Cisco Catalyst 6500 Series Configuration Manual page 71

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01, page 4-13
Chapter 4 Configuring the Firewall Mode
Firewall Mode Overview

An Inside User Visits a Website

Figure 4-2 shows an inside user accessing an outside website.

Figure 4-9 Inside to Outside
[Figure labels: www.cisco.com, Internet, Switch, 209.165.201.2, VLAN 100, FWSM, 209.165.201.6, VLAN 200, Host, 209.165.201.3]

The steps below describe how data moves through the FWSM (see Figure 4-2):

1. The user on the inside network requests a web page from www.cisco.com.

2. The FWSM receives the packet on VLAN 200 and, because it is a new session, it verifies that the packet is allowed according to the terms of the security policy (ACLs, filters, AAA).

   For multiple context mode, the FWSM first classifies the packet according to either a unique VLAN or a unique destination address. In this case, the VLAN would be unique. For transparent firewall mode, each context has a unique VLAN on the inside and outside, so the IP address would not be considered.

3. The FWSM records that a session is established.

4. If the destination MAC address is in its table, the FWSM forwards the packet out of the outside interface on VLAN 100.

   If the destination MAC address is not in the FWSM table, the FWSM attempts to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.

5. When the web server responds to the request, the packet goes through the FWSM, and because the session is already established, the packet bypasses the many lookups associated with a new connection.

6. The FWSM forwards the packet to the inside user.
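The packet path in steps 1 through 6 above, as an added example: a simplified Python model, not Cisco code and not part of the original manual. The class and field names, the policy tuple format, the web server address and the MAC values are constructed, the host address is assumed from the figure labels, and multiple context classification is not modeled.

```python
# Simplified model of the transparent-mode packet path in the steps above.
# Not FWSM code: names, the policy tuple format and all MAC values are constructed.
from dataclasses import dataclass, field

INSIDE_VLAN, OUTSIDE_VLAN = 200, 100  # VLAN numbers from the page

@dataclass(frozen=True)
class Packet:
    vlan: int      # VLAN the packet arrives on
    src: str
    dst: str
    dst_mac: str
    port: int      # server-side TCP port of the flow

@dataclass
class TransparentFirewall:
    permits: set                                     # (ingress VLAN, src IP, port)
    mac_table: dict = field(default_factory=dict)    # MAC -> VLAN it lives on
    sessions: set = field(default_factory=set)
    policy_checks: int = 0                           # counts new-session lookups
    probes: list = field(default_factory=list)       # destinations that triggered ARP + ping

    def handle(self, p: Packet) -> str:
        egress = OUTSIDE_VLAN if p.vlan == INSIDE_VLAN else INSIDE_VLAN
        key = (frozenset((p.src, p.dst)), p.port)    # same key for both directions
        if key not in self.sessions:                 # step 2: new session, check policy
            self.policy_checks += 1
            if (p.vlan, p.src, p.port) not in self.permits:
                return "deny"
            self.sessions.add(key)                   # step 3: record the session
        if self.mac_table.get(p.dst_mac) != egress:  # step 4: MAC not in table
            self.probes.append(p.dst)                # ARP request and ping go out
            return "drop"                            # the first packet is dropped
        return f"forward:vlan{egress}"               # steps 4 and 6: forward

def demo():
    host, web = "209.165.201.3", "198.51.100.10"     # web server IP is constructed
    gw_mac, host_mac = "0000.5e00.5301", "0000.5e00.5302"  # constructed MACs
    fw = TransparentFirewall(permits={(INSIDE_VLAN, host, 80)},
                             mac_table={host_mac: INSIDE_VLAN})
    out = Packet(INSIDE_VLAN, host, web, gw_mac, 80)
    back = Packet(OUTSIDE_VLAN, web, host, host_mac, 80)
    results = [fw.handle(out)]                       # next-hop MAC not yet known
    fw.mac_table[gw_mac] = OUTSIDE_VLAN              # reply to the probe is learned
    results += [fw.handle(out), fw.handle(back)]     # retry, then server response
    results.append(fw.handle(Packet(OUTSIDE_VLAN, web, host, host_mac, 22)))
    return results, fw.policy_checks, fw.probes
```

The policy check count stays at 1 across the retry and the server response, which is the bypass described in step 5; it rises only for the unsolicited outside packet, which no policy entry permits.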
