Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI
Catalyst 6500 Series Switch and
Cisco 7600 Series Router Firewall Services
Module Configuration Guide Using the CLI
Release 4.1
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Customer Order Number: N/A, Online only
Text Part Number: OL-20748-01

  Summary of Contents for Cisco 7604

  • Page 1 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI Release 4.1 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883...
  • Page 2 OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
  • Page 3: Table Of Contents

    C H A P T E R Switch Overview Verifying the Module Installation Assigning VLANs to the Firewall Services Module VLAN Guidelines Assigning VLANs to the FWSM Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 4 Context Configuration Files Context Configurations System Configuration Admin Context Configuration How the FWSM Classifies Packets Valid Classifier Criteria Invalid Classifier Criteria Classification Examples
  • Page 5 4-35 Monitoring Security Contexts 4-35 Viewing Context Information 4-35 Viewing Resource Allocation 4-36 Viewing Resource Usage 4-39 Monitoring SYN Attacks in Contexts 4-40
  • Page 6 Information About Bridge Groups Information About Device Management Guidelines and Limitations Configuring Transparent Firewall Interfaces for Through Traffic Assigning an IP Address to a Bridge Group
  • Page 7 Redistributing Routes Between OSPF Processes 8-11 Configuring OSPF Interface Parameters 8-12 Configuring OSPF Area Parameters 8-14 Configuring OSPF NSSA 8-15 Configuring a Point-To-Point, Non-Broadcast OSPF Neighbor 8-16
  • Page 8 Configuring DHCP Options 8-37 Using Cisco IP Phones with a DHCP Server 8-38 Configuring DHCP Relay Services 8-39 DHCP Relay Overview 8-39
  • Page 9 Configuring Neighbor Solicitation Messages 10-6 Configuring the Neighbor Solicitation Message Interval 10-7 Configuring the Neighbor Reachable Time 10-7 Configuring Router Advertisement Messages 10-8
  • Page 10 Chapter: Public Key Cryptography 12-1 About Public Key Cryptography 12-1 Certificate Scalability 12-2 About Key Pairs 12-2
  • Page 11 Simplifying Access Lists with Object Grouping 13-11 How Object Grouping Works 13-11 Adding Object Groups 13-12 Adding a Protocol Object Group 13-12 Adding a Network Object Group 13-13
  • Page 12 Determining Which Type of Failover to Use 14-17 Regular and Stateful Failover 14-17 Regular Failover 14-18 Stateful Failover 14-18 Failover Health Monitoring 14-19 Unit Health Monitoring 14-19
  • Page 13 NAT Overview 16-1 Introduction to NAT 16-2 NAT in Routed Mode 16-2 NAT in Transparent Mode 16-3 NAT Control 16-5 NAT Types 16-6
  • Page 14 FWSM Authentication Prompts 17-2 Static PAT and HTTP 17-3 Authenticating Directly with the FWSM 17-3 Enabling Network Access Authentication 17-3 Configuring Custom Login Prompts 17-5
  • Page 15 18-11 Configuring ARP Inspection and Bridging Parameters 19-1 Chapter: Configuring ARP Inspection 19-1 ARP Inspection Overview 19-1
  • Page 16 Applying Inspection to HTTP Traffic Globally 20-21 Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers 20-22 Applying Inspection to HTTP Traffic with NAT 20-22
  • Page 17 How Inspection Engines Work 22-2 Inspection Limitations 22-3 Default Inspection Policy 22-4 Configuring Application Inspection 22-6 CTIQBE Inspection 22-10 CTIQBE Inspection Overview 22-10
  • Page 18 22-47 H.323 Inspection Overview 22-48 How H.323 Works 22-48 Limitations and Restrictions 22-49 Topologies Requiring H.225 Configuration 22-50 H.225 Map Commands 22-50
  • Page 19 Configuring SIP Timeout Values 22-82 SIP Inspection Enhancement 22-82 Verifying and Monitoring SIP Inspection 22-86 SIP Sample Configuration 22-87 Skinny (SCCP) Inspection 22-89
  • Page 20 CLI Access Overview 23-11 ASDM Access Overview 23-11 Authenticating Sessions from the Switch to the FWSM 23-11 Enabling CLI or ASDM Authentication 23-12
  • Page 21 Backing Up a Context Configuration within a Context 24-17 Copying the Configuration from the Terminal Display 24-18 Configuring Auto Update Support 24-18 Configuring Communication with an Auto Update Server 24-18
  • Page 22 Troubleshooting the Firewall Services Module 26-1 Chapter: Testing Your Configuration 26-1 Enabling ICMP Debug Messages and System Log Messages 26-1
  • Page 23 Admin Context Configuration (Example 1) Customer A Context Configuration (Example 1) Customer B Context Configuration (Example 1) Customer C Context Configuration (Example 1)
  • Page 24 Appendix: Firewall Mode and Security Context Mode Command Modes and Prompts Syntax Formatting Abbreviating Commands Command-Line Editing
  • Page 25 TCP and UDP Ports E-11 Local Ports and Protocols E-14 ICMP Types E-15 Glossary, Index
  • Page 26 Contents
  • Page 27: About This Guide

    Help for less common scenarios. For more information, see: http://www.cisco.com/en/US/products/ps6121/tsd_products_support_series_home.html. Document Conventions The FWSM command syntax descriptions use the following conventions:
  • Page 28: Related Documentation

    • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM • Release Notes for Cisco ASDM • Open Source Software Licenses for FWSM
  • Page 29: Obtaining Documentation And Submitting A Service Request

    Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
  • Page 30 About This Guide
  • Page 31 IP address. Step 8 Configuring a Default Route, page 8-4 Create a default route to an upstream router.
  • Page 32 Before you configure any settings, you must set the firewall mode to transparent mode. Changing the mode clears your configuration. In multiple context mode, set the mode in each context.
  • Page 33 Step 12 Applying an Access List to an Interface, page 15-4 Apply the access list to an interface.
  • Page 34 Quick Start Steps
  • Page 35 Part: Getting Started and General Information...
  • Page 37 • How the Firewall Services Module Works with the Switch, page 1-5 • Firewall Mode Overview, page 1-7 • Stateful Inspection Overview, page 1-8 • Security Context Overview, page 1-9
  • Page 38: Chapter 1 Introduction To The Firewall Services Module

    You can now set the timeout for GRE connections that are built as a result of PPTP inspection. The following command was modified: timeout pptp-gre. Management Features
  • Page 39: Security Policy Overview

    This section includes the following topics: • Permitting or Denying Traffic with Access Lists, page 1-4 • Applying NAT, page 1-4 • Protecting from IP Fragments, page 1-4
  • Page 40: Permitting Or Denying Traffic With Access Lists

    Internet. We recommend that you use the FWSM in conjunction with a separate server running one of the following Internet filtering products: • Websense Enterprise • Sentian by N2H2
  • Page 41: Applying Application Inspection

    How the Firewall Services Module Works with the Switch You can install the FWSM in the Catalyst 6500 series switches and the Cisco 7600 series routers with Cisco IOS software on both the switch supervisor and the integrated MSFC (known as “supervisor IOS”).
  • Page 42: Using The Msfc

    [Figure: MSFC and FWSM VLAN placement; labels VLAN 200, VLAN 201, VLAN 202, VLAN 203, VLAN 301, VLAN 302, VLAN 303, Inside]
  • Page 43: Firewall Mode Overview

    In multiple context mode, you can choose the mode for each context independently, so some contexts can run in transparent mode while others can run in routed mode.
  • Page 44: Stateful Inspection Overview

    – IP checksum verification – Session lookup – TCP sequence number check – NAT translations based on existing sessions
  • Page 45: Security Context Overview

    Note: Multiple context mode supports static routing only.
  • Page 46 Chapter 1 Introduction to the Firewall Services Module Security Context Overview
  • Page 47: Switch Overview

    Switch Overview You can install the FWSM in the Catalyst 6500 series switches or the Cisco 7600 series routers. The configuration of both series is identical, and the series are referred to generically in this guide as the “switch.” The switch includes a switch (the supervisor engine) as well as a router (the MSFC).
  • Page 48: Chapter 2 Configuring The Switch For The Firewall Services Module

    Virtual Switching System (VSS) support—No FWSM configuration required. • Note: For Cisco IOS software Version 12.2(18)SX6 and earlier, for each FWSM in a switch, the SPAN reflector feature is enabled. This feature enables multicast traffic (and other traffic that requires the central rewrite engine) to be switched when coming from the FWSM.
  • Page 49: Vlan Guidelines

    Assigning VLANs to the FWSM In Cisco IOS software, create up to 16 firewall VLAN groups, and then assign the groups to the FWSM. For example, you can assign all the VLANs to one group, or you can create an inside group and an outside group, or you can create a group for each customer.
  • Page 50: Adding Switched Virtual Interfaces To The Msfc

    2-2), then the MSFC routes between the FWSM and other Layer 3 VLANs. This section includes the following topics: • SVI Overview, page 2-5
  • Page 51: Svi Overview

    FWSM by assigning both the inside and outside VLANs to the MSFC. (See Figure 2-1.) Figure 2-1 Multiple SVI Misconfiguration [Figure: Internet, VLAN 100, MSFC, VLAN 200, FWSM, VLAN 201, Inside]
  • Page 52 IPX traffic to pass on VLAN 201. Figure 2-2 Multiple SVIs for IPX [Figure: Internet, VLAN 100, MSFC, VLAN 200, FWSM, VLAN 201, Inside, IPX Host, IP Host]
  • Page 53: Configuring Svis

    Step 4 To enable the interface, enter the following command: Router(config-if)# no shutdown The following example shows a typical configuration with multiple SVIs: Router(config)# firewall vlan-group 50 55-57
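    The switch-side procedure of this chapter (VLAN groups, assigning the groups to the module, one SVI) carried through end to end, as an added example that is not taken from the guide. The module slot (9), the VLAN numbers and the addresses are assumptions. Only the outside VLAN gets an SVI on the MSFC: an SVI on an inside VLAN would let the MSFC route around the FWSM, which is the misconfiguration Figure 2-1 warns about.

```cisco
! Switch (supervisor IOS) side. Slot 9, the VLANs and the addresses are assumed.
! Put the firewall VLANs into groups and hand the groups to the FWSM in slot 9.
Router(config)# firewall vlan-group 50 55-57
Router(config)# firewall vlan-group 51 70-85
Router(config)# firewall module 9 vlan-group 50,51
!
! One SVI only, on the outside VLAN (55). The MSFC routes to this VLAN and the
! FWSM carries everything behind it. Do not add SVIs for VLANs 56-57 or 70-85:
! the MSFC would then route between them directly, bypassing the firewall.
Router(config)# interface vlan 55
Router(config-if)# ip address 10.1.1.1 255.255.255.0
Router(config-if)# no shutdown
!
! Check what the module was given and that it is up.
Router# show firewall vlan-group
Router# show firewall module 9 state
!
! FWSM side (single context, routed mode), reached with
! "session slot 9 processor 1". The interface names are the VLANs assigned above.
hostname(config)# interface vlan55
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.2 255.255.255.0
hostname(config)# interface vlan56
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
! Default route toward the MSFC SVI (Quick Start Step 8).
hostname(config)# route outside 0.0.0.0 0.0.0.0 10.1.1.1
```

    A VLAN that is in a firewall group but has no SVI and no FWSM interface configured simply carries no Layer 3 traffic; that is the safe failure. The unsafe one is an SVI on an inside VLAN, so the check after any change is `show ip interface brief` on the switch against the list from `show firewall vlan-group`.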
  • Page 54: Customizing The Fwsm Internal Interface

    Router(config)# port-channel load-balance {dst-ip | dst-mac | dst-port | src-dst-ip | src-dst-mac | src-dst-port | src-ip | src-mac | src-port} The default is src-dst-ip.
  • Page 55: Configuring The Switch For Failover

    The switch supervisor sends an autostate message to the FWSM when: • The last interface belonging to a VLAN goes down. • The first interface belonging to a VLAN comes up.
  • Page 56: Managing The Firewall Services Module Boot Partitions

    Application partitions (cf:4 and cf:5)—Stores the application software image, system configuration, and ASDM. By default, Cisco installs the images on cf:4. You can use cf:5 as a test partition. For example, if you want to upgrade your software, you can install the new software on cf:5, but maintain the old software as a backup in case you have problems.
  • Page 57: Resetting The Fwsm Or Booting From A Specific Partition

    % reset issued for module 9 Router# 00:26:55:%SNMP-5-MODULETRAP:Module 9 [Down] Trap 00:26:55:SP:The PC in slot 8 is shutting down. Please wait ...
  • Page 58 Chapter 2 Configuring the Switch for the Firewall Services Module Managing the Firewall Services Module Boot Partitions
  • Page 59: Chapter 3 Connecting To The Firewall Services Module And Managing The Configuration

    Caution: Management access to the FWSM causes a degradation in performance. We recommend that you avoid accessing the FWSM when high network performance is critical.
  • Page 60: Logging Out Of The Fwsm

    Logging out of the FWSM To end the FWSM session and access the switch CLI, enter the following command: hostname# exit Logoff
  • Page 61: Managing The Configuration

    This section includes the following topics: • Saving Each Context and System Separately, page 3-4 • Saving All Context Configurations at the Same Time, page 3-4
  • Page 62 Unable to save the configuration for the following contexts as these contexts have read-only config-urls: context ‘a’ , context ‘b’ , context ‘c’ .
  • Page 63: Copying The Startup Configuration To The Running Configuration

    To erase settings, enter one of the following commands. • To clear all the configuration for a specified command, enter the following command: hostname(config)# clear configure configurationcommand [level2configurationcommand]
  • Page 64: Creating Text Configuration Files Offline

    In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows: context a For additional information about formatting the file, see Appendix C, “Using the Command-Line Interface.”
  • Page 65: Security Context Overview

    • How the FWSM Classifies Packets, page 4-3 • Sharing Interfaces Between Contexts, page 4-7 • Management Access to Security Contexts, page 4-9
  • Page 66: Security Context Overview

    The system configuration does include a specialized failover interface for failover traffic only.
  • Page 67: Admin Context Configuration

    • Context A: static (inside,shared) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 • Context B: static (inside,shared) 10.20.10.0 10.20.10.0 netmask 255.255.255.0 • Context C:
  • Page 68: Invalid Classifier Criteria

  • Page 69: Classification Examples

    [Figure: packet classification by destination address; Dest Addr Translation 10.1.1.13 to 209.165.201.3; VLAN 200 Admin Network, VLAN 250 Customer A, VLAN 300 Customer B; an inside Host 10.1.1.13 behind each context]
  • Page 70 [Figure: FWSM Classifier; VLAN 200 Admin Network, VLAN 250 Customer A, VLAN 300 Customer B; an inside Host 10.1.1.13 behind each context]
  • Page 71: Sharing Interfaces Between Contexts

    NAT sessions to classify the destination addresses to a context, the classifier is limited by how you can configure NAT. If you do not want to perform NAT, you must use unique interfaces.
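    A layout that gives the classifier an unambiguous answer, as an added example that is not from the guide: three contexts share one outside VLAN, every context keeps the same overlapping inside address space (10.1.1.0/24, as in the classification figures), and each context publishes the global addresses it owns with a static translation, so a packet arriving on the shared VLAN is classified by its destination address. Context names, VLAN numbers, addresses and the config-url paths are assumptions.

```cisco
! System execution space. VLAN 100 is the shared outside VLAN; the admin
! context is created the same way and is omitted here for brevity.
hostname(config)# context customerA
hostname(config-ctx)# allocate-interface vlan100
hostname(config-ctx)# allocate-interface vlan250
hostname(config-ctx)# config-url disk:/customerA.cfg
hostname(config-ctx)# exit
hostname(config)# context customerB
hostname(config-ctx)# allocate-interface vlan100
hostname(config-ctx)# allocate-interface vlan300
hostname(config-ctx)# config-url disk:/customerB.cfg
hostname(config-ctx)# exit
!
! Context customerA: its own address on the shared VLAN, plus a static that
! claims 209.165.201.3 for this context. The classifier sends traffic for
! 209.165.201.3 here even though 10.1.1.13 also exists behind customerB.
hostname(config)# changeto context customerA
hostname/customerA(config)# interface vlan100
hostname/customerA(config-if)# nameif outside
hostname/customerA(config-if)# security-level 0
hostname/customerA(config-if)# ip address 209.165.201.10 255.255.255.224
hostname/customerA(config)# interface vlan250
hostname/customerA(config-if)# nameif inside
hostname/customerA(config-if)# security-level 100
hostname/customerA(config-if)# ip address 10.1.1.1 255.255.255.0
hostname/customerA(config)# static (inside,outside) 209.165.201.3 10.1.1.13 netmask 255.255.255.255
!
! Context customerB: same inside addressing, a different global address.
hostname(config)# changeto context customerB
hostname/customerB(config)# interface vlan100
hostname/customerB(config-if)# nameif outside
hostname/customerB(config-if)# security-level 0
hostname/customerB(config-if)# ip address 209.165.201.11 255.255.255.224
hostname/customerB(config)# interface vlan300
hostname/customerB(config-if)# nameif inside
hostname/customerB(config-if)# security-level 100
hostname/customerB(config-if)# ip address 10.1.1.1 255.255.255.0
hostname/customerB(config)# static (inside,outside) 209.165.201.4 10.1.1.13 netmask 255.255.255.255
!
! Back in the system space, confirm which contexts own the shared VLAN.
hostname(config)# changeto system
hostname# show context
```

    The two statics are the whole point: a packet for 209.165.201.3 can only match customerA, and a packet for 209.165.201.4 only customerB. Drop the statics (or give both contexts a static for the same global address) and the classifier has no way to pick a context for inbound traffic on vlan100, which is why the page says that without NAT each context needs its own interface.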
  • Page 72: Nat And Origination Of Traffic

    NAT affects them. For example, if a server sends a packet to www.example.com, then the DNS server needs to return the translated address. Your NAT configuration determines DNS entry management.)
  • Page 73: Management Access To Security Contexts

    You can access the FWSM as a system administrator in two ways: • Session to the FWSM from the switch. From the switch, you access the system execution space.
  • Page 74: Context Administrator Access

    Your FWSM might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. ASDM does not support changing modes, so you need to change modes using the CLI.
  • Page 75: Restoring Single Context Mode

    • Setting the Number of Memory Partitions, page 4-13 • Changing the Memory Partition Size, page 4-14 • Reallocating Rules Between Features for a Specific Memory Partition, page 4-19
  • Page 76: About Memory Partitions

    Inspect Rules 1537 Total Rules 19,219 1. Use the show resource rule command to view the default values for partitions other than 12.
  • Page 77: Setting The Number Of Memory Partitions

    :bandn, borders Number of contexts :2(RefCount:2) Number of rules :0(Max:53087) Partition #1 Mode :non-exclusive List of Contexts :admin, momandpopA, momandpopB, momandpopC momandpopD
  • Page 78: Changing The Memory Partition Size

    Note: The FWSM lets you set the memory size of each partition. Changing the partition sizes requires you to reload the FWSM.
  • Page 79 19,219 rules, for a total of 249,847 rules. hostname(config)# show resource partition
  • Page 80 [Table residue from show resource partition output: per-partition rule counts, values 15000 and 19219]
  • Page 81 Traffic loss can occur because both units are down at the same time.
  • Page 82 56616 hostname(config-partition)# resource partition 3 hostname(config-partition)# size 56615 hostname(config-partition)# show resource partition Bootup Current Partition Default Partition Configured Number Size Size Size
  • Page 83: Reallocating Rules Between Features For A Specific Memory Partition

    0 Default Configured Absolute CLS Rule Limit Limit -----------+---------+----------+--------- Policy NAT 14801 14801 14801 Filter 1152 Fixup 1537 1537 3074 Est Ctl
  • Page 84 See Step 1 to use the show resource rule command for the total number of rules allowed.
  • Page 85: Configuring Resource Management

    Note: The FWSM does not limit the bandwidth per context; however, the switch containing the FWSM can limit bandwidth per VLAN. See the switch documentation for more information.
  • Page 86: Classes And Class Members Overview

    Gold Class can use more than the 97 percent of “unassigned” inspections; they can also use the 1 percent of inspections not currently in use by Context A, B, and C, even if that means that Context A,
  • Page 87: Default Class

    • Telnet sessions—5 sessions. • SSH sessions—5 sessions. • IPSec sessions—5 sessions. • MAC addresses—65,535 entries.
  • Page 88: Class Members

    Step 2 • To set all resource limits (shown in Table 4-2), enter the following command: hostname(config-resmgmt)# limit-resource all {number% | 0}
  • Page 89 Table 4-2 lists the resource types and the limits. See also the show resource types command.
  • Page 90 80 ASDM sessions represents a limit of 160 HTTPS sessions. 1 minimum 100 concurrent SSH sessions. 5 maximum concurrent
  • Page 91: Configuring A Security Context

    If you do not have an admin context (for example, if you clear the configuration) then you must first specify the admin context name by entering the following command: hostname(config)# admin-context name
  • Page 92 • alphabetic portion of the mapped name must match for both ends of the range. For example, enter the following range: int0-int10
  • Page 93 The type can be one of the following keywords: – ap—ASCII passive mode – an—ASCII normal mode – ip—(Default) Binary passive mode – in—Binary normal mode
  • Page 94 12 partitions, so the range is 0 to 11. See the “Setting the Number of Memory Partitions” section on page 4-13 to configure the number of memory partitions.
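    The resource-class and context-creation steps from the preceding pages carried through in one sequence, as an added example that is not from the guide: a class with hard limits, a tightened default class, a context that joins the class, and the show commands that reveal whether a context is hitting its limits. Class and context names, percentages, VLAN numbers and the config-url path are assumptions.

```cisco
! System execution space. Names, percentages and paths are assumed.
!
! 1. Define a class. A resource not limited here inherits the default class.
hostname(config)# class bronze
hostname(config-resmgmt)# limit-resource conns 10%
hostname(config-resmgmt)# limit-resource rate conns 5%
hostname(config-resmgmt)# limit-resource rate syslogs 5%
hostname(config-resmgmt)# limit-resource hosts 5%
hostname(config-resmgmt)# limit-resource telnet 2
hostname(config-resmgmt)# limit-resource ssh 2
hostname(config-resmgmt)# limit-resource asdm 1
hostname(config-resmgmt)# exit
!
! 2. Tighten the default class. A context without a "member" line lands here,
!    and the default class is unlimited for most resources unless you say
!    otherwise, so one unmanaged context could starve the rest.
hostname(config)# class default
hostname(config-resmgmt)# limit-resource conns 50%
hostname(config-resmgmt)# limit-resource rate conns 50%
hostname(config-resmgmt)# exit
!
! 3. Create the context and place it in the class. The class must exist
!    before "member" is entered; the interfaces are assumed VLANs.
hostname(config)# context momandpopA
hostname(config-ctx)# allocate-interface vlan100
hostname(config-ctx)# allocate-interface vlan310
hostname(config-ctx)# config-url disk:/momandpopA.cfg
hostname(config-ctx)# member bronze
hostname(config-ctx)# exit
!
! 4. Verify. Oversubscription shows up in the "All Contexts" total of the
!    allocation view; a rising Denied count for conns or the conns rate on a
!    single context, with the other contexts idle, points at a SYN flood or a
!    scan that the class limit is containing to that customer.
hostname(config)# show resource allocation
hostname(config)# show resource usage context momandpopA
hostname(config)# show resource usage summary detail
```

    The percentages in a class are of the system total, not of what is left after other classes, so the `show resource allocation` totals can exceed 100 percent (the page's own output shows 110.00% for IPSec); that is allowed, but it means the limits are a ceiling per context rather than a guarantee.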
  • Page 95: Changing Between Contexts And The System Execution Space

    Only the current configuration displays. You can, however, save all context running configurations from the system execution space using the write memory all command.
  • Page 96: Managing Security Contexts

    • To remove all contexts (including the admin context), enter the following command in the system execution space: hostname(config)# clear context
  • Page 97: Changing The Admin Context

    Step 3 To enter the context configuration mode for the context you want to change, enter the following command: hostname(config)# context name
  • Page 98: Reloading A Security Context

    The FWSM copies the configuration from the URL specified in the system configuration. You cannot change the URL from within a context.
  • Page 99: Monitoring Security Contexts

    Shows the firewall mode for each context, either Routed or Transparent. Shows the URL from which the FWSM loads the context configuration.
  • Page 100: Viewing Resource Allocation

    Conns [rate] 35000 35.00% Fixups [rate] 35000 35.00% Syslogs [rate] 10500 35.00% Conns 305000 30.50% Hosts 78842 30.07% IPsec 35.00% 35.00% Telnet 35.00% Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-36 OL-20748-01...
  • Page 101 26214 26214 9.99% bronze 13107 All Contexts: 26214 9.99% IPSec default gold 50.00% silver 10.00% bronze unlimited All Contexts: 110.00% default Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-37 OL-20748-01...
  • Page 102 The percentage of the total system resources that is allocated across all contexts in the class. If the resource is unlimited, this display is blank.
  • Page 103: Viewing Resource Usage

    Resource         Current  Peak   Limit      Denied  Context
    Syslogs [rate]   1743     2132   12000(U)   0       Summary
    Conns                            100000(S)  0       Summary
  • Page 104: Monitoring Syn Attacks In Contexts

    Average Xlates Connections TCP Conns UDP Conns URL Access URL Server Req WebSns Req TCP Fixup HTTP Fixup FTP Fixup AAA Authen
  • Page 105 TCP intercept for the entire system. (Sample text in italics shows the TCP intercept information.)
    hostname(config)# show resource usage summary detail
    Resource  Current  Peak  Limit  Denied  Context
  • Page 106
    0        Summary
    console-access-rul  4356(S)  0  Summary
    fixup-rules         8032(S)  0  Summary
    S = System: Total exceeds the system limit; the system limit is shown
  • Page 107: Chapter 5 Configuring The Firewall Mode

    We recommend using the advanced routing capabilities of the upstream and downstream routers instead of relying on the FWSM for extensive routing needs.
  • Page 108: How Data Moves Through The Fwsm In Routed Firewall Mode

    The FWSM receives the packet and because it is a new session, the FWSM verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
  • Page 109: An Outside User Visits A Web Server On The Dmz

    DMZ web server.
    Figure 5-2 Outside to DMZ (figure labels: User Outside 209.165.201.2; Dest Addr Translation 209.165.201.3 10.1.1.13; FWSM 10.1.2.1 10.1.1.1; Inside; Web Server 10.1.1.3)
  • Page 110: An Inside User Visits A Web Server On The Dmz

    DMZ web server.
    Figure 5-3 Inside to DMZ (figure labels: Outside 209.165.201.2; FWSM 10.1.2.1 10.1.1.1; Inside User 10.1.2.27; Web Server 10.1.1.3)
  • Page 111: An Outside User Attempts To Access An Inside Host

    Figure 5-4 Outside to Inside (figure labels: www.example.com; Outside 209.165.201.2; FWSM 10.1.2.1 10.1.1.1; Inside User 10.1.2.27)
  • Page 112: A Dmz User Attempts To Access An Inside Host

    (access lists, filters, AAA). The packet is denied, and the FWSM drops the packet and logs the connection attempt.
  • Page 113: Transparent Mode Overview

    The management IP address must be on the same subnet as the connected network. For another method of management, see the “Management Interface” section on page 5-8.
  • Page 114: Management Interface

    DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic such as that created by IP/TV.
  • Page 115: Mac Address Vs. Route Lookups

    The inside router and hosts appear to be directly connected to the outside router.
    Figure 5-6 Transparent Firewall Network (figure labels: Internet; 10.1.1.1; FWSM; Management IP 10.1.1.2; Network A 10.1.1.3; 192.168.1.2; Network B)
  • Page 116: Transparent Firewall Guidelines

  • Page 117: Unsupported Features In Transparent Mode

    You can, however, allow multicast traffic through the FWSM by allowing it in an extended access list.
    Remote access VPN for management: You can use site-to-site VPN for management.
  • Page 118: How Data Moves Through The Transparent Firewall

    • An Outside User Visits a Web Server on the Inside Network, page 5-15
    • An Outside User Attempts to Access an Inside Host, page 5-16
  • Page 119: An Inside User Visits A Web Server

    The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The FWSM forwards the packet to the inside user.
  • Page 120: An Inside User Visits A Web Server Using Nat

    The FWSM performs NAT by translating the mapped address to the real address, 10.1.2.27.
  • Page 121: An Outside User Visits A Web Server On The Inside Network

    If the destination MAC address is not in the FWSM table, the FWSM attempts to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.
  • Page 122: An Outside User Attempts To Access An Inside Host

    If the outside user is attempting to attack the inside network, the FWSM employs many technologies to determine if a packet is valid for an already established session.
  • Page 123: Setting Transparent Or Routed Firewall Mode

    • hostname(config)# firewall transparent
    To set the mode to routed, enter the following command in each context:
    • hostname(config)# no firewall transparent
  • Page 124 Chapter 5 Configuring the Firewall Mode, Setting Transparent or Routed Firewall Mode
  • Page 125: Chapter 6 Configuring Interface Parameters

    NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.
  • Page 126: Configuring Interfaces For Routed Firewall Mode

    If you are using failover, do not use this section to name interfaces that you are reserving for failover and Stateful Failover communications. See Chapter 14, “Configuring Failover,” to configure the failover and state links.
  • Page 127: Configuring An Interface

    The following example configures parameters for VLAN 101:
      hostname(config)# interface vlan 101
      hostname(config-if)# nameif inside
      hostname(config-if)# security-level 100
      hostname(config-if)# ip address 10.1.1.1 255.255.255.0
  • Page 128: Configuring Interfaces For Transparent Firewall Mode

    For device management, you have two available mechanisms:
    • Any bridge group management address—Connect to the bridge group network on which your management station is located.
  • Page 129: Guidelines And Limitations

    If you are using failover, do not use this section to name interfaces that you are reserving for failover and Stateful Failover communications. See Chapter 14, “Configuring Failover,” to configure the failover and state links.
  • Page 130: Configuring Transparent Firewall Interfaces For Through Traffic

    Step 1 hostname(config)# interface bvi bridge_group_number
    Step 2 Specify the IP address by entering the following command:
      hostname(config-if)# ip address ip_address [mask] [standby ip_address]
  • Page 131: Adding A Management Interface

    Do not enter the no form, because that command causes all commands that refer to that name to be deleted.
    Step 3 To set the security level, enter the following command:
  • Page 132 (figure labels: Bridge group IP: 209.165.200.226; Bridge group IP: 209.165.201.2; 209.165.202.129; Inside; Context A; Context B; Context C)
    Context A
      hostname(config)# interface vlan500
  • Page 133
    30
      hostname(config-if)# interface vlan106
      hostname(config-if)# nameif outside
      hostname(config-if)# security-level 0
      hostname(config-if)# bridge-group 30
      hostname(config-if)# interface bvi 30
      hostname(config-if)# ip address 209.165.202.129 255.255.255.224
  • Page 134: Allowing Communication Between Interfaces On The Same Security Level

    (or a virus) on the internal network that scans thousands of Internet hosts, all entries in the xlate table may be quickly exhausted.
  • Page 135: Configuring Intra-Interface Communication

    • Outside NAT is not supported.
    • You can configure static routes from one interface to another on the same security level.
  • Page 136: Turning Off And Turning On Interfaces

    Step 2 To disable the interface, enter the following command:
      hostname(config)# shutdown
    Step 3 To reenable the interface, enter the following command:
      hostname(config)# no shutdown
  • Page 137: Changing The Passwords

    The password is saved in the configuration in encrypted form, so you cannot view the original password after you enter it. Use the no password command to restore the password to the default setting.
  • Page 138: Chapter 7 Configuring Basic Setting

    Step 5 Change the root password by entering the following command:
      root@localhost# passwd
    Step 6 Enter the new password at the prompt:
      Changing password for user root
      New password:
  • Page 139: Setting The Hostname

    Configuration Replication is NOT performed from Standby unit to Active unit. Configurations are no longer synchronized. context-CTX1-secondary %FWSM-5-111008: User 'enable_15' executed the 'logging console debug' command.
  • Page 140: Setting The Domain Name

    The order in which you enter the keywords determines the order of the elements in the prompt, which are separated by a slash (/). See the following descriptions for the keywords:
    • hostname—Displays the hostname.
    • domain—Displays the domain name.
  • Page 141: Configuring A Login Banner

    For example, to add a message-of-the-day banner, enter:
      hostname(config)# banner motd Welcome to $(hostname)
      hostname(config)# banner motd Contact me at admin@example.com for any
      hostname(config)# banner motd issues
  • Page 142 Chapter 7 Configuring Basic Settings, Configuring a Login Banner
  • Page 143: How Routing Behaves Within Fwsm

    The FWSM processes this packet by looking up the route to select the egress interface; then source IP translation is performed (if necessary).
  • Page 144: Next Hop Selection Process

    • Your network is small and you can easily manage static routes.
    • You do not want the traffic or CPU overhead associated with routing protocols.
  • Page 145: C H A P T E R 8 Configuring Ip Routing And Dhcp Services

    However, static routes are removed from the routing table if the associated interface goes down. They are reinstated when the interface comes back up.
  • Page 146: Configuring A Default Route

    FWSM for which there is no static or learned route is distributed among the gateways with the IP addresses 192.168.2.1, 192.168.2.2, 192.168.2.3.
      hostname(config)# route outside 0 0 192.168.2.1
      hostname(config)# route outside 0 0 192.168.2.2
      hostname(config)# route outside 0 0 192.168.2.3
  • Page 147: Monitoring A Static Or Default Route

    • To match any routes that have a destination network that matches a standard access list, enter the following command:
      hostname(config-route-map)# match ip address acl_id [acl_id] [...]
  • Page 148: Configuring Bgp Stub Routing

    The FWSM supports BGP stub routing. The BGP stub routing process advertises static and directly connected routes but does not accept routes advertised by the BGP peer.
  • Page 149: Bgp Stub Limitations

    To enable and configure a BGP routing process, perform the following steps:
    Step 1 Create the BGP routing process by entering the following command:
      hostname(config)# router bgp as-number
  • Page 150: Monitoring Bgp Stub Routing

    • To view debug messages for the BGP routing process, enter the following command:
      hostname# debug ip bgp
  • Page 151: Restarting The Bgp Stub Routing Process

    The cost can be configured to specify preferred paths. The disadvantage of shortest path first algorithms is that they require a lot of CPU cycles and memory.
  • Page 152: Enabling Ospf

    To define the IP addresses on which OSPF runs and to define the area ID for that interface, enter the following command:
      hostname(config-router)# network ip_address mask area area_id
    The following example shows how to enable OSPF:
      hostname(config)# router ospf 2
  • Page 153: Redistributing Routes Between Ospf Processes

    The following example shows route redistribution where the link-state cost is specified as 5 and the metric type is set to external, indicating that it has lower priority than internal metrics.
      hostname(config)# router ospf 1
  • Page 154: Configuring Ospf Interface Parameters

    To enable OSPF MD5 authentication, enter the following command:
      hostname(config-interface)# ospf message-digest-key key_id md5 key
    Set the following values:
    – key_id—An identifier in the range from 1 to 255.
  • Page 155
    Number of DoNotAge external and opaque AS LSA 0
    Number of areas in this router is 1. 1 normal 0 stub 0 nssa
    External flood list length 0
    Area BACKBONE(0)
  • Page 156: Configuring Ospf Area Parameters

    The following example shows how to configure the OSPF area parameters:
      hostname(config)# router ospf 2
      hostname(config-router)# area 0 authentication
      hostname(config-router)# area 0 authentication message-digest
      hostname(config-router)# area 17 stub
  • Page 157: Configuring Ospf Nssa

    – You can set a type 7 default route that can be used to reach external destinations. When configured, the router generates a type 7 default into the NSSA or the NSSA area boundary router.
  • Page 158: Configuring A Point-To-Point, Non-Broadcast Ospf Neighbor

    10.3.3.0 255.255.255.0 10.1.1.99 1
      hostname(config)# interface Vlan55
      hostname(config-if)# nameif outside
      hostname(config-if)# security-level 0
      hostname(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
      hostname(config-if)# ospf network point-to-point non-broadcast
  • Page 159: Configuring Route Summarization Between Ospf Areas

    Step 2 To set the summary address, enter the following command:
      hostname(config-router)# summary-address ip_address mask [not-advertise] [tag tag]
    OSPF does not support summary-address 0.0.0.0 0.0.0.0.
  • Page 160: Generating A Default Route

    SPF calculation. It can be an integer from 0 to 65535. The default time is 5 seconds. A value of 0 means that there is no delay; that is, the SPF calculation is started immediately.
  • Page 161: Logging Neighbors Going Up Or Down

    LSAs waiting to be sent out an interface. The benefit of the pacing is that OSPF update and retransmission packets are sent more efficiently.
  • Page 162: Monitoring Ospf

    [process-id] summary-address
    • To display OSPF-related virtual links information, enter the following command:
      hostname# show ospf [process-id] virtual-links
  • Page 163: Restarting The Ospf Process

    For example, enter the following commands:
      hostname(config)# rip inside default version 2 authentication md5 scorpius 1
  • Page 164: Configuring Eigrp

    EIGRP Routing Overview
    EIGRP is an enhanced version of IGRP developed by Cisco. Unlike IGRP and RIP, EIGRP does not send out periodic route updates. EIGRP updates are sent out only when the network topology changes. Neighbor discovery is the process that the FWSM uses to dynamically learn of other routers on directly attached networks.
  • Page 165: Enabling And Configuring Eigrp Routing

    EIGRP updates.
    Step 3 (Optional) To prevent an interface from sending or receiving EIGRP routing messages, enter the following command:
  • Page 166: Enabling And Configuring Eigrp Stub Routing

    Step 1 Create the EIGRP routing process and enter router configuration mode for that process by entering the following command:
      hostname(config)# router eigrp as-num
  • Page 167: Enabling Eigrp Authentication

      % Asystem(100) specified does not exist
    The key argument can contain up to 16 characters. The key-id argument is a number from 0 to 255.
  • Page 168: Defining An Eigrp Neighbor

    • To redistribute connected routes into the EIGRP routing process, enter the following command:
      hostname(config-router)# redistribute connected [metric bandwidth delay reliability loading mtu] [route-map map_name]
  • Page 169: Configuring The Eigrp Hello Interval And Hold Time

    192.168.0.0. To prevent the possibility of traffic being routed to the wrong location, you should disable automatic route summarization on the routers creating the conflicting summary addresses.
  • Page 170: Configuring Summary Aggregate Addresses

    Step 1 Enter interface configuration mode for the interface on which you are disabling split horizon by entering the following command:
      hostname(config)# interface phy_if
  • Page 171: Changing The Interface Delay Value

    Monitoring EIGRP
    You can use the following commands to monitor the EIGRP routing process. For examples and descriptions of the command output, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
    • To display the EIGRP event log, enter the following command:
  • Page 172: Disabling Neighbor Change And Warning Message Logging

    2 header is rewritten and the packet is re-injected into the stream. This section contains the following topics:
    • Adding Interfaces to ASR Groups, page 8-31
    • Asymmetric Routing Support Example, page 8-31
  • Page 173: Adding Interfaces To Asr Groups

    A is active. However, the return traffic is being routed through the unit where context B is active. Normally, the return traffic would be dropped because there is no session information
  • Page 174: Configuring Route Health Injection

    A on the unit where context A is in the active state. This forwarding continues as needed until the session ends.
    Configuring Route Health Injection
    Note This feature depends on Cisco IOS Release 12.2(33)SXI or later, and is only available on the Catalyst 6500 switch.
  • Page 175: Rhi Guidelines

    NAT ID for multiple global commands on multiple interfaces, only those commands on the matching interface as the redistribute command are used. You can enter only one redistribute nat command.
  • Page 176
      (outside) 10 209.165.202.140-209.165.202.146 netmask 255.255.255.0
      hostname(config)# global (outside) 20 209.165.202.150-209.165.202.155 netmask 255.255.255.0
      hostname(config)# route-inject
      hostname(config-route-inject)# redistribute nat global-pool 10 interface outside
  • Page 177: Configuring Dhcp

    In multiple context mode, you cannot enable the DHCP server or DHCP relay on an interface that is used by more than one context.
  • Page 178 Step 8 To enable the DHCP daemon within the FWSM to listen for DHCP client requests on the enabled interface, enter the following command:
      hostname(config)# dhcpd enable interface_name
  • Page 179: Configuring Dhcp Options

    DHCP options that are not supported by the dhcpd option command:
    Table 8-1 Unsupported DHCP Options (Option Code / Description)
    • DHCPOPT_PAD
    • DHCPOPT_SUBNET_MASK
    • DHCPOPT_HOST_NAME
    • DHCPOPT_REQUESTED_ADDRESS
    • DHCPOPT_LEASE_TIME
  • Page 180: Using Cisco Ip Phones With A Dhcp Server

    Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route. Cisco IP Phones might include both option 150 and 66 in a single request. In this case, the FWSM DHCP server provides values for both options in the response if they are configured on the FWSM.
  • Page 181: Configuring Dhcp Relay Services

    Step 1 To configure an interface-specific server, enter the following commands:
    • hostname(config)# interface {vlan vlan_id | mapped_name}
      hostname(config-if)# dhcprelay server ip_address
  • Page 182
      209.165.200.225 outside
      hostname(config)# dhcprelay server 209.165.201.4 dmz
      hostname(config)# dhcprelay enable inside1
      hostname(config)# dhcprelay setroute inside1
      hostname(config)# dhcprelay enable inside2
  • Page 183: Preserving Dhcp Option 82

    Verifying the DHCP Relay Configuration
    To view the interface-specific DHCP relay configuration, enter the following command:
      hostname# show running-config dhcprelay interface [vlan vlan_id | mapped_name]
  • Page 184 To view the global DHCP relay configuration, enter the following command:
      hostname# show running-config dhcprelay global
  • Page 185: Multicast Routing Overview

    Rendezvous Point, and therefore along the shared tree to receivers, without requiring source-specific state. The DF election takes place during Rendezvous Point discovery and provides a default route to the Rendezvous Point.
  • Page 186: C H A P T E R 9 Configuring Multicast Routing

    • Disabling IGMP on an Interface, page 9-3
    • Configuring Group Membership, page 9-3
    • Configuring a Statically Joined Group, page 9-3
  • Page 187: Disabling Igmp On An Interface

    To configure a statically joined multicast group on an interface, enter the following command:
      hostname(config-if)# igmp static-group group-address
  • Page 188: Controlling Access To Multicast Groups

    By default, the PIM designated router on the subnet is responsible for sending the query messages. By default, they are sent once every 125 seconds. To change this interval, enter the following command:
  • Page 189: Changing The Query Response Time

    To forward the host join and leave messages, enter the following command from the interface attached to the stub area:
      hostname(config-if)# igmp forward interface if_name
    Note Stub Multicast Routing and PIM are not supported concurrently.
  • Page 190: Configuring A Static Multicast Route

    Disabling PIM on an Interface
    You can disable PIM on specific interfaces. To disable PIM on an interface, enter the following command:
  • Page 191: Configuring A Static Rendezvous Point Address

    Filtering PIM Register Messages
    You can configure the FWSM to filter PIM register messages. To filter PIM register messages, enter the following command:
  • Page 192: Configuring Pim Message Intervals

    • RFC 2236 IGMPv2
    • RFC 2362 PIM-SM
    • RFC 2588 IP Multicast and Firewalls
    • RFC 2113 IP Router Alert Option
    • IETF draft-ietf-idmr-igmp-proxy-01.txt
  • Page 193: Ipv6-Enabled Commands

    • configure • copy • http • name • • object-group • ping • show conn show local-host • show tcpstat • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 10-1 OL-20748-01...
  • Page 194: Configuring Ipv6 On An Interface

    You can configure both IPv6 and IPv4 addresses on an interface.
    Note: You cannot configure IPv6 on an interface that is used by more than one context (a shared VLAN).
  • Page 195 See the “Example 4: IPv6 Configuration Example” section on page B-13 for an example of IPv6 addresses applied to an interface.
  • Page 196: Configuring A Dual Ip Stack On An Interface

    Note: Changing this value changes it for all neighbor solicitation messages sent out on the interface, not just those used for duplicate address detection.
  • Page 197: Configuring Ipv6 Default And Static Routes

    • | deny—Determines whether the specified traffic is blocked or allowed to pass.
    • icmp—Indicates that the access list entry applies to ICMP traffic.
  • Page 198: Configuring Ipv6 Neighbor Discovery

    After the source node receives the neighbor advertisement, the source node and destination node can communicate. Figure 10-1 shows the neighbor solicitation and response process.
  • Page 199: Configuring The Neighbor Solicitation Message Interval

    To configure the amount of time that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred, enter the following command:
    hostname(config-if)# ipv6 nd reachable-time value
  • Page 200: Configuring Router Advertisement Messages

    You can configure the following settings for router advertisement messages:
    • The time interval between periodic router advertisement messages.
  • Page 201: Configuring The Router Advertisement Transmission Interval

    Note: For stateless autoconfiguration to work properly, the advertised prefix length in router advertisement messages must always be 64 bits.
  • Page 202: Suppressing Router Advertisement Messages

    The output for the command shows the following:
    • The name and status of the interface.
    • The link-local and global unicast addresses.
  • Page 203: Viewing Ipv6 Routes

    O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
    fe80::/10 [0/0] via ::, inside
    fec0::a:0:0:a0a:a70/128 [0/0] via ::, inside
    fec0:0:0:a::/64 [0/0] via ::, inside
    ff00::/8 [0/0] via ::, inside
  • Page 204 Chapter 10 Configuring IPv6: Verifying the IPv6 Configuration
  • Page 205: Aaa Overview

    This section includes the following topics:
    • About Authentication, page 11-2
    • About Authorization, page 11-2
    • About Accounting, page 11-2
  • Page 206: C H A P T E R 11 Configuring Aaa Servers And The Local Database

    FWSM for the session, the service used, and the duration of each session.
  • Page 207: Aaa Server And Local Database Support

    2. For firewall sessions, RADIUS authorization is supported with user-specific access lists only, which are received or specified in a RADIUS authentication response.
    3. Local command authorization is supported by privilege level only.
  • Page 208: Radius Server Support

    The security appliance deletes the access list when the authentication session expires.
    TACACS+ Server Support
    The security appliance supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
  • Page 209: Sdi Server Support

    FWSM uses NTLM Version 1 for user authentication with the Microsoft Windows domain server. The FWSM grants or denies user access based on the response from the domain server.
  • Page 210: Kerberos Server Support

    With the exception of fallback for network access authentication, the local database can act as a fallback method for the functions in Table 11-1. This behavior is designed to help you prevent accidental lockout from the FWSM.
  • Page 211: Configuring The Local Database

    Step 1 Create the user account. To do so, enter the following command:
    hostname(config)# username username {nopassword | password password} [privilege level]
  • Page 212 The following commands create a user account with a password, enter username mode, and specify a few VPN attributes:
    hostname(config)# username user1 password gOgeOus
    hostname(config)# username user1 attributes
  • Page 213: Identifying Aaa Server Groups And Servers

    For more information about this command, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
  • Page 214 (indicated by “—”), use the command to specify the value. For more information about these commands, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
  • Page 215
    AuthOutbound protocol radius
    hostname(config-aaa-server-group)# exit
    hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.3
    hostname(config-aaa-server-host)# key RadUauthKey
    hostname(config-aaa-server-host)# exit
    hostname(config)# aaa-server NTAuth protocol nt
  • Page 216 Configuring AAA Servers and the Local Database: Identifying AAA Server Groups and Servers
    hostname(config-aaa-server-group)# exit
    hostname(config)# aaa-server NTAuth (inside) host 10.1.1.4
    hostname(config-aaa-server-host)# nt-auth-domain-controller primary1
  • Page 217: Public Key Cryptography

    This process relies on the receiver having a copy of the public key of the sender and a high degree of certainty that this key belongs to the sender, not to someone pretending to be the sender.
  • Page 218: C H A P T E R 12 Configuring Certificates

    Separate signing and encryption keys help reduce exposure of the keys. This is because SSL uses a key for encryption but not signing, while IKE uses a key for signing but not encryption.
  • Page 219: About Trustpoints

    • Exporting and Importing Keypairs and Certificates, page 12-7
    • Linking Certificates to a Trustpoint, page 12-9
    • Configuration Example: Cut-Through-Proxy Authentication, page 12-9
  • Page 220: Preparing For Certificates

    If you do not assign a label, the key pair is automatically labeled Default-RSA-Key. To assign a label to each key pair, enter the following command:
    hostname/contexta(config)# crypto key generate rsa label key-pair-label
  • Page 221: Removing Key Pairs

    For the aaa authentication include command, you can use only TACACS+ or RADIUS user accounting to be authenticated or authorized on a server designated by the aaa-server command.
  • Page 222: Verifying Configurations For Specified Settings

    Step 2 To configure secure authentication to the HTTP client, enter the following command:
    hostname(config)# aaa authentication secure-http-client
    For more information about command usage, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
    Verifying Configurations for Specified Settings
    Before you import third-party certificates, you must have configured certain AAA settings, the AAA server, access lists, and optionally, virtual HTTP.
  • Page 223: Exporting And Importing Keypairs And Certificates

    To control which trustpoint sharing a CA is used for validation of user certificates issued by that CA, enter the support-user-cert-validation command.
  • Page 224
    Inc. c=US
    Subject Name:
    cn=atl-lx-sbacchus.cisco.com
    o=Cisco Systems\, Inc
    sa=170 West Tasman Dr
    l=San Jose
    st=California
    pc=95134
    c=US
    serialNumber=C1183477
    2.5.4.15=#131256312e302c20436c6175736520352e286229
    1.3.6.1.4.1.311.60.2.1.2=#130a43616c69666f726e6961
    1.3.6.1.4.1.311.60.2.1.3=#13025553
  • Page 225: Linking Certificates To A Trustpoint

    FWACL extended permit tcp any any eq https
    access-group FWACL in interface outside
    timeout uauth 0:05:00 absolute
    aaa-server TacacsServers protocol tacacs+
    reactivation-mode depletion deadtime 2
  • Page 226 The auth-prompt series of commands changes the prompt that users see, so you know that the FWSM is making the request.
  • Page 227: Access List Overview

    • IP Addresses Used for Access Lists When You Use NAT, page 13-3
    • Access List Commitment, page 13-5
    • Maximum Number of ACEs, page 13-6
  • Page 228: Access List Types

    ACEs are checked. For example, if you create an ACE at the beginning of an access list that explicitly permits all traffic, no further statements are ever checked. You can disable an ACE by making it inactive.
  • Page 229: C H A P T E R 13 Identifying Traffic With Access Lists

    See the following commands for this example:
    hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225
    hostname(config)# access-group INSIDE in interface inside
  • Page 230 See the following commands for this example:
    hostname(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5
    hostname(config)# access-group OUTSIDE in interface outside
  • Page 231: Access List Commitment

    For information about exceeding memory limits, see the “Maximum Number of ACEs” section.
  • Page 232: Maximum Number Of Aces

    ICMP inspection engine. The ICMP inspection engine treats ICMP sessions as bidirectional connections.
  • Page 233: Allowing Broadcast And Multicast Traffic Through The Transparent Firewall

    (for example, INSIDE), or for the purpose for which it is created (for example, NO_NAT or VPN).
  • Page 234 When you specify a network mask, the method is different from the Cisco IOS software access-list command. The FWSM uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
  • Page 235: Adding An Ethertype Access List

    IP traffic that you previously allowed with an extended access list. IPv4 and ARP traffic cannot be controlled with an EtherType access list.
  • Page 236: Using Extended And Ethertype Access Lists On The Same Interface

    FWSM to use the IP address on the FWSM interface as the router-id for LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.) On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the FWSM.
  • Page 237: Adding A Standard Access List

    For example, consider the following three object groups:
    • MyServices—Includes the TCP and UDP port numbers of the service requests that are allowed access to the internal network
  • Page 238: Adding Object Groups

    The description can be up to 200 characters.
    Step 3 To define the protocols in the group, enter the following command for each protocol:
    hostname(config-protocol)# protocol-object protocol
  • Page 239: Adding A Network Object Group

    Administrator Addresses
    hostname(config-network)# network-object host 10.1.1.4
    hostname(config-network)# network-object host 10.1.1.78
    hostname(config-network)# network-object host 10.1.1.34
  • Page 240: Adding A Service Object Group

    You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.
  • Page 241: Nesting Object Groups

    For example, you create network object groups for privileged users from various departments:
    hostname(config)# object-group network eng
    hostname(config-network)# network-object host 10.1.1.5
    hostname(config-network)# network-object host 10.1.1.9
    hostname(config-network)# network-object host 10.1.1.89
    hostname(config-network)# object-group network hr
  • Page 242: Using Object Groups With An Access List

    ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.78 eq www
    hostname(config)# access-list ACL_IN extended permit ip any any
    hostname(config)# access-group ACL_IN in interface inside
  • Page 243: Displaying Object Groups

    [protocol | network | services | icmp-type]
    If you do not enter a type, all object groups are removed.
  • Page 244: Adding Remarks To Access Lists

    Before optimization:
    access-list test extended permit udp 10.1.1.0 255.255.255.0 any [rule x]
    access-list test extended permit udp 10.1.1.1 255.255.255.255 any [rule y]
  • Page 245
    80 130 log disable [rule y]
    After optimization:
    access-list test extended deny tcp any any range 50 100 log default [rule x]
  • Page 246: Configuring Access List Group Optimization

    The following is an example of an optimized access list configuration.
  • Page 247 Show the optimized access list:
    hostname(config)# show access-list test optimization
    access-list test; 13 elements before optimization
    7 elements after optimization
    Reduction rate = 46%
  • Page 248 Show the optimized access list range 6 through 9 in detail:
    hostname(config)# show access-list test optimization detail range 6 9
    access-list test; 13 elements before optimization
  • Page 249 This will cause some rules to be deleted. Thus, it is considered a good practice to back up the original configuration before proceeding with disabling access list group optimization.
  • Page 250: Scheduling Extended Access List Activation

    Because no end time and date are specified, the time range is in effect indefinitely.
    hostname(config)# time-range for2006
    hostname(config-time-range)# absolute start 8:00 1 january 2006
  • Page 251: Applying The Time Range To An Ace

    106100, which provides statistics for each ACE and lets you limit the number of system log messages produced. Alternatively, you can disable all logging.
  • Page 252: Configuring Logging For An Ace

    ICMP, all packets are logged even if they are permitted, and all denied packets are logged. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Log Messages for detailed information about this system log message.
  • Page 253: Managing Deny Flows

    When the limit is reached, the FWSM does not create a new deny flow for logging until the existing flows expire.
  • Page 254 The seconds are between 1 and 3600. 300 is the default.
  • Page 255: Understanding Failover

    • Transparent Firewall Requirements, page 14-7
    • Active/Standby and Active/Active Failover, page 14-8
    • Regular and Stateful Failover, page 14-17
    • Failover Health Monitoring, page 14-19
  • Page 256: Chapter 14 Configuring Failover

    All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key.
  • Page 257: State Link

    Even though both FWSMs are assigned the same VLANs, only the active module takes part in networking. The standby module does not pass any traffic.
  • Page 258: Inter-Chassis Failover

    FWSM VLANs (VLANs 10 and 11).
    Note: FWSM failover is independent of the switch failover operation; however, FWSM works in any switch failover scenario.
  • Page 259 [Figure: inter-chassis failover, Active FWSM and Standby FWSM; failover links VLAN 10 and VLAN 11 on a trunk carrying VLANs 10 & 11; VLAN 203 Mktg, VLAN 202 Inside, VLAN 201]
  • Page 260 [Figure: inter-chassis failover after a failure, Failed FWSM and Active FWSM; failover links VLAN 10 and VLAN 11 on a trunk carrying VLANs 10 & 11; VLAN 203 Mktg, VLAN 202 Inside, VLAN 201]
  • Page 261: Transparent Firewall Requirements

    Because the FWSMs bridge packets between the same two VLANs, loops can occur when inside packets destined for the outside get
  • Page 262: Active/Standby And Active/Active Failover

    • Device Initialization and Configuration Synchronization, page 14-9
    • Command Replication, page 14-11
    • Failover Triggers, page 14-11
    • Failover Actions, page 14-12
  • Page 263 (except for the failover commands needed to communicate with the active unit), and the active unit sends its entire configuration to the standby unit.
  • Page 265
    • The no failover active command is entered on the active unit or the failover active command is entered on the standby unit.
  • Page 266: Active/Active Failover

    • Primary/Secondary Status and Active/Standby Status, page 14-13
    • Device Initialization and Configuration Synchronization, page 14-14
    • Command Replication, page 14-14
  • Page 267 Note: FWSM does not provide load balancing services. Load balancing must be handled by a router passing traffic to FWSM.
  • Page 268 Failure to enter the commands on the appropriate unit for command replication to occur will cause the configurations to become out of synchronization. Those changes may be lost the next time configuration synchronization occurs.
  • Page 269
    • The unit has a software failure.
    • The no failover active or the failover active command is entered in the system execution space.
  • Page 270
    No failover | Become active | Become active
    If the failover link is down at startup, both failover groups on both units will become active.
  • Page 271: Determining Which Type Of Failover To Use

    FWSM supports two types of failover, regular and stateful. This section includes the following topics:
    • Regular Failover, page 14-18
    • Stateful Failover, page 14-18
  • Page 272: Regular Failover

    Note: If failover occurs during an active Cisco IP SoftPhone session, the call will remain active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client will lose connection with the CallManager. This occurs because there is no session information for the CTIQBE hangup message on the standby unit.
  • Page 273: Failover Health Monitoring

    5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the ARP test begins.
  • Page 274: Rapid Link Failure Detection

    • Using Active/Standby Failover, page 14-21
    • Using Active/Active Failover, page 14-26
    • Configuring Failover Communication Authentication/Encryption, page 14-31
    • Verifying the Failover Configuration, page 14-31
  • Page 275: Failover Configuration Limitations

    For multiple context mode, all steps are performed in the system execution space unless otherwise noted.
  • Page 276 Note: If the state link uses the failover link, skip this step. You have already defined the failover link active and standby IP addresses.
  • Page 277 Enter this command exactly as you entered it on the primary unit when you configured the failover interface on the primary unit.
  • Page 278: Configuring Optional Active/Standby Failover Settings

    1200 seconds. If the delay is not specified, there is no delay. When the primary unit becomes active, the secondary unit enters the standby state. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-24...
  • Page 279 When specifying a specific number of interfaces, the num argument can be from 1 to 250. When specifying a percentage of interfaces, the num argument can be from 1 to 100. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-25...
  • Page 280: Using Active/Active Failover

    Do not configure an IP address for the failover link or for the state link (if you are going to use Note Stateful Failover). hostname(config-if)# ip address active_addr netmask standby standby_addr Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-26 OL-20748-01...
  • Page 281 Configure the failover groups. You can have at most two failover groups. The failover group command Step 4 creates the specified failover group if it does not exist and enters the failover group configuration mode. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-27 OL-20748-01...
  • Page 282 Enter this command exactly as you entered it on the primary unit when you configured the Note failover interface. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-28 OL-20748-01...
  • Page 283: Configuring Optional Active/Active Failover Settings

    However, if one unit boots before the other, then both failover groups become active on that unit. When the other unit comes online, any failover groups Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-29...
  • Page 284 When specifying a specific number of interfaces, the num argument can be from 1 to 250. When specifying a percentage of interfaces, the num argument can be from 1 to 100. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-30...
  • Page 285: Configuring Failover Communication Authentication/Encryption

    This section includes the following topics: Viewing Failover Status for Active/Standby, page 14-32 • Viewing Failover Status for Active/Active, page 14-35 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-31 OL-20748-01...
  • Page 286 Interface outside (192.168.5.121): Normal Interface inside (192.168.0.1): Normal Peer context: Not Detected Active time: 0 (sec) Interface outside (192.168.5.131): Normal Interface inside (192.168.0.11): Normal Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-32 OL-20748-01...
  • Page 287 The amount of time the unit has been active. This time is cumulative, so the standby unit, if it was active in the past, will also show a value. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-33...
  • Page 288 L2BRIDGE tbl Layer 2 bridge table information (transparent firewall mode only). Xlate_Timeout Indicates connection translation timeout information. VPN IKE upd IKE connection information. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-34 OL-20748-01...
  • Page 289 Interface outside (10.3.3.2): Normal ctx2 Interface inside (10.4.4.2): Normal Other host: Secondary Group 1 State: Standby Ready Active time: 190 (sec) ...
  • Page 290 Interface outside (192.168.5.131): Normal admin Interface inside (192.168.0.11): Normal Stateful Failover Logical Update Statistics Status: Configured. RPC services TCP conn UDP conn ARP tbl ...
  • Page 291 • Unknown—FWSM cannot determine the status of the interface. • Waiting—Monitoring of the network interface on the other unit has not yet started. ...
  • Page 292 GTP PDP update information. This information appears only if inspect GTP is enabled. GTP PDPMCB: GTP PDPMCB update information. This information appears only if inspect GTP is enabled. ...
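The show failover output excerpted on the pages above is written for an operator to read, but the same fields can be checked by a script on a schedule. The following Python is an added example, not code from this guide or from Cisco. It parses a constructed Active/Active output laid out like the excerpts (This host and Other host sections, Group N State lines, per-context Interface lines with a status) and reports two of the conditions this chapter calls out: an interface whose status is anything other than Normal, and one unit holding every failover group after the boot race described under the optional Active/Active settings. The two sample outputs, the context names and the addresses are constructed for illustration; real output varies between releases, so check the regular expressions against your own unit before relying on them.

```python
"""Parse 'show failover' output from an Active/Active FWSM pair and flag the
conditions this chapter describes: an interface whose status is not Normal,
and both failover groups active on one unit after a reboot race.
Added example; the sample outputs below are constructed, not captured."""
import re
from typing import Dict, List

# Constructed sample, laid out like the Active/Active output in this chapter
# (group states, per-context interface lines, Other host section).
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink Vlan 10 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
  This host:    Primary
  Group 1       State:          Active
                Active time:    190 (sec)
  Group 2       State:          Standby Ready
                Active time:    0 (sec)

  admin         Interface outside (192.168.5.121): Normal
  admin         Interface inside (192.168.0.1): Normal
  ctx1          Interface outside (10.3.3.1): Normal
  ctx1          Interface inside (10.4.4.1): Normal

  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    0 (sec)
  Group 2       State:          Active
                Active time:    190 (sec)

  admin         Interface outside (192.168.5.131): Normal
  admin         Interface inside (192.168.0.11): Normal
  ctx1          Interface outside (10.3.3.2): Normal
  ctx1          Interface inside (10.4.4.2): Waiting

Stateful Failover Logical Update Statistics
        Link : folink Vlan 10 (up)
"""

# Constructed sample of the reboot race: the unit that booted first owns both groups.
SAMPLE_AFTER_REBOOT = """\
  This host:    Primary
  Group 1       State:          Active
                Active time:    3600 (sec)
  Group 2       State:          Active
                Active time:    3600 (sec)
  Other host:   Secondary
  Group 1       State:          Standby Ready
                Active time:    0 (sec)
  Group 2       State:          Standby Ready
                Active time:    0 (sec)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\S+)")
GROUP_RE = re.compile(r"^\s*Group (\d+)\s+State:\s+(.+?)\s*$")
ACTIVE_TIME_RE = re.compile(r"^\s*Active time:\s+(\d+) \(sec\)")
IFACE_RE = re.compile(r"^\s*(\S+)\s+Interface (\S+) \(([\d.]+)\):\s+(.+?)\s*$")


def parse_show_failover(text: str) -> Dict[str, dict]:
    """Return {"This": {...}, "Other": {...}} with role, group states and interfaces."""
    hosts: Dict[str, dict] = {}
    current = None
    group = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"role": m.group(2), "groups": {}, "interfaces": []}
            hosts[m.group(1)] = current
            continue
        if current is None:          # header lines before "This host" are not needed
            continue
        if (m := GROUP_RE.match(line)):
            group = int(m.group(1))
            current["groups"][group] = {"state": m.group(2), "active_time": None}
        elif (m := ACTIVE_TIME_RE.match(line)) and group is not None:
            current["groups"][group]["active_time"] = int(m.group(1))
        elif (m := IFACE_RE.match(line)):
            current["interfaces"].append(
                {"context": m.group(1), "name": m.group(2), "ip": m.group(3), "status": m.group(4)})
    return hosts


def failover_findings(hosts: Dict[str, dict]) -> List[str]:
    """Findings an operator should look at; an empty list means the pair looks healthy."""
    findings: List[str] = []
    if "This" not in hosts or "Other" not in hosts:
        return ["peer section missing: the other unit was not detected"]
    for host in hosts.values():
        active = [g for g, info in host["groups"].items() if info["state"] == "Active"]
        if len(active) > 1 and len(active) == len(host["groups"]):
            findings.append(f"{host['role']}: failover groups {active} are all active on this unit; "
                            "the peer holds no group (check preempt and each group's preferred unit)")
        for intf in host["interfaces"]:
            if intf["status"] != "Normal":   # Testing, Link Down, No Link, Failed, Unknown, Waiting
                findings.append(f"{host['role']} {intf['context']}/{intf['name']} ({intf['ip']}): {intf['status']}")
    return findings
```

The interface check treats every status other than Normal as worth reporting, including the transient Waiting and Unknown states listed on the page, because a unit that stays in either state past a couple of poll intervals usually means the failover link or the peer's VLAN assignment is wrong rather than a monitoring delay.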
  • Page 293: Viewing Monitored Interfaces

    • For Active/Active failover, enter the following command on the unit where the failover group containing the interface connecting your hosts is active: ...
  • Page 294: Controlling And Monitoring Failover

    Or, enter the following command in the system execution space of the unit where the failover group is in the active state: hostname# no failover active group group_id ...
  • Page 295: Disabling Failover

    If previously active, a failover group will become active if it is configured with the preempt command and if the unit on which it failed is its preferred unit. ...
  • Page 296: Monitoring Failover

    411001 and 411002. This is normal activity. Debug Messages To see debug messages, enter the debug fover command. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information. Note: Because debugging output is assigned high priority in the CPU process, it can drastically affect system performance.
  • Page 297 PART Configuring the Security Policy...
  • Page 299: Chapter 15 Permitting Or Denying Network Access

  • Page 300 HR extended permit ip any any hostname(config)# access-group HR in interface hr hostname(config)# access-list ENG extended permit ip any any hostname(config)# access-group ENG in interface eng ...
  • Page 301: Inbound And Outbound Access List Overview

    209.165.200.225 eq www hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www hostname(config)# access-group OUTSIDE out interface outside ...
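To make the first-match and implicit-deny behaviour of these access lists concrete, here is an added Python example, not code from this guide or from Cisco. It parses access-list ... extended and access-group lines in the form shown on the pages above and evaluates a packet against the access list bound to a given interface and direction, the way the FWSM does: the first matching entry decides, and a packet that matches nothing is dropped. The sample configuration is constructed for this example; it reuses the OUTSIDE and HR entries from this chapter and adds a deny line and a subnet-mask line to show why ordering matters. Only any, host, A.B.C.D MASK, eq and range are handled, the port-name table is partial, and when no access list is bound the function says so rather than modelling the interface security-level default.

```python
"""Evaluate FWSM extended access lists the way the firewall does: the first
matching ACE wins, and a packet that matches nothing hits the implicit deny.
Added example; the sample configuration below is constructed, not captured."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Partial name-to-port table; anything not listed must be given numerically.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53, "smtp": 25}

# Constructed sample modelled on the OUTSIDE and HR examples in this chapter;
# the deny line and the /27 line are added here to show ordering and masks.
SAMPLE_CONFIG = """\
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended deny tcp any host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp 209.165.201.0 255.255.255.224 any eq https
hostname(config)# access-group OUTSIDE out interface outside
hostname(config)# access-list HR extended permit ip any any
hostname(config)# access-group HR in interface hr
"""


@dataclass
class Ace:
    action: str                            # "permit" or "deny"
    proto: str                             # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    src_ports: Optional[Tuple[int, int]]   # inclusive range; None means any port
    dst: ipaddress.IPv4Network
    dst_ports: Optional[Tuple[int, int]]


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(toks: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at toks[i]."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def _ports(toks: List[str], i: int):
    """Parse an optional 'eq PORT' or 'range LO HI' operator at toks[i]."""
    if i < len(toks) and toks[i] == "eq":
        p = _port(toks[i + 1])
        return (p, p), i + 2
    if i < len(toks) and toks[i] == "range":
        return (_port(toks[i + 1]), _port(toks[i + 2])), i + 3
    if i < len(toks) and toks[i] in ("gt", "lt", "neq"):
        raise ValueError(f"operator {toks[i]} is not handled in this example")
    return None, i


def parse_config(text: str):
    """Return ({acl_name: [Ace, ...]}, {(interface, direction): acl_name})."""
    acls: Dict[str, List[Ace]] = {}
    bindings: Dict[Tuple[str, str], str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[1] if "#" in raw else raw   # drop a "hostname(config)#" prompt
        toks = line.split()
        if len(toks) > 2 and toks[0] == "access-list" and toks[2] == "extended":
            src, i = _addr(toks, 5)
            src_ports, i = _ports(toks, i)
            dst, i = _addr(toks, i)
            dst_ports, i = _ports(toks, i)
            acls.setdefault(toks[1], []).append(Ace(toks[3], toks[4], src, src_ports, dst, dst_ports))
        elif toks and toks[0] == "access-group":
            # access-group NAME {in|out} interface IFNAME
            bindings[(toks[4], toks[2])] = toks[1]
    return acls, bindings


def _in_range(rng: Optional[Tuple[int, int]], port: Optional[int]) -> bool:
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


def evaluate(acls, bindings, interface, direction, proto, src_ip, dst_ip, src_port=None, dst_port=None):
    """Return (action, reason) for one packet crossing interface in the given direction."""
    name = bindings.get((interface, direction))
    if name is None:
        # Nothing bound: the interface security-level default decides (not modelled here).
        return "no-acl", f"{interface} {direction}"
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(acls.get(name, []), 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if not _in_range(ace.src_ports, src_port) or not _in_range(ace.dst_ports, dst_port):
            continue
        return ace.action, f"{name} line {n}"        # first match wins
    return "deny", f"{name} implicit deny"


def permissive_aces(acls) -> List[Tuple[str, int]]:
    """(acl, line) entries that permit ip any any, i.e. bypass the policy entirely."""
    wide = ipaddress.ip_network("0.0.0.0/0")
    return [(name, n) for name, aces in acls.items() for n, a in enumerate(aces, 1)
            if a.action == "permit" and a.proto == "ip" and a.src == wide and a.dst == wide]
```

Evaluating a web request from 209.165.201.9 to 209.165.200.225 returns the deny from line 2 even though line 3 would permit that same host to other destinations, which is the ordering point to keep in mind when adding entries to an existing list; permissive_aces is there because the HR and ENG lists on this page are permit ip any any, which is a reasonable starting point in a lab and something to catch in review before production.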
  • Page 302: Applying An Access List To An Interface