Chapter 5 Configuring the Firewall Mode
Routed Mode Overview

The following steps describe how data moves through the FWSM (see Figure 5-2):

1. A user on the outside network requests a web page from the DMZ web server using the mapped address of 209.165.201.3, which is on the outside interface subnet.

2. The FWSM receives the packet and, because it is a new session, the FWSM verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).

For multiple context mode, the FWSM first classifies the packet according to either a unique interface or a unique destination address associated with a context; the destination address is associated by matching an address translation in a context. In this case, the classifier "knows" that the DMZ web server address belongs to a certain context because of the server address translation.

3. The FWSM translates the destination address to the real address 10.1.1.3.

4. The FWSM then adds a session entry to the fast path and forwards the packet from the DMZ interface.

5. When the DMZ web server responds to the request, the packet goes through the FWSM and, because the session is already established, the packet bypasses the many lookups associated with a new connection. The FWSM performs NAT by translating the real address to 209.165.201.3.

6. The FWSM forwards the packet to the outside user.

An Inside User Visits a Web Server on the DMZ

Figure 5-3 shows an inside user accessing the DMZ web server.

Figure 5-3 Inside to DMZ
[Figure: Inside User 10.1.2.27; FWSM with interface addresses 10.1.2.1 and 10.1.1.1; Outside 209.165.201.2; Web Server 10.1.1.3 on the DMZ]

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, OL-20748-01
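The six-step outside-to-DMZ flow above, as an added Python model that is not part of the Cisco guide: a new connection goes through the security-policy check and NAT and installs a fast-path entry for both directions, after which the web server's reply skips those lookups and is translated back to the mapped address. The outside client address 203.0.113.50 and the single-line access list are constructed assumptions, not values from the guide.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed values: the static translation and addresses quoted in the text.
MAPPED_WEB = "209.165.201.3"   # outside-facing (mapped) address of the DMZ web server
REAL_WEB = "10.1.1.3"          # real address on the DMZ
OUTSIDE_USER = "203.0.113.50"  # assumption: an outside client (documentation range)
STATIC_NAT = {MAPPED_WEB: REAL_WEB}
# Constructed policy: only HTTP from the outside interface to the real server address.
ACCESS_LIST = {("outside", REAL_WEB, 80)}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    iface: str  # ingress interface on input, egress interface on output

@dataclass(frozen=True)
class Session:
    egress: str
    new_src: Optional[str]  # rewrite the fast path applies, if any
    new_dst: Optional[str]

class Fwsm:
    def __init__(self) -> None:
        self.sessions: dict = {}   # fast-path table keyed on the 4-tuple
        self.policy_lookups = 0    # counts slow-path (new connection) checks

    def process(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        s = self.sessions.get(key)
        if s is None:              # new session: full policy and NAT lookups
            s = self._new_session(pkt)
            if s is None:
                return None        # denied by the security policy
        # Established (or just installed): apply the stored rewrite and forward.
        return Packet(s.new_src or pkt.src, s.new_dst or pkt.dst,
                      pkt.sport, pkt.dport, s.egress)

    def _new_session(self, pkt: Packet) -> Optional[Session]:
        self.policy_lookups += 1
        real_dst = STATIC_NAT.get(pkt.dst, pkt.dst)   # mapped -> real destination
        if (pkt.iface, real_dst, pkt.dport) not in ACCESS_LIST:
            return None
        fwd = Session("dmz", None, real_dst)
        # Install both directions so the server's reply bypasses the checks
        # and has its real source address translated back to the mapped one.
        self.sessions[(pkt.src, pkt.dst, pkt.sport, pkt.dport)] = fwd
        self.sessions[(real_dst, pkt.src, pkt.dport, pkt.sport)] = Session(pkt.iface, pkt.dst, None)
        return fwd
```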