Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI, Release 4.1
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387); Fax: 408 527-0883
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, OL-20748-01

Contents

Chapter: Switch Overview
Verifying the Module Installation
Assigning VLANs to the Firewall Services Module
VLAN Guidelines
Assigning VLANs to the FWSM

Context Configuration Files
Context Configurations
System Configuration
Admin Context Configuration
How the FWSM Classifies Packets
Valid Classifier Criteria
Invalid Classifier Criteria
Classification Examples

Monitoring Security Contexts 4-35
Viewing Context Information 4-35
Viewing Resource Allocation 4-36
Viewing Resource Usage 4-39
Monitoring SYN Attacks in Contexts 4-40

Information About Bridge Groups
Information About Device Management
Guidelines and Limitations
Configuring Transparent Firewall Interfaces for Through Traffic
Assigning an IP Address to a Bridge Group

Redistributing Routes Between OSPF Processes 8-11
Configuring OSPF Interface Parameters 8-12
Configuring OSPF Area Parameters 8-14
Configuring OSPF NSSA 8-15
Configuring a Point-To-Point, Non-Broadcast OSPF Neighbor 8-16

Configuring DHCP Options 8-37
Using Cisco IP Phones with a DHCP Server 8-38
Configuring DHCP Relay Services 8-39
DHCP Relay Overview 8-39

Configuring Neighbor Solicitation Messages 10-6
Configuring the Neighbor Solicitation Message Interval 10-7
Configuring the Neighbor Reachable Time 10-7
Configuring Router Advertisement Messages 10-8

Chapter: Public Key Cryptography 12-1
About Public Key Cryptography 12-1
Certificate Scalability 12-2
About Key Pairs 12-2

Simplifying Access Lists with Object Grouping 13-11
How Object Grouping Works 13-11
Adding Object Groups 13-12
Adding a Protocol Object Group 13-12
Adding a Network Object Group 13-13

Determining Which Type of Failover to Use 14-17
Regular and Stateful Failover 14-17
Regular Failover 14-18
Stateful Failover 14-18
Failover Health Monitoring 14-19
Unit Health Monitoring 14-19

NAT Overview 16-1
Introduction to NAT 16-2
NAT in Routed Mode 16-2
NAT in Transparent Mode 16-3
NAT Control 16-5
NAT Types 16-6

FWSM Authentication Prompts 17-2
Static PAT and HTTP 17-3
Authenticating Directly with the FWSM 17-3
Enabling Network Access Authentication 17-3
Configuring Custom Login Prompts 17-5

Chapter: Configuring ARP Inspection and Bridging Parameters 19-1
Configuring ARP Inspection 19-1
ARP Inspection Overview 19-1

Applying Inspection to HTTP Traffic Globally 20-21
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers 20-22
Applying Inspection to HTTP Traffic with NAT 20-22

How Inspection Engines Work 22-2
Inspection Limitations 22-3
Default Inspection Policy 22-4
Configuring Application Inspection 22-6
CTIQBE Inspection 22-10
CTIQBE Inspection Overview 22-10

H.323 Inspection Overview 22-48
How H.323 Works 22-48
Limitations and Restrictions 22-49
Topologies Requiring H.225 Configuration 22-50
H.225 Map Commands 22-50

Configuring SIP Timeout Values 22-82
SIP Inspection Enhancement 22-82
Verifying and Monitoring SIP Inspection 22-86
SIP Sample Configuration 22-87
Skinny (SCCP) Inspection 22-89

CLI Access Overview 23-11
ASDM Access Overview 23-11
Authenticating Sessions from the Switch to the FWSM 23-11
Enabling CLI or ASDM Authentication 23-12

Backing Up a Context Configuration within a Context 24-17
Copying the Configuration from the Terminal Display 24-18
Configuring Auto Update Support 24-18
Configuring Communication with an Auto Update Server 24-18

Chapter: Troubleshooting the Firewall Services Module 26-1
Testing Your Configuration 26-1
Enabling ICMP Debug Messages and System Log Messages 26-1

Admin Context Configuration (Example 1)
Customer A Context Configuration (Example 1)
Customer B Context Configuration (Example 1)
Customer C Context Configuration (Example 1)

Appendix: Firewall Mode and Security Context Mode
Command Modes and Prompts
Syntax Formatting
Abbreviating Commands
Command-Line Editing

TCP and UDP Ports E-11
Local Ports and Protocols E-14
ICMP Types E-15
Glossary
Index
... Help for less common scenarios. For more information, see: http://www.cisco.com/en/US/products/ps6121/tsd_products_support_series_home.html.

Document Conventions
The FWSM command syntax descriptions use the following conventions:
• Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
• Release Notes for Cisco ASDM
• Open Source Software Licenses for FWSM
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
... IP address.
Step 8: Configuring a Default Route, page 8-4. Create a default route to an upstream router.
Before you configure any settings, you must set the firewall mode to transparent mode. Changing the mode clears your configuration. In multiple context mode, set the mode in each context.
Step 12: Applying an Access List to an Interface, page 15-4. Apply the access list to an interface.
Part: Getting Started and General Information
• How the Firewall Services Module Works with the Switch, page 1-5
• Firewall Mode Overview, page 1-7
• Stateful Inspection Overview, page 1-8
• Security Context Overview, page 1-9
You can now set the timeout for GRE connections that are built as a result of PPTP inspection. The following command was modified: timeout pptp-gre.

Management Features
This section includes the following topics:
• Permitting or Denying Traffic with Access Lists, page 1-4
• Applying NAT, page 1-4
• Protecting from IP Fragments, page 1-4
... Internet. We recommend that you use the FWSM in conjunction with a separate server running one of the following Internet filtering products:
• Websense Enterprise
• Sentian by N2H2
How the Firewall Services Module Works with the Switch
You can install the FWSM in the Catalyst 6500 series switches and the Cisco 7600 series routers with Cisco IOS software on both the switch supervisor and the integrated MSFC (known as “supervisor IOS”).
In multiple context mode, you can choose the mode for each context independently, so some contexts can run in transparent mode while others can run in routed mode.
– IP checksum verification
– Session lookup
– TCP sequence number check
– NAT translations based on existing sessions
Switch Overview
You can install the FWSM in the Catalyst 6500 series switches or the Cisco 7600 series routers. The configuration of both series is identical, and the series are referred to generically in this guide as the “switch.” The switch includes a switch (the supervisor engine) as well as a router (the MSFC).
• Virtual Switching System (VSS) support—No FWSM configuration required.
Note For Cisco IOS software Version 12.2(18)SX6 and earlier, for each FWSM in a switch, the SPAN reflector feature is enabled. This feature enables multicast traffic (and other traffic that requires the central rewrite engine) to be switched when coming from the FWSM.
Assigning VLANs to the FWSM
In Cisco IOS software, create up to 16 firewall VLAN groups, and then assign the groups to the FWSM. For example, you can assign all the VLANs to one group, or you can create an inside group and an outside group, or you can create a group for each customer.
... 2-2), then the MSFC routes between the FWSM and other Layer 3 VLANs.
This section includes the following topics:
• SVI Overview, page 2-5
... FWSM by assigning both the inside and outside VLANs to the MSFC. (See Figure 2-1.)
Figure 2-1 Multiple SVI Misconfiguration (figure labels: Internet, VLAN 100, MSFC, VLAN 200, FWSM, VLAN 201, Inside)
... IPX traffic to pass on VLAN 201.
Figure 2-2 Multiple SVIs for IPX (figure labels: Internet, VLAN 100, MSFC, VLAN 200, FWSM, VLAN 201, Inside, IPX Host, IP Host)
Step 4 To enable the interface, enter the following command:
Router(config-if)# no shutdown
The following example shows a typical configuration with multiple SVIs:
Router(config)# firewall vlan-group 50 55-57
The switch supervisor sends an autostate message to the FWSM when:
• The last interface belonging to a VLAN goes down.
• The first interface belonging to a VLAN comes up.
Application partitions (cf:4 and cf:5)—Stores the application software image, system configuration, and ASDM. By default, Cisco installs the images on cf:4. You can use cf:5 as a test partition. For example, if you want to upgrade your software, you can install the new software on cf:5, but maintain the old software as a backup in case you have problems.
% reset issued for module 9
Router#
00:26:55:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
00:26:55:SP:The PC in slot 8 is shutting down. Please wait ...
Caution Management access to the FWSM causes a degradation in performance. We recommend that you avoid accessing the FWSM when high network performance is critical.
Logging out of the FWSM
To end the FWSM session and access the switch CLI, enter the following command:
hostname# exit
Logoff
This section includes the following topics:
• Saving Each Context and System Separately, page 3-4
• Saving All Context Configurations at the Same Time, page 3-4
Unable to save the configuration for the following contexts as these contexts have read-only config-urls: context ‘a’ , context ‘b’ , context ‘c’ .
To erase settings, enter one of the following commands.
• To clear all the configuration for a specified command, enter the following command:
hostname(config)# clear configure configurationcommand [level2configurationcommand]
In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows:
context a
For additional information about formatting the file, see Appendix C, “Using the Command-Line Interface.”
• How the FWSM Classifies Packets, page 4-3
• Sharing Interfaces Between Contexts, page 4-7
• Management Access to Security Contexts, page 4-9
The system configuration does include a specialized failover interface for failover traffic only.

... NAT sessions to classify the destination addresses to a context, the classifier is limited by how you can configure NAT. If you do not want to perform NAT, you must use unique interfaces.

... NAT affects them. For example, if a server sends a packet to www.example.com, then the DNS server needs to return the translated address. Your NAT configuration determines DNS entry management.)
You can access the FWSM as a system administrator in two ways:
• Session to the FWSM from the switch. From the switch, you access the system execution space.
Your FWSM might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. ASDM does not support changing modes, so you need to change modes using the CLI.
• Setting the Number of Memory Partitions, page 4-13
• Changing the Memory Partition Size, page 4-14
• Reallocating Rules Between Features for a Specific Memory Partition, page 4-19
Inspect Rules 1537
Total Rules 19,219
1. Use the show resource rule command to view the default values for partitions other than 12.
... :bandn, borders
Number of contexts :2(RefCount:2)
Number of rules :0(Max:53087)
Partition #1
Mode :non-exclusive
List of Contexts :admin, momandpopA, momandpopB, momandpopC momandpopD
Note The FWSM lets you set the memory size of each partition. Changing the partition sizes requires you to reload the FWSM.
... 19,219 rules, for a total of 249,847 rules.
hostname(config)# show resource partition
Traffic loss can occur because both units are down at the same time.
... 56616
hostname(config-partition)# resource partition 3
hostname(config-partition)# size 56615
hostname(config-partition)# show resource partition
Partition Number | Bootup Size | Current Size | Default Partition Size | Configured Size
... 0
CLS Rule     Default Limit   Configured Limit   Absolute Limit
-----------+---------+----------+---------
Policy NAT   14801   14801   14801
Filter       1152
Fixup        1537    1537    3074
Est Ctl
See Step 1 to use the show resource rule command for the total number of rules allowed.

Note The FWSM does not limit the bandwidth per context; however, the switch containing the FWSM can limit bandwidth per VLAN. See the switch documentation for more information.

... Gold Class can use more than the 97 percent of “unassigned” inspections; they can also use the 1 percent of inspections not currently in use by Context A, B, and C, even if that means that Context A, ...
Step 2 To set all resource limits (shown in Table 4-2), enter the following command:
hostname(config-resmgmt)# limit-resource all {number% | 0}
Table 4-2 lists the resource types and the limits. See also the show resource types command.
... 80 ASDM sessions represents a limit of 160 HTTPS sessions. 1 minimum 100 concurrent SSH sessions. 5 maximum concurrent ...
If you do not have an admin context (for example, if you clear the configuration) then you must first specify the admin context name by entering the following command:
hostname(config)# admin-context name
• ... alphabetic portion of the mapped name must match for both ends of the range. For example, enter the following range: int0-int10
The type can be one of the following keywords:
– ap—ASCII passive mode
– an—ASCII normal mode
– ip—(Default) Binary passive mode
– in—Binary normal mode
... 12 partitions, so the range is 0 to 11. See the “Setting the Number of Memory Partitions” section on page 4-13 to configure the number of memory partitions.

Only the current configuration displays. You can, however, save all context running configurations from the system execution space using the write memory all command.

• To remove all contexts (including the admin context), enter the following command in the system execution space:
hostname(config)# clear context

Step 3 To enter the context configuration mode for the context you want to change, enter the following command:
hostname(config)# context name

The FWSM copies the configuration from the URL specified in the system configuration. You cannot change the URL from within a context.

Shows the firewall mode for each context, either Routed or Transparent.
Shows the URL from which the FWSM loads the context configuration.
... 26214 26214 9.99% bronze 13107 All Contexts: 26214 9.99% IPSec default gold 50.00% silver 10.00% bronze unlimited All Contexts: 110.00% default ...
The percentage of the total system resources that is allocated across all contexts in the class. If the resource is unlimited, this display is blank.

Column headings: Average, Xlates, Connections, TCP Conns, UDP Conns, URL Access, URL Server Req, WebSns Req, TCP Fixup, HTTP Fixup, FTP Fixup, AAA Authen
... TCP intercept for the entire system. (Sample text in italics shows the TCP intercept information.)
hostname(config)# show resource usage summary detail
Resource Current Peak Limit Denied Context
... 0 Summary
console-access-rul 4356(S) 0 Summary
fixup-rules 8032(S) 0 Summary
S = System: Total exceeds the system limit; the system limit is shown

We recommend using the advanced routing capabilities of the upstream and downstream routers instead of relying on the FWSM for extensive routing needs.

The FWSM receives the packet and because it is a new session, the FWSM verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
... DMZ web server.
Figure 5-2 Outside to DMZ (figure labels: User, Outside 209.165.201.2, Dest Addr Translation 209.165.201.3 10.1.1.13, FWSM, 10.1.2.1, 10.1.1.1, Inside, Web Server 10.1.1.3)

... DMZ web server.
Figure 5-3 Inside to DMZ (figure labels: Outside 209.165.201.2, FWSM, 10.1.2.1, 10.1.1.1, Inside, User 10.1.2.27, Web Server 10.1.1.3)
... (access lists, filters, AAA). The packet is denied, and the FWSM drops the packet and logs the connection attempt.

The management IP address must be on the same subnet as the connected network. For another method of management, see the “Management Interface” section on page 5-8.

... DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic such as that created by IP/TV.
The inside router and hosts appear to be directly connected to the outside router.
Figure 5-6 Transparent Firewall Network (figure labels: Internet, 10.1.1.1, FWSM, Management IP 10.1.1.2, Network A, 10.1.1.3, 192.168.1.2, Network B)
You can, however, allow multicast traffic through the FWSM by allowing it in an extended access list.
Remote access VPN for management: You can use site-to-site VPN for management.
• An Outside User Visits a Web Server on the Inside Network, page 5-15
• An Outside User Attempts to Access an Inside Host, page 5-16
The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The FWSM forwards the packet to the inside user.

The FWSM performs NAT by translating the mapped address to the real address, 10.1.2.27.

If the destination MAC address is not in the FWSM table, the FWSM attempts to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.

If the outside user is attempting to attack the inside network, the FWSM employs many technologies to determine if a packet is valid for an already established session.
• ... hostname(config)# firewall transparent
• To set the mode to routed, enter the following command in each context:
hostname(config)# no firewall transparent
... NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.

If you are using failover, do not use this section to name interfaces that you are reserving for failover and Stateful Failover communications. See Chapter 14, “Configuring Failover,” to configure the failover and state links.
The following example configures parameters for VLAN 101:
hostname(config)# interface vlan 101
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
For device management, you have two available mechanisms: Any bridge group management address—Connect to the bridge group network on which your • management station is located. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01...
Step 1 hostname(config)# interface bvi bridge_group_number
Step 2 Specify the IP address by entering the following command:
hostname(config-if)# ip address ip_address [mask] [standby ip_address]
Do not enter the no form, because that command causes all commands that refer to that name to be deleted.
Step 3 To set the security level, enter the following command:
[Figure: Contexts A, B, and C, each with an inside bridge group; bridge group IP addresses shown: 209.165.200.226, 209.165.201.2, 209.165.202.129]
Context A
hostname(config)# interface vlan500
hostname(config-if)# interface vlan106
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# bridge-group 30
hostname(config-if)# interface bvi 30
hostname(config-if)# ip address 209.165.202.129 255.255.255.224
(or a virus) on the internal network that scans thousands of Internet hosts, all entries in the xlate table may be quickly exhausted.
• Outside NAT is not supported.
• You can configure static routes from one interface to another on the same security level.
Step 2 To disable the interface, enter the following command:
hostname(config-if)# shutdown
Step 3 To reenable the interface, enter the following command:
hostname(config-if)# no shutdown
The password is saved in the configuration in encrypted form, so you cannot view the original password after you enter it. Use the no password command to restore the password to the default setting.
Step 5 Change the root password by entering the following command:
root@localhost# passwd
Step 6 Enter the new password at the prompt:
Changing password for user root
New password:
Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.
context-CTX1-secondary %FWSM-5-111008: User 'enable_15' executed the 'logging console debug' command.
The order in which you enter the keywords determines the order of the elements in the prompt, which are separated by a slash (/). See the following descriptions for the keywords:
• hostname—Displays the hostname.
• domain—Displays the domain name.
For example, to add a message-of-the-day banner, enter:
hostname(config)# banner motd Welcome to $(hostname)
hostname(config)# banner motd Contact me at admin@example.com for any
hostname(config)# banner motd issues
Chapter 7 Configuring Basic Settings: Configuring a Login Banner
The FWSM processes this packet by looking up the route to select the egress interface, and then performing source IP translation (if necessary).
• Your network is small and you can easily manage static routes.
• You do not want the traffic or CPU overhead associated with routing protocols.
However, static routes are removed from the routing table if the associated interface goes down. They are reinstated when the interface comes back up.
FWSM for which there is no static or learned route is distributed among the gateways with the IP addresses 192.168.2.1, 192.168.2.2, and 192.168.2.3.
hostname(config)# route outside 0 0 192.168.2.1
hostname(config)# route outside 0 0 192.168.2.2
hostname(config)# route outside 0 0 192.168.2.3
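The two points above (the route lookup picks the egress interface before source translation, and traffic with no more specific route is spread across up to three equal-cost default gateways) as one added worked example. This is a Python model written for this page, not code from the guide or from the FWSM itself. The 10.2.0.0/16 DMZ route, the 209.165.200.225 PAT address, the SHA-256 per-flow gateway choice and the "forward untranslated when no global matches the egress interface" behaviour are assumptions of the model; the FWSM's real ECMP hashing is not described on this page.

```python
import hashlib
import ipaddress


class RoutingTable:
    """Static routes as the FWSM holds them: (prefix, egress interface, gateway)."""

    def __init__(self):
        self.routes = []

    def add(self, iface: str, prefix: str, gateway: str):
        # "route outside 0 0 192.168.2.1" corresponds to prefix "0.0.0.0/0"
        self.routes.append((ipaddress.ip_network(prefix), iface, gateway))

    def lookup(self, dst: str, flow_key: str):
        """Longest prefix wins; equal-cost routes (up to three on the FWSM) share load per flow."""
        d = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if d in r[0]]
        if not matches:
            return None
        longest = max(r[0].prefixlen for r in matches)
        candidates = sorted(r for r in matches if r[0].prefixlen == longest)
        # Assumed per-flow hash: the same 5-tuple always lands on the same gateway,
        # so one connection's packets stay on one path (the real hash is undocumented here).
        h = int(hashlib.sha256(flow_key.encode()).hexdigest(), 16)
        return candidates[h % len(candidates)]


class DynamicNat:
    """Classic nat/global pairing: nat (in_iface) id network ; global (out_iface) id address."""

    def __init__(self):
        self.nat_rules = []   # (ingress iface, nat id, source network)
        self.globals = {}     # (egress iface, nat id) -> mapped address

    def nat(self, iface: str, nat_id: int, network: str):
        self.nat_rules.append((iface, nat_id, ipaddress.ip_network(network)))

    def global_(self, iface: str, nat_id: int, address: str):
        self.globals[(iface, nat_id)] = address

    def translate(self, ingress: str, egress: str, src: str) -> str:
        """Runs after the route decision, because the global pool is tied to the egress interface."""
        s = ipaddress.ip_address(src)
        for iface, nat_id, net in self.nat_rules:
            if iface == ingress and s in net and (egress, nat_id) in self.globals:
                return self.globals[(egress, nat_id)]
        return src   # assumption: no matching global on this egress -> forwarded untranslated


def forward(rt: RoutingTable, nat: DynamicNat, ingress: str, src: str, dst: str,
            sport: int, dport: int, proto: str = "tcp"):
    """Egress interface and gateway first, translated source second."""
    route = rt.lookup(dst, f"{proto}:{src}:{sport}->{dst}:{dport}")
    if route is None:
        return None
    _net, egress, gateway = route
    return egress, gateway, nat.translate(ingress, egress, src)


def demo():
    """Constructed topology: the page's three default routes plus an assumed DMZ route and PAT."""
    rt = RoutingTable()
    for gw in ("192.168.2.1", "192.168.2.2", "192.168.2.3"):
        rt.add("outside", "0.0.0.0/0", gw)
    rt.add("dmz", "10.2.0.0/16", "10.3.0.1")
    nat = DynamicNat()
    nat.nat("inside", 1, "10.1.1.0/24")
    nat.global_("outside", 1, "209.165.200.225")
    # 300 distinct flows from one host: all three gateways get used
    gateways = {forward(rt, nat, "inside", "10.1.1.5", "198.51.100.7", p, 443)[1]
                for p in range(20000, 20300)}
    return {
        "internet": forward(rt, nat, "inside", "10.1.1.5", "198.51.100.7", 40000, 443),
        "dmz": forward(rt, nat, "inside", "10.1.1.5", "10.2.3.4", 40000, 22),
        "no_nat": forward(rt, nat, "inside", "172.16.9.9", "198.51.100.7", 40000, 443),
        "gateways_used": sorted(gateways),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>14}: {value}")
```

The order matters operationally: because the egress interface is fixed before the global pool is consulted, a global defined on a different interface than the one the route selects leaves the source untranslated in this model; on the FWSM, check with show xlate and show route that the pool and the egress interface agree.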
• To match any routes that have a destination network that matches a standard access list, enter the following command:
hostname(config-route-map)# match ip address acl_id [acl_id] [...]
The FWSM supports BGP stub routing. The BGP stub routing process advertises static and directly connected routes but does not accept routes advertised by the BGP peer.
To enable and configure a BGP routing process, perform the following steps:
Step 1 Create the BGP routing process by entering the following command:
hostname(config)# router bgp as-number
• To view debug messages for the BGP routing process, enter the following command:
hostname# debug ip bgp
The cost can be configured to specify preferred paths. The disadvantage of shortest path first algorithms is that they require a lot of CPU cycles and memory.
To define the IP addresses on which OSPF runs and to define the area ID for that interface, enter the following command:
hostname(config-router)# network ip_address mask area area_id
The following example shows how to enable OSPF:
hostname(config)# router ospf 2
The following example shows route redistribution where the link-state cost is specified as 5 and the metric type is set to external, indicating that it has lower priority than internal metrics.
hostname(config)# router ospf 1
To enable OSPF MD5 authentication, enter the following command:
hostname(config-interface)# ospf message-digest-key key_id md5 key
Set the following values:
– key_id—An identifier in the range from 1 to 255.
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0)
The following example shows how to configure the OSPF area parameters:
hostname(config)# router ospf 2
hostname(config-router)# area 0 authentication
hostname(config-router)# area 0 authentication message-digest
hostname(config-router)# area 17 stub
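What the ospf message-digest-key command and area 0 authentication message-digest turn on is OSPF cryptographic authentication (RFC 2328 Appendix D, AuType 2): every packet carries a key ID, a cryptographic sequence number and a trailing MD5 digest of the packet plus the zero-padded shared key. The following is an added example written for this page in Python, not code from the guide or from the FWSM, that builds such packets and verifies them the way a receiver must: unknown key ID, length mismatch, wrong digest and a sequence number that goes backwards are all rejected. The Hello body bytes, the router IDs and the keys "scorpius" and "newkey-2" are constructed for the demonstration.

```python
import hashlib
import hmac
import socket
import struct

# RFC 2328 Appendix D.4: cryptographic authentication (AuType 2). The digest is
# MD5(packet || key padded to 16 bytes) and is carried after the packet, outside
# the OSPF length field. The header checksum is 0 when this AuType is used.
OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTO = 2
DIGEST_LEN = 16
HDR_FMT = "!BBH4s4sHHHBBI"  # version, type, length, router ID, area ID,
                            # checksum, AuType, reserved, key ID, auth len, sequence


def _padded_key(key: bytes) -> bytes:
    if not 1 <= len(key) <= DIGEST_LEN:
        raise ValueError("key must be 1..16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def build_packet(router_id: str, area_id: str, body: bytes,
                 key_id: int, key: bytes, seq: int) -> bytes:
    """Sender side: OSPF header + body, then the trailing MD5 digest."""
    length = struct.calcsize(HDR_FMT) + len(body)
    header = struct.pack(HDR_FMT, OSPF_VERSION, OSPF_HELLO, length,
                         socket.inet_aton(router_id), socket.inet_aton(area_id),
                         0, AUTYPE_CRYPTO, 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + hashlib.md5(packet + _padded_key(key)).digest()


class Receiver:
    """Receiver side: secrets by key ID plus the last accepted sequence number per neighbor."""

    def __init__(self, keys: dict):
        self.keys = {kid: _padded_key(k) for kid, k in keys.items()}
        self.last_seq = {}

    def verify(self, packet: bytes):
        hdr_len = struct.calcsize(HDR_FMT)
        if len(packet) < hdr_len + DIGEST_LEN:
            return False, "truncated"
        (_v, _t, length, rid, _aid, _csum, autype,
         _res, key_id, auth_len, seq) = struct.unpack(HDR_FMT, packet[:hdr_len])
        if autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN:
            return False, "not cryptographic authentication"
        if length + DIGEST_LEN != len(packet):
            return False, "length mismatch"
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown key id %d" % key_id
        body, digest = packet[:length], packet[length:]
        if not hmac.compare_digest(digest, hashlib.md5(body + key).digest()):
            return False, "bad digest"
        # Replay protection: the sequence number may repeat but must not go backwards.
        if seq < self.last_seq.get(rid, 0):
            return False, "replay"
        self.last_seq[rid] = seq
        return True, "ok"


def demo():
    """Constructed exchange: a fresh Hello, a replayed one, a tampered one, a forgery, a key rollover."""
    key1, key2 = b"scorpius", b"newkey-2"
    body = b"\xff\xff\xff\x00" + b"\x00\x0a" + b"\x02\x01"   # constructed Hello fields
    rx = Receiver({1: key1, 2: key2})
    results = {}
    p5 = build_packet("10.1.1.1", "0.0.0.0", body, 1, key1, 5)
    results["fresh"] = rx.verify(p5)
    results["replay"] = rx.verify(build_packet("10.1.1.1", "0.0.0.0", body, 1, key1, 4))
    tampered = p5[:-DIGEST_LEN - 1] + b"\x00" + p5[-DIGEST_LEN:]   # flip the last body byte
    results["tampered"] = rx.verify(tampered)
    results["wrong_key"] = rx.verify(build_packet("10.1.1.1", "0.0.0.0", body, 1, b"guess", 6))
    results["rollover"] = rx.verify(build_packet("10.1.1.1", "0.0.0.0", body, 2, key2, 6))
    results["unknown_id"] = rx.verify(build_packet("10.1.1.1", "0.0.0.0", body, 7, key2, 7))
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:>10}: {'accept' if ok else 'reject'} ({why})")
```

Two practical consequences follow from the mechanism: the digest is a keyed MD5 over the packet, so it gives integrity and origin checking and (with the sequence number) replay resistance, but no confidentiality, and the shared key must be the same on every router on the link; and because the key ID is carried in clear, configure the new key ID on all neighbors before removing the old one so that rollover does not drop adjacencies.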
– You can set a type 7 default route that can be used to reach external destinations. When configured, the router generates a type 7 default into the NSSA or the NSSA area boundary router.
Step 2 To set the summary address, enter the following command:
hostname(config-router)# summary-address ip_address mask [not-advertise] [tag tag]
OSPF does not support summary-address 0.0.0.0 0.0.0.0.
SPF calculation. It can be an integer from 0 to 65535. The default time is 5 seconds. A value of 0 means that there is no delay; that is, the SPF calculation is started immediately.
LSAs waiting to be sent out an interface. The benefit of the pacing is that OSPF update and retransmission packets are sent more efficiently.
[process-id] summary-address
• To display OSPF-related virtual links information, enter the following command:
hostname# show ospf [process-id] virtual-links
For example, enter the following commands:
hostname(config)# rip inside default version 2 authentication md5 scorpius 1
EIGRP Routing Overview
EIGRP is an enhanced version of IGRP developed by Cisco. Unlike IGRP and RIP, EIGRP does not send out periodic route updates. EIGRP updates are sent out only when the network topology changes. Neighbor discovery is the process that the FWSM uses to dynamically learn of other routers on directly attached networks.
EIGRP updates.
Step 3 (Optional) To prevent an interface from sending or receiving EIGRP routing messages, enter the following command:
Step 1 Create the EIGRP routing process and enter router configuration mode for that process by entering the following command:
hostname(config)# router eigrp as-num
% Asystem(100) specified does not exist
The key argument can contain up to 16 characters. The key-id argument is a number from 0 to 255.
• To redistribute connected routes into the EIGRP routing process, enter the following command:
hostname(config-router)# redistribute connected [metric bandwidth delay reliability loading mtu] [route-map map_name]
192.168.0.0. To prevent the possibility of traffic being routed to the wrong location, you should disable automatic route summarization on the routers creating the conflicting summary addresses.
Step 1 Enter interface configuration mode for the interface on which you are disabling split horizon by entering the following command:
hostname(config)# interface phy_if
Monitoring EIGRP
You can use the following commands to monitor the EIGRP routing process. For examples and descriptions of the command output, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
• To display the EIGRP event log, enter the following command:
2 header is rewritten and the packet is re-injected into the stream.
This section contains the following topics:
• Adding Interfaces to ASR Groups, page 8-31
• Asymmetric Routing Support Example, page 8-31
A is active. However, the return traffic is being routed through the unit where context B is active. Normally, the return traffic would be dropped because there is no session information
A on the unit where context A is in the active state. This forwarding continues as needed until the session ends.
Configuring Route Health Injection
Note This feature depends on Cisco IOS Release 12.2(33)SXI or later, and is only available on the Catalyst 6500 switch.
NAT ID for multiple global commands on multiple interfaces, only those commands on the matching interface as the redistribute command are used. You can enter only one redistribute nat command.
hostname(config)# global (outside) 10 209.165.202.140-209.165.202.146 netmask 255.255.255.0
hostname(config)# global (outside) 20 209.165.202.150-209.165.202.155 netmask 255.255.255.0
hostname(config)# route-inject
hostname(config-route-inject)# redistribute nat global-pool 10 interface outside
In multiple context mode, you cannot enable the DHCP server or DHCP relay on an interface that is used by more than one context.
Step 8 To enable the DHCP daemon within the FWSM to listen for DHCP client requests on the enabled interface, enter the following command:
hostname(config)# dhcpd enable interface_name
DHCP options that are not supported by the dhcpd option command:
Table 8-1 Unsupported DHCP Options
Option Code   Description
0             DHCPOPT_PAD
1             DHCPOPT_SUBNET_MASK
12            DHCPOPT_HOST_NAME
50            DHCPOPT_REQUESTED_ADDRESS
51            DHCPOPT_LEASE_TIME
Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route. Cisco IP Phones might include both option 150 and 66 in a single request. In this case, the FWSM DHCP server provides values for both options in the response if they are configured on the FWSM.
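The option handling described above, as an added example that is not part of the guide or of the FWSM's DHCP server: a phone lists the options it wants in its parameter request list (option 55), and the reply carries a value for each requested option that the server has configured, so options 3, 66 and 150 can all appear together while an unconfigured option such as 6 is simply omitted. The Python below encodes and decodes the DHCP option TLVs (RFC 2132, plus Cisco's option 150 as a list of IPv4 addresses) and applies that selection rule; the addresses 10.1.1.1, 10.1.1.50, 10.1.1.51 and the name tftp.example.com are constructed sample configuration, and the selection function is a model of the behaviour, not the FWSM implementation.

```python
import socket
import struct

# Option codes from RFC 2132; 150 is the Cisco-specific TFTP server address list.
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_PARAM_LIST = 0, 3, 6, 55
OPT_TFTP_NAME, OPT_TFTP_ADDRS, OPT_END = 66, 150, 255


def encode_options(options: dict) -> bytes:
    """Serialize {code: raw_value} as type-length-value triples, terminated by End."""
    out = bytearray()
    for code in sorted(options):
        value = options[code]
        if len(value) > 255:
            raise ValueError("option %d longer than 255 bytes" % code)
        out += struct.pack("!BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(data: bytes) -> dict:
    """Parse an option field, skipping Pad bytes and stopping at End or at a truncated option."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END or i + 1 >= len(data):
            break
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:
            break                       # truncated option: ignore the remainder
        opts[code] = value
        i += 2 + length
    return opts


def server_reply_options(request_options: bytes, configured: dict) -> dict:
    """Model of the selection rule: reply with every option the client asked for that is configured.

    `configured` maps option code -> raw bytes (what the dhcpd option commands would set).
    """
    requested = decode_options(request_options).get(OPT_PARAM_LIST, b"")
    return {code: configured[code] for code in requested if code in configured}


def ip_list(raw: bytes) -> list:
    """Decode a concatenation of 4-byte IPv4 addresses (options 3 and 150)."""
    return [socket.inet_ntoa(raw[i:i + 4]) for i in range(0, len(raw) - len(raw) % 4, 4)]


def phone_demo():
    """Constructed exchange: a phone asks for 1, 3, 6, 66 and 150; 1 and 6 are not configured."""
    configured = {
        OPT_ROUTER: socket.inet_aton("10.1.1.1"),
        OPT_TFTP_NAME: b"tftp.example.com",
        OPT_TFTP_ADDRS: socket.inet_aton("10.1.1.50") + socket.inet_aton("10.1.1.51"),
    }
    request = encode_options({OPT_PARAM_LIST: bytes([1, OPT_ROUTER, OPT_DNS,
                                                     OPT_TFTP_NAME, OPT_TFTP_ADDRS])})
    reply = decode_options(encode_options(server_reply_options(request, configured)))
    return {
        "router": ip_list(reply[OPT_ROUTER]),
        "tftp_name": reply[OPT_TFTP_NAME].decode("ascii"),
        "tftp_addrs": ip_list(reply[OPT_TFTP_ADDRS]),
        "omitted": sorted({1, OPT_DNS} - set(reply)),
    }


if __name__ == "__main__":
    print(phone_demo())
```

Option 3 and option 150 are the two values a phone on this subnet trusts most (its default gateway and where it fetches its firmware and configuration from), so the DHCP server interface should be one the phones' VLAN reaches and not a shared VLAN, which the preceding note on multiple context mode already rules out.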
Step 1 To configure an interface-specific server, enter the following commands:
hostname(config)# interface {vlan vlan_id | mapped_name}
hostname(config-if)# dhcprelay server ip_address
hostname(config)# dhcprelay server 209.165.200.225 outside
hostname(config)# dhcprelay server 209.165.201.4 dmz
hostname(config)# dhcprelay enable inside1
hostname(config)# dhcprelay setroute inside1
hostname(config)# dhcprelay enable inside2
Verifying the DHCP Relay Configuration
To view the interface-specific DHCP relay configuration, enter the following command:
hostname# show running-config dhcprelay interface [vlan vlan_id | mapped_name]
Configuring IP Routing and DHCP Services: Configuring DHCP
To view the global DHCP relay configuration, enter the following command:
hostname# show running-config dhcprelay global
Rendezvous Point, and therefore along the shared tree to receivers, without requiring source-specific state. The DF election takes place during Rendezvous Point discovery and provides a default route to the Rendezvous Point.
• Disabling IGMP on an Interface, page 9-3
• Configuring Group Membership, page 9-3
• Configuring a Statically Joined Group, page 9-3
To configure a statically joined multicast group on an interface, enter the following command:
hostname(config-if)# igmp static-group group-address
By default, the PIM designated router on the subnet is responsible for sending the query messages. By default, they are sent once every 125 seconds. To change this interval, enter the following command:
To forward the host join and leave messages, enter the following command from the interface attached to the stub area:
hostname(config-if)# igmp forward interface if_name
Note Stub Multicast Routing and PIM are not supported concurrently.
Disabling PIM on an Interface
You can disable PIM on specific interfaces. To disable PIM on an interface, enter the following command:
Filtering PIM Register Messages
You can configure the FWSM to filter PIM register messages. To filter PIM register messages, enter the following command:
• configure
• copy
• http
• name
• object-group
• ping
• show conn
• show local-host
• show tcpstat
You can configure both IPv6 and IPv4 addresses on an interface.
Note You cannot configure IPv6 on an interface that is used by more than one context (a shared VLAN).
See the “Example 4: IPv6 Configuration Example” section on page B-13 for an example of IPv6 addresses applied to an interface.
Note Changing this value changes it for all neighbor solicitation messages sent out on the interface, not just those used for duplicate address detection.
• permit | deny—Determines whether the specified traffic is blocked or allowed to pass.
• icmp—Indicates that the access list entry applies to ICMP traffic.
After the source node receives the neighbor advertisement, the source node and destination node can communicate. Figure 10-1 shows the neighbor solicitation and response process.
To configure the amount of time that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred, enter the following command:
hostname(config-if)# ipv6 nd reachable-time value
You can configure the following settings for router advertisement messages:
• The time interval between periodic router advertisement messages.
Note For stateless autoconfiguration to work properly, the advertised prefix length in router advertisement messages must always be 64 bits.
The output for the command shows the following:
• The name and status of the interface.
• The link-local and global unicast addresses.
This section includes the following topics:
• About Authentication, page 11-2
• About Authorization, page 11-2
• About Accounting, page 11-2
FWSM for the session, the service used, and the duration of each session.
2. For firewall sessions, RADIUS authorization is supported with user-specific access lists only, which are received or specified in a RADIUS authentication response.
3. Local command authorization is supported by privilege level only.
The security appliance deletes the access list when the authentication session expires.
TACACS+ Server Support
The security appliance supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
The FWSM uses NTLM Version 1 for user authentication with the Microsoft Windows domain server. The FWSM grants or denies user access based on the response from the domain server.
With the exception of fallback for network access authentication, the local database can act as a fallback method for the functions in Table 11-1. This behavior is designed to help you prevent accidental lockout from the FWSM.
Step 1 Create the user account. To do so, enter the following command:
hostname(config)# username username {nopassword | password password} [privilege level]
The following commands create a user account with a password, enter username mode, and specify a few VPN attributes:
hostname(config)# username user1 password gOgeOus
hostname(config)# username user1 attributes
For more information about this command, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
(indicated by “—”), use the command to specify the value. For more information about these commands, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
hostname(config)# aaa-server AuthOutbound protocol radius
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.3
hostname(config-aaa-server-host)# key RadUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server NTAuth protocol nt
Configuring AAA Servers and the Local Database: Identifying AAA Server Groups and Servers
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server NTAuth (inside) host 10.1.1.4
hostname(config-aaa-server-host)# nt-auth-domain-controller primary1
This process relies on the receiver having a copy of the public key of the sender and a high degree of certainty that this key belongs to the sender, not to someone pretending to be the sender.
Separate signing and encryption keys help reduce exposure of the keys. This is because SSL uses a key for encryption but not signing, while IKE uses a key for signing but not encryption.
If you do not assign a label, the key pair is automatically labeled Default-RSA-Key. To assign a label to each key pair, enter the following command:
hostname/contexta(config)# crypto key generate rsa label key-pair-label
For the aaa authentication include command, you can use only TACACS+ or RADIUS user accounting to be authenticated or authorized on a server designated by the aaa-server command.
Step 2 To configure secure authentication to the HTTP client, enter the following command:
hostname(config)# aaa authentication secure-http-client
For more information about command usage, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
Verifying Configurations for Specified Settings
Before you import third-party certificates, you must have configured certain AAA settings, the AAA server, access lists, and optionally, virtual HTTP.
To control which trustpoint sharing a CA is used for validation of user certificates issued by that CA, enter the support-user-cert-validation command.
Inc. c=US
Subject Name:
cn=atl-lx-sbacchus.cisco.com
o=Cisco Systems\, Inc
sa=170 West Tasman Dr
l=San Jose
st=California
pc=95134
c=US
serialNumber=C1183477
2.5.4.15=#131256312e302c20436c6175736520352e286229
1.3.6.1.4.1.311.60.2.1.2=#130a43616c69666f726e6961
1.3.6.1.4.1.311.60.2.1.3=#13025553
access-list FWACL extended permit tcp any any eq https
access-group FWACL in interface outside
timeout uauth 0:05:00 absolute
aaa-server TacacsServers protocol tacacs+
reactivation-mode depletion deadtime 2
The auth-prompt series of commands changes the prompt that users see, so you know that the FWSM is making the request.
• IP Addresses Used for Access Lists When You Use NAT, page 13-3
• Access List Commitment, page 13-5
• Maximum Number of ACEs, page 13-6
ACEs are checked. For example, if you create an ACE at the beginning of an access list that explicitly permits all traffic, no further statements are ever checked. You can disable an ACE by making it inactive.
See the following commands for this example:
hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225
hostname(config)# access-group INSIDE in interface inside
See the following commands for this example:
hostname(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5
hostname(config)# access-group OUTSIDE in interface outside
For information about exceeding memory limits, see the “Maximum Number of ACEs” section.
ICMP inspection engine. The ICMP inspection engine treats ICMP sessions as bidirectional connections.
(for example, INSIDE), or for the purpose for which it is created (for example, NO_NAT or VPN).
When you specify a network mask, the method is different from the Cisco IOS software access-list command. The FWSM uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
IP traffic that you previously allowed with an extended access list. IPv4 and ARP traffic cannot be controlled with an EtherType access list.
FWSM to use the IP address on the FWSM interface as the router-id for LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.) On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the FWSM.
For example, consider the following three object groups:
• MyServices—Includes the TCP and UDP port numbers of the service requests that are allowed access to the internal network
The description can be up to 200 characters.
Step 3 To define the protocols in the group, enter the following command for each protocol:
hostname(config-protocol)# protocol-object protocol
You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.
For example, you create network object groups for privileged users from various departments:
hostname(config)# object-group network eng
hostname(config-network)# network-object host 10.1.1.5
hostname(config-network)# network-object host 10.1.1.9
hostname(config-network)# network-object host 10.1.1.89
hostname(config-network)# object-group network hr
[protocol | network | services | icmp-type]
If you do not enter a type, all object groups are removed.
Before optimization:
access-list test extended permit udp 10.1.1.0 255.255.255.0 any [rule x]
access-list test extended permit udp 10.1.1.1 255.255.255.255 any [rule y]
80 130 log disable [rule y]
After optimization:
access-list test extended deny tcp any any range 50 100 log default [rule x]
The following is an example of an optimized access list configuration.
Show the optimized access list:
hostname(config)# show access-list test optimization
access-list test; 13 elements before optimization
7 elements after optimization
Reduction rate = 46%
Show the optimized access list range 6 through 9 in detail:
hostname(config)# show access-list test optimization detail range 6 9
access-list test; 13 elements before optimization
This will cause some rules to be deleted. Thus, it is considered a good practice to back up the original configuration before proceeding with disabling access list group optimization.
Because no end time and date are specified, the time range is in effect indefinitely.
hostname(config)# time-range for2006
hostname(config-time-range)# absolute start 8:00 1 january 2006
106100, which provides statistics for each ACE and lets you limit the number of system log messages produced. Alternatively, you can disable all logging.
ICMP, all packets are logged even if they are permitted, and all denied packets are logged. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Log Messages for detailed information about this system log message.
When the limit is reached, the FWSM does not create a new deny flow for logging until the existing flows expire.
The seconds value is between 1 and 3600; the default is 300.
All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key.
Even though both FWSMs are assigned the same VLANs, only the active module takes part in networking. The standby module does not pass any traffic.
FWSM VLANs (VLANs 10 and 11).
Note FWSM failover is independent of the switch failover operation; however, FWSM works in any switch failover scenario.
[Figure: Active/Standby failover. Failover links VLAN 10 and VLAN 11 carried on a trunk (VLANs 10 & 11) between the Active FWSM and the Standby FWSM; firewall VLANs 201 (Inside), 202, and 203 (Mktg).]
[Figure: Failover after a failure. Failover links VLAN 10 and VLAN 11 carried on a trunk (VLANs 10 & 11) between the Failed FWSM and the now Active FWSM; firewall VLANs 201 (Inside), 202, and 203 (Mktg).]
Because the FWSMs bridge packets between the same two VLANs, loops can occur when inside packets destined for the outside get
• Device Initialization and Configuration Synchronization, page 14-9
• Command Replication, page 14-11
• Failover Triggers, page 14-11
• Failover Actions, page 14-12
(except for the failover commands needed to communicate with the active unit), and the active unit sends its entire configuration to the standby unit.
• The no failover active command is entered on the active unit or the failover active command is entered on the standby unit.
• Primary/Secondary Status and Active/Standby Status, page 14-13
• Device Initialization and Configuration Synchronization, page 14-14
• Command Replication, page 14-14
Note FWSM does not provide load balancing services. Load balancing must be handled by a router passing traffic to FWSM.
If you do not enter the commands on the appropriate unit for command replication to occur, the configurations become out of synchronization. Those changes may be lost the next time configuration synchronization occurs.
• The unit has a software failure.
• The no failover active or the failover active command is entered in the system execution space.
No failover: Become active / Become active
If the failover link is down at startup, both failover groups on both units will become active.
FWSM supports two types of failover, regular and stateful. This section includes the following topics:
• Regular Failover, page 14-18
• Stateful Failover, page 14-18
Note If failover occurs during an active Cisco IP SoftPhone session, the call will remain active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client will lose connection with the CallManager. This occurs because there is no session information for the CTIQBE hangup message on the standby unit.
5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the ARP test begins.
For multiple context mode, all steps are performed in the system execution space unless otherwise noted.
Note If the state link uses the failover link, skip this step. You have already defined the failover link active and standby IP addresses.
Enter this command exactly as you entered it on the primary unit when you configured the failover interface on the primary unit.
1200 seconds. If the delay is not specified, there is no delay. When the primary unit becomes active, the secondary unit enters the standby state.
When specifying a specific number of interfaces, the num argument can be from 1 to 250. When specifying a percentage of interfaces, the num argument can be from 1 to 100.
Note Do not configure an IP address for the failover link or for the state link (if you are going to use Stateful Failover).
hostname(config-if)# ip address active_addr netmask standby standby_addr
Step 4 Configure the failover groups. You can have at most two failover groups. The failover group command creates the specified failover group if it does not exist and enters the failover group configuration mode.
Note Enter this command exactly as you entered it on the primary unit when you configured the failover interface.
However, if one unit boots before the other, then both failover groups become active on that unit. When the other unit comes online, any failover groups
When specifying a specific number of interfaces, the num argument can be from 1 to 250. When specifying a percentage of interfaces, the num argument can be from 1 to 100.
This section includes the following topics:
• Viewing Failover Status for Active/Standby, page 14-32
• Viewing Failover Status for Active/Active, page 14-35
Interface outside (192.168.5.121): Normal
Interface inside (192.168.0.1): Normal
Peer context: Not Detected
Active time: 0 (sec)
Interface outside (192.168.5.131): Normal
Interface inside (192.168.0.11): Normal
The amount of time the unit has been active. This time is cumulative, so the standby unit, if it was active in the past, will also show a value.
L2BRIDGE tbl: Layer 2 bridge table information (transparent firewall mode only).
Xlate_Timeout: Indicates connection translation timeout information.
VPN IKE upd: IKE connection information.
Interface outside (10.3.3.2): Normal
ctx2 Interface inside (10.4.4.2): Normal
Other host: Secondary
Group 1 State: Standby Ready
Active time: 190 (sec)
Interface outside (192.168.5.131): Normal
admin Interface inside (192.168.0.11): Normal
Stateful Failover Logical Update Statistics
Status: Configured.
RPC services
TCP conn
UDP conn
ARP tbl
• Unknown—FWSM cannot determine the status of the interface.
• Waiting—Monitoring of the network interface on the other unit has not yet started.
GTP PDP: GTP PDP update information. This information appears only if inspect GTP is enabled.
GTP PDPMCB: GTP PDPMCB update information. This information appears only if inspect GTP is enabled.
• For Active/Active failover, enter the following command on the unit where the failover group containing the interface connecting your hosts is active:
Or, enter the following command in the system execution space of the unit where the failover group is in the active state:
hostname# no failover active group group_id
If previously active, a failover group will become active if it is configured with the preempt command and if the unit on which it failed is its preferred unit.
411001 and 411002. This is normal activity.
Debug Messages
To see debug messages, enter the debug fover command. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information.
Note Because debugging output is assigned high priority in the CPU process, it can drastically affect system performance.
HR extended permit ip any any
hostname(config)# access-group HR in interface hr
hostname(config)# access-list ENG extended permit ip any any
hostname(config)# access-group ENG in interface eng
The following access list denies traffic with EtherType 0x1256 but allows all others on both interfaces:
hostname(config)# access-list nonIP ethertype deny 1256
hostname(config)# access-list nonIP ethertype permit any
hostname(config)# access-group ETHER in interface inside
hostname(config)# access-group ETHER in interface outside
• Order of NAT Commands Used to Match Real Addresses, page 16-15
• Maximum Number of NAT Statements, page 16-15
• Mapped Address Guidelines, page 16-15
• DNS and NAT, page 16-16
209.165.201.10, and the FWSM receives the packet. The FWSM then undoes the translation of the mapped address, 209.165.201.10, back to the real address, 10.1.1.1.27, before sending it on to the host.
ARP request to a host on the other side of the firewall, and the initiating host real address is mapped to a different address on the same subnet, then the real address remains visible in the ARP request.
192.168.1.0 255.255.255.0 10.1.1.3 1
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# nat (inside) 1 192.168.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.1-209.165.201.15
NAT. If you upgraded from an earlier version of software, however, NAT control might be enabled on your system.
IP address after the translation times out. (See the timeout xlate command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.) Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (even if the connection is allowed by an access list), and the FWSM rejects any attempt to connect to a real host address directly.
Because the address is unpredictable, a connection to the host is unlikely. However, in this case, you can rely on the security of the access list.
(if there is an access list that allows it), while dynamic NAT does not. You also need an equal number of mapped addresses as real addresses with static NAT.
8080. Similarly, if you want to provide extra security, you can tell your web users to connect to non-standard port 6785, and then undo translation to port 80.
IP addresses for the secondary channel. This way, the FWSM translates the secondary ports.
(inside) 1 access-list NET1
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list NET2
hostname(config)# global (outside) 2 209.165.202.130
Because there is a maximum number of NAT sessions (see the “Managed System Resources” section on page A-4), these types of NAT sessions might cause you to run into the limit.
These inspection engines include Skinny, SIP, and H.323. See the “Inspection Engine Overview” section on page 22-2 for supported inspection engines.
If you use OSPF to advertise mapped IP addresses that belong to a different subnet from the mapped interface, you need to create
NAT it. The necessary route can be learned via static routing or by any other routing protocol, such as RIP or OSPF.
See the following command for this example:
hostname(config)# static (inside,outside) 209.165.201.10 10.1.3.14 netmask 255.255.255.255
Note If a user on a different network (for example, DMZ) also requests the IP address for ftp.cisco.com from the outside DNS server, then the IP address in the DNS reply is also modified for this user, even though the user is not on the Inside interface referenced by the static command.
To enable NAT control, enter the following command:
hostname(config)# nat-control
To disable NAT control, enter the no form of the command.
This section describes how to configure dynamic NAT and PAT, and it includes the following topics:
• Dynamic NAT and PAT Implementation, page 16-20
• Configuring Dynamic NAT or PAT, page 16-26
[Figure: NAT 1 translates the Inside network 10.1.2.0/24, including host 10.1.2.27.]
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
(inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (inside) 1 192.168.1.0 255.255.255.0
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
NAT, you can specify the same real addresses for multiple nat commands, as long as the destination addresses and ports are unique in each access list.
PAT statement in case all the dynamic NAT addresses are depleted. Similarly, you might enter two PAT statements if you need more than the approximately 64,000 PAT sessions that a single PAT mapped statement supports. (See Figure 16-18.)
Inside interface), the inside host uses a static command to allow outside access, so both the source and destination addresses are translated.
NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected.
Step 1 To identify the real addresses that you want to translate, enter one of the following commands:
• Policy NAT:
hostname(config)# nat (real_interface) nat_id access-list acl_name [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]
However, leaving ISN randomization enabled on both firewalls does not affect the
(10.1.1.0), for example, to simplify routing, enter the following commands:
hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
hostname(config)# global (inside) 1 10.1.1.45
[Figure 16-22 Static NAT: through the FWSM, inside host 10.1.1.1 is mapped to 209.165.201.1 and inside host 10.1.1.2 is mapped to 209.165.201.2 on the Outside.]
The clear xlate command clears all connections, even when xlate-bypass is enabled and when a connection does not have an xlate. For more information about these commands, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
Do not use a mapped address in the static command that is also defined in a global command for the same mapped interface. For more information about static PAT, see the “Static PAT” section on page 16-9.
(10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering the following commands:
hostname(config)# access-list TELNET permit tcp host 10.1.1.15 10.1.3.0 255.255.255.0 eq telnet
NAT or policy NAT. Policy NAT lets you identify the real and destination addresses when determining the real addresses to translate. (See the “Policy NAT” section on page 16-10 for more
For example, the following command uses static identity NAT for an inside IP address (10.1.1.3) when accessed by the outside:
hostname(config)# static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255
NAT exemption also does not consider the inactive or time-range keywords; all ACEs are considered to be active for NAT exemption configuration.
This section describes typical scenarios that use NAT solutions, and it includes the following topics:
• Overlapping Networks, page 16-38
• Redirecting Ports, page 16-39
Step 3 Configure the following static routes so that traffic to the DMZ network can be routed correctly by the FWSM:
hostname(config)# route dmz 192.168.100.128 255.255.255.128 10.1.1.2 1
hostname(config)# route dmz 192.168.100.0 255.255.255.128 10.1.1.2 1
• HTTP port 8080 requests to PAT address 209.165.201.15 are redirected to 10.1.1.7 port 80.
To implement this scenario, perform the following steps:
Step 5 Redirect HTTP requests on port 8080 for PAT address 209.165.201.15 to 10.1.1.7 port 80 by entering the following command:
hostname(config)# static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255
For HTTP, you log in using basic HTTP authentication supplied by the browser. For HTTPS, the FWSM generates custom login windows.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
Enabling Network Access Authentication
To enable network access authentication, perform the following steps:
MAIL_AUTH extended permit tcp any any eq smtp
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq www
hostname(config)# aaa authentication match MAIL_AUTH inside AuthOutbound
Step 4 To show text when a user is rejected due to invalid credentials, enter the following command:
After enabling this feature, when a user accesses a web page requiring authentication, the FWSM displays the Authentication Proxy Login Page shown in Figure 17-1.
PAT for web traffic and the second line must be added to support the HTTPS authentication configuration.
static (inside,outside) tcp 10.132.16.200 www 10.130.16.10 www
If the user establishes the session with a protocol whose authentication challenge is enabled (such as HTTP), FTP traffic is allowed.
17-3. If you have already enabled authentication, continue to the next step. To enable authorization, enter the following command: Step 2 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 17-9 OL-20748-01...
Configuring a RADIUS Server to Download Per-User Access Control List Names, page 17-12 Configuring a RADIUS Server to Download Per-User Access Control Lists This section describes how to configure Cisco Secure ACS or a third-party RADIUS server, and includes the following topics: Configuring Cisco Secure ACS for Downloadable Access Lists, page 17-11 •...
On the FWSM, the downloaded access list has the following name:
#ACSACL#-ip-acl_name-number
The acl_name argument is the name that is defined on Cisco Secure ACS (acs_ten_acl in the preceding example), and number is a unique version ID generated by Cisco Secure ACS.
FWSM. If this parameter is omitted, the sequence value is 0, and the order of the ACEs inside the cisco-av-pair RADIUS VSA is used. The following example is an access list definition as it should be configured for a cisco-av-pair VSA on a RADIUS server:
ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0...
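The ordering rule above is easy to get wrong when a RADIUS administrator lists the ACEs in one order and numbers them in another. The following Python model is an added example, not Cisco code and not part of this guide: it parses ip:inacl av-pairs from a constructed VSA, orders them as the text describes (explicit sequence number first; omitted sequence counts as 0 and falls back to the order inside the VSA, which this code implements as a stable sort on the sequence value), rejects duplicate sequence numbers, and runs a small lint that reports permit ACEs shadowed by an earlier blanket deny. The unnumbered form ip:inacl=<ace> and the sample VSA contents are assumptions for illustration.

```python
"""Model of cisco-av-pair downloadable ACE ordering on the FWSM (added example).

Assumptions (not stated on the page): an entry without a sequence number is
written ``ip:inacl=<ace>``; numbered and unnumbered entries are merged by a
stable sort on the sequence value, so unnumbered (sequence 0) entries come
first, in VSA order. The VSA contents below are constructed sample data.
"""
import re
from typing import List, Tuple

AV_PAIR = re.compile(r"^ip:inacl(?:#(?P<seq>\d+))?=(?P<ace>.+)$")


def parse_av_pairs(values: List[str]) -> List[Tuple[int, int, str]]:
    """Return (sequence, position_in_vsa, ace) for every ip:inacl av-pair."""
    parsed = []
    for position, value in enumerate(values):
        m = AV_PAIR.match(value.strip())
        if m is None:
            raise ValueError(f"not an ip:inacl av-pair: {value!r}")
        seq = int(m.group("seq")) if m.group("seq") is not None else 0
        parsed.append((seq, position, m.group("ace").strip()))
    return parsed


def ordered_aces(values: List[str]) -> List[str]:
    """ACEs in the order the FWSM applies them: by sequence, then VSA order."""
    parsed = parse_av_pairs(values)
    numbered = [seq for seq, _pos, _ace in parsed if seq != 0]
    if len(numbered) != len(set(numbered)):
        raise ValueError("duplicate sequence numbers in cisco-av-pair VSA")
    return [ace for _seq, _pos, ace in sorted(parsed)]


def shadowed_permits(aces: List[str]) -> List[str]:
    """Permit ACEs that can never match because an earlier 'deny <proto> any any'
    (or 'deny ip any any') already covers their protocol. A lint, not a full
    ACL simulator: it only looks at blanket any/any denies."""
    blanket = set()
    shadowed = []
    for ace in aces:
        parts = ace.split()
        if len(parts) < 2:
            continue
        action, proto = parts[0], parts[1]
        if action == "deny" and parts[2:4] == ["any", "any"]:
            blanket.add(proto)
        elif action == "permit" and (proto in blanket or "ip" in blanket):
            shadowed.append(ace)
    return shadowed


# Constructed VSA: listed out of order on the RADIUS server, but numbered so
# that the specific permits are evaluated before the blanket denies.
VSA = [
    "ip:inacl#99=deny tcp any any",
    "ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0",
    "ip:inacl#100=deny udp any any",
    "ip:inacl#2=permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0",
]

# Same policy with the sequence numbers omitted: VSA order is used, so the
# deny comes first and the permit is unreachable.
UNNUMBERED = [
    "ip:inacl=deny tcp any any",
    "ip:inacl=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0",
]

if __name__ == "__main__":
    for label, vsa in (("numbered", VSA), ("unnumbered", UNNUMBERED)):
        aces = ordered_aces(vsa)
        print(f"{label}: {aces}")
        print(f"  shadowed permits: {shadowed_permits(aces)}")
```

Run the lint against what the RADIUS server will actually send, not against the ACL as displayed in the ACS interface: the FWSM only sees the av-pair strings, so the sequence numbers are the sole thing that fixes the order.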
Chapter 17 Applying AAA for Network Access
Note: In Cisco Secure ACS, the value for filter-id attributes is specified in boxes in the HTML interface, omitting filter-id= and entering only acl_name. For information about making the filter-id attribute value unique per user, see the documentation for your RADIUS server.
Step 2 To exempt traffic for the MAC addresses specified in a particular MAC list, enter the following command:
hostname(config)# aaa mac-exempt match id
hostname(config)# mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffff
hostname(config)# mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000
hostname(config)# aaa mac-exempt match 1
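The point of that example is ordering: the deny for one host only works because it sits above the permit for the whole 00a0.c95d.xxxx block. The following Python model is an added example, not Cisco code and not part of this guide. It parses the mac-list lines above, applies them top-down with first-match semantics (my reading of how the FWSM evaluates a MAC list; a MAC that matches no entry is treated as not exempt), and shows what happens to the same host when the two entries are swapped. The test MACs are constructed.

```python
"""Model of FWSM ``mac-list`` / ``aaa mac-exempt`` evaluation (added example, not Cisco code).

Assumptions (not stated on the page): entries are evaluated in configuration
order and the first entry whose (mac AND mask) equals (entry_mac AND mask)
decides; a MAC matching no entry is not exempt and remains subject to AAA.
"""
from typing import Dict, List, Tuple

Entry = Tuple[str, int, int]  # (action, mac_as_int, mask_as_int)


def mac_to_int(dotted: str) -> int:
    """Convert Cisco dotted-hex notation (00a0.c95d.0282) to an integer."""
    hexdigits = dotted.replace(".", "")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC or mask {dotted!r}")
    return int(hexdigits, 16)


def parse_mac_list(config_lines: List[str]) -> List[Entry]:
    """Parse ``mac-list <id> {permit|deny} <mac> <mask>`` lines in configuration order."""
    entries: List[Entry] = []
    for line in config_lines:
        parts = line.split()
        if len(parts) != 5 or parts[0] != "mac-list":
            continue  # ignore unrelated lines such as the aaa mac-exempt command
        _, _list_id, action, mac, mask = parts
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in {line!r}")
        entries.append((action, mac_to_int(mac), mac_to_int(mask)))
    return entries


def mac_exempt(entries: List[Entry], mac: str) -> bool:
    """True if the MAC is exempt from authentication and authorization."""
    value = mac_to_int(mac)
    for action, entry_mac, mask in entries:
        if (value & mask) == (entry_mac & mask):
            return action == "permit"  # first match wins
    return False  # no match: not exempt, AAA rules still apply


def evaluate(config_lines: List[str], macs: List[str]) -> Dict[str, bool]:
    entries = parse_mac_list(config_lines)
    return {mac: mac_exempt(entries, mac) for mac in macs}


# Constructed input: the page's own example, one host denied and the rest of
# the 00a0.c95d.xxxx block permitted.
EXAMPLE_CONFIG = [
    "mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffff",
    "mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000",
    "aaa mac-exempt match 1",
]
# Same two entries in the opposite order: the deny can never match.
REORDERED_CONFIG = [EXAMPLE_CONFIG[1], EXAMPLE_CONFIG[0], EXAMPLE_CONFIG[2]]

if __name__ == "__main__":
    probes = ["00a0.c95d.0282", "00a0.c95d.1234", "0011.2233.4455"]
    for label, cfg in (("as configured", EXAMPLE_CONFIG), ("reordered", REORDERED_CONFIG)):
        print(label)
        for mac, exempt in evaluate(cfg, probes).items():
            print(f"  {mac}: {'exempt' if exempt else 'subject to AAA'}")
```

Keep in mind that a MAC exemption is only as strong as the source MAC, which any host on the same segment can forge; it is a convenience for devices that cannot authenticate, not an identity check.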
This section describes how to apply filtering to remove ActiveX objects from HTTP traffic passing through the firewall. This section includes the following topics:
• ActiveX Filtering Overview, page 18-2
• Enabling ActiveX Filtering, page 18-2
To remove the configuration, use the no form of the command, as in the following example:
hostname(config)# no filter activex 80 0 0 0 0
To remove the configuration, use the no form of the command, as in the following example:
hostname(config)# no filter java http 192.168.3.3 255.255.255.255 0 0
Note: You must add the filtering server before you can configure filtering for HTTP or HTTPS with the filter command. You must also remove all filter commands before you remove the filtering servers from the configuration.
hostname(config)# url-server (perimeter) vendor n2h2 host 10.0.1.1
hostname(config)# url-server (perimeter) vendor n2h2 host 10.0.1.2
This identifies two Sentian filtering servers, both on a perimeter interface of the FWSM.
Use the dst keyword to cache entries based on the URL destination address. Select this mode if all users share the same URL filtering policy on the Websense server.
(Websense only) You can also configure the maximum size of the URL buffer memory pool with the following command:
hostname(config)# url-block url-mempool memory_pool_size
FWSM using HTTP or FTP before accessing HTTPS servers. To enable HTTPS filtering, enter the following command:
hostname(config)# filter https port localIP local_mask foreign_IP foreign_mask [allow]
./files instead of cd /public/files.
Viewing Filtering Statistics and Configuration
This section describes how to monitor filtering statistics. This section includes the following topics:
128
url-block url-size 4
url-block block 128
This shows the configuration of the URL block buffer.
URL Access and URL Server Req rows.
Viewing Filtering Configuration
The following is sample output from the show running-config filter command:
Chapter 18 Applying Filtering Services
hostname# show running-config filter
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
• If the ARP packet does not match any entries in the static ARP table, then you can set the FWSM to either forward the packet out all interfaces (flood), or to drop the packet.
To view the current settings for ARP inspection on all interfaces, enter the show arp-inspection command.
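To make the three outcomes concrete (static entry matches: forward; IP or MAC conflicts with a static entry: drop; no static entry at all: flood or drop depending on the interface setting), here is an added Python model. It is not Cisco code and not part of this guide. It reads a constructed configuration using the FWSM arp and arp-inspection commands, then classifies constructed ARP packets. Treating an enable with no keyword as flood (the default) and treating a packet whose IP/MAC pair is bound to a different interface as a conflict are my assumptions.

```python
"""Model of FWSM ARP inspection on a transparent firewall (added example, not Cisco code).

Rules modelled from the chapter: an ARP packet whose interface, IP and MAC all
match a static entry is forwarded; one whose IP or MAC appears in a static entry
with a different binding is dropped; one with no related static entry is flooded
or dropped according to the interface's flood / no-flood setting. Assumptions:
``arp-inspection <if> enable`` without a keyword means flood, and a static
binding on another interface counts as a conflict. Config and packets are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ArpPacket:
    interface: str
    sender_ip: str
    sender_mac: str


@dataclass
class ArpInspection:
    static: Dict[Tuple[str, str], str]  # (interface, ip) -> mac
    enabled: Dict[str, bool]            # interface -> True=flood, False=no-flood


def parse_config(lines: List[str]) -> ArpInspection:
    """Parse ``arp <if> <ip> <mac>`` and ``arp-inspection <if> enable [flood|no-flood]``."""
    static: Dict[Tuple[str, str], str] = {}
    enabled: Dict[str, bool] = {}
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and parts[0] == "arp":
            _, iface, ip, mac = parts
            static[(iface, ip)] = mac.lower()
        elif len(parts) >= 3 and parts[0] == "arp-inspection" and parts[2] == "enable":
            mode = parts[3] if len(parts) > 3 else "flood"  # assumption: default is flood
            if mode not in ("flood", "no-flood"):
                raise ValueError(f"unknown arp-inspection mode in {line!r}")
            enabled[parts[1]] = mode == "flood"
    return ArpInspection(static, enabled)


def decide(cfg: ArpInspection, pkt: ArpPacket) -> str:
    """Return 'forward', 'drop' or 'flood' for one ARP packet."""
    if pkt.interface not in cfg.enabled:
        return "forward"  # ARP inspection not enabled on this interface
    mac = pkt.sender_mac.lower()
    if cfg.static.get((pkt.interface, pkt.sender_ip)) == mac:
        return "forward"  # exact match with a static entry
    ip_known = any(ip == pkt.sender_ip for (_iface, ip) in cfg.static)
    mac_known = mac in cfg.static.values()
    if ip_known or mac_known:
        return "drop"  # conflicts with a static entry: likely ARP spoofing
    return "flood" if cfg.enabled[pkt.interface] else "drop"


def inspect_all(lines: List[str], packets: List[ArpPacket]) -> List[Tuple[ArpPacket, str]]:
    cfg = parse_config(lines)
    return [(pkt, decide(cfg, pkt)) for pkt in packets]


# Constructed configuration: two static bindings, inside locked down with
# no-flood, outside left at flood, dmz without inspection.
CONFIG = [
    "arp inside 10.1.1.1 0009.7cbe.2100",
    "arp outside 10.1.1.254 0009.7cbe.0001",
    "arp-inspection inside enable no-flood",
    "arp-inspection outside enable flood",
]

# Constructed packets covering each outcome.
PACKETS = [
    ArpPacket("inside", "10.1.1.1", "0009.7cbe.2100"),    # legitimate host
    ArpPacket("inside", "10.1.1.1", "00aa.bbcc.dde1"),    # same IP, wrong MAC
    ArpPacket("inside", "10.1.1.77", "0009.7cbe.2100"),   # known MAC, wrong IP
    ArpPacket("outside", "10.1.1.1", "0009.7cbe.2100"),   # right pair, wrong interface
    ArpPacket("inside", "10.1.1.50", "00aa.bbcc.dde2"),   # unknown, no-flood interface
    ArpPacket("outside", "10.1.1.60", "00aa.bbcc.dde3"),  # unknown, flood interface
    ArpPacket("dmz", "10.2.2.2", "00aa.bbcc.dde4"),       # inspection not enabled
]

if __name__ == "__main__":
    for pkt, verdict in inspect_all(CONFIG, PACKETS):
        print(f"{pkt.interface:8} {pkt.sender_ip:12} {pkt.sender_mac}  -> {verdict}")
```

The no-flood setting is the one that actually stops an unknown host from poisoning caches across the bridge, but it also means every legitimate host on that interface needs a static entry; flood keeps things working while you build that table.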
The default timeout value for dynamic MAC address table entries is 5 minutes, but you can change the timeout. To change the timeout, enter the following command:
hostname(config)# mac-address-table aging-time timeout_value
The following is sample output from the show mac-address-table command that shows the table for the inside interface:
hostname# show mac-address-table inside
interface    mac address       type      Age(min)   Group
-----------------------------------------------------------------------
inside       0010.7cbe.6101    static
inside       0009.7cbe.5101    dynamic
• Permitting or Denying Application Types with PISA Integration—See the “Permitting or Denying Application Types with PISA Integration” section on page 21-4.
For example, you might want to drop all HTTP requests with a URL including the text “example.com.”
[Figure labels: Inspection Policy Map Actions; Inspection Class Map / Match Commands; Regular Expression Statement / Regular Expression Class Map]
• Layer 3/4 class maps
• Inspection class maps
• Regular expression class maps
• match commands used directly underneath an inspection policy map
• Default traffic for inspection—The class map matches the default TCP and UDP ports used by all applications that the FWSM can inspect.
hostname(config-cmap)# match default-inspection-traffic
3/4 class map for which you have defined an inspection action, then that subset of traffic will be acted upon as specified (for example, dropped or rate-limited). This section includes the following topics:
• Inspection Policy Map Overview, page 20-7