An Inside User Visits A Web Server On The Dmz - Cisco 7604 Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli

Hide thumbs Also See for 7604:

Table of Contents

Routed Mode Overview

The following steps describe how data moves through the FWSM (see

An Inside User Visits a Web Server on the DMZ

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM

A user on the outside network requests a web page from the DMZ web server using the mapped

address of 209.165.201.3, which is on the outside interface subnet.

The FWSM receives the packet and because it is a new session, the FWSM verifies that the packet

is allowed according to the terms of the security policy (access lists, filters, AAA).

For multiple context mode, the FWSM first classifies the packet according to either a unique

interface or a unique destination address associated with a context; the destination address is

associated by matching an address translation in a context. In this case, the classifier "knows" that

the DMZ web server address belongs to a certain context because of the server address translation.

The FWSM translates the destination address to the real address 10.1.1.3.

The FWSM then adds a session entry to the fast path and forwards the packet from the DMZ

When the DMZ web server responds to the request, the packet goes through the FWSM and because

the session is already established, the packet bypasses the many lookups associated with a new

connection. The FWSM performs NAT by translating the real address to 209.165.201.3.

The FWSM forwards the packet to the outside user.

shows an inside user accessing the DMZ web server.

Inside to DMZ

209.165.201.2

Configuring the Firewall Mode

Show Quick Links

Table of Contents