FWSM 4.1 - Config Guide

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLIRelease 4.1

Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

Customer Order Number: N/A, Online only Text Part Number: OL-20748-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. CCDE, CCENT, CCSI, Cisco Eos, Cisco Explorer, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco TrustSec, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1002R) Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM Copyright 2010 Cisco Systems, Inc. All rights reserved.

CONTENTSAbout This Guide Audience Objectivesxxvii xxvii xxvii xxviii xxix xxvii

Document Conventions Related Documentation

Obtaining Documentation and Submitting a Service Request Quick Start Stepsxxxi xxxi xxxii

Routed Firewall Minimum Configuration Steps

Transparent Firewall Minimum Configuration Steps1

CHAPTER

Introduction to the Firewall Services Module New Features1-2

1-1

Security Policy Overview 1-3 Permitting or Denying Traffic with Access Lists Applying NAT 1-4 Protecting from IP Fragments 1-4 Using AAA for Through Traffic 1-4 Applying Internet Filtering 1-4 Applying Application Inspection 1-5 Applying Connection Limits 1-5

1-4

How the Firewall Services Module Works with the Switch Using the MSFC 1-6 Firewall Mode Overview Security Context Overview21-7 1-8 1-9

1-5

Stateful Inspection Overview

CHAPTER

Configuring the Switch for the Firewall Services Module Switch Overview2-1 2-2 2-2

2-1

Verifying the Module Installation

Assigning VLANs to the Firewall Services Module VLAN Guidelines 2-3 Assigning VLANs to the FWSM 2-3

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01

iii

Contents

Adding Switched Virtual Interfaces to the MSFC SVI Overview 2-5 Configuring SVIs 2-7 Customizing the FWSM Internal Interface2-8

2-4

Configuring the Switch for Failover 2-9 Assigning VLANs to the Secondary Firewall Services Module 2-9 Adding a Trunk Between a Primary Switch and Secondary Switch 2-9 Ensuring Compatibility with Transparent Firewall Mode 2-9 Enabling Autostate Messaging for Rapid Link Failure Detection 2-9 Managing the Firewall Services Module Boot Partitions 2-10 Flash Memory Overview 2-10 Setting the Default Boot Partition 2-10 Resetting the FWSM or Booting from a Specific Partition 2-113

CHAPTER

Connecting to the Firewall Services Module and Managing the Configuration Connecting to the Firewall Services Module Logging in to the FWSM 3-1 Logging out of the FWSM 3-23-1

3-1

Managing the Configuration 3-3 Saving Configuration Changes 3-3 Saving Configuration Changes in Single Context Mode 3-3 Saving Configuration Changes in Multiple Context Mode 3-3 Copying the Startup Configuration to the Running Configuration 3-5 Viewing the Configuration 3-5 Clearing and Removing Configuration Settings 3-5 Creating Text Configuration Files Offline 3-64

CHAPTER

Configuring Security Contexts

4-1

Security Context Overview 4-1 Common Uses for Security Contexts 4-2 Unsupported Features 4-2 Context Configuration Files 4-2 Context Configurations 4-2 System Configuration 4-2 Admin Context Configuration 4-3 How the FWSM Classifies Packets 4-3 Valid Classifier Criteria 4-3 Invalid Classifier Criteria 4-4 Classification Examples 4-5Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM

iv

OL-20748-01

Contents

Sharing Interfaces Between Contexts 4-7 NAT and Origination of Traffic 4-8 Sharing an Outside Interface 4-8 Sharing an Inside Interface 4-8 Management Access to Security Contexts 4-9 System Administrator Access 4-9 Context Administrator Access 4-10 Enabling or Disabling Multiple Context Mode 4-10 Backing Up the Single Mode Configuration 4-10 Enabling Multiple Context Mode 4-10 Restoring Single Context Mode 4-11 Managing Memory for Rules 4-11 About Memory Partitions 4-12 Default Rule Allocation 4-12 Setting the Number of Memory Partitions 4-13 Changing the Memory Partition Size 4-14 Reallocating Rules Between Features for a Specific Memory Partition Configuring Resource Management 4-21 Classes and Class Members Overview Resource Limits 4-22 Default Class 4-23 Class Members 4-24 Configuring a Class 4-24 Configuring a Security Context4-27 4-31 4-22

4-19

Changing Between Contexts and the System Execution Space Managing Security Contexts 4-32 Removing a Security Context 4-32 Changing the Admin Context 4-33 Changing the Security Context URL 4-33 Reloading a Security Context 4-34 Reloading by Clearing the Configuration 4-34 Reloading by Removing and Readding the Context Monitoring Security Contexts 4-35 Viewing Context Information 4-35 Viewing Resource Allocation 4-36 Viewing Resource Usage 4-39 Monitoring SYN Attacks in Contexts 4-40

4-35


v

Contents

CHAPTER

5

Configuring the Firewall Mode

5-1

Routed Mode Overview 5-1 IP Routing Support 5-1 How Data Moves Through the FWSM in Routed Firewall Mode An Inside User Visits a Web Server 5-2 An Outside User Visits a Web Server on the DMZ 5-3 An Inside User Visits a Web Server on the DMZ 5-4 An Outside User Attempts to Access an Inside Host 5-5 A DMZ User Attempts to Access an Inside Host 5-6 Transparent Mode Overview 5-7 Transparent Firewall Network 5-7 Bridge Groups 5-7 Management Interface 5-8 Allowing Layer 3 Traffic 5-8 Allowed MAC Addresses 5-8 Passing Traffic Not Allowed in Routed Mode 5-8 MAC Address vs. Route Lookups 5-9 Using the Transparent Firewall in Your Network 5-9 Transparent Firewall Guidelines 5-10 Unsupported Features in Transparent Mode 5-11 How Data Moves Through the Transparent Firewall 5-12 An Inside User Visits a Web Server 5-13 An Inside User Visits a Web Server Using NAT 5-14 An Outside User Visits a Web Server on the Inside Network An Outside User Attempts to Access an Inside Host 5-16 Setting Transparent or Routed Firewall Mode65-17

5-2

5-15

CHAPTER

Configuring Interface Parameters Security Level Overview6-1

6-1

Configuring Interfaces for Routed Firewall Mode Guidelines and Limitations 6-2 Configuring an Interface 6-3

6-2

Configuring Interfaces for Transparent Firewall Mode 6-4 Information About Interfaces in Transparent Mode 6-4 Information About Bridge Groups 6-4 Information About Device Management 6-4 Guidelines and Limitations 6-5 Configuring Transparent Firewall Interfaces for Through Traffic Assigning an IP Address to a Bridge Group 6-6

6-6

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM

vi

OL-20748-01

Contents

Adding a Management Interface

6-7 6-10

Allowing Communication Between Interfaces on the Same Security Level Configuring Inter-Interface Communication 6-10 Configuring Intra-Interface Communication 6-11 Turning Off and Turning On Interfaces76-12

CHAPTER

Configuring Basic Settings

7-1

Changing the Passwords 7-1 Changing the Login Password 7-1 Changing the Enable Password 7-2 Changing the Maintenance Software Passwords Setting the Hostname Setting the Prompt7-4 7-5 7-3 7-4

7-2

Setting the Domain Name Configuring a Login Banner8

CHAPTER

Configuring IP Routing and DHCP Services How Routing Behaves Within FWSM 8-1 Egress Interface Selection Process Next Hop Selection Process 8-2

8-1

8-1

Configuring Static and Default Routes 8-2 Configuring a Static Route 8-3 Configuring a Default Route 8-4 Monitoring a Static or Default Route 8-5 Defining a Route Map8-5

Configuring BGP Stub Routing 8-6 BGP Stub Limitations 8-7 Configuring BGP Stub Routing 8-7 Monitoring BGP Stub Routing 8-8 Restarting the BGP Stub Routing Process

8-9

Configuring OSPF 8-9 OSPF Overview 8-9 Enabling OSPF 8-10 Redistributing Routes Between OSPF Processes 8-11 Configuring OSPF Interface Parameters 8-12 Configuring OSPF Area Parameters 8-14 Configuring OSPF NSSA 8-15 Configuring a Point-To-Point, Non-Broadcast OSPF Neighbor

8-16


vii

Contents

Configuring Route Summarization Between OSPF Areas 8-17 Configuring Route Summarization when Redistributing Routes into OSPF Generating a Default Route 8-18 Configuring Route Calculation Timers 8-18 Logging Neighbors Going Up or Down 8-19 Displaying OSPF Update Packet Pacing 8-19 Monitoring OSPF 8-20 Restarting the OSPF Process 8-21 Configuring RIP 8-21 RIP Overview 8-21 Enabling RIP 8-21 Configuring EIGRP 8-22 EIGRP Routing Overview 8-22 Enabling and Configuring EIGRP Routing 8-23 Enabling and Configuring EIGRP Stub Routing 8-24 Enabling EIGRP Authentication 8-25 Defining an EIGRP Neighbor 8-26 Redistributing Routes Into EIGRP 8-26 Configuring the EIGRP Hello Interval and Hold Time 8-27 Disabling Automatic Route Summarization 8-27 Configuring Summary Aggregate Addresses 8-28 Disabling EIGRP Split Horizon 8-28 Changing the Interface Delay Value 8-29 Monitoring EIGRP 8-29 Disabling Neighbor Change and Warning Message Logging Configuring Asymmetric Routing Support 8-30 Adding Interfaces to ASR Groups 8-31 Asymmetric Routing Support Example 8-31 Configuring Route Health Injection 8-32 Route Health Injection Overview 8-32 RHI Guidelines 8-33 Enabling RHI 8-33 Configuring DHCP 8-35 Configuring a DHCP Server 8-35 Enabling the DHCP Server 8-35 Configuring DHCP Options 8-37 Using Cisco IP Phones with a DHCP Server Configuring DHCP Relay Services 8-39 DHCP Relay Overview 8-39

8-17

8-30

8-38


viii

OL-20748-01

Contents

Configuring the DHCP Relay Agent 8-39 Preserving DHCP Option 82 8-41 Verifying the DHCP Relay Configuration 8-419

CHAPTER

Configuring Multicast Routing Multicast Routing Overview Enabling Multicast Routing

9-1 9-1 9-2

Configuring IGMP Features 9-2 Disabling IGMP on an Interface 9-3 Configuring Group Membership 9-3 Configuring a Statically Joined Group 9-3 Controlling Access to Multicast Groups 9-4 Limiting the Number of IGMP States on an Interface 9-4 Modifying the Query Interval and Query Timeout 9-4 Changing the Query Response Time 9-5 Changing the IGMP Version 9-5 Configuring Stub Multicast Routing Configuring a Static Multicast Route9-5 9-6

Configuring PIM Features 9-6 Disabling PIM on an Interface 9-6 Configuring a Static Rendezvous Point Address 9-7 Configuring the Designated Router Priority 9-7 Filtering PIM Register Messages 9-7 Configuring PIM Message Intervals 9-8 For More Information About Multicast Routing109-8

CHAPTER

Configuring IPv6

10-1 10-1 10-2 10-4 10-4 10-5

IPv6-Enabled Commands

Configuring IPv6 on an Interface

Configuring a Dual IP Stack on an Interface Configuring IPv6 Duplicate Address Detection Configuring IPv6 Default and Static Routes Configuring IPv6 Access Lists10-5

Configuring IPv6 Neighbor Discovery 10-6 Configuring Neighbor Solicitation Messages 10-6 Configuring the Neighbor Solicitation Message Interval Configuring the Neighbor Reachable Time 10-7 Configuring Router Advertisement Messages 10-8

10-7


ix

Contents

Configuring the Router Advertisement Transmission Interval Configuring the Router Lifetime Value 10-9 Configuring the IPv6 Prefix 10-9 Suppressing Router Advertisement Messages 10-10 Configuring a Static IPv6 Neighbor10-10

10-9

Verifying the IPv6 Configuration 10-10 Viewing IPv6 Interface Settings 10-10 Viewing IPv6 Routes 10-1111

CHAPTER

Configuring AAA Servers and the Local Database AAA Overview 11-1 About Authentication 11-2 About Authorization 11-2 About Accounting 11-2 AAA Server and Local Database Support 11-3 Summary of Support 11-3 RADIUS Server Support 11-4 Authentication Methods 11-4 Attribute Support 11-4 RADIUS Authorization Functions 11-4 TACACS+ Server Support 11-4 SDI Server Support 11-5 SDI Version Support 11-5 Two-step Authentication Process 11-5 SDI Primary and Replica Servers 11-5 NT Server Support 11-5 Kerberos Server Support 11-6 LDAP Server Support 11-6 Local Database Support 11-6 User Profiles 11-6 Fallback Support 11-6 Configuring the Local Database11-7 11-9

11-1

Identifying AAA Server Groups and Servers12

CHAPTER

Configuring Certificates

12-1

Public Key Cryptography 12-1 About Public Key Cryptography Certificate Scalability 12-2 About Key Pairs 12-2

12-1


x

OL-20748-01

Contents

About Trustpoints 12-3 About Revocation Checking

12-3

Certificate Configuration 12-3 Preparing for Certificates 12-4 Generating Key Pairs 12-4 Removing Key Pairs 12-5 Establishing AAA Authentication 12-5 Verifying Configurations for Specified Settings 12-6 Exporting and Importing Keypairs and Certificates 12-7 Exporting a Keypair and Certificate 12-7 Importing a Keypair and Certificate 12-7 Linking Certificates to a Trustpoint 12-9 Configuration Example: Cut-Through-Proxy Authentication13

12-9

CHAPTER

Identifying Traffic with Access Lists

13-1

Access List Overview 13-1 Access List Types 13-2 Access Control Entry Order 13-2 Access List Implicit Deny 13-3 IP Addresses Used for Access Lists When You Use NAT Access List Commitment 13-5 Maximum Number of ACEs 13-6

13-3

Adding an Extended Access List 13-6 Extended Access List Overview 13-6 Allowing Broadcast and Multicast Traffic through the Transparent Firewall Adding an Extended ACE 13-7

13-7

Adding an EtherType Access List 13-9 Supported EtherTypes 13-9 Apply Access Lists in Both Directions 13-9 Implicit Deny at the End of an Access List Does Not Affect IP or ARP Traffic Using Extended and EtherType Access Lists on the Same Interface 13-10 Allowing MPLS 13-10 Adding an EtherType ACE 13-10 Adding a Standard Access List13-11

13-9

Simplifying Access Lists with Object Grouping 13-11 How Object Grouping Works 13-11 Adding Object Groups 13-12 Adding a Protocol Object Group 13-12 Adding a Network Object Group 13-13Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01

xi

Contents

Adding a Service Object Group 13-14 Adding an ICMP Type Object Group 13-14 Nesting Object Groups 13-15 Using Object Groups with an Access List 13-16 Displaying Object Groups 13-17 Removing Object Groups 13-17 Adding Remarks to Access Lists13-18

Access List Group Optimization 13-18 How Access List Group Optimization Works Configuring Access List Group Optimization

13-18 13-20

Scheduling Extended Access List Activation 13-24 Adding a Time Range 13-24 Applying the Time Range to an ACE 13-25 Logging Access List Activity 13-25 Access List Logging Overview 13-25 Configuring Logging for an ACE 13-26 Managing Deny Flows 13-2714

CHAPTER

Configuring Failover

14-1

Understanding Failover 14-1 Failover System Requirements 14-2 Software Requirements 14-2 License Requirements 14-2 Failover and State Links 14-2 Failover Link 14-2 State Link 14-3 Intra- and Inter-Chassis Module Placement 14-3 Intra-Chassis Failover 14-3 Inter-Chassis Failover 14-4 Transparent Firewall Requirements 14-7 Active/Standby and Active/Active Failover 14-8 Active/Standby Failover 14-8 Active/Active Failover 14-12 Determining Which Type of Failover to Use 14-17 Regular and Stateful Failover 14-17 Regular Failover 14-18 Stateful Failover 14-18 Failover Health Monitoring 14-19 Unit Health Monitoring 14-19Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM

xii

OL-20748-01

Contents

Interface Monitoring 14-19 Rapid Link Failure Detection 14-20 Configuring Failover 14-20 Failover Configuration Limitations 14-21 Using Active/Standby Failover 14-21 Prerequisites 14-21 Configuring Active/Standby Failover 14-21 Configuring Optional Active/Standby Failover Settings 14-24 Using Active/Active Failover 14-26 Prerequisites 14-26 Configuring Active/Active Failover 14-26 Configuring Optional Active/Active Failover Settings 14-29 Configuring Failover Communication Authentication/Encryption 14-31 Verifying the Failover Configuration 14-31 Viewing Failover Status 14-31 Viewing Monitored Interfaces 14-39 Viewing the Failover Configuration 14-39 Testing the Failover Functionality 14-39 Controlling and Monitoring Failover 14-40 Forcing Failover 14-40 Disabling Failover 14-41 Disabling Configuration Synchronization 14-41 Restoring a Failed Unit or Failover Group 14-41 Monitoring Failover 14-42 Failover System Log Messages 14-42 Debug Messages 14-42 SNMP 14-4215

CHAPTER

Permitting or Denying Network Access Applying an Access List to an Interface

15-1 15-1

Inbound and Outbound Access List Overview15-4

CHAPTER

16

Configuring NAT

16-1

NAT Overview 16-1 Introduction to NAT 16-2 NAT in Routed Mode 16-2 NAT in Transparent Mode 16-3 NAT Control 16-5 NAT Types 16-6Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01

xiii

Contents

Dynamic NAT 16-6 PAT 16-8 Static NAT 16-8 Static PAT 16-9 Bypassing NAT when NAT Control is Enabled 16-10 Policy NAT 16-10 NAT Session (Xlate) Creation 16-13 NAT and PAT Global Pool Usage 16-14 NAT and Same Security Level Interfaces 16-14 Order of NAT Commands Used to Match Real Addresses 16-15 Maximum Number of NAT Statements 16-15 Mapped Address Guidelines 16-15 DNS and NAT 16-16 Configuring NAT Control Configuring Xlate Bypass16-18 16-19

Using Dynamic NAT and PAT 16-19 Dynamic NAT and PAT Implementation 16-20 Configuring Dynamic NAT or PAT 16-26 Using Static NAT Using Static PAT16-29 16-31

Bypassing NAT 16-33 Configuring Identity NAT 16-34 Configuring Static Identity NAT 16-34 Configuring NAT Exemption 16-36 NAT Examples 16-37 Overlapping Networks 16-38 Redirecting Ports 16-3917

CHAPTER

Applying AAA for Network Access AAA Performance17-1

17-1

Configuring Authentication for Network Access 17-1 Authentication Overview 17-2 One-Time Authentication 17-2 Applications Required to Receive an Authentication Challenge FWSM Authentication Prompts 17-2 Static PAT and HTTP 17-3 Authenticating Directly with the FWSM 17-3 Enabling Network Access Authentication 17-3 Configuring Custom Login Prompts 17-5

17-2


xiv

OL-20748-01

Contents

Enabling Secure Authentication of Web Clients 17-6 Disabling Authentication Challenge per Protocol 17-8 Configuring Authorization for Network Access 17-9 Configuring TACACS+ Authorization 17-9 Configuring RADIUS Authorization 17-10 Configuring a RADIUS Server to Download Per-User Access Control Lists 17-10 Configuring a RADIUS Server to Download Per-User Access Control List Names 17-12 Configuring Accounting for Network Access17-13 17-14

Using MAC Addresses to Exempt Traffic from Authentication and Authorization18

CHAPTER

Applying Filtering Services Filtering Overview18-1

18-1

Filtering ActiveX Objects 18-1 ActiveX Filtering Overview 18-2 Enabling ActiveX Filtering 18-2 Filtering Java Applets18-3 18-4

Filtering URLs and FTP Requests with an External Server URL Filtering Overview 18-4 Identifying the Filtering Server 18-4 Buffering the Content Server Response 18-6 Caching Server Addresses 18-6 Filtering HTTP URLs 18-7 Configuring HTTP Filtering 18-7 Enabling Filtering of Long HTTP URLs 18-7 Truncating Long HTTP URLs 18-8 Exempting Traffic from Filtering 18-8 Filtering HTTPS URLs 18-8 Filtering FTP Requests 18-9 Viewing Filtering Statistics and Configuration 18-9 Viewing Filtering Server Statistics 18-10 Viewing Buffer Configuration and Statistics 18-10 Viewing Caching Statistics 18-11 Viewing Filtering Performance Statistics 18-11 Viewing Filtering Configuration 18-1119

CHAPTER

Configuring ARP Inspection and Bridging Parameters Configuring ARP Inspection 19-1 ARP Inspection Overview 19-1

19-1


xv

Contents

Adding a Static ARP Entry 19-2 Enabling ARP Inspection 19-2 Customizing the MAC Address Table 19-3 MAC Address Table Overview 19-3 Adding a Static MAC Address 19-3 Setting the MAC Address Timeout 19-3 Disabling MAC Address Learning 19-4 Viewing the MAC Address Table 19-420

CHAPTER

Using Modular Policy Framework

20-1

Information About Modular Policy Framework 20-1 Modular Policy Framework Supported Features 20-1 Modular Policy Framework Configuration Overview 20-2 Default Global Policy 20-3 Identifying Traffic (Layer 3/4 Class Map) 20-4 Default Class Maps 20-4 Maximum Class Maps 20-4 Creating a Layer 3/4 Class Map for Through Traffic

20-5 20-6

Configuring Special Actions for Application Inspections (Inspection Policy Map) Inspection Policy Map Overview 20-7 Defining Actions in an Inspection Policy Map 20-7 Identifying Traffic in an Inspection Class Map 20-10 Creating a Regular Expression 20-11 Creating a Regular Expression Class Map 20-14 Defining Actions (Layer 3/4 Policy Map) 20-14 Information About Layer 3/4 Policy Maps 20-15 Policy Map Guidelines 20-15 Feature Directionality 20-15 Feature Matching Guidelines within a Policy Map 20-15 Order in Which Multiple Feature Actions are Applied 20-16 Incompatibility of Certain Feature Actions 20-17 Feature Matching Guidelines for Multiple Policy Maps 20-18 Default Layer 3/4 Policy Map 20-18 Adding a Layer 3/4 Policy Map 20-18 Applying Actions to an Interface (Service Policy)20-20

Modular Policy Framework Examples 20-21 Applying Inspection to HTTP Traffic Globally 20-21 Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers Applying Inspection to HTTP Traffic with NAT 20-22Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM

20-22

xvi

OL-20748-01

Contents

CHAPTER

21

Configuring Advanced Connection Features Configuring Connection Limits and Timeouts

21-1 21-1

Permitting or Denying Application Types with PISA Integration 21-4 PISA Integration Overview 21-5 PISA Integration Guidelines and Limitations 21-5 Using GRE for Tagging 21-5 Failover Support 21-6 Configuring the FWSM to Deny PISA Traffic 21-6 Configuring the Switch for PISA/FWSM Integration 21-7 PISA Limitations and Restrictions 21-7 Changing the MTU on the Switch to Support Longer Packet Length Configuring Classification on the PISA 21-8 Configuring Tagging on the PISA 21-8 Sample Switch Configurations for PISA Integration 21-9 Monitoring PISA Connections 21-10 Syslog Message for Dropped Connections 21-10 Viewing PISA Connections on the FWSM 21-10 Configuring TCP State Bypass 21-10 TCP State Bypass Overview 21-11 Allowing Outbound and Inbound Flows through Separate FWSMs Unsupported Features 21-12 Compatibility with NAT 21-12 Connection Timeout 21-13 Enabling TCP State Bypass 21-13 Disabling TCP Normalization Preventing IP Spoofing21-14 21-15 21-15 21-14

21-8

21-11

Configuring the Fragment Size Blocking Unwanted Connections22

CHAPTER

Applying Application Layer Protocol Inspection Inspection Engine Overview 22-2 When to Use Application Protocol Inspection How Inspection Engines Work 22-2 Inspection Limitations 22-3 Default Inspection Policy 22-4 Configuring Application Inspection CTIQBE Inspection 22-10 CTIQBE Inspection Overview22-6

22-1

22-2

22-10


xvii

Contents

Limitations and Restrictions 22-10 Enabling and Configuring CTIQBE Inspection Verifying and Monitoring CTIQBE Inspection CTIQBE Sample Configurations 22-13

22-11 22-12

DCERPC Inspection 22-16 Configuring a DCERPC Inspection Policy Map for Additional Inspection Control DNS Inspection 22-18 How DNS Application Inspection Works 22-18 How DNS Rewrite Works 22-19 Configuring DNS Rewrite 22-20 Using the Alias Command for DNS Rewrite 22-20 Using the Static Command for DNS Rewrite 22-20 Configuring DNS Rewrite with Two NAT Zones 22-21 DNS Rewrite with Three NAT Zones 22-22 Configuring DNS Rewrite with Three NAT Zones 22-23 Configuring DNS Inspection 22-24 Verifying and Monitoring DNS Inspection 22-25 DNS Guard 22-26 ESMTP Inspection 22-26 Configuring an ESMTP Inspection Policy Map for Additional Inspection Control FTP Inspection 22-30 FTP Inspection Overview 22-30 Using the strict Option 22-30 The request-command deny Command 22-31 Configuring FTP Inspection 22-32 Verifying and Monitoring FTP Inspection 22-34 GTP Inspection 22-35 GTP Inspection Overview 22-35 GTP Maps and Commands 22-36 Enabling and Configuring GTP Inspection Verifying and Monitoring GTP Inspection GGSN Load Balancing 22-40 GTP Sample Configuration 22-41 H.323 Inspection 22-47 H.323 Inspection Overview 22-48 How H.323 Works 22-48 Limitations and Restrictions 22-49 Topologies Requiring H.225 Configuration H.225 Map Commands 22-50

22-17

22-26

22-37 22-39

22-50


xviii

OL-20748-01

Contents

Enabling and Configuring H.323 Inspection 22-51 Configuring H.323 and H.225 Timeout Values 22-53 Verifying and Monitoring H.323 Inspection 22-53 Monitoring H.225 Sessions 22-54 Monitoring H.245 Sessions 22-54 Monitoring H.323 RAS Sessions 22-55 H.323 GUP Support 22-55 H.323 GUP Configuration 22-56 H.323 Sample Configuration 22-57 HTTP Inspection 22-60 HTTP Inspection Overview 22-60 Configuring an HTTP Inspection Policy Map for Additional Inspection Control ICMP Inspection ILS Inspection22-64 22-64

22-60

MGCP Inspection 22-65 MGCP Inspection Overview 22-65 Configuring MGCP Call Agents and Gateways 22-67 Configuring and Enabling MGCP Inspection 22-67 Configuring MGCP Timeout Values 22-69 Verifying and Monitoring MGCP Inspection 22-69 MGCP Sample Configuration 22-70 NetBIOS Inspection PPTP Inspection RSH Inspection22-72 22-73 22-73

RTSP Inspection 22-73 RTSP Inspection Overview 22-73 Using RealPlayer 22-74 Restrictions and Limitations 22-74 Enabling and Configuring RTSP Inspection

22-74

SIP Inspection 22-76 SIP Inspection Overview 22-76 SIP Instant Messaging 22-77 IP Address Privacy 22-78 Configuring a SIP Inspection Policy Map for Additional Inspection Control Configuring SIP Timeout Values 22-82 SIP Inspection Enhancement 22-82 Verifying and Monitoring SIP Inspection 22-86 SIP Sample Configuration 22-87 Skinny (SCCP) Inspection22-89

22-78


xix

Contents

SCCP Inspection Overview 22-89 Supporting Cisco IP Phones 22-90 Restrictions and Limitations 22-90 Configuring and Enabling SCCP Inspection 22-90 Verifying and Monitoring SCCP Inspection 22-92 SCCP (Skinny) Sample Configuration 22-93 SMTP and Extended SMTP Inspection 22-94 SMTP and Extended SMTP Inspection Overview 22-94 Configuring and Enabling SMTP and Extended SMTP Application Inspection SNMP Inspection 22-97 SNMP Inspection Overview 22-97 Enabling and Configuring SNMP Application Inspection SQL*Net Inspection22-99

22-96

22-98

Sun RPC Inspection 22-99 Sun RPC Inspection Overview 22-100 Enabling and Configuring Sun RPC Inspection Managing Sun RPC Services 22-102 Verifying and Monitoring Sun RPC Inspection TFTP Inspection XDMCP Inspection2322-104 22-104

22-100

22-102

CHAPTER

Configuring Management Access Allowing Telnet Access23-1

23-1

Allowing SSH Access 23-2 Configuring SSH Access 23-3 Using an SSH Client 23-3 Allowing HTTPS Access for ASDM23-4

Allowing a VPN Management Connection 23-4 Configuring Basic Settings for All Tunnels 23-5 Configuring VPN Client Access 23-6 Configuring a Site-to-Site Tunnel 23-8 Allowing ICMP to and from the FWSM23-9

AAA for System Administrators 23-10 Configuring Authentication for CLI and ASDM Access 23-10 CLI Access Overview 23-11 ASDM Access Overview 23-11 Authenticating Sessions from the Switch to the FWSM 23-11 Enabling CLI or ASDM Authentication 23-12Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM

xx

OL-20748-01

Contents

Configuring Authentication to Access Privileged EXEC Mode 23-13 Configuring Authentication for the Enable Command 23-13 Authenticating Users Using the Login Command 23-13 Configuring Command Authorization 23-14 Command Authorization Overview 23-14 Configuring Local Command Authorization 23-15 Configuring TACACS+ Command Authorization 23-18 Configuring Command Accounting 23-22 Viewing the Current Logged-In User 23-22 Recovering from a Lockout 23-2324

CHAPTER

Managing Software, Licenses, and Configurations Managing Licenses 24-1 Obtaining an Activation Key 24-1 Entering a New Activation Key 24-2

24-1

Installing Application or ASDM Software 24-2 Installation Overview 24-3 Installing Application Software from the FWSM CLI 24-3 Installing Application Software from the Maintenance Partition Installing ASDM from the FWSM CLI 24-8

24-5

Upgrading Failover Pairs 24-9 Upgrading Failover Pairs to a New Maintenance Release 24-9 Upgrading an Active/Standby Failover Pair to a New Maintenance Release 24-10 Upgrading an Active/Active Failover Pair to a New Maintenance Release 24-10 Upgrading Failover Pairs to a New Minor or Major Release 24-11 Installing Maintenance Software 24-12 Checking the Maintenance Software Release 24-12 Upgrading the Maintenance Software 24-13 Downloading and Backing Up Configuration Files 24-14 Viewing Files in Flash Memory 24-15 Downloading a Text Configuration to the Startup or Running Configuration 24-15 Downloading a Context Configuration to Disk 24-16 Backing Up the Configuration 24-17 Backing up the Single Mode Configuration or Multiple Mode System Configuration Backing Up a Context Configuration in Flash Memory 24-17 Backing Up a Context Configuration within a Context 24-17 Copying the Configuration from the Terminal Display 24-18 Configuring Auto Update Support 24-18 Configuring Communication with an Auto Update Server24-18

24-17


xxi

Contents

Viewing Auto Update Server Status25

24-20

CHAPTER

Monitoring the Firewall Services Module

25-1

Configuring and Managing Syslog Messages 25-1 Logging Overview 25-1 Security Contexts and Logging 25-2 Enabling and Disabling Logging 25-2 Enabling Logging to All Configured Output Destinations 25-2 Disabling Logging to All Configured Output Destinations 25-3 Viewing the Log Configuration 25-3 Printing of Mapped Names of Hosts or Networks 25-3 Configuring Log Output Destinations 25-4 Sending Syslog Messages to a Syslog Server 25-4 Sending Syslog Messages to an E-mail Address 25-6 Sending Syslog Messages to ASDM 25-7 Sending Syslog Messages to a Switch Session, Telnet Session, or SSH Session 25-8 Sending Syslog Messages to the Log Buffer 25-9 Filtering Syslog Messages 25-11 Message Filtering Overview 25-12 Filtering Syslog Messages by Class 25-12 Filtering Syslog Messages with Custom Message Lists 25-14 Customizing the Log Configuration 25-15 Configuring the Logging Queue 25-15 Including the Date and Time in Syslog Messages 25-15 Including the Device ID in Syslog Messages 25-16 Generating Syslog Messages in EMBLEM Format 25-16 Disabling a Syslog Message 25-17 Changing the Severity Level of a Syslog Message 25-17 Changing the Amount of Internal Flash Memory Available for Syslog Messages 25-18 Understanding Syslog Messages 25-19 Syslog Message Format 25-19 Severity Levels 25-20 Configuring SNMP 25-20 SNMP Overview 25-20 Enabling SNMP 25-3226

CHAPTER

Troubleshooting the Firewall Services Module

26-1

Testing Your Configuration 26-1 Enabling ICMP Debug Messages and System Log Messages

26-1


xxii

OL-20748-01

Contents

Pinging FWSM Interfaces 26-2 Pinging Through the FWSM 26-4 Disabling the Test Configuration 26-5 Reloading the FWSM26-6

Performing Password Recovery 26-6 Clearing the Application Partition Passwords and AAA Settings Resetting the Maintenance Partition Passwords 26-7 Other Troubleshooting Tools 26-7 Viewing Debug Messages 26-7 Capturing Packets 26-8 Capture Overview 26-8 Capture Limitations 26-8 Configuring a Packet Capture Viewing the Crash Dump 26-9 Common ProblemsA26-10

26-6

26-9

APPENDIX

Specifications

A-1

Switch Hardware and Software Compatibility A-1 Catalyst 6500 Series Requirements A-2 Cisco 7600 Series Requirements A-2 Licensed Features Physical Attributes Feature LimitsA-3 A-4 A-2 A-3

Managed System Resources Fixed System ResourcesA-6

Rule Limits A-6 Default Rule Allocation A-7 Rules in Multiple Context Mode A-7 Reallocating Rules Between Features A-8B

APPENDIX

Sample Configurations

B-1

Routed Mode Sample Configurations B-1 Example 1: Multiple Mode Firewall with Outside Access B-1 System Configuration (Example 1) B-2 Admin Context Configuration (Example 1) B-3 Customer A Context Configuration (Example 1) B-4 Customer B Context Configuration (Example 1) B-4 Customer C Context Configuration (Example 1) B-5Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01

xxiii

Contents

Switch Configuration (Example 1) B-5 Example 2: Single Mode Firewall Using Same Security Level Example FWSM Configuration (Example 2) B-7 Switch Configuration (Example 2) B-8 Example 3: Shared Resources for Multiple Contexts Example B-8 System Configuration (Example 3) B-9 Admin Context Configuration (Example 3) B-10 Department 1 Context Configuration (Example 3) B-11 Department 2 Context Configuration (Example 3) B-12 Switch Configuration (Example 3) B-12 Example 4: IPv6 Configuration Example B-13

B-6

Transparent Mode Sample Configurations B-14 Example 5: Multiple Mode, Transparent Firewall with Outside Access Example System Configuration (Example 5) B-15 Admin Context Configuration (Example 5) B-16 Customer A Context Configuration (Example 5) B-17 Customer B Context Configuration (Example 5) B-17 Customer C Context Configuration (Example 5) B-18 Failover Example Configurations B-18 Example 6: Routed Mode Failover B-19 Primary FWSM Configuration (Example 6) B-19 Secondary FWSM System Configuration (Example 6) B-22 Switch Configuration (Example 6) B-22 Example 7: Transparent Mode Failover B-22 Primary FWSM Configuration (Example 7) B-23 Secondary FWSM System Configuration (Example 7) B-26 Switch Configuration (Example 7) B-26 Example 8: Active/Active Failover with Asymmetric Routing Support Prerequisites B-27 Primary FWSM Configuration (Example 8) B-27 The Secondary FWSM Configuration (Example 8) B-30 Switch Configuration (Example 8) B-30C

B-14

B-27

APPENDIX

Using the Command-Line Interface Command Modes and Prompts Syntax FormattingC-3 C-3 C-3 C-2

C-1 C-1

Firewall Mode and Security Context Mode

Abbreviating Commands Command-Line Editing


xxiv

OL-20748-01

Contents

Command Completion Command HelpC-4

C-3

Filtering show Command Output Command Output Paging Adding CommentsC-5 C-5

C-4

Text Configuration Files C-6 How Commands Correspond with Lines in the Text File C-6 Command-Specific Configuration Mode Commands C-6 Automatic Text Entries C-6 Line Order C-7 Commands Not Included in the Text Configuration C-7 Passwords C-7 Multiple Security Context Files C-7D

APPENDIX

Mapping MIBs to CLI Commands Addresses, Protocols, and Ports

D-1

APPENDIX

E

E-1

IPv4 Addresses and Subnet Masks E-1 Classes E-2 Private Networks E-2 Subnet Masks E-2 Determining the Subnet Mask E-3 Determining the Address to Use with the Subnet Mask IPv6 Addresses E-5 IPv6 Address Format E-5 IPv6 Address Types E-6 Unicast Addresses E-6 Multicast Address E-8 Anycast Address E-9 Required Addresses E-10 IPv6 Address Prefixes E-10 Protocols and Applications TCP and UDP Ports ICMP TypesGLOSSARY

E-3

E-11

E-11 E-14

Local Ports and ProtocolsE-15

INDEX


xxv

Contents


xxvi

OL-20748-01

About This GuideThis preface describes the objectives and organization of this document and explains how to find additional information on related products and services. This preface includes the following sections:

Audience, page xxvii Objectives, page xxvii Document Conventions, page xxvii Related Documentation, page xxviii Obtaining Documentation and Submitting a Service Request, page xxix

AudienceThis guide is for network managers who perform any of the following tasks:

Managing network security Installing and configuring firewalls Managing default and static routes, and TCP and UDP services

ObjectivesThis document contains instructions and procedures for configuring the Firewall Services Module (FWSM), a single-width services module supported on the Catalyst 6500 switch and the Cisco 7600 router, using the command-line interface. FWSM protects your network from unauthorized use. This guide does not cover every feature, but describes only the most common configuration scenarios. You can also configure and monitor the FWSM by using ASDM, a web-based GUI application. ASDM includes configuration wizards to guide you through some common configuration scenarios, and online Help for less common scenarios. For more information, see: http://www.cisco.com/en/US/products/ps6121/tsd_products_support_series_home.html.

Document ConventionsThe FWSM command syntax descriptions use the following conventions:Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01

xxvii

About This Guide

Command descriptions use these conventions:

Braces ({ }) indicate a required choice. Square brackets ([ ]) indicate optional elements. Vertical bars ( | ) separate alternative, mutually exclusive elements. Boldface indicates commands and keywords that are entered literally as shown. Italics indicate arguments for which you supply values. Examples depict screen displays and the command line in screen font. Information you need to enter in examples is shown in boldface screen font. Variables for which you must supply a value are shown in italic screen font. Examples might include output from different platforms; for example, you might not recognize an interface type in an example because it is not available on your platform. Differences should be minor.

Examples use these conventions:

Note

Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual. For information on modes, prompts, and syntax, see Appendix C Using the Command-Line Interface.

Related DocumentationFWSM documentation is at the following URL: http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home .html ASDM documentation is at the following URL: http://www.cisco.com/en/US/products/ps6121/tsd_products_support_series_home.html For more information, see the following documentation:

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Log Messages Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Installation and Verification Note Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Release Notes Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM Release Notes for Cisco ASDM Open Source Software Licenses for FWSM


xxviii

OL-20748-01

About This Guide

Obtaining Documentation and Submitting a Service RequestFor information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly Whats New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the Whats New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.


xxix

About This Guide


xxx

OL-20748-01

Quick Start StepsThe following sections describe the minimum configuration required for the FWSM in routed mode or transparent mode:

Routed Firewall Minimum Configuration Steps, page xxxi Transparent Firewall Minimum Configuration Steps, page xxxii

Routed Firewall Minimum Configuration StepsTo configure the FWSM in routed mode, perform the following steps: TaskStep 1

Description

Assigning VLANs to the Firewall Services Module, page 2-2 On the switch, you need to assign VLANs to the FWSM so that the FWSM can send and receive traffic on the switch. (Might be required) Adding Switched Virtual Interfaces to the MSFC, page 2-4 Connecting to the Firewall Services Module, page 3-1 If you want the MSFC to route between VLANs that are assigned to the FWSM, complete this procedure. From the switch CLI, you can session into the FWSM to access the FWSM CLI.

Step 2 Step 3 Step 4

(Might be required; multiple context mode only) Enabling or If you want to use multiple context mode and your Disabling Multiple Context Mode, page 4-10 FWSM is not already configured for it, or if you want to change back to single mode, follow this procedure. (Multiple context mode only) Configuring a Security Context, page 4-27 (Multiple context mode only) Changing Between Contexts and the System Execution Space, page 4-31 Add a security context. Because you must configure some settings in the system execution space and some settings within the context, you need to know how to switch between contexts and the system execution space. For each VLAN interface, you must set a name (such as inside or outside), a security level, and an IP address. Create a default route to an upstream router.

Step 5 Step 6

Step 7

Configuring Interfaces for Routed Firewall Mode, page 6-2

Step 8

Configuring a Default Route, page 8-4


xxxi

Quick Start Steps

TaskStep 9

Description In multiple context mode, static routing and stub BGP is the only routing method supported. In single mode, you have a choice of static, stub BGP, RIP, EIGRP, or OSPF.

Configure routing using one of these methods:

Configuring a Static Route, page 8-3 Configuring BGP Stub Routing, page 8-6 (Single context mode only) Configuring OSPF, page 8-9 (Single context mode only) Configuring EIGRP, page 8-22 (Single context mode only) Configuring RIP, page 8-21

Step 10

(Might be required) Use one or more of these NAT methods: Configure NAT if you use private addresses, or want the extra security. Using Dynamic NAT and PAT, page 16-19

Using Static NAT, page 16-29 Using Static PAT, page 16-31 Before any traffic can go through the FWSM, you must create an access list that permits traffic. Apply the access list to an interface.

Step 11 Step 12

Adding an Extended ACE, page 13-7 Applying an Access List to an Interface, page 15-4

Transparent Firewall Minimum Configuration StepsTo configure the FWSM in transparent mode, perform the following steps: TaskStep 1

Description

Assigning VLANs to the Firewall Services Module, page 2-2 On the switch, you need to assign VLANs to the FWSM so that the FWSM can send and receive traffic on the switch. (Might be required) Adding Switched Virtual Interfaces to the MSFC, page 2-4 Connecting to the Firewall Services Module, page 3-1 If you want the MSFC to route between VLANs that are assigned to the FWSM, complete this procedure. From the switch CLI, you can session into the FWSM to access the FWSM CLI.

Step 2 Step 3 Step 4

(Might be required; multiple context mode only) Enabling or If you want to use multiple context mode and your Disabling Multiple Context Mode, page 4-10 FWSM is not already configured for it, or if you want to change back to single mode, follow this procedure. (Multiple context mode only) Configuring a Security Context, page 4-27 (Multiple context mode only) Changing Between Contexts and the System Execution Space, page 4-31 Add a security context. Because you must configure some settings in the system execution space and some settings within the context, you need to know how to switch between contexts and the system execution space. Before you configure any settings, you must set the firewall mode to transparent mode. Changing the mode clears your configuration. In multiple context mode, set the mode in each context.

Step 5 Step 6

Step 7

Setting Transparent or Routed Firewall Mode, page 5-17


xxxii

OL-20748-01

Quick Start Steps

TaskStep 8

Description For each VLAN interface, you must set a name (such as inside or outside), a security level, and a bridge group. Assign an IP address to each bridge group. Create a default route to an upstream router for returning management traffic. Before any traffic can go through the FWSM, you must create an access list that permits traffic. Apply the access list to an interface.

Configuring Transparent Firewall Interfaces for Through Traffic, page 6-6 Assigning an IP Address to a Bridge Group, page 6-6 Configuring a Default Route, page 8-4 Adding an Extended ACE, page 13-7 Applying an Access List to an Interface, page 15-4

Step 9 Step 10 Step 11 Step 12


xxxiii

Quick Start Steps


xxxiv

OL-20748-01

PA R T

1

Getting Started and General Information

CH A P T E R

1

Introduction to the Firewall Services ModuleThe FWSM is a high-performance, space-saving, stateful firewall module that installs in the Catalyst 6500 series switches and the Cisco 7600 series routers. Firewalls protect inside networks from unauthorized access by users on an outside network. The firewall can also protect inside networks from each other, for example, by keeping a human resources network separate from a user network. If you have network resources that need to be available to an outside user, such as a web or FTP server, you can place these resources on a separate network behind the firewall, called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ includes only the public servers, an attack there affects only the servers and does not affect the other inside networks. You can also control when inside users access outside networks (for example, access to the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by coordinating with an external URL filtering server. The FWSM includes many advanced features, such as multiple security contexts (similar to virtualized firewalls), transparent (Layer 2) firewall or routed (Layer 3) firewall operation, hundreds of interfaces, and many more features. When discussing networks connected to a firewall, the outside network is in front of the firewall, the inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited access to outside users. Because the FWSM lets you configure many interfaces with varied security policies, including many inside interfaces, many DMZs, and even many outside interfaces if desired, these terms are used in a general sense only. This chapter includes the following sections:

New Features, page 1-2 Security Policy Overview, page 1-3 How the Firewall Services Module Works with the Switch, page 1-5 Firewall Mode Overview, page 1-7 Stateful Inspection Overview, page 1-8 Security Context Overview, page 1-9


1-1

Chapter 1 New Features

Introduction to the Firewall Services Module

New FeaturesTable 1-1 lists the new features for FWSM Release 4.1(1).Table 1-1 New Features for FWSM Version 4.1(1)

FeaturePlatform Features

Description

Separate Host names for This feature lets you configure a separate hostname on the primary and secondary FWSMs. If the Primary and Secondary secondary hostname is not configured, the primary and secondary hostnames are the same. blades The following command was modified: hostname primary_hostname [secondary secondary_hostname].Firewall Features

Creation of UDP sessions with unresolved ARP in the accelerated path

If you configure the FWSM to create the session in the accelerated path even though the ARP lookup fails, then it will drop all further packets to the destination IP address until the ARP lookup succeeds. Without this feature, each subsequent UDP packet goes through the session management path before being dropped by the accelerated path, causing potential overload of the session management path. The following command was introduced: sysopt connection udp create-arp-unresolved-conn.

DCERPC Enhancement: In this release, DCERPC Inspection was enhanced to support inspection of Remote Create Instance RemoteCreationInstance RPC messages. message support No commands were modified. NAT/PAT Global Pool usage enhancement Reset Connection marked for Deletion This feature lets you track and manage the usage of global pools for NAT/PAT configurations. The following command was introduced: show global usage. You can now disable the sending of a reset (RST) packet for a connection marked for deletion. Starting in this release, reset packets are not sent by default. You can restore the previous behavior, so that when the FWSM receives a SYN packet on the same 5-tuple (source IP and port, destination IP and port, protocol) which was marked for deletion, it will send a reset packet. The following command was introduced: service reset connection marked-for-deletion. PPTP-GRE Timeout You can now set the timeout for GRE connectionss that are built as a result of PPTP inspection. The following command was modified: timeout pptp-gre.Management Features


1-2

OL-20748-01

Chapter 1

Introduction to the Firewall Services Module Security Policy Overview

Table 1-1

New Features for FWSM Version 4.1(1) (continued)

Feature

Description

Turning on/off names in This feature enables users to choose whether or not to apply name translation while generating Syslog messages syslogs to the console, syslog server, and FTP syslog server. The following command was introduced: logging names. Shared Management You can now add a management VLAN that is not part of any bridge group. This VLAN is Interface in Transparent especially useful in multiple context mode where you can share a single management VLAN across Mode multiple contexts. The following command was introduced for transparent mode: management-only Teardown Syslog Enhancement SNMP Buffer enhancementTroubleshooting Features

New syslogs were added for when a connection is torn down. The following syslog messages were introduced: 302030 through 33. With this enhancement, SNMP requests will be handled more efficiently, so that the allocated blocks for SNMP are freed up quickly, thus leaving enough blocks for other processes. No commands were modified.

Crashinfo enhancement

The crashinfo enhancement improves the reliability of generating crash information. No commands were modified.

Security Policy OverviewA security policy determines which traffic is allowed to pass through the firewall to access another network. The FWSM does not allow any traffic to pass through unless explicitly allowed by an access list. You can apply actions to traffic to customize the security policy. This section discusses some commonly-used features; not all features are listed here. This section includes the following topics:

Permitting or Denying Traffic with Access Lists, page 1-4 Applying NAT, page 1-4 Protecting from IP Fragments, page 1-4


1-3

Chapter 1 Security Policy Overview


Using AAA for Through Traffic, page 1-4 Applying Internet Filtering, page 1-4 Applying Application Inspection, page 1-5 Applying Connection Limits, page 1-5

Permitting or Denying Traffic with Access ListsYou can apply an access list to allow traffic through an interface. For transparent firewall mode, you can also apply an EtherType access list to allow non-IP traffic.

Applying NATSome of the benefits of NAT include the following:

You can use private addresses on your inside networks. Private addresses are not routable on the Internet. NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host. NAT can resolve IP routing problems by supporting overlapping IP addresses.

Protecting from IP FragmentsThe FWSM provides IP fragment protection. This feature performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the FWSM. Fragments that fail the security check are dropped and logged. Virtual reassembly cannot be disabled.

Using AAA for Through TrafficYou can require authentication and/or authorization for certain types of traffic, for example, for HTTP. The FWSM also sends accounting information to a RADIUS or TACACS+ server.

Applying Internet FilteringAlthough you can use access lists to prevent outbound access to specific websites or FTP servers, configuring and managing web usage this way is not practical because of the size and dynamic nature of the Internet. We recommend that you use the FWSM in conjunction with a separate server running one of the following Internet filtering products:

Websense Enterprise Sentian by N2H2


1-4

OL-20748-01

Chapter 1

Introduction to the Firewall Services Module How the Firewall Services Module Works with the Switch

Applying Application InspectionInspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the FWSM to perform a deep packet inspection.

Applying Connection LimitsYou can limit TCP and UDP connections and embryonic connections. Limiting the number of connections and embryonic connections protects you from a DoS attack. The FWSM uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination.

How the Firewall Services Module Works with the SwitchYou can install the FWSM in the Catalyst 6500 series switches and the Cisco 7600 series routers with Cisco IOS software on both the switch supervisor and the integrated MSFC (known as supervisor IOS).

Note

The Catalyst Operating System (OS) is not supported. The FWSM runs its own operating system.


1-5

Chapter 1 How the Firewall Services Module Works with the Switch


Using the MSFCThe switch includes a switching processor (the supervisor) and a router (the MSFC). Although you need the MSFC as part of your system, you do not have to use it. If you choose to do so, you can assign one or more VLAN interfaces to the MSFC (if your switch software version supports multiple SVIs; see Table A-1 on page A-2). In single context mode, you can place the MSFC in front of the firewall or behind the firewall (see Figure 1-1). The location of the MSFC depends entirely on the VLANs that you assign to it. For example, the MSFC is behind the firewall in the example shown on the left side of Figure 1-1 because you assigned VLAN 201 to the inside interface of the FWSM. The MSFC is in front of the firewall in the example shown on the right side of Figure 1-1 because you assigned VLAN 200 to the outside interface of the FWSM. In the left-hand example, the MSFC routes between VLANs 201, 301, 302, and 303, and no inside traffic goes through the FWSM unless it is destined for the Internet. In the right-hand example, the FWSM processes and protects all traffic between the inside VLANs 201, 202, and 203.Figure 1-1 MSFC Placement

MSFC Behind the FWSM Internet

MSFC In Front of the FWSM Internet

VLAN 200

VLAN 100 MSFC

FWSM VLAN 200 VLAN 201 FWSM MSFC VLAN 301 Inside VLAN 302 DMZ VLAN 303 HR VLAN 201 Inside VLAN 202 DMZ92881

VLAN 203 HR


1-6

OL-20748-01

Chapter 1

Introduction to the Firewall Services Module Firewall Mode Overview

For multiple context mode, if you place the MSFC behind the FWSM, you should only connect it to a single context. If you connect the MSFC to multiple contexts, the MSFC will route between the contexts, which might not be your intention. The typical scenario for multiple contexts is to use the MSFC in front of all the contexts to route between the Internet and the switched networks (see Figure 1-2).Figure 1-2 MSFC Placement with Multiple Contexts

Internet

VLAN 100 MSFC VLAN 200 Admin Context Context A Context B Context C

VLAN 201 Admin Network

VLAN 202 Inside Customer A

VLAN 203 Inside Customer B

VLAN 204 Inside Customer C

Firewall Mode OverviewThe FWSM runs in two different firewall modes:

Routed Transparent

In routed mode, the FWSM is considered to be a router hop in the network. In transparent mode, the FWSM acts like a bump in the wire, or a stealth firewall, and is not considered a router hop. The FWSM connects to the same network on its inside and outside interfaces. You can configure up to eight pairs of interfaces (called bridge groups) to connect to eight different networks, per context. You might use a transparent firewall to simplify your network configuration. Transparent mode is also useful if you want the firewall to be invisible to attackers. You can also use a transparent firewall for traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow unsupported routing protocols. In multiple context mode, you can choose the mode for each context independently, so some contexts can run in transparent mode while others can run in routed mode.


92882

1-7

Chapter 1 Stateful Inspection Overview


Stateful Inspection OverviewAll traffic that goes through the firewall is inspected using the Adaptive Security Algorithm and is either allowed through or dropped. A simple packet filter can check for the correct source address, destination address, and ports, but it does not check that the packet sequence or flags are correct. A filter also checks every packet against the filter, which can be a slow process.

Note

The following feature allows you to customize the packet flow: Configuring TCP State Bypass section on page 21-10. A stateful firewall like the FWSM, however, takes into consideration the state of a packet:

Is this a new connection? If it is a new connection, the firewall has to check the packet against access lists and perform other tasks to determine if the packet is allowed or denied. To perform this check, the first packet of the session goes through the session management path, and depending on the type of traffic, it might also pass through the control plane path.

Note

The first packet for a session cannot be comprised of fragments for a packet that is larger than 8500 Bytes. The session will be established, but only the first 8500 Bytes will be sent out. Subsequent packets for this session are not affected by this limitation. The session management path is responsible for the following tasks: Performing the access list checks Performing route lookups Allocating NAT translations (xlates) Establishing sessions in the accelerated path

Some packets that require Layer 7 inspection (the packet payload must be inspected or altered) are passed on to the control plane path. Layer 7 inspection engines are required for protocols that have two or more channels: a data channel, which uses well-known port numbers, and a control channel, which uses different port numbers for each session. These protocols include FTP, H.323, and SNMP.

Note

The FWSM performs session management path and accelerated path processing on three specialized networking processors. The control plane path processing is performed in a general-purpose processor that also handles traffic directed to the FWSM and configuration and management tasks. Is this an established connection? If the connection is already established, the firewall does not need to recheck packets; most matching packets can go through the accelerated path in both directions. The accelerated path is responsible for the following tasks: IP checksum verification Session lookup TCP sequence number check NAT translations based on existing sessions


1-8

OL-20748-01

Chapter 1

Introduction to the Firewall Services Module Security Context Overview

Layer 3 and Layer 4 header adjustments

For UDP or other connectionless protocols, the FWSM creates connection state information so that it can also use the accelerated path. Data packets for protocols that require Layer 7 inspection can also go through the accelerated path. Some established session packets must continue to go through the session management path or the control plane path. Packets that go through the session management path include HTTP packets that require inspection or content filtering. Packets that go through the control plane path include the control packets for protocols that require Layer 7 inspection.

Note

For QoS compatibility, the FWSM preserves the DSCP bits for all traffic that passes through the FWSM.

Security Context OverviewYou can partition a single FWSM into multiple virtual devices, known as security contexts. Each context has its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices. Many features are supported in multiple context mode, including routing tables, firewall features, and management. Some features are not supported, including dynamic routing protocols. In multiple context mode, the FWSM includes a configuration for each context that identifies the security policy, interfaces, and almost all the options you can configure on a standalone device. The system administrator adds and manages contexts by configuring them in the system configuration, which, like a single mode configuration, is the startup configuration. The system configuration identifies basic settings for the FWSM. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The admin context is just like any other context, except that when a user logs in to the admin context, then that user has system administrator rights and can access the system and all other contexts.

Note

Multiple context mode supports static routing only.


1-9

Chapter 1 Security Context Overview



1-10

OL-20748-01

CH A P T E R

2

Configuring the Switch for the Firewall Services ModuleThis chapter describes how to configure the Catalyst 6500 series switch or the Cisco 7600 series router for use with the FWSM. Before completing the procedures in this chapter, configure the basic properties of your switch, including assigning VLANs to interfaces, according to the documentation that came with your switch. This chapter includes the following sections:

Switch Overview, page 2-1 Verifying the Module Installation, page 2-2 Assigning VLANs to the Firewall Services Module, page 2-2 Adding Switched Virtual Interfaces to the MSFC, page 2-4 Customizing the FWSM Internal Interface, page 2-8 Configuring the Switch for Failover, page 2-9 Managing the Firewall Services Module Boot Partitions, page 2-10

Switch OverviewYou can install the FWSM in the Catalyst 6500 series switches or the Cisco 7600 series routers. The configuration of both series is identical, and the series are referred to generically in this guide as the switch. The switch includes a switch (the supervisor engine) as well as a router (the MSFC). The switch supports Cisco IOS software on both the switch supervisor engine and the integrated MSFC router.

Note

The Catalyst operating system software is not supported. The FWSM runs its own operating system.

Note

Because the FWSM runs its own operating system, upgrading the Cisco IOS software does not affect the operation of the FWSM. See the Using the MSFC section on page 1-6 for more information about the MSFC.


2-1

Chapter 2 Verifying the Module Installation

Configuring the Switch for the Firewall Services Module

Some FWSM features interact with Cisco IOS features, and require specific Cisco IOS software versions. See the Switch Hardware and Software Compatibility section on page A-1 for more information. The following features involve Cisco IOS software, and are described in the feature sections:

Route Health InjectionSee the Configuring Route Health Injection section on page 8-32. PISA integrationSee the Permitting or Denying Application Types with PISA Integration section on page 21-4. Virtual Switching System (VSS) supportNo FWSM configuration required.

Note

For Cisco IOS software Version 12.2(18)SX6 and earlier, for each FWSM in a switch, the SPAN reflector feature is enabled. This feature enables multicast traffic (and other traffic that requires central rewrite engine) to be switched when coming from the FWSM. The SPAN reflector feature uses one SPAN session. To disable this feature, enter the following command:Router(config)# no monitor session servicemodule

Verifying the Module InstallationTo verify that the switch acknowledges the FWSM and has brought it online, view the module information using the following command:Router> show module [mod-num | all]

The following is sample output from the show module command:Router> show module Mod Ports Card Type --- ----- -------------------------------------1 2 Catalyst 6000 supervisor 2 (Active) 2 48 48 port 10/100 mb RJ-45 ethernet 3 2 Intrusion Detection System 4 6 Firewall Module Model -----------------WS-X6K-SUP2-2GE WS-X6248-RJ-45 WS-X6381-IDS WS-SVC-FWM-1 Serial No. ----------SAD0444099Y SAD03475619 SAD04250KV5 SAD062302U4

Note

The show module command shows six ports for the FWSM; these are internal ports that are grouped together as an EtherChannel. See the Customizing the FWSM Internal Interface section on page 2-8 for more information.

Assigning VLANs to the Firewall Services ModuleThis section describes how to assign VLANs to the FWSM. The FWSM does not include any external physical interfaces. Instead, it uses VLAN interfaces. Assigning VLANs to the FWSM is similar to assigning a VLAN to a switch port; the FWSM includes an internal interface to the Switch Fabric Module (if present) or the shared bus.

Note

See the switch documentation for information about adding VLANs to the switch and assigning them to switch ports.


2-2

OL-20748-01

Chapter 2

Configuring the Switch for the Firewall Services Module Assigning VLANs to the Firewall Services Module

This section includes the following topics:

VLAN Guidelines, page 2-3 Assigning VLANs to the FWSM, page 2-3

VLAN GuidelinesSee the following guidelines for using VLANs with the FWSM:

You can use private VLANs with the FWSM. Assign the primary VLAN to the FWSM; the FWSM automatically handles secondary VLAN traffic. You cannot use reserved VLANs. You cannot use VLAN 1. If you are using FWSM failover within the same switch chassis, do not assign the VLAN(s) you are reserving for failover and stateful communications to a switch port. However, if you are using failover between chassis, you must include the VLANs in the trunk port between the chassis. If you do not add the VLANs to the switch before you assign them to the FWSM, the VLANs are stored in the supervisor engine database and are sent to the FWSM as soon as they are added to the switch.

Assigning VLANs to the FWSMIn Cisco IOS software, create up to 16 firewall VLAN groups, and then assign the groups to the FWSM. For example, you can assign all the VLANs to one group, or you can create an inside group and an outside group, or you can create a group for each customer. Each group can contain unlimited VLANs. You cannot assign the same VLAN to multiple firewall groups; however, you can assign multiple firewall groups to an FWSM and you can assign a single firewall group to multiple FWSMs. VLANs that you want to assign to multiple FWSMs, for example, can reside in a separate group from VLANs that are unique to each FWSM. To assign VLANs to the FWSM, perform the following steps:Step 1

To assign VLANs to a firewall group, enter the following command:Router(config)# firewall vlan-group firewall_group vlan_range

The firewall_group argument is an integer. The vlan_range can be one or more VLANs (2 to 1000 and from 1025 to 4094) identified in one of the following ways:

A single number (n) A range (n-x)

Separate numbers or ranges by commas. For example, enter the following numbers:5,7-10,13,45-100

Note

Routed ports and WAN ports consume internal VLANs, so it is possible that VLANs in the 1020-1100 range might already be in use.


2-3

Chapter 2 Adding Switched Virtual Interfaces to the MSFC


If you configure the VLANs in the FWSM configuration, and then later assign the VLANs to the FWSM on the switch using this procedure, then those VLANs are brought administratively up on the FWSM even if they were configured to be shut down. To shut them down, enter the following commands at the FWSM CLI:interface vlan number shutdown

Step 2

To assign the firewall groups to the FWSM, enter the following command:Router(config)# firewall module module_number vlan-group firewall_group

The firewall_group is one or more group numbers:

A single number (n) A range (n-x)

Separate numbers or ranges by commas. For example, enter the following numbers:5,7-10

The following example shows how you can create three firewall VLAN groups: one for each FWSM, and one that includes VLANs assigned to both FWSMs:Router(config)# Router(config)# Router(config)# Router(config)# Router(config)# firewall firewall firewall firewall firewall vlan-group 50 55-57 vlan-group 51 70-85 vlan-group 52 100 module 5 vlan-group 50,52 module 8 vlan-group 51,52

The following is sample output from the show firewall vlan-group command:Router# show firewall vlan-group Group vlans ----- -----50 55-57 51 70-85 52 100

The following is sample output from the show firewall module command, which shows all VLAN groups:Router# show firewall module Module Vlan-groups 5 50,52 8 51,52

Adding Switched Virtual Interfaces to the MSFCA VLAN defined on the MSFC is called a switched virtual interface. If you assign the VLAN used for the SVI to the FWSM (see the Assigning VLANs to the Firewall Services Module section on page 2-2), then the MSFC routes between the FWSM and other Layer 3 VLANs. This section includes the following topics:

SVI Overview, page 2-5


2-4

OL-20748-01

Chapter 2

Configuring the Switch for the Firewall Services Module Adding Switched Virtual Interfaces to the MSFC

Configuring SVIs, page 2-7

SVI OverviewFor security reasons, by default, only one SVI can exist between the MSFC and the FWSM. For example, if you misconfigure the system with multiple SVIs, you could accidentally allow traffic to pass around the FWSM by assigning both the inside and outside VLANs to the MSFC. (See Figure 2-1.)Figure 2-1 Multiple SVI Misconfiguration

Internet

VLAN 100 MSFC VLAN 200

FWSM

VLAN 201

VLAN 201 Inside92883


2-5

Chapter 2 Adding Switched Virtual Interfaces to the MSFC


However, you might need to bypass the FWSM in some network scenarios. Figure 2-2 shows an IPX host on the same Ethernet segment as IP hosts. Because the FWSM in routed firewall mode only handles IP traffic and drops other protocol traffic like IPX (transparent firewall mode can optionally allow non-IP traffic), you might want to bypass the FWSM for IPX traffic. Make sure to configure the MSFC with an access list that allows only IPX traffic to pass on VLAN 201.Figure 2-2 Multiple SVIs for IPX

Internet

VLAN 100 MSFC VLAN 200

FWSM

VLAN 201

VLAN 201 Inside

IPX Host

IP Host


2-6

92884

OL-20748-01

Chapter 2

Configuring the Switch for the Firewall Services Module Adding Switched Virtual Interfaces to the MSFC

For transparent firewalls in multiple context mode, you need to use multiple SVIs because each context requires a unique VLAN on its outside interface (See Figure 2-3). You might also choose to use multiple SVIs in routed mode so you do not have to share a single VLAN for the outside interface.Figure 2-3 Multiple SVIs in Multiple Context Mode

Internet VLAN 100

VLAN 151 VLAN 150 Admin Context Context A

VLAN 152 VLAN 153 Context B Context C

VLAN 201 Admin Network

VLAN 202 Inside Customer A

VLAN 203 Inside Customer B

VLAN 204

Configuring SVIsTo add an SVI to the MSFC, perform the following steps:Step 1

(Optional) To allow you to add more than one SVI to the FWSM, enter the following command:Router(config)# firewall multiple-vlan-interfaces

Step 2

To add a VLAN interface to the MSFC, enter the following command:Router(config)# interface vlan vlan_number

Step 3

To set the IP address for this interface on the MSFC, enter the following command:Router(config-if)# ip address address mask

Step 4

To enable the interface, enter the following command:Router(config-if)# no shutdown

The following example shows a typical configuration with multiple SVIs:Router(config)# firewall vlan-group 50 55-57


92885

Inside Customer C

2-7

Chapter 2 Customizing the FWSM Internal Interface


Router(config)# firewall vlan-group 51 70-85 Router(config)# firewall module 8 vlan-group 50-51 Router(config)# firewall multiple-vlan-interfaces Router(config)# interface vlan 55 Router(config-if)# ip address 10.1.1.1 255.255.255.0 Router(config-if)# no shutdown Router(config-if)# interface vlan 56 Router(config-if)# ip address 10.1.2.1 255.255.255.0 Router(config-if)# no shutdown Router(config-if)# end Router#

The following is sample output from the show interface command:Router# show interface vlan 55 Vlan55 is up, line protocol is up Hardware is EtherSVI, address is 0008.20de.45ca (bia 0008.20de.45ca) Internet address is 10.1.1.1/24 MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set ARP type:ARPA, ARP Timeout 04:00:00 Last input never, output 00:00:08, output hang never Last clearing of "show interface" counters never Input queue:0/75/0/0 (size/max/drops/flushes); Total output drops:0 Queueing strategy:fifo Output queue :0/40 (size/max) 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec L2 Switched:ucast:196 pkt, 13328 bytes - mcast:4 pkt, 256 bytes L3 in Switched:ucast:0 pkt, 0 bytes - mcast:0 pkt, 0 bytes mcast L3 out Switched:ucast:0 pkt, 0 bytes 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 4 packets output, 256 bytes, 0 underruns 0 output errors, 0 interface resets 0 output buffer failures, 0 output buffers swapped out

Customizing the FWSM Internal InterfaceThe connection between the FWSM and the switch is a 6-GB 802.1Q trunking EtherChannel. This EtherChannel is automatically created when you install the FWSM. On the FWSM side, two NPs connect to three Gigabit Ethernet interfaces each, and these interfaces comprise the EtherChannel. The switch distributes traffic to the interfaces in the EtherChannel according to a distribution algorithm based on session information; load sharing is not performed on a per-packet basis, but rather on a flow basis. In some cases, the algorithm assigns traffic unevenly between the interfaces and, therefore, between the two NPs. Aside from not utilizing the full processing potential of the FWSM, consistent inequity can result in unexpected behavior when you apply resource management to multiple contexts. (See the Configuring a Class section on page 4-24 for more information.) To change the load-balancing method, enter the following command:Router(config)# port-channel load-balance {dst-ip | dst-mac | dst-port | src-dst-ip | src-dst-mac | src-dst-port | src-ip | src-mac | src-port}

The default is src-dst-ip.


2-8

OL-20748-01

Chapter 2

Configuring the Switch for the Firewall Services Module Configuring the Switch for Failover

Configuring the Switch for FailoverTo configure the switch for failover, see the following topics:

Assigning VLANs to the Secondary Firewall Services Module, page 2-9 Adding a Trunk Between a Primary Switch and Secondary Switch, page 2-9 Ensuring Compatibility with Transparent Firewall Mode, page 2-9 Enabling Autostate Messaging for Rapid Link Failure Detection, page 2-9

Assigning VLANs to the Secondary Firewall Services ModuleBecause both units require the same access to the inside and outside networks, you must assign the same VLANs to both FWSMs on the switch(es). See the Assigning VLANs to the Firewall Services Module section on page 2-2.

Adding a Trunk Between a Primary Switch and Secondary SwitchIf you are using inter-switch failover (see the Intra- and Inter-Chassis Module Placement section on page 14-3), then you should configure an 802.1Q VLAN trunk between the two switches to carry the failover and state links. The trunk should have QoS enabled so that failover VLAN packets, which have the CoS value of 5 (higher priority), are treated with higher priority in these ports. To configure the EtherChannel and trunk, see the documentation for your switch.

Ensuring Compatibility with Transparent Firewall ModeTo avoid loops when you use failover in transparent mode, use switch software that supports BPDU forwarding. See the Switch Hardware and Software Compatibility section on page A-1 for more information about switch support for transparent firewall mode. Do not enable LoopGuard globally on the switch if the FWSM is in transparent mode. LoopGuard is automatically applied to the internal EtherChannel between the switch and the FWSM, so after a failover and a failback, LoopGuard causes the secondary unit to be disconnected because the EtherChannel goes into the err-disable state.

Enabling Autostate Messaging for Rapid Link Failure DetectionUsing Cisco IOS software Release 12.2(18)SXF5 and higher, the supervisor engine can send autostate messages to the FWSM about the status of physical interfaces associated with FWSM VLANs. For example, when all physical interfaces associated with a VLAN go down, the autostate message tells the FWSM that the VLAN is down. This information lets the FWSM declare the VLAN as down, bypassing the interface monitoring tests normally required for determining which side suffered a link failure. Autostate messaging provides a dramatic improvement in the time the FWSM takes to detect a link failure (a few milliseconds as compared to up to 45 seconds without autostate support). The switch supervisor sends an autostate message to the FWSM when:

The last interface belonging to a VLAN goes down. The first interface belonging to a VLAN comes up.


2-9

Chapter 2 Managing the Firewall Services Module Boot Partitions


Note

The switch supports autostate messaging only if you install a si

FWSM 4.1 - Config Guide

Documents

Transcript of FWSM 4.1 - Config Guide