Setting The Name And Security Level - Cisco Catalyst 6500 Series Configuration Manual

Chapter 6, Configuring Basic Settings
Configuring Interfaces

• TCP sequence randomization—Each TCP connection has two Initial Sequence Numbers (ISNs): one generated by the client and one generated by the server. The FWSM randomizes the ISN that is generated by the host/server on the higher security interface. At least one of the ISNs must be randomly generated so that attackers cannot predict the next ISN and potentially hijack the session.
• Maximum connections limit—You can set a limit on the number of TCP and UDP connections allowed through the FWSM, but only connections from a higher security interface to a lower security interface are tracked. This limit is set using the max_conns option in the nat and static commands.
• established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.

These behaviors do not affect interfaces that are on the same security level. For example, you do not have to perform NAT, nor do you have to configure the interfaces to bypass NAT. You can, however, optionally configure NAT for these interfaces. Similarly, inspection engines are applied to both interfaces, as is filtering.

Note: By default, the Cisco PIX firewall allows traffic to flow freely from an inside network (higher security level) to an outside network (lower security level). However, the FWSM does not allow any traffic to pass between interfaces unless you explicitly permit it with an access control list (ACL). While you still have to specify the security level for an interface on the FWSM, the security level does not provide an explicit permission for traffic to travel from a high security interface to a low security interface.

Setting the Name and Security Level

By default, all interfaces are enabled. However, you must assign a name and security level to each interface before you can fully configure the FWSM. Many commands use the interface name instead of the interface (VLAN) ID.

You can assign a name to a VLAN that has not yet been assigned to the FWSM (see the "Assigning VLANs to the Firewall Services Module" section on page 2-2), but you see a warning message.

Note: If you are using failover, do not use this procedure to name interfaces that you are reserving for failover and stateful failover communications. See Chapter 15, "Using Failover," to configure the failover and state links.

In transparent firewall mode, you can use only two interfaces, one inside and one outside.

For multiple context mode, follow these guidelines:
• Configure the context interfaces from within each context.
• You can only configure context interfaces that you already assigned to the context in the system configuration.
• The system configuration does not include configurable interfaces, except for failover interfaces. Do not configure failover interfaces with this procedure. See Chapter 15, "Using Failover," for more information.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
6-7
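The three behaviors listed above (ISN randomization on the higher security side, max_conns tracking of high-to-low connections only, and the established command) together with the note that the FWSM requires an explicit ACL permit, as an added Python model written for this page; it is not FWSM or Cisco code, and the interface names, security levels and host addresses are constructed sample values.

```python
# Illustrative model of the FWSM behaviours described in the text; not FWSM code.
from dataclasses import dataclass, field

@dataclass
class Conn:
    src_if: str   # interface the connection enters on
    dst_if: str   # interface it leaves on
    src: str      # constructed sample addresses (model only)
    dst: str

@dataclass
class FwsmModel:
    levels: dict                                   # interface name -> security level
    max_conns: int                                 # applies only to high->low conns
    acl_permits: set = field(default_factory=set)  # (src_if, dst_if) pairs permitted
    established: bool = False                      # established command configured?
    conns: list = field(default_factory=list)      # connection table

    def high_to_low(self, src_if, dst_if):
        return self.levels[src_if] > self.levels[dst_if]

    def randomized_isn_host(self, conn):
        """The ISN generated by the host on the higher security interface is randomized."""
        return conn.src if self.high_to_low(conn.src_if, conn.dst_if) else conn.dst

    def tracked_conns(self):
        """Only high->low connections count toward max_conns."""
        return sum(1 for c in self.conns if self.high_to_low(c.src_if, c.dst_if))

    def has_established(self, high_host, low_host):
        """True if the high-security host already opened a connection to the low host."""
        return any(c.src == high_host and c.dst == low_host
                   and self.high_to_low(c.src_if, c.dst_if) for c in self.conns)

    def admit(self, conn):
        """Decide whether a new connection is allowed and record it if so."""
        outbound = self.high_to_low(conn.src_if, conn.dst_if)
        # Unlike the PIX, the FWSM needs an explicit ACL permit in either direction.
        allowed = (conn.src_if, conn.dst_if) in self.acl_permits
        # established: a low->high connection is allowed as a return path when the
        # high-security host already has a connection open to the low-security host.
        if not allowed and not outbound and self.established:
            allowed = self.has_established(conn.dst, conn.src)
        if not allowed:
            return "denied: no ACL permit"
        if outbound and self.tracked_conns() >= self.max_conns:
            return "denied: max_conns reached"
        self.conns.append(conn)
        return "permitted"
```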