allow all hosts except the one at 10.1.1.15 to use ICMP to the inside interface, enter the following commands. The icmp entries are processed in order, so the deny for the single host must come before the permit for everyone else:

FWSM/contexta(config)# icmp deny host 10.1.1.15 inside
FWSM/contexta(config)# icmp permit any inside
To allow the host at 10.1.1.15 to use only ping to the inside interface, enter the following commands:

FWSM/contexta(config)# icmp permit host 10.1.1.15 inside
Chapter 11, Allowing Remote Management: Allowing ICMP to and from the FWSM
You can use accounting alone, or with authentication and authorization. This section includes the following topics:
• AAA Performance, page 12-2
• About Authentication, page 12-2

A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session expires. (See the timeout uauth command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for timeout values.) Because the session is keyed by IP address, any host that shares that address (for example, behind a NAT device) inherits the authenticated session until it times out. For ...

FWSM for the session, the service used, and the duration of each session.

You can configure the FWSM to send accounting information, per user or IP address, to the RADIUS server about any traffic that passes through the FWSM.
1. The local database can act as a fallback method for each of these functions if the AAA server is unavailable. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-5 OL-6392-01...
RADIUS or TACACS+. For multiple context mode, you can configure up to 4 servers in a maximum of 4 groups. In single mode, you can configure 16 servers in a maximum of 14 server groups. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide 12-6...
See the following sections for information about these methods:
• Configuring Authentication for the enable Command, page 12-9
• Authenticating Users Using the login Command, page 12-9
The FWSM prompts for your username and password. After you enter your password, the FWSM places you in the privilege level that the local database specifies.
[mode {enable | configure}] command command
Repeat this command for each command you want to reassign. See the following information about the options in this command:
This example shows an additional command, the configure command, that uses the mode keyword:
FWSM/contexta(config)# privilege show level 5 mode configure command configure
FWSM/contexta(config)# privilege clear level 15 mode configure command configure
If you enable TACACS+ command authorization, and a user enters a command at the CLI, the FWSM sends the command and username to the TACACS+ server to determine if the command is authorized.
• The FWSM sends the commands to be authorized as “shell” commands, so configure the commands on the TACACS+ server as shell commands.
Note The Cisco Secure ACS server might include a command type called “pix-shell.” Do not use this type for FWSM command authorization.
We recommend using this method so that you do not have to anticipate every variant of a command, including abbreviations and ?, which shows CLI usage. (See Figure 12-3.)
Figure 12-3 Permitting All Related Commands
TACACS+ server, and not the expanded command show logging message. You can configure multiple spellings of the same argument to anticipate abbreviations. (See Figure 12-6.)
We recommend that you use the same username and password in the local database as the TACACS+ server because the FWSM prompt does not give any indication which method is being used.
Telnet; the user Telnets to a given IP address configured on the FWSM, and the FWSM provides a Telnet prompt. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information about the virtual telnet command.
After enabling this feature, when a user accesses a web page requiring authentication, the FWSM displays the Authentication dialog box shown in Figure 12-7.
Figure 12-7 Secure Authentication Page
If you do not enter a string using the auth-prompt command, this field will be blank. For the detailed syntax of this command, refer to the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
permit icmp any host 10.0.0.252
permit ip any any
The downloaded ACL on the FWSM has the following name: #ACSACL#-ip-acl_name-number
Downloaded ACLs have two spaces between the word “access-list” and the name. These spaces serve to differentiate a downloaded ACL from a local ACL.
When you enable application inspection for a service that embeds IP addresses, the FWSM translates embedded addresses and updates any checksum or other fields that are affected by the translation.
If an inspection engine does not support outside NAT, consider using the alias command instead of outside NAT. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information about the alias command.
2. The FWSM is in compliance with these standards, but it does not enforce compliance on packets being inspected. For example, FTP commands are supposed to be in a particular order, but the FWSM does not enforce the order.
FWSM/contexta(config)# fixup protocol ftp 9090
After entering these commands, the FWSM listens for FTP traffic on port 21, as well as 2100, 4254, and 9090.
H.323-standard format in H.323 mode. CUSeeMe is supported through H.323 inspection, as well as performing NAT on the CUSeeMe control stream, which operates on UDP port 7648.
Command spoofing—The PORT command should always be sent from the client. The TCP connection is denied if a PORT command is sent from the server.
You can set the inspection engines for H.323 and RAS (h225 and ras) separately. The default port for h225 is 1720 (TCP), and the default ports for ras are 1718-1719 (UDP).
Real-Time Transport Protocol (RTP) uses the negotiated port number, while RTP Control Protocol (RTCP) uses the next higher port number.
Each UDP connection with a packet going through the H.323 inspection engine is marked as an H.323 connection and will time out with the H.323 timeout as configured by the administrator using the timeout command.
– Original packet NAT IP is changed to the Client IP
– Original packet NAT port is changed to the Client Port
– Original packet IP checksum is recalculated
ILS/LDAP follows a client/server model with sessions handled over a single TCP connection. Depending on the client’s actions, several of these sessions might be created.
This section includes the following topics:
• MGCP Overview, page 13-13
• Configuration for Multiple Call Agents and Gateways, page 13-13
• Viewing MGCP Information, page 13-14
The IP address of the gateway is specified with the ip_address option. The group_id option is a number from 0 to 4294967295. It must correspond with the group_id of the call agents that are managing the gateway.
The RealAudio inspection engine allows the data channel to go through the FWSM when the data channel source port is between UDP ports 6790 and 7170.
FWSM/contexta(config)# fixup protocol rtsp [port[-port]]
The default port is 554 (TCP). If you are using Cisco IP/TV, use RTSP TCP port 554 and TCP 8554 as follows:
FWSM/contexta(config)# fixup protocol rtsp 554
FWSM/contexta(config)# fixup protocol rtsp 8554
The following restrictions apply to the RTSP inspection engine:
• The FWSM does not inspect RTSP messages passing through UDP ports.
Session Description Protocol (SDP) files as part of HTTP or RTSP messages. Packets could be fragmented, and the FWSM cannot perform NAT on fragmented packets. With Cisco IP/TV, the number of translations the FWSM performs on the SDP part of the message...
If there is a failure to receive the response messages within one minute, the signaling connection will be torn down.
NAT for the Cisco CallManager IP address, and you configure the TFTP server to serve a file with the local untranslated address of the Cisco CallManager, then the Cisco IP Phones cannot contact the Cisco CallManager. We recommend that you use the Cisco CallManager name instead of the IP address, and rely on the DNS server to provide the correct address.
The pipeline character (|) is deleted (changed to a blank space), and “<” and “>” are only allowed if they are used to define a mail address (“>” must be preceded by “<”).
SQL*Net Version 1 is assumed for all other cases. TNSFrame types (Connect, Accept, Refuse, Resend, Marker, Redirect, and Data) and all packets are scanned for ports and addresses. Addresses are NATed and port connections are opened.
The FWSM permits all UDP connections from a TFTP server back to a client source port if there is an existing TFTP connection between the server and client.
When XDMCP is used, the display is negotiated using IP addresses, which the FWSM can NAT if needed. The XDMCP inspection engine does not support PAT.
• For FTP, the FWSM allows the successful FTP return code to reach the user unchanged. For example, a successful return code is “250: CWD command successful.”
[timeout seconds] [protocol tcp [version {1 | 4}] | udp]
See the following options:
– (if_name)—The interface through which the FWSM communicates with the server.
– ip_address—The Websense server IP address.
FWSM/contexta(config)# url-block block block-buffer-limit
The block-buffer-limit sets the amount of memory assigned to the buffer from 0 to 128 blocks. Each block is 1550 bytes.
• Caches the source and destination server address, so access is only cached for a given user at the source address.
• kbytes—The cache size between 1 and 128 KB.
FWSM/contexta(config)# filter url http 10.1.1.0 255.255.255.0 0 0 longurl-truncate cgi-truncate
To filter users only on the 10.1.2.0 network, enter the following commands:
FWSM/contexta(config)# filter url http 10.1.2.0 255.255.255.0 0 0
This section describes how to monitor filtering statistics, and includes the following topics:
• Viewing Filtering Server Statistics, page 14-7
• Viewing Caching Statistics, page 14-7
• Viewing Filtering Performance Statistics, page 14-8
The following sample display shows how the cache is used:
FWSM/contexta# show url-cache stats
URL Filter Cache Stats
----------------------
Size : 128KB
Entries : 1724
In Use :
Lookups :
Hits :
After a failover occurs, the same connection information is available at the new active module. Supported end-user applications are not required to reconnect to keep the same communication session.
Note The IP address and MAC address for the state link do not change at failover.
FWSM VLANs. Because this trunk also accommodates FWSM traffic when a module fails, this trunk should be at least as large as the maximum amount of
“Basic Failover Questions” section on page 15-25. Because the FWSMs bridge packets between the same two VLANs, loops can occur
IP addresses; when a module is standby, it uses the standby IP addresses.
Note Because the configuration is the same on both modules, the host names, usernames, and passwords are also the same.
Configuration Replication to mate.” During the replication, information cannot be entered on the FWSM terminal. Depending on the size of the configuration, replication can take several minutes.
If the FWSM does not receive a response on any interface, then the standby module switches to active mode and classifies the other module as failed.
If a failed module does not recover and you believe it should not be failed, you can reset the state by entering the failover reset command. If the failover condition persists, however, the module will fail again.
Step 4 (Stateful failover only) To set the IP address of the state interface, enter the following command:
primary(config)# failover interface ip state_interface ip_address mask standby ip_address
10, then that interval is used.
Step 9 (Optional) To set the time in seconds between hello messages on monitored interfaces, enter the following command:
Step 12 through Step 15 for each context.
Step 16 See the “Failover Configuration Example” section on page 15-27 for a typical failover configuration.
“End Configuration Replication to mate” appear on the active module console.
Step 7 To save the configuration to Flash memory, enter the following command:
secondary(config)# copy running-config startup-config
Interface inside (10.6.8.100): Normal
admin Interface outside (70.1.1.3): Normal
Stateful Failover Logical Update Statistics
Link : Luifc Vlan 151
Stateful Obj xmit xerr rerr
FWSM
Last Failover: The last time a failover occurred.
This host: / Other host: For each host, the display shows the following information.
• rerr—Number of errors that occurred while receiving packets from the other module.
General: Sum of all stateful objects.
Step 2 Force a failover to the standby module by entering the following command:
primary(config)# no failover active
Step 3 Use FTP to send another file between the same two hosts.
When a failover occurs, both FWSMs send out system messages. This section includes the following topics:
• Failover System Messages, page 15-24
• SNMP, page 15-24
• Debug Messages, page 15-24
Debug Messages
To see debug messages, enter the debug fover command. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information.
Frequently Asked Failover Questions
This section contains frequently asked questions about the failover features and includes the following...
Yes, in the following circumstances:
– Both modules have configurations in Flash memory
– Both modules have failover enabled
– The failover link is down at startup
– Other UDP connections.
• Can I share the state link interface with the failover link?
Yes, however, we recommend that you use a separate interface.
Example 15-2 Failover Configuration: Secondary Unit
failover lan interface faillink vlan 10
failover lan unit secondary
failover interface ip faillink 192.168.253.1 255.255.255.252 standby 192.168.253.2
failover
You cannot copy software to the other application partition. You might want to copy to the other partition if you want to keep the old version of software as a backup in the current partition.
The image option (default) copies the application software, and the pdm option copies the PDM software. The type can be one of the following keywords:
– ap—ASCII passive mode
• For Cisco IOS software, enter the following command:
Router# hw-module module mod_num reset cf:1
• For Catalyst operating system software, enter the following command:
Console> (enable) reset mod_num boot cf:1
Router# hw-module module mod_num reset cf:{4 | 5}
• For Catalyst operating system software, enter the following command:
Console> (enable) reset mod_num boot cf:{4 | 5}
This section describes how to download and back up configuration files, and includes the following sections:
• Downloading a Text Configuration, page 16-6
• Backing Up the Configuration, page 16-7
To copy the configuration from an FTP server, enter the following command:
FWSM# copy ftp://admin:letmein@209.165.200.227/configs/startup.cfg;type=an startup-config
To copy the configuration from an HTTP server, enter the following command:
FWSM# copy http://209.165.200.228/configs/startup.cfg startup-config
In single context mode, or from the system configuration in multiple mode, you can copy the startup configuration, running configuration, or a configuration file by name on disk (such as the admin.cfg).
To print the configuration to the terminal, enter the following command:
FWSM# write terminal
Copy the output from this command, and then paste the configuration into a text file.
• Using SNMP, page 17-1
Using System Messages
The FWSM provides extensive system messages. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Messages Guide to configure logging and to view system message descriptions.
Cisco Syslog MIB
The FWSM supports the following trap:
• clogMessageGenerated
You cannot browse this MIB.
FWSM does not send SNMP traps.
FWSM/contexta(config)# snmp-server host 192.168.3.2
FWSM/contexta(config)# snmp-server location building 42
FWSM/contexta(config)# snmp-server contact kim lee
FWSM/contexta(config)# snmp-server community ohwhatakeyisthee
Step 3 To send the system messages to your Telnet or SSH session, enter the following command:
FWSM/contexta(config)# terminal monitor
Step 4 To enable system messages, enter the following command:
FWSM/contexta(config)# logging on
17-4). In this case, the debug messages show that the ping was successful, but you see system message 110001 indicating a routing failure.
Figure 17-4 Ping Failure Because the FWSM has no Route
Note through the FWSM to other hosts.
Figure 17-5 Ping Failure Because the FWSM is not Translating Addresses
In multiple mode, you can only reload from the system execution space. To reload the FWSM from the FWSM CLI, enter the following command:
FWSM# reload
To log into the maintenance partition as root, enter the following command:
Login: root
Step 4 Enter the password at the prompt:
Password: password
By default, the password is “cisco.”
FWSM, debug messages can be useful. We recommend contacting technical support to help you debug your FWSM. To enable debug messages, see the debug commands in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
You did not enable multiple SVIs.
Recommended Action Enable multiple SVIs according to the “Adding Switched Virtual Interfaces to the MSFC” section on page 2-5.
Recommended Action Enable this feature according to the “Allowing Communication Between Interfaces on the Same Security Level” section on page 6-8.
Possible Cause You did not assign the same VLANs for both units.
Recommended Action Make sure to assign the same VLANs to both units in the switch configuration.
Chapter 17 Monitoring and Troubleshooting the Firewall Services Module: Troubleshooting the Firewall Services Module
Maximum four modules per switch. If you are using failover, you can still only have four modules per switch even if two of them are in standby mode.
You can share outside interfaces between contexts, and in some circumstances, you can share inside interfaces.
Transparent Mode: 2 per context
PAT is the translation limit (256,000), not the higher connection limit. To use the connection limit, you need to use NAT, which allows multiple connections using the same translation session.
27: TFTP, Sun RPC over UDP, NetBIOS NameServer, XDMCP, and CUSeeMe. The OraServ and RealAudio inspection engines, which are also enabled by default, do not affect this limit.
1. For example, if you have 96 contexts evenly distributed among the 12 pools, so there are 8 contexts per pool, each context can use 75 filter rules, if evenly divided.
2. access control entries
3. Internet Control Message Protocol
4. HyperText Transfer Protocol
Appendix A Specifications: Rule Limits
Each customer context belongs to a class that limits its resources (gold, silver, or bronze). Although inside IP addresses can be the same across contexts when the VLANs are unique, keeping them unique is easier to manage.
FWSM Version (blank means single mode, “<system>” means you are in multiple mode in the system configuration, and <context> means you are in multiple mode in a context).
Because the FWSM does not advertise routes with RIP, the MSFC needs to use static routes for FWSM traffic. (See Figure B-2.) The Department networks are allowed to access the Internet, and use PAT.
Catalyst OS on the supervisor:
set vlan 3-5,9,10 firewall-vlan 8
Cisco IOS software on the MSFC:
interface vlan 3
ip address 209.165.201.1 255.255.255.224
no shut
• Example 3: Department 1 Context Configuration, page B-10
• Example 3: Department 2 Context Configuration, page B-11
• Example 3: Switch Configuration, page B-11
Note that the translated addresses are used. ]
ACL must authenticate with the AAA server ]
logging trap 4
logging host shared 10.1.1.8 [ System messages are sent to the syslog server on the Shared network ]
logging on
The secondary FWSM is also in routed, multiple context mode, and has the same software version.
The mode and the activation key are not stored in the configuration file, even though they do endure reboots. If you view
(outside) 1 209.165.201.11 netmask 255.255.255.224 [ This context uses dynamic PAT for inside users that access the outside ]
route outside 0 0 209.165.201.5 1
Example 4: Switch Configuration
The following lines in the Cisco IOS switch configuration on both switches relate to the FWSM. For information about configuring redundancy for the switch, see the switch documentation.
firewall module 1 vlan-group 1...
INTERNET in interface inside [ Allows all inside hosts to access the outside for any IP traffic. Also allows OSPF. ]
access-group OSPF in interface outside [ Allows OSPF. ]
B-4). Each context (A, B, and C) monitors the inside interface and outside interface. The secondary FWSM is also in transparent, multiple context mode, and has the same software version.
The mode and the activation key are not stored in the configuration file, even though they do endure reboots. If you view
10.0.2.1 255.255.255.0 standby 10.0.2.2
monitor-interface inside
monitor-interface outside
route outside 0 0 10.0.2.4 1
telnet 10.0.2.14 255.255.255.255 inside
access-list INTERNET extended permit ip any any
Example 6: Switch Configuration
The following lines in the Cisco IOS switch configuration on both switches relate to the FWSM. For information about configuring redundancy for the switch, see the switch documentation.
firewall multiple-vlan-interfaces
firewall module 1 vlan-group 1...
200 timers 5 15
standby 200 authentication Secret
no shut
interface range gigabitethernet 2/1-3
channel-group 2 mode on
switchport trunk encapsulation dot1q
no shut
Note The CLI uses syntax and other conventions similar to those of the Cisco IOS CLI, but the FWSM operating system is not a version of Cisco IOS software. Do not assume that a Cisco IOS CLI command works or has the same function with the FWSM.
In addition, you can con te enter to represent 0.0.0.0
Replace regexp with any Cisco IOS regular expression. The regular expression is not enclosed in single or double quotes, so be careful with trailing white space, which is taken as part of the regular expression.
• Passwords, page C-6
• Multiple Security Context Files, page C-6

To download the file, see the “Downloading a Text Configuration” section on page 16-6.
How Commands Correspond with Lines in the Text File

The text configuration file includes lines that correspond with the commands described in this guide and in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
In addition, you can enter any command by itself on the command line and then press Enter to view the command syntax.
Because Class A addresses have 16,777,214 host addresses and Class B addresses have 65,534, you can use subnet masking to break these huge networks into smaller subnets.
You can also supernet multiple Class C networks into a larger network by using part of the third octet for the extended network prefix. For example, 192.168.0.0/20.
The following sections describe how to determine the network address to use with a subnet mask for a Class C-size and a Class B-size network:
• Class C-Size Network Address, page D-4
• Class B-Size Network Address, page D-4
10.1.240.0 to 10.1.255.255

1. The first and last address of a subnet are reserved. In the first subnet example, you cannot use 10.1.0.0 or 10.1.15.255.
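As an added example that is not part of the guide, the following Python (standard library only) carries the Class B /20 split through with the guide's own values, counts the Class C networks covered by the 192.168.0.0/20 supernet, and applies the first-and-last-address rule to an active/standby interface address pair of the kind shown in the failover examples. The function names are my own.

```python
"""Subnet arithmetic for the guide's examples: 10.1.0.0/16 split into /20 subnets,
the 192.168.0.0/20 supernet, and the reserved network/broadcast addresses.
Added example (not from the guide); uses only the standard library."""
import ipaddress


def usable_host_count(prefix_len: int) -> int:
    """Usable hosts in an IPv4 prefix: all addresses minus the reserved
    network and broadcast address (Class A /8 -> 16,777,214, Class B /16 -> 65,534)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    if prefix_len >= 31:
        return 0  # no room for the reserved pair under the classic rule
    return 2 ** (32 - prefix_len) - 2


def subnet_table(network: str, new_prefix: int) -> list:
    """Split network into /new_prefix subnets; report each subnet's full
    address range and the usable range with the first and last address removed."""
    net = ipaddress.ip_network(network, strict=True)
    return [
        {
            "subnet": str(sub),
            "range": (str(sub.network_address), str(sub.broadcast_address)),
            "usable": (str(sub.network_address + 1), str(sub.broadcast_address - 1)),
        }
        for sub in net.subnets(new_prefix=new_prefix)
    ]


def supernet_members(supernet: str) -> int:
    """Number of Class C (/24) networks covered by a supernet such as 192.168.0.0/20."""
    return sum(1 for _ in ipaddress.ip_network(supernet).subnets(new_prefix=24))


def check_interface_pair(active: str, standby: str, mask: str) -> list:
    """Validate an 'ip address <active> <mask> standby <standby>' pair: both addresses
    must lie in the same subnet, must differ, and neither may be the reserved
    network or broadcast address. Returns a list of problems (empty when valid)."""
    net = ipaddress.ip_interface(f"{active}/{mask}").network
    problems = []
    for label, addr in (("active", active), ("standby", standby)):
        a = ipaddress.ip_address(addr)
        if a not in net:
            problems.append(f"{label} address {addr} is not in {net}")
        elif a in (net.network_address, net.broadcast_address):
            problems.append(f"{label} address {addr} is a reserved address of {net}")
    if active == standby:
        problems.append("active and standby addresses must differ")
    return problems


if __name__ == "__main__":
    for row in subnet_table("10.1.0.0/16", 20):
        print(row["subnet"], row["range"], "usable:", row["usable"])
```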
Note: The FWSM does not pass multicast packets. Many routing protocols use multicast packets for data transfer. If you need to send routing protocols across the FWSM, configure the routers with the Cisco IOS software neighbor command. We consider it inherently dangerous to send routing protocols across the FWSM.
DNSIX Session Management Module Audit Redirector
echo       TCP, UDP   Echo
exec                  Remote process execution
finger                Finger
                      File Transfer Protocol (control port)
ftp-data              File Transfer Protocol (data port)
Post Office Protocol - Version 3
pptp         1723   Point-to-Point Tunneling Protocol
radius       1645   Remote Authentication Dial-In User Service
radius-acct  1646   Remote Authentication Dial-In User Service (accounting)
RFC 854 Telnet
tftp    Trivial File Transfer Protocol
time    Time
uucp    UNIX-to-UNIX Copy Program
whois   Who Is
        World Wide Web
xdmcp   X Display Manager Control Protocol
Bootstrap Protocol—Lets diskless workstations boot over the network and is described in RFC 951 and RFC 1542.
BPDU   bridge protocol data unit.
Berkeley Standard Distribution.
certification authority.
Cisco Discovery Protocol.
A collection of protocols that allow the transmission of voice data over TCP/IP networks.
HTTP    HyperText Transfer Protocol—The service that handles access to the World Wide Web.
HTTPS   HTTP over SSL.
Telnet sessions to the console.
MGCP    Media Gateway Control Protocol.
Management Information Base—Used with SNMP.
MPLS    Multiprotocol Label Switching.
MSFC    Multilayer Switch Feature Card.
Routing Information Protocol.
Remote Procedure Call.
Rivest, Shamir, and Adleman. RSA is the trade name for RSA Data Security, Inc.
Remote Shell—as in Remote Shell protocol.
Triple Data Encryption Standard. Also known as 3DES.
uauth   User authentication.
User Datagram Protocol.
Universal Resource Locator.
UUIE    user-user information element.
VLAN    virtual LAN.
VoIP    Voice over IP.
Virtual Private Network.
Acronyms and Abbreviations (continued)

Abbreviation   Description
               wide-area network.
WINS           Windows Internet Naming Service.
               World Wide Web.
XDMCP          X Display Manager Control Protocol.
xlate          Translation session.