Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI.

Catalyst 6500 Series Switch and
Cisco 7600 Series Router Firewall Services
Module Configuration Guide Using the CLI
Release 4.1
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Customer Order Number: N/A, Online only
Text Part Number: OL-20748-01

   Summary of Contents for Cisco 7604

  • Page 1 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI Release 4.1 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883...
  • Page 2 OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
  • Page 3: Table Of Contents

    C H A P T E R Switch Overview Verifying the Module Installation Assigning VLANs to the Firewall Services Module VLAN Guidelines Assigning VLANs to the FWSM Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 4 Context Configuration Files Context Configurations System Configuration Admin Context Configuration How the FWSM Classifies Packets Valid Classifier Criteria Invalid Classifier Criteria Classification Examples Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 5 4-35 Monitoring Security Contexts 4-35 Viewing Context Information 4-35 Viewing Resource Allocation 4-36 Viewing Resource Usage 4-39 Monitoring SYN Attacks in Contexts 4-40 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 6 Information About Bridge Groups Information About Device Management Guidelines and Limitations Configuring Transparent Firewall Interfaces for Through Traffic Assigning an IP Address to a Bridge Group Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 7 Redistributing Routes Between OSPF Processes 8-11 Configuring OSPF Interface Parameters 8-12 Configuring OSPF Area Parameters 8-14 Configuring OSPF NSSA 8-15 Configuring a Point-To-Point, Non-Broadcast OSPF Neighbor 8-16 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 8 Configuring DHCP Options 8-37 Using Cisco IP Phones with a DHCP Server 8-38 Configuring DHCP Relay Services 8-39 DHCP Relay Overview 8-39 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM viii OL-20748-01...
  • Page 9 Configuring Neighbor Solicitation Messages 10-6 Configuring the Neighbor Solicitation Message Interval 10-7 Configuring the Neighbor Reachable Time 10-7 Configuring Router Advertisement Messages 10-8 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 10 C H A P T E R Public Key Cryptography 12-1 About Public Key Cryptography 12-1 Certificate Scalability 12-2 About Key Pairs 12-2 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 11 Simplifying Access Lists with Object Grouping 13-11 How Object Grouping Works 13-11 Adding Object Groups 13-12 Adding a Protocol Object Group 13-12 Adding a Network Object Group 13-13 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 12 Determining Which Type of Failover to Use 14-17 Regular and Stateful Failover 14-17 Regular Failover 14-18 Stateful Failover 14-18 Failover Health Monitoring 14-19 Unit Health Monitoring 14-19 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 13 NAT Overview 16-1 Introduction to NAT 16-2 NAT in Routed Mode 16-2 NAT in Transparent Mode 16-3 NAT Control 16-5 NAT Types 16-6 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM xiii OL-20748-01...
  • Page 14 FWSM Authentication Prompts 17-2 Static PAT and HTTP 17-3 Authenticating Directly with the FWSM 17-3 Enabling Network Access Authentication 17-3 Configuring Custom Login Prompts 17-5 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 15 18-11 Configuring ARP Inspection and Bridging Parameters 19-1 C H A P T E R Configuring ARP Inspection 19-1 ARP Inspection Overview 19-1 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 16 Applying Inspection to HTTP Traffic Globally 20-21 Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers 20-22 Applying Inspection to HTTP Traffic with NAT 20-22 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 17 How Inspection Engines Work 22-2 Inspection Limitations 22-3 Default Inspection Policy 22-4 Configuring Application Inspection 22-6 CTIQBE Inspection 22-10 CTIQBE Inspection Overview 22-10 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM xvii OL-20748-01...
  • Page 18 22-47 H.323 Inspection Overview 22-48 How H.323 Works 22-48 Limitations and Restrictions 22-49 Topologies Requiring H.225 Configuration 22-50 H.225 Map Commands 22-50 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM xviii OL-20748-01...
  • Page 19 Configuring SIP Timeout Values 22-82 SIP Inspection Enhancement 22-82 Verifying and Monitoring SIP Inspection 22-86 SIP Sample Configuration 22-87 Skinny (SCCP) Inspection 22-89 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 20 CLI Access Overview 23-11 ASDM Access Overview 23-11 Authenticating Sessions from the Switch to the FWSM 23-11 Enabling CLI or ASDM Authentication 23-12 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 21 Backing Up a Context Configuration within a Context 24-17 Copying the Configuration from the Terminal Display 24-18 Configuring Auto Update Support 24-18 Configuring Communication with an Auto Update Server 24-18 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 22 Troubleshooting the Firewall Services Module 26-1 C H A P T E R Testing Your Configuration 26-1 Enabling ICMP Debug Messages and System Log Messages 26-1 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM xxii OL-20748-01...
  • Page 23 Admin Context Configuration (Example 1) Customer A Context Configuration (Example 1) Customer B Context Configuration (Example 1) Customer C Context Configuration (Example 1) Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM xxiii OL-20748-01...
  • Page 24 A P P E N D I X Firewall Mode and Security Context Mode Command Modes and Prompts Syntax Formatting Abbreviating Commands Command-Line Editing Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM xxiv OL-20748-01...
  • Page 25 TCP and UDP Ports E-11 Local Ports and Protocols E-14 ICMP Types E-15 L O S S A R Y N D E X Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 26 Contents Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM xxvi OL-20748-01...
  • Page 27: About This Guide

    Help for less common scenarios. For more information, see: http://www.cisco.com/en/US/products/ps6121/tsd_products_support_series_home.html. Document Conventions The FWSM command syntax descriptions use the following conventions: Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM xxvii OL-20748-01...
  • Page 28: Related Documentation

    Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration • Guide using ASDM Release Notes for Cisco ASDM • Open Source Software Licenses for FWSM • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM xxviii OL-20748-01...
  • Page 29: Obtaining Documentation And Submitting A Service Request

    Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
  • Page 30 About This Guide Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 31 IP address. Step 8 Configuring a Default Route, page 8-4 Create a default route to an upstream router. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM xxxi OL-20748-01...
  • Page 32 Before you configure any settings, you must set the firewall mode to transparent mode. Changing the mode clears your configuration. In multiple context mode, set the mode in each context. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM xxxii OL-20748-01...
  • Page 33 Step 12 Applying an Access List to an Interface, page 15-4 Apply the access list to an interface. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM xxxiii OL-20748-01...
  • Page 34 Quick Start Steps Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM xxxiv OL-20748-01...
  • Page 35 A R T Getting Started and General Information...
  • Page 37 How the Firewall Services Module Works with the Switch, page 1-5 • Firewall Mode Overview, page 1-7 • Stateful Inspection Overview, page 1-8 • Security Context Overview, page 1-9 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 38: C H A P T E R 1 Introduction To The Firewall Services Module

    You can now set the timeout for GRE connectionss that are built as a result of PPTP inspection. The following command was modified: timeout pptp-gre. Management Features Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 39: Security Policy Overview

    This section includes the following topics: • Permitting or Denying Traffic with Access Lists, page 1-4 Applying NAT, page 1-4 • Protecting from IP Fragments, page 1-4 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 40: Permitting Or Denying Traffic With Access Lists

    Internet. We recommend that you use the FWSM in conjunction with a separate server running one of the following Internet filtering products: Websense Enterprise • Sentian by N2H2 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 41: Applying Application Inspection

    How the Firewall Services Module Works with the Switch You can install the FWSM in the Catalyst 6500 series switches and the Cisco 7600 series routers with Cisco IOS software on both the switch supervisor and the integrated MSFC (known as “supervisor IOS”).
  • Page 42: Using The Msfc

    VLAN 200 MSFC FWSM VLAN 200 VLAN 201 FWSM MSFC VLAN 301 VLAN 303 VLAN 201 VLAN 203 Inside Inside VLAN 302 VLAN 202 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 43: Firewall Mode Overview

    In multiple context mode, you can choose the mode for each context independently, so some contexts can run in transparent mode while others can run in routed mode. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 44: Stateful Inspection Overview

    IP checksum verification – Session lookup – TCP sequence number check – NAT translations based on existing sessions – Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 45: Security Context Overview

    Multiple context mode supports static routing only. Note Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 46 Chapter 1 Introduction to the Firewall Services Module Security Context Overview Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 1-10 OL-20748-01...
  • Page 47: Switch Overview

    • Switch Overview You can install the FWSM in the Catalyst 6500 series switches or the Cisco 7600 series routers. The configuration of both series is identical, and the series are referred to generically in this guide as the “switch.” The switch includes a switch (the supervisor engine) as well as a router (the MSFC).
  • Page 48: C H A P T E R 2 Configuring The Switch For The Firewall Services Module

    Virtual Switching System (VSS) support—No FWSM configuration required. • For Cisco IOS software Version 12.2(18)SX6 and earlier, for each FWSM in a switch, the SPAN Note reflector feature is enabled. This feature enables multicast traffic (and other traffic that requires central rewrite engine) to be switched when coming from the FWSM.
  • Page 49: Vlan Guidelines

    Assigning VLANs to the FWSM In Cisco IOS software, create up to 16 firewall VLAN groups, and then assign the groups to the FWSM. For example, you can assign all the VLANs to one group, or you can create an inside group and an outside group, or you can create a group for each customer.
  • Page 50: Adding Switched Virtual Interfaces To The Msfc

    2-2), then the MSFC routes between the FWSM and other Layer 3 VLANs. This section includes the following topics: • SVI Overview, page 2-5 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 51: Svi Overview

    FWSM by assigning both the inside and outside VLANs to the MSFC. (See Figure 2-1.) Figure 2-1 Multiple SVI Misconfiguration Internet VLAN 100 MSFC VLAN 200 FWSM VLAN 201 VLAN 201 Inside Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 52 IPX traffic to pass on VLAN 201. Figure 2-2 Multiple SVIs for IPX Internet VLAN 100 MSFC VLAN 200 FWSM VLAN 201 VLAN 201 Inside IPX Host IP Host Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 53: Configuring Svis

    To enable the interface, enter the following command: Step 4 Router(config-if)# no shutdown The following example shows a typical configuration with multiple SVIs: Router(config)# firewall vlan-group 50 55-57 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 54: Customizing The Fwsm Internal Interface

    Router(config)# port-channel load-balance {dst-ip | dst-mac | dst-port | src-dst-ip | src-dst-mac | src-dst-port | src-ip | src-mac | src-port} The default is src-dst-ip. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 55: Configuring The Switch For Failover

    The switch supervisor sends an autostate message to the FWSM when: The last interface belonging to a VLAN goes down. • The first interface belonging to a VLAN comes up. • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 56: Managing The Firewall Services Module Boot Partitions

    Application partitions (cf:4 and cf:5)—Stores the application software image, system configuration, and ASDM. By default, Cisco installs the images on cf:4. You can use cf:5 as a test partition. For example, if you want to upgrade your software, you can install the new software on cf:5, but maintain the old software as a backup in case you have problems.
  • Page 57: Resetting The Fwsm Or Booting From A Specific Partition

    % reset issued for module 9 Router# 00:26:55:%SNMP-5-MODULETRAP:Module 9 [Down] Trap 00:26:55:SP:The PC in slot 8 is shutting down. Please wait ... Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 2-11 OL-20748-01...
  • Page 58 Chapter 2 Configuring the Switch for the Firewall Services Module Managing the Firewall Services Module Boot Partitions Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 2-12 OL-20748-01...
  • Page 59: Chapter 3 Connecting To The Firewall Services Module And Managing The Configuration

    Management access to the FWSM causes a degradation in performance. We recommend that you avoid Caution accessing the FWSM when high network performance is critical. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 60: Logging Out Of The Fwsm

    Logging out of the FWSM To end the FWSM session and access the switch CLI, enter the following command: hostname# exit Logoff Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 61: Managing The Configuration

    This section includes the following topics: Saving Each Context and System Separately, page 3-4 • Saving All Context Configurations at the Same Time, page 3-4 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 62 Unable to save the configuration for the following contexts as these contexts have read-only config-urls: context ‘a’ , context ‘b’ , context ‘c’ . Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 63: Copying The Startup Configuration To The Running Configuration

    To erase settings, enter one of the following commands. • To clear all the configuration for a specified command, enter the following command: hostname(config)# clear configure configurationcommand [level2configurationcommand] Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 64: Creating Text Configuration Files Offline

    In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows: context a For additional information about formatting the file, see Appendix C, “Using the Command-Line Interface.” Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 65: Security Context Overview

    How the FWSM Classifies Packets, page 4-3 • Sharing Interfaces Between Contexts, page 4-7 • Management Access to Security Contexts, page 4-9 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 66: Security Context Overview

    The system configuration does include a specialized failover interface for failover traffic only. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 67: Admin Context Configuration

    Context A: • static (inside,shared) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 Context B: • static (inside,shared) 10.20.10.0 10.20.10.0 netmask 255.255.255.0 Context C: • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 68: Invalid Classifier Criteria

    Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 69: Classification Examples

    Dest Addr Translation 10.1.1.13 209.165.201.3 VLAN 200 VLAN 250 VLAN 300 Inside Admin Inside Customer B Network Customer A Host Host Host 10.1.1.13 10.1.1.13 10.1.1.13 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 70 FWSM FWSM Classifier VLAN 200 VLAN 250 VLAN 300 Inside Admin Inside Customer B Network Customer A Host Host Host 10.1.1.13 10.1.1.13 10.1.1.13 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 71: Sharing Interfaces Between Contexts

    NAT sessions to classify the destination addresses to a context, the classifier is limited by how you can configure NAT. If you do not want to perform NAT, you must use unique interfaces. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 72: Nat And Origination Of Traffic

    NAT affects them. For example, if a server sends a packet to www.example.com, then the DNS server needs to return the translated address. Your NAT configuration determines DNS entry management.) Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 73: Management Access To Security Contexts

    You can access the FWSM as a system administrator in two ways: Session to the FWSM from the switch. • From the switch, you access the system execution space. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
  • Page 74: Context Administrator Access

    Your FWSM might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. ASDM does not support changing modes, so you need to change modes using the CLI.
  • Page 75: Restoring Single Context Mode

    Setting the Number of Memory Partitions, page 4-13 • Changing the Memory Partition Size, page 4-14 • Reallocating Rules Between Features for a Specific Memory Partition, page 4-19 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-11 OL-20748-01...
  • Page 76: About Memory Partitions

    Inspect Rules 1537 Total Rules 19,219 1. Use the show resource rule command to view the default values for partitions other than 12. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-12 OL-20748-01...
  • Page 77: Setting The Number Of Memory Partitions

    :bandn, borders Number of contexts :2(RefCount:2) Number of rules :0(Max:53087) Partition #1 Mode :non-exclusive List of Contexts :admin, momandpopA, momandpopB, momandpopC momandpopD Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-13 OL-20748-01...
  • Page 78: Changing The Memory Partition Size

    The FWSM lets you set the memory size of each partition. Changing the partition sizes requires you to reload the FWSM. Note Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-14 OL-20748-01...
  • Page 79 19,219 rules, for a total of 249,847 rules. hostname(config)# show resource partition Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-15 OL-20748-01...
  • Page 80 15000 19219 19219 15000 19219 19219 15000 19219 19219 15000 19219 19219 15000 19219 19219 19219 19219 19219 19219 19219 19219 19219 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-16 OL-20748-01...
  • Page 81 Traffic loss can occur because both units are down at the same time. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-17...
  • Page 82 56616 hostname(config-partition)# resource partition 3 hostname(config-partition)# size 56615 hostname(config-partition)# show resource partition Bootup Current Partition Default Partition Configured Number Size Size Size Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-18 OL-20748-01...
  • Page 83: Reallocating Rules Between Features For A Specific Memory Partition

    0 Default Configured Absolute CLS Rule Limit Limit -----------+---------+----------+--------- Policy NAT 14801 14801 14801 Filter 1152 Fixup 1537 1537 3074 Est Ctl Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-19 OL-20748-01...
  • Page 84 See Step 1 to use the show resource rule command for the total number of rules allowed. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-20 OL-20748-01...
  • Page 85: Configuring Resource Management

    The FWSM does not limit the bandwidth per context; however, the switch containing the FWSM can Note limit bandwidth per VLAN. See the switch documentation for more information. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-21 OL-20748-01...
  • Page 86: Classes And Class Members Overview

    Gold Class can use more than the 97 percent of “unassigned” inspections; they can also use the 1 percent of inspections not currently in use by Context A, B, and C, even if that means that Context A, Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-22...
  • Page 87: Default Class

    • Telnet sessions—5 sessions. • SSH sessions—5 sessions. IPSec sessions—5 sessions. • MAC addresses—65,535 entries. • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-23 OL-20748-01...
  • Page 88: Class Members

    Step 2 • To set all resource limits (shown in Table 4-2), enter the following command: hostname(config-resmgmt)# limit-resource all {number% | 0} Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-24 OL-20748-01...
  • Page 89 Table 4-2 lists the resource types and the limits. See also the show resource types command. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-25 OL-20748-01...
  • Page 90 80 ASDM sessions represents a limit of 160 HTTPS sessions. 1 minimum 100 concurrent SSH sessions. 5 maximum concurrent Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-26 OL-20748-01...
  • Page 91: Configuring A Security Context

    If you do not have an admin context (for example, if you clear the configuration), then you must first specify the admin context name by entering the following command:
    hostname(config)# admin-context name
  • Page 92 alphabetic portion of the mapped name must match for both ends of the range. For example, enter the following range: int0-int10
  • Page 93 The type can be one of the following keywords:
    – ap—ASCII passive mode
    – an—ASCII normal mode
    – ip—(Default) Binary passive mode
    – in—Binary normal mode
  • Page 94 12 partitions, so the range is 0 to 11. See the “Setting the Number of Memory Partitions” section on page 4-13 to configure the number of memory partitions.
  • Page 95: Changing Between Contexts And The System Execution Space

    Only the current configuration displays. You can, however, save all context running configurations from the system execution space using the write memory all command.
  • Page 96: Managing Security Contexts

    • To remove all contexts (including the admin context), enter the following command in the system execution space:
    hostname(config)# clear context
  • Page 97: Changing The Admin Context

    Step 3 To enter the context configuration mode for the context you want to change, enter the following command:
    hostname(config)# context name
  • Page 98: Reloading A Security Context

    The FWSM copies the configuration from the URL specified in the system configuration. You cannot change the URL from within a context.
  • Page 99: Monitoring Security Contexts

    Shows the firewall mode for each context, either Routed or Transparent. Shows the URL from which the FWSM loads the context configuration.
  • Page 100: Viewing Resource Allocation

    (excerpt of show resource allocation output)
    Conns [rate]    35000    35.00%
    Fixups [rate]   35000    35.00%
    Syslogs [rate]  10500    35.00%
    Conns           305000   30.50%
    Hosts           78842    30.07%
    IPsec           35.00%   35.00%
    Telnet          35.00%
  • Page 101 (excerpt, continued)
    ...             26214    26214   9.99%
    bronze          13107
    All Contexts:   26214    9.99%
    IPSec
    default
    gold            50.00%
    silver          10.00%
    bronze          unlimited
    All Contexts:   110.00%
    default
  • Page 102 The percentage of the total system resources that is allocated across all contexts in the class. If the resource is unlimited, this display is blank.
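The arithmetic behind the allocation display on pages 100 to 102, as an added Python example. This is not Cisco's code and not from the guide; the FWSM CLI cannot be executed offline, so Python is used to model what show resource allocation adds up. The system-wide limits and the gold/silver/bronze class set are constructed stand-ins for Table 4-2 (assumptions). What it shows is that a class total is its percentage times its member count, and that the per-resource sum can exceed 100 percent, which is the oversubscription the 110.00% row illustrates: if every context reaches its limit at once, some contexts are denied.

```python
"""Resource-class allocation arithmetic for FWSM multiple-context mode.

Added example (not from the Cisco guide). It models what `show resource
allocation` reports: a class caps each resource at a percentage of the
system total (0 means unlimited), the class total is that percentage times
the number of member contexts, and the sum over all classes may exceed
100 percent, which the guide's output shows as "All Contexts: 110.00%".
"""
from dataclasses import dataclass, field

# Constructed system-wide limits standing in for Table 4-2 (assumption, not
# the real FWSM numbers): concurrent IPSec sessions, hosts, and syslog rate.
SYSTEM_LIMITS = {"ipsec": 5, "hosts": 262144, "syslogs_rate": 30000}


@dataclass
class ResourceClass:
    name: str
    limits_pct: dict            # resource -> percent of system total, 0 = unlimited
    members: list = field(default_factory=list)   # context names in this class

    def per_context_limit(self, resource, system_limits=SYSTEM_LIMITS):
        """Absolute limit each member context gets, or None when unlimited."""
        pct = self.limits_pct.get(resource, 0)
        if pct == 0:
            return None
        return int(system_limits[resource] * pct / 100)


def allocation_report(classes, system_limits=SYSTEM_LIMITS):
    """One entry per resource: what `show resource allocation` would add up.

    allocated_pct is the sum of (class percent x member count) over classes,
    oversubscribed is True when that sum exceeds 100 percent, and
    unlimited_contexts lists members of classes that set the resource to 0
    (those are not part of the total and can consume everything).
    """
    report = {}
    for resource in system_limits:
        total_pct = 0.0
        unlimited = []
        per_class = {}
        for cls in classes:
            pct = cls.limits_pct.get(resource, 0)
            if pct == 0:
                unlimited.extend(cls.members)
                per_class[cls.name] = "unlimited"
            else:
                class_pct = pct * len(cls.members)
                per_class[cls.name] = round(class_pct, 2)
                total_pct += class_pct
        report[resource] = {
            "per_class_pct": per_class,
            "allocated_pct": round(total_pct, 2),
            "oversubscribed": total_pct > 100.0,
            "unlimited_contexts": unlimited,
        }
    return report


def oversubscribed_resources(classes, system_limits=SYSTEM_LIMITS):
    """Resources whose combined class limits cannot all be honoured at once."""
    report = allocation_report(classes, system_limits)
    return sorted(r for r, row in report.items()
                  if row["oversubscribed"] or row["unlimited_contexts"])


# Constructed class set mirroring the guide's output: gold 50%, silver 10%,
# bronze unlimited for IPSec. With two gold contexts the IPSec total is 110%.
EXAMPLE_CLASSES = [
    ResourceClass("gold", {"ipsec": 50, "hosts": 30, "syslogs_rate": 35}, ["A", "B"]),
    ResourceClass("silver", {"ipsec": 10, "hosts": 10, "syslogs_rate": 10}, ["C"]),
    ResourceClass("bronze", {"ipsec": 0, "hosts": 5, "syslogs_rate": 5}, ["D"]),
]

if __name__ == "__main__":
    for resource, row in allocation_report(EXAMPLE_CLASSES).items():
        flag = " OVERSUBSCRIBED" if row["oversubscribed"] else ""
        print(f"{resource}: {row['per_class_pct']} all contexts {row['allocated_pct']}%{flag}")
```

Oversubscription is a deliberate design choice on the FWSM, but it turns a per-context limit into a promise that can only be kept while the other contexts are idle; the report makes that visible per resource, and the silver hosts value (26214, 10 percent of 262144) matches the figure in the guide's output.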
  • Page 103: Viewing Resource Usage

    Resource        Current  Peak  Limit      Denied  Context
    Syslogs [rate]  1743     2132  12000(U)   0       Summary
    Conns                          100000(S)  0       Summary
  • Page 104: Monitoring Syn Attacks In Contexts

    (counter names from the show perfmon output, Average column) Xlates, Connections, TCP Conns, UDP Conns, URL Access, URL Server Req, WebSns Req, TCP Fixup, HTTP Fixup, FTP Fixup, AAA Authen
  • Page 105 TCP intercept for the entire system. (Sample text in italics shows the TCP intercept information.)
    hostname(config)# show resource usage summary detail
    Resource  Current  Peak  Limit  Denied  Context
  • Page 106 (continued)
    ...                                0  Summary
    console-access-rul      4356(S)    0  Summary
    fixup-rules             8032(S)    0  Summary
    S = System: Total exceeds the system limit; the system limit is shown
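A parser for the show resource usage rows shown on pages 103 to 106, as an added Python example that is not from the guide and not Cisco's code. The sample output is constructed to follow the Resource/Current/Peak/Limit/Denied/Context layout rather than captured from a real module; the (S) marker is the guide's own legend, and reading (U) as "some contexts are unlimited and excluded from the total" is an assumption. The check flags the two things a denied-connection or SYN-flood investigation in a context looks for first: a non-zero Denied column and a peak already at the limit.

```python
"""Parser for `show resource usage` lines and a quick exhaustion check.

Added example (not from the Cisco guide). The sample output below is
constructed to follow the column layout the guide shows
(Resource, Current, Peak, Limit, Denied, Context); it is not captured
from a real FWSM. The (S) suffix is the guide's "Total exceeds the
system limit; the system limit is shown". (U) is taken here to mean that
some contexts are unlimited and excluded from the total (assumption).
"""
import re

SAMPLE_OUTPUT = """\
Resource              Current        Peak      Limit       Denied Context
Syslogs [rate]           1743        2132   12000(U)            0 Summary
Conns                   98400      100000  100000(S)           37 Summary
Hosts                   51200       60100     262144            0 Summary
Xlates                  91000      114000  Unlimited            0 Summary
"""

LINE_RE = re.compile(
    r"^(?P<resource>\S.*?)\s+(?P<current>\d+)\s+(?P<peak>\d+)\s+"
    r"(?P<limit>\d+|Unlimited)(?:\((?P<flag>[SU])\))?\s+(?P<denied>\d+)\s+(?P<context>\S+)\s*$"
)


def parse_resource_usage(text):
    """Return one dict per data row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header or unparsable line
        limit = None if m["limit"] == "Unlimited" else int(m["limit"])
        rows.append({
            "resource": m["resource"].strip(),
            "current": int(m["current"]),
            "peak": int(m["peak"]),
            "limit": limit,
            "flag": m["flag"],            # None, "S" or "U"
            "denied": int(m["denied"]),
            "context": m["context"],
        })
    return rows


def exhaustion_findings(rows, warn_ratio=0.9):
    """Flag resources that have denied requests or whose peak is near the limit.

    A non-zero Denied count is the direct symptom of a context hitting its
    class limit (or of the system limit being hit when the limit is marked S);
    a peak close to the limit is the early warning.
    """
    findings = []
    for row in rows:
        if row["denied"] > 0:
            findings.append((row["resource"], "denied", row["denied"]))
        if row["limit"] and row["peak"] >= warn_ratio * row["limit"]:
            findings.append((row["resource"], "near_limit", round(row["peak"] / row["limit"], 3)))
    return findings


if __name__ == "__main__":
    for resource, kind, value in exhaustion_findings(parse_resource_usage(SAMPLE_OUTPUT)):
        print(f"{resource}: {kind} {value}")
```

Run per context rather than only on the Summary rows when hunting a SYN attack: a single context whose Conns peak sits at its limit while Denied climbs is the usual signature, and the Summary row can hide it when other contexts are idle.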
  • Page 107: Chapter 5 Configuring The Firewall Mode

    We recommend using the advanced routing capabilities of the upstream and downstream routers instead of relying on the FWSM for extensive routing needs.
  • Page 108: How Data Moves Through The Fwsm In Routed Firewall Mode

    The FWSM receives the packet and, because it is a new session, verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
  • Page 109: An Outside User Visits A Web Server On The Dmz

    DMZ web server. [Figure 5-2 Outside to DMZ: User (Outside) 209.165.201.2; Dest Addr Translation 209.165.201.3 to 10.1.1.13; FWSM 10.1.2.1 / 10.1.1.1; Inside; Web Server 10.1.1.3]
  • Page 110: An Inside User Visits A Web Server On The Dmz

    DMZ web server. [Figure 5-3 Inside to DMZ: Outside 209.165.201.2; FWSM 10.1.2.1 / 10.1.1.1; Inside User 10.1.2.27; Web Server 10.1.1.3]
  • Page 111: An Outside User Attempts To Access An Inside Host

    [Figure 5-4 Outside to Inside: www.example.com; Outside 209.165.201.2; FWSM 10.1.2.1 / 10.1.1.1; Inside User 10.1.2.27]
  • Page 112: A Dmz User Attempts To Access An Inside Host

    (access lists, filters, AAA). The packet is denied, and the FWSM drops the packet and logs the connection attempt.
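The four routed-mode flows on pages 108 to 112, as an added Python model. This is not code from the guide or from Cisco; it reproduces the decisions the text describes: a new session is checked against the access list on the ingress interface (or, with no access list, against the security-level rule that only higher-to-lower traffic passes), destination NAT is applied, the egress interface comes from a route lookup, and once the session exists its return packets skip those lookups. The addresses follow Figures 5-2 to 5-4; the security levels, the access list on the outside interface and the static translation 209.165.201.3 to 10.1.1.3 are assumptions chosen to match the figures, the dynamic NAT of inside addresses is left out, and access lists are matched against the mapped (pre-NAT) destination as on the FWSM.

```python
"""Routed-mode packet flow of the FWSM, modelled as a small stateful firewall.

Added example (not from the Cisco guide). Addresses follow Figures 5-2 to
5-4; security levels, the static NAT entry and the access list are
assumptions. Access lists are matched against the mapped destination.
"""
import ipaddress
from typing import NamedTuple


class Packet(NamedTuple):
    ingress: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class Verdict(NamedTuple):
    action: str        # "forward" or "drop"
    egress: str        # egress interface, or None
    src: str           # source after translation, or None
    dst: str           # destination after translation, or None
    reason: str


class RoutedFirewall:
    def __init__(self, security_levels, routes, static_nat=None, acls=None):
        self.levels = dict(security_levels)
        self.routes = [(ipaddress.ip_network(n), iface) for n, iface in routes]
        self.static_nat = dict(static_nat or {})   # mapped ip -> real ip
        self.acls = dict(acls or {})               # ingress iface -> list of ACEs
        self.conns = {}                            # 5-tuple -> (egress, new_src, new_dst)
        self.log = []                              # denied attempts, as the FWSM would syslog

    def egress_for(self, ip):
        """Longest-prefix route lookup."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def _acl_permits(self, iface, pkt):
        for ace in self.acls[iface]:
            if (ace["proto"] == pkt.proto
                    and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(ace["src"])
                    and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(ace["dst"])
                    and ace.get("dport") in (None, pkt.dport)):
                return ace["action"] == "permit"
        return False        # implicit deny at the end of every access list

    def process(self, pkt):
        key = (pkt.ingress, pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        if key in self.conns:             # established session: fast path, no policy lookups
            egress, new_src, new_dst = self.conns[key]
            return Verdict("forward", egress, new_src, new_dst, "existing session")
        real_dst = self.static_nat.get(pkt.dst, pkt.dst)     # destination NAT
        egress = self.egress_for(real_dst)
        if egress is None or egress == pkt.ingress:           # intra-interface is off by default
            self.log.append(f"drop {key}: no route or same interface")
            return Verdict("drop", egress, None, None, "no route or same interface")
        if pkt.ingress in self.acls:
            allowed, reason = self._acl_permits(pkt.ingress, pkt), "access list"
        else:
            allowed, reason = self.levels[pkt.ingress] > self.levels[egress], "security level"
        if not allowed:
            self.log.append(f"deny {pkt.ingress}->{egress} {pkt.src}:{pkt.sport} -> "
                            f"{pkt.dst}:{pkt.dport} ({reason})")
            return Verdict("drop", egress, None, None, reason)
        # Install both directions so the reply matches a session and is untranslated.
        self.conns[key] = (egress, pkt.src, real_dst)
        reverse = (egress, real_dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        self.conns[reverse] = (pkt.ingress, pkt.dst, pkt.src)
        return Verdict("forward", egress, pkt.src, real_dst, f"new session ({reason})")


def build_example():
    """Topology of Figures 5-2 to 5-4: outside (0), DMZ (50), inside (100)."""
    return RoutedFirewall(
        security_levels={"outside": 0, "dmz": 50, "inside": 100},
        routes=[("10.1.2.0/24", "inside"), ("10.1.1.0/24", "dmz"), ("0.0.0.0/0", "outside")],
        static_nat={"209.165.201.3": "10.1.1.3"},
        acls={"outside": [{"action": "permit", "proto": "tcp", "src": "0.0.0.0/0",
                           "dst": "209.165.201.3/32", "dport": 80}]},
    )


if __name__ == "__main__":
    fw = build_example()
    print(fw.process(Packet("outside", "209.165.201.2", "209.165.201.3", "tcp", 1025, 80)))
    print(fw.process(Packet("dmz", "10.1.1.3", "209.165.201.2", "tcp", 80, 1025)))
    print(fw.process(Packet("dmz", "10.1.1.3", "10.1.2.27", "tcp", 4000, 22)))
```

The point the model makes concrete is that an access list replaces the security-level rule entirely for its interface (the implicit deny applies even to higher-to-lower traffic), and that the reverse connection entry, not a second policy lookup, is what lets the DMZ server answer the outside user while a DMZ host starting a session towards the inside is still dropped.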
  • Page 113: Transparent Mode Overview

    The management IP address must be on the same subnet as the connected network. For another method of management, see the “Management Interface” section on page 5-8.
  • Page 114: Management Interface

    DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic such as that created by IP/TV.
  • Page 115: Mac Address Vs. Route Lookups

    The inside router and hosts appear to be directly connected to the outside router. [Figure 5-6 Transparent Firewall Network: Internet; 10.1.1.1; FWSM Management IP 10.1.1.2; Network A 10.1.1.3; 192.168.1.2; Network B]
  • Page 116: Transparent Firewall Guidelines
  • Page 117: Unsupported Features In Transparent Mode

    You can, however, allow multicast traffic through the FWSM by allowing it in an extended access list. Remote access VPN for management: you can use site-to-site VPN for management.
  • Page 118: How Data Moves Through The Transparent Firewall

    • An Outside User Visits a Web Server on the Inside Network, page 5-15
    • An Outside User Attempts to Access an Inside Host, page 5-16
  • Page 119: An Inside User Visits A Web Server

    The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The FWSM forwards the packet to the inside user.
  • Page 120: An Inside User Visits A Web Server Using Nat

    The FWSM performs NAT by translating the mapped address to the real address, 10.1.2.27.
  • Page 121: An Outside User Visits A Web Server On The Inside Network

    If the destination MAC address is not in the FWSM table, the FWSM attempts to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.
  • Page 122: An Outside User Attempts To Access An Inside Host

    If the outside user is attempting to attack the inside network, the FWSM employs many technologies to determine if a packet is valid for an already established session.
  • Page 123: Setting Transparent Or Routed Firewall Mode

    • hostname(config)# firewall transparent
    To set the mode to routed, enter the following command in each context:
    • hostname(config)# no firewall transparent
  • Page 124 (Chapter 5, Configuring the Firewall Mode: Setting Transparent or Routed Firewall Mode, continued)
  • Page 125: Chapter 6 Configuring Interface Parameters

    NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.
  • Page 126: Configuring Interfaces For Routed Firewall Mode

    If you are using failover, do not use this section to name interfaces that you are reserving for failover and Stateful Failover communications. See Chapter 14, “Configuring Failover,” to configure the failover and state links.
  • Page 127: Configuring An Interface

    The following example configures parameters for VLAN 101:
    hostname(config)# interface vlan 101
    hostname(config-if)# nameif inside
    hostname(config-if)# security-level 100
    hostname(config-if)# ip address 10.1.1.1 255.255.255.0
  • Page 128: Configuring Interfaces For Transparent Firewall Mode

    For device management, you have two available mechanisms:
    • Any bridge group management address—Connect to the bridge group network on which your management station is located.
  • Page 129: Guidelines And Limitations

    If you are using failover, do not use this section to name interfaces that you are reserving for failover and Stateful Failover communications. See Chapter 14, “Configuring Failover,” to configure the failover and state links.
  • Page 130: Configuring Transparent Firewall Interfaces For Through Traffic

    Step 1 hostname(config)# interface bvi bridge_group_number
    Step 2 Specify the IP address by entering the following command:
    hostname(config-if)# ip address ip_address [mask] [standby ip_address]
  • Page 131: Adding A Management Interface

    Do not enter the no form, because that command causes all commands that refer to that name to be deleted.
    Step 3 To set the security level, enter the following command:
  • Page 132 [Figure: three contexts (A, B, C), each with an Inside interface and a bridge group IP address (209.165.200.226, 209.165.201.2, 209.165.202.129)]
    Context A:
    hostname(config)# interface vlan500
  • Page 133 (continued)
    ... 30
    hostname(config-if)# interface vlan106
    hostname(config-if)# nameif outside
    hostname(config-if)# security-level 0
    hostname(config-if)# bridge-group 30
    hostname(config-if)# interface bvi 30
    hostname(config-if)# ip address 209.165.202.129 255.255.255.224
  • Page 134: Allowing Communication Between Interfaces On The Same Security Level

    (or a virus) on the internal network that scans thousands of Internet hosts, all entries in the xlate table may be quickly exhausted.
  • Page 135: Configuring Intra-interface Communication

    • Outside NAT is not supported.
    • You can configure static routes from one interface to another on the same security level.
  • Page 136: Turning Off And Turning On Interfaces

    Step 2 To disable the interface, enter the following command (in interface configuration mode):
    hostname(config-if)# shutdown
    Step 3 To reenable the interface, enter the following command:
    hostname(config-if)# no shutdown
  • Page 137: Changing The Passwords

    The password is saved in the configuration in encrypted form, so you cannot view the original password after you enter it. Use the no password command to restore the password to the default setting.
  • Page 138: Chapter 7 Configuring Basic Settings

    Step 5 Change the root password by entering the following command:
    root@localhost# passwd
    Step 6 Enter the new password at the prompt:
    Changing password for user root
    New password:
  • Page 139: Setting The Hostname

    Configuration Replication is NOT performed from Standby unit to Active unit. Configurations are no longer synchronized.
    context-CTX1-secondary %FWSM-5-111008: User 'enable_15' executed the 'logging console debug' command.
  • Page 140: Setting The Domain Name

    The order in which you enter the keywords determines the order of the elements in the prompt, which are separated by a slash (/). See the following descriptions for the keywords:
    • hostname—Displays the hostname.
    • domain—Displays the domain name.
  • Page 141: Configuring A Login Banner

    For example, to add a message-of-the-day banner, enter:
    hostname(config)# banner motd Welcome to $(hostname)
    hostname(config)# banner motd Contact me at admin@example.com for any
    hostname(config)# banner motd issues
  • Page 142 (Chapter 7, Configuring Basic Settings: Configuring a Login Banner, continued)
  • Page 143: How Routing Behaves Within Fwsm

    The FWSM processes this packet by looking up the route to select the egress interface; then source IP translation is performed (if necessary).
  • Page 144: Next Hop Selection Process

    • Your network is small and you can easily manage static routes.
    • You do not want the traffic or CPU overhead associated with routing protocols.
  • Page 145: Chapter 8 Configuring Ip Routing And Dhcp Services

    However, static routes are removed from the routing table if the associated interface goes down. They are reinstated when the interface comes back up.
  • Page 146: Configuring A Default Route

    FWSM for which there is no static or learned route is distributed among the gateways with the IP addresses 192.168.2.1, 192.168.2.2, 192.168.2.3.
    hostname(config)# route outside 0 0 192.168.2.1
    hostname(config)# route outside 0 0 192.168.2.2
    hostname(config)# route outside 0 0 192.168.2.3
  • Page 147: Monitoring A Static Or Default Route

    • To match any routes that have a destination network that matches a standard access list, enter the following command:
    hostname(config-route-map)# match ip address acl_id [acl_id] [...]
  • Page 148: Configuring Bgp Stub Routing

    The FWSM supports BGP stub routing. The BGP stub routing process advertises static and directly connected routes but does not accept routes advertised by the BGP peer.
  • Page 149: Bgp Stub Limitations

    To enable and configure a BGP routing process, perform the following steps:
    Step 1 Create the BGP routing process by entering the following command:
    hostname(config)# router bgp as-number
  • Page 150: Monitoring Bgp Stub Routing

    • To view debug messages for the BGP routing process, enter the following command:
    hostname# debug ip bgp
  • Page 151: Restarting The Bgp Stub Routing Process

    The cost can be configured to specify preferred paths. The disadvantage of shortest path first algorithms is that they require a lot of CPU cycles and memory.
  • Page 152: Enabling Ospf

    To define the IP addresses on which OSPF runs and to define the area ID for that interface, enter the following command:
    hostname(config-router)# network ip_address mask area area_id
    The following example shows how to enable OSPF:
    hostname(config)# router ospf 2
  • Page 153: Redistributing Routes Between Ospf Processes

    The following example shows route redistribution where the link-state cost is specified as 5 and the metric type is set to external, indicating that it has lower priority than internal metrics.
    hostname(config)# router ospf 1
  • Page 154: Configuring Ospf Interface Parameters

    To enable OSPF MD5 authentication, enter the following command:
    hostname(config-interface)# ospf message-digest-key key_id md5 key
    Set the following values:
    – key_id—An identifier in the range from 1 to 255.
  • Page 155 (show ospf output, continued)
    Number of DoNotAge external and opaque AS LSA 0
    Number of areas in this router is 1. 1 normal 0 stub 0 nssa
    External flood list length 0
    Area BACKBONE(0)
  • Page 156: Configuring Ospf Area Parameters

    The following example shows how to configure the OSPF area parameters:
    hostname(config)# router ospf 2
    hostname(config-router)# area 0 authentication
    hostname(config-router)# area 0 authentication message-digest
    hostname(config-router)# area 17 stub
  • Page 157: Configuring Ospf Nssa

    – You can set a type 7 default route that can be used to reach external destinations. When configured, the router generates a type 7 default into the NSSA or the NSSA area boundary router.
  • Page 158: Configuring A Point-to-point, Non-broadcast Ospf Neighbor

    ... 10.3.3.0 255.255.255.0 10.1.1.99 1
    hostname(config)# interface Vlan55
    hostname(config-if)# nameif outside
    hostname(config-if)# security-level 0
    hostname(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
    hostname(config-if)# ospf network point-to-point non-broadcast
  • Page 159: Configuring Route Summarization Between Ospf Areas

    Step 2 To set the summary address, enter the following command:
    hostname(config-router)# summary-address ip_address mask [not-advertise] [tag tag]
    OSPF does not support summary-address 0.0.0.0 0.0.0.0.
  • Page 160: Generating A Default Route

    SPF calculation. It can be an integer from 0 to 65535. The default time is 5 seconds. A value of 0 means that there is no delay; that is, the SPF calculation is started immediately.
  • Page 161: Logging Neighbors Going Up Or Down

    LSAs waiting to be sent out an interface. The benefit of the pacing is that OSPF update and retransmission packets are sent more efficiently.
  • Page 162: Monitoring Ospf

    [process-id] summary-address
    • To display OSPF-related virtual links information, enter the following command:
    hostname# show ospf [process-id] virtual-links
  • Page 163: Restarting The Ospf Process

    For example, enter the following commands:
    hostname(config)# rip inside default version 2 authentication md5 scorpius 1
  • Page 164: Configuring Eigrp

    EIGRP Routing Overview: EIGRP is an enhanced version of IGRP developed by Cisco. Unlike IGRP and RIP, EIGRP does not send out periodic route updates. EIGRP updates are sent out only when the network topology changes. Neighbor discovery is the process that the FWSM uses to dynamically learn of other routers on directly attached networks.
  • Page 165: Enabling And Configuring Eigrp Routing

    EIGRP updates.
    Step 3 (Optional) To prevent an interface from sending or receiving EIGRP routing messages, enter the following command:
  • Page 166: Enabling And Configuring Eigrp Stub Routing

    Step 1 Create the EIGRP routing process and enter router configuration mode for that process by entering the following command:
    hostname(config)# router eigrp as-num
  • Page 167: Enabling Eigrp Authentication

    % Asystem(100) specified does not exist
    The key argument can contain up to 16 characters. The key-id argument is a number from 0 to 255.
  • Page 168: Defining An Eigrp Neighbor

    • To redistribute connected routes into the EIGRP routing process, enter the following command:
    hostname(config-router)# redistribute connected [metric bandwidth delay reliability loading mtu] [route-map map_name]
  • Page 169: Configuring The Eigrp Hello Interval And Hold Time

    192.168.0.0. To prevent the possibility of traffic being routed to the wrong location, you should disable automatic route summarization on the routers creating the conflicting summary addresses.
  • Page 170: Configuring Summary Aggregate Addresses

    Step 1 Enter interface configuration mode for the interface on which you are disabling split horizon by entering the following command:
    hostname(config)# interface phy_if
  • Page 171: Changing The Interface Delay Value

    Monitoring EIGRP: You can use the following commands to monitor the EIGRP routing process. For examples and descriptions of the command output, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
    • To display the EIGRP event log, enter the following command:
  • Page 172: Disabling Neighbor Change And Warning Message Logging

    2 header is rewritten and the packet is re-injected into the stream. This section contains the following topics:
    • Adding Interfaces to ASR Groups, page 8-31
    • Asymmetric Routing Support Example, page 8-31
  • Page 173: Adding Interfaces To Asr Groups

    A is active. However, the return traffic is being routed through the unit where context B is active. Normally, the return traffic would be dropped because there is no session information
  • Page 174: Configuring Route Health Injection

    A on the unit where context A is in the active state. This forwarding continues as needed until the session ends.
    Configuring Route Health Injection
    Note: This feature depends on Cisco IOS Release 12.2(33)SXI or later, and is only available on the Catalyst 6500 switch.
  • Page 175: Rhi Guidelines

    NAT ID for multiple global commands on multiple interfaces, only those commands on the same interface as the redistribute command are used. You can enter only one redistribute nat command.
  • Page 176 (continued)
    ... (outside) 10 209.165.202.140-209.165.202.146 netmask 255.255.255.0
    hostname(config)# global (outside) 20 209.165.202.150-209.165.202.155 netmask 255.255.255.0
    hostname(config)# route-inject
    hostname(config-route-inject)# redistribute nat global-pool 10 interface outside
  • Page 177: Configuring Dhcp

    In multiple context mode, you cannot enable the DHCP server or DHCP relay on an interface that is used by more than one context.
  • Page 178 Step 8 To enable the DHCP daemon within the FWSM to listen for DHCP client requests on the enabled interface, enter the following command:
    hostname(config)# dhcpd enable interface_name
  • Page 179: Configuring Dhcp Options

    DHCP options that are not supported by the dhcpd option command:
    Table 8-1 Unsupported DHCP Options
    Option Code / Description: DHCPOPT_PAD, DHCPOPT_SUBNET_MASK, DHCPOPT_HOST_NAME, DHCPOPT_REQUESTED_ADDRESS, DHCPOPT_LEASE_TIME
  • Page 180: Using Cisco Ip Phones With A Dhcp Server

    Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route. Cisco IP Phones might include both option 150 and 66 in a single request. In this case, the FWSM DHCP server provides values for both options in the response if they are configured on the FWSM.
  • Page 181: Configuring Dhcp Relay Services

    Step 1 To configure an interface-specific server, enter the following commands:
    hostname(config)# interface {vlan vlan_id | mapped_name}
    hostname(config-if)# dhcprelay server ip_address
  • Page 182 (continued)
    ... 209.165.200.225 outside
    hostname(config)# dhcprelay server 209.165.201.4 dmz
    hostname(config)# dhcprelay enable inside1
    hostname(config)# dhcprelay setroute inside1
    hostname(config)# dhcprelay enable inside2
  • Page 183: Preserving Dhcp Option 82

    Verifying the DHCP Relay Configuration: To view the interface-specific DHCP relay configuration, enter the following command:
    hostname# show running-config dhcprelay interface [vlan vlan_id | mapped_name]
  • Page 184 (Configuring IP Routing and DHCP Services: Configuring DHCP, continued) To view the global DHCP relay configuration, enter the following command:
    hostname# show running-config dhcprelay global
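The option behaviour described on pages 179 to 184, as an added Python example that is not from the guide and not Cisco's code. It encodes and decodes RFC 2132 option TLVs strictly (truncated options and a missing End option are rejected, which is the input-validation point for anything that parses DHCP from an untrusted segment), refuses the option codes Table 8-1 lists as not settable with dhcpd option, answers a client's parameter request list the way the guide describes for Cisco IP Phones (options 3, 66 and 150 only when configured and asked for), and decodes the option 82 sub-options a relay agent adds (RFC 3046). The request, the addresses and the option 82 bytes are constructed for the example; the dhcpd option mechanics beyond the unsupported-code list are assumptions.

```python
"""DHCP option handling on the FWSM DHCP server and relay, as a worked example.

Added example (not from the Cisco guide). Uses only the RFC 2132 option
format and the RFC 3046 option 82 sub-option layout; packets and addresses
are constructed for the example.
"""
import ipaddress

# Codes the guide's Table 8-1 lists as unsupported by `dhcpd option`.
UNSUPPORTED_BY_DHCPD_OPTION = {0: "PAD", 1: "SUBNET_MASK", 12: "HOST_NAME",
                               50: "REQUESTED_ADDRESS", 51: "LEASE_TIME"}
OPT_PAD, OPT_ROUTER, OPT_PARAM_REQ, OPT_TFTP_NAME = 0, 3, 55, 66
OPT_RELAY_INFO, OPT_TFTP_ADDR, OPT_END = 82, 150, 255


def ip_list(addresses):
    """Option value for IP-address-list options such as 3 and 150."""
    return b"".join(ipaddress.IPv4Address(a).packed for a in addresses)


def encode_options(options):
    """Serialise [(code, value_bytes), ...] as RFC 2132 TLVs plus the End option."""
    out = bytearray()
    for code, value in options:
        if code in (OPT_PAD, OPT_END) or len(value) > 255:
            raise ValueError(f"cannot encode option {code} with {len(value)} bytes")
        out += bytes((code, len(value))) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(data):
    """Strict TLV parser: rejects truncated options and a missing End option."""
    options, i = [], 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return options
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        options.append((code, bytes(value)))
        i += 2 + length
    raise ValueError("missing End option")


def parse_relay_agent_info(value):
    """Option 82 sub-options: 1 = Agent Circuit ID, 2 = Agent Remote ID."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated sub-option")
        sub, length = value[i], value[i + 1]
        subs[sub] = bytes(value[i + 2:i + 2 + length])
        if len(subs[sub]) != length:
            raise ValueError(f"sub-option {sub} truncated")
        i += 2 + length
    return subs


class FwsmDhcpOptions:
    """Options configured with `dhcpd option`, and how they are answered."""

    def __init__(self):
        self.configured = {}

    def configure(self, code, value):
        if code in UNSUPPORTED_BY_DHCPD_OPTION:
            raise ValueError(f"option {code} ({UNSUPPORTED_BY_DHCPD_OPTION[code]}) "
                             "cannot be set with dhcpd option")
        self.configured[code] = value

    def reply_options(self, request_options):
        """Configured options the client asked for, in ascending code order."""
        requested = set()
        for code, value in request_options:
            if code == OPT_PARAM_REQ:
                requested.update(value)
        return [(c, v) for c, v in sorted(self.configured.items()) if c in requested]


if __name__ == "__main__":
    server = FwsmDhcpOptions()
    server.configure(OPT_ROUTER, ip_list(["10.1.1.1"]))
    server.configure(OPT_TFTP_NAME, b"tftp.example.com")
    server.configure(OPT_TFTP_ADDR, ip_list(["10.1.1.50", "10.1.1.51"]))
    # A phone asking for subnet mask, router, option 66 and option 150 at once.
    request = encode_options([(53, b"\x01"), (OPT_PARAM_REQ, bytes([1, 3, 66, 150]))])
    print(server.reply_options(decode_options(request)))
    print(parse_relay_agent_info(b"\x01\x03abc\x02\x02xy"))
```

Options 66 and 150 tell a phone where to fetch its configuration, so whoever controls those values on the DHCP server controls the phone's boot image and settings; that is the reason the server should answer them only on interfaces where phones actually live, and why option 82 from a relay (circuit ID identifying the port the request came in on) is worth keeping for audit.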
  • Page 185: Multicast Routing Overview

    Rendezvous Point, and therefore along the shared tree to receivers, without requiring source-specific state. The DF election takes place during Rendezvous Point discovery and provides a default route to the Rendezvous Point.
  • Page 186: C H A P T E R 9 Configuring Multicast Routing

    • Disabling IGMP on an Interface, page 9-3 • Configuring Group Membership, page 9-3 • Configuring a Statically Joined Group, page 9-3
  • Page 187: Disabling Igmp On An Interface

    To configure a statically joined multicast group on an interface, enter the following command:
    hostname(config-if)# igmp static-group group-address
  • Page 188: Controlling Access To Multicast Groups

    By default, the PIM designated router on the subnet is responsible for sending the query messages. By default, they are sent once every 125 seconds. To change this interval, enter the following command:
  • Page 189: Changing The Query Response Time

    To forward the host join and leave messages, enter the following command from the interface attached to the stub area:
    hostname(config-if)# igmp forward interface if_name
    Note: Stub Multicast Routing and PIM are not supported concurrently.
  • Page 190: Configuring A Static Multicast Route

    • Disabling PIM on an Interface You can disable PIM on specific interfaces. To disable PIM on an interface, enter the following command:
  • Page 191: Configuring A Static Rendezvous Point Address

    Filtering PIM Register Messages You can configure the FWSM to filter PIM register messages. To filter PIM register messages, enter the following command:
  • Page 192: Configuring Pim Message Intervals

    • RFC 2236 IGMPv2 • RFC 2362 PIM-SM • RFC 2588 IP Multicast and Firewalls • RFC 2113 IP Router Alert Option • IETF draft-ietf-idmr-igmp-proxy-01.txt
  • Page 193: Ipv6-enabled Commands

    • configure • copy • http • name • object-group • ping • show conn • show local-host • show tcpstat
  • Page 194: Configuring Ipv6 On An Interface

    You can configure both IPv6 and IPv4 addresses on an interface. Note: You cannot configure IPv6 on an interface that is used by more than one context (a shared VLAN).
  • Page 195 See the “Example 4: IPv6 Configuration Example” section on page B-13 for an example of IPv6 addresses applied to an interface.
  • Page 196: Configuring A Dual Ip Stack On An Interface

    Note: Changing this value changes it for all neighbor solicitation messages sent out on the interface, not just those used for duplicate address detection.
  • Page 197: Configuring Ipv6 Default And Static Routes

    | deny—Determines whether the specified traffic is blocked or allowed to pass. • icmp—Indicates that the access list entry applies to ICMP traffic.
  • Page 198: Configuring Ipv6 Neighbor Discovery

    After the source node receives the neighbor advertisement, the source node and destination node can communicate. Figure 10-1 shows the neighbor solicitation and response process.
  • Page 199: Configuring The Neighbor Solicitation Message Interval

    To configure the amount of time that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred, enter the following command:
    hostname(config-if)# ipv6 nd reachable-time value
  • Page 200: Configuring Router Advertisement Messages

    You can configure the following settings for router advertisement messages: • The time interval between periodic router advertisement messages.
  • Page 201: Configuring The Router Advertisement Transmission Interval

    Note: For stateless autoconfiguration to work properly, the advertised prefix length in router advertisement messages must always be 64 bits.
  • Page 202: Suppressing Router Advertisement Messages

    The output for the command shows the following: • The name and status of the interface. • The link-local and global unicast addresses.
  • Page 203: Viewing Ipv6 Routes

    O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
    fe80::/10 [0/0] via ::, inside
    fec0::a:0:0:a0a:a70/128 [0/0] via ::, inside
    fec0:0:0:a::/64 [0/0] via ::, inside
    ff00::/8 [0/0] via ::, inside
  • Page 204 (Chapter 10 Configuring IPv6, Verifying the IPv6 Configuration)
  • Page 205: Aaa Overview

    This section includes the following topics: • About Authentication, page 11-2 • About Authorization, page 11-2 • About Accounting, page 11-2
  • Page 206: C H A P T E R 11 Configuring Aaa Servers And The Local Database

    FWSM for the session, the service used, and the duration of each session.
  • Page 207: Aaa Server And Local Database Support

    2. For firewall sessions, RADIUS authorization is supported with user-specific access lists only, which are received or specified in a RADIUS authentication response.
    3. Local command authorization is supported by privilege level only.
  • Page 208: Radius Server Support

    The security appliance deletes the access list when the authentication session expires.
    TACACS+ Server Support
    The security appliance supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
  • Page 209: Sdi Server Support

    The FWSM uses NTLM version 1 for user authentication with the Microsoft Windows domain server. The FWSM grants or denies user access based on the response from the domain server. (NTLMv1 is a legacy protocol with well-known cryptographic weaknesses; where the environment allows, prefer Kerberos, RADIUS or TACACS+ for this role.)
  • Page 210: Kerberos Server Support

    With the exception of fallback for network access authentication, the local database can act as a fallback method for the functions in Table 11-1. This behavior is designed to help you prevent accidental lockout from the FWSM.
  • Page 211: Configuring The Local Database

    Step 1 Create the user account. To do so, enter the following command:
    hostname(config)# username username {nopassword | password password} [privilege level]
  • Page 212 The following commands create a user account with a password, enter username mode, and specify a few VPN attributes:
    hostname(config)# username user1 password gOgeOus
    hostname(config)# username user1 attributes
  • Page 213: Identifying Aaa Server Groups And Servers

    For more information about this command, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
  • Page 214 (indicated by “—”), use the command to specify the value. For more information about these commands, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
  • Page 215 AuthOutbound protocol radius
    hostname(config-aaa-server-group)# exit
    hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.3
    hostname(config-aaa-server-host)# key RadUauthKey
    hostname(config-aaa-server-host)# exit
    hostname(config)# aaa-server NTAuth protocol nt
  • Page 216 (Configuring AAA Servers and the Local Database, Identifying AAA Server Groups and Servers)
    hostname(config-aaa-server-group)# exit
    hostname(config)# aaa-server NTAuth (inside) host 10.1.1.4
    hostname(config-aaa-server-host)# nt-auth-domain-controller primary1
  • Page 217: Public Key Cryptography

    This process relies on the receiver having a copy of the public key of the sender and a high degree of certainty that this key belongs to the sender, not to someone pretending to be the sender.
  • Page 218: C H A P T E R 12 Configuring Certificates

    Separate signing and encryption keys help reduce exposure of the keys. This is because SSL uses a key for encryption but not signing, while IKE uses a key for signing but not encryption.
  • Page 219: About Trustpoints

    • Exporting and Importing Keypairs and Certificates, page 12-7 • Linking Certificates to a Trustpoint, page 12-9 • Configuration Example: Cut-Through-Proxy Authentication, page 12-9
  • Page 220: Preparing For Certificates

    If you do not assign a label, the key pair is automatically labeled Default-RSA-Key. To assign a label to each key pair, enter the following command:
    hostname/contexta (config)# crypto key generate rsa label key-pair-label
  • Page 221: Removing Key Pairs

    For the aaa authentication include command, users can be authenticated or authorized only by a TACACS+ or RADIUS server designated by the aaa-server command.
  • Page 222: Verifying Configurations For Specified Settings

    Step 2 To configure secure authentication to the HTTP client (so that HTTP authentication credentials are collected over SSL rather than in clear text), enter the following command:
    hostname(config)# aaa authentication secure-http-client
    For more information about command usage, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
    Verifying Configurations for Specified Settings
    Before you import third-party certificates, you must have configured certain AAA settings, the AAA server, access lists, and optionally, virtual HTTP.
  • Page 223: Exporting And Importing Keypairs And Certificates

    To control which trustpoint sharing a CA is used for validation of user certificates issued by that CA, enter the support-user-cert-validation command.
  • Page 224 Inc. c=US
    Subject Name:
    cn=atl-lx-sbacchus.cisco.com
    o=Cisco Systems\, Inc
    sa=170 West Tasman Dr
    l=San Jose
    st=California
    pc=95134
    c=US
    serialNumber=C1183477
    2.5.4.15=#131256312e302c20436c6175736520352e286229
    1.3.6.1.4.1.311.60.2.1.2=#130a43616c69666f726e6961
    1.3.6.1.4.1.311.60.2.1.3=#13025553
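    The three OID-keyed lines in the subject above carry their values as "#" followed by hex, which is the DER encoding of the attribute value (RFC 4514 uses this form for attribute types the printer has no string syntax for). The Python below is an added example, not FWSM output or Cisco code: it decodes such a value, checks the tag and length before trusting the bytes, and maps the OIDs to their registered names (2.5.4.15 is X.520 businessCategory; 1.3.6.1.4.1.311.60.2.1.x are the CA/Browser Forum Extended Validation jurisdiction-of-incorporation attributes). The sample lines are the ones printed on this page.

```python
"""Decode the '#<hex>' attribute values that appear in the FWSM's certificate
subject output. The hex is the DER encoding of the value: tag, length, bytes.
Added example, not FWSM code; the sample lines are the ones shown on the page."""
from typing import Tuple

STRING_TAGS = {
    0x0C: "UTF8String",
    0x13: "PrintableString",
    0x14: "T61String",
    0x16: "IA5String",
    0x1E: "BMPString",
}

# Well-known attribute types the FWSM prints by OID (X.520 and the EV guidelines).
OID_NAMES = {
    "2.5.4.5": "serialNumber",
    "2.5.4.15": "businessCategory",
    "1.3.6.1.4.1.311.60.2.1.1": "jurisdictionOfIncorporationLocalityName",
    "1.3.6.1.4.1.311.60.2.1.2": "jurisdictionOfIncorporationStateOrProvinceName",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionOfIncorporationCountryName",
}


def der_string(hex_value: str) -> Tuple[str, str]:
    """Parse '#<hex>' (or bare hex) into (tag name, decoded text).
    Handles short- and long-form definite lengths; rejects length mismatches."""
    raw = bytes.fromhex(hex_value.lstrip("#"))
    if len(raw) < 2:
        raise ValueError("too short for a DER TLV")
    tag, first = raw[0], raw[1]
    if first & 0x80:                       # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(raw) < 2 + n:
            raise ValueError("bad long-form length")
        length = int.from_bytes(raw[2:2 + n], "big")
        body = raw[2 + n:]
    else:
        length = first
        body = raw[2:]
    if len(body) != length:
        raise ValueError("declared length %d does not match %d body bytes" % (length, len(body)))
    if tag not in STRING_TAGS:
        raise ValueError("tag 0x%02x is not a string type this decoder handles" % tag)
    if tag == 0x1E:
        text = body.decode("utf-16-be")
    elif tag == 0x0C:
        text = body.decode("utf-8")
    else:
        text = body.decode("ascii")        # PrintableString/IA5String are ASCII subsets
    return STRING_TAGS[tag], text


def decode_subject_line(line: str) -> str:
    """Turn 'oid=#hex' into 'name=text'; lines without a hex value pass through."""
    if "=#" not in line:
        return line
    oid, value = line.split("=", 1)
    _, text = der_string(value)
    return "%s=%s" % (OID_NAMES.get(oid, oid), text)


# The OID-keyed lines exactly as they appear in the certificate output above.
SAMPLE_LINES = [
    "2.5.4.15=#131256312e302c20436c6175736520352e286229",
    "1.3.6.1.4.1.311.60.2.1.2=#130a43616c69666f726e6961",
    "1.3.6.1.4.1.311.60.2.1.3=#13025553",
]

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        print(decode_subject_line(ln))
```

    Decoded, the lines read businessCategory=V1.0, Clause 5.(b), jurisdictionOfIncorporationStateOrProvinceName=California and jurisdictionOfIncorporationCountryName=US, which marks this as an Extended Validation certificate issued to a private organization; knowing that helps when deciding which trustpoint should be allowed to validate certificates from the issuing CA.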
  • Page 225: Linking Certificates To A Trustpoint

    FWACL extended permit tcp any any eq https
    access-group FWACL in interface outside
    timeout uauth 0:05:00 absolute
    aaa-server TacacsServers protocol tacacs+
    reactivation-mode depletion deadtime 2
  • Page 226 The auth-prompt series of commands changes the prompt that users see, so you know that the FWSM is making the request.
  • Page 227: Access List Overview

    • IP Addresses Used for Access Lists When You Use NAT, page 13-3 • Access List Commitment, page 13-5 • Maximum Number of ACEs, page 13-6
  • Page 228: Access List Types

    ACEs are checked. For example, if you create an ACE at the beginning of an access list that explicitly permits all traffic, no further statements are ever checked. You can disable an ACE by making it inactive.
  • Page 229: C H A P T E R 13 Identifying Traffic With Access Lists

    See the following commands for this example:
    hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225
    hostname(config)# access-group INSIDE in interface inside
  • Page 230 See the following commands for this example:
    hostname(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5
    hostname(config)# access-group OUTSIDE in interface outside
  • Page 231: Access List Commitment

    For information about exceeding memory limits, see the “Maximum Number of ACEs” section.
  • Page 232: Maximum Number Of Aces

    ICMP inspection engine. The ICMP inspection engine treats ICMP sessions as bidirectional connections.
  • Page 233: Allowing Broadcast And Multicast Traffic Through The Transparent Firewall

    (for example, INSIDE), or for the purpose for which it is created (for example, NO_NAT or VPN).
  • Page 234 When you specify a network mask, the method is different from the Cisco IOS software access-list command. The FWSM uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
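    To make the first-match rule from the Access List Types section concrete, and to show the mask difference called out just above, here is an added Python example (not Cisco code and not the FWSM's implementation): it parses extended ACEs written in FWSM syntax with network masks, looks a packet up in configuration order with the implicit deny at the end of the list, and converts an IOS wildcard mask to the equivalent FWSM network mask. The sample access list is constructed; its second line can never be reached because line 1 permits the same traffic first, which is exactly the situation the text warns about.

```python
"""Model how the FWSM matches a packet against an extended access list: ACEs
are checked in order, the first match wins, and a packet that matches nothing
is denied. Also converts a Cisco IOS wildcard mask to the network mask the
FWSM syntax expects. Added example; the ACL text below is constructed."""
import ipaddress
import re

ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>ip|tcp|udp|icmp)\s+(?P<src>any|host \S+|\S+ \S+)\s+"
    r"(?P<dst>any|host \S+|\S+ \S+)(?:\s+eq\s+(?P<port>\d+))?\s*$")


def wildcard_to_netmask(wildcard: str) -> str:
    """IOS wildcard bits -> FWSM network mask, e.g. 0.0.0.255 -> 255.255.255.0.
    Raises ValueError for a non-contiguous wildcard, which has no netmask form."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = str(ipaddress.IPv4Address((~w) & 0xFFFFFFFF))
    ipaddress.IPv4Network(("0.0.0.0", mask))   # rejects masks that are not contiguous
    return mask


def _network(field: str) -> ipaddress.IPv4Network:
    """'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' (network mask, not wildcard)."""
    if field == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if field.startswith("host "):
        return ipaddress.IPv4Network(field.split()[1] + "/32")
    addr, mask = field.split()
    return ipaddress.IPv4Network((addr, mask), strict=False)


def parse_acl(text: str, name: str) -> list:
    """Return the ACEs of access list `name` in configuration order."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m["name"] == name:
            aces.append({
                "action": m["action"], "proto": m["proto"],
                "src": _network(m["src"]), "dst": _network(m["dst"]),
                "port": int(m["port"]) if m["port"] else None,
                "line": line.strip(),
            })
    return aces


def evaluate(aces: list, proto: str, src: str, dst: str, dport: int = None):
    """First-match lookup. Returns (action, text of the matching ACE or None).
    An 'ip' ACE matches every protocol; an ACE without 'eq' matches every port."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"], ace["line"]
    return "deny", None          # implicit deny at the end of every access list


# Constructed configuration: the deny on line 2 is never reached because the
# broader permit on line 1 matches the same traffic first.
SAMPLE_CONFIG = """
access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 any
access-list INSIDE extended deny tcp host 10.1.1.89 host 209.165.201.78 eq 80
access-list INSIDE extended permit tcp 10.1.2.0 255.255.255.0 host 209.165.201.5 eq 443
"""

if __name__ == "__main__":
    aces = parse_acl(SAMPLE_CONFIG, "INSIDE")
    print(evaluate(aces, "tcp", "10.1.1.89", "209.165.201.78", 80))   # permit, via line 1
    print(evaluate(aces, "tcp", "10.1.2.7", "209.165.201.5", 443))    # permit, via line 3
    print(evaluate(aces, "udp", "10.1.2.7", "209.165.201.5", 53))     # implicit deny
    print(wildcard_to_netmask("0.0.0.255"))                           # 255.255.255.0
```

    Pasting an IOS-style ACE with 0.0.0.255 into the FWSM would be parsed as a network mask, so the conversion step is the one to run before migrating rules; the evaluator's first result shows why reordering, not just adding a deny, is needed to block the host in line 2.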
  • Page 235: Adding An Ethertype Access List

    IP traffic that you previously allowed with an extended access list. IPv4 and ARP traffic cannot be controlled with an EtherType access list.
  • Page 236: Using Extended And Ethertype Access Lists On The Same Interface

    FWSM to use the IP address on the FWSM interface as the router-id for LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.) On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the FWSM.
  • Page 237: Adding A Standard Access List

    For example, consider the following three object groups: • MyServices—Includes the TCP and UDP port numbers of the service requests that are allowed access to the internal network
  • Page 238: Adding Object Groups

    The description can be up to 200 characters.
    Step 3 To define the protocols in the group, enter the following command for each protocol:
    hostname(config-protocol)# protocol-object protocol
  • Page 239: Adding A Network Object Group

    Administrator Addresses
    hostname(config-network)# network-object host 10.1.1.4
    hostname(config-network)# network-object host 10.1.1.78
    hostname(config-network)# network-object host 10.1.1.34
  • Page 240: Adding A Service Object Group

    You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.
  • Page 241: Nesting Object Groups

    For example, you create network object groups for privileged users from various departments:
    hostname(config)# object-group network eng
    hostname(config-network)# network-object host 10.1.1.5
    hostname(config-network)# network-object host 10.1.1.9
    hostname(config-network)# network-object host 10.1.1.89
    hostname(config-network)# object-group network hr
  • Page 242: Using Object Groups With An Access List

    ACL_IN extended deny tcp host 10.1.1.89 host 209.165.201.78 eq www
    hostname(config)# access-list ACL_IN extended permit ip any any
    hostname(config)# access-group ACL_IN in interface inside
  • Page 243: Displaying Object Groups

    [protocol | network | services | icmp-type] If you do not enter a type, all object groups are removed.
  • Page 244: Adding Remarks To Access Lists

    Before optimization:
    access-list test extended permit udp 10.1.1.0 255.255.255.0 any [rule x]
    access-list test extended permit udp 10.1.1.1 255.255.255.255 any [rule y]
  • Page 245 80 130 log disable [rule y]
    After optimization:
    access-list test extended deny tcp any any range 50 100 log default [rule x]
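    Access list group optimization, as the before/after listings above show, drops ACEs that an earlier ACE with the same action already covers and merges ACEs that differ only in their port ranges. The Python below is an added example of that idea, not the FWSM's algorithm: it reports a later same-action ACE that is fully covered by an earlier one as redundant, merges overlapping or adjacent port ranges only when no ACE with the opposite action sits between the two and could be affected, and reports a covered ACE with the opposite action as shadowed instead of deleting it, because that is a configuration mistake rather than a redundancy. The rule set is constructed and only loosely modelled on the listing above.

```python
"""Static check of an extended access list in the spirit of access list group
optimization. Added example; the rule set at the bottom is constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional, Tuple

Range = Tuple[int, int]


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp" or "icmp"
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[Range] = None   # (low, high) destination ports; None = any port

    def covers(self, other: "Ace") -> bool:
        """True if every packet matching `other` also matches `self`."""
        if self.proto not in ("ip", other.proto):
            return False
        if not (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)):
            return False
        if self.ports is None:
            return True
        if other.ports is None:
            return False
        return self.ports[0] <= other.ports[0] and other.ports[1] <= self.ports[1]

    def intersects(self, other: "Ace") -> bool:
        """True if at least one packet matches both ACEs."""
        if self.proto != other.proto and "ip" not in (self.proto, other.proto):
            return False
        if not (self.src.overlaps(other.src) and self.dst.overlaps(other.dst)):
            return False
        if self.ports is None or other.ports is None:
            return True
        return self.ports[0] <= other.ports[1] and other.ports[0] <= self.ports[1]

    def same_except_ports(self, other: "Ace") -> bool:
        return (self.action, self.proto, self.src, self.dst) == \
               (other.action, other.proto, other.src, other.dst)


def optimize(aces: List[Ace]) -> Tuple[List[Ace], List[str]]:
    """Return (optimized ACEs in their original relative order, findings)."""
    kept: List[Ace] = []
    notes: List[str] = []
    for ace in aces:
        earlier = next((k for k in kept if k.covers(ace)), None)
        if earlier is not None:
            if earlier.action == ace.action:
                notes.append("redundant: %s is covered by %s" % (ace, earlier))
            else:
                # first match wins, so this ACE can never fire; keep it visible
                notes.append("SHADOWED: %s can never match, %s is hit first" % (ace, earlier))
                kept.append(ace)
            continue
        for i, k in enumerate(kept):
            adjacent = (k.same_except_ports(ace) and k.ports and ace.ports
                        and ace.ports[0] <= k.ports[1] + 1 and k.ports[0] <= ace.ports[1] + 1)
            # merging pulls `ace` forward to position i; refuse if an opposite-action
            # ACE between i and the end of the list would change what it matches
            safe = not any(o.action != ace.action and o.intersects(ace) for o in kept[i + 1:])
            if adjacent and safe:
                new = (min(k.ports[0], ace.ports[0]), max(k.ports[1], ace.ports[1]))
                kept[i] = Ace(k.action, k.proto, k.src, k.dst, new)
                notes.append("merged port ranges %s and %s into %s" % (k.ports, ace.ports, new))
                break
        else:
            kept.append(ace)
    return kept, notes


ANY = IPv4Network("0.0.0.0/0")

# Constructed list modelled on the guide's "before optimization" listing.
SAMPLE = [
    Ace("permit", "udp", IPv4Network("10.1.1.0/24"), ANY),
    Ace("permit", "udp", IPv4Network("10.1.1.1/32"), ANY),            # redundant
    Ace("deny", "tcp", ANY, ANY, (50, 80)),
    Ace("deny", "tcp", ANY, ANY, (81, 100)),                           # adjacent: becomes 50-100
    Ace("deny", "tcp", IPv4Network("10.1.1.5/32"), ANY, (60, 70)),     # redundant after the merge
    Ace("permit", "tcp", IPv4Network("10.1.1.9/32"), ANY, (55, 55)),   # shadowed by the deny
]

if __name__ == "__main__":
    kept, notes = optimize(SAMPLE)
    print("%d elements before optimization, %d after" % (len(SAMPLE), len(kept)))
    for note in notes:
        print(note)
```

    Run on the sample, six elements become three, matching the style of the show access-list optimization summary further down; the SHADOWED finding is the one to act on by hand, since the device's optimizer will not reorder rules for you.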
  • Page 246: Configuring Access List Group Optimization

    The following is an example of an optimized access list configuration.
  • Page 247 Show the optimized access list:
    hostname(config)# show access-list test optimization
    access-list test; 13 elements before optimization
    7 elements after optimization
    Reduction rate = 46%
  • Page 248 Show the optimized access list range 6 through 9 in detail:
    hostname(config)# show access-list test optimization detail range 6 9
    access-list test; 13 elements before optimization
  • Page 249 This will cause some rules to be deleted. Thus, it is considered a good practice to back up the original configuration before proceeding with disabling access list group optimization.
  • Page 250: Scheduling Extended Access List Activation

    Because no end time and date are specified, the time range is in effect indefinitely.
    hostname(config)# time-range for2006
    hostname(config-time-range)# absolute start 8:00 1 january 2006
  • Page 251: Applying The Time Range To An Ace

    106100, which provides statistics for each ACE and lets you limit the number of system log messages produced. Alternatively, you can disable all logging.
  • Page 252: Configuring Logging For An Ace

    ICMP, all packets are logged even if they are permitted, and all denied packets are logged. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Log Messages for detailed information about this system log message.
  • Page 253: Managing Deny Flows

    When the limit is reached, the FWSM does not create a new deny flow for logging until the existing flows expire.
  • Page 254 The seconds are between 1 and 3600. 300 is the default.
  • Page 255: Understanding Failover

    • Transparent Firewall Requirements, page 14-7 • Active/Standby and Active/Active Failover, page 14-8 • Regular and Stateful Failover, page 14-17 • Failover Health Monitoring, page 14-19
  • Page 256: Chapter 14 Configuring Failover

    All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. Because the active unit replicates its entire configuration to the standby unit, this includes any shared secrets in that configuration (for example, aaa-server keys), so configure a failover key unless the failover VLANs are physically isolated.
  • Page 257: State Link

    Even though both FWSMs are assigned the same VLANs, only the active module takes part in networking. The standby module does not pass any traffic.
  • Page 258: Inter-chassis Failover

    FWSM VLANs (VLANs 10 and 11). Note: FWSM failover is independent of the switch failover operation; however, FWSM works in any switch failover scenario.
  • Page 259 [Figure: inter-chassis failover, normal operation. Failover links VLAN 10 and VLAN 11 are carried on a trunk (VLANs 10 & 11) between the Active FWSM and the Standby FWSM; firewall VLANs shown are VLAN 201 Inside, VLAN 202 and VLAN 203 Mktg.]
  • Page 260 [Figure: inter-chassis failover after a failure. The same failover links (VLAN 10, VLAN 11 on the trunk carrying VLANs 10 & 11) now join a Failed FWSM and the Active FWSM; firewall VLANs shown are VLAN 201 Inside, VLAN 202 and VLAN 203 Mktg.]
  • Page 261: Transparent Firewall Requirements

    Because the FWSMs bridge packets between the same two VLANs, loops can occur when inside packets destined for the outside get
  • Page 262: Active/standby And Active/active Failover

    • Device Initialization and Configuration Synchronization, page 14-9 • Command Replication, page 14-11 • Failover Triggers, page 14-11 • Failover Actions, page 14-12
  • Page 263 (except for the failover commands needed to communicate with the active unit), and the active unit sends its entire configuration to the standby unit.
  • Page 265 • The no failover active command is entered on the active unit or the failover active command is entered on the standby unit.
  • Page 266: Active/active Failover

    • Primary/Secondary Status and Active/Standby Status, page 14-13 • Device Initialization and Configuration Synchronization, page 14-14 • Command Replication, page 14-14
  • Page 267 Note: FWSM does not provide load balancing services. Load balancing must be handled by a router passing traffic to FWSM.
  • Page 268 Failure to enter the commands on the appropriate unit for command replication to occur will cause the configurations to become out of synchronization. Those changes may be lost the next time configuration synchronization occurs.
  • Page 269 • The unit has a software failure. • The no failover active or the failover active command is entered in the system execution space.
  • Page 270 (Table row for a failover link that is down at startup: No failover / Become active / Become active.) If the failover link is down at startup, both failover groups on both units will become active.
  • Page 271: Determining Which Type Of Failover To Use

    FWSM supports two types of failover, regular and stateful. This section includes the following topics: • Regular Failover, page 14-18 • Stateful Failover, page 14-18
  • Page 272: Regular Failover

    • Note: If failover occurs during an active Cisco IP SoftPhone session, the call will remain active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client will lose connection with the CallManager. This occurs because there is no session information for the CTIQBE hangup message on the standby unit.
  • Page 273: Failover Health Monitoring

    5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the ARP test begins.
  • Page 274: Rapid Link Failure Detection

    • Using Active/Standby Failover, page 14-21 • Using Active/Active Failover, page 14-26 • Configuring Failover Communication Authentication/Encryption, page 14-31 • Verifying the Failover Configuration, page 14-31
  • Page 275: Failover Configuration Limitations

    For multiple context mode, all steps are performed in the system execution space unless otherwise noted.
  • Page 276 Note: If the state link uses the failover link, skip this step. You have already defined the failover link active and standby IP addresses.
  • Page 277 Enter this command exactly as you entered it on the primary unit when you configured the failover interface on the primary unit.
  • Page 278: Configuring Optional Active/standby Failover Settings

    1200 seconds. If the delay is not specified, there is no delay. When the primary unit becomes active, the secondary unit enters the standby state.
  • Page 279 When specifying a specific number of interfaces, the num argument can be from 1 to 250. When specifying a percentage of interfaces, the num argument can be from 1 to 100.
  • Page 280: Using Active/active Failover

    Do not configure an IP address for the failover link or for the state link (if you are going to use Note Stateful Failover). hostname(config-if)# ip address active_addr netmask standby standby_addr Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-26 OL-20748-01...
  • Page 281 Configure the failover groups. You can have at most two failover groups. The failover group command Step 4 creates the specified failover group if it does not exist and enters the failover group configuration mode. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-27 OL-20748-01...
  • Page 282 Enter this command exactly as you entered it on the primary unit when you configured the Note failover interface. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-28 OL-20748-01...
  • Page 283: Configuring Optional Active/active Failover Settings

    However, if one unit boots before the other, then both failover groups become active on that unit. When the other unit comes online, any failover groups Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-29...
  • Page 284 When specifying a specific number of interfaces, the num argument can be from 1 to 250. When specifying a percentage of interfaces, the num argument can be from 1 to 100. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-30...
  • Page 285: Configuring Failover Communication Authentication/encryption

    This section includes the following topics: Viewing Failover Status for Active/Standby, page 14-32 • Viewing Failover Status for Active/Active, page 14-35 • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-31 OL-20748-01...
  • Page 286 Interface outside (192.168.5.121): Normal Interface inside (192.168.0.1): Normal Peer context: Not Detected Active time: 0 (sec) Interface outside (192.168.5.131): Normal Interface inside (192.168.0.11): Normal Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-32 OL-20748-01...
  • Page 287 The amount of time the unit has been active. This time is cumulative, so the standby unit, if it was active in the past, will also show a value. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-33...
  • Page 288 L2BRIDGE tbl Layer 2 bridge table information (transparent firewall mode only). Xlate_Timeout Indicates connection translation timeout information. VPN IKE upd IKE connection information. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-34 OL-20748-01...
  • Page 289 Interface outside (10.3.3.2): Normal ctx2 Interface inside (10.4.4.2): Normal Other host: Secondary Group 1 State: Standby Ready Active time: 190 (sec) Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-35 OL-20748-01...
  • Page 290 Interface outside (192.168.5.131): Normal admin Interface inside (192.168.0.11): Normal Stateful Failover Logical Update Statistics Status: Configured. RPC services TCP conn UDP conn ARP tbl Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-36 OL-20748-01...
  • Page 291 Unknown—FWSM cannot determine the status of the interface. • Waiting—Monitoring of the network interface on the other unit has • not yet started. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-37 OL-20748-01...
  • Page 292 GTP PDP update information. This information appears only if inspect GTP is enabled. GTP PDPMCB GTP PDPMCB update information. This information appears only if inspect GTP is enabled. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-38 OL-20748-01...
  • Page 293: Viewing Monitored Interfaces

    For Active/Active failover, enter the following command on the unit where failover group containing • the interface connecting your hosts is active: Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-39 OL-20748-01...
  • Page 294: Controlling And Monitoring Failover

    Or, enter the following command in the system execution space of the unit where the failover group is in the active state: hostname# no failover active group group_id Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-40 OL-20748-01...
  • Page 295: Disabling Failover

    If previously active, a failover group will become active if it is configured with the preempt command and if the unit on which it failed is its preferred unit. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-41...
  • Page 296: Monitoring Failover

    411001 and 411002. This is normal activity. Debug Messages To see debug messages, enter the debug fover command. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information. Because debugging output is assigned high priority in the CPU process, it can drastically affect system Note performance.
  • Page 297 PART: Configuring the Security Policy...
  • Page 299: Chapter 15 Permitting Or Denying Network Access

  • Page 300 HR extended permit ip any any hostname(config)# access-group HR in interface hr hostname(config)# access-list ENG extended permit ip any any hostname(config)# access-group ENG in interface eng...
  • Page 301: Inbound And Outbound Access List Overview

    209.165.200.225 eq www hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.201.8 host 209.165.200.225 eq www hostname(config)# access-group OUTSIDE out interface outside...
  • Page 302: Applying An Access List To An Interface

    The following access list denies traffic with EtherType 0x1256 but allows all others on both interfaces: hostname(config)# access-list ETHER ethertype deny 1256 hostname(config)# access-list ETHER ethertype permit any hostname(config)# access-group ETHER in interface inside...
  • Page 303 Chapter 15 Permitting or Denying Network Access Applying an Access List to an Interface hostname(config)# access-group ETHER in interface outside...
  • Page 304 ...
  • Page 305: Configuring Nat

    • Order of NAT Commands Used to Match Real Addresses, page 16-15 • Maximum Number of NAT Statements, page 16-15 • Mapped Address Guidelines, page 16-15 • DNS and NAT, page 16-16...
  • Page 306: Chapter 16 Configuring Nat

    209.165.201.10, and the FWSM receives the packet. The FWSM then undoes the translation of the mapped address, 209.165.201.10, back to the real address, 10.1.1.27, before sending it on to the host...
  • Page 307: Nat In Transparent Mode

    ARP request to a host on the other side of the firewall, and the initiating host real address is mapped to a different address on the same subnet, then the real address remains visible in the ARP request...
  • Page 308 192.168.1.0 255.255.255.0 10.1.1.3 1 hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0 hostname(config)# nat (inside) 1 192.168.1.0 255.255.255.0 hostname(config)# global (outside) 1 209.165.201.1-209.165.201.15...
  • Page 309: Nat Control

    NAT. If you upgraded from an earlier version of software, however, NAT control might be enabled on your system...
  • Page 310: Nat Types

    IP address after the translation times out. (See the timeout xlate command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.) Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (even if the connection is allowed by an access list), and the FWSM rejects any attempt to connect to a real host address directly.
  • Page 311 Because the address is unpredictable, a connection to the host is unlikely. However, in this case, you can rely on the security of the access list...
  • Page 312: Pat

    (if there is an access list that allows it), while dynamic NAT does not. You also need an equal number of mapped addresses as real addresses with static NAT...
  • Page 313: Static Pat

    8080. Similarly, if you want to provide extra security, you can tell your web users to connect to non-standard port 6785, and then undo translation to port 80...
  • Page 314: Bypassing Nat When Nat Control Is Enabled

    IP addresses for the secondary channel. This way, the FWSM translates the secondary ports...
  • Page 315 (inside) 1 access-list NET1 hostname(config)# global (outside) 1 209.165.202.129 hostname(config)# nat (inside) 2 access-list NET2 hostname(config)# global (outside) 2 209.165.202.130...
  • Page 316 ...
  • Page 317: Nat Session (xlate) Creation

    Because there is a maximum number of NAT sessions (see the “Managed System Resources” section on page A-4), these types of NAT sessions might cause you to run into the limit...
  • Page 318: Nat And Pat Global Pool Usage

    These inspection engines include Skinny, SIP, and H.323. See the “Inspection Engine Overview” section on page 22-2 for supported inspection engines...
  • Page 319: Order Of Nat Commands Used To Match Real Addresses

    If you use OSPF to advertise mapped IP addresses that belong to a different subnet from the mapped interface, you need to create...
  • Page 320: Dns And Nat

    NAT it. The necessary route can be learned via static routing or by any other routing protocol, such as RIP or OSPF...
  • Page 321 See the following command for this example: hostname(config)# static (inside,outside) 209.165.201.10 10.1.3.14 netmask 255.255.255.255 Note: If a user on a different network (for example, DMZ) also requests the IP address for ftp.cisco.com from the outside DNS server, then the IP address in the DNS reply is also modified for this user, even though the user is not on the Inside interface referenced by the static command.
  • Page 322: Configuring Nat Control

    To enable NAT control, enter the following command: hostname(config)# nat-control To disable NAT control, enter the no form of the command...
  • Page 323: Configuring Xlate Bypass

    This section describes how to configure dynamic NAT and PAT, and it includes the following topics: • Dynamic NAT and PAT Implementation, page 16-20 • Configuring Dynamic NAT or PAT, page 16-26...
  • Page 324: Dynamic Nat And Pat Implementation

    NAT 1: 10.1.2.0/24 Inside 10.1.2.27 See the following commands for this example: hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0 hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10...
  • Page 325 (inside) 1 10.1.2.0 255.255.255.0 hostname(config)# nat (inside) 1 192.168.1.0 255.255.255.0 hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10...
  • Page 326 NAT, you can specify the same real addresses for multiple nat commands, as long as the destination addresses and ports are unique in each access list...
  • Page 327 PAT statement in case all the dynamic NAT addresses are depleted. Similarly, you might enter two PAT statements if you need more than the approximately 64,000 PAT sessions that a single PAT mapped statement supports. (See Figure 16-18.)...
  • Page 328 Inside interface), the inside host uses a static command to allow outside access, so both the source and destination addresses are translated...
  • Page 329 NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected...
  • Page 330: Configuring Dynamic Nat Or Pat

    Step 1 To identify the real addresses that you want to translate, enter one of the following commands: • Policy NAT: hostname(config)# nat (real_interface) nat_id access-list acl_name [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]...
  • Page 331 However, leaving ISN randomization enabled on both firewalls does not affect the...
  • Page 332 (10.1.1.0), for example, to simplify routing, enter the following commands: hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns hostname(config)# global (inside) 1 10.1.1.45...
  • Page 333: Using Static Nat

    Figure 16-22 Static NAT: FWSM with inside hosts 10.1.1.1 and 10.1.1.2 mapped to outside addresses 209.165.201.1 and 209.165.201.2...
  • Page 334 The clear xlate command clears all connections, even when xlate-bypass is enabled and when a connection does not have an xlate. For more information about these commands, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
  • Page 335: Using Static Pat

    Do not use a mapped address in the static command that is also defined in a global command for the same mapped interface. For more information about static PAT, see the “Static PAT” section on page 16-9...
  • Page 336 (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering the following commands: hostname(config)# access-list TELNET permit tcp host 10.1.1.15 10.1.3.0 255.255.255.0 eq telnet...
  • Page 337: Bypassing Nat

    This section includes the following topics: • Configuring Identity NAT, page 16-34 • Configuring Static Identity NAT, page 16-34 • Configuring NAT Exemption, page 16-36...
  • Page 338: Configuring Identity Nat

    NAT or policy NAT. Policy NAT lets you identify the real and destination addresses when determining the real addresses to translate. (See the “Policy NAT” section on page 16-10 for more...
  • Page 339 For example, the following command uses static identity NAT for an inside IP address (10.1.1.3) when accessed by the outside: hostname(config)# static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255...
  • Page 340: Configuring Nat Exemption

    NAT exemption also does not consider the inactive or time-range keywords; all ACEs are considered to be active for NAT exemption configuration...
  • Page 341: Nat Examples

    This section describes typical scenarios that use NAT solutions, and it includes the following topics: • Overlapping Networks, page 16-38 • Redirecting Ports, page 16-39...
  • Page 342: Overlapping Networks

    Step 3 Configure the following static routes so that traffic to the DMZ network can be routed correctly by the FWSM: hostname(config)# route dmz 192.168.100.128 255.255.255.128 10.1.1.2 1 hostname(config)# route dmz 192.168.100.0 255.255.255.128 10.1.1.2 1...
  • Page 343: Redirecting Ports

    • HTTP port 8080 requests to PAT address 209.165.201.15 are redirected to 10.1.1.7 port 80. To implement this scenario, perform the following steps:...
  • Page 344 Step 5 Redirect HTTP requests on port 8080 for PAT address 209.165.201.15 to 10.1.1.7 port 80 by entering the following command: hostname(config)# static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255...
  • Page 345: Chapter 17 Applying Aaa For Network Access

    • Configuring Custom Login Prompts, page 17-5 • Enabling Secure Authentication of Web Clients, page 17-6 • Disabling Authentication Challenge per Protocol, page 17-8...
  • Page 346: Authentication Overview

    For HTTP, you log in using basic HTTP authentication supplied by the browser. For HTTPS, the FWSM generates custom login windows...
  • Page 347: Static Pat And Http

    Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference. Enabling Network Access Authentication To enable network access authentication, perform the following steps:...
  • Page 348 MAIL_AUTH extended permit tcp any any eq smtp hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq www hostname(config)# aaa authentication match MAIL_AUTH inside AuthOutbound...
  • Page 349: Configuring Custom Login Prompts

    Step 4 To show text when a user is rejected due to invalid credentials, enter the following command:...
  • Page 350: Enabling Secure Authentication Of Web Clients

    After enabling this feature, when a user accesses a web page requiring authentication, the FWSM displays the Authentication Proxy Login Page shown in Figure 17-1...
  • Page 351 PAT for web traffic and the second line must be added to support the HTTPS authentication configuration. static (inside,outside) tcp 10.132.16.200 www 10.130.16.10 www...
  • Page 352: Disabling Authentication Challenge Per Protocol

    If the user establishes the session with a protocol whose authentication challenge is enabled (such as HTTP), FTP traffic is allowed...
  • Page 353: Configuring Authorization For Network Access

    17-3. If you have already enabled authentication, continue to the next step. Step 2 To enable authorization, enter the following command:...
  • Page 354: Configuring Radius Authorization

    • Configuring a RADIUS Server to Download Per-User Access Control List Names, page 17-12 Configuring a RADIUS Server to Download Per-User Access Control Lists This section describes how to configure Cisco Secure ACS or a third-party RADIUS server, and includes the following topics: • Configuring Cisco Secure ACS for Downloadable Access Lists, page 17-11...
  • Page 355 On the FWSM, the downloaded access list has the following name: #ACSACL#-ip-acl_name-number The acl_name argument is the name that is defined on Cisco Secure ACS (acs_ten_acl in the preceding example), and number is a unique version ID generated by Cisco Secure ACS.
  • Page 356 FWSM. If this parameter is omitted, the sequence value is 0, and the order of the ACEs inside the cisco-av-pair RADIUS VSA is used. The following example is an access list definition as it should be configured for a cisco-av-pair VSA on a RADIUS server: ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0...
  • Page 357: Configuring Accounting For Network Access

    Note: In Cisco Secure ACS, the value for filter-id attributes is specified in boxes in the HTML interface, omitting filter-id= and entering only acl_name. For information about making the filter-id attribute value unique per user, see the documentation for your RADIUS server.
  • Page 358: Using Mac Addresses To Exempt Traffic From Authentication And Authorization

    Step 2 To exempt traffic for the MAC addresses specified in a particular MAC list, enter the following command: hostname(config)# aaa mac-exempt match id...
  • Page 359 1 deny 00a0.c95d.0282 ffff.ffff.ffff hostname(config)# mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000 hostname(config)# aaa mac-exempt match 1...
  • Page 360 ...
  • Page 361: Chapter 18 Applying Filtering Services

    This section describes how to apply filtering to remove ActiveX objects from HTTP traffic passing through the firewall. This section includes the following topics: • ActiveX Filtering Overview, page 18-2 • Enabling ActiveX Filtering, page 18-2...
  • Page 362: Activex Filtering Overview

    To remove the configuration, use the no form of the command, as in the following example: hostname(config)# no filter activex 80 0 0 0 0...
  • Page 363: Filtering Java Applets

    To remove the configuration, use the no form of the command, as in the following example: hostname(config)# no filter java http 192.168.3.3 255.255.255.255 0 0...
  • Page 364: Filtering Urls And Ftp Requests With An External Server

    Note: You must add the filtering server before you can configure filtering for HTTP or HTTPS with the filter command. You must also remove all filtering commands before you remove the filtering servers from the configuration...
  • Page 365 (perimeter) vendor n2h2 host 10.0.1.1 hostname(config)# url-server (perimeter) vendor n2h2 host 10.0.1.2 This identifies two Sentian filtering servers, both on a perimeter interface of the FWSM...
  • Page 366: Buffering The Content Server Response

    Use the dst keyword to cache entries based on the URL destination address. Select this mode if all users share the same URL filtering policy on the Websense server...
  • Page 367: Filtering Http Urls

    (Websense only) You can also configure the maximum size of the URL buffer memory pool with the following command: hostname(config)# url-block url-mempool memory_pool_size...
  • Page 368: Exempting Traffic From Filtering

    FWSM using HTTP or FTP before accessing HTTPS servers. To enable HTTPS filtering, enter the following command: hostname(config)# filter https port localIP local_mask foreign_IP foreign_mask [allow]...
  • Page 369: Filtering Ftp Requests

    ./files instead of cd /public/files. Viewing Filtering Statistics and Configuration This section describes how to monitor filtering statistics. This section includes the following topics:...
  • Page 370: Viewing Filtering Server Statistics

    128 url-block url-size 4 url-block block 128 This shows the configuration of the URL block buffer...
  • Page 371: Viewing Caching Statistics

    URL Access and URL Server Req rows. Viewing Filtering Configuration The following is sample output from the show running-config filter command:...
  • Page 372 hostname# show running-config filter filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0...
  • Page 373: Chapter 19 Configuring Arp Inspection And Bridging Parameters

    • If the ARP packet does not match any entries in the static ARP table, then you can set the FWSM to either forward the packet out all interfaces (flood), or to drop the packet...
  • Page 374: Adding A Static Arp Entry

    To view the current settings for ARP inspection on all interfaces, enter the show arp-inspection command...
  • Page 375: Customizing The Mac Address Table

    The default timeout value for dynamic MAC address table entries is 5 minutes, but you can change the timeout. To change the timeout, enter the following command: hostname(config)# mac-address-table aging-time timeout_value...
  • Page 376: Disabling Mac Address Learning

    The following is sample output from the show mac-address-table command that shows the table for the inside interface: hostname# show mac-address-table inside interface mac address type Age(min) Group ----------------------------------------------------------------------- inside 0010.7cbe.6101 static inside 0009.7cbe.5101 dynamic...
  • Page 377: Chapter 20 Using Modular Policy Framework

    Permitting or Denying Application Types with PISA Integration—See the “Permitting or Denying Application Types with PISA Integration” section on page 21-4.
  • Page 378: Modular Policy Framework Configuration Overview

    For example, you might want to drop all HTTP requests with a URL including the text “example.com.” (Figure labels: Inspection Policy Map Actions; Inspection Class Map/Match Commands; Regular Expression Statement/Regular Expression Class Map)
  • Page 379: Default Global Policy

  • Page 380: Identifying Traffic (layer 3/4 Class Map)

    • Layer 3/4 class maps • Inspection class maps • Regular expression class maps • match commands used directly underneath an inspection policy map
  • Page 381: Creating A Layer 3/4 Class Map For Through Traffic

    Default traffic for inspection—The class map matches the default TCP and UDP ports used by all applications that the FWSM can inspect. hostname(config-cmap)# match default-inspection-traffic
  • Page 382: Configuring Special Actions For Application Inspections (inspection Policy Map)

    3/4 class map for which you have defined an inspection action, then that subset of traffic will be acted upon as specified (for example, dropped or rate-limited). This section includes the following topics: • Inspection Policy Map Overview, page 20-7
  • Page 383: Inspection Policy Map Overview

    20-10. Alternatively, you can identify the traffic directly within the policy map. Step 2 To create the inspection policy map, enter the following command: hostname(config)# policy-map type inspect application policy_map_name hostname(config-pmap)#
  • Page 384 100 reset match request method get
  • Page 385 The following is an example of an HTTP inspection policy map and the related class maps. This policy map is activated by the Layer 3/4 policy map, which is enabled by the service policy.
  • Page 386: Identifying Traffic In An Inspection Class Map

    “Creating a Regular Expression Class Map” section on page 20-14. Step 2 Create a class map by entering the following command: hostname(config)# class-map type inspect application [match-all] class_map_name hostname(config-cmap)#
  • Page 387: Creating A Regular Expression

    Use Ctrl+V to escape all of the special characters in the CLI, such as question mark (?) or a tab. For example, type d[Ctrl+V]g to enter d?g in the configuration. See the regex command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for performance impact information when matching a regular expression to packets.
  • Page 388 Specifies the beginning of a line. Escape character: When used with a metacharacter, matches a literal character. For example, \[ matches the left square bracket.
  • Page 389 The following example creates two regular expressions for use in an inspection policy map: hostname(config)# regex url_example example\.com hostname(config)# regex url_example2 example2\.com
  • Page 390: Creating A Regular Expression Class Map

    • Information About Layer 3/4 Policy Maps, page 20-15 • Default Layer 3/4 Policy Map, page 20-18 • Adding a Layer 3/4 Policy Map, page 20-18
  • Page 391: Information About Layer 3/4 Policy Maps

    If a packet matches a class map for application inspection, but also matches another class map that includes application inspection, then the second class map actions are not applied.
  • Page 392: Order In Which Multiple Feature Actions Are Applied

    ICMP error MGCP NetBIOS PPTP Sun RPC RTSP Skinny SMTP SNMP SQL*Net TFTP XDMCP DCERPC Permitting or Denying Application Types with PISA Integration
  • Page 393: Incompatibility Of Certain Feature Actions

    [it should be 21] match port tcp 80 class-map http match port tcp 80 policy-map test class http inspect http class ftp inspect ftp
  • Page 394: Feature Matching Guidelines For Multiple Policy Maps

    The maximum number of policy maps is 64. To create a Layer 3/4 policy map, perform the following steps: Step 1 Add the policy map by entering the following command: hostname(config)# policy-map policy_map_name
  • Page 395 The following example shows how traffic matches the first available class map, and will not match any subsequent class maps that specify actions in the same feature domain:
  • Page 396: Applying Actions To An Interface (service Policy)

    The following commands disable the default global policy, and enable a new one called new_global_policy on all other FWSM interfaces: hostname(config)# no service-policy global_policy global
  • Page 397: Modular Policy Framework Examples

    80 hostname(config)# policy-map http_traffic_policy hostname(config-pmap)# class http_traffic hostname(config-pmap-c)# inspect http hostname(config)# service-policy http_traffic_policy global
  • Page 398: Applying Inspection And Connection Limits To Http Traffic To Specific Servers

    IP address in the access list in the class map. If you applied it to the outside interface, you would use the mapped addresses.
  • Page 399 10.1.1.1 any eq 80 hostname(config)# class-map http_client hostname(config-cmap)# match access-list http_client hostname(config)# policy-map http_client hostname(config-pmap)# class http_client hostname(config-pmap-c)# inspect http hostname(config)# service-policy http_client interface inside
  • Page 400 Chapter 20 Using Modular Policy Framework Modular Policy Framework Examples
  • Page 401: Chapter 21 Configuring Advanced Connection Features

    TCP sequence continues to be randomized. You can also configure maximum connections and TCP sequence randomization in the NAT
  • Page 402 65535. The default is 0, which means no limit on the connection rate. The random-sequence-number {enable | disable} keyword enables or disables TCP sequence number randomization.
  • Page 403 Step 6 To activate the policy map on one or more interfaces, enter the following command: hostname(config)# service-policy policymap_name {global | interface interface_name}
  • Page 404: Permitting Or Denying Application Types With Pisa Integration

    0:0:40 half-closed 0:20:0 Permitting or Denying Application Types with PISA Integration Note: This feature depends on Cisco IOS Release 12.2(18)ZYA or later, and is only available on the Catalyst 6500 switch.
  • Page 405: Pisa Integration Overview

    The GRE encapsulation adds 32 bytes (20 bytes for the outer IP header and 12 bytes for the GRE header).
  • Page 406: Failover Support

    For example, to permit all traffic except for Skype, eDonkey, and Yahoo, enter the following commands:
  • Page 407: Configuring The Switch For Pisa/fwsm Integration

    • Sample Switch Configurations for PISA Integration, page 21-9 PISA Limitations and Restrictions The following limitations and restrictions apply to the PISA:
  • Page 408: Configuring Classification On The Pisa

    Note: Classification and tagging need to be enabled on the same port; for example, you cannot enable classification on access ports and tagging on a trunk port.
  • Page 409: Sample Switch Configurations For Pisa Integration

    ! Allows packet sizes up to 9216 bytes without fragmenting Example 21-2 Layer 2 Mode (Interface-based, Protocol Discovery on Uplink Ports) Router(config)# interface gigabitethernet 6/1 Router(config-if)# ip nbar protocol-discovery ! Classification
  • Page 410: Monitoring Pisa Connections

    This section describes how to configure TCP state bypass, and includes the following topics: • TCP State Bypass Overview, page 21-11 • Enabling TCP State Bypass, page 21-13
  • Page 411: Tcp State Bypass Overview

    FWSM 1, then the packets will match the entry in the accelerated path, and are passed through. But if subsequent packets go to FWSM 2, where there was not a SYN packet that went
  • Page 412: Unsupported Features

    FWSMs for TCP state bypass traffic; if you use dynamic NAT, the address chosen for the session on FWSM 1 will differ from the address chosen for the session on FWSM 2.
  • Page 413: Connection Timeout

    The following is an example configuration for TCP state bypass: hostname(config)# access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0 hostname(config)# class-map tcp_bypass
  • Page 414: Disabling Tcp Normalization

    Non-initial packets are checked to ensure they arrived on the same interface used by the initial packet. To enable Unicast RPF, enter the following command: hostname(config)# ip verify reverse-path interface interface_name
  • Page 415: Configuring The Fragment Size

    VLAN ID that is assigned to an interface in other contexts, you can shun the connection in other contexts. Step 3 To remove the shun, enter the following command: hostname(config)# no shun src_ip [vlan vlan_id]
  • Page 416 Chapter 21 Configuring Advanced Connection Features Blocking Unwanted Connections
  • Page 417: Chapter 22 Applying Application Layer Protocol Inspection

    • NetBIOS Inspection, page 22-72 • PPTP Inspection, page 22-73 • RSH Inspection, page 22-73 • RTSP Inspection, page 22-73 • SIP Inspection, page 22-76
  • Page 418: Inspection Engine Overview

    Connections (XLATE and CONN tables)—Maintains state and other information about each established connection. This information is used by the Adaptive Security Algorithm and cut-through proxy to efficiently forward traffic within established sessions.
  • Page 419: Inspection Limitations

    • Some inspection engines do not support PAT, NAT, outside NAT, or NAT between same security interfaces. See “Default Inspection Policy” for more information about NAT support.
  • Page 420: Default Inspection Policy

    No PTR records are changed. No NAT support is available for name resolution through WINS. Default maximum packet length is 512 bytes.
  • Page 421 Does not handle TFTP uploaded Cisco (SCCP) IP Phone configurations under certain circumstances. No NAT on same security interfaces. SMTP TCP/25 — RFC 821, 1123 —
  • Page 422: Configuring Application Inspection

    Applying inspections to the traffic. For some applications, you can perform special actions when you enable inspection. Activating inspections on an interface.
  • Page 423 Application maps use commands in the form protocol-map. • DCERPC—See the “Configuring a DCERPC Inspection Policy Map for Additional Inspection Control” section on page 22-17.
  • Page 424 “Configuring a DCERPC Inspection Policy Map for Additional Inspection Control” section on page 22-17, identify the map name in this command. dns [map_name] —
  • Page 425 If you added an SNMP application map according to “Enabling and Configuring SNMP Application Inspection” section on page 22-98, identify the map name in this command. sqlnet —
  • Page 426: Ctiqbe Inspection

    NAT. This enables Cisco IP SoftPhone and other Cisco TAPI/JTAPI applications to work successfully with Cisco CallManager for call setup across the FWSM. TAPI and JTAPI are used by many Cisco VoIP applications. CTIQBE is used by Cisco TSP to communicate with Cisco CallManager.
  • Page 427: Enabling And Configuring Ctiqbe Inspection

    Cisco TSP configuration on the PC. • When using PAT or Outside PAT, if the Cisco CallManager IP address is to be translated, its TCP port 2748 must be statically mapped to the same port of the PAT (interface) address for Cisco IP SoftPhone registrations to succeed.
  • Page 428: Verifying And Monitoring Ctiqbe Inspection

    CTIQBE session setup across the FWSM. It is established between an internal CTI device (for example, a Cisco IP SoftPhone) at local address 10.0.0.99 and an external Cisco CallManager at 209.165.201.2, where TCP port 2748 is the Cisco CallManager. The heartbeat interval for the session is 120 seconds.
  • Page 429: Ctiqbe Sample Configurations

    - awaiting outside SYN, T - SIP, t - SIP transient, U - up CTIQBE Sample Configurations The following figure shows a sample configuration for a single transparent firewall for Cisco IP SoftPhone (Figure 22-2).
  • Page 430 The following figure shows a sample configuration for a single transparent firewall for Cisco IP SoftPhone with NetMeeting enabled (Figure 22-3). Cisco IP SoftPhone is configured with the collaboration setting of NetMeeting.
  • Page 431 Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN, B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
  • Page 432: Dcerpc Inspection

    • RemoteCreateInstance • Any message that does not contain an IP address or port information because these messages do not require inspection
  • Page 433: Configuring A Dcerpc Inspection Policy Map For Additional Inspection Control

    135 hostname(config)# policy-map global-policy hostname(config-pmap)# class dcerpc hostname(config-pmap-c)# inspect dcerpc dcerpc-map hostname(config)# service-policy global-policy global
  • Page 434: Dns Inspection

    DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.
  • Page 435: How Dns Rewrite Works

    For an illustration and configuration instructions for this scenario, see the “DNS Rewrite with Three NAT Zones” section on page 22-22.
  • Page 436: Configuring Dns Rewrite

    The following example specifies that the address 192.168.100.10 on the inside interface is translated into 209.165.201.5 on the outside interface: hostname(config)# static (inside,outside) 209.165.200.225 192.168.100.10 dns
  • Page 437: Configuring Dns Rewrite With Two Nat Zones

    Example 22-2 DNS Rewrite with Two NAT Zones hostname(config)# static (inside,outside) 209.165.200.225 192.168.100.1 netmask 255.255.255.255 dns hostname(config)# access-list 101 permit tcp any host 209.165.200.225 eq www
  • Page 438: Dns Rewrite With Three Nat Zones

    The host running the web client sends the DNS server a request for the IP address of server.example.com.
  • Page 439: Configuring Dns Rewrite With Three Nat Zones

    Step 2 Create an access list that permits traffic to the port that the web server listens to for HTTP requests.
  • Page 440: Configuring Dns Inspection

    Step 2 Use the match port command to identify DNS traffic. The default port for DNS is UDP port 53. hostname(config-cmap)# match port udp eq 53
  • Page 441: Verifying And Monitoring Dns Inspection

    DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.
  • Page 442: Dns Guard

    ESMTP inspection according to the “Configuring Application Inspection” section on page 22-6.
  • Page 443 To enter parameters configuration mode, enter the following command: hostname(config-pmap)# parameters hostname(config-pmap-p)# To configure a local domain name, enter the following command: hostname(config-pmap-p)# mail-relay domain-name action [drop-connection | log]]
  • Page 444 (Optional) To match the number of invalid recipients, enter the following command: hostname(config-pmap-p)# match invalid-recipients count gt count Where count is the number of invalid recipients.
  • Page 445
  • Page 446: Ftp Inspection

    The 227 and PORT commands are checked to ensure they do not appear in an error string. Caution: Using the strict option may cause the failure of FTP clients that are not strictly compliant with FTP RFCs.
  • Page 447: The Request-command Deny Command

    Disallows the command that provides help information. Disallows the command that makes a directory on the server. Disallows the client command for sending a file to the server.
  • Page 448: Configuring Ftp Inspection

    If you need to identify a range of contiguous ports for a single protocol, use the match port command with the range keyword, as follows: hostname(config-cmap)# match port tcp range begin_port_number end_port_number
  • Page 449 • If you want to enable strict FTP inspection, use the inspect ftp command with the strict keyword, as follows: hostname(config-pmap-c)# inspect ftp strict
  • Page 450: Verifying And Monitoring Ftp Inspection

    In conjunction with NAT, the FTP application inspection translates the IP address within the application payload. This is described in detail in RFC 959.
  • Page 451: Gtp Inspection

    UTRAN is the networking protocol used for implementing wireless networks in this system. GTP allows multi-protocol packets to be tunneled through a UMTS/GPRS backbone between a GGSN, an SGSN and the UTRAN.
  • Page 452: Gtp Maps And Commands

    GTP inspection parameters. These commands are available in GTP map configuration mode. For the detailed syntax of each command, see the applicable command page in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
  • Page 453: Enabling And Configuring Gtp Inspection

    GTP map. The CLI enters GTP map configuration mode.
  • Page 454 20 max 300 hostname(config-gtp-map)# drop message 20 hostname(config-gtp-map)# tunnel-limit 10000 hostname(config)# policy-map sample_policy hostname(config-pmap)# class gtp-traffic hostname(config-pmap-c)# inspect gtp sample_map hostname(config)# service-policy sample_policy outside
  • Page 455: Verifying And Monitoring Gtp Inspection

    You can use the vertical bar (|) to filter the display, as in the following example: hostname# show service-policy gtp statistics | grep gsn
  • Page 456: Ggsn Load Balancing

    SGSN. To do so, use the gtp-map and permit responses commands. hostname(config)# gtp-map map_name hostname(config-gtp-map)# permit response to-object-group SGSN-name from-object-group GSN-pool-name
  • Page 457: Gtp Sample Configuration

    Sample configuration of SLB (IOS SLB, MSFC used), GGSN (MWAM module used) and FWSM. SLB and MWAM configuration on supervisor/MSFC. The MWAM is a Cisco IOS application module that you can install in the Cisco Catalyst 6500 Series switch. Each MWAM contains three processor complexes, with two CPUs each, and each CPU can be used to run an independent IOS image.
  • Page 458 10.2.1.29 udp 3386 service gtp serverfarm GGSN-POOL inservice ip slb vserver GTP-V1 virtual 10.2.1.29 udp 2123 service gtp serverfarm GGSN-POOL inservice
  • Page 459 GigabitEthernet0/0 no ip address interface GigabitEthernet0/0.1 interface GigabitEthernet0/0.8 encapsulation dot1Q 8 ip address 10.1.1.2 255.255.255.0 no snmp trap link-status
  • Page 460 1111 password cisco inservice ip cef no ip domain lookup
  • Page 461 100 ip address 172.21.64.35 255.255.255.128 standby 172.21.64.36 interface Vlan5 nameif inside security-level 100 ip address 10.2.1.41 255.255.255.0 standby 10.2.1.40
  • Page 462 14400 nat-control no xlate-bypass static (outside,inside) 10.5.1.1 10.5.1.1 netmask 255.255.255.255 static (inside,outside) 10.4.1.31 10.4.1.31 netmask 255.255.255.255 static (inside,outside) 10.4.1.32 10.4.1.32 netmask 255.255.255.255
  • Page 463: H.323 Inspection

    • Limitations and Restrictions, page 22-49 • Enabling and Configuring H.323 Inspection, page 22-51 • Topologies Requiring H.225 Configuration, page 22-50
  • Page 464: H.323 Inspection Overview

    The H.323 control channel handles H.225 and H.245 and H.323 RAS. H.323 inspection uses the following ports. • UDP port 1718—Gate Keeper Discovery • UDP port 1719—RAS
  • Page 465: Limitations And Restrictions

    If you configure a network static address where the network static address is the same as a third-party netmask and address, then any outbound H.323 connection fails. • Dynamic NAT (PAT) is not supported for H.323-GUP inspection.
  • Page 466: Topologies Requiring H.225 Configuration

    H.225 configuration. The FWSM is not aware of the existence of the Cisco CallManager in this topology. With only the packet flows that happen through the security appliance, the FWSM cannot open a proper pinhole to allow such a call to be successful.
  • Page 467: Enabling And Configuring H.323 Inspection

    Identify an HSI group. To do so, use the hsi-group command, as follows. hostname(config-h225-map)# hsi-group group_ID hostname(config-h225-map-hsi-grp)# where group_ID is a number, from 0 to 2147483647, that identifies the HSI group. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 22-51 OL-20748-01...
  • Page 468 The FWSM begins inspecting H.323 traffic, as specified. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 22-52 OL-20748-01...
  • Page 469: Configuring H.323 And H.225 Timeout Values

    This section describes how to display information about H.323 sessions. This section includes the following topics: • Monitoring H.225 Sessions, page 22-54 • Monitoring H.245 Sessions, page 22-54 • Monitoring H.323 RAS Sessions, page 22-55 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 22-53 OL-20748-01...
  • Page 470: Monitoring H.225 Sessions

    4-byte header. The foreign host endpoint is 172.30.254.203, and we are expecting the next packet from this endpoint to have a TPKT header because the TPKT value is 0.
  • Page 471: Monitoring H.323 RAS Sessions

    • employed because GUP is a Cisco proprietary protocol. • Dynamic NAT and dynamic PAT are not supported in H.323 GUP inspection.
  • Page 472: H.323 GUP Configuration

    RAS inspection should be turned on for interfaces through which the gatekeeper running GUP protocol is reachable. In this example, RAS inspection is turned on for both inside and outside interfaces.
  • Page 473: H.323 Sample Configuration

    [Figure residue: H.323 sample configuration topology with analog phones, Cisco 3745 H.323 gateways, a Cisco 3745 gatekeeper and the Firewall Services Module (FWSM); addresses shown: 209.100.100.2, 10.100.100.2]
  • Page 474 101 voip hostname(config-dial-peer)#destination-pattern 4085550100 hostname(config-dial-peer)#session target ras Forward all voice calls destined to 4085550199 to voice port 3/0/0: hostname(config)#dial-peer voice 102 pots
  • Page 475 FLAGS - H Network Processor 2 connections Multicast sessions: Network Processor 1 connections Network Processor 2 connections IPv6 connections: FWSM/admin# show h225
  • Page 476: HTTP Inspection

    You can change the actions performed in response to inspection failure, but you cannot disable strict inspection as long as the inspection policy map remains enabled.
  • Page 477 Step 2. The length gt max_bytes is the maximum message body length in bytes.
  • Page 478 Step 4 To create an HTTP inspection policy map, enter the following command: hostname(config)# policy-map type inspect http policy_map_name
  • Page 479 To substitute a string for the server header field, enter the following command: hostname(config-pmap-p)# spoof-server string
  • Page 480: ICMP Inspection

    For information about ILS inspection, see the inspect ils command page in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
  • Page 481: MGCP Inspection

    Figure 22-11 illustrates how NAT can be used with MGCP.
  • Page 482 Response header, optionally followed by a session description. To use MGCP, you usually need to configure inspection for traffic sent to two ports:
  • Page 483: Configuring MGCP Call Agents And Gateways

    MGCP port and port-2 is the second MGCP port.
  • Page 484 MGCP map that you may have created in optional Step Step 8 Use the service-policy command to apply the policy map globally or to a specific interface, as follows:
  • Page 485: Configuring MGCP Timeout Values

    The timeout mgcp-pat command lets you set the timeout for PAT xlates. Because MGCP does not have a keepalive mechanism, if you use non-Cisco MGCP gateways (call agents), the PAT xlates are torn down after the default timeout interval, which is 30 seconds.
  • Page 486: MGCP Sample Configuration

    Media lcl port 6166 Media rmt IP 192.168.5.7 Media rmt port 6058 MGCP Sample Configuration Figure 22-12 shows a sample configuration for MGCP inspection:
  • Page 487 Apply the above access lists on the inside and outside interfaces for incoming traffic: hostname(config)# access-group mgcp in interface outside hostname(config)# access-group mgcp in interface inside Configure call agent (IP address of the Cisco CallManager) and the IP address of the IOS MGCP gateway in an MGCP map: hostname(config)# mgcp-map mgcp-inspect hostname(config-mgcp-map)# call-agent 15.0.0.210 101...
  • Page 488: NetBIOS Inspection

    101 pots hostname(config-dial-peer)# application mgcpapp hostname(config-dial-peer)# port 3/0/0 NetBIOS Inspection NetBIOS inspection is enabled by default.
  • Page 489: PPTP Inspection

    If the response message is outbound, then the FWSM does not need to open dynamic channels.
  • Page 490: Using RealPlayer

    SDP files as part of HTTP or RTSP messages. Packets could be fragmented and FWSM cannot perform NAT on fragmented packets. With Cisco IP/TV, the number of NATs the FWSM performs on the SDP part of the message is •...
  • Page 491 RTSP inspection engine RTSP traffic on the default ports (554 and 8554). The service policy is then applied to the outside interface.
  • Page 492: SIP Inspection

    – The port is missing in the contact field in the REGISTER message sent by the endpoint to the proxy server.
  • Page 493: SIP Instant Messaging

    INVITE message from the inside endpoint. Unsolicited RTP/RTCP UDP packets to an inside interface do not traverse the FWSM, unless the FWSM configuration specifically allows it.
  • Page 494: IP Address Privacy

    The match-any keyword specifies that the traffic matches the class map if any of the match commands in the class map is matched.
  • Page 495 Where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name is the regular expression class map you created in Step
  • Page 496 To enter parameters configuration mode, enter the following command: hostname(config-pmap)# parameters hostname(config-pmap-p)# To enable or disable instant messaging, enter the following command. Instant messaging is enabled by default.
  • Page 497 {mask | log} [log] The following example shows how to disable instant messaging over SIP:
  • Page 498: Configuring SIP Timeout Values

    200 OK for the CANCEL SIP message, and 200 OK for 4xx/5xx/6xx SIP messages, instead of waiting for the idle timeout.
  • Page 499 Figure 22-13, when 200 OK is not received for the BYE message, media connections are removed after the timeout sip-disconnect occurs.
  • Page 500 22-14, the media connection is cleared after 200 OK is received for the CANCEL message. If 200 OK is not received for the CANCEL SIP message, the media connection is cleared after the timeout sip-disconnect occurs.
  • Page 501 SIP INVITE message, the timeout for provisional responses is set to the value configured using the timeout sip-invite command.
  • Page 502: Verifying And Monitoring SIP Inspection

    Active, idle 0:00:06 This sample shows two active SIP sessions on the FWSM (as shown in the Total field). Each call-id represents a call.
  • Page 503: SIP Sample Configuration

    ! hostname(config)# nat-control hostname(config)# static (inside, outside) 10.3.100.115 209.165.201.115 netmask 255.255.255.255 hostname(config)# static (inside, outside) 10.3.100.118 209.165.201.118 netmask 255.255.255.255
  • Page 504: Router Configuration

    IP address. RTP traffic is not switched via the same subnet. Instead, it is routed via the FWSM. hostname(config)# show conn 6 in use, 28 most used
  • Page 505: Skinny (SCCP) Inspection

    SCCP (Skinny) Sample Configuration, page 22-93 SCCP Inspection Overview Skinny (SCCP) is a simplified protocol used in VoIP networks. Cisco IP Phones using SCCP can coexist in an H.323 environment. When used with Cisco CallManager, the SCCP client can interoperate with H.323 compliant terminals.
  • Page 506: Supporting Cisco IP Phones

    Cisco CallManager server. When the Cisco IP Phones are on a lower security interface compared to the TFTP server, you must use an access list to connect to the protected TFTP server on UDP port 69. While you do need a static identity entry for the TFTP server, this does not have to be an identity static entry.
  • Page 507 (Optional) To change the default port used by the FWSM for receiving SCCP traffic, enter the following command: hostname(config-pmap-c)# inspect skinny Step 6 Return to policy map configuration mode by entering the following command: hostname(config-pmap-c)# exit hostname(config-pmap)#
  • Page 508: Verifying And Monitoring SCCP Inspection

    VIDEO 10.0.0.22/20798 172.18.1.11/22948 The output indicates that a call has been established between two internal Cisco IP Phones. The RTP listening ports of the first and second phones are UDP 22948 and 20798 respectively. The following is sample output from the show xlate debug command for these Skinny connections:...
  • Page 509: SCCP (Skinny) Sample Configuration

    209.165.201.210 eq 2000 Apply the above access lists on the inside and outside interfaces for incoming traffic:
  • Page 510: SMTP And Extended SMTP Inspection

    SMTP session but an ESMTP session is considerably faster and offers more options related to reliability and security, such as delivery status notification.
  • Page 511 Because of the change in the packet, the TCP checksum has to be recalculated or adjusted. • TCP stream editing. • Command pipelining.
  • Page 512: Configuring And Enabling SMTP And Extended SMTP Application Inspection

    To enable extended SMTP application inspection, enter the following command: hostname(config-pmap-c)# inspect esmtp To enable SMTP application inspection, enter the following command: hostname(config-pmap-c)# inspect smtp
  • Page 513: SNMP Inspection

    The FWSM can deny SNMP versions 1, 2, 2c, or 3. You control the versions permitted by using the deny version command in SNMP map configuration mode.
  • Page 514: Enabling And Configuring SNMP Application Inspection

    Step 2, that identifies the SNMP traffic. Step 7 Use the class command to do so, as follows: hostname(config-pmap)# class class_map_name hostname(config-pmap-c)#
  • Page 515: SQL*Net Inspection

    • Sun RPC Inspection Overview, page 22-100 • Enabling and Configuring Sun RPC Inspection, page 22-100 • Managing Sun RPC Services, page 22-102
  • Page 516: Sun RPC Inspection Overview

    If the port mapper process listens to a single port, you can use the match port command to identify traffic sent to that port, as follows: hostname(config-cmap)# match port tcp eq port_number
  • Page 517 111 hostname(config-cmap)# policy-map sample_policy hostname(config-pmap)# class sunrpc_port hostname(config-pmap-c)# inspect sunrpc hostname(config-pmap-c)# service-policy sample_policy interface outside hostname(config)#
  • Page 518: Managing Sun RPC Services

    UDP out 209.165.200.5:800 in 192.168.100.2:2049 idle 0:00:04 flags - UDP out 209.165.200.5:714 in 192.168.100.2:111 idle 0:00:04 flags - UDP out 209.165.200.5:712 in 192.168.100.2:647 idle 0:00:05 flags -
  • Page 519 In this output, port 647 corresponds to the mountd daemon running over UDP. The mountd process would more commonly be using port 32780, but it uses TCP port 650 in this example.
  • Page 520: TFTP Inspection

    For information about XDMCP inspection, see the established and inspect pptp command pages in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
  • Page 521: Part: System Administration...
  • Page 523: Chapter 23 Configuring Management Access

    Please note that concurrent access to the FWSM is not recommended. In some cases, two Telnet sessions issuing the same commands might cause one of the sessions to hang until a key is depressed on the other session.
  • Page 524: Allowing SSH Access

    Note XML management over SSL and SSH is not supported. This section includes the following topics: • Configuring SSH Access, page 23-3 • Using an SSH Client, page 23-3
  • Page 525: Configuring SSH Access

    When starting an SSH session, a dot (.) displays on the FWSM console before the SSH user authentication prompt appears, as follows: hostname(config)# .
  • Page 526: Allowing HTTPS Access For ASDM

    The FWSM can connect to another VPN concentrator, such as a Cisco PIX firewall or a Cisco IOS router, using a site-to-site tunnel. You specify the peer networks that can communicate over the tunnel. In the case of the FWSM, the only address available on the FWSM end of the tunnel is the interface itself.
  • Page 527: Configuring Basic Settings For All Tunnels

    Although you can specify authentication alone, or encryption alone, these methods are not secure. You refer to this transform set when you configure the VPN client group or a site-to-site tunnel.
  • Page 528: Configuring VPN Client Access

    Configuring VPN Client Access In routed mode, a host with Version 3.0 or 4.0 of the Cisco VPN client can connect to the FWSM for management purposes over a public network, such as the Internet.
  • Page 529 “admin” and the password “passw0rd” can connect to the FWSM. hostname(config)# isakmp policy 1 authentication pre-share hostname(config)# isakmp policy 1 encryption 3des
  • Page 530: Configuring A Site-to-site Tunnel

    “Configuring Basic Settings for All Tunnels” section on page 23-5), enter the following command: hostname(config)# crypto map crypto_map_name priority set transform-set transform_set1 [transform_set2] [...]
  • Page 531: Allowing ICMP To And From The FWSM

    (0) (FWSM to host) or echo (8) (host to FWSM). See the “ICMP Types” section on page E-15 for a list of ICMP types.
  • Page 532: AAA For System Administrators

    This section explains how to configure CLI authentication when you use Telnet or SSH, and how to configure ASDM authentication. This section includes the following topics: • CLI Access Overview, page 23-11 • ASDM Access Overview, page 23-11
  • Page 533: CLI Access Overview

    FWSM (which enters the system execution space). The admin context AAA server or local user database are used in this instance.
  • Page 534: Enabling CLI Or ASDM Authentication

    You can also type 'exit' at the remote prompt to end the session Trying 127.0.0.41 ... Open User Access Verification Username: myRADIUSusername Password: myRADIUSpassword Type help or ‘?’ for a list of available commands.
  • Page 535: Configuring Authentication To Access Privileged Exec Mode

    15. If you configure local command authorization, then the user can only enter commands assigned to that privilege level or lower. See the “Configuring Local Command Authorization” section on page 23-15 for more information.
  • Page 536: Configuring Command Authorization

    • after they authenticate for CLI access. Every command that a user enters at the CLI is checked with the TACACS+ server.
  • Page 537: Configuring Local Command Authorization

    • Default Command Privilege Levels, page 23-16 • Assigning Privilege Levels to Commands and Enabling Authorization, page 23-16 • Viewing Command Privilege Levels, page 23-18
  • Page 538 [show | clear | cmd] level level [mode {enable | cmd}] command command Repeat this command for each command you want to reassign. See the following information about the options in this command:
  • Page 539 The following example shows an additional command, the configure command, that uses the mode keyword: hostname(config)# privilege show level 5 mode cmd command configure
  • Page 540: Configuring TACACS+ Command Authorization

    If you enable TACACS+ command authorization, and a user enters a command at the CLI, the FWSM sends the command and username to the TACACS+ server to determine if the command is authorized.
  • Page 541 23-13). Configuring Commands on the TACACS+ Server You can configure commands on a Cisco Secure Access Control Server (ACS) as a shared profile component, for a group, or for individual users. For third-party TACACS+ servers, see your server documentation for more information about command authorization support.
  • Page 542 Be sure to check the Permit Unmatched Args check box so that enable alone is still allowed (see Figure 23-3).
  • Page 543 We recommend that you allow the following basic commands for all users: show checksum, show curpriv, enable, help, show history, login, logout, pager
  • Page 544: Configuring Command Accounting

    See the following sample show curpriv command output. A description of each field follows. hostname# show curpriv Username : admin Current privilege level : 15 Current Mode/s : P_PRIV
  • Page 545: Recovering From A Lockout

    Configure the local database as a fallback method so you do not get locked out when the server is down.
  • Page 546
  • Page 547: Chapter 24 Managing Software, Licenses, And Configurations

    • Downloading and Backing Up Configuration Files, page 24-14 • Configuring Auto Update Support, page 24-18 Note Because the FWSM runs its own operating system, upgrading the Cisco IOS software does not affect the operation of the FWSM. Managing Licenses When you install the software, the existing activation key is extracted from the original image and stored in a file in the FWSM file system.
  • Page 548: Entering A New Activation Key

    • Installing Application Software from the FWSM CLI, page 24-3 • Installing Application Software from the Maintenance Partition, page 24-5 • Installing ASDM from the FWSM CLI, page 24-8
  • Page 549: Installation Overview

    To copy from an FTP server, enter the following command: hostname# copy ftp://[user[:password]@]server[/path]/filename flash: • To copy from an HTTP or HTTPS server, enter the following command:
  • Page 550 At the “Proceed with reload?” prompt, press Enter to confirm the command. Rebooting... If you have a failover pair, see the “Upgrading Failover Pairs” section on page 24-9.
  • Page 551: Installing Application Software From The Maintenance Partition

    Step 3 To view the current boot partition, enter the command for your operating system. Note the current boot partition so you can set a new default boot partition. • Cisco IOS software Router# show boot device [mod_num]
  • Page 552 To set network parameters, perform the following steps: Step 8 To assign an IP address to the maintenance partition, enter the following command: root@localhost# ip address ip_address netmask
  • Page 553 • Console> (enable) session module_number By default, the password to log in to the FWSM is cisco (set by the password command). If this partition does not have a startup configuration, the default password is used. Step 13 Enter privileged EXEC mode using the following command: hostname>...
  • Page 554: Installing ASDM From The FWSM CLI

    To use secure copy, first enable SSH, and then enter the following command: • hostname# ssh scopy enable Then from a Linux client, enter the following command: scp -v -pw password filename username@fwsm_address
  • Page 555: Upgrading Failover Pairs

    • Upgrading an Active/Standby Failover Pair to a New Maintenance Release, page 24-10 • Upgrading an Active/Active Failover Pair to a New Maintenance Release, page 24-10
  • Page 556: Upgrading An Active/Standby Failover Pair To A New Maintenance Release

    In multiple context mode, enter the write memory all command from the system execution space. This command saves all context configurations to which the FWSM has write access.
  • Page 557: Upgrading Failover Pairs To A New Minor Or Major Release

    Enter the following command separately on each unit: primary(config)# reload Proceed with reload? [confirm] At the “Proceed with reload?” prompt, press Enter to confirm the command. Rebooting...
  • Page 558: Installing Maintenance Software

    Console> (enable) session module_number Step 4 To log in to the FWSM maintenance partition as root, enter the following command: Login: root Password:
  • Page 559: Upgrading The Maintenance Software

    To session in to the FWSM, enter the command for your operating system: – Cisco IOS software Router# session slot number processor 1 – Catalyst operating system software Console> (enable) session module_number
  • Page 560: Downloading And Backing Up Configuration Files

    • Downloading a Text Configuration to the Startup or Running Configuration, page 24-15 • Downloading a Context Configuration to Disk, page 24-16
  • Page 561: Viewing Files In Flash Memory

    To copy the startup configuration or running configuration from the server to the FWSM, enter one of the following commands for the appropriate download server:
  • Page 562: Downloading A Context Configuration To Disk

    • hostname# copy ftp://[user[:password]@]server[/path]/filename disk:[path/]filename • To copy from an HTTP or HTTPS server, enter the following command: hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename disk:[path/]filename
  • Page 563: Backing Up The Configuration

    To copy the running configuration to the startup configuration server (connected to the admin context), enter the following command: hostname/contexta# copy running-config startup-config
  • Page 564: Copying The Configuration From The Terminal Display

    IPSec VPN tunnel used for management access. The verify-certificate keyword verifies the certificate returned by the AUS.
  • Page 565 FWSM will try to reconnect to the AUS 10 times, and wait 3 minutes between attempts at reconnecting. hostname(config)# auto-update server https://jcrichton:farscape@209.165.200.224:1742/management source outside verify-certificate hostname(config)# auto-update device-id hostname hostname(config)# auto-update poll-period 600 10 3
  • Page 566: Viewing Auto Update Server Status

    Next poll in 4.93 minutes Last poll: 11:36:46 PST Tue Nov 13 2004 Last PDM update: 23:36:46 PST Tue Nov 12 2004
  • Page 567: Chapter 25 Monitoring The Firewall Services Module

    For more information about logging and syslog messages, see Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Log Messages.
  • Page 568: Security Contexts And Logging

    If you do not specify an output destination, the FWSM does not save syslog messages that are generated when events occur.
  • Page 569: Disabling Logging To All Configured Output Destinations

    Syslog logging: enabled
    Facility: 20
    Timestamp logging: enabled
    Name logging: disabled
    Standby logging: disabled
  • Page 570: Configuring Log Output Destinations

    The syslog server must run a program (known as a server) called syslogd. UNIX provides a syslog server as part of its operating system. For Windows 95 and Windows 98, obtain a syslogd server from another vendor.
  • Page 571

    Step 3 following command:
    hostname(config)# logging facility number
    Most UNIX systems expect the syslog messages to arrive at facility 20.
    hostname(config)# logging
  • Page 572: Sending Syslog Messages To An E-mail Address

    If a severity level is not specified, the default severity level is used (error condition, severity level 3).
  • Page 573: Sending Syslog Messages To ASDM

    The following example shows how to enable logging and send syslog messages of severity levels 0, 1, and 2 to the ASDM log buffer:
    hostname(config)# logging asdm 2
  • Page 574: Sending Syslog Messages To A Switch Session, Telnet Session, Or SSH Session

    For information about creating custom message lists, see the “Filtering Syslog Messages with Custom Message Lists” section on page 25-14.
  • Page 575: Sending Syslog Messages To The Log Buffer

    For information about creating custom message lists, see the “Filtering Syslog Messages with Custom Message Lists” section on page 25-14.
  • Page 576

    To specify that messages in the log buffer should be saved to internal flash memory each time the buffer wraps, enter the following command:
    hostname(config)# logging flash-bufferwrap
  • Page 577: Filtering Syslog Messages

    • Message Filtering Overview, page 25-12
    • Filtering Syslog Messages by Class, page 25-12
    • Filtering Syslog Messages with Custom Message Lists, page 25-14