Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI, Release 4.1

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883
Chapter: Switch Overview
Verifying the Module Installation
Assigning VLANs to the Firewall Services Module
VLAN Guidelines
Assigning VLANs to the FWSM
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01
Context Configuration Files
Context Configurations
System Configuration
Admin Context Configuration
How the FWSM Classifies Packets
Valid Classifier Criteria
Invalid Classifier Criteria
Classification Examples
Monitoring Security Contexts 4-35
Viewing Context Information 4-35
Viewing Resource Allocation 4-36
Viewing Resource Usage 4-39
Monitoring SYN Attacks in Contexts 4-40
Information About Bridge Groups
Information About Device Management
Guidelines and Limitations
Configuring Transparent Firewall Interfaces for Through Traffic
Assigning an IP Address to a Bridge Group
Redistributing Routes Between OSPF Processes 8-11
Configuring OSPF Interface Parameters 8-12
Configuring OSPF Area Parameters 8-14
Configuring OSPF NSSA 8-15
Configuring a Point-To-Point, Non-Broadcast OSPF Neighbor 8-16
Configuring DHCP Options 8-37
Using Cisco IP Phones with a DHCP Server 8-38
Configuring DHCP Relay Services 8-39
DHCP Relay Overview 8-39
Configuring Neighbor Solicitation Messages 10-6
Configuring the Neighbor Solicitation Message Interval 10-7
Configuring the Neighbor Reachable Time 10-7
Configuring Router Advertisement Messages 10-8
Chapter: Public Key Cryptography 12-1
About Public Key Cryptography 12-1
Certificate Scalability 12-2
About Key Pairs 12-2
Simplifying Access Lists with Object Grouping 13-11
How Object Grouping Works 13-11
Adding Object Groups 13-12
Adding a Protocol Object Group 13-12
Adding a Network Object Group 13-13
Determining Which Type of Failover to Use 14-17
Regular and Stateful Failover 14-17
Regular Failover 14-18
Stateful Failover 14-18
Failover Health Monitoring 14-19
Unit Health Monitoring 14-19
NAT Overview 16-1
Introduction to NAT 16-2
NAT in Routed Mode 16-2
NAT in Transparent Mode 16-3
NAT Control 16-5
NAT Types 16-6
FWSM Authentication Prompts 17-2
Static PAT and HTTP 17-3
Authenticating Directly with the FWSM 17-3
Enabling Network Access Authentication 17-3
Configuring Custom Login Prompts 17-5
Chapter: Configuring ARP Inspection and Bridging Parameters 19-1
Configuring ARP Inspection 19-1
ARP Inspection Overview 19-1
Applying Inspection to HTTP Traffic Globally 20-21
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers 20-22
Applying Inspection to HTTP Traffic with NAT 20-22
How Inspection Engines Work 22-2
Inspection Limitations 22-3
Default Inspection Policy 22-4
Configuring Application Inspection 22-6
CTIQBE Inspection 22-10
CTIQBE Inspection Overview 22-10
H.323 Inspection Overview 22-48
How H.323 Works 22-48
Limitations and Restrictions 22-49
Topologies Requiring H.225 Configuration 22-50
H.225 Map Commands 22-50
Configuring SIP Timeout Values 22-82
SIP Inspection Enhancement 22-82
Verifying and Monitoring SIP Inspection 22-86
SIP Sample Configuration 22-87
Skinny (SCCP) Inspection 22-89
CLI Access Overview 23-11
ASDM Access Overview 23-11
Authenticating Sessions from the Switch to the FWSM 23-11
Enabling CLI or ASDM Authentication 23-12
Backing Up a Context Configuration within a Context 24-17
Copying the Configuration from the Terminal Display 24-18
Configuring Auto Update Support 24-18
Configuring Communication with an Auto Update Server 24-18
Chapter: Troubleshooting the Firewall Services Module 26-1
Testing Your Configuration 26-1
Enabling ICMP Debug Messages and System Log Messages 26-1
Admin Context Configuration (Example 1)
Customer A Context Configuration (Example 1)
Customer B Context Configuration (Example 1)
Customer C Context Configuration (Example 1)
Appendix: Firewall Mode and Security Context Mode
Command Modes and Prompts
Syntax Formatting
Abbreviating Commands
Command-Line Editing
TCP and UDP Ports E-11
Local Ports and Protocols E-14
ICMP Types E-15
Glossary
Index
Help for less common scenarios. For more information, see: http://www.cisco.com/en/US/products/ps6121/tsd_products_support_series_home.html

Document Conventions

The FWSM command syntax descriptions use the following conventions:
• Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
• Release Notes for Cisco ASDM
• Open Source Software Licenses for FWSM
Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
IP address.
Step 8 Configuring a Default Route, page 8-4: Create a default route to an upstream router.
Before you configure any settings, you must set the firewall mode to transparent mode. Changing the mode clears your configuration. In multiple context mode, set the mode in each context.
Step 12 Applying an Access List to an Interface, page 15-4: Apply the access list to an interface.
Part: Getting Started and General Information
• How the Firewall Services Module Works with the Switch, page 1-5
• Firewall Mode Overview, page 1-7
• Stateful Inspection Overview, page 1-8
• Security Context Overview, page 1-9
You can now set the timeout for GRE connections that are built as a result of PPTP inspection. The following command was modified: timeout pptp-gre.

Management Features
This section includes the following topics:
• Permitting or Denying Traffic with Access Lists, page 1-4
• Applying NAT, page 1-4
• Protecting from IP Fragments, page 1-4
Internet. We recommend that you use the FWSM in conjunction with a separate server running one of the following Internet filtering products:
• Websense Enterprise
• Sentian by N2H2
How the Firewall Services Module Works with the Switch You can install the FWSM in the Catalyst 6500 series switches and the Cisco 7600 series routers with Cisco IOS software on both the switch supervisor and the integrated MSFC (known as “supervisor IOS”).
In multiple context mode, you can choose the mode for each context independently, so some contexts can run in transparent mode while others can run in routed mode.
– IP checksum verification
– Session lookup
– TCP sequence number check
– NAT translations based on existing sessions
Switch Overview

You can install the FWSM in the Catalyst 6500 series switches or the Cisco 7600 series routers. The configuration of both series is identical, and the series are referred to generically in this guide as the “switch.” The switch includes a switch (the supervisor engine) as well as a router (the MSFC).
• Virtual Switching System (VSS) support—No FWSM configuration required.

Note: For Cisco IOS software Version 12.2(18)SX6 and earlier, the SPAN reflector feature is enabled for each FWSM in a switch. This feature enables multicast traffic (and other traffic that requires the central rewrite engine) to be switched when coming from the FWSM.
Assigning VLANs to the FWSM In Cisco IOS software, create up to 16 firewall VLAN groups, and then assign the groups to the FWSM. For example, you can assign all the VLANs to one group, or you can create an inside group and an outside group, or you can create a group for each customer.
2-2), then the MSFC routes between the FWSM and other Layer 3 VLANs.

This section includes the following topics:
• SVI Overview, page 2-5
FWSM by assigning both the inside and outside VLANs to the MSFC. (See Figure 2-1.)

[Figure 2-1 Multiple SVI Misconfiguration: Internet, VLAN 100, MSFC, VLAN 200, FWSM, VLAN 201, Inside; VLAN 201 appears on both the MSFC and the FWSM]
IPX traffic to pass on VLAN 201.

[Figure 2-2 Multiple SVIs for IPX: Internet, VLAN 100, MSFC, VLAN 200, FWSM, VLAN 201, Inside; an IPX host and an IP host on the inside]
Step 4 To enable the interface, enter the following command:
Router(config-if)# no shutdown

The following example shows a typical configuration with multiple SVIs:
Router(config)# firewall vlan-group 50 55-57
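The switch-side procedure end to end, as an added example that is not from the guide: two firewall VLAN groups are created, both are handed to an FWSM assumed to be in slot 8, and an SVI is created on one of those VLANs so the MSFC routes between it and the rest of the network. The slot number, VLAN numbers and addresses are assumptions. The firewall multiple-vlan-interfaces command is only needed when more than one FWSM VLAN must also carry an MSFC SVI (the IPX case in Figure 2-2); leave it out otherwise, because a second SVI on an FWSM VLAN is exactly the bypass shown in Figure 2-1.

```cisco
! Group the VLANs the FWSM will own (up to 16 firewall VLAN groups per switch).
Router(config)# firewall vlan-group 50 55-57
Router(config)# firewall vlan-group 51 70-85

! Assign both groups to the FWSM in slot 8 (slot number is an assumption).
Router(config)# firewall module 8 vlan-group 50,51

! Only when more than one FWSM VLAN needs an SVI (for example the IPX host in
! Figure 2-2). With a single SVI per FWSM this line must not be present.
Router(config)# firewall multiple-vlan-interfaces

! SVI on VLAN 55: the MSFC is the Layer 3 hop between this VLAN and the rest
! of the network; the FWSM sits between VLAN 55 and the other VLANs in its groups.
Router(config)# interface vlan 55
Router(config-if)# ip address 10.5.1.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# end

! Confirm the groups, then confirm the module actually received them.
Router# show firewall vlan-group
Router# show firewall module

! Session into the module to configure the FWSM itself.
Router# session slot 8 processor 1
```

Check show firewall module before sessioning in: a VLAN that is listed in a group but not in the switch VLAN database, or a group that is not assigned to the module, will not appear on the FWSM as an interface.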
The switch supervisor sends an autostate message to the FWSM when:
• The last interface belonging to a VLAN goes down.
• The first interface belonging to a VLAN comes up.
Application partitions (cf:4 and cf:5)—Stores the application software image, system configuration, and ASDM. By default, Cisco installs the images on cf:4. You can use cf:5 as a test partition. For example, if you want to upgrade your software, you can install the new software on cf:5, but maintain the old software as a backup in case you have problems.
% reset issued for module 9
Router#
00:26:55:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
00:26:55:SP:The PC in slot 8 is shutting down. Please wait ...
Chapter 2 Configuring the Switch for the Firewall Services Module: Managing the Firewall Services Module Boot Partitions
Caution: Management access to the FWSM causes a degradation in performance. We recommend that you avoid accessing the FWSM when high network performance is critical.
Logging out of the FWSM

To end the FWSM session and access the switch CLI, enter the following command:
hostname# exit
Logoff
This section includes the following topics:
• Saving Each Context and System Separately, page 3-4
• Saving All Context Configurations at the Same Time, page 3-4
Unable to save the configuration for the following contexts as these contexts have read-only config-urls: context ‘a’, context ‘b’, context ‘c’.
To erase settings, enter one of the following commands.
• To clear all the configuration for a specified command, enter the following command:
hostname(config)# clear configure configurationcommand [level2configurationcommand]
In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows:
context a
For additional information about formatting the file, see Appendix C, “Using the Command-Line Interface.”
• How the FWSM Classifies Packets, page 4-3
• Sharing Interfaces Between Contexts, page 4-7
• Management Access to Security Contexts, page 4-9
The system configuration does include a specialized failover interface for failover traffic only.
NAT sessions to classify the destination addresses to a context, the classifier is limited by how you can configure NAT. If you do not want to perform NAT, you must use unique interfaces.
NAT affects them. For example, if a server sends a packet to www.example.com, then the DNS server needs to return the translated address. Your NAT configuration determines DNS entry management.)
You can access the FWSM as a system administrator in two ways:
• Session to the FWSM from the switch. From the switch, you access the system execution space.
Your FWSM might already be configured for multiple security contexts depending on how you ordered it from Cisco. If you are upgrading, however, you might need to convert from single mode to multiple mode by following the procedures in this section. ASDM does not support changing modes, so you need to change modes using the CLI.
• Setting the Number of Memory Partitions, page 4-13
• Changing the Memory Partition Size, page 4-14
• Reallocating Rules Between Features for a Specific Memory Partition, page 4-19
Inspect Rules 1537
Total Rules 19,219
1. Use the show resource rule command to view the default values for partitions other than 12.
:bandn, borders
Number of contexts :2(RefCount:2)
Number of rules :0(Max:53087)
Partition #1
Mode :non-exclusive
List of Contexts :admin, momandpopA, momandpopB, momandpopC, momandpopD
The FWSM lets you set the memory size of each partition.

Note: Changing the partition sizes requires you to reload the FWSM.
19,219 rules, for a total of 249,847 rules.
hostname(config)# show resource partition
Traffic loss can occur because both units are down at the same time.
56616
hostname(config-partition)# resource partition 3
hostname(config-partition)# size 56615
hostname(config-partition)# show resource partition
Partition Number | Bootup Size | Current Size | Default Partition Size | Configured Size
0
CLS Rule   | Default Limit | Configured Limit | Absolute Limit
-----------+---------------+------------------+---------------
Policy NAT | 14801         | 14801            | 14801
Filter     | 1152          |                  |
Fixup      | 1537          | 1537             | 3074
Est Ctl    |
See Step 1 to use the show resource rule command for the total number of rules allowed.
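The memory-partition procedure in one sequence, as an added example that is not from the guide. The partition count, the partition number and the size are assumptions. Both settings are read at boot, which is why each step ends in a reload; on a failover pair this has to be planned as a maintenance window, since both units reload and, as noted above, traffic is lost while both are down.

```cisco
! System execution space. The number of partitions only changes at boot:
! save, then reload. The partition numbers available to contexts afterwards
! run from 0 to (count - 1).
hostname(config)# resource acl-partition 8
hostname(config)# write memory
hostname(config)# reload

! After the reload, give partition 3 more rule memory than the default.
! Sizes are also read at boot, so this costs a second reload.
hostname(config)# resource partition 3
hostname(config-partition)# size 56615
hostname(config-partition)# exit
hostname(config)# write memory
hostname(config)# reload

! Confirm the bootup size now matches the configured size, and see how the
! rule budget of the resized partition is split between features.
hostname(config)# show resource partition
hostname(config)# show resource rule
```

Compare the Bootup Size and Configured Size columns of show resource partition: while they differ, the configured value has been saved but the FWSM is still running with the old allocation.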
Note: The FWSM does not limit the bandwidth per context; however, the switch containing the FWSM can limit bandwidth per VLAN. See the switch documentation for more information.
Gold Class can use more than the 97 percent of “unassigned” inspections; they can also use the 1 percent of inspections not currently in use by Context A, B, and C, even if that means that Context A,
Step 2
• To set all resource limits (shown in Table 4-2), enter the following command:
hostname(config-resmgmt)# limit-resource all {number% | 0}
Table 4-2 lists the resource types and the limits. See also the show resource types command.
ASDM: 80 ASDM sessions represents a limit of 160 HTTPS sessions.
SSH: concurrent; 1 minimum, 5 maximum per context; system limit 100; SSH sessions.
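A resource class built from the steps above, as an added example that is not from the guide. The class name, the percentages, the rate and the context name are assumptions. The pattern is: start from unlimited for every resource, then cap only what a tenant could use to starve the others (connections, translations, connection rate, management sessions), and check the aggregate afterwards, because the FWSM lets you assign more than 100 percent in total.

```cisco
! System execution space.
hostname(config)# class gold
! "0" means no limit. Start there so nothing is capped by accident...
hostname(config-resmgmt)# limit-resource all 0
! ...then cap the resources one context can exhaust for everyone else.
hostname(config-resmgmt)# limit-resource conns 10%
hostname(config-resmgmt)# limit-resource xlates 10%
hostname(config-resmgmt)# limit-resource rate conns 2000
! Management sessions are per-context resources with a system-wide ceiling;
! keep them small so one context cannot lock the others out of the box.
hostname(config-resmgmt)# limit-resource ssh 5
hostname(config-resmgmt)# limit-resource asdm 5
hostname(config-resmgmt)# exit

! Attach the class to an existing context (default class applies otherwise).
hostname(config)# context customerA
hostname(config-ctx)# member gold
hostname(config-ctx)# exit

! "All Contexts" above 100% for a resource means the classes are oversubscribed:
! the limits are then only honored while the other contexts stay under theirs.
hostname(config)# show resource allocation
hostname(config)# show resource usage context customerA
```

Oversubscription is a policy decision, not a mistake, but the Denied column of show resource usage is where it becomes visible: a context that is being refused connections while under its own limit is losing a race with its neighbors for the shared remainder.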
If you do not have an admin context (for example, if you clear the configuration) then you must first specify the admin context name by entering the following command:
hostname(config)# admin-context name
• The alphabetic portion of the mapped name must match for both ends of the range. For example, enter the following range:
int0-int10
The type can be one of the following keywords:
– ap—ASCII passive mode
– an—ASCII normal mode
– ip—(Default) Binary passive mode
– in—Binary normal mode
12 partitions, so the range is 0 to 11. See the “Setting the Number of Memory Partitions” section on page 4-13 to configure the number of memory partitions.
Only the current configuration displays. You can, however, save all context running configurations from the system execution space using the write memory all command.
• To remove all contexts (including the admin context), enter the following command in the system execution space:
hostname(config)# clear context
Step 3 To enter the context configuration mode for the context you want to change, enter the following command:
hostname(config)# context name
The FWSM copies the configuration from the URL specified in the system configuration. You cannot change the URL from within a context.
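The context procedure above carried through for an admin context and one customer context, as an added example that is not from the guide. The context names, VLANs, mapped interface names, partition number, class name and the FTP server are assumptions; a resource class named gold is assumed to exist. The mode conversion is included because, as noted above, ASDM cannot do it.

```cisco
! Single to multiple mode (CLI only). The FWSM reloads and splits the running
! configuration into a system configuration and an admin context.
hostname(config)# mode multiple

! System execution space after the reload. Name the admin context first;
! the FWSM refuses to bring up other contexts until one is designated.
hostname(config)# admin-context admin
hostname(config)# context admin
hostname(config-ctx)# allocate-interface vlan10 mgmt0
hostname(config-ctx)# config-url disk:/admin.cfg
hostname(config-ctx)# exit

! A customer context.
hostname(config)# context customerA
! One interface, plus a range: the alphabetic part of the mapped name
! (here "int") must be the same at both ends of the range.
hostname(config-ctx)# allocate-interface vlan100 int0
hostname(config-ctx)# allocate-interface vlan101-vlan103 int1-int3
! Memory partition in the range 0-11 with the default 12 partitions.
hostname(config-ctx)# allocate-acl-partition 3
hostname(config-ctx)# member gold
! ;type=ip (binary passive) is the default and is shown explicitly. The account
! in the URL lives in the system configuration, so use one that can only reach
! this directory, and remember the context saves back to this URL: a read-only
! location makes "write memory" in the context fail.
hostname(config-ctx)# config-url ftp://fwsm:s3cret@10.1.1.100/configs/customerA.cfg;type=ip
hostname(config-ctx)# exit

! Check mode and URL per context, then save the system and every context at once.
hostname(config)# show context
hostname(config)# write memory all
```

Entering config-url is what triggers the first load of the context, so put allocate-interface and the partition and class membership before it; a context loaded before its interfaces exist comes up with the interface commands in its file rejected.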
Shows the firewall mode for each context, either Routed or Transparent.
Shows the URL from which the FWSM loads the context configuration.
26214 26214 9.99%
bronze 13107
All Contexts: 26214 9.99%
IPSec default
gold 50.00%
silver 10.00%
bronze unlimited
All Contexts: 110.00% default
The percentage of the total system resources that is allocated across all contexts in the class. If the resource is unlimited, this display is blank.
Average
Xlates
Connections
TCP Conns
UDP Conns
URL Access
URL Server Req
WebSns Req
TCP Fixup
HTTP Fixup
FTP Fixup
AAA Authen
TCP intercept for the entire system. (Sample text in italics shows the TCP intercept information.)
hostname(config)# show resource usage summary detail
Resource   Current   Peak   Limit   Denied   Context
0  Summary
console-access-rul  4356(S)  0  Summary
fixup-rules         8032(S)  0  Summary
S = System: Total exceeds the system limit; the system limit is shown
We recommend using the advanced routing capabilities of the upstream and downstream routers instead of relying on the FWSM for extensive routing needs.
The FWSM receives the packet and because it is a new session, the FWSM verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
DMZ web server.

[Figure 5-2 Outside to DMZ: User on the Outside at 209.165.201.2; Dest Addr Translation 209.165.201.3 / 10.1.1.13; FWSM 10.1.2.1 and 10.1.1.1; Inside; Web Server 10.1.1.3]
DMZ web server.

[Figure 5-3 Inside to DMZ: Outside 209.165.201.2; FWSM 10.1.2.1 and 10.1.1.1; Inside User 10.1.2.27; Web Server 10.1.1.3]
(access lists, filters, AAA). The packet is denied, and the FWSM drops the packet and logs the connection attempt.
The management IP address must be on the same subnet as the connected network. For another method of management, see the “Management Interface” section on page 5-8.
DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic such as that created by IP/TV.
The inside router and hosts appear to be directly connected to the outside router.

[Figure 5-6 Transparent Firewall Network: Internet; 10.1.1.1; FWSM with Management IP 10.1.1.2; Network A 10.1.1.3; 192.168.1.2; Network B]
You can, however, allow multicast traffic through the FWSM by allowing it in an extended access list.
Remote access VPN for management: You can use site-to-site VPN for management.
• An Outside User Visits a Web Server on the Inside Network, page 5-15
• An Outside User Attempts to Access an Inside Host, page 5-16
The web server responds to the request; because the session is already established, the packet bypasses the many lookups associated with a new connection. The FWSM forwards the packet to the inside user.
The FWSM performs NAT by translating the mapped address to the real address, 10.1.2.27.
If the destination MAC address is not in the FWSM table, the FWSM attempts to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.
If the outside user is attempting to attack the inside network, the FWSM employs many technologies to determine if a packet is valid for an already established session.
• To set the mode to transparent, enter the following command in each context:
hostname(config)# firewall transparent
• To set the mode to routed, enter the following command in each context:
hostname(config)# no firewall transparent
Chapter 5 Configuring the Firewall Mode: Setting Transparent or Routed Firewall Mode
NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.
If you are using failover, do not use this section to name interfaces that you are reserving for failover and Stateful Failover communications. See Chapter 14, “Configuring Failover,” to configure the failover and state links.
The following example configures parameters for VLAN 101:
hostname(config)# interface vlan 101
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
For device management, you have two available mechanisms:
• Any bridge group management address—Connect to the bridge group network on which your management station is located.
Step 1 Enter interface configuration mode for the bridge group by entering the following command:
hostname(config)# interface bvi bridge_group_number
Step 2 Specify the IP address by entering the following command:
hostname(config-if)# ip address ip_address [mask] [standby ip_address]
Do not enter the no form of the nameif command, because that command causes all commands that refer to that name to be deleted.
Step 3 To set the security level, enter the following command:
[Figure: three transparent-mode contexts (Context A, Context B and Context C), each with an Inside interface and its own bridge group IP address: 209.165.200.226, 209.165.201.2 and 209.165.202.129.]
Context A
hostname(config)# interface vlan500
hostname(config-if)# bridge-group 30
hostname(config-if)# interface vlan106
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# bridge-group 30
hostname(config-if)# interface bvi 30
hostname(config-if)# ip address 209.165.202.129 255.255.255.224
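For comparison with the fragments above, here is a complete transparent-mode context configuration, added as an illustration rather than taken from the guide. It assumes VLANs 105 and 106 are already allocated to the context, uses bridge group 30 and addresses from the documentation range, and the standby address is only meaningful when failover is configured.

```cisco
! Transparent (Layer 2) mode must be set before the interfaces are configured;
! changing the mode clears the running configuration of the context.
firewall transparent
!
! Both members of a bridge group sit on the same IP subnet; the FWSM bridges
! between them and inspects traffic like a bump in the wire.
interface vlan 105
 nameif inside
 security-level 100
 bridge-group 30
 no shutdown
!
interface vlan 106
 nameif outside
 security-level 0
 bridge-group 30
 no shutdown
!
! The bridge group (BVI) carries the only IP address of this context. It is used
! for management traffic and for packets the FWSM itself originates, such as
! the ARP request and ping it sends to discover an unknown destination MAC.
interface bvi 30
 ip address 209.165.202.129 255.255.255.224 standby 209.165.202.130
```

Because through traffic is bridged, hosts on either side keep their existing addresses and default gateway; only the BVI address has to be carved out of the subnet.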
(or a virus) on the internal network that scans thousands of Internet hosts, all entries in the xlate table may be quickly exhausted.
• Outside NAT is not supported.
• You can configure static routes from one interface to another on the same security level.
Step 2 To disable the interface, enter the following command in interface configuration mode:
hostname(config-if)# shutdown
Step 3 To reenable the interface, enter the following command:
hostname(config-if)# no shutdown
The password is saved in the configuration in encrypted form, so you cannot view the original password after you enter it. Use the no password command to restore the password to the default setting.
Step 5 Change the root password by entering the following command:
root@localhost# passwd
Step 6 Enter the new password at the prompt:
Changing password for user root
New password:
Configuration Replication is NOT performed from Standby unit to Active unit.
Configurations are no longer synchronized.
context-CTX1-secondary %FWSM-5-111008: User 'enable_15' executed the 'logging console debug' command.
The order in which you enter the keywords determines the order of the elements in the prompt, which are separated by a slash (/). See the following descriptions for the keywords:
• hostname—Displays the hostname.
• domain—Displays the domain name.
For example, to add a message-of-the-day banner, enter:
hostname(config)# banner motd Welcome to $(hostname)
hostname(config)# banner motd Contact me at admin@example.com for any
hostname(config)# banner motd issues
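An added example (not from the guide) that combines the prompt and banner commands into a management baseline: the prompt shows the failover role, so an administrator notices they are on the standby unit before entering configuration that will not be replicated, and a login banner carries the access warning. The hostname, domain and banner text are made up; the prompt keywords context, priority and state and the $(domain) banner token are assumed from the ASA syntax, as the fragments above list only hostname and domain.

```cisco
! Prompt elements appear in the order given: hostname/context/priority/state.
! Resulting prompt on an active primary unit, for example: fwsm1/admin/pri/act(config)#
hostname fwsm1
domain-name example.com
prompt hostname context priority state
!
! Banner shown before the login prompt; each command adds one line.
banner login *** Authorized access only. This session is logged. ***
banner login Disconnect immediately if you are not an authorized user.
!
! Message of the day shown after login; tokens are expanded per unit.
banner motd Welcome to $(hostname).$(domain)
banner motd Report problems to admin@example.com
!
! Banner shown before the enable prompt.
banner exec Entering privileged EXEC; configuration changes are audited.
```

Put the legal notice in the login banner, not the motd: the login banner is what an unauthenticated connection sees, while the motd is shown only after a successful login.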
Chapter 7 Configuring Basic Settings: Configuring a Login Banner
The FWSM processes this packet by looking up the route to select the egress interface; source IP translation is then performed, if necessary.
• Your network is small and you can easily manage static routes.
• You do not want the traffic or CPU overhead associated with routing protocols.
However, static routes are removed from the routing table if the associated interface goes down. They are reinstated when the interface comes back up.
FWSM for which there is no static or learned route is distributed among the gateways with the IP addresses 192.168.2.1, 192.168.2.2, 192.168.2.3.
hostname(config)# route outside 0 0 192.168.2.1
hostname(config)# route outside 0 0 192.168.2.2
hostname(config)# route outside 0 0 192.168.2.3
• To match any routes that have a destination network that matches a standard access list, enter the following command:
hostname(config-route-map)# match ip address acl_id [acl_id] [...]
The FWSM supports BGP stub routing. The BGP stub routing process advertises static and directly connected routes but does not accept routes advertised by the BGP peer.
To enable and configure a BGP routing process, perform the following steps:
Step 1 Create the BGP routing process by entering the following command:
hostname(config)# router bgp as-number
• To view debug messages for the BGP routing process, enter the following command:
hostname# debug ip bgp
Debug output is produced on the FWSM control plane; enable it only for short periods on a production module and turn it off with the no form when finished.
The cost can be configured to specify preferred paths. The disadvantage of shortest path first algorithms is that they require a lot of CPU cycles and memory.
To define the IP addresses on which OSPF runs and to define the area ID for that interface, enter the following command:
hostname(config-router)# network ip_address mask area area_id
The following example shows how to enable OSPF:
hostname(config)# router ospf 2
The following example shows route redistribution where the link-state cost is specified as 5 and the metric type is set to external, indicating that it has lower priority than internal metrics.
hostname(config)# router ospf 1
To enable OSPF MD5 authentication, enter the following command:
hostname(config-interface)# ospf message-digest-key key_id md5 key
Set the following values:
– key_id—An identifier in the range from 1 to 255.
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
    Area BACKBONE(0)
The following example shows how to configure the OSPF area parameters:
hostname(config)# router ospf 2
hostname(config-router)# area 0 authentication
hostname(config-router)# area 0 authentication message-digest
hostname(config-router)# area 17 stub
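The OSPF fragments above (process, network statement, redistribution and MD5 authentication) assembled into one complete configuration, added here as an illustration and not taken from the guide. The process number, areas, addresses and key are made up: area 0 is authenticated with MD5 on the inside interface, a static route is redistributed as an external type-1 route with cost 5, and the key ID and key must match on every neighbor on that segment.

```cisco
! OSPF process 2; pin the router ID so neighbors do not see it change.
router ospf 2
 router-id 10.1.1.1
 network 10.1.1.0 255.255.255.0 area 0
 network 10.1.2.0 255.255.255.0 area 17
 ! Area 0 requires MD5 on every interface in the area. "area 0 authentication"
 ! alone selects plain-text keys, which give no protection against a forged LSA.
 area 0 authentication message-digest
 area 17 stub
 ! Static routes become type-1 externals with cost 5: preferred over type-2
 ! externals, still below intra- and inter-area routes.
 redistribute static metric 5 metric-type 1 subnets
!
! Per-interface MD5 key: key_id 1 to 255, key up to 16 characters.
interface vlan 101
 ospf message-digest-key 1 md5 s3cr3tOspfKey
 ospf authentication message-digest
 ospf cost 10
```

Rotate the key by adding a second message-digest-key with a new key_id on all routers first, then removing the old one; OSPF sends both during the overlap so adjacencies stay up.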
– You can set a type 7 default route that can be used to reach external destinations. When configured, the router generates a type 7 default into the NSSA or the NSSA area boundary router.
Step 2 To set the summary address, enter the following command:
hostname(config-router)# summary-address ip_address mask [not-advertise] [tag tag]
OSPF does not support summary-address 0.0.0.0 0.0.0.0.
SPF calculation. It can be an integer from 0 to 65535. The default time is 5 seconds. A value of 0 means that there is no delay; that is, the SPF calculation is started immediately.
LSAs waiting to be sent out an interface. The benefit of the pacing is that OSPF update and retransmission packets are sent more efficiently.
hostname# show ospf [process-id] summary-address
• To display OSPF-related virtual links information, enter the following command:
hostname# show ospf [process-id] virtual-links
For example, enter the following commands:
hostname(config)# rip inside default version 2 authentication md5 scorpius 1
EIGRP Routing Overview
EIGRP is an enhanced version of IGRP developed by Cisco. Unlike IGRP and RIP, EIGRP does not send out periodic route updates. EIGRP updates are sent out only when the network topology changes. Neighbor discovery is the process that the FWSM uses to dynamically learn of other routers on directly attached networks.
EIGRP updates.
Step 3 (Optional) To prevent an interface from sending or receiving EIGRP routing messages, enter the following command:
Step 1 Create the EIGRP routing process and enter router configuration mode for that process by entering the following command:
hostname(config)# router eigrp as-num
% Asystem(100) specified does not exist
The key argument can contain up to 16 characters. The key-id argument is a number from 0 to 255.
• To redistribute connected routes into the EIGRP routing process, enter the following command:
hostname(config-router)# redistribute connected [metric bandwidth delay reliability loading mtu] [route-map map_name]
192.168.0.0. To prevent the possibility of traffic being routed to the wrong location, you should disable automatic route summarization on the routers creating the conflicting summary addresses.
Step 1 Enter interface configuration mode for the interface on which you are disabling split horizon by entering the following command:
hostname(config)# interface phy_if
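An added EIGRP example (an illustration, not from the guide) that ties the steps above together: the routing process, a passive interface, MD5 neighbor authentication with the 16-character key and key-id described above, automatic summarization disabled to avoid the conflicting-summary problem, and split horizon disabled only on the one interface that needs it. The AS number, VLANs, addresses and key are made up.

```cisco
! EIGRP autonomous system 100; the AS number must match on every neighbor.
router eigrp 100
 network 10.1.1.0 255.255.255.0
 network 10.1.2.0 255.255.255.0
 ! No routers are expected on the DMZ: neither send nor accept EIGRP there.
 passive-interface dmz
 ! Classful auto-summary can make two routers advertise the same summary
 ! (for example 192.168.0.0); disable it and summarize explicitly instead.
 no auto-summary
 ! Connected routes need a seed metric: bandwidth delay reliability loading mtu.
 redistribute connected metric 10000 100 255 1 1500
!
! Authenticate EIGRP on the inside segment. Key up to 16 characters, key-id
! 0 to 255; both must match on the neighbors or adjacency never forms.
interface vlan 101
 authentication mode eigrp 100 md5
 authentication key eigrp 100 Eigrp16CharKey!! key-id 1
!
! Disable split horizon only where one interface serves several neighbors
! that cannot hear each other (a hub in a hub-and-spoke segment).
interface vlan 102
 no split-horizon eigrp 100
```

Unauthenticated EIGRP accepts updates from any host on the segment, so enable MD5 on every interface where a neighbor is expected, not just the untrusted ones.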
Monitoring EIGRP
You can use the following commands to monitor the EIGRP routing process. For examples and descriptions of the command output, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
• To display the EIGRP event log, enter the following command:
Layer 2 header is rewritten and the packet is re-injected into the stream. This section contains the following topics:
• Adding Interfaces to ASR Groups, page 8-31
• Asymmetric Routing Support Example, page 8-31
A is active. However, the return traffic is being routed through the unit where context B is active. Normally, the return traffic would be dropped because there is no session information
A on the unit where context A is in the active state. This forwarding continues as needed until the session ends.
Configuring Route Health Injection
Note This feature depends on Cisco IOS Release 12.2(33)SXI or later, and is only available on the Catalyst 6500 switch.
NAT ID for multiple global commands on multiple interfaces, only the global commands on the same interface as the redistribute command are used. You can enter only one redistribute nat command.
hostname(config)# global (outside) 10 209.165.202.140-209.165.202.146 netmask 255.255.255.0
hostname(config)# global (outside) 20 209.165.202.150-209.165.202.155 netmask 255.255.255.0
hostname(config)# route-inject
hostname(config-route-inject)# redistribute nat global-pool 10 interface outside
In multiple context mode, you cannot enable the DHCP server or DHCP relay on an interface that is used by more than one context.
Step 8 To enable the DHCP daemon within the FWSM to listen for DHCP client requests on the enabled interface, enter the following command:
hostname(config)# dhcpd enable interface_name
DHCP options that are not supported by the dhcpd option command (option codes per RFC 2132):
Table 8-1 Unsupported DHCP Options
Option Code   Description
0             DHCPOPT_PAD
1             DHCPOPT_SUBNET_MASK
12            DHCPOPT_HOST_NAME
50            DHCPOPT_REQUESTED_ADDRESS
51            DHCPOPT_LEASE_TIME
Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route. Cisco IP Phones might include both option 150 and 66 in a single request. In this case, the FWSM DHCP server provides values for both options in the response if they are configured on the FWSM.
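An added example of an FWSM DHCP server on a voice VLAN (an illustration, not from the guide). It shows options 66 and 150 discussed above together with the lease, DNS and domain settings; addresses and the TFTP name are made up, and the interface is assumed to be owned by this context alone, since a shared VLAN cannot run the DHCP server.

```cisco
! DHCP server on the inside interface (a context-owned VLAN, not a shared one).
dhcpd address 10.1.1.10-10.1.1.200 inside
dhcpd dns 10.1.1.2 10.1.1.3
dhcpd domain example.com
! Lease in seconds; a shorter lease frees addresses faster on a segment
! where phones come and go.
dhcpd lease 28800
!
! Option 150 (Cisco TFTP server list, up to two addresses) and option 66
! (a single TFTP server name). A phone that asks for both gets both.
dhcpd option 150 ip 10.1.1.5 10.1.1.6
dhcpd option 66 ascii tftp.example.com
!
! Start answering DHCP client requests on the interface.
dhcpd enable inside
```

The default router handed to clients is the interface address itself, so option 3 does not need to be set explicitly; the unsupported options in Table 8-1 (subnet mask, lease time and so on) are likewise filled in from the interface and dhcpd lease settings rather than via dhcpd option.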
Step 1 To configure an interface-specific server, enter the following commands:
hostname(config)# interface {vlan vlan_id | mapped_name}
hostname(config-if)# dhcprelay server ip_address
hostname(config)# dhcprelay server 209.165.200.225 outside
hostname(config)# dhcprelay server 209.165.201.4 dmz
hostname(config)# dhcprelay enable inside1
hostname(config)# dhcprelay setroute inside1
hostname(config)# dhcprelay enable inside2
Verifying the DHCP Relay Configuration
To view the interface-specific DHCP relay configuration, enter the following command:
hostname# show running-config dhcprelay interface [vlan vlan_id | mapped_name]
Configuring IP Routing and DHCP Services: Configuring DHCP
To view the global DHCP relay configuration, enter the following command:
hostname# show running-config dhcprelay global
Rendezvous Point, and therefore along the shared tree to receivers, without requiring source-specific state. The DF election takes place during Rendezvous Point discovery and provides a default route to the Rendezvous Point.
• Disabling IGMP on an Interface, page 9-3
• Configuring Group Membership, page 9-3
• Configuring a Statically Joined Group, page 9-3
To configure a statically joined multicast group on an interface, enter the following command:
hostname(config-if)# igmp static-group group-address
By default, the PIM designated router on the subnet is responsible for sending the query messages. By default, they are sent once every 125 seconds. To change this interval, enter the following command:
To forward the host join and leave messages, enter the following command from the interface attached to the stub area:
hostname(config-if)# igmp forward interface if_name
Note Stub Multicast Routing and PIM are not supported concurrently.
Disabling PIM on an Interface
You can disable PIM on specific interfaces. To disable PIM on an interface, enter the following command:
Filtering PIM Register Messages
You can configure the FWSM to filter PIM register messages. To filter PIM register messages, enter the following command:
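An added example (not from the guide) of a PIM sparse-mode configuration on the FWSM that exercises the IGMP and PIM commands of this chapter: a static RP, a register filter so that only approved sources can be registered, a static group join and a custom query interval on the inside interface, and PIM disabled on the DMZ. Addresses, group and access-list names are made up. Stub multicast routing (igmp forward) is deliberately left out because it cannot be combined with PIM.

```cisco
! Enable multicast routing in this context (PIM and IGMP on all interfaces).
multicast-routing
!
! Static rendezvous point for all groups.
pim rp-address 10.1.1.10
!
! Only these sources may be registered with the RP. A rogue sender anywhere
! else is rejected at register time instead of being pulled onto the shared tree.
access-list PIM_REGISTER extended permit ip host 10.1.1.50 any
access-list PIM_REGISTER extended permit ip host 10.1.1.51 any
pim accept-register list PIM_REGISTER
!
interface vlan 101
 nameif inside
 ! Join 239.1.1.1 on behalf of a receiver that cannot send IGMP reports itself.
 igmp static-group 239.1.1.1
 ! IGMP host-query interval in seconds (default 125).
 igmp query-interval 60
!
interface vlan 102
 nameif dmz
 ! No multicast routers on this segment: form no PIM neighbors here.
 no pim
```

Disabling PIM on an interface stops neighbor formation and RP traffic there but leaves IGMP in place, so directly attached receivers on that segment can still join groups.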
• configure
• copy
• http
• name
• object-group
• ping
• show conn
• show local-host
• show tcpstat
Note You can configure both IPv6 and IPv4 addresses on an interface. You cannot configure IPv6 on an interface that is used by more than one context (a shared VLAN).
See the “Example 4: IPv6 Configuration Example” section on page B-13 for an example of IPv6 addresses applied to an interface.
Note Changing this value changes it for all neighbor solicitation messages sent out on the interface, not just those used for duplicate address detection.
• permit | deny—Determines whether the specified traffic is blocked or allowed to pass.
• icmp—Indicates that the access list entry applies to ICMP traffic.
After the source node receives the neighbor advertisement, the source node and destination node can communicate. Figure 10-1 shows the neighbor solicitation and response process.
To configure the amount of time that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred, enter the following command:
hostname(config-if)# ipv6 nd reachable-time value
You can configure the following settings for router advertisement messages:
• The time interval between periodic router advertisement messages.
Note For stateless autoconfiguration to work properly, the advertised prefix length in router advertisement messages must always be 64 bits.
The output for the command shows the following:
• The name and status of the interface.
• The link-local and global unicast addresses.
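An added IPv6 interface example (an illustration, not from the guide): a global address on a context-owned VLAN, the neighbor discovery timers discussed above including the neighbor solicitation interval that the note says applies beyond duplicate address detection, router advertisements with a /64 prefix so stateless autoconfiguration works, and an IPv6 access list applied inbound on outside. Prefixes are from the 2001:db8::/32 documentation range; the interface and access-list names are made up.

```cisco
interface vlan 101
 nameif inside
 ! Global unicast address; the link-local address is derived automatically.
 ipv6 address 2001:db8:1::1/64
 ! Duplicate address detection: two solicitations before the address is
 ! considered unique. ns-interval (ms) applies to every NS, not only DAD.
 ipv6 nd dad attempts 2
 ipv6 nd ns-interval 1000
 ! How long (ms) a neighbor stays reachable after a confirmation event.
 ipv6 nd reachable-time 30000
 ! Router advertisements: the prefix must be /64 for SLAAC to work.
 ipv6 nd prefix 2001:db8:1::/64
 ipv6 nd ra-interval 200
 ipv6 nd ra-lifetime 1800
!
interface vlan 103
 nameif outside
 ipv6 address 2001:db8:ffff::1/64
 ! Never announce ourselves as a router towards the untrusted side.
 ipv6 nd suppress-ra
!
! Inbound policy on outside: HTTPS to one inside host only; everything else
! is dropped by the implicit deny at the end of the list.
ipv6 access-list OUTSIDE_V6 permit tcp any host 2001:db8:1::10 eq https
ipv6 access-list OUTSIDE_V6 deny ip any any
access-group OUTSIDE_V6 in interface outside
```

Verify the result with show ipv6 interface, which lists the interface status and both the link-local and global unicast addresses, and check that the outside interface reports no advertised prefixes.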
This section includes the following topics:
• About Authentication, page 11-2
• About Authorization, page 11-2
• About Accounting, page 11-2
FWSM for the session, the service used, and the duration of each session.
2. For firewall sessions, RADIUS authorization is supported with user-specific access lists only, which are received or specified in a RADIUS authentication response.
3. Local command authorization is supported by privilege level only.
The security appliance deletes the access list when the authentication session expires.
TACACS+ Server Support
The security appliance supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
The FWSM uses NTLM version 1 for user authentication with the Microsoft Windows domain server. The FWSM grants or denies user access based on the response from the domain server. NTLM version 1 is a legacy protocol; where the environment allows, prefer RADIUS or TACACS+ authentication.
With the exception of fallback for network access authentication, the local database can act as a fallback method for the functions in Table 11-1. This behavior is designed to help you prevent accidental lockout from the FWSM.
Step 1 Create the user account. To do so, enter the following command:
hostname(config)# username username {nopassword | password password} [privilege level]
The following commands create a user account with a password, enter username mode, and specify a few VPN attributes:
hostname(config)# username user1 password gOgeOus
hostname(config)# username user1 attributes
For more information about this command, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
(indicated by “—”), use the command to specify the value. For more information about these commands, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
Configuring AAA Servers and the Local Database: Identifying AAA Server Groups and Servers
hostname(config)# aaa-server AuthOutbound protocol radius
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.3
hostname(config-aaa-server-host)# key RadUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server NTAuth protocol nt
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server NTAuth (inside) host 10.1.1.4
hostname(config-aaa-server-host)# nt-auth-domain-controller primary1
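An added example (not from the guide) that applies the server-group and local-fallback behaviour described above to management access: TACACS+ for SSH, enable, HTTP and command authorization, with the LOCAL database as the fallback so an unreachable server does not lock administrators out, plus the depletion reactivation mode with a short deadtime so a failed server is retried. Server addresses, keys and the local account are made up; the local account must exist with the privilege it needs before fallback is relied on.

```cisco
! TACACS+ group for management AAA. With reactivation-mode depletion a server
! stays marked failed until every server in the group has failed, then all are
! retried after the deadtime (minutes).
aaa-server MGMT_TACACS protocol tacacs+
 reactivation-mode depletion deadtime 2
 max-failed-attempts 3
aaa-server MGMT_TACACS (inside) host 10.1.1.5
 key tacacsSharedSecret1
 timeout 5
aaa-server MGMT_TACACS (inside) host 10.1.1.6
 key tacacsSharedSecret1
 timeout 5
!
! Local fallback account at privilege 15 so it can still do everything when
! the TACACS+ servers are unreachable.
username admin password L0calOnlyPassw0rd privilege 15
!
! Server group first; LOCAL is consulted only when no server answers,
! not when a server rejects the credentials.
aaa authentication ssh console MGMT_TACACS LOCAL
aaa authentication enable console MGMT_TACACS LOCAL
aaa authentication http console MGMT_TACACS LOCAL
! Command authorization by the server, local privilege levels as fallback.
aaa authorization command MGMT_TACACS LOCAL
! Account for sessions and for every command at privilege 15 and above.
aaa accounting ssh console MGMT_TACACS
aaa accounting enable console MGMT_TACACS
aaa accounting command privilege 15 MGMT_TACACS
```

Keep a console session open while enabling command authorization for the first time: if the server's command policy or the local privilege levels are wrong, that session is the only way back in without a reload.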
This process relies on the receiver having a copy of the public key of the sender and a high degree of certainty that this key belongs to the sender, not to someone pretending to be the sender.
Separate signing and encryption keys help reduce exposure of the keys. This is because SSL uses a key for encryption but not signing, while IKE uses a key for signing but not encryption.
If you do not assign a label, the key pair is automatically labeled Default-RSA-Key. To assign a label to each key pair, enter the following command:
hostname/contexta(config)# crypto key generate rsa label key-pair-label
For the aaa authentication include command, users can be authenticated or authorized only by a TACACS+ or RADIUS server designated by the aaa-server command.
Step 2 To configure secure authentication to the HTTP client, enter the following command:
hostname(config)# aaa authentication secure-http-client
For more information about command usage, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
Verifying Configurations for Specified Settings
Before you import third-party certificates, you must have configured certain AAA settings, the AAA server, access lists, and optionally, virtual HTTP.
To control which trustpoint sharing a CA is used for validation of user certificates issued by that CA, enter the support-user-cert-validation command.
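An added example (not from the guide) of generating labelled RSA key pairs and enrolling a trustpoint with a CA, following the points above about labels and about keeping signing and encryption keys separate. Labels, the trustpoint name, FQDN and modulus are made up; enrollment uses terminal (cut-and-paste) mode so nothing depends on a reachable CA. The crl and ssl trust-point lines follow the ASA syntax and are assumptions here; support-user-cert-validation is placed on the trustpoint that should validate user certificates.

```cisco
! Two labelled key pairs: one for the HTTPS/SSL identity, one for IKE.
! Omitting the label would regenerate Default-RSA-Key, which SSH also uses.
crypto key generate rsa label SSL-KEY modulus 2048 noconfirm
crypto key generate rsa label IKE-KEY modulus 2048 noconfirm
!
! Trustpoint for the enterprise CA, enrolled by pasting PEM at the terminal.
crypto ca trustpoint CORP-CA
 enrollment terminal
 keypair SSL-KEY
 fqdn fwsm1.example.com
 subject-name CN=fwsm1.example.com,O=Example Corp,C=US
 ! Require a CRL check (fetched from the CDP in the certificate) and fail
 ! closed if none is available, instead of silently accepting revoked certs.
 crl required
 ! Use this trustpoint, not another one for the same CA, to validate user
 ! certificates issued by that CA.
 support-user-cert-validation
!
! Step 1: import the CA certificate (paste it, then enter "quit").
crypto ca authenticate CORP-CA
! Step 2: generate the CSR to hand to the CA; import the signed reply later
! with "crypto ca import CORP-CA certificate".
crypto ca enroll CORP-CA
!
! Serve the enrolled identity for ASDM/HTTPS on the inside interface.
ssl trust-point CORP-CA inside
```

After enrollment, show crypto ca certificates should list both the CA and the identity certificate under CORP-CA; an identity certificate whose subject does not match the FQDN clients connect to will be rejected by browsers even though the FWSM accepts it.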
Inc. c=US
Subject Name:
cn=atl-lx-sbacchus.cisco.com
o=Cisco Systems\, Inc
sa=170 West Tasman Dr
l=San Jose
st=California
pc=95134
c=US
serialNumber=C1183477
2.5.4.15=#131256312e302c20436c6175736520352e286229
1.3.6.1.4.1.311.60.2.1.2=#130a43616c69666f726e6961
1.3.6.1.4.1.311.60.2.1.3=#13025553
The last three attributes are shown as raw OIDs with DER-encoded values because the FWSM has no names for them: they are the Extended Validation fields businessCategory ("V1.0, Clause 5.(b)"), jurisdiction state ("California") and jurisdiction country ("US").
access-list FWACL extended permit tcp any any eq https
access-group FWACL in interface outside
timeout uauth 0:05:00 absolute
aaa-server TacacsServers protocol tacacs+
reactivation-mode depletion deadtime 2
The auth-prompt series of commands changes the prompt that users see, so you know that the FWSM is making the request.
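An added example (not from the guide) that puts the network-access authentication fragments together: the access list that selects HTTPS and HTTP traffic, the aaa authentication match that sends it to the TACACS+ group, secure-http-client so credentials are collected over HTTPS rather than clear-text HTTP, a short absolute uauth timeout, and custom auth prompts so users can tell that the FWSM, not the web server, is asking. Server address, key and prompt text are made up.

```cisco
! TACACS+ group for network (cut-through proxy) authentication. Unlike
! management AAA, there is no LOCAL fallback for network access authentication.
aaa-server TacacsServers protocol tacacs+
 reactivation-mode depletion deadtime 2
aaa-server TacacsServers (inside) host 10.1.1.7
 key tacacsNetAuthKey
!
! Traffic that must be authenticated before it is allowed through.
access-list FWACL extended permit tcp any any eq https
access-list FWACL extended permit tcp any any eq www
access-group FWACL in interface outside
!
! Authenticate matching sessions arriving on outside against the group.
aaa authentication match FWACL outside TacacsServers
! Collect the credentials over HTTPS so the password never crosses in clear text.
aaa authentication secure-http-client
!
! Authenticated sessions expire 5 minutes after login regardless of activity,
! so a cached credential on a shared host cannot be reused all day.
timeout uauth 0:05:00 absolute
!
! Make it obvious to the user who is asking and why.
auth-prompt prompt Example Corp firewall: enter your corporate credentials
auth-prompt accept Authentication succeeded; your session is now permitted
auth-prompt reject Authentication failed; access denied and logged
```

With an interface access list that only permits the authenticated ports, anything that does not pass the cut-through proxy is dropped before it reaches the servers; show uauth lists the currently authenticated users and their remaining time.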
• IP Addresses Used for Access Lists When You Use NAT, page 13-3
• Access List Commitment, page 13-5
• Maximum Number of ACEs, page 13-6
ACEs are checked. For example, if you create an ACE at the beginning of an access list that explicitly permits all traffic, no further statements are ever checked. You can disable an ACE by making it inactive.
See the following commands for this example:
hostname(config)# access-list INSIDE extended permit ip 10.1.1.0 255.255.255.0 host 209.165.200.225
hostname(config)# access-group INSIDE in interface inside
See the following commands for this example:
hostname(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host 209.165.201.5
hostname(config)# access-group OUTSIDE in interface outside
For information about exceeding memory limits, see the “Maximum Number of ACEs” section.
ICMP inspection engine. The ICMP inspection engine treats ICMP sessions as bidirectional connections.
(for example, INSIDE), or for the purpose for which it is created (for example, NO_NAT or VPN).
When you specify a network mask, the method is different from the Cisco IOS software access-list command. The FWSM uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
IP traffic that you previously allowed with an extended access list. IPv4 and ARP traffic cannot be controlled with an EtherType access list.
FWSM to use the IP address on the FWSM interface as the router-id for LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.) On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the FWSM.
For example, consider the following three object groups:
• MyServices—Includes the TCP and UDP port numbers of the service requests that are allowed access to the internal network
The description can be up to 200 characters.
Step 3 To define the protocols in the group, enter the following command for each protocol:
hostname(config-protocol)# protocol-object protocol
You do not need to reenter existing objects; the commands you already set remain in place unless you remove them with the no form of the command.
For example, you create network object groups for privileged users from various departments:
hostname(config)# object-group network eng
hostname(config-network)# network-object host 10.1.1.5
hostname(config-network)# network-object host 10.1.1.9
hostname(config-network)# network-object host 10.1.1.89
hostname(config-network)# object-group network hr
[protocol | network | services | icmp-type]
If you do not enter a type, all object groups are removed.
Before optimization:
access-list test extended permit udp 10.1.1.0 255.255.255.0 any [rule x]
access-list test extended permit udp 10.1.1.1 255.255.255.255 any [rule y]
80 130 log disable [rule y]
After optimization:
access-list test extended deny tcp any any range 50 100 log default [rule x]
The following is an example of an optimized access list configuration.
Show the optimized access list:
hostname(config)# show access-list test optimization
access-list test; 13 elements before optimization
7 elements after optimization
Reduction rate = 46%
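The first-match rule, the FWSM network-mask syntax, and the overlapping-ACE case that optimization collapses, worked through in an added example that is not part of the Cisco guide. It parses the ACE lines from the before-optimization listing above; the port-name table and the covered-ACE check are this example's own assumptions, not FWSM internals.

```python
"""FWSM extended access lists as a defender models them: first-match evaluation,
FWSM network-mask (not IOS wildcard) syntax, and detection of ACEs that an
earlier entry already covers (the case access list optimization merges).

Added example written for this page, not Cisco code. It handles only the ACE
subset shown here:
  access-list NAME extended {permit|deny} PROTO SRC DST [eq P | range LO HI] [inactive]
with SRC/DST given as "any", "host A.B.C.D" or "A.B.C.D NETMASK".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Named ports that appear in this page's examples (a constructed subset).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "telnet": 23, "smtp": 25}

@dataclass
class Ace:
    name: str
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[Tuple[int, int]]  # destination port range, None = any port
    inactive: bool = False

def mask_is_netmask(mask: str) -> bool:
    """FWSM masks are contiguous network masks (255.255.255.0). Reject an IOS
    wildcard such as 0.0.0.255, which ipaddress would otherwise accept silently."""
    hostbits = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
    return hostbits & (hostbits + 1) == 0

def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    # Parse one address field starting at token i; return (network, next index).
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    if not mask_is_netmask(t[i + 1]):
        raise ValueError(f"{t[i + 1]} is a wildcard; the FWSM expects a network mask")
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    src, i = _addr(t, 5)
    dst, i = _addr(t, i)
    ports = None
    if i < len(t) and t[i] == "eq":
        ports, i = (_port(t[i + 1]), _port(t[i + 1])), i + 2
    elif i < len(t) and t[i] == "range":
        ports, i = (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return Ace(t[1], t[3], t[4], src, dst, ports, "inactive" in t[i:])

def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int = 0) -> str:
    """The first matching active ACE decides; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in acl:
        if a.inactive or a.proto not in ("ip", proto):
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.ports and not (a.ports[0] <= dport <= a.ports[1]):
            continue
        return a.action
    return "deny"

def covers(a: Ace, b: Ace) -> bool:
    """True when every packet b could match is already matched by a."""
    ports_ok = a.ports is None or (
        b.ports is not None and a.ports[0] <= b.ports[0] <= b.ports[1] <= a.ports[1])
    return (a.proto in ("ip", b.proto) and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst) and ports_ok)

def shadowed(acl: List[Ace]) -> List[Ace]:
    """ACEs that can never be the first match because an earlier active ACE
    covers them (the 10.1.1.0/24 followed by host 10.1.1.1 pair on this page)."""
    return [b for i, b in enumerate(acl)
            if any(not a.inactive and covers(a, b) for a in acl[:i])]

def reduction_rate(before: int, after: int) -> int:
    """Percentage shown by show access-list ... optimization (13 to 7 elements gives 46)."""
    return int(100 * (before - after) / before)

if __name__ == "__main__":
    # Constructed input reproducing the page's "before optimization" pair.
    acl = [parse_ace(l) for l in (
        "access-list test extended permit udp 10.1.1.0 255.255.255.0 any",
        "access-list test extended permit udp 10.1.1.1 255.255.255.255 any",
        "access-list test extended deny tcp any any range 50 100")]
    print("shadowed:", [str(b.src) for b in shadowed(acl)])        # ['10.1.1.1/32']
    print(evaluate(acl, "tcp", "10.1.1.1", "209.165.200.225", 80))  # deny
    print(reduction_rate(13, 7))                                     # 46
```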
Show the optimized access list range 6 through 9 in detail:
hostname(config)# show access-list test optimization detail range 6 9
access-list test; 13 elements before optimization
This will cause some rules to be deleted. Thus, it is considered a good practice to back up the original configuration before proceeding with disabling access list group optimization.
Because no end time and date are specified, the time range is in effect indefinitely.
hostname(config)# time-range for2006
hostname(config-time-range)# absolute start 8:00 1 january 2006
106100, which provides statistics for each ACE and lets you limit the number of system log messages produced. Alternatively, you can disable all logging.
ICMP, all packets are logged even if they are permitted, and all denied packets are logged. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Log Messages for detailed information about this system log message.
When the limit is reached, the FWSM does not create a new deny flow for logging until the existing flows expire.
The seconds are between 1 and 3600. 300 is the default.
All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key.
Even though both FWSMs are assigned the same VLANs, only the active module takes part in networking. The standby module does not pass any traffic.
FWSM VLANs (VLANs 10 and 11).
Note FWSM failover is independent of the switch failover operation; however, FWSM works in any switch failover scenario.
[Figure: Failover Links VLAN 10 and VLAN 11, trunked (VLANs 10 & 11) between the Active FWSM and the Standby FWSM; interface VLANs 201, 202, and 203 (Inside and Mktg networks).]
[Figure: the same failover links after a failover, trunked (VLANs 10 & 11) between the Failed FWSM and the now Active FWSM; interface VLANs 201, 202, and 203 (Inside and Mktg networks).]
Because the FWSMs bridge packets between the same two VLANs, loops can occur when inside packets destined for the outside get
• Device Initialization and Configuration Synchronization, page 14-9
• Command Replication, page 14-11
• Failover Triggers, page 14-11
• Failover Actions, page 14-12
(except for the failover commands needed to communicate with the active unit), and the active unit sends its entire configuration to the standby unit.
• The no failover active command is entered on the active unit or the failover active command is entered on the standby unit.
• Primary/Secondary Status and Active/Standby Status, page 14-13
• Device Initialization and Configuration Synchronization, page 14-14
• Command Replication, page 14-14
Note FWSM does not provide load balancing services. Load balancing must be handled by a router passing traffic to FWSM.
Failure to enter the commands on the appropriate unit for command replication to occur will cause the configurations to become out of synchronization. Those changes may be lost the next time configuration synchronization occurs.
• The unit has a software failure.
• The no failover active or the failover active command is entered in the system execution space.
No failover Become active Become active
If the failover link is down at startup, both failover groups on both units will become active.
FWSM supports two types of failover, regular and stateful. This section includes the following topics:
• Regular Failover, page 14-18
• Stateful Failover, page 14-18
Note If failover occurs during an active Cisco IP SoftPhone session, the call will remain active because the call session state information is replicated to the standby unit. When the call is terminated, the IP SoftPhone client will lose connection with the CallManager. This occurs because there is no session information for the CTIQBE hangup message on the standby unit.
5 seconds. If any packets are received at any time during this interval, the interface is considered operational and testing stops. If no traffic is received, the ARP test begins.
For multiple context mode, all steps are performed in the system execution space unless otherwise noted.
Note If the state link uses the failover link, skip this step. You have already defined the failover link active and standby IP addresses.
Enter this command exactly as you entered it on the primary unit when you configured the failover interface on the primary unit.
1200 seconds. If the delay is not specified, there is no delay. When the primary unit becomes active, the secondary unit enters the standby state.
When specifying a specific number of interfaces, the num argument can be from 1 to 250. When specifying a percentage of interfaces, the num argument can be from 1 to 100.
Note Do not configure an IP address for the failover link or for the state link (if you are going to use Stateful Failover).
hostname(config-if)# ip address active_addr netmask standby standby_addr
Step 4 Configure the failover groups. You can have at most two failover groups. The failover group command creates the specified failover group if it does not exist and enters the failover group configuration mode.
Note Enter this command exactly as you entered it on the primary unit when you configured the failover interface.
However, if one unit boots before the other, then both failover groups become active on that unit. When the other unit comes online, any failover groups
When specifying a specific number of interfaces, the num argument can be from 1 to 250. When specifying a percentage of interfaces, the num argument can be from 1 to 100.
This section includes the following topics:
• Viewing Failover Status for Active/Standby, page 14-32
• Viewing Failover Status for Active/Active, page 14-35
Interface outside (192.168.5.121): Normal
Interface inside (192.168.0.1): Normal
Peer context: Not Detected
Active time: 0 (sec)
Interface outside (192.168.5.131): Normal
Interface inside (192.168.0.11): Normal
The amount of time the unit has been active. This time is cumulative, so the standby unit, if it was active in the past, will also show a value.
L2BRIDGE tbl: Layer 2 bridge table information (transparent firewall mode only).
Xlate_Timeout: Indicates connection translation timeout information.
VPN IKE upd: IKE connection information.
Interface outside (10.3.3.2): Normal
ctx2 Interface inside (10.4.4.2): Normal
Other host: Secondary
Group 1 State: Standby Ready
Active time: 190 (sec)
Interface outside (192.168.5.131): Normal
admin Interface inside (192.168.0.11): Normal
Stateful Failover Logical Update Statistics
Status: Configured.
RPC services
TCP conn
UDP conn
ARP tbl
• Unknown—FWSM cannot determine the status of the interface.
• Waiting—Monitoring of the network interface on the other unit has not yet started.
GTP PDP update information. This information appears only if inspect GTP is enabled.
GTP PDPMCB: GTP PDPMCB update information. This information appears only if inspect GTP is enabled.
• For Active/Active failover, enter the following command on the unit where the failover group containing the interface connecting your hosts is active:
Or, enter the following command in the system execution space of the unit where the failover group is in the active state:
hostname# no failover active group group_id
If previously active, a failover group will become active if it is configured with the preempt command and if the unit on which it failed is its preferred unit.
411001 and 411002. This is normal activity.
Debug Messages
To see debug messages, enter the debug fover command. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information.
Note Because debugging output is assigned high priority in the CPU process, it can drastically affect system performance.
HR extended permit ip any any
hostname(config)# access-group HR in interface hr
hostname(config)# access-list ENG extended permit ip any any
hostname(config)# access-group ENG in interface eng
The following access list denies traffic with EtherType 0x1256 but allows all others on both interfaces:
hostname(config)# access-list ETHER ethertype deny 1256
hostname(config)# access-list ETHER ethertype permit any
hostname(config)# access-group ETHER in interface inside
hostname(config)# access-group ETHER in interface outside
• Order of NAT Commands Used to Match Real Addresses, page 16-15
• Maximum Number of NAT Statements, page 16-15
• Mapped Address Guidelines, page 16-15
• DNS and NAT, page 16-16
209.165.201.10, and the FWSM receives the packet. The FWSM then undoes the translation of the mapped address, 209.165.201.10, back to the real address, 10.1.1.27, before sending it on to the host.
ARP request to a host on the other side of the firewall, and the initiating host real address is mapped to a different address on the same subnet, then the real address remains visible in the ARP request.
192.168.1.0 255.255.255.0 10.1.1.3 1
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# nat (inside) 1 192.168.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.1-209.165.201.15
NAT. If you upgraded from an earlier version of software, however, NAT control might be enabled on your system.
IP address after the translation times out. (See the timeout xlate command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.) Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (even if the connection is allowed by an access list), and the FWSM rejects any attempt to connect to a real host address directly.
Because the address is unpredictable, a connection to the host is unlikely. However, in this case, you can rely on the security of the access list.
(if there is an access list that allows it), while dynamic NAT does not. You also need an equal number of mapped addresses as real addresses with static NAT.
8080. Similarly, if you want to provide extra security, you can tell your web users to connect to non-standard port 6785, and then undo translation to port 80.
IP addresses for the secondary channel. This way, the FWSM translates the secondary ports.
(inside) 1 access-list NET1
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list NET2
hostname(config)# global (outside) 2 209.165.202.130
Because there is a maximum number of NAT sessions (see the “Managed System Resources” section on page A-4), these types of NAT sessions might cause you to run into the limit.
These inspection engines include Skinny, SIP, and H.323. See the “Inspection Engine Overview” section on page 22-2 for supported inspection engines.
If you use OSPF to advertise mapped IP addresses that belong to a different subnet from the mapped interface, you need to create
NAT it. The necessary route can be learned via static routing or by any other routing protocol, such as RIP or OSPF.
See the following command for this example:
hostname(config)# static (inside,outside) 209.165.201.10 10.1.3.14 netmask 255.255.255.255
Note If a user on a different network (for example, DMZ) also requests the IP address for ftp.cisco.com from the outside DNS server, then the IP address in the DNS reply is also modified for this user, even though the user is not on the Inside interface referenced by the static command.
To enable NAT control, enter the following command:
hostname(config)# nat-control
To disable NAT control, enter the no form of the command.
This section describes how to configure dynamic NAT and PAT, and it includes the following topics:
• Dynamic NAT and PAT Implementation, page 16-20
• Configuring Dynamic NAT or PAT, page 16-26
[Figure: NAT 1 translates the 10.1.2.0/24 Inside network; inside host 10.1.2.27.]
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
(inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (inside) 1 192.168.1.0 255.255.255.0
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
NAT, you can specify the same real addresses for multiple nat commands, as long as the destination addresses and ports are unique in each access list.
PAT statement in case all the dynamic NAT addresses are depleted. Similarly, you might enter two PAT statements if you need more than the approximately 64,000 PAT sessions that a single PAT mapped statement supports. (See Figure 16-18.)
Inside interface), the inside host uses a static command to allow outside access, so both the source and destination addresses are translated.
NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected.
Step 1 To identify the real addresses that you want to translate, enter one of the following commands:
• Policy NAT:
hostname(config)# nat (real_interface) nat_id access-list acl_name [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]
However, leaving ISN randomization enabled on both firewalls does not affect the
(10.1.1.0), for example, to simplify routing, enter the following commands:
hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
hostname(config)# global (inside) 1 10.1.1.45
Figure 16-22 Static NAT
[Figure: the FWSM statically translates inside host 10.1.1.1 to outside address 209.165.201.1 and inside host 10.1.1.2 to 209.165.201.2.]
The clear xlate command clears all connections, even when xlate-bypass is enabled and when a connection does not have an xlate. For more information about these commands, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
Do not use a mapped address in the static command that is also defined in a global command for the same mapped interface. For more information about static PAT, see the “Static PAT” section on page 16-9.
(10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering the following commands:
hostname(config)# access-list TELNET permit tcp host 10.1.1.15 10.1.3.0 255.255.255.0 eq telnet
NAT or policy NAT. Policy NAT lets you identify the real and destination addresses when determining the real addresses to translate. (See the “Policy NAT” section on page 16-10 for more
For example, the following command uses static identity NAT for an inside IP address (10.1.1.3) when accessed by the outside:
hostname(config)# static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255
NAT exemption also does not consider the inactive or time-range keywords; all ACEs are considered to be active for NAT exemption configuration.
This section describes typical scenarios that use NAT solutions, and it includes the following topics:
• Overlapping Networks, page 16-38
• Redirecting Ports, page 16-39
Step 3 Configure the following static routes so that traffic to the DMZ network can be routed correctly by the FWSM:
hostname(config)# route dmz 192.168.100.128 255.255.255.128 10.1.1.2 1
hostname(config)# route dmz 192.168.100.0 255.255.255.128 10.1.1.2 1
• HTTP port 8080 requests to PAT address 209.165.201.15 are redirected to 10.1.1.7 port 80.
To implement this scenario, perform the following steps:
Step 5 Redirect HTTP requests on port 8080 for PAT address 209.165.201.15 to 10.1.1.7 port 80 by entering the following command:
hostname(config)# static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255
For HTTP, you log in using basic HTTP authentication supplied by the browser. For HTTPS, the FWSM generates custom login windows.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
Enabling Network Access Authentication
To enable network access authentication, perform the following steps:
MAIL_AUTH extended permit tcp any any eq smtp
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq www
hostname(config)# aaa authentication match MAIL_AUTH inside AuthOutbound
Step 4 To show text when a user is rejected due to invalid credentials, enter the following command:
After enabling this feature, when a user accesses a web page requiring authentication, the FWSM displays the Authentication Proxy Login Page shown in Figure 17-1.
PAT for web traffic and the second line must be added to support the HTTPS authentication configuration.
static (inside,outside) tcp 10.132.16.200 www 10.130.16.10 www
If the user establishes the session with a protocol whose authentication challenge is enabled (such as HTTP), FTP traffic is allowed.
17-3. If you have already enabled authentication, continue to the next step.
Step 2 To enable authorization, enter the following command:
• Configuring a RADIUS Server to Download Per-User Access Control List Names, page 17-12
Configuring a RADIUS Server to Download Per-User Access Control Lists
This section describes how to configure Cisco Secure ACS or a third-party RADIUS server, and includes the following topics:
• Configuring Cisco Secure ACS for Downloadable Access Lists, page 17-11
On the FWSM, the downloaded access list has the following name:
#ACSACL#-ip-acl_name-number
The acl_name argument is the name that is defined on Cisco Secure ACS (acs_ten_acl in the preceding example), and number is a unique version ID generated by Cisco Secure ACS.

FWSM. If this parameter is omitted, the sequence value is 0, and the order of the ACEs inside the cisco-av-pair RADIUS VSA is used. The following example is an access list definition as it should be configured for a cisco-av-pair VSA on a RADIUS server:
ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
Chapter 17 Applying AAA for Network Access Configuring Accounting for Network Access

Note: In Cisco Secure ACS, the value for filter-id attributes is specified in boxes in the HTML interface, omitting filter-id= and entering only acl_name. For information about making the filter-id attribute value unique per user, see the documentation for your RADIUS server.
Step 2 To exempt traffic for the MAC addresses specified in a particular MAC list, enter the following command:
hostname(config)# aaa mac-exempt match id

hostname(config)# mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffff
hostname(config)# mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000
hostname(config)# aaa mac-exempt match 1

This section describes how to apply filtering to remove ActiveX objects from HTTP traffic passing through the firewall. This section includes the following topics:

• ActiveX Filtering Overview, page 18-2
• Enabling ActiveX Filtering, page 18-2

To remove the configuration, use the no form of the command, as in the following example:
hostname(config)# no filter activex 80 0 0 0 0

To remove the configuration, use the no form of the command, as in the following example:
hostname(config)# no filter java http 192.168.3.3 255.255.255.255 0 0
Note: You must add the filtering server before you can configure filtering for HTTP or HTTPS with the filter command. You must also remove all filter commands before you remove the filtering servers from the configuration.
hostname(config)# url-server (perimeter) vendor n2h2 host 10.0.1.1
hostname(config)# url-server (perimeter) vendor n2h2 host 10.0.1.2
This identifies two Sentian filtering servers, both on a perimeter interface of the FWSM.

Use the dst keyword to cache entries based on the URL destination address. Select this mode if all users share the same URL filtering policy on the Websense server.

(Websense only) You can also configure the maximum size of the URL buffer memory pool with the following command:
hostname(config)# url-block url-mempool memory_pool_size

FWSM using HTTP or FTP before accessing HTTPS servers. To enable HTTPS filtering, enter the following command:
hostname(config)# filter https port localIP local_mask foreign_IP foreign_mask [allow]

./files instead of cd /public/files.

Viewing Filtering Statistics and Configuration

This section describes how to monitor filtering statistics. This section includes the following topics:

128
url-block url-size 4
url-block block 128
This shows the configuration of the URL block buffer.

URL Access and URL Server Req rows.

Viewing Filtering Configuration

The following is sample output from the show running-config filter command:
hostname# show running-config filter
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

• If the ARP packet does not match any entries in the static ARP table, then you can set the FWSM to either forward the packet out all interfaces (flood), or to drop the packet.

To view the current settings for ARP inspection on all interfaces, enter the show arp-inspection command.

The default timeout value for dynamic MAC address table entries is 5 minutes, but you can change the timeout. To change the timeout, enter the following command:
hostname(config)# mac-address-table aging-time timeout_value

The following is sample output from the show mac-address-table command that shows the table for the inside interface:
hostname# show mac-address-table inside
interface    mac address       type      Age(min)   Group
-----------------------------------------------------------------------
inside       0010.7cbe.6101    static
inside       0009.7cbe.5101    dynamic

• Permitting or Denying Application Types with PISA Integration—See the “Permitting or Denying Application Types with PISA Integration” section on page 21-4.

For example, you might want to drop all HTTP requests with a URL including the text “example.com.”

[Figure: Inspection Policy Map Actions; Inspection Class Map/Match Commands; Regular Expression Statement/Regular Expression Class Map]

• Layer 3/4 class maps
• Inspection class maps
• Regular expression class maps
• match commands used directly underneath an inspection policy map

• Default traffic for inspection—The class map matches the default TCP and UDP ports used by all applications that the FWSM can inspect.
hostname(config-cmap)# match default-inspection-traffic

3/4 class map for which you have defined an inspection action, then that subset of traffic will be acted upon as specified (for example, dropped or rate-limited). This section includes the following topics:

• Inspection Policy Map Overview, page 20-7

20-10. Alternatively, you can identify the traffic directly within the policy map.

Step 2 To create the inspection policy map, enter the following command:
hostname(config)# policy-map type inspect application policy_map_name
hostname(config-pmap)#

100 reset
match request method get

The following is an example of an HTTP inspection policy map and the related class maps. This policy map is activated by the Layer 3/4 policy map, which is enabled by the service policy.

“Creating a Regular Expression Class Map” section on page 20-14.

Step 2 Create a class map by entering the following command:
hostname(config)# class-map type inspect application [match-all] class_map_name
hostname(config-cmap)#
Use Ctrl+V to escape all of the special characters in the CLI, such as question mark (?) or a tab. For example, type d[Ctrl+V]?g to enter d?g in the configuration. See the regex command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for performance impact information when matching a regular expression to packets.
Specifies the beginning of a line.
Escape character: When used with a metacharacter, matches a literal character. For example, \[ matches the left square bracket.

The following example creates two regular expressions for use in an inspection policy map:
hostname(config)# regex url_example example\.com
hostname(config)# regex url_example2 example2\.com

If a packet matches a class map for application inspection, but also matches another class map that includes application inspection, then the second class map actions are not applied.

  match port tcp 80 [it should be 21]
class-map http
  match port tcp 80
policy-map test
  class http
    inspect http
  class ftp
    inspect ftp

The maximum number of policy maps is 64. To create a Layer 3/4 policy map, perform the following steps:

Step 1 Add the policy map by entering the following command:
hostname(config)# policy-map policy_map_name

The following example shows how traffic matches the first available class map, and will not match any subsequent class maps that specify actions in the same feature domain:
The following commands disable the default global policy, and enable a new one called new_global_policy on all other FWSM interfaces:
hostname(config)# no service-policy global_policy global
IP address in the access list in the class map. If you applied it to the outside interface, you would use the mapped addresses.

10.1.1.1 any eq 80
hostname(config)# class-map http_client
hostname(config-cmap)# match access-list http_client
hostname(config)# policy-map http_client
hostname(config-pmap)# class http_client
hostname(config-pmap-c)# inspect http
hostname(config)# service-policy http_client interface inside

TCP sequence continues to be randomized. You can also configure maximum connections and TCP sequence randomization in the NAT

65535. The default is 0, which means no limit on the connection rate. The random-sequence-number {enable | disable} keyword enables or disables TCP sequence number randomization.

Step 6 To activate the policy map on one or more interfaces, enter the following command:
hostname(config)# service-policy policymap_name {global | interface interface_name}
0:0:40 half-closed 0:20:0

Permitting or Denying Application Types with PISA Integration

Note: This feature depends on Cisco IOS Release 12.2(18)ZYA or later, and is only available on the Catalyst 6500 switch.

The GRE encapsulation adds 32 bytes (20 bytes for the outer IP header and 12 bytes for the GRE header).

For example, to permit all traffic except for Skype, eDonkey, and Yahoo, enter the following commands:

• Sample Switch Configurations for PISA Integration, page 21-9

PISA Limitations and Restrictions

The following limitations and restrictions apply to the PISA:

Note: Classification and tagging need to be enabled on the same port; for example, you cannot enable classification on access ports and tagging on a trunk port.

! Allows packet sizes up to 9216 bytes without fragmenting

Example 21-2 Layer 2 Mode (Interface-based, Protocol Discovery on Uplink Ports)
Router(config)# interface gigabitethernet 6/1
Router(config-if)# ip nbar protocol-discovery
! Classification

This section describes how to configure TCP state bypass, and includes the following topics:

• TCP State Bypass Overview, page 21-11
• Enabling TCP State Bypass, page 21-13

FWSM 1, then the packets will match the entry in the accelerated path, and are passed through. But if subsequent packets go to FWSM 2, where there was not a SYN packet that went

FWSMs for TCP state bypass traffic; if you use dynamic NAT, the address chosen for the session on FWSM 1 will differ from the address chosen for the session on FWSM 2.

The following is an example configuration for TCP state bypass:
hostname(config)# access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
hostname(config)# class-map tcp_bypass

Non-initial packets are checked to ensure they arrived on the same interface used by the initial packet. To enable Unicast RPF, enter the following command:
hostname(config)# ip verify reverse-path interface interface_name

VLAN ID that is assigned to an interface in other contexts, you can shun the connection in other contexts.

Step 3 To remove the shun, enter the following command:
hostname(config)# no shun src_ip [vlan vlan_id]

Connections (XLATE and CONN tables)—Maintains state and other information about each established connection. This information is used by the Adaptive Security Algorithm and cut-through proxy to efficiently forward traffic within established sessions.

• Some inspection engines do not support PAT, NAT, outside NAT, or NAT between same security interfaces. See “Default Inspection Policy” for more information about NAT support.

No PTR records are changed. No NAT support is available for name resolution through WINS. Default maximum packet length is 512 bytes.

Does not handle TFTP uploaded Cisco (SCCP) IP Phone configurations under certain circumstances. No NAT on same security interfaces.
SMTP TCP/25 — RFC 821, 1123 —

Applying inspections to the traffic. For some applications, you can perform special actions when you enable inspection.
Activating inspections on an interface.

Application maps use commands in the form protocol-map.

• DCERPC—See the “Configuring a DCERPC Inspection Policy Map for Additional Inspection Control” section on page 22-17.

“Configuring a DCERPC Inspection Policy Map for Additional Inspection Control” section on page 22-17, identify the map name in this command.
dns [map_name] —

If you added an SNMP application map according to “Enabling and Configuring SNMP Application Inspection” section on page 22-98, identify the map name in this command.
sqlnet —
NAT. This enables Cisco IP SoftPhone and other Cisco TAPI/JTAPI applications to work successfully with Cisco CallManager for call setup across the FWSM. TAPI and JTAPI are used by many Cisco VoIP applications. CTIQBE is used by Cisco TSP to communicate with Cisco CallManager.
Cisco TSP configuration on the PC.
• When using PAT or Outside PAT, if the Cisco CallManager IP address is to be translated, its TCP port 2748 must be statically mapped to the same port of the PAT (interface) address for Cisco IP SoftPhone registrations to succeed.
CTIQBE session setup across the FWSM. It is established between an internal CTI device (for example, a Cisco IP SoftPhone) at local address 10.0.0.99 and an external Cisco CallManager at 209.165.201.2, where TCP port 2748 is the Cisco CallManager. The heartbeat interval for the session is 120 seconds.
- awaiting outside SYN, T - SIP, t - SIP transient, U - up

CTIQBE Sample Configurations

The following figure shows a sample configuration for a single transparent firewall for Cisco IP SoftPhone (Figure 22-2).

The following figure shows a sample configuration for a single transparent firewall for Cisco IP SoftPhone with NetMeeting enabled (Figure 22-3). Cisco IP SoftPhone is configured with the collaboration setting of NetMeeting.

Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN, B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,

• RemoteCreateInstance
• Any message that does not contain an IP address or port information because these messages do not require inspection

DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.

For an illustration and configuration instructions for this scenario, see the “DNS Rewrite with Three NAT Zones” section on page 22-22.

The following example specifies that the address 192.168.100.10 on the inside interface is translated into 209.165.201.5 on the outside interface:
hostname(config)# static (inside,outside) 209.165.200.225 192.168.100.10 dns

Example 22-2 DNS Rewrite with Two NAT Zones
hostname(config)# static (inside,outside) 209.165.200.225 192.168.100.1 netmask 255.255.255.255 dns
hostname(config)# access-list 101 permit tcp any host 209.165.200.225 eq www

The host running the web client sends the DNS server a request for the IP address of server.example.com.

Step 2 Create an access list that permits traffic to the port that the web server listens to for HTTP requests.

Step 2 Use the match port command to identify DNS traffic. The default port for DNS is UDP port 53.
hostname(config-cmap)# match port udp eq 53

ESMTP inspection according to the “Configuring Application Inspection” section on page 22-6.
To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#

To configure a local domain name, enter the following command:
hostname(config-pmap-p)# mail-relay domain-name action [drop-connection | log]
(Optional) To match the number of invalid recipients, enter the following command:
hostname(config-pmap-p)# match invalid-recipients count gt count
where count is the number of invalid recipients.
The 227 and PORT commands are checked to ensure they do not appear in an error string.

Caution: Using the strict option may cause the failure of FTP clients that are not strictly compliant with FTP RFCs.

Disallows the command that provides help information.
Disallows the command that makes a directory on the server.
Disallows the client command for sending a file to the server.
If you need to identify a range of contiguous ports for a single protocol, use the match port command with the range keyword, as follows:
hostname(config-cmap)# match port tcp range begin_port_number end_port_number
• If you want to enable strict FTP inspection, use the inspect ftp command with the strict keyword, as follows:
hostname(config-pmap-c)# inspect ftp strict

In conjunction with NAT, the FTP application inspection translates the IP address within the application payload. This is described in detail in RFC 959.

UTRAN is the networking protocol used for implementing wireless networks in this system. GTP allows multi-protocol packets to be tunneled through a UMTS/GPRS backbone between a GGSN, an SGSN and the UTRAN.
GTP inspection parameters. These commands are available in GTP map configuration mode. For the detailed syntax of each command, see the applicable command page in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
You can use the vertical bar (|) to filter the display, as in the following example:
hostname# show service-policy gtp statistics | grep gsn

SGSN. To do so, use the gtp-map and permit response commands.
hostname(config)# gtp-map map_name
hostname(config-gtp-map)# permit response to-object-group SGSN-name from-object-group GSN-pool-name
Sample configuration of SLB (IOS SLB, MSFC used), GGSN (MWAM module used) and FWSM. SLB and MWAM configuration on supervisor/MSFC. The MWAM is a Cisco IOS application module that you can install in the Cisco Catalyst 6500 Series switch. Each MWAM contains three processor complexes, with two CPUs each. Each CPU can be used to run an independent IOS image.
10.2.1.29 udp 3386 service gtp
 serverfarm GGSN-POOL
 inservice
ip slb vserver GTP-V1
 virtual 10.2.1.29 udp 2123 service gtp
 serverfarm GGSN-POOL
 inservice

GigabitEthernet0/0
 no ip address
interface GigabitEthernet0/0.1
interface GigabitEthernet0/0.8
 encapsulation dot1Q 8
 ip address 10.1.1.2 255.255.255.0
 no snmp trap link-status

1111 password cisco
 inservice
ip cef
no ip domain lookup

100
ip address 172.21.64.35 255.255.255.128 standby 172.21.64.36
interface Vlan5
 nameif inside
 security-level 100
 ip address 10.2.1.41 255.255.255.0 standby 10.2.1.40

14400
nat-control
no xlate-bypass
static (outside,inside) 10.5.1.1 10.5.1.1 netmask 255.255.255.255
static (inside,outside) 10.4.1.31 10.4.1.31 netmask 255.255.255.255
static (inside,outside) 10.4.1.32 10.4.1.32 netmask 255.255.255.255

The H.323 control channel handles H.225 and H.245 and H.323 RAS. H.323 inspection uses the following ports.
• UDP port 1718—Gate Keeper Discovery
• UDP port 1719—RAS

If you configure a network static address where the network static address is the same as a third-party netmask and address, then any outbound H.323 connection fails.
• Dynamic NAT (PAT) is not supported for H.323-GUP inspection.
H.225 configuration. The FWSM is not aware of the existence of the Cisco CallManager in this topology. With only the packet flows that happen through the security appliance, the FWSM cannot open a proper pinhole to allow such a call to be successful.
Identify an HSI group. To do so, use the hsi-group command, as follows:
hostname(config-h225-map)# hsi-group group_ID
hostname(config-h225-map-hsi-grp)#
where group_ID is a number from 0 to 2147483647 that identifies the HSI group.

The FWSM begins inspecting H.323 traffic, as specified.

This section describes how to display information about H.323 sessions. This section includes the following topics:
• Monitoring H.225 Sessions, page 22-54
• Monitoring H.245 Sessions, page 22-54
• Monitoring H.323 RAS Sessions, page 22-55

4-byte header. The foreign host endpoint is 172.30.254.203, and we are expecting the next packet from this endpoint to have a TPKT header because the TPKT value is 0.

• employed because GUP is a Cisco proprietary protocol.
• Dynamic NAT and dynamic PAT are not supported in H.323 GUP inspection.

RAS inspection should be turned on for interfaces through which the gatekeeper running the GUP protocol is reachable. In this example, RAS inspection is turned on for both the inside and outside interfaces.

[Figure: H.323 GUP sample topology. Two Cisco 3745 H.323 gateways, each with an analog phone, a Cisco 3745 gatekeeper, and the Firewall Services Module (FWSM); addresses shown are 209.100.100.2 and 10.100.100.2.]

101 voip
hostname(config-dial-peer)# destination-pattern 4085550100
hostname(config-dial-peer)# session target ras
Forward all voice calls destined to 4085550199 to voice port 3/0/0:
hostname(config)# dial-peer voice 102 pots

FLAGS - H
Network Processor 2 connections
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:
FWSM/admin# show h225

You can change the actions performed in response to inspection failure, but you cannot disable strict inspection as long as the inspection policy map remains enabled.

Step 2. The length gt max_bytes is the maximum message body length in bytes.

Step 4 To create an HTTP inspection policy map, enter the following command:
hostname(config)# policy-map type inspect http policy_map_name

To substitute a string for the server header field, enter the following command:
hostname(config-pmap-p)# spoof-server string

For information about ILS inspection, see the inspect ils command page in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.

Figure 22-11 illustrates how NAT can be used with MGCP.

Response header, optionally followed by a session description. To use MGCP, you usually need to configure inspection for traffic sent to two ports:

MGCP port and port-2 is the second MGCP port.

MGCP map that you may have created in optional Step
Step 8 Use the service-policy command to apply the policy map globally or to a specific interface, as follows:
The timeout mgcp-pat command lets you set the timeout for PAT xlates. Because MGCP does not have a keepalive mechanism, if you use non-Cisco MGCP gateways (call agents), the PAT xlates are torn down after the default timeout interval, which is 30 seconds.
Media lcl port 6166
Media rmt IP 192.168.5.7
Media rmt port 6058

MGCP Sample Configuration
Figure 22-12 shows a sample configuration for MGCP inspection:

Apply the above access lists on the inside and outside interfaces for incoming traffic:
hostname(config)# access-group mgcp in interface outside
hostname(config)# access-group mgcp in interface inside
Configure the call agent (the IP address of the Cisco CallManager) and the IP address of the IOS MGCP gateway in an MGCP map:
hostname(config)# mgcp-map mgcp-inspect
hostname(config-mgcp-map)# call-agent 15.0.0.210 101...

101 pots
hostname(config-dial-peer)# application mgcpapp
hostname(config-dial-peer)# port 3/0/0

NetBIOS Inspection
NetBIOS inspection is enabled by default.

If the response message is outbound, then the FWSM does not need to open dynamic channels.

• SDP files as part of HTTP or RTSP messages. Packets could be fragmented, and the FWSM cannot perform NAT on fragmented packets.
• With Cisco IP/TV, the number of NATs the FWSM performs on the SDP part of the message is ...

RTSP inspection engine RTSP traffic on the default ports (554 and 8554). The service policy is then applied to the outside interface.

– The port is missing in the contact field in the REGISTER message sent by the endpoint to the proxy server.

INVITE message from the inside endpoint. Unsolicited RTP/RTCP UDP packets to an inside interface do not traverse the FWSM unless the FWSM configuration specifically allows them.

The match-any keyword specifies that the traffic matches the class map if any of the match commands in the class map is matched.

where the regex regex_name argument is the regular expression you created in Step 1. The class regex_class_name argument is the regular expression class map you created in Step

To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
To enable or disable instant messaging, enter the following command. Instant messaging is enabled by default.

{mask | log} [log]
The following example shows how to disable instant messaging over SIP:

200 OK for the CANCEL SIP message, and 200 OK for 4xx/5xx/6xx SIP messages, instead of waiting for the idle timeout.

Figure 22-13, when 200 OK is not received for the BYE message, media connections are removed after the timeout sip-disconnect occurs.

22-14, the media connection is cleared after 200 OK is received for the CANCEL message. If 200 OK is not received for the CANCEL SIP message, the media connection is cleared after the timeout sip-disconnect occurs.

SIP INVITE message, the timeout for provisional responses is set to the value configured using the timeout sip-invite command.

Active, idle 0:00:06
This sample shows two active SIP sessions on the FWSM (as shown in the Total field). Each call-id represents a call.

IP address. RTP traffic is not switched via the same subnet. Instead, it is routed through the FWSM.
hostname(config)# show conn
6 in use, 28 most used
• SCCP (Skinny) Sample Configuration, page 22-93

SCCP Inspection Overview
Skinny (SCCP) is a simplified protocol used in VoIP networks. Cisco IP Phones using SCCP can coexist in an H.323 environment. When used with Cisco CallManager, the SCCP client can interoperate with H.323-compliant terminals.

Cisco CallManager server. When the Cisco IP Phones are on a lower security interface compared to the TFTP server, you must use an access list to connect to the protected TFTP server on UDP port 69. While you do need a static entry for the TFTP server, it does not have to be an identity static entry.
(Optional) To change the default port used by the FWSM for receiving SCCP traffic, enter the following command:
hostname(config-pmap-c)# inspect skinny
Step 6 Return to policy map configuration mode by entering the following command:
hostname(config-pmap-c)# exit
hostname(config-pmap)#

VIDEO 10.0.0.22/20798 172.18.1.11/22948
The output indicates that a call has been established between two internal Cisco IP Phones. The RTP listening ports of the first and second phones are UDP 22948 and 20798, respectively. The following is sample output from the show xlate debug command for these Skinny connections:...

209.165.201.210 eq 2000
Apply the above access lists on the inside and outside interfaces for incoming traffic:

SMTP session, but an ESMTP session is considerably faster and offers more options related to reliability and security, such as delivery status notification.

Because of the change in the packet, the TCP checksum has to be recalculated or adjusted.
• TCP stream editing.
• Command pipelining.

To enable extended SMTP application inspection, enter the following command:
hostname(config-pmap-c)# inspect esmtp
To enable SMTP application inspection, enter the following command:
hostname(config-pmap-c)# inspect smtp

The FWSM can deny SNMP versions 1, 2, 2c, or 3. You control the versions permitted by using the deny version command in SNMP map configuration mode.

Step 2, that identifies the SNMP traffic.
Step 7 Use the class command to do so, as follows:
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#

If the port mapper process listens to a single port, you can use the match port command to identify traffic sent to that port, as follows:
hostname(config-cmap)# match port tcp eq port_number

111
hostname(config-cmap)# policy-map sample_policy
hostname(config-pmap)# class sunrpc_port
hostname(config-pmap-c)# inspect sunrpc
hostname(config-pmap-c)# service-policy sample_policy interface outside
hostname(config)#

UDP out 209.165.200.5:800 in 192.168.100.2:2049 idle 0:00:04 flags -
UDP out 209.165.200.5:714 in 192.168.100.2:111 idle 0:00:04 flags -
UDP out 209.165.200.5:712 in 192.168.100.2:647 idle 0:00:05 flags -

In this output, port 647 corresponds to the mountd daemon running over UDP. The mountd process would more commonly be using port 32780, but it uses TCP port 650 in this example.

For information about XDMCP inspection, see the established and inspect pptp command pages in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.

Please note that concurrent access to the FWSM is not recommended. In some cases, two Telnet sessions issuing the same commands might cause one of the sessions to hang until a key is pressed on the other session.

Note XML management over SSL and SSH is not supported.

This section includes the following topics:
• Configuring SSH Access, page 23-3
• Using an SSH Client, page 23-3

When starting an SSH session, a dot (.) displays on the FWSM console before the SSH user authentication prompt appears, as follows:
hostname(config)# .
The FWSM can connect to another VPN concentrator, such as a Cisco PIX firewall or a Cisco IOS router, using a site-to-site tunnel. You specify the peer networks that can communicate over the tunnel. In the case of the FWSM, the only address available on the FWSM end of the tunnel is the interface itself.
Although you can specify authentication alone or encryption alone, these methods are not secure. You refer to this transform set when you configure the VPN client group or a site-to-site tunnel.

Configuring VPN Client Access
In routed mode, a host with Version 3.0 or 4.0 of the Cisco VPN client can connect to the FWSM for management purposes over a public network, such as the Internet.
“admin” and the password “passw0rd” can connect to the FWSM.
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des

“Configuring Basic Settings for All Tunnels” section on page 23-5), enter the following command:
hostname(config)# crypto map crypto_map_name priority set transform-set transform_set1 [transform_set2] [...]

(0) (FWSM to host) or echo (8) (host to FWSM). See the “ICMP Types” section on page E-15 for a list of ICMP types.

This section explains how to configure CLI authentication when you use Telnet or SSH, and how to configure ASDM authentication. This section includes the following topics:
• CLI Access Overview, page 23-11
• ASDM Access Overview, page 23-11

FWSM (which enters the system execution space). The admin context AAA server or local user database is used in this instance.

You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.41 ... Open
User Access Verification
Username: myRADIUSusername
Password: myRADIUSpassword
Type help or ‘?’ for a list of available commands.

15. If you configure local command authorization, then the user can only enter commands assigned to that privilege level or lower. See the “Configuring Local Command Authorization” section on page 23-15 for more information.

• after they authenticate for CLI access. Every command that a user enters at the CLI is checked with the TACACS+ server.

• Default Command Privilege Levels, page 23-16
• Assigning Privilege Levels to Commands and Enabling Authorization, page 23-16
• Viewing Command Privilege Levels, page 23-18

[show | clear | cmd] level level [mode {enable | cmd}] command command
Repeat this command for each command you want to reassign. See the following information about the options in this command:

The following example shows an additional command, the configure command, that uses the mode keyword:
hostname(config)# privilege show level 5 mode cmd command configure

If you enable TACACS+ command authorization, and a user enters a command at the CLI, the FWSM sends the command and username to the TACACS+ server to determine if the command is authorized.
23-13).

Configuring Commands on the TACACS+ Server
You can configure commands on a Cisco Secure Access Control Server (ACS) as a shared profile component, for a group, or for individual users. For third-party TACACS+ servers, see your server documentation for more information about command authorization support.

Be sure to check the Permit Unmatched Args check box so that enable alone is still allowed (see Figure 23-3).

We recommend that you allow the following basic commands for all users:
– show checksum
– show curpriv
– enable
– help
– show history
– login
– logout
– pager

See the following sample show curpriv command output. A description of each field follows.
hostname# show curpriv
Username : admin
Current privilege level : 15
Current Mode/s : P_PRIV

Configure the local database as a fallback method so you do not get locked out when the server is down.
• Downloading and Backing Up Configuration Files, page 24-14
• Configuring Auto Update Support, page 24-18

Note Because the FWSM runs its own operating system, upgrading the Cisco IOS software does not affect the operation of the FWSM.

Managing Licenses
When you install the software, the existing activation key is extracted from the original image and stored in a file in the FWSM file system.

• Installing Application Software from the FWSM CLI, page 24-3
• Installing Application Software from the Maintenance Partition, page 24-5
• Installing ASDM from the FWSM CLI, page 24-8

• To copy from an FTP server, enter the following command:
hostname# copy ftp://[user[:password]@]server[/path]/filename flash:
• To copy from an HTTP or HTTPS server, enter the following command:

At the “Proceed with reload?” prompt, press Enter to confirm the command.
Rebooting...
If you have a failover pair, see the “Upgrading Failover Pairs” section on page 24-9.

Step 3 To view the current boot partition, enter the command for your operating system. Note the current boot partition so you can set a new default boot partition.
• Cisco IOS software
Router# show boot device [mod_num]

To set network parameters, perform the following steps:
Step 8 To assign an IP address to the maintenance partition, enter the following command:
root@localhost# ip address ip_address netmask

• Console> (enable) session module_number
By default, the password to log in to the FWSM is cisco (set by the password command). If this partition does not have a startup configuration, the default password is used.
Step 13 Enter privileged EXEC mode using the following command:
hostname>...

• To use secure copy, first enable SSH, and then enter the following command:
hostname# ssh scopy enable
Then from a Linux client, enter the following command:
scp -v -pw password filename username@fwsm_address

• Upgrading an Active/Standby Failover Pair to a New Maintenance Release, page 24-10
• Upgrading an Active/Active Failover Pair to a New Maintenance Release, page 24-10

In multiple context mode, enter the write memory all command from the system execution space. This command saves all context configurations to which the FWSM has write access.

Enter the following command separately on each unit:
primary(config)# reload
Proceed with reload? [confirm]
At the “Proceed with reload?” prompt, press Enter to confirm the command.
Rebooting...

Console> (enable) session module_number
Step 4 To log in to the FWSM maintenance partition as root, enter the following command:
Login: root
Password:

To session in to the FWSM, enter the command for your operating system:
– Cisco IOS software
Router# session slot number processor 1
– Catalyst operating system software
Console> (enable) session module_number

• Downloading a Text Configuration to the Startup or Running Configuration, page 24-15
• Downloading a Context Configuration to Disk, page 24-16

To copy the startup configuration or running configuration from the server to the FWSM, enter one of the following commands for the appropriate download server:

• hostname# copy ftp://[user[:password]@]server[/path]/filename disk:[path/]filename
• To copy from an HTTP or HTTPS server, enter the following command:
hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename disk:[path/]filename

To copy the running configuration to the startup configuration server (connected to the admin context), enter the following command:
hostname/contexta# copy running-config startup-config

IPSec VPN tunnel used for management access. The verify-certificate keyword verifies the certificate returned by the AUS.

FWSM will try to reconnect to the AUS 10 times, and wait 3 minutes between attempts at reconnecting.
hostname(config)# auto-update server https://jcrichton:farscape@209.165.200.224:1742/management source outside verify-certificate
hostname(config)# auto-update device-id hostname
hostname(config)# auto-update poll-period 600 10 3

Next poll in 4.93 minutes
Last poll: 11:36:46 PST Tue Nov 13 2004
Last PDM update: 23:36:46 PST Tue Nov 12 2004

For more information about logging and syslog messages, see Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Log Messages.

If you do not specify an output destination, the FWSM does not save syslog messages that are generated when events occur.

The syslog server must run a program (known as a server) called syslogd. UNIX provides a syslog server as part of its operating system. For Windows 95 and Windows 98, obtain a syslogd server from another vendor.

Step 3 following command:
hostname(config)# logging facility number
Most UNIX systems expect the syslog messages to arrive at facility 20.
hostname(config)# logging

If a severity level is not specified, the default severity level is used (error condition, severity level 3).

The following example shows how to enable logging and send syslog messages of severity levels 0, 1, and 2 to the ASDM log buffer:
hostname(config)# logging asdm 2

For information about creating custom message lists, see the “Filtering Syslog Messages with Custom Message Lists” section on page 25-14.
To specify that messages in the log buffer should be saved to internal flash memory each time the buffer wraps, enter the following command:
hostname(config)# logging flash-bufferwrap

7 should go to the log buffer, and you also specify that ha class messages at severity level 3 should go to the buffer, then the latter configuration takes precedence.

407, 500, 502, 607, 608, 609, 616, 620, 703, 710
snmp   SNMP
       System   199, 211, 214, 216, 306, 307, 315, 414, 604, 605, 606, 610, 612, 614, 615, 701, 711

(high availability or failover).
hostname(config)# logging list notif-list 104024-105999
hostname(config)# logging list notif-list level critical
hostname(config)# logging list notif-list level warning class ha
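The notif-list example above and the buffer precedence rule described earlier (a class-specific level overriding the general buffer level), worked through as an added Python example that is not from the Cisco guide: it classifies constructed FWSM syslog lines by message-ID prefix and evaluates both filters. The logging class CLASS buffered LEVEL syntax, the ha prefixes 104/105, and the session class name are assumptions.

```python
# Added example (not Cisco's code): evaluate FWSM-style 'logging list' message lists and
# the log buffer level filter with per-class overrides, over constructed syslog lines.
import re

# Severity keywords as the FWSM logging commands use them (0 is the most severe).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3, "warnings": 4,
            "notifications": 5, "informational": 6, "debugging": 7}

# A message's class comes from the first three digits of its six-digit message ID. The two
# ID lists are the ones printed in the guide's class table; the "session" name for the
# second row and the 104/105 prefixes for class "ha" are assumptions made for this example.
CLASS_PREFIXES = {
    "sys": {199, 211, 214, 216, 306, 307, 315, 414, 604, 605, 606, 610, 612, 614, 615, 701, 711},
    "session": {407, 500, 502, 607, 608, 609, 616, 620, 703, 710},
    "ha": {104, 105},
}

SYSLOG_RE = re.compile(r"%FWSM-(\d)-(\d{6}):")  # %FWSM-<severity>-<message ID>: <text>


def parse_level(token):
    """Accept a numeric level or a keyword; 'warning' matches 'warnings', and so on."""
    if token.isdigit():
        return int(token)
    return next(v for k, v in SEVERITY.items() if k.startswith(token.lower()[:4]))


def message_class(msg_id):
    """Class name for a message ID, or None when the prefix is not in the table."""
    return next((c for c, p in CLASS_PREFIXES.items() if msg_id // 1000 in p), None)


def parse_syslog(line):
    """Return (message ID, severity) for an FWSM syslog line, or None otherwise."""
    m = SYSLOG_RE.search(line)
    return (int(m.group(2)), int(m.group(1))) if m else None


class MessageList:
    """One named 'logging list': a message matches the list if ANY entry matches."""

    def __init__(self, name):
        self.name, self.entries = name, []  # ("ids", low, high) or ("level", max, cls)

    def add_config(self, line):
        t = line.split()  # logging list NAME <low[-high]> | level LEVEL [class CLASS]
        if t[:3] != ["logging", "list", self.name]:
            return  # not a definition of this list
        if t[3] == "level":
            self.entries.append(("level", parse_level(t[4]), t[6] if len(t) > 6 else None))
        else:
            low, _, high = t[3].partition("-")
            self.entries.append(("ids", int(low), int(high or low)))

    def matches(self, msg_id, severity):
        for kind, a, b in self.entries:
            if kind == "ids" and a <= msg_id <= b:
                return True
            # A level entry matches messages at that severity or more severe (lower number).
            if kind == "level" and severity <= a and b in (None, message_class(msg_id)):
                return True
        return False


class BufferPolicy:
    """'logging buffered LEVEL' plus 'logging class CLASS buffered LEVEL' (syntax assumed)."""

    def __init__(self):
        self.default_level, self.class_levels = None, {}

    def add_config(self, line):
        t = line.split()
        if t[:2] == ["logging", "buffered"]:
            self.default_level = parse_level(t[2])
        elif t[:2] == ["logging", "class"] and len(t) > 4 and t[3] == "buffered":
            self.class_levels[t[2]] = parse_level(t[4])

    def matches(self, msg_id, severity):
        # The class-specific level takes precedence over the general buffer level.
        limit = self.class_levels.get(message_class(msg_id), self.default_level)
        return limit is not None and severity <= limit


# Constructed sample lines: IDs chosen only for their class prefixes, not real FWSM messages.
SAMPLE_LOG = [
    "%FWSM-1-105001: constructed ha message inside the list's ID range",
    "%FWSM-4-104010: constructed ha warning below the ID range",
    "%FWSM-7-104001: constructed ha debugging message",
    "%FWSM-2-199002: constructed system message at critical severity",
    "%FWSM-4-407001: constructed session warning",
    "%FWSM-6-407002: constructed session informational message",
]
NOTIF_LIST_CONFIG = [  # the guide's notif-list example
    "logging list notif-list 104024-105999",
    "logging list notif-list level critical",
    "logging list notif-list level warning class ha",
]
BUFFER_CONFIG = [  # the precedence case the guide describes: all classes at 7, ha at 3
    "logging buffered debugging",
    "logging class ha buffered errors",
]


def select(filt, config_lines, log_lines):
    """Message IDs from the log lines that the configured filter lets through."""
    for line in config_lines:
        filt.add_config(line)
    parsed = [p for p in map(parse_syslog, log_lines) if p]
    return [mid for mid, sev in parsed if filt.matches(mid, sev)]
```

With the sample lines, the ha warning 104010 is selected by notif-list through the class entry but is dropped from the buffer, because the ha override at level 3 wins over the general debugging level.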
To specify that syslog messages should include the date and time that each message was generated, enter the following command:
hostname(config)# logging timestamp
EMBLEM formatting for messages sent to the syslog server.
The following example modifies the severity level of syslog message 113019 to its default value of 4 (warnings):
hostname(config)# no logging message 113019 level 5
Step 1 To specify the maximum amount of internal flash memory available for saving log files, enter the following command:
IP addresses, port numbers, or usernames. For a list of variable fields and their descriptions, see Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Log Messages.
MIBs and traps for the FWSM and, in multiple mode, for each context. You can download Cisco MIBs from the following website:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
After you download the MIBs, compile them for your NMS.
• CISCO-ENTITY-REDUNDANCY-MIB
The FWSM sends the following traps:
• alarm-asserted
• alarm-cleared
• config-change
• fru-insert
• fru-remove
• redun-switchover
Gauge32: 0 <-0 means any port
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.11.3.97.97.97.1 = Gauge32: 0 <-0 means any port.
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.12.3.97.97.97.1 = Gauge32: 80 <- www translates to 80
60.0.0.1 community public version 2c udp-port 161
hostname(config)# show access-list
<--- source network object group name
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.23.3.97.97.97.1 = STRING: "dest-network" <-- destination network object-group name
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.24.3.97.97.97.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.25.3.97.97.97.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.26.3.97.97.97.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.27.3.97.97.97.1 = ""
You cannot perform an SNMP query for access-list names configured with more than 112 characters.
The FWSM sends the following trap:
• session-threshold-exceeded
CISCO-SYSLOG-MIB
The FWSM sends the following trap:
• clogMessageGenerated
You cannot browse this MIB.
The FWSM supports browsing of the following group:
• cufwUrlFilterGlobals—This group provides global URL filtering statistics.
IF-MIB
The FWSM supports browsing of the following tables:
• ifTable
• ifXTable
IP-MIB::ip.24.7.1.16.1.4.60.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: -1
IP-MIB::ip.24.7.1.17.1.4.50.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: 1 <----- 1 means route is active
IP-MIB::ip.24.7.1.17.1.4.60.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: 1 <----- 1 means route is active
Up to a three-minute delay may occur between the time a route entry appears in the show route command output and the time you can perform an SNMP query for that entry.
SNMP query for this entry.
MIB-II
The FWSM supports browsing of the following group and table:
• system
The SNMP server is enabled by default.
Step 2 To identify the IP address of the NMS that can connect to the FWSM, enter the following command:
• Traps for entity include:
• config-change
• fru-insert
• fru-remove
• redun-switchover
• alarm-asserted
• alarm-cleared
• Traps for ipsec include:
The following example sets the FWSM to receive requests from host 192.168.3.2 on the inside interface.
hostname(config)# snmp-server host inside 192.168.3.2
hostname(config)# snmp-server location building 42
hostname(config)# snmp-server contact Pat lee
hostname(config)# snmp-server community ohwhatakeyisthee
Step 2 To set system log messages to be sent to Telnet or SSH sessions, enter the following command:
hostname(config)# logging monitor debug
FWSM. You will use this information for this procedure as well as the procedure in the “Pinging Through the FWSM” section on page 26-4. For example:
If the ping reply does not return to the router, then you might have a switch loop or redundant IP addresses (see Figure 26-3).
Step 3 To remove the ICMPACL access list, and also delete the related access-group commands, enter the following command:
hostname(config)# no access-list ICMPACL
Step 4 (Optional) To disable the ICMP inspection engine, enter the following command:
To clear the login and enable passwords, as well as the aaa authentication console and aaa authorization command commands, enter the following command:
root@localhost# clear passwd cf:{4 | 5}
Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use. To enable debug messages, see the debug commands in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
Therefore, if you enable a capture in Context A for a VLAN that is also used by Context B, both Context A and Context B ingress traffic is captured.
By default, only the first 68 bytes of each packet are captured in the buffer. You can optionally change this value. See the capture command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for these and other options.
Recommended Action Enable Telnet or SSH to the FWSM according to the “Allowing Telnet Access” section on page 23-1 or the “Allowing SSH Access” section on page 23-2.
Possible Cause You did not assign the same VLANs to both units.
Recommended Action Make sure to assign the same VLANs to both units in the switch configuration.
Chapter 26 Troubleshooting the Firewall Services Module: Common Problems
Switch Hardware and Software Compatibility You can install the FWSM in the Catalyst 6500 series switches or the Cisco 7600 series routers. The configuration of both series is identical, and the series are referred to generically in this guide as the “switch.”...
12.2(33)SRC 720, 32, 720-1GE
12.2(33)SRD 720, 32, 720-1GE
12.2(33)SRE 720, 32, 720-1GE
1. The FWSM does not support the supervisor 1 or 1A.
TACACS+) 4 per context
Failover interface monitoring 250 divided between all contexts
Filtering servers (Websense Enterprise and Sentian by N2H2) 4 per context
firewall mode only) 65,536 65,536 divided between all contexts
Hosts allowed to connect through the FWSM, concurrent 262,144 262,144 divided between all contexts
(256 K), not the higher connection limit. To use the connection limit, you need to use NAT, which allows multiple connections using the same translation session.
The FWSM supports a fixed number of rules for the entire system. This section includes the following topics:
• Default Rule Allocation, page A-7
• Rules in Multiple Context Mode, page A-7
• Reallocating Rules Between Features, page A-8
CLS Rule     Default Limit   Configured Limit   Absolute Limit
-----------+---------------+------------------+---------------
Policy NAT   14801           14801              14801
124923 in single mode (this is an example only, and might differ from the actual number of rules for your system):
hostname(config)# show resource rule
{max_ace_rules | current | default | max} filter {max_filter_rules | current | default | max} fixup {max_inspect_rules | current | default | max}
(default 1417) as well as all but one established rule (default 70) to filter (default 425), enter the following command:
hostname(config)# resource rule nat default acl 10533 filter 494 fixup 1517 est 1 aaa default console default
Each customer context belongs to a class that limits its resources (gold, silver, or bronze). Although inside IP addresses can be the same across contexts when the interfaces are unique, keeping them unique is easier to manage.
FWSM Release (blank means single mode, “<system>” means you are in multiple mode in the system configuration, and <context> means you are in multiple mode in a context).
0 0 209.165.201.1 1
nat (inside) 1 10.1.3.0 255.255.255.0
! This context uses dynamic PAT for inside users that access the outside
WEBSENSE in interface dmz
Switch Configuration (Example 1)
The following lines in the Cisco IOS switch configuration relate to the FWSM:
firewall module 8 vlan-group 1
[Figure labels: 10.1.2.1, VLAN 4, Department 2, 10.1.2.2, 192.168.1.1, VLAN 9, Department 2 Network 2]
See the following sections for the configurations for this section:
(see Figure B-3). Department 1 has a web server that outside users who are authenticated by the AAA server can access.
FWSM Release (blank means single mode, “<system>” means you are in multiple mode in the system configuration, and <context> means you are in multiple mode in a context).
INTERNET extended permit ip any any
access-group INTERNET in interface inside
access-list SHARED remark -Allows only mail traffic from inside to exit shared interface
Switch Configuration (Example 3)
The following lines in the Cisco IOS switch configuration relate to the FWSM:
firewall module 6 vlan-group 1
Each customer context belongs to a class that limits its resources (gold, silver, or bronze). Although inside IP addresses can be the same across contexts, keeping them unique is easier to manage.
<context> means you are in multiple mode in a context).
hostname Farscape
password passw0rd
enable password chr1cht0n
interface vlan 4
interface vlan 5
interface vlan 6
• Switch Configuration (Example 6), page B-22
Primary FWSM Configuration (Example 6)
The following sections include the configuration for the primary FWSM:
To change to a context configuration, enter the changeto context name command. To change back to the system, enter changeto system.
interface vlan 200
nameif outside
security-level 0
ip address 209.165.201.2 255.255.255.224 standby 209.165.201.6
(inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 209.165.201.12 netmask 255.255.255.224
! This context uses dynamic PAT for inside users that access the outside
Switch Configuration (Example 6)
The following lines in the Cisco IOS switch configuration on both switches relate to the FWSM. For information about configuring redundancy for the switch, see the switch documentation.
firewall module 1 vlan-group 1...
The mode and the activation key are not stored in the configuration file, even though they do endure reboots. If you view
100
bridge-group 56
interface bvi 56
ip address 10.0.3.1 255.255.255.0 standby 10.0.3.2
monitor-interface inside
monitor-interface outside
route outside 0 0 10.0.3.4 1
1
ip address inside 10.0.1.1 255.255.255.0 standby 10.0.1.2
monitor-interface inside
monitor-interface outside
route outside 0 0 10.0.1.4 1
telnet 10.0.1.65 255.255.255.255 inside
Switch Configuration (Example 7)
The following lines in the Cisco IOS switch configuration on both switches relate to the FWSM. For information about configuring redundancy for the switch, see the switch documentation.
firewall multiple-vlan-interfaces
firewall module 1 vlan-group 1...
• Context A Configuration (Primary FWSM—Example 8), page B-28
• Context B Configuration (Primary FWSM—Example 8), page B-29
• Context C Configuration (Primary FWSM—Example 8), page B-29
Because Context A has only one interface, that interface is the lowest-level interface by default. Instead, you must define an SSH connection to manage the FWSM through this interface.
! This context uses dynamic PAT for inside users that access the outside
route outside 0 0 10.0.9.5 1
telnet 10.0.1.65 255.255.255.255 inside
When you enable failover with the failover command, the secondary FWSM obtains the configuration from the primary FWSM.
Switch Configuration (Example 8)
The following lines in the Cisco IOS switch configuration on both switches relate to the FWSM. For information about configuring redundancy for the switch, see the switch documentation.
firewall multiple-vlan-interfaces...
Note The CLI uses syntax and other conventions similar to those of the Cisco IOS CLI, but the FWSM operating system is not a version of Cisco IOS software. Do not assume that a Cisco IOS CLI command works with, or has the same function on, the FWSM.
For example, the interface command enters interface configuration mode. The prompt changes to the following:
hostname(config-if)#
hostname/context(config-if)#
0.0.0.0
Command-Line Editing
The FWSM uses the same command-line editing conventions as Cisco IOS software. You can view all previously entered commands with the show history command or individually with the up arrow or ^p command. Once you have examined a previously entered command, you can move forward in the list with the down arrow or ^n command.
Replace regexp with any Cisco IOS regular expression. See
The regular expression is not enclosed in single or double quotes, so be careful with trailing white space, which is taken as part of the regular expression.
FWSM inserts lines for default settings or for the time the configuration was modified. You do not need to enter these automatic entries when you create your text file.
(such as a list of all contexts), while other typical commands are not present (such as many interface parameters).
Appendix C Using the Command-Line Interface: Text Configuration Files
1.3.6.1.4.1.9.9.467.1.2.3.1 ccaProtocolStatsTable Crypto accelerator statistics according to security protocols
— Index — • ccaProtId
1.3.6.1.4.1.9.9.467.1.2.3.1.1.2. ccaProtPktEncryptsReqs —
1.3.6.1.4.1.9.9.467.1.2.3.1.1.3. ccaProtPktDecryptsReqs —
1.3.6.1.4.1.9.9.467.1.2.3.1.1.4. ccaProtHmacCalcReqs —
— Index —
• cfwConnectionStatService: protoIP
• cfwConnectionStatType: currentInUse/high
1.3.6.1.4.1.9.9.147.1.2.2.2.1.3. cfwConnectionStatDescription Description of the connection statistics
1.3.6.1.4.1.9.9.147.1.2.2.2.1.4. cfwConnectionStatCount Not applicable (placeholder only)
Protocol (IP/TCP/UDP/ICMP)
1.3.6.1.4.1.9.9.278.1.1.3.1.10 cippfIpFilterSrcPortLow Source port (low)
1.3.6.1.4.1.9.9.278.1.1.3.1.11 cippfIpFilterSrcPortHigh Source port (high)
1.3.6.1.4.1.9.9.278.1.1.3.1.12 cippfIpFilterDestPortLow Destination port (low)
1.3.6.1.4.1.9.9.278.1.1.3.1.13 cippfIpFilterDestPortHigh Destination port (high)
IP address type for the ARP entry
ipNetToPhysicalNetAddress IP address for the ARP entry
ipNetToPhysicalPhysAddress MAC address for the IP address
CISCO-IPSEC-FLOW-MONITOR-MIB — show ipsec stats
(Conns/Fixups/Syslogs)
1.3.6.1.4.1.9.9.480.1.1.4.1.2 crlRateLimitMin Always set to zero. Not applicable to FWSM.
1.3.6.1.4.1.9.9.480.1.1.4.1.3 crlRateLimitMax Configured rate limit value
1.3.6.1.4.1.9.9.480.1.1.4.1.6 crlRateLimitCurrentUsage Current resource usage
Monitoring interval (always set to five seconds).
1.3.6.1.4.1.9.9.109.1.1.1.1.10. cpmCPUTotalMonIntervalValue CPU utilization for five seconds
1.3.6.1.4.1.9.9.109.1.1.1.1.11. cpmCPUInterruptMonIntervalValue Not applicable (placeholder only)
1.3.6.1.4.1.9.9.109.1.2.1.1.1. cpmProcessPID Not applicable (placeholder only)
1.3.6.1.4.1.9.9.392.1.6.2. crasThrMaxFailedAuths
1.3.6.1.4.1.9.9.392.1.6.3. crasThrMaxThroughput
CISCO-SYSLOG-MIB — —
1.3.6.1.4.1.9.9.41.1.1.6. clogOriginIDType Origin identification type
1.3.6.1.4.1.9.9.41.1.1.7. clogOriginID Origin identification string
CISCO-UNIFIED-FIREWALL-MIB — show perfmon detail
1.3.6.1.4.1.9.9.491.1.3.1.17. cufwUrlfNumServerRetries
Unsupported Objects — —
• cufwUrlfFunctionEnabled
• cufwUrlfAllowModeReqNumAllowed
• cufwUrlfAllowModeReqNumDenied
• cufwUrlfResponsesNumLate
• cufwUrlfUrlAccRespsNumResDropped
— cufwUrlServerTable Per URL server statistics
—
1.3.6.1.2.1.47.1.1.1.1.14. entPhysicalAlias —
1.3.6.1.2.1.47.1.1.1.1.15. entPhysicalAssetID —
1.3.6.1.2.1.47.1.1.1.1.16. entPhysicalIsFRU —
1.3.6.1.2.1.47.1.2.1 entLogicalTable Information about a logical entity
— Index — • entLogicalIndex
Total nonunicast packets sent out
1.3.6.1.2.1.2.2.1.19. ifOutDiscards Total outbound packets discarded
1.3.6.1.2.1.2.2.1.20. ifOutErrors No. of erroneous packets
1.3.6.1.2.1.2.2.1.21. ifOutQLen Output packet queue length
Interface index
1.3.6.1.2.1.4.20.1.3. ipAdEntNetMask Subnet mask
1.3.6.1.2.1.4.20.1.4. ipAdEntBcastAddr Broadcast address
1.3.6.1.2.1.4.20.1.5. ipAdEntReasmMaxSize Max reassembly packet size
NAT-MIB NatAddressBindTable show xlate state static detail
1.3.6.1.2.1.123.1.8.1.1.4. natAddrPortBindProtocol TCP/UDP/IP
1.3.6.1.2.1.123.1.8.1.1.5. natAddrPortBindGlobalAddrType ipv4 or ipv6
1.3.6.1.2.1.123.1.8.1.1.6. natAddrPortBindGlobalAddr global_addr
1.3.6.1.2.1.123.1.8.1.1.7. natAddrPortBindGlobalPort global_port
1.3.6.1.2.1.123.1.8.1.1.12. natAddrPortBindSessions No. of conns using this xlate
Total GetNext requests generated
1.3.6.1.2.1.11.27. snmpOutSetRequests Total Set requests generated
1.3.6.1.2.1.11.28. snmpOutGetResponses Total GetNext responses generated
1.3.6.1.2.1.11.29. snmpOutTraps Total traps generated
1.3.6.1.2.1.6.19.1.6. tcpConnectionRemPort foreign_port
1.3.6.1.2.1.6.19.1.8 tcpConnectionProcess Placeholder; always one.
Unsupported Object — —
• tcpConnectionState
UDP-MIB udpEndpointTable show conn protocol udp
1.3.6.1.2.1.7.7.1.5. udpEndpointRemoteAddress foreign_addr
1.3.6.1.2.1.7.7.1.6. udpEndpointRemotePort foreign_port
1.3.6.1.2.1.7.7.1.7. udpEndpointInstance Always set to one. Not applicable to FWSM.
1.3.6.1.2.1.7.7.1.8. udpEndpointProcess Placeholder; always one.
Appendix D Mapping MIBs to CLI Commands
This section includes the following topics:
• Classes, page E-2
• Private Networks, page E-2
• Subnet Masks, page E-2
255.255.255.0. For a /bits mask, you add the number of 1s: /24. In Example 2, the decimal number is 255.255.248.0 and the /bits is /21.
Class C-size and a Class B-size network. This section includes the following topics:
• Class C-Size Network Address, page E-4
• Class B-Size Network Address, page E-4
10.1.240.0 to 10.1.255.255
1. The first and last address of a subnet are reserved. In the first subnet example, you cannot use 10.1.0.0 or 10.1.15.255.
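The mask-to-/bits conversion from the Subnet Masks section and the Class B-size subnetting example above (with its reserved first and last addresses), worked as an added Python example that is not part of the Cisco guide; the function names and the sample networks are my own, chosen to match the figures in the appendix.

```python
"""Dotted-decimal mask <-> /bits conversion and subnet bounds.

Added example (not from the Cisco FWSM guide). It implements the rule
the appendix states: a /bits mask is the count of 1 bits in the
dotted-decimal mask (255.255.255.0 -> /24, 255.255.248.0 -> /21), and
the first and last address of every subnet are reserved, so in the
10.1.0.0/20 subnet 10.1.0.0 and 10.1.15.255 cannot be assigned.
"""

ALL_ONES = 0xFFFFFFFF


def _parse_ipv4(addr: str) -> int:
    """Strict dotted-decimal parser: exactly four octets, each 0-255."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted-decimal IPv4 value: {addr!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"bad octet {part!r} in {addr!r}")
        value = (value << 8) | int(part)
    return value


def _to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def bits_to_mask(bits: int) -> str:
    """/bits -> dotted-decimal mask, e.g. 21 -> '255.255.248.0'."""
    if not 0 <= bits <= 32:
        raise ValueError(f"prefix length out of range: {bits}")
    # Top `bits` bits set, the remaining host bits cleared.
    return _to_dotted(ALL_ONES ^ ((1 << (32 - bits)) - 1))


def mask_to_bits(mask: str) -> int:
    """Dotted-decimal mask -> /bits by counting the 1 bits.

    Rejects masks whose 1 bits are not contiguous from the left
    (for example 255.0.255.0), which is not a valid subnet mask.
    """
    value = _parse_ipv4(mask)
    bits = bin(value).count("1")
    if value != _parse_ipv4(bits_to_mask(bits)):
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return bits


def subnet_bounds(addr: str, mask: str):
    """Return (network, broadcast, first_usable, last_usable) as strings.

    The first and last addresses are reserved, as the appendix notes;
    for /31 and /32 there is nothing left to assign, so both usable
    values are None.
    """
    bits = mask_to_bits(mask)
    mask_int = _parse_ipv4(bits_to_mask(bits))
    network = _parse_ipv4(addr) & mask_int
    broadcast = network | (~mask_int & ALL_ONES)
    if broadcast - network < 2:
        return _to_dotted(network), _to_dotted(broadcast), None, None
    return (_to_dotted(network), _to_dotted(broadcast),
            _to_dotted(network + 1), _to_dotted(broadcast - 1))


def subnets(network: str, mask: str, new_bits: int):
    """Split network/mask into equal subnets of /new_bits.

    Returns a list of (first_address, last_address) pairs, e.g. the
    sixteen /20 subnets of 10.1.0.0/16 end with (10.1.240.0, 10.1.255.255).
    """
    old_bits = mask_to_bits(mask)
    if new_bits < old_bits:
        raise ValueError("new prefix must be longer than the original")
    base = _parse_ipv4(network) & _parse_ipv4(bits_to_mask(old_bits))
    size = 1 << (32 - new_bits)
    count = 1 << (new_bits - old_bits)
    return [(_to_dotted(base + i * size), _to_dotted(base + (i + 1) * size - 1))
            for i in range(count)]


if __name__ == "__main__":
    print(mask_to_bits("255.255.248.0"), bits_to_mask(24))
    print(subnet_bounds("10.1.0.0", "255.255.240.0"))
    for first, last in subnets("10.1.0.0", "255.255.0.0", 20):
        print(f"{first} to {last}")
```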
IPv6 address.” This address type is used to represent the addresses of IPv4 nodes as IPv6 addresses. This type of address has the format ::FFFF:y.y.y.y, where y.y.y.y is an IPv4 unicast address.
1, 2, 5, 8, or E, respectively. For example, a multicast address with the prefix FF02::/16 is a permanent multicast address with a link scope. Figure E-1 shows the format of the IPv6 multicast address.
11111111 FF00::/8
Link-Local (unicast) 1111111010 FE80::/10
Site-Local (unicast) 1111111111 FEC0::/10
Global (unicast) All other addresses.
Anycast Taken from the unicast address space.
• FWSM listens for RADIUS on ports 1645 and 1646. If your RADIUS server uses the standard ports 1812 and 1813, you can configure the FWSM to listen on those ports using the authentication-port and accounting-port commands.
Internet Message Access Protocol, version 4
Internet Relay Chat protocol
isakmp Internet Security Association and Key Management Protocol
kerberos TCP, UDP Kerberos
Sun Remote Procedure Call
syslog System Log
tacacs TCP, UDP Terminal Access Controller Access Control System Plus
talk TCP, UDP Talk
telnet RFC 854 Telnet
224.0.0.5 and 224.0.0.6
— Protocol only open on destination IP address 224.0.0.13
RIPv2 Port only open on destination IP address 224.0.0.9
SNMP Configurable. —
Appendix E Addresses, Protocols, and Ports: ICMP Types
ESP, which provides both authentication and encryption. See also encryption and VPN. Refer to RFC 2402.
cache A temporary repository of information accumulated from previous task executions that can be reused, decreasing the time required to perform the tasks.
ACLs, encryption standards, peers, and other parameters necessary to specify security policies for VPNs using IPSec. See also VPN.
See also encryption.
Data encryption standard. DES was published in 1977 by the National Bureau of Standards and is a secret key encryption scheme based on the Lucifer algorithm from IBM. Cisco uses DES in classic crypto (40-bit and 56-bit key lengths),...
ESP provides authentication and encryption services for establishing a secure tunnel over an insecure network. For more information, refer to RFCs 2406 and 1827. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM GL-5 OL-20748-01...
GSM: Global System for Mobile Communication. A digital, mobile, radio standard developed for mobile, wireless, voice communications.
Global Seamless Network.
HSRP: Hot Standby Router Protocol. A Cisco-proprietary first-hop redundancy protocol that provides backup to a router in the event of failure. HSRP is not itself a routing protocol; it lets a group of routers share one virtual gateway address.
inside: The first interface, usually port 1, that connects your internal, "trusted" network protected by the FWSM. See also interface, interface names.
IP pool: IP address pool. IP pools are used by DHCP and VPNs to assign local IP addresses to clients on the inside interface.
...OSI model, which consists of the following 7 layers, in order: physical, data link, network, transport, session, presentation, and application.
Logical channel number.
...Modes.
Mode Config: IKE Mode Configuration.
Modular Policy Framework: A means of configuring FWSM features in a manner similar to the Cisco IOS software Modular CLI.
mobile station: Refers generically to any mobile device, such as a mobile handset or computer, that is used to access network services.
NSSA: ...Cisco IOS software release 11.2. It is a non-proprietary extension of the existing stub area feature that allows the injection of external routes in a limited fashion into the stub area.
...IPSec. The attacker would have to break each IPSec SA individually.
Phase 1: See IPSec Phase 1.
Phase 2: See IPSec Phase 2.
...PNS. The datagrams related to a session are sent over the tunnel between the and PNS.
Refresh: Retrieve the running configuration from the FWSM and update the screen. The icon and the button perform the same function.
registration authority: See RA.
RTSP: Real Time Streaming Protocol. Enables the controlled delivery of real-time data, such as audio and video. RTSP is designed to work with established protocols, such as HTTP.
...(called a call-agent).
SGSN: Serving GPRS Support Node. The SGSN ensures mobility management, session management and packet relaying functions.
SSL: Secure Sockets Layer. A protocol that resides between the application layer and TCP/IP to provide transparent encryption of data traffic. SSL has been superseded by TLS; SSL 2.0 and 3.0 are deprecated and should not be left enabled on a management interface.
standby unit: secondary unit.
...(such as TCP). The use of TDP does not preclude the use of other mechanisms to distribute tag binding information, such as piggybacking information on other protocols.
...IP address that matches the correct source interface according to the routing table.
URL: Uniform Resource Locator. A standardized addressing scheme for accessing hypertext documents and other services using a browser. For example, http://www.cisco.com.
This lets different vendors have VSAs of the same number. The combination of a vendor number and a VSA number makes a VSA unique. For example, the cisco-av-pair VSA is attribute 1 in the set of VSAs related to vendor number 9. Each vendor can define up to 256 VSAs. A...
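The vendor-number-plus-VSA-number structure described above, shown as a parser and encoder for the RADIUS Vendor-Specific attribute (type 26, RFC 2865) that carries VSAs on the wire. This is an added example, not code from this guide or from Cisco: the byte layout is the RFC's, the sample attributes are constructed here rather than captured, and the vendor number 311 in the second sample is only a contrasting value to show that vendor type 1 under another vendor is a different attribute.

```python
import struct

# RADIUS attribute type 26 = Vendor-Specific (RFC 2865, section 5.26).
VENDOR_SPECIFIC = 26
# Vendor number 9 and vendor type 1 are the cisco-av-pair values given in the glossary.
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1


def parse_vsa(attr: bytes):
    """Parse one Vendor-Specific attribute into (vendor_id, [(vendor_type, value), ...]).

    Wire layout: Type(1) Length(1) Vendor-Id(4) followed by one or more
    Vendor-Type(1) Vendor-Length(1) Value(Vendor-Length - 2) sub-attributes.
    Every length field is checked against the bytes actually present, so a
    crafted length cannot walk the parser past the end of the buffer.
    """
    if len(attr) < 2 or attr[0] != VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    length = attr[1]
    if length != len(attr) or length < 8:
        # 2-byte header + 4-byte vendor id + at least one 2-byte sub-attribute header
        raise ValueError("bad attribute length")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    subs = []
    pos = 6
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > length:
            raise ValueError("bad vendor-length")
        subs.append((vtype, attr[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs


def build_vsa(vendor_id: int, subs) -> bytes:
    """Encode (vendor_type, value) pairs as one Vendor-Specific attribute (inverse of parse_vsa)."""
    body = b"".join(bytes([vtype, 2 + len(value)]) + value for vtype, value in subs)
    total = 6 + len(body)
    if total > 255:
        raise ValueError("attribute exceeds the one-byte RADIUS length field")
    return bytes([VENDOR_SPECIFIC, total]) + struct.pack("!I", vendor_id) + body


def cisco_av_pairs(attr: bytes):
    """Return the cisco-av-pair strings in attr, or [] if attr belongs to another vendor.

    The (vendor number, vendor type) pair identifies the VSA, so vendor type 1
    under any other vendor number is ignored even though it has "the same number".
    """
    vendor_id, subs = parse_vsa(attr)
    if vendor_id != CISCO_VENDOR_ID:
        return []
    return [value.decode("ascii") for vtype, value in subs if vtype == CISCO_AV_PAIR]


# Constructed sample attributes (not captured traffic).
SAMPLE_CISCO_VSA = build_vsa(CISCO_VENDOR_ID, [(CISCO_AV_PAIR, b"shell:priv-lvl=15")])
# Vendor type 1 under an arbitrary other vendor number; 311 is only a contrasting value.
SAMPLE_OTHER_VSA = build_vsa(311, [(1, b"\x01\x02\x03")])

if __name__ == "__main__":
    print(cisco_av_pairs(SAMPLE_CISCO_VSA))   # ['shell:priv-lvl=15']
    print(cisco_av_pairs(SAMPLE_OTHER_VSA))   # []
```

The length checks in `parse_vsa` are the part worth copying: a RADIUS server or proxy that trusts Vendor-Length without comparing it to the enclosing attribute length is reading attacker-controlled offsets.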
xlate: An xlate, also referred to as a translation entry, represents the mapping of one IP address to another, or the mapping of one IP address/port pair to another.
Index
13-25 adding maximum 13-6 11-9 types order 11-3 13-2 support summary Active/Active failover 11-3 about with web clients 17-6 14-13
14-9 17-1 standby state 14-9 overview 11-2 status privileged EXEC mode 14-32 23-13 synchronizing the configurations Telnet 14-10 17-2
See MAC address table class map bufferwraps inspection 20-10 save to internal Flash Layer 3/4 25-10 send to FTP server match commands 25-11 20-5
DHCP accessing Cisco IP Phones 8-38 prompt configuring 8-35 configuring 8-33 relay 8-39 configuring RHI 8-33 server 8-38 connection transparent firewall 13-7
14-31 embryonic connection limits module placement 21-2 ESMTP inspection inter-chassis 14-4 configuring 22-96 intra-chassis 14-3 overview PISA 22-94 21-6 established command requirements
22-49 URLs 18-4 overview 22-48 firewall mode troubleshooting 22-54 configuring half-closed connection limits 21-3 overview help, command line Flash memory
10-10 software, using the maintenance partition 24-5 verifying configuration 10-10 Instant Messaging 22-77 viewing routes 10-11 interfaces configuring poll times 14-25, 14-30
23-23 configuring 25-15 log bufferwraps login save to internal Flash 25-10 banner send to FTP server 25-11 command 23-13
20-3 Layer 3/4 class map 20-5 features 20-1 memory flows 20-18 access list use of 13-6 matching multiple policy maps 20-18 Flash
11-9 identity NAT support 11-5 configuration 16-34 overview 16-10 NAT ID 16-20 order of statements 16-15 overlapping addresses object groups 16-38
4-22 default policy 20-18 flows 20-18 policy NAT about 16-10 See NAT packet pools, addresses capture 26-8 DHCP 8-36 classifier
17-3 overview 4-22 network access authorization 17-10 resource types 4-26 password management 17-6 unlimited 4-22 support 11-4 resource usage 4-39
22-74 URL, setting 4-29 overview 22-73 logging 25-2 rules logging in default allocation managing 4-32 maximum 13-6 mapped interface name 4-28
21-10 SIP inspection overview instant messaging 22-77 state link overview See Stateful Failover 22-77 timeout values, configuring static ARP entry 22-82 19-2
25-20 trunk for failover timestamp, including 25-15 verifying module installation variables used in 25-19 switched virtual interfaces system requirements See SVIs