Cisco 7604 Configuration Guide

Cisco 7604 Manual

Cisco 7604 manual content summary:

  • Cisco 7604 | Configuration Guide - Page 1
    Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI Release 4.1 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883
  • Cisco 7604 | Configuration Guide - Page 2
    shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM Copyright © 2010 Cisco Systems, Inc. All rights reserved.
  • Cisco 7604 | Configuration Guide - Page 3
    Services Module 2-1 Switch Overview 2-1 Verifying the Module Installation 2-2 Assigning VLANs to the Firewall Services Module 2-2 VLAN Guidelines 2-3 Assigning VLANs to the FWSM 2-3 OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
  • Cisco 7604 | Configuration Guide - Page 4
    4-2 System Configuration 4-2 Admin Context Configuration 4-3 How the FWSM Classifies Packets 4-3 Valid Classifier Criteria 4-3 Invalid Classifier Criteria 4-4 Classification Examples 4-5
  • Cisco 7604 | Configuration Guide - Page 5
    Partition Size 4-14 Reallocating Rules Between Features for a Specific Memory Partition 4-19 Configuring Resource Management 4-21 Classes and Class Members Overview 4-22
  • Cisco 7604 | Configuration Guide - Page 6
    Device Management 6-4 Guidelines and Limitations 6-5 Configuring Transparent Firewall Interfaces for Through Traffic 6-6 Assigning an IP Address to a Bridge Group 6-6
  • Cisco 7604 | Configuration Guide - Page 7
    Processes 8-11 Configuring OSPF Interface Parameters 8-12 Configuring OSPF Area Parameters 8-14 Configuring OSPF NSSA 8-15 Configuring a Point-To-Point, Non-Broadcast OSPF Neighbor 8-16
  • Cisco 7604 | Configuration Guide - Page 8
    Enabling the DHCP Server 8-35 Configuring DHCP Options 8-37 Using Cisco IP Phones with a DHCP Server 8-38 Configuring DHCP Relay Services 8-39 DHCP Relay Overview 8-39
  • Cisco 7604 | Configuration Guide - Page 9
    Messages 10-6 Configuring the Neighbor Solicitation Message Interval 10-7 Configuring the Neighbor Reachable Time 10-7 Configuring Router Advertisement Messages 10-8
  • Cisco 7604 | Configuration Guide - Page 10
    and Servers 11-9 CHAPTER 12 Configuring Certificates 12-1 Public Key Cryptography 12-1 About Public Key Cryptography 12-1 Certificate Scalability 12-2 About Key Pairs 12-2
  • Cisco 7604 | Configuration Guide - Page 11
    Entry Order 13-2 Access List Implicit Deny 13-3 IP Addresses Used for Access Lists When You Use NAT 13-3 13-9 Supported EtherTypes 13-9 Apply Access Lists in Both Directions 13-9 Implicit Deny at the End of
  • Cisco 7604 | Configuration Guide - Page 12
    14-3 Intra- and Inter-Chassis Module Placement 14-3 Intra-Chassis Failover 14-3 Inter-Chassis Failover 14-4 Transparent Firewall Requirements 14-7 Active/Standby and
  • Cisco 7604 | Configuration Guide - Page 13
    15-4 CHAPTER 16 Configuring NAT 16-1 NAT Overview 16-1 Introduction to NAT 16-2 NAT in Routed Mode 16-2 NAT in Transparent Mode 16-3 NAT Control 16-5 NAT Types 16-6
  • Cisco 7604 | Configuration Guide - Page 14
    Prompts 17-2 Static PAT and HTTP 17-3 Authenticating Directly with the FWSM 17-3 Enabling Network Access Authentication 17-3 Configuring Custom Login Prompts 17-5
  • Cisco 7604 | Configuration Guide - Page 15
    18-11 Viewing Filtering Configuration 18-11 Configuring ARP Inspection and Bridging Parameters 19-1 Configuring ARP Inspection 19-1 ARP Inspection Overview 19-1
  • Cisco 7604 | Configuration Guide - Page 16
    to HTTP Traffic Globally 20-21 Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers 20-22 Applying Inspection to HTTP Traffic with NAT 20-22
  • Cisco 7604 | Configuration Guide - Page 17
    Inspection Engines Work 22-2 Inspection Limitations 22-3 Default Inspection Policy 22-4 Configuring Application Inspection 22-6 CTIQBE Inspection 22-10 CTIQBE Inspection Overview 22-10
  • Cisco 7604 | Configuration Guide - Page 18
    22-47 H.323 Inspection Overview 22-48 How H.323 Works 22-48 Limitations and Restrictions 22-49 Topologies Requiring H.225 Configuration 22-50 H.225 Map Commands 22-50
  • Cisco 7604 | Configuration Guide - Page 19
    22-78 Configuring SIP Timeout Values 22-82 SIP Inspection Enhancement 22-82 Verifying and Monitoring SIP Inspection 22-86 SIP Sample Configuration 22-87 Skinny (SCCP) Inspection 22-89
  • Cisco 7604 | Configuration Guide - Page 20
    ASDM Access 23-10 CLI Access Overview 23-11 ASDM Access Overview 23-11 Authenticating Sessions from the Switch to the FWSM 23-11 Enabling CLI or ASDM Authentication 23-12
  • Cisco 7604 | Configuration Guide - Page 21
    within a Context 24-17 Copying the Configuration from the Terminal Display 24-18 Configuring Auto Update Support 24-18 Configuring Communication with an Auto Update Server 24-18
  • Cisco 7604 | Configuration Guide - Page 22
    25-20 Enabling SNMP 25-32 Troubleshooting the Firewall Services Module 26-1 Testing Your Configuration 26-1 Enabling ICMP Debug Messages and System Log Messages 26-1
  • Cisco 7604 | Configuration Guide - Page 23
    (Example 1) B-3 Customer A Context Configuration (Example 1) B-4 Customer B Context Configuration (Example 1) B-4 Customer C Context Configuration (Example 1) B-5
  • Cisco 7604 | Configuration Guide - Page 24
    the Command-Line Interface C-1 Firewall Mode and Security Context Mode C-1 Command Modes and Prompts C-2 Syntax Formatting C-3 Abbreviating Commands C-3 Command-Line Editing C-3
  • Cisco 7604 | Configuration Guide - Page 25
    Address E-8 Anycast Address E-9 Required Addresses E-10 IPv6 Address Prefixes E-10 Protocols and Applications E-11 TCP and UDP Ports E-11 Local Ports and Protocols E-14 ICMP Types E-15
  • Cisco 7604 | Configuration Guide - Page 26
    Contents
  • Cisco 7604 | Configuration Guide - Page 27
    document contains instructions and procedures for configuring the Firewall Services Module (FWSM), a single-width services module supported on the Catalyst 6500 switch and the Cisco 7600 router, using the command-line interface. FWSM protects your network from unauthorized use. This guide does not
  • Cisco 7604 | Configuration Guide - Page 28
    Switch and Cisco 7600 Series Router Firewall Services Module Installation and Verification Note • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Release Notes • Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
  • Cisco 7604 | Configuration Guide - Page 29
    and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
  • Cisco 7604 | Configuration Guide - Page 30
    About This Guide
  • Cisco 7604 | Configuration Guide - Page 31
    must set a name (such as inside or outside), a security level, and an IP address. Configuring a Default Route, page 8-4 Create a default route to an upstream router.
  • Cisco 7604 | Configuration Guide - Page 32
    any settings, you must set the firewall mode to transparent mode. Changing the mode clears your configuration. In multiple context mode, set the mode in each context.
  • Cisco 7604 | Configuration Guide - Page 33
    security level, and a bridge group. Assign an IP address to each bridge group. Create a default route to an upstream router for returning management traffic. Before any traffic can go
  • Cisco 7604 | Configuration Guide - Page 34
    Quick Start Steps
  • Cisco 7604 | Configuration Guide - Page 35
    PART 1 Getting Started and General Information
  • Cisco 7604 | Configuration Guide - Page 37
    Firewall Services Module Works with the Switch, page 1-5 • Firewall Mode Overview, page 1-7 • Stateful Inspection Overview, page 1-8 • Security Context Overview, page 1-9
  • Cisco 7604 | Configuration Guide - Page 38
    to the destination IP address until the ARP lookup port, destination IP and port, protocol) which was marked for deletion, it will send a reset packet. The following command was introduced: service
  • Cisco 7604 | Configuration Guide - Page 39
    for other processes. No commands were modified. Troubleshooting Features Crashinfo enhancement The crashinfo enhancement improves the IP Fragments, page 1-4
  • Cisco 7604 | Configuration Guide - Page 40
    addresses from other networks, so attackers cannot learn the real address of a host. • NAT can resolve IP routing problems by supporting overlapping IP addresses specific websites or FTP servers, configuring and
  • Cisco 7604 | Configuration Guide - Page 41
    both the switch supervisor and the integrated MSFC (known as "supervisor IOS"). Note The Catalyst Operating System (OS) is not supported. The FWSM runs its own operating system.
  • Cisco 7604 | Configuration Guide - Page 42
    [Figure: VLAN topology; labels as extracted: 303 Inside HR, VLAN 302 DMZ, VLAN 100 MSFC, VLAN 200 FWSM, VLAN 201, VLAN 203 Inside HR, VLAN 202 DMZ]
  • Cisco 7604 | Configuration Guide - Page 43
    In multiple context mode, you can choose the mode for each context independently, so some contexts can run in transparent mode while others can run in routed mode.
  • Cisco 7604 | Configuration Guide - Page 44
    engines are required for protocols that have two or more channels: a control channel, which uses a well-known port number, and a data channel, which uses a different, dynamically negotiated port number for each session
  • Cisco 7604 | Configuration Guide - Page 45
    admin context, then that user has system administrator rights and can access the system and all other contexts. Note Multiple context mode supports static routing only.
  • Cisco 7604 | Configuration Guide - Page 46
    Security Context Overview Chapter 1 Introduction to the Firewall Services Module
  • Cisco 7604 | Configuration Guide - Page 47
    series routers. The configuration of both series is identical, and the series are referred to generically in this guide as the "switch." The switch includes a switch (the supervisor engine) as well as a router (the MSFC). The switch supports Cisco IOS software on both the switch supervisor engine
  • Cisco 7604 | Configuration Guide - Page 48
    Verifying the Module Installation (Chapter 2, Configuring the Switch for the Firewall Services Module). Some FWSM features interact with Cisco IOS features, and require specific Cisco IOS software versions. See the "Switch Hardware and Software Compatibility" section on page A-1 for more information.
  • Cisco 7604 | Configuration Guide - Page 49
    following numbers: 5,7-10,13,45-100 Note Routed ports and WAN ports consume internal VLANs, so it is possible that VLANs in the 1020-1100 range might already be in use.
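The VLAN list syntax shown above (5,7-10,13,45-100) is what the switch accepts for firewall vlan-group, and the note that follows it matters operationally: a list that parses cleanly can still name a VLAN the supervisor has already consumed internally. The Python below is an added example, not part of the guide or of Cisco's software. It expands that syntax into a set, rejects malformed or out-of-range items, collapses a set back to the compact form, and reports collisions against a caller-supplied set of in-use internal VLANs (the kind of list an operator would collect from show vlan internal usage). The 1-4094 bounds and the sample in-use set are this example's assumptions.

```python
import re
from typing import Iterable, Set

# Valid 802.1Q VLAN IDs on the switch; assumed bounds used only for range checks.
VLAN_MIN, VLAN_MAX = 1, 4094

# One list item: a single ID or an inclusive range "lo-hi".
_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand a Cisco-style VLAN list such as '5,7-10,13,45-100' into a set of IDs.

    Raises ValueError on empty or non-numeric items, reversed ranges,
    or IDs outside VLAN_MIN..VLAN_MAX.
    """
    vlans: Set[int] = set()
    for raw in spec.split(","):
        item = raw.strip()
        match = _ITEM.match(item)
        if not match:
            raise ValueError(f"malformed VLAN list item: {item!r}")
        lo = int(match.group(1))
        hi = int(match.group(2)) if match.group(2) else lo
        if lo > hi:
            raise ValueError(f"reversed range: {item}")
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN outside {VLAN_MIN}-{VLAN_MAX}: {item}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans: Iterable[int]) -> str:
    """Collapse a set of VLAN IDs back into the compact 'a,b-c' syntax."""
    ids = sorted(set(vlans))
    parts = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


def vlan_group_conflicts(spec: str, internal_in_use: Iterable[int]) -> Set[int]:
    """Return the VLANs in `spec` that collide with internally allocated VLANs.

    `internal_in_use` is supplied by the caller (e.g. transcribed from
    `show vlan internal usage`); this function does not talk to the switch.
    """
    return parse_vlan_list(spec) & set(internal_in_use)


if __name__ == "__main__":
    # Constructed inputs: the guide's list, plus an internal allocation that
    # overlaps the 1020-1100 range the guide warns about.
    spec = "5,7-10,13,45-100"
    vlans = parse_vlan_list(spec)
    print(len(vlans), "VLANs ->", format_vlan_list(vlans))
    print("conflicts:", sorted(vlan_group_conflicts("1010-1030,2000", {1024, 1025, 1100})))
```

Run the conflict check against the real internal allocation before entering the firewall vlan-group command; the switch will not warn you that a firewall VLAN shadows an internal one.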
  • Cisco 7604 | Configuration Guide - Page 50
    to the Firewall Services Module" section on page 2-2), then the MSFC routes between the FWSM and other Layer 3 VLANs. This section includes the following topics: • SVI Overview, page 2-5
  • Cisco 7604 | Configuration Guide - Page 51
    (See Figure 2-1.) [Figure 2-1 Multiple SVI Misconfiguration; labels: Internet, VLAN 201, VLAN 100, MSFC, VLAN 200, FWSM, VLAN 201, Inside]
  • Cisco 7604 | Configuration Guide - Page 52
    [Figure 2-2 Multiple SVIs for IPX; labels: Internet, VLAN 201, VLAN 100, MSFC, VLAN 200, FWSM, VLAN 201, Inside, IPX Host, IP Host]
  • Cisco 7604 | Configuration Guide - Page 53
    following command: Router(config-if)# no shutdown The following example shows a typical configuration with multiple SVIs: Router(config)# firewall vlan-group 50 55-57
  • Cisco 7604 | Configuration Guide - Page 54
    command: Router(config)# port-channel load-balance {dst-ip | dst-mac | dst-port | src-dst-ip | src-dst-mac | src-dst-port | src-ip | src-mac | src-port} The default is src-dst-ip.
  • Cisco 7604 | Configuration Guide - Page 55
    support). The switch supervisor sends an autostate message to the FWSM when: • The last interface belonging to a VLAN goes down. • The first interface belonging to a VLAN comes up.
  • Cisco 7604 | Configuration Guide - Page 56
    2 Configuring the Switch for the Firewall Services Module Note The switch supports autostate messaging only if you install a single FWSM in the chassis. Autostate messaging is disabled by default. To enable autostate messaging in Cisco IOS software, enter the following command: Router(config
  • Cisco 7604 | Configuration Guide - Page 57
    reload of module? [confirm] y % reset issued for module 9 Router# 00:26:55:%SNMP-5-MODULETRAP:Module 9 [Down] Trap 00:26:55:SP:The PC in slot 8 is shutting down. Please wait ...
  • Cisco 7604 | Configuration Guide - Page 58
    Managing the Firewall Services Module Boot Partitions Chapter 2 Configuring the Switch for the Firewall Services Module
  • Cisco 7604 | Configuration Guide - Page 59
    require a password. Caution Management access to the FWSM causes a degradation in performance. We recommend that you avoid accessing the FWSM when high network performance is critical.
  • Cisco 7604 | Configuration Guide - Page 60
    to the following: hostname(config)# Logging out of the FWSM To end the FWSM session and access the switch CLI, enter the following command: hostname# exit Logoff
  • Cisco 7604 | Configuration Guide - Page 61
    only to the running configuration in memory. You must manually save the running configuration to the startup configuration for your changes to Configurations at the Same Time, page 3-4
  • Cisco 7604 | Configuration Guide - Page 62
    at the end of all other messages: Unable to save the configuration for the following contexts as these contexts have read-only config-urls: context 'a', context 'b', context 'c'.
  • Cisco 7604 | Configuration Guide - Page 63
    To clear all the configuration for a specified command, enter the following command: hostname(config)# clear configure configurationcommand [level2configurationcommand]
  • Cisco 7604 | Configuration Guide - Page 64
    the no command to remove the specific configuration identified by qualifier. For example, to remove a specific nat command, enter enough of C, "Using the Command-Line Interface."
  • Cisco 7604 | Configuration Guide - Page 65
    Configuration Files, page 4-2 • How the FWSM Classifies Packets, page 4-3 • Sharing Interfaces Between Contexts, page 4-7 • Management Access to Security Contexts, page 4-9
  • Cisco 7604 | Configuration Guide - Page 66
    ), it uses one of the contexts that is designated as the admin context. The system configuration does include a specialized failover interface for failover traffic only.
  • Cisco 7604 | Configuration Guide - Page 67
    .0 netmask 255.255.255.0 • Context B: static (inside,shared) 10.20.10.0 10.20.10.0 netmask 255.255.255.0 • Context C:
  • Cisco 7604 | Configuration Guide - Page 68
    the same subnet, then the classifier uses the static command to classify packets destined for that subnet and ignores the static route.
  • Cisco 7604 | Configuration Guide - Page 69
    IP addresses. The classifier assigns the packet to Context B because Context B includes the address translation that matches the destination address.
  • Cisco 7604 | Configuration Guide - Page 70
    Security Context Overview Chapter 4 Configuring Security Contexts Note that all new incoming traffic must be classified, even
  • Cisco 7604 | Configuration Guide - Page 71
    classify the destination addresses to a context, the classifier is limited by how you can configure NAT. If you do not want to perform NAT, you must use unique interfaces.
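The classifier rules spread across the pages above reduce to a short decision procedure: a VLAN allocated to only one context classifies on its own; a shared VLAN needs a static whose mapped address on that interface covers the destination; a static route never counts, and with no match the packet is dropped. The Python below is an added example that models that procedure; it is not from the guide or from Cisco's code, and it deliberately simplifies the FWSM: only static entries are considered (other NAT forms are not represented), and the three-context topology, VLAN numbers and address ranges are constructed, with Context B's 10.20.10.0/24 static mirroring the page's own example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IPv4Network = ipaddress.IPv4Network


@dataclass
class Static:
    """Mapped side of one `static (real_if,mapped_if) mapped real netmask m` entry.

    The classifier only looks at the mapped interface and mapped addresses,
    so the real side is not modelled.
    """
    mapped_if: str
    mapped_net: IPv4Network


@dataclass
class Context:
    name: str
    # interface name -> VLAN allocated to this context (a shared VLAN appears in several contexts)
    vlans: Dict[str, int]
    statics: List[Static] = field(default_factory=list)
    # Present only to demonstrate that the classifier never consults them.
    static_routes: List[IPv4Network] = field(default_factory=list)

    def interface_on_vlan(self, vlan: int) -> Optional[str]:
        return next((name for name, v in self.vlans.items() if v == vlan), None)


class AmbiguousClassification(Exception):
    """Two or more contexts map the same address on a shared interface."""


def classify(contexts: List[Context], ingress_vlan: int, dst_ip: str) -> Optional[str]:
    """Name of the context that owns a new flow, or None if the FWSM would drop it."""
    dst = ipaddress.IPv4Address(dst_ip)
    candidates = [c for c in contexts if c.interface_on_vlan(ingress_vlan) is not None]
    if not candidates:
        return None                    # VLAN not allocated to any context
    if len(candidates) == 1:
        return candidates[0].name      # unique interface: classified without any NAT

    # Shared interface: match the destination against mapped addresses of statics
    # whose mapped interface is the shared one. Static routes are ignored.
    matches = []
    for ctx in candidates:
        shared_if = ctx.interface_on_vlan(ingress_vlan)
        if any(s.mapped_if == shared_if and dst in s.mapped_net for s in ctx.statics):
            matches.append(ctx.name)
    if len(matches) > 1:
        raise AmbiguousClassification(f"{dst} is mapped in contexts {matches}")
    return matches[0] if matches else None   # no static covers it: dropped


def build_example_contexts() -> List[Context]:
    """Constructed topology: three contexts share VLAN 100 ('shared'); each has its own inside VLAN."""
    net = ipaddress.ip_network
    return [
        Context("A", {"shared": 100, "inside": 201},
                [Static("shared", net("10.10.10.0/24"))],
                static_routes=[net("10.40.10.0/24")]),   # route only, no static
        Context("B", {"shared": 100, "inside": 202},
                [Static("shared", net("10.20.10.0/24"))]),  # the page's Context B static
        Context("C", {"shared": 100, "inside": 203},
                [Static("shared", net("10.30.10.0/24"))]),
    ]


if __name__ == "__main__":
    ctxs = build_example_contexts()
    print(classify(ctxs, 100, "10.20.10.5"))   # B: Context B's static covers the destination
    print(classify(ctxs, 202, "192.0.2.1"))    # B: VLAN 202 belongs to Context B alone
    print(classify(ctxs, 100, "10.40.10.1"))   # None: a static route is not a classifier criterion
```

The third call is the failure mode the guide warns about: reachable by routing inside Context A, yet undeliverable on the shared interface because nothing tells the classifier which context the address belongs to.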
  • Cisco 7604 | Configuration Guide - Page 72
    , then you need to configure static NAT statements for each Internet address. This requirement necessarily limits the kind of address. Your NAT configuration determines DNS entry management.)
  • Cisco 7604 | Configuration Guide - Page 73
    [Figure labels: www.example.com 209.165.201.4, Internet, HTTP Packet Dest. Address: 209.165.201.4, Admin Context, Context A, VLAN 100] switch. From the switch, you access the system execution space.
  • Cisco 7604 | Configuration Guide - Page 74
    file, even though it does endure reboots. If you need to copy your configuration to another device, set the mode on the new device to match using the mode command.
  • Cisco 7604 | Configuration Guide - Page 75
    Number of Memory Partitions, page 4-13 • Changing the Memory Partition Size, page 4-14 • Reallocating Rules Between Features for a Specific Memory Partition, page 4-19
  • Cisco 7604 | Configuration Guide - Page 76
    support will be less than the maximum. See the "Maximum Number of ACEs" section on page 13-6 for more information about ACEs and memory usage. Table 4-1 Default Rule Allocation Specification
  • Cisco 7604 | Configuration Guide - Page 77
    contexts :2(RefCount:2) Number of rules :0(Max:53087) Partition #1 Mode :non-exclusive List of Contexts :admin, momandpopA, momandpopB, momandpopC, momandpopD
  • Cisco 7604 | Configuration Guide - Page 78
    Changing the Memory Partition Size The FWSM lets you set the memory size of each partition. Note Changing the partition sizes requires you to reload the FWSM.
  • Cisco 7604 | Configuration Guide - Page 79
    requires a second reload. • Allocate contexts to specific partitions before you set the partition sizes (see the "Configuring a Specific Memory Partition" section on page 4-19). If you manually allocated
  • Cisco 7604 | Configuration Guide - Page 80
    show resource partition output (rows 2-8 of the excerpt):
    Partition Number   Bootup Partition Size   Default Size   Current Configured Size
    2                  19219                   19219          15000
    3                  19219                   19219          15000
    4                  19219                   19219          15000
    5                  19219                   19219          15000
    6                  19219                   19219          19219
    7                  19219                   19219          19219
    8                  19219                   19219          19219
  • Cisco 7604 | Configuration Guide - Page 81
    Tree 7 8 9 10 11 Bootup Partition Size 19219 19219 19219 19219 19219 19219 19219 Configured Size 24001 24001 22369 22369 22369 22369 22369 Difference 4782 4782 3150 3150 3150 3150 3150
  • Cisco 7604 | Configuration Guide - Page 82
    (config-partition)# size 56615 hostname(config-partition)# show resource partition (columns: Partition Number, Bootup Partition Size, Default Size, Current Configured Size)
  • Cisco 7604 | Configuration Guide - Page 83
    for a specific partition overrides the global setting. Guidelines Caution Failure to follow these guidelines might result in dropped access list configuration as well as
  • Cisco 7604 | Configuration Guide - Page 84
    Del : 0 ... Note The established command creates two types of rules, control and data. Both of these types are shown in the display, but you allocate both rules by
  • Cisco 7604 | Configuration Guide - Page 85
    switch containing the FWSM can limit bandwidth per VLAN. See the switch documentation for more information.
  • Cisco 7604 | Configuration Guide - Page 86
    be unlimited, a few contexts can "use up" those resources, potentially affecting service to other contexts. You can set the limit for all resources together as a
  • Cisco 7604 | Configuration Guide - Page 87
    default set to the maximum allowed per context: • Telnet sessions: 5 sessions. • SSH sessions: 5 sessions. • IPSec sessions: 5 sessions. • MAC addresses: 65,535 entries.
  • Cisco 7604 | Configuration Guide - Page 88
    following options: • To set all resource limits (shown in Table 4-2), enter the following command: hostname(config-resmgmt)# limit-resource all {number% | 0}
  • Cisco 7604 | Configuration Guide - Page 89
    Chapter 4 Configuring Security Contexts Configuring Resource Management The number is an integer greater than or equal to 1. 0 ( also the show resource types command.
  • Cisco 7604 | Configuration Guide - Page 90
    N/A 65,535 concurrent For transparent firewall mode, the number of MAC addresses allowed in the MAC address table. N/A 999,900 concurrent TCP or concurrent
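The limit-resource semantics described above (a percentage of the maximum, an absolute count, or 0 for unlimited, with anything a class leaves unset inherited from the default class) are easiest to reason about when you can compute what every context ends up entitled to and whether the classes together promise more than the module has. The Python below is an added model for that; it is not from the guide or from Cisco. The maxima are the per-context defaults the page names plus the 999,900 connection figure from the Table 4-2 fragment, treated here as the pool all contexts share (an assumption); the gold and silver classes and the context membership are constructed. The truncating display (6553 of 65535 reported as 9.99%) is copied from the show resource allocation excerpt later on this page.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, Optional

# Figures taken from the page; treating them as the pool shared by all contexts is an assumption.
MAXIMA: Dict[str, int] = {
    "telnet": 5, "ssh": 5, "ipsec": 5, "mac-addresses": 65535, "conns": 999900,
}

UNLIMITED = None  # `limit-resource <resource> 0` means no limit


def parse_limit(spec: str, maximum: int) -> Optional[int]:
    """Turn a limit-resource argument ('10%', '6553' or '0') into an absolute limit.

    Percentages are taken of `maximum` and rounded down, which is what turns
    10% of 65,535 MAC addresses into the 6553 shown in the guide's output.
    """
    spec = spec.strip()
    if spec == "0":
        return UNLIMITED
    if spec.endswith("%"):
        pct = int(spec[:-1])
        if not 1 <= pct <= 100:
            raise ValueError(f"percentage out of range: {spec}")
        return maximum * pct // 100
    value = int(spec)
    if not 1 <= value <= maximum:
        raise ValueError(f"absolute limit outside 1-{maximum}: {spec}")
    return value


@dataclass
class ResourceClass:
    name: str
    # resource name (or 'all') -> spec exactly as typed after limit-resource
    limits: Dict[str, str] = field(default_factory=dict)

    def spec_for(self, resource: str) -> Optional[str]:
        return self.limits.get(resource, self.limits.get("all"))


def effective_limit(resource: str, cls: ResourceClass, default: ResourceClass) -> Optional[int]:
    """The class setting wins; anything it leaves unset is inherited from the default class."""
    spec = cls.spec_for(resource)
    if spec is None:
        spec = default.spec_for(resource)
    return UNLIMITED if spec is None else parse_limit(spec, MAXIMA[resource])


def share_pct(amount: int, maximum: int) -> float:
    """Percentage of the maximum, truncated to two decimals as the FWSM prints it."""
    return (amount * 10000 // maximum) / 100


@dataclass
class Allocation:
    per_context: Dict[str, Optional[int]]
    total: int           # sum of the bounded limits
    total_pct: float
    has_unlimited: bool  # at least one member may consume everything

    @property
    def oversubscribed(self) -> bool:
        return self.has_unlimited or self.total_pct > 100


def allocation(resource: str, members: Dict[str, str],
               classes: Dict[str, ResourceClass]) -> Allocation:
    """Per-resource view in the spirit of show resource allocation."""
    default = classes["default"]
    per_ctx = {ctx: effective_limit(resource, classes[cls], default) for ctx, cls in members.items()}
    bounded = [v for v in per_ctx.values() if v is not UNLIMITED]
    total = sum(bounded)
    return Allocation(per_ctx, total, share_pct(total, MAXIMA[resource]), len(bounded) < len(per_ctx))


def build_example():
    """Constructed classes and membership; the default class carries the page's defaults."""
    classes = {
        "default": ResourceClass("default", {"telnet": "5", "ssh": "5", "ipsec": "5",
                                             "mac-addresses": "65535"}),  # all else unlimited
        "gold": ResourceClass("gold", {"all": "100%"}),
        "silver": ResourceClass("silver", {"ssh": "20%", "mac-addresses": "10%", "conns": "10%"}),
    }
    members = {"admin": "default", "ctxA": "gold", "ctxB": "silver"}
    return classes, members


if __name__ == "__main__":
    classes, members = build_example()
    for resource in ("ssh", "mac-addresses", "conns"):
        a = allocation(resource, members, classes)
        state = "OVERSUBSCRIBED" if a.oversubscribed else "ok"
        print(f"{resource:14} {a.per_context} total={a.total} ({a.total_pct:.2f}%) {state}")
```

Two things the output makes visible that the per-context view hides: a gold class at 100% plus any other member is already over 100%, and a resource the default class leaves unlimited (connections here) means the admin context alone can starve the others, which is exactly the "use up" scenario the text describes.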
  • Cisco 7604 | Configuration Guide - Page 91
    for example, if you clear the configuration) then you must first specify the admin context name by entering the following command: hostname(config)# admin-context name
  • Cisco 7604 | Configuration Guide - Page 92
    followed by a numeric portion. The alphabetic portion of the mapped name must match for both ends of the range. For example, enter the following range: int0-int10
  • Cisco 7604 | Configuration Guide - Page 93
    port]/[path/]filename[;type=xx] The type can be one of the following keywords: ap (ASCII passive mode), an (ASCII normal mode), ip (default; binary passive mode), in (binary normal mode)
  • Cisco 7604 | Configuration Guide - Page 94
    default is 12 partitions, so the range is 0 to 11. See the "Setting the Number of Memory Partitions" section on page 4-13 to configure the number of memory partitions.
  • Cisco 7604 | Configuration Guide - Page 95
    you need to manually adjust the way configuration displays. You can, however, save all context running configurations from the system execution space using the write memory all command.
  • Cisco 7604 | Configuration Guide - Page 96
    a Security Context You can only remove a context by editing the system configuration. You cannot remove the current admin context, unless you remove all contexts
  • Cisco 7604 | Configuration Guide - Page 97
    /name(config)# changeto system To enter the context configuration mode for the context you want to change, enter the following command: hostname(config)# context name
  • Cisco 7604 | Configuration Guide - Page 98
    startup-config running-config The FWSM copies the configuration from the URL specified in the system configuration. You cannot change the URL from within a context.
  • Cisco 7604 | Configuration Guide - Page 99
    assigned to the context. Shows the firewall mode for each context, either Routed or Transparent. Shows the URL from which the FWSM loads the context configuration.
  • Cisco 7604 | Configuration Guide - Page 100
    , ID: 258 See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information about the detail
  • Cisco 7604 | Configuration Guide - Page 101
    Chapter 4 Configuring Security Contexts Managing Security Contexts Xlates All D 5 CA 1 CA unlimited 5 50.00% 1 10.00% 11 110.00% SSH default all C 5
  • Cisco 7604 | Configuration Guide - Page 102
    11520 5 5.00% 10 10.00% 20 20.00% 23040 23040 10.00% 10.00% mac-addresses default all C 65535 gold 1 D 65535 65535 100.00% silver 1 CA 6553 6553 9.99
  • Cisco 7604 | Configuration Guide - Page 103
    Chapter 4 Configuring Security Contexts Managing Security Contexts Viewing Resource Usage From the system Denied Context 12000(U) 0 Summary 100000(S) 0 Summary OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-39
  • Cisco 7604 | Configuration Guide - Page 104
    Resource Telnet SSH ASDM IPSec Syslogs [rate] Conns Xlates Hosts Conns [rate] Fixups [rate] Mac-addresses Current 0 0 0 0 0 0 0 0 0 0 0 Peak 0 0 0 0/s 0/s 0/s 0/s 4-40 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01
  • Cisco 7604 | Configuration Guide - Page 105
    Chapter 4 Configuring Security Contexts Managing Security Contexts AAA Author AAA Account TCP Intercept 0/s 0/s 322779/s 0/s Current Peak Limit Denied Context OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 4-41
  • Cisco 7604 | Configuration Guide - Page 106
    Managing Security Contexts Chapter 4 Configuring Security Contexts memory 238421312 238434336 unlimited 0 Summary chunk:channels limit; the system limit is shown 4-42 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01
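The context pages above (91 to 106) describe the system-configuration steps one at a time: name the admin context first, allocate VLAN interfaces with mapped names, pick a memory partition, point each context at a config URL, and cap what a context may consume with a resource class. The following is an added worked example written for this page, not text from the guide, that puts those steps together in the system execution space. Context names, VLAN numbers, the class limits, the FTP host 10.1.1.5 and its credentials are assumptions; allocate-acl-partition is this editor's understanding of the command that takes the partition number from page 94, so confirm it in the command reference for your release.

```cisco
! Added example, not the guide's own text. Names, VLANs, limits and hosts are assumptions.
! Run in the system execution space (changeto system first if you are in a context).
hostname(config)# admin-context admin
hostname(config)# context admin
hostname(config-ctx)# allocate-interface vlan100
hostname(config-ctx)# config-url disk:/admin.cfg
!
! Resource classes: a member context cannot exceed these, so one tenant under
! attack cannot exhaust connections, xlates or SSH sessions for the others.
hostname(config)# class gold
hostname(config-class)# limit-resource conns 10%
hostname(config-class)# limit-resource rate conns 3000
hostname(config-class)# limit-resource xlates 10%
hostname(config-class)# limit-resource ssh 5
hostname(config)# class silver
hostname(config-class)# limit-resource all 5%
!
! Customer A: dedicated VLANs with mapped names, so the context administrator
! never sees the real VLAN IDs. The alphabetic part of the mapped name (int)
! is the same at both ends of the range, as page 92 requires.
hostname(config)# context customerA
hostname(config-ctx)# description Customer A (gold class)
hostname(config-ctx)# allocate-interface vlan200 int0
hostname(config-ctx)# allocate-interface vlan201-vlan203 int1-int3
! Partition number 0-11 with the default of 12 partitions (command syntax assumed)
hostname(config-ctx)# allocate-acl-partition 1
hostname(config-ctx)# member gold
! FTP in binary passive mode, the default ";type=ip". The user, password and
! configuration travel in cleartext, so confine this path to a management VLAN
! or keep context configurations on disk: instead.
hostname(config-ctx)# config-url ftp://cfgadmin:S3cret@10.1.1.5/fwsm/customerA.cfg;type=ip
!
hostname(config)# context customerB
hostname(config-ctx)# allocate-interface vlan210-vlan211 int0-int1
hostname(config-ctx)# allocate-acl-partition 2
hostname(config-ctx)# member silver
hostname(config-ctx)# config-url disk:/customerB.cfg
!
! Verify what each context received, what the classes allow, and what is in use
hostname(config)# show context detail
hostname(config)# show resource allocation detail
hostname(config)# show resource usage context customerA
hostname(config)# write memory all
```

Note that a context cannot change its own config-url (page 98) and that the admin context is the one from which the other contexts are managed, so its VLAN should be a management VLAN that tenant networks cannot reach.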
  • Cisco 7604 | Configuration Guide - Page 107
    IP Routing Support, page 5-1
    • How Data Moves Through the FWSM in Routed Firewall Mode, page 5-2
    IP Routing Support: The FWSM acts as a router between connected networks, and each interface requires an IP address on a different subnet. In single context mode, the routed firewall supports OSPF, EIGRP
  • Cisco 7604 | Configuration Guide - Page 108
    (Figure 5-1 labels: Inside, DMZ, User 10.1.2.27, Web Server 10.1.1.3.) The following steps describe how data moves through the FWSM (see Figure 5-1): 1. The user on the inside network
  • Cisco 7604 | Configuration Guide - Page 109
    associated with a new connection. The FWSM performs NAT by translating the mapped address to the real address, 10.1.2.27. 6. The FWSM forwards the packet to the inside user
  • Cisco 7604 | Configuration Guide - Page 110
    web server. (Figure 5-3, Inside to DMZ, labels: Outside 209.165.201.2, FWSM 10.1.2.1 and 10.1.1.1, Inside, DMZ, User 10.1.2.27, Web Server 10.1.1.3.)
  • Cisco 7604 | Configuration Guide - Page 111
    (Figure 5-4, Outside to Inside, labels: www.example.com, Outside 209.165.201.2, FWSM 10.1.2.1 and 10.1.1.1, Inside, DMZ, User 10.1.2.27.)
  • Cisco 7604 | Configuration Guide - Page 112
    the security policy (access lists, filters, AAA). 3. The packet is denied, and the FWSM drops the packet and logs the connection attempt.
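The four data-flow descriptions above (pages 108 to 112) assume a routed-mode configuration that the figures only sketch. As an added example, not the guide's own, here is one that reproduces the figure addresses: inside 10.1.2.1, DMZ 10.1.1.1, outside 209.165.201.2, the user 10.1.2.27 and the web server 10.1.1.3. The VLAN numbers, the mapped address 209.165.201.3 for the server, the upstream gateway 209.165.201.1 and the access-list names are assumptions.

```cisco
! Added example, not the guide's own. VLANs, 209.165.201.3, 209.165.201.1 and
! the access-list names are assumptions; the other addresses come from Figures 5-1 to 5-4.
hostname(config)# interface vlan 100
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 209.165.201.2 255.255.255.224
hostname(config-if)# interface vlan 101
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# interface vlan 102
hostname(config-if)# nameif dmz
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
!
! Inside users reach the Internet behind the outside interface address (PAT).
! Inside-to-DMZ traffic is exempted from translation, so the web server sees 10.1.2.27
! and its reply is matched to the existing connection without a new xlate.
hostname(config)# access-list nonat extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
hostname(config)# nat (inside) 0 access-list nonat
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 interface
!
! The DMZ web server 10.1.1.3 is published on the mapped address 209.165.201.3.
hostname(config)# static (dmz,outside) 209.165.201.3 10.1.1.3 netmask 255.255.255.255
!
! Unlike the PIX and ASA, the FWSM does not pass higher-to-lower security traffic
! without an access list, so the inside interface needs an explicit outbound permit.
hostname(config)# access-list inside_out extended permit ip 10.1.2.0 255.255.255.0 any
hostname(config)# access-group inside_out in interface inside
!
! From the outside only HTTP to the published server is permitted. The outside-to-inside
! attempt of Figure 5-4 matches no permit line, so it is dropped and logged (step 3 above).
hostname(config)# access-list outside_in extended permit tcp any host 209.165.201.3 eq www
hostname(config)# access-group outside_in in interface outside
!
! Default route toward the upstream router
hostname(config)# route outside 0.0.0.0 0.0.0.0 209.165.201.1
```

The nat 0 access-list line is what keeps the inside-to-DMZ flow of Figure 5-3 untranslated; without it, and with NAT control enabled, that flow would also need a global pool on the DMZ interface.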
  • Cisco 7604 | Configuration Guide - Page 113
    . The management IP address must be on the same subnet as the connected network. For another method of management, see the "Management Interface" section on page 5-8.
  • Cisco 7604 | Configuration Guide - Page 114
    made for BPDUs, which are supported. For example, you can establish routing protocol adjacencies through a transparent firewall; you can allow OSPF, RIP, EIGRP, or BGP.
  • Cisco 7604 | Configuration Guide - Page 115
    to the outside router. (Figure 5-6, Transparent Firewall Network, labels: Internet, FWSM, Network A, 10.1.1.1, Management IP 10.1.1.2, 10.1.1.3, 192.168.1.2, Network B.)
  • Cisco 7604 | Configuration Guide - Page 116
    IP address is required for each bridge group. Unlike routed mode, which requires an IP address for each interface, a transparent firewall has an IP address assigned
  • Cisco 7604 | Configuration Guide - Page 117
    in an extended access list.
    Remote access VPN for management (not supported in transparent mode): You can use site-to-site VPN for management.
  • Cisco 7604 | Configuration Guide - Page 118
    (Figure labels: Host 209.165.201.3, Web Server 209.165.200.225.) This section describes how data moves through the FWSM, and includes the following topics: • An Inside User Visits a
  • Cisco 7604 | Configuration Guide - Page 119
    , the packet bypasses the many lookups associated with a new connection. 6. The FWSM forwards the packet to the inside user.
  • Cisco 7604 | Configuration Guide - Page 120
    , the packet bypasses the many lookups associated with a new connection. 7. The FWSM performs NAT by translating the mapped address to the real address, 10.1.2.27.
  • Cisco 7604 | Configuration Guide - Page 121
    .1. If the destination MAC address is not in the FWSM table, the FWSM attempts to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.
  • Cisco 7604 | Configuration Guide - Page 122
    to attack the inside network, the FWSM employs many technologies to determine if a packet is valid for an already established session.
  • Cisco 7604 | Configuration Guide - Page 123
    context: hostname(config)# firewall transparent
    • To set the mode to routed, enter the following command in each context: hostname(config)# no firewall transparent
  • Cisco 7604 | Configuration Guide - Page 124
    Setting Transparent or Routed Firewall Mode (Chapter 5, Configuring the Firewall Mode)
  • Cisco 7604 | Configuration Guide - Page 125
    choose to use NAT between any interface, or you can choose not to use NAT. Keep in mind that configuring NAT for an outside interface might require a special keyword.
  • Cisco 7604 | Configuration Guide - Page 126
    interfaces that you are reserving for failover and Stateful Failover communications. See Chapter 14, "Configuring Failover," to configure the failover and state links.
  • Cisco 7604 | Configuration Guide - Page 127
    :
    hostname(config)# interface vlan 101
    hostname(config-if)# nameif inside
    hostname(config-if)# security-level 100
    hostname(config-if)# ip address 10.1.1.1 255.255.255.0
  • Cisco 7604 | Configuration Guide - Page 128
    management, you have two available mechanisms:
    • Any bridge group management address: Connect to the bridge group network on which your management station is located.
  • Cisco 7604 | Configuration Guide - Page 129
    one management interface each.
    - The management interface IP address can be on a separate network from any bridge group
    See Chapter 14, "Configuring Failover," to configure the failover and state links.
  • Cisco 7604 | Configuration Guide - Page 130
    hostname(config-if)# interface bvi bridge_group_number
    Specify the IP address by entering the following command: hostname(config-if)# ip address ip_address [mask] [standby ip_address]
  • Cisco 7604 | Configuration Guide - Page 131
    reserved address from that subnet to the upstream router, then the FWSM drops the ARP request from the downstream router to the upstream router. The FWSM does not support traffic on
  • Cisco 7604 | Configuration Guide - Page 132
    (Figure labels: .0.0.3, FWSM VLAN 105, Bridge group IP: 209.165.202.129, Inside Context A, Inside Context B, Inside Context C.)
    Context A: hostname(config)# interface vlan500
  • Cisco 7604 | Configuration Guide - Page 133
    hostname(config-if)# security-level 0
    hostname(config-if)# bridge-group 30
    hostname(config-if)# interface bvi 30
    hostname(config-if)# ip address 209.165.202.129 255.255.255.224
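Pages 113 to 133 cover transparent mode in pieces: the per-context mode switch, one management address per bridge group on the connected subnet, and routing protocols passing through when an extended access list permits them. As an added example that is not the guide's own, here is a single transparent-mode context using the Figure 5-6 addresses (router 10.1.1.1, management 10.1.1.2); the VLAN numbers, bridge-group 1, the standby address 10.1.1.3, the SSH source network 192.168.1.0/24 and the access-list names are assumptions.

```cisco
! Added example, not the guide's own. VLANs, bridge-group 1, 10.1.1.3 as standby,
! 192.168.1.0/24 and the access-list names are assumptions.
! Set the mode first: changing it clears the running configuration, so do this on a
! new context or after saving a backup.
hostname(config)# firewall transparent
!
hostname(config)# interface vlan 300
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# bridge-group 1
hostname(config-if)# interface vlan 301
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# bridge-group 1
!
! One management address per bridge group, on the same subnet as the bridged network,
! with a standby address for failover. Hosts never use it as a gateway; it is the source
! of the firewall's own ARP requests, pings and management sessions.
hostname(config-if)# interface bvi 1
hostname(config-if)# ip address 10.1.1.2 255.255.255.0 standby 10.1.1.3
!
! Through traffic is still denied until an extended access list permits it.
hostname(config)# access-list inside_out extended permit ip any any
hostname(config)# access-group inside_out in interface inside
! Let the routers on either side form an OSPF adjacency across the firewall
! (IP protocol 89). RIP, EIGRP and BGP would each need their own permit line.
hostname(config)# access-list outside_in extended permit ospf any any
hostname(config)# access-list outside_in extended permit tcp any 10.1.1.0 255.255.255.0 eq www
hostname(config)# access-group outside_in in interface outside
!
! Management traffic sourced from the BVI address needs a route to remote stations,
! and SSH should be accepted only from the management network.
hostname(config)# route outside 0.0.0.0 0.0.0.0 10.1.1.1
hostname(config)# ssh 192.168.1.0 255.255.255.0 inside
!
hostname# show bridge-group
hostname# show arp
```

Because the first packet to an unknown destination MAC is dropped while the FWSM ARPs and pings for it (page 121), expect one lost packet per new destination after a bridge-table flush, not a policy denial.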
  • Cisco 7604 | Configuration Guide - Page 134
    in some situations, you can exceed the maximum number of xlates using that configuration (see the "Managed System Resources" section on page A-4 for limits).
  • Cisco 7604 | Configuration Guide - Page 135
    , keep in mind the following requirements:
    • Outside NAT is not supported.
    • You can configure static routes from one interface to another on the same security level.
  • Cisco 7604 | Configuration Guide - Page 136
    the interface, enter the following command: hostname(config-if)# shutdown
    To reenable the interface, enter the following command: hostname(config-if)# no shutdown
  • Cisco 7604 | Configuration Guide - Page 137
    in the configuration in encrypted form, so you cannot view the original password after you enter it. Use the no password command to restore the password to the default setting.
  • Cisco 7604 | Configuration Guide - Page 138
    default password is "cisco". Change the root password by entering the following command: root@localhost# passwd
    Enter the new password at the prompt:
    Changing password for user root
    New password:
  • Cisco 7604 | Configuration Guide - Page 139
    unit to Active unit. Configurations are no longer synchronized.
    context-CTX1-secondary %FWSM-5-111008: User 'enable_15' executed the 'logging console debug' command.
  • Cisco 7604 | Configuration Guide - Page 140
    hostname must start and end with a letter or digit, and have as interior characters only letters, digits, or a hyphen. The FWSM supports all 95 printable [...] domain name.
  • Cisco 7604 | Configuration Guide - Page 141
    a context by using the $(system) string in the context configuration. To add more than one line, precede each line by the banner command. For example, to add a message-
  • Cisco 7604 | Configuration Guide - Page 142
    Configuring a Login Banner (Chapter 7, Configuring Basic Settings)
  • Cisco 7604 | Configuration Guide - Page 143
    this packet by looking up the route to select the egress interface, then source-IP translation is performed (if necessary).
  • Cisco 7604 | Configuration Guide - Page 144
    The same problem may happen [...] resolved manually [...] OSPF.
    • Your network is small and you can easily manage static routes.
    • You do not want the traffic or CPU overhead associated with routing protocols.
  • Cisco 7604 | Configuration Guide - Page 145
    table manually. However, static routes are removed from the routing table if the associated interface goes down. They are reinstated when the interface comes back up.
  • Cisco 7604 | Configuration Guide - Page 146
    IP addresses 192.168.2.1, 192.168.2.2, 192.168.2.3.
    hostname(config)# route outside 0 0 192.168.2.1
    hostname(config)# route outside 0 0 192.168.2.2
    hostname(config)# route outside 0 0 192.168.2.3
  • Cisco 7604 | Configuration Guide - Page 147
    switch to an alternate path in the event a router goes down, use the Command Line [...]
    To define a route map for use with supported features, perform the following steps: [...] hostname(config-route-map)# match ip address acl_id [acl_id] [...]
  • Cisco 7604 | Configuration Guide - Page 148
    a next hop router address that matches [...] The FWSM supports BGP stub routing. The BGP stub routing process advertises static and directly connected routes but does not accept routes advertised by the BGP peer.
  • Cisco 7604 | Configuration Guide - Page 149
    and configure a BGP routing process, perform the following steps:
    Step 1 Create the BGP routing process by entering the following command: hostname(config)# router bgp as-number
  • Cisco 7604 | Configuration Guide - Page 150
    hostname(config-router)# neighbor ip-addr password [mode] password
    The ip-addr argument is the IP address of the BGP neighbor defined with the neighbor command. The mode argument
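Pages 148 to 150 describe the BGP stub process and its neighbor password one command at a time. The following is an added example, not the guide's own, of a complete stub peering with TCP MD5 authentication. The AS numbers, the peer 192.168.2.1 and the key are assumptions; neighbor remote-as and the two redistribute lines are standard Cisco BGP syntax that this editor assumes the FWSM stub implementation shares (the page says the stub advertises static and connected routes), so check them against the command reference before relying on them.

```cisco
! Added example, not the guide's own. AS numbers, peer address and key are assumptions;
! remote-as and redistribute are assumed from the stub description on page 148.
hostname(config)# router bgp 65010
hostname(config-router)# neighbor 192.168.2.1 remote-as 65000
! TCP MD5 signature on the peering session: a peer that does not hold the same key
! cannot open the session, and forged UPDATE or RST segments from elsewhere on the
! segment are discarded. The mode argument from page 150 is omitted here.
hostname(config-router)# neighbor 192.168.2.1 password Lq9vR2xTn4pWz8Ks
! A stub advertises only its own static and connected routes and accepts nothing back,
! so a compromised peer cannot inject routes into the firewall's table.
hostname(config-router)# redistribute static
hostname(config-router)# redistribute connected
!
hostname# show route
```

Rotate the key on both ends in the same maintenance window; with MD5 enabled, a mismatch silently prevents the session from forming rather than producing a clear error on the FWSM side.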
  • Cisco 7604 | Configuration Guide - Page 151
    . The cost can be configured to specify preferred paths. The disadvantage of shortest path first algorithms is that they require a lot of CPU cycles and memory.
  • Cisco 7604 | Configuration Guide - Page 152
    the following command: hostname(config-router)# network ip_address mask area area_id
    The following example shows how to enable OSPF: hostname(config)# router ospf 2
  • Cisco 7604 | Configuration Guide - Page 153
    static and dynamic) supported by the FWSM is 32768, or 32K. To redistribute static, connected, or OSPF routes from one process into another OSPF process, perform the [...] hostname(config)# router ospf 1
  • Cisco 7604 | Configuration Guide - Page 154
    the following command: hostname(config-interface)# ospf message-digest-key key_id md5 key
    Set the following values:
    - key_id: An identifier in the range from 1 to 255.
  • Cisco 7604 | Configuration Guide - Page 155
    Fragment of show ospf output: and opaque AS LSA 0; Number of DoNotAge external and opaque AS LSA 0; Number of areas in this router is 1. 1 normal 0 stub 0 nssa; External flood list length 0; Area BACKBONE(0)
  • Cisco 7604 | Configuration Guide - Page 156
    :
    hostname(config)# router ospf 2
    hostname(config-router)# area 0 authentication
    hostname(config-router)# area 0 authentication message-digest
    hostname(config-router)# area 17 stub
  • Cisco 7604 | Configuration Guide - Page 157
    7 default route that can be used to reach external destinations. When configured, the router generates a type 7 default into the NSSA or the NSSA area boundary router.
  • Cisco 7604 | Configuration Guide - Page 158
    hostname(config-if)# security-level 0
    hostname(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
    hostname(config-if)# ospf network point-to-point non-broadcast
  • Cisco 7604 | Configuration Guide - Page 159
    enter the following command: hostname(config-router)# summary-address ip_address mask [not-advertise] [tag tag]
    OSPF does not support summary-address 0.0.0.0 0.0.0.0.
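Pages 151 to 159 spread one OSPF deployment over several commands: the process and its network statements, MD5 keys per interface, area-wide message-digest authentication, a stub area, and summary-address for redistributed routes. As an added example, not the guide's own, here they are combined. The VLAN numbers, the networks 10.1.1.0/24 and 10.2.1.0/24, area 17, the MD5 key and the summary prefix 192.168.0.0/16 are assumptions; log-adj-changes is the command this editor expects for adjacency logging, so verify it in the command reference.

```cisco
! Added example, not the guide's own. VLANs, networks, area 17, the key and the
! summary prefix are assumptions.
hostname(config)# interface vlan 20
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
! MD5 on the link: a neighbor without key id 1 and the same key is ignored, so a rogue
! host on the VLAN cannot form an adjacency and inject routes. The key is kept in the
! configuration, so treat the saved config as a secret.
hostname(config-if)# ospf authentication message-digest
hostname(config-if)# ospf message-digest-key 1 md5 Qw3rTy8uIoP2sDfG
hostname(config-if)# interface vlan 21
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.2.1.1 255.255.255.0 standby 10.2.1.2
hostname(config-if)# ospf authentication message-digest
hostname(config-if)# ospf message-digest-key 1 md5 Qw3rTy8uIoP2sDfG
!
hostname(config)# router ospf 2
hostname(config-router)# network 10.1.1.0 255.255.255.0 area 0
hostname(config-router)# network 10.2.1.0 255.255.255.0 area 17
! Require message-digest area-wide, so an interface that is later added without a key
! does not quietly fall back to unauthenticated hellos.
hostname(config-router)# area 0 authentication message-digest
hostname(config-router)# area 17 authentication message-digest
! The inside area is a stub: it receives a default route instead of external routes.
hostname(config-router)# area 17 stub
! Static routes are injected as one summary, so the prefixes behind the firewall are
! not advertised one at a time (summary-address applies to redistributed routes only,
! and 0.0.0.0 0.0.0.0 is not allowed, per page 159).
hostname(config-router)# redistribute static subnets
hostname(config-router)# summary-address 192.168.0.0 255.255.0.0
! Log adjacency changes: a new, unexpected neighbor is worth an alert.
hostname(config-router)# log-adj-changes
!
hostname# show ospf neighbor
hostname# show ospf 2 summary-address
```

The interface keys and the area-wide authentication setting must agree on every router in the area; a router that still runs cleartext authentication will show as a dropped neighbor in the adjacency log rather than as a configuration error.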
  • Cisco 7604 | Configuration Guide - Page 160
    . The default time is 5 seconds. A value of 0 means that there is no delay; that is, the SPF calculation is started immediately.
  • Cisco 7604 | Configuration Guide - Page 161
    You also can display the LSAs waiting to be sent out an interface. The benefit of the pacing is that OSPF update and retransmission packets are sent more efficiently.
  • Cisco 7604 | Configuration Guide - Page 162
    : hostname# show ospf [process-id] summary-address
    • To display OSPF-related virtual links information, enter the following command: hostname# show ospf [process-id] virtual-links
  • Cisco 7604 | Configuration Guide - Page 163
    of routers or gateways that a packet must travel through to reach the destination address. RIP generates more traffic than OSPF, but is easier to configure initially
  • Cisco 7604 | Configuration Guide - Page 164
    Time, page 8-27
    • Disabling Automatic Route Summarization, page 8-27
    • Configuring Summary Aggregate Addresses, page 8-28
    • Disabling EIGRP Split Horizon, page 8-28
  • Cisco 7604 | Configuration Guide - Page 165
    receiving EIGRP updates. (Optional) To prevent an interface from sending or receiving EIGRP routing messages, enter the following command:
  • Cisco 7604 | Configuration Guide - Page 166
    Step 1 Create the EIGRP routing process and enter router configuration mode for that process by entering the following command: hostname(config)# router eigrp as-num
  • Cisco 7604 | Configuration Guide - Page 167
    exist. The key argument can contain up to 16 characters. The key-id argument is a number from 0 to 255.
  • Cisco 7604 | Configuration Guide - Page 168
    routing process, enter the following command: hostname(config-router)# redistribute connected [metric bandwidth delay reliability loading mtu] [route-map map_name]
  • Cisco 7604 | Configuration Guide - Page 169
    hostname(config-router)# redistribute ospf pid [match [...] problems if you have non-contiguous networks. For example, if you have a router [...] routers creating the conflicting summary addresses.
  • Cisco 7604 | Configuration Guide - Page 170
    : Step 1 Enter interface configuration mode for the interface on which you are disabling split horizon by entering the following command: hostname(config)# interface phy_if
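Pages 164 to 170 list the EIGRP building blocks separately: the process, passive interfaces, the 16-character key with a key-id of 0 to 255, redistribution and split horizon. The following added example, not the guide's own, assembles them for one firewall. AS 100, the VLAN numbers, the network 10.1.0.0/16, the dmz interface name and the key are assumptions.

```cisco
! Added example, not the guide's own. AS 100, VLANs, networks, interface names and
! the key are assumptions.
hostname(config)# router eigrp 100
hostname(config-router)# network 10.1.0.0 255.255.0.0
! No EIGRP neighbor lives on the DMZ: stop hellos there, so a DMZ host cannot even
! attempt to form an adjacency and learn or inject routes.
hostname(config-router)# passive-interface dmz
hostname(config-router)# redistribute static
!
hostname(config)# interface vlan 20
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
! MD5 authentication: key of at most 16 characters, key-id 0 to 255; both must match
! the neighbor's values or the adjacency never forms.
hostname(config-if)# authentication mode eigrp 100 md5
hostname(config-if)# authentication key eigrp 100 Zx4cVb7nMq1aSd2f key-id 1
!
! Split horizon stays enabled (the default). Disable it only on the hub interface of a
! point-to-multipoint network; doing so elsewhere readvertises routes back out of the
! interface they were learned on:
! hostname(config-if)# no split-horizon eigrp 100
!
hostname# show eigrp 100 neighbors
hostname# show eigrp 100 events
```

The event log (page 171) is the first place to look when an authenticated neighbor fails to appear: a key or key-id mismatch shows up there as hellos that are received but never accepted.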
  • Cisco 7604 | Configuration Guide - Page 171
    Cisco 7600 Series Router Firewall Services Module Command Reference.
    • To display the EIGRP event log, enter the following command: hostname# show eigrp [as-number] events [{start end
  • Cisco 7604 | Configuration Guide - Page 172
    failover pair, are connected to different service providers and the outbound connection does not use a NAT address. By default, the FWSM drops the [...]
    Routing Support Example, page 8-31
  • Cisco 7604 | Configuration Guide - Page 173
    the unit where context B is active. Normally, the return traffic would be dropped because there is no session information
  • Cisco 7604 | Configuration Guide - Page 174
    between two chassis in Active/Active failover mode, both of the FWSM networks inject routes to their corresponding MSFC, corresponding to the contexts that are in the Active state.
  • Cisco 7604 | Configuration Guide - Page 175
    FWSM in the other chassis. In that case, the [...] supported in both single and multiple context mode.
    • RHI is supported in routed firewall mode; it is not supported in transparent mode.
    • RHI is supported
  • Cisco 7604 | Configuration Guide - Page 176
    hostname(config)# interface vlan20
    hostname(config-if)# nameif outside
    hostname(config-if)# ip address 209.165.200.250 255.255.255.224 standby 209.165.200.251
    hostname(config
  • Cisco 7604 | Configuration Guide - Page 177
    DHCP server does not support BOOTP requests. In multiple context mode, you cannot enable the DHCP server or DHCP relay on an interface that is used by more than one context.
  • Cisco 7604 | Configuration Guide - Page 178
    [dns2] You can specify up to two DNS servers. (Optional) To specify the IP address(es) of the WINS server(s) the client will use, enter the following command: hostname(config
  • Cisco 7604 | Configuration Guide - Page 179
    The FWSM supports all three categories of DHCP options. To configure a DHCP option, do one of the following:
    • To configure a DHCP option that returns one or two IP addresses, enter
  • Cisco 7604 | Configuration Guide - Page 180
    • To provide the IP address or names of one or two TFTP servers for option 150, enter the following command: hostname(config)# dhcpd option 150 ip server_ip1 [server_ip2]
  • Cisco 7604 | Configuration Guide - Page 181
    To configure an interface-specific server, enter the following commands:
    hostname(config)# interface {vlan vlan_id | mapped_name}
    hostname(config-if)# dhcprelay server ip_address
  • Cisco 7604 | Configuration Guide - Page 182
    the DHCP server by using the routing table.) Note: If you configure an interface-specific server address after a connection has already been set up between a client
  • Cisco 7604 | Configuration Guide - Page 183
    DHCP relay agent address that will be set [...] specific DHCP relay configuration, enter the following command: hostname# show running-config dhcprelay interface [vlan vlan_id | mapped_name]
  • Cisco 7604 | Configuration Guide - Page 184
    To view the global DHCP relay configuration, enter the following command: hostname# show running-config dhcprelay global
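Pages 177 to 184 give the DHCP server and DHCP relay commands individually. As an added example that is not the guide's own, here are both: a server on the inside interface with DNS, WINS and option 150, and, as an alternative deployment, an interface-specific relay whose server is reached through the routing table. The interface names, VLAN 101, the address pool, the DNS, WINS, TFTP and DHCP server addresses and the domain are assumptions. Whether the relay agent and the server may be enabled on the same unit is not stated on these pages; check the dhcprelay enable entry in the command reference for your release, and treat the two parts below as alternatives.

```cisco
! Added example, not the guide's own. Interface names, VLAN 101, pools, server
! addresses and the domain are assumptions.
!
! Part 1: DHCP server on the inside interface (answers DHCP only; BOOTP clients get no reply)
hostname(config)# dhcpd address 10.1.2.100-10.1.2.200 inside
hostname(config)# dhcpd dns 10.1.2.5 10.1.2.6
hostname(config)# dhcpd wins 10.1.2.7
hostname(config)# dhcpd domain example.com
hostname(config)# dhcpd lease 28800
! Option 150: IP phones fetch their configuration from this TFTP server (one or two addresses)
hostname(config)# dhcpd option 150 ip 10.1.2.50
hostname(config)# dhcpd enable inside
hostname# show dhcpd binding
!
! Part 2 (alternative): relay inside requests to a server on another interface. The
! interface-specific server is configured on the client-facing interface; the server
! itself is located through the routing table, so it needs a route and an access list
! that permits the relayed DHCP traffic.
hostname(config)# interface vlan 101
hostname(config-if)# dhcprelay server 10.1.1.20
hostname(config)# dhcprelay enable inside
hostname(config)# dhcprelay timeout 60
! Rewrite the router option in replies to the FWSM inside address, so clients never
! learn a gateway that sits on the far side of the firewall.
hostname(config)# dhcprelay setroute inside
!
hostname# show running-config dhcprelay interface vlan 101
hostname# show running-config dhcprelay global
```

In multiple context mode neither part may be enabled on a VLAN shared by more than one context (page 177); give the DHCP-serving context a VLAN of its own.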
  • Cisco 7604 | Configuration Guide - Page 185
    receivers, without requiring source-specific state. The DF election takes place during Rendezvous Point discovery and provides a default route to the Rendezvous Point. OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 9-1
  • Cisco 7604 | Configuration Guide - Page 186
    Table 9-1 lists the maximum number of entries for specific multicast tables based on the amount of RAM on Configuring Group Membership, page 9-3 • Configuring a Statically Joined Group, page 9-3 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
  • Cisco 7604 | Configuration Guide - Page 187
    specified interface. To configure a statically joined multicast group on an interface, enter the following command: hostname(config-if)# igmp static-group group-address OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 9-3
  • Cisco 7604 | Configuration Guide - Page 188
    prevents learned groups from being added, but manually defined memberships (using the igmp join- specific groups. Query messages are addressed to the all-systems multicast group, which has an address Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 9-4 OL-20748
  • Cisco 7604 | Configuration Guide - Page 189
    from the interface attached to the stub area: hostname(config-if)# igmp forward interface if_name Note Stub Multicast Routing and PIM are not supported concurrently. OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 9-5
  • Cisco 7604 | Configuration Guide - Page 190
    PIM Message Intervals, page 9-8 Disabling PIM on an Interface You can disable PIM on specific interfaces. To disable PIM on an interface, enter the following command: Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 9-6 OL-20748-01
  • Cisco 7604 | Configuration Guide - Page 191
    to 4294967294. Filtering PIM Register Messages: You can configure the FWSM to filter PIM register messages. To filter PIM register messages, enter the following command: …
  • Cisco 7604 | Configuration Guide - Page 192
    the SMR feature: • RFC 2236 IGMPv2 • RFC 2362 PIM-SM • RFC 2588 IP Multicast and Firewalls • RFC 2113 IP Router Alert Option • IETF draft-ietf-idmr-igmp-proxy-01.txt
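The multicast commands quoted on the pages above (igmp static-group, igmp forward interface, disabling PIM per interface, filtering PIM register messages) fit together as follows. This is an added example, not a configuration from the guide: the VLAN numbers, interface names, RP address 10.200.0.1, the 10.1.1.0/24 source subnet and the group 239.1.1.1 are all assumed values.

```cisco
! Added example (not from the guide): PIM sparse mode on an FWSM in routed mode.
! Assumed: VLAN 201 = inside, VLAN 202 = dmz; RP, subnets and groups are made up.
hostname(config)# multicast-routing
hostname(config)# pim rp-address 10.200.0.1
! Accept PIM Register messages only for sources on the inside subnet sending to
! the enterprise group range; anything else is dropped instead of creating state.
hostname(config)# access-list PIM_REGISTER extended permit ip 10.1.1.0 255.255.255.0 239.1.0.0 255.255.0.0
hostname(config)# pim accept-register list PIM_REGISTER
hostname(config)# interface vlan 201
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
! Pin a receiver group on the inside interface so traffic is forwarded even when
! no host has sent an IGMP report (for example a receiver that cannot run IGMP).
hostname(config-if)# igmp static-group 239.1.1.1
hostname(config-if)# interface vlan 202
hostname(config-if)# nameif dmz
hostname(config-if)# security-level 50
hostname(config-if)# ip address 10.2.2.1 255.255.255.0
! No multicast is wanted on the DMZ: stop PIM on that interface only.
hostname(config-if)# no pim
hostname(config-if)# exit
! Verify the RP mapping, the register filter and the static join:
hostname(config)# show pim group-map
hostname(config)# show igmp groups
! Stub Multicast Routing is the alternative for a pure edge segment
! (hostname(config-if)# igmp forward interface outside); it cannot be
! combined with PIM on the same FWSM, as the note above states.
```

The register filter is the security-relevant piece: without it any host that can reach the FWSM as a first-hop router can register arbitrary sources toward the RP.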
  • Cisco 7604 | Configuration Guide - Page 193
    FWSM commands can accept and display IPv6 addresses: • capture • configure • copy • http • name • object-group • ping • show conn • show local-host • show tcpstat
  • Cisco 7604 | Configuration Guide - Page 194
    support IPv6 anycast addresses. You can configure both IPv6 and IPv4 addresses on an interface. Note: You cannot configure IPv6 on an interface that is used by more than one context (a shared VLAN).
  • Cisco 7604 | Configuration Guide - Page 195
    (config-if)# ipv6 nd suppress-ra
    See the "Example 4: IPv6 Configuration Example" section on page B-13 for an example of IPv6 addresses applied to an interface.
  • Cisco 7604 | Configuration Guide - Page 196
    … Note: Changing this value changes it for all neighbor solicitation messages sent out on the interface, not just those used for duplicate address detection.
  • Cisco 7604 | Configuration Guide - Page 197
    ipv6 route interface_name ::/0 next_hop_ipv6_addr
    The address ::/0 is the IPv6 equivalent of " … specifically for ICMP traffic, enter the following command:
    hostname(config)# ipv6 access-list id [line num …
  • Cisco 7604 | Configuration Guide - Page 198
    addresses, the keyword any, to specify any address, or a specific host designated by host host_ipv6_addr. • src_port and dst_port: The source and destination port (or service …
  • Cisco 7604 | Configuration Guide - Page 199
    reachable after a reachability confirmation event has occurred, enter the following command:
    hostname(config-if)# ipv6 nd reachable-time value
  • Cisco 7604 | Configuration Guide - Page 200
    of the router solicitation message. You can configure the following settings for router advertisement messages: • The time interval between periodic router advertisement messages. …
  • Cisco 7604 | Configuration Guide - Page 201
    ipv6-prefix/prefix-length
    Note: For stateless autoconfiguration to work properly, the advertised prefix length in router advertisement messages must always be 64 bits.
  • Cisco 7604 | Configuration Guide - Page 202
    IPv6 enabled on them. The output for the command shows the following: • The name and status of the interface. • The link-local and global unicast addresses. …
  • Cisco 7604 | Configuration Guide - Page 203
    … OE1 - OSPF ext 1, OE2 - OSPF ext 2
    L   fe80::/10 [0/0] via ::, inside
    L   fec0::a:0:0:a0a:a70/128 [0/0] via ::, inside
    C   fec0:0:0:a::/64 [0/0] via ::, inside
    L   ff00::/8 [0/0] via ::, inside
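The IPv6 pages above give the individual commands (interface address, ipv6 nd suppress-ra, the DAD/neighbor-solicitation timers, ipv6 route ::/0, ipv6 access-list, ipv6 nd prefix with a 64-bit prefix) one at a time; the following added example, which is not from the guide, puts them on a dual-stack inside and outside interface. All prefixes are from the 2001:db8::/32 documentation range and the next-hop, server address and interface names are assumptions.

```cisco
! Added example (not from the guide): dual-stack interfaces, RA tuned per side,
! a default IPv6 route and an IPv6 ACL. Addresses and names are assumptions.
hostname(config)# interface vlan 201
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# ipv6 address 2001:db8:0:a::1/64
hostname(config-if)# ipv6 enable
! Advertise the /64 so hosts can autoconfigure (the prefix length must be 64).
hostname(config-if)# ipv6 nd prefix 2001:db8:0:a::/64
hostname(config-if)# ipv6 nd ra-interval 200
hostname(config-if)# ipv6 nd ra-lifetime 1800
! DAD: two neighbor solicitations before the address is accepted. Note that the
! ns-interval applies to every NS the interface sends, not only DAD.
hostname(config-if)# ipv6 nd dad attempts 2
hostname(config-if)# ipv6 nd ns-interval 1000
hostname(config-if)# interface vlan 200
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ipv6 address 2001:db8:0:1::2/64
! Never advertise the FWSM as a router on the untrusted side.
hostname(config-if)# ipv6 nd suppress-ra
hostname(config-if)# exit
! ::/0 is the IPv6 default route; point it at the upstream router.
hostname(config)# ipv6 route outside ::/0 2001:db8:0:1::1
! Inbound IPv6 ACL: admit only the ICMPv6 that neighbor discovery and path MTU
! discovery need, plus the web server; the implicit deny drops the rest.
hostname(config)# ipv6 access-list OUTSIDE6 permit icmp6 any any neighbor-solicitation
hostname(config)# ipv6 access-list OUTSIDE6 permit icmp6 any any neighbor-advertisement
hostname(config)# ipv6 access-list OUTSIDE6 permit icmp6 any any packet-too-big
hostname(config)# ipv6 access-list OUTSIDE6 permit icmp6 any any time-exceeded
hostname(config)# ipv6 access-list OUTSIDE6 permit tcp any host 2001:db8:0:a::80 eq www
hostname(config)# access-group OUTSIDE6 in interface outside
! Verify addresses, RA state and the route table:
hostname(config)# show ipv6 interface inside
hostname(config)# show ipv6 route
```

Blocking all ICMPv6 on the outside is a common mistake; without packet-too-big and the neighbor discovery messages the IPv6 path either stalls on large packets or the next hop never resolves.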
  • Cisco 7604 | Configuration Guide - Page 204
    Verifying the IPv6 Configuration (Chapter 10, Configuring IPv6)
  • Cisco 7604 | Configuration Guide - Page 205
    AAA Server and Local Database Support, page 11-3 • Configuring the Local Database, page … server and you might not always know IP addresses of these users, you can enable AAA … Authorization always requires a user to …
  • Cisco 7604 | Configuration Guide - Page 206
    controls access by requiring valid user credentials, which are typically a username and password. You can configure the FWSM to … , the service used, and the duration of each session.
  • Cisco 7604 | Configuration Guide - Page 207
    with user-specific access lists only, which are received or specified in a RADIUS authentication response. 3. Local command authorization is supported by privilege level only.
  • Cisco 7604 | Configuration Guide - Page 208
    list when the authentication session expires. TACACS+ Server Support: The security appliance supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
  • Cisco 7604 | Configuration Guide - Page 209
    and one-time password and grants or denies … SDI Version Support: The FWSM offers the following SDI version support: • Versions … IP address with .sdi appended. A Version 5.0 SDI server that you configure on …
  • Cisco 7604 | Configuration Guide - Page 210
    a fallback method for the functions in Table 11-1. This behavior is designed to help you prevent accidental lockout from the FWSM.
  • Cisco 7604 | Configuration Guide - Page 211
    database for network access authorization. The local database does not support accounting. You cannot enter the username command in the … password password} [privilege level]
  • Cisco 7604 | Configuration Guide - Page 212
    account with a password, enters username mode, and specifies a few VPN attributes:
    hostname(config)# username user1 password gOgeOus
    hostname(config)# username user1 attributes
  • Cisco 7604 | Configuration Guide - Page 213
    group is specific to … mode command. For more information about this command, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
  • Cisco 7604 | Configuration Guide - Page 214
    the value. For more information about these commands, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
  • Cisco 7604 | Configuration Guide - Page 215
    … RADIUS: 10 seconds
    • sdi-pre-5-slave (SDI): no default
    • sdi-version (SDI): sdi-5
    • server-port: Kerberos 88, LDAP 389, NT 139, SDI 5500, TACACS+ 49
    • timeout (all protocols): 10 seconds
    protocol nt …
  • Cisco 7604 | Configuration Guide - Page 216
    …-group)# exit
    hostname(config)# aaa-server NTAuth (inside) host 10.1.1.4
    hostname(config-aaa-server-host)# nt-auth-domain-controller primary1
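The AAA pages above describe server groups, the per-host defaults, the local database as a fallback against lockout, and command authorization by privilege level. The following added example (not from the guide) ties those together for management access; the server addresses, group names and the placeholder secrets in angle brackets are assumptions to be replaced.

```cisco
! Added example (not from the guide): RADIUS for management authentication with
! LOCAL fallback, TACACS+ for command authorization and accounting, and one
! local account. Server addresses, names and <secrets> are placeholders.
hostname(config)# aaa-server RADIUS_MGMT protocol radius
hostname(config-aaa-server-group)# max-failed-attempts 3
hostname(config-aaa-server-group)# reactivation-mode depletion deadtime 10
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server RADIUS_MGMT (inside) host 10.1.1.10
hostname(config-aaa-server-host)# key <radius-shared-secret>
hostname(config-aaa-server-host)# timeout 5
hostname(config-aaa-server-host)# exit
hostname(config)# aaa-server TACACS_MGMT protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server TACACS_MGMT (inside) host 10.1.1.11
hostname(config-aaa-server-host)# key <tacacs-shared-secret>
hostname(config-aaa-server-host)# exit
! Local account used only when every server in the group is unreachable.
! Local authorization is by privilege level only, so give it level 15.
hostname(config)# username fwadmin password <strong-password> privilege 15
! SSH and enable go to RADIUS first; LOCAL is consulted only if the whole
! group is marked failed, which is what prevents an accidental lockout.
hostname(config)# aaa authentication ssh console RADIUS_MGMT LOCAL
hostname(config)# aaa authentication enable console RADIUS_MGMT LOCAL
! Command authorization through TACACS+, again with LOCAL fallback.
hostname(config)# aaa authorization command TACACS_MGMT LOCAL
hostname(config)# aaa accounting command TACACS_MGMT
! Prove each server answers before logging out of the current session:
hostname(config)# test aaa-server authentication RADIUS_MGMT host 10.1.1.10 username fwadmin password <strong-password>
hostname(config)# show aaa-server RADIUS_MGMT
```

Keep the session you configured this from open until the test succeeds; a typo in the server key with no LOCAL fallback is the classic way to lose management access.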
  • Cisco 7604 | Configuration Guide - Page 217
    public key of the sender to the signature. If the value recovered from the signature matches a hash of the data that was sent, the validity of the message is …
  • Cisco 7604 | Configuration Guide - Page 218
    manually configure each IPSec peer for every peer with which it communicates, and every new peer you add to a network would then require a configuration … operations, the supported maximum key size …
  • Cisco 7604 | Configuration Guide - Page 219
    Importing Keypairs and Certificates, page 12-7 • Linking Certificates to a Trustpoint, page 12-9 • Configuration Example: Cut-Through-Proxy Authentication, page 12-9
  • Cisco 7604 | Configuration Guide - Page 220
    certificates, be sure that the FWSM is correctly configured to support certificates. An incorrectly configured FWSM can cause enrollment to fail or create … -pair-label
  • Cisco 7604 | Configuration Guide - Page 221
    Key Modulus Size (bits): 1024
    Key Data: 30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 …
    … TACACS+ or RADIUS user accounting, or the local … IP address of the host or network of hosts that you want to …
  • Cisco 7604 | Configuration Guide - Page 222
    Step 2 … Step 3 … Step 4 … Step 5 … To verify that the required access lists have been configured, enter the following command:
    hostname(config)# show run access-…
    … the virtual IP address:
  • Cisco 7604 | Configuration Guide - Page 223
    this condition. To control which trustpoint sharing a CA is used for validation of user certificates issued by that CA, enter the support-user-cert-validation command.
  • Cisco 7604 | Configuration Guide - Page 224
    c=US
    serialNumber=C1183477
    2.5.4.15=#131256312e302c20436c6175736520352e286229
    1.3.6.1.4.1.311.60.2.1.2=#130a43616c69666f726e6961
    1.3.6.1.4.1.311.60.2.1.3=#13025553
    (The three numeric OIDs are the Extended Validation subject attributes businessCategory, jurisdictionOfIncorporationStateOrProvinceName and jurisdictionOfIncorporationCountryName; the #13… values are DER PrintableStrings reading "V1.0, Clause 5.(b)", "California" and "US".)
  • Cisco 7604 | Configuration Guide - Page 225
    …com/pca3-g5.crl
    Validity Date:
      start date: 23:00:00 IST Nov 7 2006
      end date: 22:59:59 IST Nov 7 2016
    Associated Trustpoints: newton
    Linking Certificates to … -mode depletion deadtime 2
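The certificate pages above show the pieces (a generated RSA keypair with its modulus, a trustpoint, the certificate display with its subject OIDs and CRL distribution point, and support-user-cert-validation for trustpoints that share a CA). The following added example, which is not from the guide, walks a fresh FWSM through enrollment with those commands; the CA URL, names and the 2048-bit modulus are assumptions (the guide's own sample shows a 1024-bit key).

```cisco
! Added example (not from the guide): generate a labelled keypair, enroll over
! SCEP, check the result. CA URL, trustpoint and key label are assumptions.
hostname(config)# domain-name example.com
hostname(config)# crypto key generate rsa label FWSM_KEY modulus 2048
hostname(config)# crypto ca trustpoint CORP_CA
hostname(config-ca-trustpoint)# enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
hostname(config-ca-trustpoint)# keypair FWSM_KEY
hostname(config-ca-trustpoint)# subject-name CN=fwsm1.example.com,O=Example
hostname(config-ca-trustpoint)# fqdn fwsm1.example.com
! Revocation checking: use the CRL distribution point carried in the certificate.
hostname(config-ca-trustpoint)# crl configure
hostname(config-ca-crl)# policy cdp
hostname(config-ca-crl)# exit
hostname(config-ca-trustpoint)# exit
! Fetch the CA certificate. Compare the fingerprint it prints against one
! obtained out of band before answering yes; this is the trust anchor.
hostname(config)# crypto ca authenticate CORP_CA
! Request the identity certificate; the enrollment password is the one the CA
! issued for this device, never the admin password.
hostname(config)# crypto ca enroll CORP_CA
! Confirm what was installed (subject, validity, CDP, associated trustpoint).
hostname(config)# show crypto key mypubkey rsa
hostname(config)# show crypto ca certificates CORP_CA
! If a second trustpoint is later added for the same CA, pick which one
! validates user certificates:
hostname(config)# crypto ca trustpoint CORP_CA
hostname(config-ca-trustpoint)# support-user-cert-validation
```

The fingerprint check during crypto ca authenticate is the step that matters: SCEP over plain HTTP gives no other assurance that the CA certificate came from the intended CA.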
  • Cisco 7604 | Configuration Guide - Page 226
    allowed through the FWSM. Only those shown in the example and SSH are supported for cut-through-proxy authentication. The timeout uauth command allows the FWSM to …
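The cut-through-proxy pages above mention the matching access list, the virtual IP address and the timeout uauth command but the configuration example itself is cut off. The following is an added example, not the guide's own, showing how those pieces combine; the server group, subnets and the virtual telnet address are assumptions.

```cisco
! Added example (not from the guide): cut-through-proxy authentication for
! inside users reaching outside web, FTP and telnet. Names/addresses assumed.
hostname(config)# aaa-server AUTH_USERS protocol radius
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AUTH_USERS (inside) host 10.1.1.10
hostname(config-aaa-server-host)# key <radius-shared-secret>
hostname(config-aaa-server-host)# exit
! Only traffic matching this list is challenged; everything else is untouched.
hostname(config)# access-list AUTH_MATCH extended permit tcp 10.1.1.0 255.255.255.0 any eq www
hostname(config)# access-list AUTH_MATCH extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp
hostname(config)# access-list AUTH_MATCH extended permit tcp 10.1.1.0 255.255.255.0 any eq telnet
hostname(config)# aaa authentication match AUTH_MATCH inside AUTH_USERS
hostname(config)# aaa accounting match AUTH_MATCH inside AUTH_USERS
! Virtual telnet target (an unused address the FWSM answers on) so a user can
! authenticate first and then use a protocol the FWSM cannot prompt inside.
hostname(config)# virtual telnet 209.165.201.30
! Bound the uauth cache: re-authenticate after 15 minutes idle and after 2 hours
! regardless of activity, so a shared workstation does not stay authenticated.
hostname(config)# timeout uauth 0:15:00 inactivity
hostname(config)# timeout uauth 2:00:00 absolute
! Check the list and the current authenticated users:
hostname(config)# show run access-list AUTH_MATCH
hostname(config)# show uauth
```

The interface access list still applies after authentication; cut-through proxy decides who may start a session, not which destinations are reachable.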
  • Cisco 7604 | Configuration Guide - Page 227
    List Implicit Deny, page 13-3 • IP Addresses Used for Access Lists When You Use NAT, page 13-3 • Access List Commitment, page 13-5 • Maximum Number of ACEs, page 13-6
  • Cisco 7604 | Configuration Guide - Page 228
    list that explicitly permits all traffic, no further statements are ever checked. You can disable an ACE by making it inactive.
  • Cisco 7604 | Configuration Guide - Page 229
    … ip 10.1.1.0 255.255.255.0 host 209.165.200.225
    hostname(config)# access-group INSIDE in interface inside
  • Cisco 7604 | Configuration Guide - Page 230
    outside interface. You need to specify the translated address of the inside host in the access list because that address is the address that can be used on the outside network …
  • Cisco 7604 | Configuration Guide - Page 231
    …re-enter the command after each reload. For information about exceeding memory limits, see the "Maximum Number of ACEs" section.
  • Cisco 7604 | Configuration Guide - Page 232
    the source and destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection engine treats ICMP sessions as bidirectional connections.
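The access list pages above make four points that are easy to get wrong in practice: the implicit deny at the end of every list, an ACE that can be parked as inactive, the requirement to reference the translated address when NAT is in play, and ICMP replies that need either an explicit ACE or the ICMP inspection engine. The following added example (not from the guide) shows them together; the addresses are from the documentation ranges and the translation is assumed.

```cisco
! Added example (not from the guide): inbound access to a statically translated
! server, an inactive ACE, ICMP inspection and manual commit. Addresses assumed.
! Inside host 10.1.1.5 is presented on the outside as 209.165.201.5.
hostname(config)# static (inside,outside) 209.165.201.5 10.1.1.5 netmask 255.255.255.255
! On the outside interface the ACL must name the translated address, because
! that is the only address that exists on the outside network.
hostname(config)# access-list OUTSIDE extended permit tcp any host 209.165.201.5 eq www
hostname(config)# access-list OUTSIDE extended permit tcp any host 209.165.201.5 eq https
! Prepared for a change window but not evaluated until "inactive" is removed.
hostname(config)# access-list OUTSIDE extended permit tcp host 209.165.200.225 host 209.165.201.5 eq ssh inactive
! Everything else hits the implicit deny anyway; an explicit deny with log makes
! the drops visible in syslog.
hostname(config)# access-list OUTSIDE extended deny ip any any log
hostname(config)# access-group OUTSIDE in interface outside
! Let replies to outbound pings return without an ACE for echo-reply: the ICMP
! inspection engine tracks request/reply as one bidirectional connection.
hostname(config)# policy-map global_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect icmp
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
! With manual commit, ACL edits are staged; review the expanded list and the
! ACE count against the partition limit, then commit.
hostname(config)# access-list mode manual-commit
hostname(config)# show access-list OUTSIDE
hostname(config)# access-list commit
```

The same list written with 10.1.1.5 instead of 209.165.201.5 would be accepted by the parser and silently match nothing, which is why the translated-address rule deserves a check in every review of an outside ACL.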
  • Cisco 7604 | Configuration Guide - Page 233
    the configuration. You might want to name the access list for the interface (for example, INSIDE), or for the purpose for which it is created (for example, NO_NAT or VPN).
  • Cisco 7604 | Configuration Guide - Page 234
    each require one definition for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP. Use an operator to match port … address 209.165.201.29. All other traffic is allowed.
  • Cisco 7604 | Configuration Guide - Page 235
    the FWSM is designed to specifically handle BPDUs. The FWSM receives trunk port (Cisco proprietary) BPDUs because FWSM ports are trunk ports. Trunk BPDUs have VLAN information …
  • Cisco 7604 | Configuration Guide - Page 236
    … ethertype permit mpls-unicast
    hostname(config)# access-group ETHER in interface inside
    hostname(config)# access-group ETHER in interface outside
  • Cisco 7604 | Configuration Guide - Page 237
    consider the following three object groups: • MyServices: Includes the TCP and UDP port numbers of the service requests that are allowed access to the internal network …
  • Cisco 7604 | Configuration Guide - Page 238
    … To define the protocols in the group, enter the following command for each protocol:
    hostname(config-protocol)# protocol-object protocol
  • Cisco 7604 | Configuration Guide - Page 239
    Addresses …
    hostname(config-network)# network-object host 10.1.1.4
    hostname(config-network)# network-object host 10.1.1.78
    hostname(config-network)# network-object host 10.1.1.34
  • Cisco 7604 | Configuration Guide - Page 240
    objects; the commands you already set remain in place unless you remove them with the no form of the command.
  • Cisco 7604 | Configuration Guide - Page 241
    …1.1.5
    hostname(config-network)# network-object host 10.1.1.9
    hostname(config-network)# network-object host 10.1.1.89
    hostname(config-network)# object-group network hr
  • Cisco 7604 | Configuration Guide - Page 242
    object groups in an access list, replace the normal protocol (protocol), network (source_address mask, and so on), service (operator port), or ICMP type (icmp_type) parameter …
  • Cisco 7604 | Configuration Guide - Page 243
    in an access list. • To remove a specific object group, enter the following command: hostname(config… services | icmp-type] If you do not enter a type, all object groups are removed.
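The object-group pages above show network groups being filled host by host and explain that a group name replaces the protocol, network, service or ICMP-type parameter of an ACE. The following added example (not from the guide) builds all four group types, nests one group in another, uses them in two ACEs and then shows the removal rules; addresses, ports and names are assumptions.

```cisco
! Added example (not from the guide): four object-group types, nesting, use in
! an ACL and removal. Addresses, ports and names are assumed values.
hostname(config)# object-group network ADMIN_HOSTS
hostname(config-network)# network-object host 10.1.1.4
hostname(config-network)# network-object host 10.1.1.78
hostname(config-network)# exit
hostname(config)# object-group network SERVERS
hostname(config-network)# network-object 10.2.2.0 255.255.255.0
hostname(config-network)# exit
hostname(config)# object-group service MGMT_TCP tcp
hostname(config-service)# port-object eq ssh
hostname(config-service)# port-object eq https
hostname(config-service)# port-object range 8443 8444
hostname(config-service)# exit
hostname(config)# object-group icmp-type PING
hostname(config-icmp-type)# icmp-object echo
hostname(config-icmp-type)# icmp-object echo-reply
hostname(config-icmp-type)# exit
! Nesting: TRUSTED contains ADMIN_HOSTS plus one more host.
hostname(config)# object-group network TRUSTED
hostname(config-network)# group-object ADMIN_HOSTS
hostname(config-network)# network-object host 10.1.1.34
hostname(config-network)# exit
! One ACE per group combination instead of one per host/port pair.
hostname(config)# access-list INSIDE extended permit tcp object-group TRUSTED object-group SERVERS object-group MGMT_TCP
hostname(config)# access-list INSIDE extended permit icmp object-group TRUSTED object-group SERVERS object-group PING
hostname(config)# access-group INSIDE in interface inside
! The FWSM expands each group ACE into individual entries; they all count
! against the ACE limit, and show access-list lists them with hit counts.
hostname(config)# show access-list INSIDE
! Removal: a group still referenced by an ACL or by another group is rejected
! with an error; remove the reference first, or clear a whole type at once.
hostname(config)# no access-list INSIDE extended permit icmp object-group TRUSTED object-group SERVERS object-group PING
hostname(config)# no object-group icmp-type PING
hostname(config)# clear configure object-group icmp-type
```

Review the expanded output of show access-list, not the group definitions: a nested group that quietly grows is the usual way an "admin only" rule ends up permitting a whole subnet.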
  • Cisco 7604 | Configuration Guide - Page 244
    end of the access list unless you specify the line number. If you delete an access list using the clear configure … - this is the inside admin address
    hostname(config)# access-list OUT extended …
  • Cisco 7604 | Configuration Guide - Page 245
    … log disable [rule y]
    After optimization:
    access-list test extended deny tcp any any range 50 100 log default [rule x]
  • Cisco 7604 | Configuration Guide - Page 246
    this command when you are sure that you will not exceed the start-up configuration size limit. The following is an example of an optimized access list configuration.
  • Cisco 7604 | Configuration Guide - Page 247
    "Access Lists Optimization Complete" defines the end of the optimization process. During that line 1 extended permit tcp host 10.1.1.6 host 10.1.1.20 eq www (hitcnt=*) 0x1d3335f6 access-list test line Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 13
  • Cisco 7604 | Configuration Guide - Page 248
    … = 46%
    SUBSET rules : 2
    ADJACENT rules : 5
    access-list test line 1 extended permit tcp host 10.1.1.6 host 10.1.1.20 eq www (hitcnt=0) 0x00000000 before optimization
  • Cisco 7604 | Configuration Guide - Page 249
    are merged, the original access lists can be replaced with the optimized ones. Note that this action will … configuration before proceeding with disabling access list group optimization.
  • Cisco 7604 | Configuration Guide - Page 250
    specific times … end time and date are specified, the time range is in effect indefinitely.
    hostname(config)# time-range for2006
    hostname(config-time-range)# absolute start 8:00 1 january 2006
  • Cisco 7604 | Configuration Guide - Page 251
    … line 1 extended deny tcp host 209.165.200.225 host 209.165.201.1 time-range New_York_Minute
    Logging Access List Activity: This section describes how to configure …
  • Cisco 7604 | Configuration Guide - Page 252
    a specific interval. The FWSM generates a system log message at the first hit and at the end of … source and destination IP addresses, protocols, and ports. Because the source port might differ for a …
  • Cisco 7604 | Configuration Guide - Page 253
    ports remain the same), then the hit count is incremented by 1 and the following message is displayed at the end … received within a specific interval. The FWSM … To prevent unlimited consumption of memory …
  • Cisco 7604 | Configuration Guide - Page 254
    in a short period of time. Restricting the number of deny flows prevents unlimited consumption of memory and CPU resources. When you reach the maximum number of deny flows, …
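The time-range and logging pages above describe ACEs that are active only in a time range, per-flow deny logging with a first-hit message and an interval summary, and the deny-flow cap that keeps a scan from exhausting memory. The following added example (not from the guide) sets all three; the hosts, the range and the chosen limits are assumptions.

```cisco
! Added example (not from the guide): a time-bound ACE and ACL logging tuned
! so a port scan cannot exhaust the deny-flow cache. Values are assumptions.
hostname(config)# time-range BUSINESS_HOURS
hostname(config-time-range)# periodic weekdays 8:00 to 18:00
hostname(config-time-range)# absolute end 23:59 31 december 2010
hostname(config-time-range)# exit
! Contractor SSH only during business hours; outside the range this ACE is
! inactive and the deny below applies.
hostname(config)# access-list INSIDE extended permit tcp host 10.1.1.50 host 10.2.2.20 eq ssh time-range BUSINESS_HOURS
! Per-flow deny logging: one message (informational, level 6) at the first hit
! and a summary with the hit count every 300 s, not one line per packet.
hostname(config)# access-list INSIDE extended deny ip any any log 6 interval 300
hostname(config)# access-group INSIDE in interface inside
! Bound the deny-flow cache and how often the "limit reached" warning repeats,
! so a flood of distinct source ports cannot consume memory or drown syslog.
hostname(config)# access-list deny-flow-max 1024
hostname(config)# access-list alert-interval 120
! Time ranges depend on the FWSM clock: check it, and the hit counts.
hostname(config)# show clock
hostname(config)# show access-list INSIDE
```

If the clock is wrong the time-range ACE is simply inactive, with no error; keep the FWSM on NTP before relying on any time-range.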
  • Cisco 7604 | Configuration Guide - Page 255
    Firewall Requirements, page 14-7 • Active/Standby and Active/Active Failover, page 14-8 • Regular and Stateful Failover, page 14-17 • Failover Health Monitoring, page 14-19
  • Cisco 7604 | Configuration Guide - Page 256
    sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key.
  • Cisco 7604 | Configuration Guide - Page 257
    on page 14-4. Even though both FWSMs are assigned the same VLANs, only the active module takes part in networking. The standby module does not pass any traffic.
  • Cisco 7604 | Configuration Guide - Page 258
    the failover FWSM VLANs (VLANs 10 and 11). Note: FWSM failover is independent of the switch failover operation; however, FWSM works in any switch failover scenario.
  • Cisco 7604 | Configuration Guide - Page 259
    [Figure: Understanding Failover. Two switches, each holding one FWSM (Active FWSM and Standby FWSM); failover links carried as a trunk of VLANs 10 and 11; firewall VLANs 200, Inside VLAN 201, Mktg VLAN 202, Eng VLAN 203.]
  • Cisco 7604 | Configuration Guide - Page 260
    [Figure: After failover. Internet on VLAN 100, VLAN 200 between the switches; the former active module is shown as Failed FWSM and the peer as Active FWSM; failover links trunk VLANs 10 and 11; Inside VLAN 201, Mktg VLAN 202, Eng VLAN 203.]
  • Cisco 7604 | Configuration Guide - Page 261
    other module, or due to a bad failover link. Because the FWSMs bridge packets between the same two VLANs, loops can occur when inside packets destined for the outside get …
  • Cisco 7604 | Configuration Guide - Page 262
    14-9 • Device Initialization and Configuration Synchronization, page 14-9 • Command Replication, page 14-11 • Failover Triggers, page 14-11 • Failover Actions, page 14-12
  • Cisco 7604 | Configuration Guide - Page 263
    its running configuration (except for the failover commands needed to communicate with the active unit), and the active unit sends its entire configuration to the standby unit.
  • Cisco 7604 | Configuration Guide - Page 264
    MAC address to that of the primary unit, which can cause an interruption in your network traffic. When the configuration … configuration synchronization, the secondary unit will be operational.
  • Cisco 7604 | Configuration Guide - Page 265
    do not affect the configuration. Failover Triggers: The unit can fail if one of the following events occurs: • The unit has a hardware failure or a power failure. • The unit …
  • Cisco 7604 | Configuration Guide - Page 266
    … (power or hardware); Policy: Failover; Active Action: n/a … Formerly active unit recovers … Standby unit failed (power … Configuration Synchronization, page 14-14 • Command Replication, page 14-14
  • Cisco 7604 | Configuration Guide - Page 267
    in the standby state take over the standby MAC address and IP addresses. Note: A failover group failing on a … services. Load balancing must be handled by a router passing traffic to FWSM.
  • Cisco 7604 | Configuration Guide - Page 268
    the peer unit. • You manually force a failover group to become … configurations to become out of synchronization. Those changes may be lost the next time configuration synchronization occurs.
  • Cisco 7604 | Configuration Guide - Page 269
    … • The unit has a power failure. • The unit has a software failure. • The no failover active or the failover active command is entered in the system execution space.
  • Cisco 7604 | Configuration Guide - Page 270
    Behavior for Active/Active Failover: Failure Event … A unit experiences a power or software failure … Interface failure on active failover group above threshold … active.
  • Cisco 7604 | Configuration Guide - Page 271
    Failover: FWSM supports two types of failover, regular and stateful. This section includes the following topics: • Regular Failover, page 14-18 • Stateful Failover, page 14-18
  • Cisco 7604 | Configuration Guide - Page 272
    MAC address table, the peer FWSM is not able to generate switch CAM table refresh packets for the given endpoints. Therefore, if the CAM table entries on the switch for the given hosts are …
  • Cisco 7604 | Configuration Guide - Page 273
    If FWSM does not receive a response on any interface, then the standby unit switches to active mode and classifies the other unit as failed. • If FWSM does not receive a response …
  • Cisco 7604 | Configuration Guide - Page 274
    Using Active/Active Failover, page 14-26 • Configuring Failover Communication Authentication/Encryption, page 14-31 • Verifying the Failover Configuration, page 14-31
  • Cisco 7604 | Configuration Guide - Page 275
    the minimum configuration needed to enable failover on the primary unit. For multiple context mode, all steps are performed in the system execution space unless otherwise noted.
  • Cisco 7604 | Configuration Guide - Page 276
    standby IP address to the state link. Note: If the state link uses the failover link, skip this step. You have already defined the failover link active and standby IP addresses.
  • Cisco 7604 | Configuration Guide - Page 277
    ip_addr mask standby ip_addr
    Note: Enter this command exactly as you entered it on the primary unit when you configured the failover interface on the primary unit.
  • Cisco 7604 | Configuration Guide - Page 278
    secondary unless previously configured. Step 3 … Step 4 … Step 5 (Optional) Specify different hostnames for the primary and secondary FWSMs to replace the default hostname …
  • Cisco 7604 | Configuration Guide - Page 279
    When specifying a specific number of interfaces, the num argument can be from 1 to 250. When specifying a percentage of interfaces, the num argument can be from 1 to 100.
  • Cisco 7604 | Configuration Guide - Page 280
    for the failover link or for the state link (if you are going to use Stateful Failover).
    hostname(config-if)# ip address active_addr netmask standby standby_addr
  • Cisco 7604 | Configuration Guide - Page 281
    the failover link, then you only need to supply the if_name argument. b. Assign an active and standby IP address to the state link. Note: If the state … group configuration mode.
  • Cisco 7604 | Configuration Guide - Page 282
    interface ip if_name ip_addr mask standby ip_addr
    Note: Enter this command exactly as you entered it on the primary unit when you configured the failover interface.
  • Cisco 7604 | Configuration Guide - Page 283
    unless previously configured otherwise. Step 3 … Step 4 … Step 5 … Step 6 (Optional) Specify different hostnames for the primary and secondary FWSMs to replace the default …
  • Cisco 7604 | Configuration Guide - Page 284
    [%] When specifying a specific number of interfaces, the num argument can be from 1 to 250. When specifying a percentage of interfaces, the num argument can be from 1 to 100.
  • Cisco 7604 | Configuration Guide - Page 285
    this information includes any usernames, passwords and preshared keys used for establishing the tunnels. Transmitting this sensitive data in clear text could pose -35 OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 14-31
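The failover steps summarized on the pages above, assembled into one Active/Active configuration for the system execution space of the primary FWSM in multiple context mode. This is an added example written for this page, not configuration taken from the guide. It assumes both modules are already in multiple context mode and that the switch has assigned VLANs 100 and 101 (failover and state links) and VLANs 10, 11, 20 and 21 (context data interfaces) to each module; all VLAN numbers, interface names, addresses, context names and the shared key are placeholders. The failover key is the answer to the clear-text warning above: without it, configuration replication, including usernames, passwords and preshared keys, crosses the failover link unencrypted.

```text
! PRIMARY unit, system execution space (multiple context mode).
! VLANs, names, addresses and the key below are placeholders for this example.
failover lan unit primary
failover lan interface folink Vlan100
failover interface ip folink 192.168.254.1 255.255.255.0 standby 192.168.254.2
! Stateful Failover on its own VLAN so state updates never compete with hellos.
failover link statelink Vlan101
failover interface ip statelink 192.168.253.1 255.255.255.0 standby 192.168.253.2
! Encrypt failover and state traffic. Without a key, configuration sync
! (including usernames, passwords and preshared keys) is sent in clear text.
failover key Fo-Key-Example-2010
! Two failover groups: each unit is normally active for one group and, with
! preempt, takes its group back 15 seconds after it returns to service.
failover group 1
  primary
  preempt 15
  interface-policy 50%
failover group 2
  secondary
  preempt 15
  interface-policy 1
! interface-policy 50%: fail the group when half of its monitored interfaces
! fail; interface-policy 1: fail it when a single monitored interface fails.
! Each context joins one group. Its standby data addresses are configured
! inside the context with "ip address <active> <mask> standby <standby>".
context ctx1
  allocate-interface Vlan10
  allocate-interface Vlan20
  config-url disk:/ctx1.cfg
  join-failover-group 1
context ctx2
  allocate-interface Vlan11
  allocate-interface Vlan21
  config-url disk:/ctx2.cfg
  join-failover-group 2
failover
!
! SECONDARY unit: bootstrap only; everything else is replicated from the
! primary. The folink command is entered exactly as on the primary.
failover lan unit secondary
failover lan interface folink Vlan100
failover interface ip folink 192.168.254.1 255.255.255.0 standby 192.168.254.2
failover key Fo-Key-Example-2010
failover
```

After both units are up, show failover on either unit should list Group 1 active on the primary and Group 2 active on the secondary, with the other host in Standby Ready for each; show running-config all failover shows the defaults (such as polltime) that this example leaves unchanged.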
  • Cisco 7604 | Configuration Guide - Page 286
    is similar to the information shown when using the command in single context mode. Instead of showing the active/standby status of the unit, it displays .0.11): Normal
  • Cisco 7604 | Configuration Guide - Page 287
    Stateful Failover Logical Update Statistics
      Status: Configured.
      Stateful Obj    xmit    xerr    rcv
      RPC services    0       0       0
      TCP conn        99      0       0
      UDP conn        0       0       0
      ARP tbl         22      0       0
  • Cisco 7604 | Configuration Guide - Page 288
    table information (transparent firewall mode only). Xlate_Timeout Indicates connection translation timeout information. VPN IKE upd IKE connection information.
  • Cisco 7604 | Configuration Guide - Page 289
      outside (10.3.3.2): Normal
    ctx2 Interface inside (10.4.4.2): Normal
    Other host: Secondary
      Group 1   State: Standby Ready
                Active time: 190 (sec)
  • Cisco 7604 | Configuration Guide - Page 290
    Normal
    Stateful Failover Logical Update Statistics
      Status: Configured.
      Stateful Obj    xmit    xerr    rcv    rerr
      RPC services    0       0       0      0
      TCP conn        33      0       0      0
      UDP conn        0       0       0      0
      ARP tbl         12      0       0      0
  • Cisco 7604 | Configuration Guide - Page 291
    seconds For each interface, the display shows the IP address currently being used on each unit, as well as interface has failed. • No link-The interface line protocol is down. • Normal-The interface is
  • Cisco 7604 | Configuration Guide - Page 292
    data Procedure Call connection information. TCP connection information. Dynamic UDP connection information. Dynamic ARP table information. Layer 2 bridge table information (transparent firewall mode
  • Cisco 7604 | Configuration Guide - Page 293
    show running-config all failover displays the failover commands in the running configuration and includes commands for which you have not changed the default value.
  • Cisco 7604 | Configuration Guide - Page 294
    Forcing Failover, page 14-40 • Disabling Failover, page 14-41 • Disabling Configuration Synchronization, page 14-41 • Restoring a Failed Unit or Failover Group
  • Cisco 7604 | Configuration Guide - Page 295
    If previously active, a failover group will become active if it is configured with the preempt command and if the unit on which it failed is its preferred unit.
  • Cisco 7604 | Configuration Guide - Page 296
    the snmp-server and logging commands in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information.
  • Cisco 7604 | Configuration Guide - Page 297
    PART 2 Configuring the Security Policy
  • Cisco 7604 | Configuration Guide - Page 298
  • Cisco 7604 | Configuration Guide - Page 299
    access list allowing the host IP address. You only need to configure management access according to Chapter 23, "Configuring Management Access." This chapter includes
  • Cisco 7604 | Configuration Guide - Page 300
    You might want to use an outbound access list to simplify your access list configuration. For example, if you want to allow three inside networks on three different eng
  • Cisco 7604 | Configuration Guide - Page 301
    Use NAT" section on page 13-3 for information about NAT and IP addresses. The outbound access list prevents any other hosts from reaching the outside network outside
  • Cisco 7604 | Configuration Guide - Page 302
    -list nonIP ethertype deny 1256 hostname(config)# access-list nonIP ethertype permit any hostname(config)# access-group ETHER in interface inside
  • Cisco 7604 | Configuration Guide - Page 303
    hostname(config)# access-group ETHER in interface outside
  • Cisco 7604 | Configuration Guide - Page 304
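The two directions described in Chapter 15, shown as one complete configuration. This is an added example for this page, not the guide's own; interface names, networks, server addresses and list names are placeholders. It assumes the three engineering networks are not translated on the outside interface (identity NAT or NAT exemption); on this software an access list applied to the outside interface sees mapped addresses, so with NAT the ENG_OUT entries would name the mapped addresses instead.

```text
! Placeholders: interface names, networks, list names.
! Inbound list on the inside interface: what inside hosts may start. The final
! deny restates the implicit deny so every blocked attempt produces a syslog.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list INSIDE_IN extended permit udp 10.1.1.0 255.255.255.0 host 10.1.5.53 eq domain
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Outbound list on the outside interface: checked on traffic leaving toward the
! outside network regardless of the interface it entered. Three networks may
! reach one web server; no other host gets out through this interface.
! (Real addresses here because these networks are not translated; with NAT,
! use the mapped addresses.)
access-list ENG_OUT extended permit tcp 10.1.1.0 255.255.255.0 host 209.165.200.225 eq www
access-list ENG_OUT extended permit tcp 10.1.2.0 255.255.255.0 host 209.165.200.225 eq www
access-list ENG_OUT extended permit tcp 10.1.3.0 255.255.255.0 host 209.165.200.225 eq www
access-group ENG_OUT out interface outside
!
! Transparent mode only: an EtherType list controls non-IP frames; IP traffic
! is never matched by it. Let spanning tree BPDUs through, drop one EtherType,
! permit the remaining non-IP traffic, and apply the list on both interfaces.
access-list ETHER ethertype permit bpdu
access-list ETHER ethertype deny 1256
access-list ETHER ethertype permit any
access-group ETHER in interface inside
access-group ETHER in interface outside
```

The explicit deny with log is the practitioner's addition: the implicit deny at the end of every list drops silently, and the logged entry is what lets you see scans and misconfigured hosts in the syslog stream (message 106100 per hit).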
  • Cisco 7604 | Configuration Guide - Page 305
    NAT Commands Used to Match Real Addresses, page 16-15 • Maximum Number of NAT Statements, page 16-15 • Mapped Address Guidelines, page 16-15 • DNS and NAT, page 16-16
  • Cisco 7604 | Configuration Guide - Page 306
    receives the packet. The FWSM then undoes the translation of the mapped address, 209.165.201.10 back to the real address, 10.1.1.1.27 before sending it on to the host.
  • Cisco 7604 | Configuration Guide - Page 307
    of the firewall, and the initiating host real address is mapped to a different address on the same subnet, then the real address remains visible in the ARP request.
  • Cisco 7604 | Configuration Guide - Page 308
    it sends the response to the mapped address, 209.165.201.10, and the FWSM receives the packet because the upstream router includes this mapped network in a static
  • Cisco 7604 | Configuration Guide - Page 309
    NAT on any networks unless you choose to perform NAT. If you upgraded from an earlier version of software, however, NAT control might be enabled on your system.
  • Cisco 7604 | Configuration Guide - Page 310
    the classifier might require changes in your network configuration. See the "How address. The connection is denied because the FWSM only allows returning connections to the mapped address.
  • Cisco 7604 | Configuration Guide - Page 311
    list allows it. Because the address is unpredictable, a connection to the host is unlikely. However, in this case, you can rely on the security of the access list.
  • Cisco 7604 | Configuration Guide - Page 312
    host (if there is an access list that allows it), while dynamic NAT does not. You also need an equal number of mapped addresses as real addresses with static NAT.
  • Cisco 7604 | Configuration Guide - Page 313
    the original port 8080. Similarly, if you want to provide extra security, you can tell your web users to connect to non-standard port 6785, and then undo translation to port 80.
  • Cisco 7604 | Configuration Guide - Page 314
    secondary ports. Or, when the ports cannot be predicted, the policy should specify only the IP addresses for the secondary channel. This way, the FWSM translates the secondary ports.
  • Cisco 7604 | Configuration Guide - Page 315
    ) 1 209.165.202.129 hostname(config)# nat (inside) 2 access-list NET2 hostname(config)# global (outside) 2 209.165.202.130
  • Cisco 7604 | Configuration Guide - Page 316
    remote network, the access list identifies the real addresses and the source addresses of remote hosts that are allowed to connect to the host using this translation.
  • Cisco 7604 | Configuration Guide - Page 317
    address. Note Policy NAT does not support SQL*Net, but it is supported by regular NAT. See the "Inspection Engine Overview" section on page 22-2 for information about NAT support
  • Cisco 7604 | Configuration Guide - Page 318
    security interfaces. These inspection engines include Skinny, SIP, and H.323. See the "Inspection Engine Overview" section on page 22-2 for supported inspection engines.
  • Cisco 7604 | Configuration Guide - Page 319
    traffic destined for a real address. If you use OSPF to advertise mapped IP addresses that belong to a different subnet from the mapped interface, you need to create
  • Cisco 7604 | Configuration Guide - Page 320
    IP address embedded in the DNS query response or the FWSM will not NAT it. The necessary route can be learned via static routing or by any other routing protocol, such as RIP or OSPF.
  • Cisco 7604 | Configuration Guide - Page 321
    DNS server, then the IP address in the DNS reply is also modified for this user, even though the user is not on the Inside interface referenced by the static command.
  • Cisco 7604 | Configuration Guide - Page 322
    address, 209.165.20.10. Because you want inside users to use the mapped address for ftp.example.com (10.1.2.56), you need to configure dns Configuring NAT Control NAT control requires that packets
  • Cisco 7604 | Configuration Guide - Page 323
    how to configure dynamic NAT and PAT, and it includes the following topics: • Dynamic NAT and PAT Implementation, page 16-20 • Configuring Dynamic NAT or PAT, page 16-26
  • Cisco 7604 | Configuration Guide - Page 324
    configure a nat command identifying the real addresses on a given interface that you want to translate. Then you configure a separate global command to specify the mapped addresses
  • Cisco 7604 | Configuration Guide - Page 325
    a PAT address when exiting the Outside interface. (See Figure 16-15.) Figure 16-15 nat Commands on Multiple Interfaces
  • Cisco 7604 | Configuration Guide - Page 326
    use policy NAT, you can specify the same real addresses for multiple nat commands, as long as the destination addresses and ports are unique in each access list.
  • Cisco 7604 | Configuration Guide - Page 327
    you might enter two PAT statements if you need more than the approximately 64,000 PAT sessions that a single PAT mapped statement supports. (See Figure 16-18.)
  • Cisco 7604 | Configuration Guide - Page 328
    NAT (DMZ interface to Inside interface), the inside host uses a static command to allow outside access, so both the source and destination addresses are translated.
  • Cisco 7604 | Configuration Guide - Page 329
    NAT requirements preceding come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static command is not affected.
  • Cisco 7604 | Configuration Guide - Page 330
    is allowed back. The mapped address defined by the global command is the same for each translation, but the port is dynamically assigned. [norandomseq]
  • Cisco 7604 | Configuration Guide - Page 331
    no need for both firewalls to be performing this action. However, leaving ISN randomization enabled on both firewalls does not affect the
  • Cisco 7604 | Configuration Guide - Page 332
    209.165.201.10-209.165.201.20 To translate the lower security DMZ network addresses so they appear to be on the same network as the inside network (10 10.1.1.45
  • Cisco 7604 | Configuration Guide - Page 333
    and the mapped address is statically assigned by the static command. Figure 16-22 Static NAT
  • Cisco 7604 | Configuration Guide - Page 334
    second address in the access list is the source address. This access list should include only permit ACEs. You can optionally specify the real and destination ports in
  • Cisco 7604 | Configuration Guide - Page 335
    address in the static command that is also defined in a global command for the same mapped interface. For more information about static PAT, see the "Static PAT" section on page 16-9.
  • Cisco 7604 | Configuration Guide - Page 336
    Specify the port using the eq operator. The first address in the access list is the real address; the second address is either the source or destination address, depending
  • Cisco 7604 | Configuration Guide - Page 337
    mapped address. hostname -known port (80) to another port (8080 Configuring Identity NAT, page 16-34 • Configuring Static Identity NAT, page 16-34 • Configuring NAT Exemption, page 16-36
  • Cisco 7604 | Configuration Guide - Page 338
    Policy NAT lets you identify the real and destination addresses when determining the real addresses to translate. (See the "Policy NAT" section on page 16-10 for more
  • Cisco 7604 | Configuration Guide - Page 339
    identity NAT for an inside IP address (10.1.1.3) when accessed by the outside: hostname(config)# static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255
  • Cisco 7604 | Configuration Guide - Page 340
    and destination addresses when ports. NAT exemption also does not consider the inactive or time-range keywords; all ACEs are considered to be active for NAT exemption configuration.
  • Cisco 7604 | Configuration Guide - Page 341
    For example, to exempt an inside network when accessing any destination address, enter the following command: hostname(config)# access-list EXEMPT permit ip Ports, page 16-39
  • Cisco 7604 | Configuration Guide - Page 342
    inside network, that host receives the packet. To solve this problem, use NAT to provide non-overlapping addresses. If you want to allow access in both directions,
  • Cisco 7604 | Configuration Guide - Page 343
    to 10.1.1.5. • HTTP port 8080 requests to PAT address 209.165.201.15 are redirected to 10.1.1.7 port 80. To implement this scenario, perform the following steps:
  • Cisco 7604 | Configuration Guide - Page 344
    PAT address 209.165.201.15 to 10.1.1.7 port 80 by entering the following command: hostname(config)# static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255
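The NAT types covered in Chapter 16 (dynamic NAT and PAT, policy NAT, static NAT with DNS rewrite, static PAT, static identity NAT and NAT exemption) brought together in one context configuration. This is an added example for this page, not configuration from the guide. Interface names inside, dmz and outside, the networks, the mapped addresses and the list names are placeholders; the 10.1.1.0/24 and 209.165.201.x values echo the guide's figures where that helps. The closing access list illustrates the rule stated above: on this software the list on the outside interface names the mapped address and port, because the check happens before the translation is undone.

```text
! Placeholders: interfaces inside/dmz/outside, networks, mapped addresses.
! Require a translation for every connection from a higher- to a lower-security
! interface. Off on a fresh install; an upgraded unit may already have it on.
nat-control
!
! Dynamic NAT from a pool, then dynamic PAT on one address once the pool is
! exhausted. The NAT ID (1) ties the nat command to its global commands.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 209.165.201.10-209.165.201.20
global (outside) 1 209.165.201.21
!
! Policy NAT: 10.1.2.0/24 gets its own mapped address only when it talks to
! 209.165.200.224/27. The access list names the real source and the destination;
! policy NAT entries are matched before regular dynamic NAT entries.
access-list NET2 extended permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
nat (inside) 2 access-list NET2
global (outside) 2 209.165.202.130
!
! Static NAT: one mapped address per real address; outside hosts may initiate
! connections if the outside access list allows them. The dns keyword rewrites
! A records carrying the real address in DNS replies that cross the FWSM.
static (inside,outside) 209.165.201.5 10.1.1.5 netmask 255.255.255.255 dns
!
! Static PAT (port redirection): outside port 8080 reaches inside port 80.
static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www netmask 255.255.255.255
!
! Static identity NAT: the host keeps its real address on the outside.
static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255
!
! NAT exemption for the DMZ toward 10.1.1.0/24, in both directions; the list
! may contain permit ACEs only, and inactive/time-range are ignored.
access-list EXEMPT extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (dmz) 0 access-list EXEMPT
!
! Outside access list: MAPPED addresses and ports, because the list is checked
! as the packet arrives on the outside interface, before the translation is
! undone. Writing 10.1.1.7 here would never match.
access-list OUTSIDE_IN extended permit tcp any host 209.165.201.15 eq 8080
access-list OUTSIDE_IN extended permit tcp any host 209.165.201.5 eq www
access-group OUTSIDE_IN in interface outside
```

show nat lists the rules in the order they are evaluated (exemption, static, policy dynamic, regular dynamic) and show xlate shows the translations in use; if an outside host cannot reach the redirected web server, the first thing to confirm is that the access list matches the mapped 209.165.201.15:8080, not the real 10.1.1.7:80. The static commands keep ISN randomization on; norandomseq is only worth adding when another firewall already randomizes sequence numbers for the same connections.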
  • Cisco 7604 | Configuration Guide - Page 345
    • Configuring Custom Login Prompts, page 17-5 • Enabling Secure Authentication of Web Clients, page 17-6 • Disabling Authentication Challenge per Protocol, page 17-8
  • Cisco 7604 | Configuration Guide - Page 346
    you enter another username and password. For HTTP, you log in using basic HTTP authentication supplied by the browser. For HTTPS, the FWSM generates custom login windows.
  • Cisco 7604 | Configuration Guide - Page 347
    7600 Series Router Firewall Services Module Command Reference. Enabling Network Access Authentication To enable network access authentication, perform the following steps:
  • Cisco 7604 | Configuration Guide - Page 348
    smtp hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq www hostname(config)# aaa authentication match MAIL_AUTH inside AuthOutbound
  • Cisco 7604 | Configuration Guide - Page 349
    Enter key ends the string. passwords, then the generic reject prompt is shown in all cases. To show text when a user is rejected due to invalid credentials, enter the following command:
  • Cisco 7604 | Configuration Guide - Page 350
    securing HTTP authentication, usernames and passwords provided to the FWSM would be requiring authentication, the FWSM displays the Authentication Proxy Login Page shown in Figure 17-1.
  • Cisco 7604 | Configuration Guide - Page 351
    PAT for web traffic and the second line must be added to support the HTTPS authentication configuration. static (inside,outside) tcp 10.132.16.200 www 10.130.16.10 www
  • Cisco 7604 | Configuration Guide - Page 352
    protocol challenge disable For example, to disable the username and password challenge for new connections using FTP, enter the following command: traffic is allowed.
  • Cisco 7604 | Configuration Guide - Page 353
    TACACS+ server responds to the FWSM with information that the FWSM treats as a user-specific, dynamic access list for that traffic, based on the user profile. Note If you
  • Cisco 7604 | Configuration Guide - Page 354
    how to configure Cisco Secure ACS or a third-party RADIUS server, and includes the following topics: • Configuring Cisco Secure ACS for Downloadable Access Lists, page 17-11
  • Cisco 7604 | Configuration Guide - Page 355
    is a unique version ID generated by Cisco Secure ACS. The downloaded access list on the FWSM consists of the following lines: access-list #ACSACL#-ip-xxx-acs_ten_acl-3b5385f7
  • Cisco 7604 | Configuration Guide - Page 356
    on the FWSM from the RADIUS server when a user authenticates, configure the IETF RADIUS filter-id attribute (attribute number 11) as follows: filter-id=acl_name
  • Cisco 7604 | Configuration Guide - Page 357
    page 17-3. If you want the FWSM to provide accounting data per IP address, enabling authentication is not necessary and you can continue to requires authorization and accounting.
  • Cisco 7604 | Configuration Guide - Page 358
    the first 8 digits. To exempt traffic for the MAC addresses specified in a particular MAC list, enter the following command: hostname(config)# aaa mac-exempt match id
  • Cisco 7604 | Configuration Guide - Page 359
    hostname(config)# mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffff hostname(config)# mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000 hostname(config)# aaa mac-exempt match 1
  • Cisco 7604 | Configuration Guide - Page 360
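The Chapter 17 pieces (server group, aaa authentication match, secure HTTP authentication, per-protocol challenge control, accounting and MAC exemption) as one working network-access AAA configuration. This is an added example for this page, not configuration from the guide. The server group name, server address, shared key, interface names, network and list names are placeholders; the MAC list repeats the guide's own addresses so the top-down evaluation is visible.

```text
! Placeholders: server group, server address, key, interface, list names.
! 1. The authentication server group the FWSM queries.
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound (inside) host 10.1.1.100
  key Tacacs-Shared-Secret-Example
!
! 2. Which connections require authentication. The FWSM can prompt only on
! Telnet, FTP, HTTP and HTTPS; a user who needs SMTP authenticates through one
! of those first, after which everything in this list passes for that address.
access-list AUTH_TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list AUTH_TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list AUTH_TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp
access-list AUTH_TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq smtp
aaa authentication match AUTH_TRAFFIC inside AuthOutbound
!
! 3. Collect HTTP credentials over HTTPS. Without this, basic HTTP
! authentication carries the username and password to the FWSM in clear text.
aaa authentication secure-http-client
!
! 4. Stop prompting on new FTP connections. Users who already authenticated
! through another protocol pass; unauthenticated FTP is no longer offered a
! login and therefore does not pass.
aaa authentication ftp challenge disable
!
! 5. Account for the same traffic against the same server group.
aaa accounting match AUTH_TRAFFIC inside AuthOutbound
!
! 6. Devices that cannot answer a prompt are exempted by MAC address. The list
! is matched top-down: one host is carved out of an otherwise exempted range.
mac-list 1 deny 00a0.c95d.0282 ffff.ffff.ffff
mac-list 1 permit 00a0.c95d.0000 ffff.ffff.0000
aaa mac-exempt match 1
```

Downloadable access lists need nothing more on the FWSM than the RADIUS server group in step 1: the per-user list arrives from Cisco Secure ACS at authentication time under the #ACSACL#-ip- name shown above, while a filter-id (attribute 11) reply only works if an access list of that name already exists on the FWSM.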
  • Cisco 7604 | Configuration Guide - Page 361
    You can also use URL filtering to direct specific traffic to an external filtering server, such an of your URL filtering server, the time required for the initial connection may be noticeably slower
  • Cisco 7604 | Configuration Guide - Page 362
    to any foreign host. To remove the configuration, use the no form of the command, as in the following example: hostname(config)# no filter activex 80 0 0 0 0
  • Cisco 7604 | Configuration Guide - Page 363
    To remove the configuration, use the no form of the command, as in the following example: hostname(config)# no filter java http 192.168.3.3 255.255.255.255 0 0
  • Cisco 7604 | Configuration Guide - Page 364
    Server Addresses, page specific content servers, managing usage this way is difficult because of the size and dynamic nature of the Internet. You can simplify configuration.
  • Cisco 7604 | Configuration Guide - Page 365
    -server (perimeter) vendor n2h2 host 10.0.1.2 This identifies two Sentian filtering servers, both on a perimeter interface of the FWSM.
  • Cisco 7604 | Configuration Guide - Page 366
    Use the dst keyword to cache entries based on the URL destination address. Select this mode if all users share the same URL filtering policy on the Websense server.
  • Cisco 7604 | Configuration Guide - Page 367
    only) You can also configure the maximum size of the URL buffer memory pool with the following command: hostname(config)# url-block url-mempool memory_pool_size
  • Cisco 7604 | Configuration Guide - Page 368
    FWSM to send only the hostname or IP address portion of the URL for evaluation to the Filtering To exempt specific traffic from filtering port localIP local_mask foreign_IP foreign_mask [allow]
  • Cisco 7604 | Configuration Guide - Page 369
    /public/files. Viewing Filtering Statistics and Configuration This section describes how to monitor filtering statistics. This section includes the following topics:
  • Cisco 7604 | Configuration Guide - Page 370
    server url-server (outside) vendor n2h2 host 128.107.254.202 port 4005 timeout 5 protocol TCP To show information about the filtering server the configuration of the URL block buffer.
  • Cisco 7604 | Configuration Guide - Page 371
    are shown in the URL Access and URL Server Req rows. Viewing Filtering Configuration The following is sample output from the show running-config filter command:
  • Cisco 7604 | Configuration Guide - Page 372
    hostname# show running-config filter filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
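The Chapter 18 filtering commands (ActiveX and Java filtering, URL servers, the filter url rule and its exception, the URL block buffer and the URL cache) as one configuration for a Websense deployment. This is an added example for this page, not configuration from the guide. The interface name, server addresses and the exempted host are placeholders. The security-relevant choice is the allow keyword on filter url: it makes filtering fail-open when no server answers, which is convenient and also exactly what an attacker who can take the filtering servers offline wants.

```text
! Placeholders: interface name, server addresses, exempted host.
! Strip ActiveX objects and Java applets from HTTP responses for any inside
! host to any destination. Arguments: port, local IP, local mask, foreign IP,
! foreign mask (0 means any).
filter activex 80 0 0 0 0
filter java 80 0 0 0 0
!
! Two Websense servers on the perimeter interface; the FWSM moves to the
! second when the first stops answering within the timeout.
url-server (perimeter) vendor websense host 10.0.1.1 timeout 30 protocol TCP version 4
url-server (perimeter) vendor websense host 10.0.1.2 timeout 30 protocol TCP version 4
!
! Send every HTTP URL to the server for a verdict. "allow" means fail-open:
! with no server reachable, traffic passes unfiltered. Remove it to fail closed.
filter url http 0 0 0 0 allow
! Do not filter one administrator host at all.
filter url except 10.1.1.54 255.255.255.255 0 0
!
! Hold the web server's reply until the verdict arrives, so the user never
! sees a page that is then denied. Block buffer size (blocks), URL size for
! long URLs (KB, Websense only), and the URL memory pool (KB).
url-block block 128
url-block url-size 4
url-block url-mempool 1500
!
! Cache verdicts by destination; valid because all users share one Websense
! policy. The server no longer sees cached requests, so its logs are partial.
url-cache dst 128
```

show url-server statistics and show url-block block statistics show whether requests are reaching the servers and whether the block buffer is overflowing; a climbing count of allowed-on-timeout requests with allow configured is the signal that filtering has quietly stopped happening.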
  • Cisco 7604 | Configuration Guide - Page 373
    to all bridge groups. When you enable ARP inspection, the FWSM compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table
  • Cisco 7604 | Configuration Guide - Page 374
    outside enable no-flood To view the current settings for ARP inspection on all interfaces, enter the show arp-inspection command.
  • Cisco 7604 | Configuration Guide - Page 375
    MAC address table entries is 5 minutes, but you can change the timeout. To change the timeout, enter the following command: hostname(config)# mac-address-table aging-time timeout_value
  • Cisco 7604 | Configuration Guide - Page 376
    hostname# show mac-address-table inside
    interface   mac address       type      Age(min)   Group
    inside      0010.7cbe.6101    static    -          Eng
    inside      0009.7cbe.5101    dynamic   10         Eng
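The Chapter 19 protections for a transparent firewall (static ARP entries, ARP inspection, a static MAC address table entry and the aging timer) in one configuration. This is an added example for this page, not configuration from the guide. The interface names, IP addresses and MAC addresses are placeholders. The point worth seeing in one place is how flood and no-flood interact with the static ARP table: a packet that contradicts a static entry is dropped either way, and the keyword only decides what happens to ARP packets for hosts that have no static entry at all.

```text
! Transparent mode, one bridge group with inside and outside.
! Addresses and MAC addresses are placeholders.
! Static ARP entries for the hosts the FWSM must be able to trust.
arp inside 10.1.1.10 0009.7cbe.2100
arp outside 10.1.1.1 0009.7cbe.2101
!
! ARP inspection: an ARP packet whose MAC, IP or source interface contradicts a
! static entry is dropped on both interfaces. For ARP packets matching no entry,
! flood (the default) forwards them out the other interfaces, no-flood drops
! them. no-flood is safe only once every legitimate host has a static entry;
! here the outside has one router and is locked down, the inside is not yet.
arp-inspection inside enable flood
arp-inspection outside enable no-flood
!
! Pin the router's MAC to the outside interface so a spoofed frame arriving on
! inside cannot move the entry and pull gateway-bound traffic to the attacker.
mac-address-table static outside 0009.7cbe.2101
!
! Keep dynamically learned entries twice as long as the 5-minute default.
mac-address-table aging-time 10
```

show arp-inspection confirms the per-interface mode, and show mac-address-table shows the pinned entry with type static and no age, as in the output above; a dynamic entry for the router's MAC appearing on inside after this is configured is itself worth an alert.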
  • Cisco 7604 | Configuration Guide - Page 377
    configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications. This section includes the following topics: • Modular Policy Framework Supported Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 20-1
  • Cisco 7604 | Configuration Guide - Page 378
    might only want to perform certain actions on traffic from 10.1.1.0/24 to any destination address. Layer 3/4 Class Map Layer 3/4 Class Map 241506 See the "Identifying Traffic Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748
  • Cisco 7604 | Configuration Guide - Page 379
    inspect h323 ras inspect netbios inspect rsh inspect skinny inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp service-policy global_policy global OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 20-3
  • Cisco 7604 | Configuration Guide - Page 380
    : class-map class-default match any This class map appears at the end of all Layer 3/4 policy maps and essentially tells the FWSM to not an inspection policy map
  • Cisco 7604 | Configuration Guide - Page 381
    traffic based on protocols, ports, IP addresses and other Layer 3 or ports used by all applications that the FWSM can inspect. hostname(config-cmap)# match default-inspection-traffic
  • Cisco 7604 | Configuration Guide - Page 382
    on all interfaces. Not all applications whose ports are included in the match default-inspection-traffic configure special actions for many application inspections. When you enable an inspection engine
  • Cisco 7604 | Configuration Guide - Page 383
    the "Inspection Engine Overview" section on page 22-2 for a list of applications that support inspection policy maps map to match application traffic to criteria specific to the application, such as a URL
  • Cisco 7604 | Configuration Guide - Page 384
    (config-pmap-c)# Not all applications support inspection class maps. • Specify traffic are available for each application. Other actions specific to the application might also be available. See
  • Cisco 7604 | Configuration Guide - Page 385
    sip2 log class sip1 log Step 4 To configure parameters that affect the inspection engine, enter the following command: hostname(config-pmap)# by the service policy.
  • Cisco 7604 | Configuration Guide - Page 386
    specific to an application. For example, for HTTP traffic, you can match a particular URL. Note Not all applications support inspection class maps. See the CLI help for a list of supported
  • Cisco 7604 | Configuration Guide - Page 387
    slashes, like "http://", be sure to search for "http:/" instead. Table 20-1 lists the metacharacters that have special meanings.
  • Cisco 7604 | Configuration Guide - Page 388
    it looks for a match. Specifies the beginning of a line. When used with a metacharacter, matches a literal character. For example, \[ matches the left square bracket.
  • Cisco 7604 | Configuration Guide - Page 389
    metacharacter, matches the literal character. Matches a carriage return 0x0d. Matches a new line 0x0a. Matches a tab 0x09. Matches a form feed 0x0c. Matches an ASCII
  • Cisco 7604 | Configuration Guide - Page 390
    at least one of the regular expressions. The CLI enters class-map configuration mode. (Optional) Add a description to the class map by entering the Map, page 20-18
  • Cisco 7604 | Configuration Guide - Page 391
    map, you can assign multiple actions from one or more feature types, if supported. See the "Incompatibility of Certain Feature Actions" section on page 20-17.
  • Cisco 7604 | Configuration Guide - Page 392
    RPC n. RSH o. RTSP p. SIP q. Skinny r. SMTP s. SNMP t. SQL*Net u. TFTP v. XDMCP w. DCERPC 3. Permitting or Denying Application Types with PISA Integration
  • Cisco 7604 | Configuration Guide - Page 393
    Inspection Also Configured class-map ftp match port tcp 80 [it should be 21] class-map http match port tcp 80 policy-map test class http inspect http class ftp inspect ftp
  • Cisco 7604 | Configuration Guide - Page 394
    if it is outbound than if it is inbound. Default Layer 3/4 Policy Map The configuration includes a default Layer 3/4 policy map that the FWSM uses in the default global
  • Cisco 7604 | Configuration Guide - Page 395
    traffic hostname(config)# class-map http_traffic hostname(config-cmap)# match port tcp eq 80 hostname(config)# policy-map outside_policy hostname(config- the same feature domain:
  • Cisco 7604 | Configuration Guide - Page 396
    a specific policy, enter the following command: hostname(config)# service-policy policy_map_name global By default, the configuration includes no service-policy global_policy global
  • Cisco 7604 | Configuration Guide - Page 397
    Connection Limits to HTTP Traffic to Specific Servers, page 20-22 • any HTTP connection (TCP traffic on port 80) that enters the FWSM through service-policy http_traffic_policy global
  • Cisco 7604 | Configuration Guide - Page 398
    is used, then you must use the real IP address in the access list in the class map. If you applied it to the outside interface, you would use the mapped addresses.
  • Cisco 7604 | Configuration Guide - Page 399
    Figure 20-3 HTTP Inspection with NAT Modular Policy Framework Examples port 80 Host insp. inside Real IP: 10.1.1.1 Mapped IP: service-policy http_client interface inside
  • Cisco 7604 | Configuration Guide - Page 400
    Modular Policy Framework Examples Chapter 20 Using Modular Policy Framework
  • Cisco 7604 | Configuration Guide - Page 401
    and not data connections; for data connections, the TCP sequence continues to be randomized. You can also configure maximum connections and TCP sequence randomization in the NAT
  • Cisco 7604 | Configuration Guide - Page 402
    hostname(config)# class-map CONNS hostname(config-cmap)# match any To match specific traffic, you can match an access list: hostname(config)# access-list CONNS .
  • Cisco 7604 | Configuration Guide - Page 403
    To activate the policy map on one or more interfaces, enter the following command: hostname(config)# service-policy policymap_name {global | interface interface_name}
  • Cisco 7604 | Configuration Guide - Page 404
    and PISA integration is to consolidate your security configuration on a single FWSM instead of having to configure multiple upstream switches with PISAs installed.
  • Cisco 7604 | Configuration Guide - Page 405
    the original routing/switching paths for the modified packet. The GRE encapsulation adds 32 bytes (20 bytes for the outer IP header and 12 bytes for the GRE header).
  • Cisco 7604 | Configuration Guide - Page 406
    see the supported protocol names, end, PISA actions have an implicit permit at the end. For example, to permit all traffic except for Skype, eDonkey, and Yahoo, enter the following commands:
  • Cisco 7604 | Configuration Guide - Page 407
    page 21-8 • Sample Switch Configurations for PISA Integration, page 21-9 PISA Limitations and Restrictions The following limitations and restrictions apply to the PISA:
  • Cisco 7604 | Configuration Guide - Page 408
    underlying PISA infrastructure also does not support acceleration of IPv6 packets. • Currently port; for example, you cannot enable classification on access ports and tagging on a trunk port.
  • Cisco 7604 | Configuration Guide - Page 409
    -2 Layer 2 Mode (Interface-based, Protocol Discovery on Uplink Ports) Router(config)# interface gigabitethernet 6/1 Router(config-if)# ip nbar protocol-discovery ! Classification
  • Cisco 7604 | Configuration Guide - Page 410
    section describes how to configure TCP state bypass, and includes the following topics: • TCP State Bypass Overview, page 21-11 • Enabling TCP State Bypass, page 21-13
  • Cisco 7604 | Configuration Guide - Page 411
    Chapter 21 Configuring Advanced Connection Features Configuring TCP State Bypass TCP State Bypass Overview This section describes how was not a SYN packet that went
  • Cisco 7604 | Configuration Guide - Page 412
    for TCP state bypass traffic; if you use dynamic NAT, the address chosen for the session on FWSM 1 will differ from the address chosen for the session on FWSM 2.
  • Cisco 7604 | Configuration Guide - Page 413
    is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface. map tcp_bypass
  • Cisco 7604 | Configuration Guide - Page 414
    only looks at the destination address when determining where to forward the packet. Unicast RPF instructs the FWSM to also look at the source address; this is why it
  • Cisco 7604 | Configuration Guide - Page 415
    fragmentation on a specific interface. By default . To shun a connection manually, perform the following steps: shun connections from the source IP address, enter the following command: hostname(config
  • Cisco 7604 | Configuration Guide - Page 416
    Blocking Unwanted Connections Chapter 21 Configuring Advanced Connection Features
  • Cisco 7604 | Configuration Guide - Page 417
    This chapter describes how to configure application layer protocol inspection. Inspection engines are required for services that embed IP addressing information in the user data packet or that open secondary channels on dynamically assigned ports. These protocols require the FWSM to perform a deep
  • Cisco 7604 | Configuration Guide - Page 418
    connection. This information is used by the Adaptive Security Algorithm and cut-through proxy to efficiently forward traffic within established sessions.
  • Cisco 7604 | Configuration Guide - Page 419
    inspection engines do not support PAT, NAT, outside NAT, or NAT between same security interfaces. See "Default Inspection Policy" for more information about NAT support.
  • Cisco 7604 | Configuration Guide - Page 420
    through WINS. Comments - Supports the map and lookup operations of the EPM for clients. No PTR records are changed. Default maximum packet length is 512 bytes.
  • Cisco 7604 | Configuration Guide - Page 421
    2327, No handling for HTTP cloaking. 1889 RFC 3261 - - Does not handle TFTP uploaded Cisco IP Phone configurations under certain circumstances. RFC 821, 1123 -
  • Cisco 7604 | Configuration Guide - Page 422
    Configuring Application Inspection Chapter 22 Applying Application Layer Protocol Inspection Table 22-1 Supported Application Inspection Engines (continued) Application1 Default Port
  • Cisco 7604 | Configuration Guide - Page 423
    maps use commands in the form protocol-map. • DCERPC-See the "Configuring a DCERPC Inspection Policy Map for Additional Inspection Control" section on page 22-17.
  • Cisco 7604 | Configuration Guide - Page 424
    policy map according to "Configuring a DCERPC Inspection Policy Map for Additional Inspection Control" section on page 22-17, identify the map name in this command. -
  • Cisco 7604 | Configuration Guide - Page 425
    you added an SNMP application map according to "Enabling and Configuring SNMP Application Inspection" section on page 22-98, identify the map name in this command. -
  • Cisco 7604 | Configuration Guide - Page 426
    includes UDP port 111; if you want to enable Sun RPC inspection for TCP port 111, you need to create a new class map that matches TCP port 111, support configurations with the alias command.
  • Cisco 7604 | Configuration Guide - Page 427
    the class map you created in Step 1. The CLI enters the policy map class configuration mode and the prompt changes accordingly. Enable CTIQBE application inspection.
  • Cisco 7604 | Configuration Guide - Page 428
    allocated by the CTIQBE inspection engine. The following is sample output address and RTP listening port is PATed to 209.165.201.2 UDP port 1028. Its RTCP listening port is PATed to UDP 1029.
  • Cisco 7604 | Configuration Guide - Page 429
    , U - up CTIQBE Sample Configurations The following figure shows a sample configuration for a single transparent firewall for Cisco IP SoftPhone (Figure 22-2).
  • Cisco 7604 | Configuration Guide - Page 430
    single transparent firewall for Cisco IP SoftPhone with NetMeeting enabled (Figure 22-3). Cisco IP SoftPhone is configured with the collaboration setting of NetMeeting.
  • Cisco 7604 | Configuration Guide - Page 431
    ! Note To allow successful collaboration and application sharing, TCP ports 1503 and 1720 must be allowed to pass through. The following media, D - DNS, d - dump,
  • Cisco 7604 | Configuration Guide - Page 432
    messages: • End point mapper (EPMAP) • RemoteCreateInstance • Any message that does not contain an IP address or port information because these messages do not require inspection
  • Cisco 7604 | Configuration Guide - Page 433
    string To configure parameters that affect the inspection engine, perform the following steps: a. To enter parameters configuration mode, enter service-policy global-policy global
  • Cisco 7604 | Configuration Guide - Page 434
    hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol). DNS identification is tracked by app_id, and the
  • Cisco 7604 | Configuration Guide - Page 435
    is on an inside interface. For an illustration and configuration instructions for this scenario, see the "DNS Rewrite with Three NAT Zones" section on page 22-22.
  • Cisco 7604 | Configuration Guide - Page 436
    the address 192.168.100.10 on the inside interface is translated into 209.165.201.5 on the outside interface: hostname(config)# static (inside,outside) 209.165.200.225 192.168.100.10 dns
  • Cisco 7604 | Configuration Guide - Page 437
    -address eq port where the arguments are as follows: acl-name-The name you give the access-list. mapped-address-The translated IP address of the web server. port-The TCP port www
  • Cisco 7604 | Configuration Guide - Page 438
    interface outside This configuration requires the following A- configuration. For configuration instructions for scenarios like this one, see the "Configuring address of server.example.com.
  • Cisco 7604 | Configuration Guide - Page 439
    server. • real-address-The real IP address of the web server. Create an access list that permits traffic to the port that the web server listens to for HTTP requests.
  • Cisco 7604 | Configuration Guide - Page 440
    enters class map configuration mode. Use the match port command to identify DNS traffic. The default port for DNS is UDP port 53. hostname(config-cmap)# match port udp eq 53
  • Cisco 7604 | Configuration Guide - Page 441
    by a new DNS session. This is due to the nature of the shared DNS connection and is by design.
  • Cisco 7604 | Configuration Guide - Page 442
    source and destination IP address along with the protocol and the DNS ID instead of the source and destination ports. If the DNS Configuring Application Inspection" section on page 22-6.
  • Cisco 7604 | Configuration Guide - Page 443
    (config-pmap-p)# b. To configure a local domain name, enter the following command: hostname(config-pmap-p)# mail-relay domain-name action [drop-connection | log]]
  • Cisco 7604 | Configuration Guide - Page 444
    addresses. h. (Optional) To match the command line length, enter the following command: hostname(config-pmap-p)# match cmd line length gt length Where length is the command line
  • Cisco 7604 | Configuration Guide - Page 445
    Optional) To match a sender address, enter the following command: hostname(config-pmap-p)# match sender-address regex [name | class name] service-policy outside_policy interface outside
  • Cisco 7604 | Configuration Guide - Page 446
    PORT commands are checked to ensure they do not appear in an error string. Caution Using the strict option may cause the failure of FTP clients that are not strictly compliant with FTP RFCs.
  • Cisco 7604 | Configuration Guide - Page 447
    PORT command is assumed to be truncated and the TCP connection is closed. • Incorrect command-Checks the ftp command to see if it ends with characters, as required
  • Cisco 7604 | Configuration Guide - Page 448
    of contiguous ports for a single protocol, use match port command with the range keyword, as follows: hostname(config-cmap)# match port tcp range begin_port_number end_port_number
  • Cisco 7604 | Configuration Guide - Page 449
    Step 7 c. (Optional) If you want to disallow specific FTP commands, use the request-command deny command and want to use to apply the FTP inspection engine to FTP traffic. To do so, use the policy-
  • Cisco 7604 | Configuration Guide - Page 450
    shortage. In conjunction with NAT, the FTP application inspection translates the IP address within the application payload. This is described in detail in RFC 959.
  • Cisco 7604 | Configuration Guide - Page 451
    . GTP allows multi-protocol packets to be tunneled through a UMTS/GPRS backbone between a GGSN, an SGSN and the UTRAN.
  • Cisco 7604 | Configuration Guide - Page 452
    Protocol Inspection GTP does not include any inherent security or encryption of user data, but using GTP with the FWSM helps protect your network against these risks
  • Cisco 7604 | Configuration Guide - Page 453
    follows. hostname(config-cmap)# gtp-map map_name hostname(config-gtp-map)# where map_name is the name of the GTP map. The CLI enters GTP map configuration mode.
  • Cisco 7604 | Configuration Guide - Page 454
    -map sample_policy hostname(config-pmap)# class gtp-traffic hostname(config-pmap-c)# inspect gtp sample_map hostname(config)# service-policy sample_policy outside
  • Cisco 7604 | Configuration Guide - Page 455
    packet data network and a MS user. You can use the vertical bar (|) to filter the display, as in the following example: hostname# show service-policy gtp statistics | grep gsn
  • Cisco 7604 | Configuration Guide - Page 456
    achieve load balancing on the GGSN. To enable support for GSN pooling, use the permit response command. -object host IP-address hostname(config)# where IP-address is the IP address of the host.
  • Cisco 7604 | Configuration Guide - Page 457
    . Several Cisco mobile wireless applications are supported. This sample configuration runs Cisco Gateway GPRS Support (General Packet Radio Service Packet Gateway application).
  • Cisco 7604 | Configuration Guide - Page 458
    virtual 10.2.1.29 udp 3386 service gtp serverfarm GGSN-POOL inservice ! ip slb vserver GTP-V1 virtual 10.2.1.29 udp 2123 service gtp serverfarm GGSN-POOL inservice !
  • Cisco 7604 | Configuration Guide - Page 459
    GigabitEthernet0/0 no ip address ! interface GigabitEthernet0/0.1 ! interface GigabitEthernet0/0.8 encapsulation dot1Q 8 ip address 10.1.1.2 255.255.255.0 no snmp trap link-status !
  • Cisco 7604 | Configuration Guide - Page 460
    -start-marker boot-end-marker ! ! no aaa new-model ! resource policy ! ip subnet-zero ip dfp agent gprs port 1111 password cisco inservice ! ip cef no ip domain lookup
  • Cisco 7604 | Configuration Guide - Page 461
    -level 100 ip address 172.21.64.35 255.255.255.128 standby 172.21.64.36 ! interface Vlan5 nameif inside security-level 100 ip address 10.2.1.41 255.255.255.0 standby 10.2.1.40 !
  • Cisco 7604 | Configuration Guide - Page 462
    address 209.165.201.41 255.255.255.0 standby 209.165.201.40 ! passwd 2KFQnbNIdI.2KYOU encrypted same-security-traffic permit inter-interface object-group network GGSNS configured pager lines 24
  • Cisco 7604 | Configuration Guide - Page 463
    , page 22-48 • Limitations and Restrictions, page 22-49 • Enabling and Configuring H.323 Inspection, page 22-51 • Topologies Requiring H.225 Configuration, page 22-50
  • Cisco 7604 | Configuration Guide - Page 464
    The H.323 control channel handles H.225 and H.245 and H.323 RAS. H.323 inspection uses the following ports. • UDP port 1718-Gate Keeper Discovery • UDP port 1719-RAS
  • Cisco 7604 | Configuration Guide - Page 465
    network static address is the same as a third-party netmask and address, then any outbound H.323 connection fails. • Dynamic NAT (PAT) is not supported for H.323-GUP inspection.
  • Cisco 7604 | Configuration Guide - Page 466
    configuration is required in this scenario. To provide the necessary configuration allows the FWSM to open dynamic, port-specific pinholes for an H.245 connection when configuration mode.
  • Cisco 7604 | Configuration Guide - Page 467
    that identify the ports required for H.323 traffic, enter the following command for each ACE: hostname(config)# access-list acl-name permit {udp | tcp} any any eq port where acl-
  • Cisco 7604 | Configuration Guide - Page 468
    specific interface, use the interface interface_ID option, where interface_ID is the name assigned to the interface with the nameif command. The FWSM begins inspecting H.323 traffic, as specified.
  • Cisco 7604 | Configuration Guide - Page 469
    : • Monitoring H.225 Sessions, page 22-54 • Monitoring H.245 Sessions, page 22-54 • Monitoring H.323 RAS Sessions, page 22-55
  • Cisco 7604 | Configuration Guide - Page 470
    event, and show local-host commands, this command is used for troubleshooting H.323 inspection engine issues. The following is sample output from the show h245 command:
  • Cisco 7604 | Configuration Guide - Page 471
    where the Cisco Gatekeeper devices are employed because GUP is a Cisco proprietary protocol. • Dynamic NAT and dynamic PAT are not supported in H.323 GUP inspection.
  • Cisco 7604 | Configuration Guide - Page 472
    gatekeeper running GUP protocol is reachable. In this example, RAS inspection is turned on for both inside and outside interfaces.
  • Cisco 7604 | Configuration Guide - Page 473
    [Figure residue: H.323 GUP topology showing the Firewall Service Module (FWSM) with inside 209.100.100.2 / 10.100.100.2, R1 on vlan 50, a Cisco 3745 H.323 Gateway (extension 4085550199, analog phone) and a Cisco 3745 Gatekeeper]
  • Cisco 7604 | Configuration Guide - Page 474
    4085550100 hostname(config-dial-peer)#session target ras Forward all voice calls destined to 4085550199 to voice port 3/0/0: hostname(config)#dial-peer voice 102 pots
  • Cisco 7604 | Configuration Guide - Page 475
    port 3/0/0 hostname(config-dial-peer)#^Z Configuration of the IOS H.323 Gatekeeper (router -if)# security-level 100 hostname(config-if)# ip address 10.100.100.2 255.0.0.0 hostname(config-if)# hostname
  • Cisco 7604 | Configuration Guide - Page 476
    Configuring an HTTP Inspection Policy Map for Additional Inspection Control, page 22-60 HTTP Inspection Overview Use the HTTP inspection engine to protect against specific
  • Cisco 7604 | Configuration Guide - Page 477
    map if it matches at least one of the criteria. The CLI enters class-map configuration mode, where you can enter one or more match commands. b. (Optional) To add a
  • Cisco 7604 | Configuration Guide - Page 478
    in the HTTP response message status line, enter the following command: hostname(config-cmap)# match [not] response status-line {regex [regex_name | class
  • Cisco 7604 | Configuration Guide - Page 479
    page 20-7. To configure parameters that affect the inspection engine, perform the following steps: a. To enter parameters configuration mode, enter the following
  • Cisco 7604 | Configuration Guide - Page 480
    about ILS inspection, see the inspect ils command page in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
  • Cisco 7604 | Configuration Guide - Page 481
    and configure MGCP application inspection and change the default port configuration. This you support a large number of devices on an internal network with a limited set of external (global) addresses.
  • Cisco 7604 | Configuration Guide - Page 482
    for data. instruct the endpoints to detect certain events and generate signals. The endpoints automatically communicate changes in service configure inspection for traffic sent to two ports:
  • Cisco 7604 | Configuration Guide - Page 483
    list acl-name permit udp any any eq port-2 where acl-name is the name you assign to the access list, port-1 is the first MGCP port and port-2 is the second MGCP port.
  • Cisco 7604 | Configuration Guide - Page 484
    you want to use to apply the MGCP inspection engine to MGCP traffic. To do so, use the policy service-policy command to apply the policy map globally or to a specific interface, as follows:
  • Cisco 7604 | Configuration Guide - Page 485
    interface. This creates a class map to match MGCP traffic on the default ports (2427 and 2727). This configuration allows call agents 10.10.11.5 and 10.10.11.6 to control gateway
  • Cisco 7604 | Configuration Guide - Page 486
    name aaln/1 Media lcl port 6166 Media rmt IP 192.168.5.7 Media rmt port 6058 MGCP Sample Configuration Figure 22-12 shows a sample configuration for MGCP inspection:
  • Cisco 7604 | Configuration Guide - Page 487
    )# command-queue 150 hostname(config-mgcp-map)# exit Apply MGCP inspection with MGCP map: hostname(config)# policy-map global_policy
  • Cisco 7604 | Configuration Guide - Page 488
    voice 101 pots hostname(config-dial-peer)# application mgcpapp hostname(config-dial-peer)# port 3/0/0 NetBIOS Inspection NetBIOS inspection is enabled by default.
  • Cisco 7604 | Configuration Guide - Page 489
    rsh command page in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference. RTSP Inspection This section describes how to enable RTSP application inspection and change the default port configuration. This section includes the following topics: • RTSP
  • Cisco 7604 | Configuration Guide - Page 490
    . Use the access-list extended command to do so, adding an ACE to match each port, as follows. hostname(config)# access-list acl-name permit tcp any any eq port_number
  • Cisco 7604 | Configuration Guide - Page 491
    22-11 shows how to enable the RTSP inspection engine for RTSP traffic on the default ports (554 and 8554). The service policy is then applied to the outside interface.
  • Cisco 7604 | Configuration Guide - Page 492
    . - The SIP registrar server is on the outside network. - The port is missing in the contact field in the REGISTER message sent by the endpoint to the proxy server.
  • Cisco 7604 | Configuration Guide - Page 493
    from the inside endpoint. Unsolicited RTP/RTCP UDP packets to an inside interface do not traverse the FWSM, unless the FWSM configuration specifically allows it.
  • Cisco 7604 | Configuration Guide - Page 494
    interface, all SIP signaling messages go through the SIP proxy server. IP Address Privacy can be enabled when SIP over TCP or UDP application inspection is enabled.
  • Cisco 7604 | Configuration Guide - Page 495
    Layer Protocol Inspection SIP Inspection The CLI enters class-map configuration mode, where you can enter one or more match commands. b. (Optional) in Step 2.
  • Cisco 7604 | Configuration Guide - Page 496
    (Optional) To configure parameters that affect the inspection engine, perform the following steps: a. To enter parameters configuration mode, enter the following
  • Cisco 7604 | Configuration Guide - Page 497
    im c. To enable or disable IP address privacy, enter the following command: hostname(config-pmap-p)# ip-address-privacy d. To enable check on Max-forwards over SIP:
  • Cisco 7604 | Configuration Guide - Page 498
    hostname(config-pmap-c)# inspect sip mymap hostname(config)# service-policy global_policy global Configuring SIP Timeout Values The media connections are torn down
  • Cisco 7604 | Configuration Guide - Page 499
    SIP Inspection Figure 22-13 Media Connection Clear on BYE Message [Figure residue: UAC, Firewall Service Module (FWSM), UAC; message sequence INVITE, 100 Trying, 180 Ringing, 200 OK, RTP media connection]
  • Cisco 7604 | Configuration Guide - Page 500
    Inspection Figure 22-14 Media Connection Clear on CANCEL Message [Figure residue: UAC, Firewall Service Module (FWSM), UAC; message sequence INVITE, 100 Trying, 180 Ringing with SDP, timer]
  • Cisco 7604 | Configuration Guide - Page 501
    the absence of the EXPIRE field in the SIP INVITE message, the timeout for provisional responses is set to the value configured using the timeout sip-invite command.
  • Cisco 7604 | Configuration Guide - Page 502
    and Monitoring SIP Inspection The show sip command assists in troubleshooting SIP inspection engine issues and is described with the inspect protocol sip udp a call.
  • Cisco 7604 | Configuration Guide - Page 503
    hostname(config)# ! hostname(config)# sip-map privacy hostname(config-if)# ip-address-privacy hostname(config)# ! hostname(config)# nat-control hostname(config)# static (inside
  • Cisco 7604 | Configuration Guide - Page 504
    hiding each phone IP address. RTP traffic is not switched via the same subnet. Instead, it is routed via the FWSM. hostname(config)# show conn 6 in use, 28 most used
  • Cisco 7604 | Configuration Guide - Page 505
    to use. By supporting NAT and PAT of SCCP Signaling packets, Skinny application inspection ensures that all SCCP signaling and media packets can traverse the FWSM.
  • Cisco 7604 | Configuration Guide - Page 506
    The FWSM supports stateful failover of SCCP calls except for calls that are in the middle of call setup. Configuring and Enabling SCCP Inspection SCCP inspection is enabled by default.
  • Cisco 7604 | Configuration Guide - Page 507
    (config-pmap-c)# inspect skinny Return to policy map configuration mode by entering the following command: hostname(config-pmap-c)# exit hostname(config-pmap)#
  • Cisco 7604 | Configuration Guide - Page 508
    service-policy sample_policy interface outside Verifying and Monitoring SCCP Inspection The show skinny command assists in troubleshooting SCCP (Skinny) inspection engine
  • Cisco 7604 | Configuration Guide - Page 509
    any host 209.165.201.210 eq 2000 Apply the above access lists on the inside and outside interfaces for incoming traffic:
  • Cisco 7604 | Configuration Guide - Page 510
    port configuration. This section includes the following topics: • SMTP and Extended SMTP Inspection Overview, page 22-94 • Configuring process for ESMTP includes support for SMTP sessions. Most
  • Cisco 7604 | Configuration Guide - Page 511
    supports seven RFC 821 commands (DATA, HELO, MAIL, NOOP, QUIT, RCPT, RSET). The inspect esmtp command supports those seven commands and supports in the mail address is replaced. For more information
  • Cisco 7604 | Configuration Guide - Page 512
    command: hostname(config-pmap-c)# inspect esmtp b. To enable SMTP application inspection, enter the following command: hostname(config-pmap-c)# inspect smtp
  • Cisco 7604 | Configuration Guide - Page 513
    required by your security policy. The FWSM can deny SNMP versions 1, 2, 2c, or 3. You control the versions permitted by using the deny version command in SNMP map configuration mode.
  • Cisco 7604 | Configuration Guide - Page 514
    configuration mode. Use a match command to identify traffic sent to the SNMP ports you determined in Step 1. If you need to assign a range of contiguous ports SNMP inspection engine to the SNMP
  • Cisco 7604 | Configuration Guide - Page 515
    in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference. Sun RPC Inspection This section describes how to enable Sun RPC application inspection, change the default port configuration, and manage the Sun RPC service table. This section includes the
  • Cisco 7604 | Configuration Guide - Page 516
    listens to a single port, you can use the match port command to identify traffic sent to that port, as follows: hostname(config-cmap)# match port tcp eq port_number
  • Cisco 7604 | Configuration Guide - Page 517
    (config-pmap)# class sunrpc_port hostname(config-pmap-c)# inspect sunrpc hostname(config-pmap-c)# service-policy sample_policy interface outside hostname(config)#
  • Cisco 7604 | Configuration Guide - Page 518
    .2:111 idle 0:00:04 flags UDP out 209.165.200.5:712 in 192.168.100.2:647 idle 0:00:05 flags -
  • Cisco 7604 | Configuration Guide - Page 519
    output, port 647 corresponds to the mountd daemon running over UDP. The mountd process would more commonly be using port 32780, but it uses TCP port 650 in this example.
  • Cisco 7604 | Configuration Guide - Page 520
    , see the established and inspect pptp command pages in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
  • Cisco 7604 | Configuration Guide - Page 521
    PART 3 System Administration
  • Cisco 7604 | Configuration Guide - Page 522
  • Cisco 7604 | Configuration Guide - Page 523
    list allowing the host IP address. You only need to configure management access according to the prompt and avoid this situation, enter the pager lines 0 command. Please note that concurrent access to
  • Cisco 7604 | Configuration Guide - Page 524
    XML management over SSL and SSH are not supported. This section includes the following topics: • Configuring SSH Access, page 23-3 • Using an SSH Client, page 23-3
  • Cisco 7604 | Configuration Guide - Page 525
    , the password is "cisco." When starting an SSH session, a dot (.) displays on the FWSM console before the SSH user authentication prompt appears, as follows: hostname(config)# .
  • Cisco 7604 | Configuration Guide - Page 526
    the IP address of the client. Instead, you rely on client authentication. Transparent firewall mode does not support remote clients. Transparent mode does support site-to-site tunnels.
  • Cisco 7604 | Configuration Guide - Page 527
    alone, or encryption alone, these methods are not secure. You refer to this transform set when you configure the VPN client group or a site-to-site tunnel.
  • Cisco 7604 | Configuration Guide - Page 528
    sets in order of priority (highest priority first). This dynamic crypto map allows unknown IP addresses to connect to the FWSM. The dynamic-map name is used in Step 2.
  • Cisco 7604 | Configuration Guide - Page 529
    range of addresses that VPN password "passw0rd" can connect to the FWSM. hostname(config)# isakmp policy 1 authentication pre-share hostname(config)# isakmp policy 1 encryption 3des
  • Cisco 7604 | Configuration Guide - Page 530
    permit} {protocol} host fwsm_interface_address dest_address mask For the destination address, specify the addresses that are allowed to access the FWSM. See the "Adding
  • Cisco 7604 | Configuration Guide - Page 531
    To permit or deny address(es) to reach an FWSM interface with ICMP (either from a host to the FWSM, or from the FWSM to a host, which requires the ICMP reply to types.
  • Cisco 7604 | Configuration Guide - Page 532
    or SSH, and how to configure ASDM authentication. This section includes the following topics: • CLI Access Overview, page 23-11 • ASDM Access Overview, page 23-11
  • Cisco 7604 | Configuration Guide - Page 533
    to sessions from the switch to the FWSM (which enters the system execution space). The admin context AAA server or local user database is used in this instance.
  • Cisco 7604 | Configuration Guide - Page 534
    prompt to end the session Trying 127.0.0.41 ... Open User Access Verification Username: myRADIUSusername Password: myRADIUSpassword Type help or '?' for a list of available commands.
  • Cisco 7604 | Configuration Guide - Page 535
    user can only enter commands assigned to that privilege level or lower. See the "Configuring Local Command Authorization" section on page 23-15 for more information.
  • Cisco 7604 | Configuration Guide - Page 536
    users to level 1 so you can control who can use the system enable password to access privileged EXEC mode. To log in as a user from the local database, enter the
  • Cisco 7604 | Configuration Guide - Page 537
    username requires correlating the data from several servers. When configuring command support AAA commands; therefore, command authorization is not available in the system execution space. Configuring
  • Cisco 7604 | Configuration Guide - Page 538
    requires no configuration. mode {enable | cmd}] command command Repeat this command for each command you want to reassign. See the following information about the options in this command:
  • Cisco 7604 | Configuration Guide - Page 539
    enable The following example shows an additional command, the configure command, that uses the mode keyword: hostname(config)# privilege show level 5 mode cmd command configure
  • Cisco 7604 | Configuration Guide - Page 540
    the CLI, the FWSM sends the command and username to the TACACS+ server to determine if the command is authorized.
  • Cisco 7604 | Configuration Guide - Page 541
    and reliable. The necessary level of reliability typically requires that you have a fully redundant TACACS+ server authorization support. See the following guidelines for configuring commands in Cisco
  • Cisco 7604 | Configuration Guide - Page 542
    commands field, and deny password in the arguments field. Be sure to check the Permit Unmatched Args check box so that enable alone is still allowed (see Figure 23-3).
  • Cisco 7604 | Configuration Guide - Page 543
    23 Configuring Management Access Figure 23-3 Disallowing Arguments AAA for System Administrators • When you abbreviate a command at the command line, the - pager
  • Cisco 7604 | Configuration Guide - Page 544
    sample show curpriv command output. A description of each field follows. hostname# show curpriv Username : admin Current privilege level : 15 Current Mode/s : P_PRIV
  • Cisco 7604 | Configuration Guide - Page 545
    to the context and reconfigure your network settings. 2. Configure the local database as a fallback method so you do not get locked out when the server is down.
  • Cisco 7604 | Configuration Guide - Page 546
    in and reset the passwords and aaa commands. Session in to the FWSM from the switch. From the system execution space, you can change to the context and change the user level.
  • Cisco 7604 | Configuration Guide - Page 547
    steps: Step 1 Obtain the serial number for your FWSM by entering the following command: hostname> show version | include Number
  • Cisco 7604 | Configuration Guide - Page 548
    Software from the FWSM CLI, page 24-3 • Installing Application Software from the Maintenance Partition, page 24-5 • Installing ASDM from the FWSM CLI, page 24-8
  • Cisco 7604 | Configuration Guide - Page 549
    enter the following command: hostname# copy ftp://[user[:password]@]server[/path]/filename flash: • To copy from an HTTP or HTTPS server, enter the following command:
  • Cisco 7604 | Configuration Guide - Page 550
    "Proceed with reload?" prompt, press Enter to confirm the command. Rebooting... If you have a failover pair, see the "Upgrading Failover Pairs" section on page 24-9.
  • Cisco 7604 | Configuration Guide - Page 551
    command for your operating system. Note the current boot partition so you can set a new default boot partition. • Cisco IOS software Router# show boot device [mod_num]
  • Cisco 7604 | Configuration Guide - Page 552
    , perform the following steps: a. To assign an IP address to the maintenance partition, enter the following command: root@localhost# ip address ip_address netmask
  • Cisco 7604 | Configuration Guide - Page 553
    to the running configuration, use one of the following methods: • Paste the configuration at the command line. • To copy from a TFTP server, enter the following command:
  • Cisco 7604 | Configuration Guide - Page 554
    then enter the following command: hostname# ssh scopy enable Then from a Linux client, enter the following command: scp -v -pw password filename username@fwsm_address
  • Cisco 7604 | Configuration Guide - Page 555
    topics: • Upgrading an Active/Standby Failover Pair to a New Maintenance Release, page 24-10 • Upgrading an Active/Active Failover Pair to a New Maintenance Release, page 24-10
  • Cisco 7604 | Configuration Guide - Page 556
    In multiple context mode, enter the write memory all command from the system execution space. This command saves all context configurations to which the FWSM has write access.
  • Cisco 7604 | Configuration Guide - Page 557
    (config)# reload Proceed with reload? [confirm] At the "Proceed with reload?" prompt, press Enter to confirm the command. Rebooting...
  • Cisco 7604 | Configuration Guide - Page 558
    cause networking problems. Installing Maintenance Software You must install maintenance software Release 2.1(2) or later before you upgrade to FWSM Login: root Password:
  • Cisco 7604 | Configuration Guide - Page 559
    for your operating system: - Cisco IOS software Router# session slot number processor 1 - Catalyst operating system software Console> (enable) session module_number
  • Cisco 7604 | Configuration Guide - Page 560
    Memory, page 24-15 • Downloading a Text Configuration to the Startup or Running Configuration, page 24-15 • Downloading a Context Configuration to Disk, page 24-16
  • Cisco 7604 | Configuration Guide - Page 561
    information about a specific file, enter the configuration or running configuration from the server to the FWSM, enter one of the following commands for the appropriate download server:
  • Cisco 7604 | Configuration Guide - Page 562
    • To copy from an HTTP or HTTPS server, enter the following command: hostname# copy http[s]://[user[:password]@]server[:port][/path]/filename disk:[path/]filename
  • Cisco 7604 | Configuration Guide - Page 563
    [:password]@] configuration to the startup configuration server (connected to the admin context), enter the following command: hostname/contexta# copy running-config startup-config
  • Cisco 7604 | Configuration Guide - Page 564
    the write terminal, show configuration or show tech-support commands to view the configuration, the user and password are replaced with The default port is 80 for HTTP
  • Cisco 7604 | Configuration Guide - Page 565
    source outside verify-certificate hostname(config)# auto-update device-id hostname hostname(config)# auto-update poll-period 600 10 3
  • Cisco 7604 | Configuration Guide - Page 566
    Auto Update Support Chapter 24 Managing Software, Licenses, and Configurations Viewing Auto Update Server Status To view the Auto Update Server PST Tue Nov 12 2004
  • Cisco 7604 | Configuration Guide - Page 567
    . For more information about logging and syslog messages, see Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Log Messages.
  • Cisco 7604 | Configuration Guide - Page 568
    more syslog servers, an SNMP management station, specified e-mail addresses, or Telnet and SSH sessions. • Configure and manage syslog messages in groups, such as by
  • Cisco 7604 | Configuration Guide - Page 569
    messages, enter the following command: hostname(config)# logging names To print IP addresses instead of mapped names of hosts or networks in syslog messages, enter
  • Cisco 7604 | Configuration Guide - Page 570
    messages are logged, extract data from the log and save the records to another file for reporting, or track statistics using a site-specific script. The syslog server
  • Cisco 7604 | Configuration Guide - Page 571
    (config)# logging facility number Most UNIX systems expect the syslog messages to arrive at facility 20. hostname(config)# logging
  • Cisco 7604 | Configuration Guide - Page 572
    config)# logging recipient-address e-mail_address [severity_level] If a severity level is not specified, the default severity level is used (error condition, severity level 3).
  • Cisco 7604 | Configuration Guide - Page 573
    Configuring Logging for ASDM, page 25-7 • Clearing the ASDM Log Buffer, page 25-8 Configuring Logging for ASDM Note To start logging to ASDM as defined in this procedure
  • Cisco 7604 | Configuration Guide - Page 574
    For information about creating custom message lists, see the "Filtering Syslog Messages with Custom Message Lists" section on page 25-14.
  • Cisco 7604 | Configuration Guide - Page 575
    the buffer as defined in this procedure, be sure to enable logging for all output locations. See the "Enabling Logging to All Configured Output Destinations" section on page 25
  • Cisco 7604 | Configuration Guide - Page 576
    be saved to internal flash memory each time the buffer wraps, enter the following command: hostname(config)# logging flash-bufferwrap
  • Cisco 7604 | Configuration Guide - Page 577
    -12 • Filtering Syslog Messages by Class, page 25-12 • Filtering Syslog Messages with Custom Message Lists, page 25-14
  • Cisco 7604 | Configuration Guide - Page 578
    destination. Specifically, you can configure the address to notify system administrators of a possible problem message class. For instructions, see the " configuration takes precedence.
  • Cisco 7604 | Configuration Guide - Page 579
    enables syslog server logging. Select one destination per command-line entry. If you want to specify that a class ) IP Stack Network Processor OSPF Routing RIP Routing Resource Manager
  • Cisco 7604 | Configuration Guide - Page 580
    messages with severity levels of 1 and 2 and send them to one or more e-mail addresses. • Select all syslog messages associated with a message class (such as "ha") and save
  • Cisco 7604 | Configuration Guide - Page 581
    messages while they are waiting to be sent to the configured output destination. The number of blocks required depends on the length of the syslog message queue and the
  • Cisco 7604 | Configuration Guide - Page 582
    the IP address of the interface port] and udp[/port] indicate the protocol and port that should be used, and format emblem enables EMBLEM formatting for messages sent to the syslog server.
  • Cisco 7604 | Configuration Guide - Page 583
    severity level of syslog message 113019 to its default value of 4 (warnings): hostname(config)# no logging message 113019 level 5
  • Cisco 7604 | Configuration Guide - Page 584
    instructing the FWSM to save the current contents of the log buffer to internal flash memory immediately By default, the FWSM can use up to 1 MB of internal flash memory for log data
  • Cisco 7604 | Configuration Guide - Page 585
    For a list of variable fields and their descriptions, see Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System Log Messages.
  • Cisco 7604 | Configuration Guide - Page 586
    You can download Cisco MIBs from the following website: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml After you download the MIBs, compile them for your NMS.
  • Cisco 7604 | Configuration Guide - Page 587
    • entLogicalTable • entPhysicalTable The FWSM sends the following traps: • alarm-asserted • alarm-cleared • config-change • fru-insert • fru-remove • redun-switchover
  • Cisco 7604 | Configuration Guide - Page 588
    .9.9.278.1.1.3.1.11.3.97.97.97.1 = Gauge32: 0
  • Cisco 7604 | Configuration Guide - Page 589
    security-level 100 ip address 50.0.0.2 255.0.0.0 ! interface Vlan60 nameif outside security-level 0 ip address 60.0.0.2 255.0.0.0 ! object port 161 ! hostname(config)# show access-list
  • Cisco 7604 | Configuration Guide - Page 590
    .1.1.3.1.25.3.97.97.97.1 = "" SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.26.3.97.97.97.1 = "" SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.27.3.97.97.97.1 = ""
  • Cisco 7604 | Configuration Guide - Page 591
    community public version 2c udp-port 161 ! FWSM# show ipv6 access-list ipv6 access-list allow_ipv6; 1 elements ipv6 access-list allow_ipv6 line 1 permit tcp any any
  • Cisco 7604 | Configuration Guide - Page 592
    Configuring SNMP Chapter 25 Monitoring the Firewall Services Module Table 25-3 SNMP MIB and Trap Support (continued) MIB and Trap CISCO-IP- configured with more than 112 characters.
  • Cisco 7604 | Configuration Guide - Page 593
    sends the following trap: • session-threshold-exceeded CISCO-SYSLOG-MIB The FWSM sends the following trap: • clogMessageGenerated You cannot browse this MIB.
  • Cisco 7604 | Configuration Guide - Page 594
    following group: • cufwUrlFilterGlobals: This group provides global URL filtering statistics. The FWSM supports browsing of the following tables: • ifTable • ifXTable
  • Cisco 7604 | Configuration Guide - Page 595
    address 50.0.0.2 255.0.0.0 ! interface Vlan60 nameif outside security-level 0 ip address 60.0.0.2 255.0.0.0 ! snmp-server host outside 60.0.0.1 community public version 2c udp-port
  • Cisco 7604 | Configuration Guide - Page 596
    Table 25-3 SNMP MIB and Trap Support (continued) MIB and Trap IP-FORWARD-MIB (Continued entry.
  • Cisco 7604 | Configuration Guide - Page 597
    4E F6 CC For an SNMP request for a specific IP address from the ipNetToPhysicalTable, enter the following: MIB-II supports browsing of the following group and table: • system
  • Cisco 7604 | Configuration Guide - Page 598
    FWSM supports browsing of the following tables: • natAddrBindTable • natAddrPortBindTable The FWSM supports address of the NMS that can connect to the FWSM, enter the following command:
  • Cisco 7604 | Configuration Guide - Page 599
    linkdown • coldstart Traps for entity include: • config-change • fru-insert • fru-remove • redun-switchover • alarm-asserted • alarm-cleared Traps for ipsec include:
  • Cisco 7604 | Configuration Guide - Page 600
    .3.2 hostname(config)# snmp-server location building 42 hostname(config)# snmp-server contact Pat lee hostname(config)# snmp-server community ohwhatakeyisthee
  • Cisco 7604 | Configuration Guide - Page 601
    the Firewall Services Module This chapter describes how to troubleshoot the FWSM, and includes the following sections: • Testing Your Configuration, page 26-1 • Reloading the FWSM, page 26-6 • Performing Password Recovery, page 26-6 • Other Troubleshooting Tools, page 26-7 • Common Problems, page
  • Cisco 7604 | Configuration Guide - Page 602
    Your Configuration Chapter 26 Troubleshooting the Firewall Services Module Step procedure as well as the procedure in the "Pinging Through the FWSM" section on page 26-4. For example:
  • Cisco 7604 | Configuration Guide - Page 603
    seq 512) 209.165.201.2 > 209.165.201.1 If the ping reply does not return to the router, then you might have a switch loop or redundant IP addresses (see Figure 26-3).
  • Cisco 7604 | Configuration Guide - Page 604
    -cmap)# policy-map ICMP-POLICY hostname(config-pmap)# class ICMP-CLASS hostname(config-pmap-c)# inspect icmp hostname(config-pmap-c)# service-policy ICMP-POLICY global
  • Cisco 7604 | Configuration Guide - Page 605
    an inside host, and you do not have a static translation (which is required with NAT control), you see message 106010: deny inbound icmp. Note The engine, enter the following command:
  • Cisco 7604 | Configuration Guide - Page 606
    login and enable passwords, as well as the aaa authentication console and aaa authorization command commands, enter the following command: root@localhost# clear passwd cf:{4 | 5}
  • Cisco 7604 | Configuration Guide - Page 607
    only to troubleshoot specific problems or during troubleshooting sessions with Cisco TAC. Moreover Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
  • Cisco 7604 | Configuration Guide - Page 608
    you enable a capture in Context A for a VLAN that is also used by Context B, both Context A and Context B ingress traffic is captured.
  • Cisco 7604 | Configuration Guide - Page 609
    to interpret the crash dump. See the show crashdump command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
  • Cisco 7604 | Configuration Guide - Page 610
    FWSM according to the "Allowing Telnet Access" section on page 23-1 or the "Allowing SSH Access" section on page 23-2.
  • Cisco 7604 | Configuration Guide - Page 611
    traffic, or enable the ICMP inspection engine, which treats ICMP connections as stateful switch configuration.
  • Cisco 7604 | Configuration Guide - Page 612
  • Cisco 7604 | Configuration Guide - Page 613
    PART 4 Reference
  • Cisco 7604 | Configuration Guide - Page 614
  • Cisco 7604 | Configuration Guide - Page 615
    series routers. The configuration of both series is identical, and the series are referred to generically in this guide as the "switch." The switch includes a switch (the supervisor engine) as well as a router (the MSFC 2). The switch supports Cisco IOS software on both the switch supervisor engine
  • Cisco 7604 | Configuration Guide - Page 616
    does not support the supervisor 1 or 1A. FWSM Features: Route Health PISA Integration Injection Virtual Switching System No No No No No No No No No No No No No No No
  • Cisco 7604 | Configuration Guide - Page 617
    Filtering servers (Websense Enterprise and Sentian by N2H2) Context Mode Single 16 250 16 Multiple 4 per context 250 divided between all contexts 4 per context
  • Cisco 7604 | Configuration Guide - Page 618
    MAC addresses (transparent firewall mode only) 65,536 Hosts allowed to connect 262,144 through the FWSM, concurrent Multiple 65,536 divided between all contexts 262,144 divided between all contexts
  • Cisco 7604 | Configuration Guide - Page 619
    Table A-5 Managed System Resources (continued) Context Mode Specification Single Multiple Inspection engine connections, 10,000 per second 10,000 session.
  • Cisco 7604 | Configuration Guide - Page 620
    the FWSM. Table A-6 Fixed System Resources Context Mode Specification Single Multiple AAA connections, rate 80 per second 80 Mode, page A-7 • Reallocating Rules Between Features, page A-8
  • Cisco 7604 | Configuration Guide - Page 621
    for your system): hostname(config)# show resource rule Default Configured Absolute CLS Rule Limit Limit Max Policy NAT 384 384 833 ACL 14801 14801 14801
  • Cisco 7604 | Configuration Guide - Page 622
    maximum rules as 124923 in single mode (this is an example only, and might differ from the actual number of rules for your system): hostname(config)# show resource rule
  • Cisco 7604 | Configuration Guide - Page 623
    | default | max} acl {max_ace_rules | current | default | max} filter {max_filter_rules | current | default | max} fixup {max_inspect_rules | current | default | max}
  • Cisco 7604 | Configuration Guide - Page 624
    , between 0 and 716. The established command creates two types of rules, control and data. Both of these types are shown in the show np 3 acl count and show default
  • Cisco 7604 | Configuration Guide - Page 625
    (gold, silver, or bronze). Although inside IP addresses can be the same across contexts when the interfaces are unique, keeping them unique is easier to manage.
  • Cisco 7604 | Configuration Guide - Page 626
    FWSM Release (blank means single mode, <system> means you are in multiple mode in the system configuration, and <context> means you are in multiple mode in a context).
  • Cisco 7604 | Configuration Guide - Page 627
    vlan 3 nameif outside security-level 0 ip address 209.165.201.2 255.255.255.224 interface vlan 4 nameif inside security-level 100 ip address 10.1.1.1 255.255.255.0
  • Cisco 7604 | Configuration Guide - Page 628
    passwd tenac10us enable password defen$e route outside 0 0 209.165.201.1 1 nat (inside) 1 10.1.3.0 255.255.255.0 ! This context uses dynamic PAT for inside users that access the outside
  • Cisco 7604 | Configuration Guide - Page 629
    in interface dmz Switch Configuration (Example 1) The following lines in the Cisco IOS switch configuration relate to the FWSM: ... firewall module 8 vlan-group 1
  • Cisco 7604 | Configuration Guide - Page 630
    (figure labels: Server 192.168.2.2, VLAN 4, Department 2 10.1.2.2, VLAN 9, 192.168.1.1, Department 2 Network 2) See the following sections for the configurations for this section:
  • Cisco 7604 | Configuration Guide - Page 631
    policy 1 group 2 isakmp policy 1 hash sha isakmp enable outside crypto ipsec transform-set vpn_client esp-3des esp-sha-hmac
  • Cisco 7604 | Configuration Guide - Page 632
    .2.2 logging enable Switch Configuration (Example 2) The following lines in the switch configuration relate to the FWSM: interface vlan 3 ip address 209.165.201 access.
  • Cisco 7604 | Configuration Guide - Page 633
    FWSM Release (blank means single mode, <system> means you are in multiple mode in the system configuration, and <context> means you are in multiple mode in a context).
  • Cisco 7604 | Configuration Guide - Page 634
    address 10.1.0.1 255.255.255.0 interface vlan 300 nameif shared security-level 50 ip address 10.1.1.1 255.255.255.0 passwd v00d00 enable password interface, it ! requires a static translation to
  • Cisco 7604 | Configuration Guide - Page 635
    address 10.1.2.1 255.255.255.0 interface vlan 300 nameif shared security-level 50 ip address 10.1.1.2 255.255.255.0 passwd cugel enable password from outside and requires a static translation static
  • Cisco 7604 | Configuration Guide - Page 636
    10.1.1.8 logging on Switch Configuration (Example 3) The following lines in the Cisco IOS switch configuration relate to the FWSM: ... firewall module 6 vlan-group 1
  • Cisco 7604 | Configuration Guide - Page 637
    .255.0 ipv6 address 2001:400:3:1::100/64 ipv6 nd suppress-ra interface vlan 101 nameif inside security-level 100 ip address 10.140.10.100 255.255.255.0 ipv6 address 2001:400:1:1::100/64
  • Cisco 7604 | Configuration Guide - Page 638
    to a class that limits its resources (gold, silver, or bronze). Although inside IP addresses can be the same across contexts, keeping them unique is easier to manage.
  • Cisco 7604 | Configuration Guide - Page 639
    <context> means you are in multiple mode in a context). hostname Farscape password passw0rd enable password chr1cht0n interface vlan 4 interface vlan 5 interface vlan 6
  • Cisco 7604 | Configuration Guide - Page 640
    secret1969 enable password h1andl0 interface vlan 150 nameif outside security-level 0 bridge-group 1 interface vlan 4 nameif inside security-level 100 bridge-group 1 interface bvi 1
  • Cisco 7604 | Configuration Guide - Page 641
    passwd tenac10us enable password defen$e interface vlan 152 nameif outside security-level 0 bridge-group 1 interface vlan 6 nameif inside security-level 100
  • Cisco 7604 | Configuration Guide - Page 642
    : • Example 6: Routed Mode Failover, page B-19 • Example 7: Transparent Mode Failover, page B-22 • Example 8: Active/Active Failover with Asymmetric Routing Support, page B-27
  • Cisco 7604 | Configuration Guide - Page 643
    page B-22 • Switch Configuration (Example 6), page B-22 Primary FWSM Configuration (Example 6) The following sections include the configuration for the primary FWSM:
  • Cisco 7604 | Configuration Guide - Page 644
    To change back to the system, enter changeto system. interface vlan 200 nameif outside security-level 0 ip address 209.165.201.2 255.255.255.224 standby 209.165.201.6
  • Cisco 7604 | Configuration Guide - Page 645
    interface vlan 202 nameif inside security-level 100 ip address 10.0.2.1 255.255.255.0 standby 10.0.2.2 passwd secret1978 enable password 7samura1 monitor-interface inside nat (inside) 1
  • Cisco 7604 | Configuration Guide - Page 646
    Each context (A, B, and C) monitors the inside interface and outside interface. The secondary FWSM is also in multiple context mode, and has the same software release.
  • Cisco 7604 | Configuration Guide - Page 647
    contexts using the activation-key command. The mode and the activation key are not stored in the configuration file, even though they do endure reboots. If you view
  • Cisco 7604 | Configuration Guide - Page 648
    100 bridge-group 56 interface bvi 56 ip address 10.0.3.1 255.255.255.0 standby 10.0.3.2 monitor-interface inside monitor-interface outside route outside 0 0 10.0.3.4 1
  • Cisco 7604 | Configuration Guide - Page 649
    ip address inside 10.0.1.1 255.255.255.0 standby 10.0.1.2 monitor-interface inside monitor-interface outside route outside 0 0 10.0.1.4 1 telnet 10.0.1.65 255.255.255.255 inside
  • Cisco 7604 | Configuration Guide - Page 650
    5 15 standby 200 authentication Secret no shutdown interface range gigabitethernet 2/1-3 channel-group 2 mode on switchport trunk encapsulation dot1q no shutdown ...
  • Cisco 7604 | Configuration Guide - Page 651
    (Primary FWSM-Example 8), page B-28 • Context B Configuration (Primary FWSM-Example 8), page B-29 • Context C Configuration (Primary FWSM-Example 8), page B-29
  • Cisco 7604 | Configuration Guide - Page 652
    failover and Stateful Failover VLANs are configured in the system context. hostname cisco-primary enable password farscape password crichton interface vlan 4 interface
  • Cisco 7604 | Configuration Guide - Page 653
    nameif inside security-level 100 ip address 10.0.2.1 255.255.255.0 standby 10.0.2.2 passwd secret1978 enable password 7samura1 monitor-interface inside monitor-interface
  • Cisco 7604 | Configuration Guide - Page 654
    5 15 standby 200 authentication Secret no shutdown interface range gigabitethernet 2/1-3 channel-group 2 mode on switchport trunk encapsulation dot1q no shutdown ...
  • Cisco 7604 | Configuration Guide - Page 655
    context mode determines if the FWSM runs as a single device or as multiple security contexts, which act like virtual devices. Some commands are only available in certain modes.
  • Cisco 7604 | Configuration Guide - Page 656
    are available in this mode. For example, the interface command enters interface configuration mode. The prompt changes to the following: hostname(config-if)# hostname/context(config-if)#
  • Cisco 7604 | Configuration Guide - Page 657
    you supply values. Square brackets enclose an optional element (keyword or argument). A vertical bar indicates a choice within an optional or required set of disable.
  • Cisco 7604 | Configuration Guide - Page 658
    option shows all the output lines starting with the line that matches the regular expression. Replace regexp with any Cisco IOS regular expression. See The regular meaning.
  • Cisco 7604 | Configuration Guide - Page 659
    dollar sign $ Matches the end of the input string. underscore you choose the number of lines to display before the More configuration, the write terminal command does not display it.
  • Cisco 7604 | Configuration Guide - Page 660
    , the FWSM inserts lines for default settings or for the time the configuration was modified. You do not need to enter these automatic entries when you create your text file.
  • Cisco 7604 | Configuration Guide - Page 661
    the system configuration includes system-only commands (such as a list of all contexts), while other typical commands are not present (such as many interface parameters).
  • Cisco 7604 | Configuration Guide - Page 662
    Text Configuration Files Appendix C Using the Command-Line Interface
  • Cisco 7604 | Configuration Guide - Page 663
    Field or Description show crypto accelerator statistics See this MIB for an explanation of the objects. Information and statistics about each crypto accelerator card
  • Cisco 7604 | Configuration Guide - Page 664
    ccaProtPktEncryptsReqs ccaProtPktDecryptsReqs ccaProtHmacCalcReqs CLI Field or Description Crypto accelerator statistics according to security protocols - - - - Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM D-2 OL-20748-01
  • Cisco 7604 | Configuration Guide - Page 665
    cfwConnectionStatCount CLI Field or Description A physical entity asserts an alarm. - The status of the standby unit changes to Not applicable (placeholder only) OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM D-3
  • Cisco 7604 | Configuration Guide - Page 666
    Source IP mask Destination IP address Destination IP mask Protocol (IP/TCP/UDP/ICMP) Source port (low) Source port (high) Destination port (low) Destination port (high) Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM D-4 OL-20748-01
  • Cisco 7604 | Configuration Guide - Page 667
    ACE hit-count show arp - Interfce number for the ARP entry IP address type for the ARP entry IP address for the ARP entry MAC address for the IP address show ipsec stats OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM D-5
  • Cisco 7604 | Configuration Guide - Page 668
    cikePeerActiveTime cikePeerActiveTunnelIndex cikeTunLocalType cikeTunLocalValue CLI Field or Description See this MIB for an explanation of the objects. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM D-6 OL-20748-01
  • Cisco 7604 | Configuration Guide - Page 669
    cipSecGlobalActiveTunnels cipSecGlobalPreviousTunnels cipSecGlobalInOctets CLI Field or Description See this MIB for an explanation of the objects. OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM D-7
  • Cisco 7604 | Configuration Guide - Page 670
    cipSecTunKeyType cipSecTunEncapMode cipSecTunLifeSize cipSecTunLifeTime cipSecTunActiveTime CLI Field or Description See this MIB for an explanation of the objects. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM D-8 OL-20748-01
  • Cisco 7604 | Configuration Guide - Page 671
    cipSecTunHcOutUncompOctets cipSecTunOutUncompOctWraps cipSecTunOutPkts cipSecTunOutDropPkts CLI Field or Description See this MIB for an explanation of the objects. OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM D-9
  • Cisco 7604 | Configuration Guide - Page 672
    cipSecTunHistTotalSas cipSecTunHistInSaDiffHellmanGrp cipSecTunHistInSaEncryptAlgo CLI Field or Description See this MIB for an explanation of the objects. D-10 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01
  • Cisco 7604 | Configuration Guide - Page 673
    cipSecTunHistOutEncryptFails cipSecFailTableSize cikeFailReason cikeFailTime CLI Field or Description See this MIB for an explanation of the objects. OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM D-11
  • Cisco 7604 | Configuration Guide - Page 674
    /Telnet /ASDM/IPSec/MAC Address) Absolute or percentage Always set to zero. Not applicable to FWSM. Configured limit value Current resource Configured rate limit value Current resource usage D-12 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
  • Cisco 7604 | Configuration Guide - Page 675
    MIB Details 1.3.6.1.4.1.9.9.480.1.1.4.1.7 1.3.6.1.4.1.9.9.480.1.1.4.1.8 CISCO-MEMORY-POOL-MIB 1.3.6.1.4.1.9.9.48.1.1 - ) Not applicable (placeholder only) OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM D-13
  • Cisco 7604 | Configuration Guide - Page 676
    .1.2.3.1.5. 1.3.6.1.4.1.9.9.109.1.2.4.1.2. 1.3.6.1.4.1.9.9.109.1.2.4.1.3. CISCO-REMOTE-ACCESSMONITOR-MIB 1.3.6.1.4.1.9.9.392.1.1.1. for an explanation of the objects. D-14 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01
  • Cisco 7604 | Configuration Guide - Page 677
    Description See this MIB for an explanation of the objects. - Origin identification type Origin identification string show perfmon detail OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM D-15
  • Cisco 7604 | Configuration Guide - Page 678
    • cufwUrlfAllowModeReqNumDenied • cufwUrlfResponsesNumLate • cufwUrlfUrlAccRespsNumResDropped cufwUrlServerTable Per URL server statistics D-16 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01
  • Cisco 7604 | Configuration Guide - Page 679
    entPhysicalIsFRU entLogicalTable Index • entLogicalIndex CLI Field or Description - Information about a physical entity - Information about a logical entity - OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM D-17
  • Cisco 7604 | Configuration Guide - Page 680
    description Interface type MTU of the interface Speed of the interface MAC address of the interface Admin status Operational status Last changed time Total queue length D-18 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01
  • Cisco 7604 | Configuration Guide - Page 681
    NatAddressBindTable CLI Field or Description Specific value - - Name of address Interface index Subnet mask Broadcast address Max reassembly packet size show xlate state static detail OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
  • Cisco 7604 | Configuration Guide - Page 682
    portmap detail - ipv4 or ipv6 local_addr local_port TCP/UDP/IP ipv4 or ipv6 global_addr global_port No. of conns using this xlate D-20 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01
  • Cisco 7604 | Configuration Guide - Page 683
    Total Get requests generated Total GetNext requests generated Total Set requests generated Total GetNext responses generated Total traps generated OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM D-21
  • Cisco 7604 | Configuration Guide - Page 684
    show conn protocol tcp - ipv4 or ipv6 local_addr local_port ipv4 or ipv6 foreign_addr foreign_port Placeholder; always one. - show conn protocol udp D-22 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01
  • Cisco 7604 | Configuration Guide - Page 685
    ipv6 local_addr local_port ipv4 or ipv6 foreign_addr foreign_port Always set to one. Not applicable to FWSM. Placeholder; always one. OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM D-23
  • Cisco 7604 | Configuration Guide - Page 686
    Appendix D Mapping MIBs to CLI Commands D-24 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01
  • Cisco 7604 | Configuration Guide - Page 687
    Ports, page E-11 • Local Ports and Protocols, page E-14 • ICMP Types, page E-15 IPv4 Addresses and Subnet Masks This section describes how to use IPv4 addresses with FWSM. An IPv4 address
  • Cisco 7604 | Configuration Guide - Page 688
    mask, you add the number of 1s: /24. In Example 2, the decimal number is 255.255.248.0 and the /bits is /21.
  • Cisco 7604 | Configuration Guide - Page 689
    Appendix E Addresses, Protocols, and Ports IPv4 Addresses and Subnet Masks You can also supernet Size Network Address, page E-4 • Class B-Size Network Address, page E-4
  • Cisco 7604 | Configuration Guide - Page 690
    ... 10.1.240.0 10.1.240.0 to 10.1.255.255 1. The first and last address of a subnet are reserved. In the first subnet example, you cannot use 10.1.0.0 or 10.1.15.255.
  • Cisco 7604 | Configuration Guide - Page 691
    Addresses, Protocols, and Ports IPv6 Addresses IPv6 is the next generation of the Internet Protocol after IPv4. It provides an expanded address space, a simplified header format, improved support
  • Cisco 7604 | Configuration Guide - Page 692
    page E-7 • Link-Local Address, page E-7 • IPv4-Compatible IPv6 Addresses, page E-7 • Unspecified Address, page E-8 • Loopback Address, page E-8 • Interface Identifiers, page E-8
  • Cisco 7604 | Configuration Guide - Page 693
    type is used to represent the addresses of IPv4 nodes as IPv6 addresses. This type of address has the format ::FFFF:y.y.y.y, where y.y.y.y is an IPv4 unicast address.
  • Cisco 7604 | Configuration Guide - Page 694
    . For example, a multicast address with the prefix FF02::/16 is a permanent multicast address with a link scope. Figure E-1 shows the format of the IPv6 multicast address.
  • Cisco 7604 | Configuration Guide - Page 695
    is simply a unicast address that has been assigned to more than one interface, and the interfaces must be configured to recognize the address as an anycast address.
  • Cisco 7604 | Configuration Guide - Page 696
    (unicast) 1111111010 FE80::/10 Site-Local (unicast) 1111111111 FEC0::/10 Global (unicast) All other addresses. Anycast Taken from the unicast address space.
  • Cisco 7604 | Configuration Guide - Page 697
    System (Novell's NetWare). ospf 89 Open Shortest Path ports 1812 and 1813, you can configure FWSM to listen to those ports using the authentication-port and accounting-port commands.
  • Cisco 7604 | Configuration Guide - Page 698
    Server Ident authentication service Internet Message Access Protocol, version 4 Internet Relay Chat protocol Internet Security Association and Key Management Protocol Kerberos
  • Cisco 7604 | Configuration Guide - Page 699
    - Trap Structured Query Language Network Secure Shell Sun Remote Procedure Call System Log Terminal Access Controller Access Control System Plus Talk RFC 854 Telnet
  • Cisco 7604 | Configuration Guide - Page 700
    on destination IP address 224.0.0.5 and 224.0.0.6 Protocol only open on destination IP address 224.0.0.13 - Port only open on destination IP address 224.0.0.9 Configurable.
  • Cisco 7604 | Configuration Guide - Page 701
    time-exceeded parameter-problem timestamp-request timestamp-reply information-request information-reply mask-request mask-reply conversion-error mobile-redirect
  • Cisco 7604 | Configuration Guide - Page 702
    ICMP Types Appendix E Addresses, Protocols, and Ports
  • Cisco 7604 | Configuration Guide - Page 703
    ensure compatibility with IPSec peers that do not support ESP, which provides both authentication and encryption. See also encryption and VPN. Refer to RFC 2402.
  • Cisco 7604 | Configuration Guide - Page 704
    public key, RA. A temporary repository of information accumulated from previous task executions that can be reused, decreasing the time required to perform the tasks.
  • Cisco 7604 | Configuration Guide - Page 705
    standards, peers, and other parameters necessary to specify security policies for VPNs using IKE and IPSec. See also VPN.
  • Cisco 7604 | Configuration Guide - Page 706
    the Movian VPN client, but works with any peer that supports Group 7 (ECC). See also VPN and encryption. digital certificate See certificate. DMZ See interface.
  • Cisco 7604 | Configuration Guide - Page 707
    , ESP provides authentication and encryption services for establishing a secure tunnel over an insecure network. For more information, refer to RFCs 2406 and 1827.
  • Cisco 7604 | Configuration Guide - Page 708
    mode. See inspection engine. A nonvolatile storage device used to store the configuration file when the FWSM is powered down. Fully qualified domain name/IP address.
  • Cisco 7604 | Configuration Guide - Page 709
    an address translation (xlate) or ACE. Hot Standby Routing Protocol. A Cisco-proprietary protocol, HSRP is a routing protocol that provides backup to a router in the event of failure.
  • Cisco 7604 | Configuration Guide - Page 710
    NSAPI. See also NSAPI. The first interface, usually port 1, that connects your internal, "trusted" network protected by the FWSM. See also interface, interface names.
  • Cisco 7604 | Configuration Guide - Page 711
    name, and a range with a starting IP address and an ending address. IP Pools are used by DHCP and VPNs to assign local IP addresses to clients on the inside interface.
  • Cisco 7604 | Configuration Guide - Page 712
    model, which consists of the following 7 layers, in order: physical, data link, network, transport, session, presentation, and application. Logical channel number.
  • Cisco 7604 | Configuration Guide - Page 713
    of operation supported within the GPRS and the GSM mobile wireless networks. For example, a Class A MS supports simultaneous operation of GPRS and GSM services. Microsoft CHAP.
  • Cisco 7604 | Configuration Guide - Page 714
    in Cisco IOS software release 11.2. It is a non-proprietary extension of the existing stub area feature that allows the injection of external routes in a limited fashion into the stub area.
  • Cisco 7604 | Configuration Guide - Page 715
    bandwidth and its rapid convergence after changes in topology. The FWSM supports OSPF. Organizational Unit. An X.500 directory attribute. Refers to traffic whose 2.
  • Cisco 7604 | Configuration Guide - Page 716
    is created when an end-to-end PPP connection is attempted between a dial user and the PNS. The datagrams related to a session are sent over the tunnel between the PAC and PNS.
  • Cisco 7604 | Configuration Guide - Page 717
    standard. See also AAA and TACACS+. Retrieve the running configuration from the FWSM and update the screen. The icon and the button perform the same function. See RA.
  • Cisco 7604 | Configuration Guide - Page 718
    Protocol. Enables the controlled delivery of real-time data, such as audio and video. RTSP is designed to work with established protocols, such as RTP and HTTP.
  • Cisco 7604 | Configuration Guide - Page 719
    call control element (called a call-agent). SGSN Serving GPRS Support Node. The SGSN ensures mobility management, session management and packet relaying functions.
  • Cisco 7604 | Configuration Guide - Page 720
    with SDP for call signaling. SDP specifies the ports for the media stream. Using SIP, the FWSM can support any SIP VoIP gateways and VoIP proxy servers. data traffic. See secondary unit.
  • Cisco 7604 | Configuration Guide - Page 721
    powerful barrier to certain types of computer security threats. Static PAT Static Port Address Translation. Static PAT is a static address that also maps a local port to a global port
  • Cisco 7604 | Configuration Guide - Page 722
    have led to its replacement by SSH. TFTP Trivial requires addressing scheme for accessing hypertext documents and other services using a browser. For example, http://www.cisco.com.
  • Cisco 7604 | Configuration Guide - Page 723
    WAN wide-area network. Data communications network that serves users across a broad geographic area and often uses transmission devices provided by common carriers.
  • Cisco 7604 | Configuration Guide - Page 724
    employee access to the Internet. Websense uses a policy engine and a URL database to control user access to websites address to another, or the mapping of one IP address/port pair to another.
  • Cisco 7604 | Configuration Guide - Page 725
    accounting 17-13 ACEs expanded 13-6 logging 13-25 maximum 13-6 order 13-2 Active/Active failover about 14-13
  • Cisco 7604 | Configuration Guide - Page 726
    routing support 8-30 AUS 24-18 authentication CLI access 23-10 CLI access, system 23-11 FTP 17-3 HTTP 17-2 network access 17-1 overview 11-2 privileged EXEC mode 23-13 Telnet 17-2
  • Cisco 7604 | Configuration Guide - Page 727
    classes, MPF See class map classes, resource See resource management class map inspection 20-10 Layer 3/4 match commands 20-5
  • Cisco 7604 | Configuration Guide - Page 728
    20-3 deny flows, logging 13-27 device ID, including in messages 25-16 DHCP Cisco IP Phones 8-38 configuring 8-35 relay 8-39 server 8-38 transparent firewall 13-7
  • Cisco 7604 | Configuration Guide - Page 729
    (ICMP message) E-15 editing command lines C-3 EIGRP 13-7 configuring 8-23 DUAL algorithm 8-23 hello module placement inter-chassis 14-4 intra-chassis 14-3 PISA 21-6 requirements
  • Cisco 7604 | Configuration Guide - Page 730
    guidelines 5-9 H.323 inspection configuring 22-51 limitations 22-49 overview 22-48 troubleshooting 22-54 half-closed connection limits 21-3 help, command line C-4
  • Cisco 7604 | Configuration Guide - Page 731
    address detection 10-4 enabled commands 10-1 neighbor discovery 10-6 router advertisement messages 10-8 static neighbor 10-10 verifying configuration 10-10 viewing routes 10-11 IPX 2-6
  • Cisco 7604 | Configuration Guide - Page 732
    -2 K Kerberos configuring 11-9 support 11-6 L Layer 2 firewall See transparent firewall Layer 2 forwarding table See MAC address table Layer configuring 25-15 login banner 7-5 command 23-13
  • Cisco 7604 | Configuration Guide - Page 733
    OSPF 8-20 resource management 4-36 SNMP 25-20 more prompt disabling 23-1 overview C-5 MPF about 20-1 default policy 20-3 features 20-1 flows 20-18 matching multiple policy maps 20-18
  • Cisco 7604 | Configuration Guide - Page 734
    xlate bypass configuring 16-19 overview 16-13 network processors 1-8 networks, overlapping 16-38 NPs 1-8 NTLM support 11-5 NT server configuring 11-9 support 11-5 O object groups
  • Cisco 7604 | Configuration Guide - Page 735
    map inspection 20-7 Layer 3/4 about 20-15 adding 20-18 default policy 20-18 flows 20-18 policy NAT about 16-10 See NAT pools, addresses DHCP 8-36
  • Cisco 7604 | Configuration Guide - Page 736
    a class 4-30 class 4-24 configuring 4-21 default class 4-23 monitoring 4-36 oversubscribing 4-22 overview 4-22 resource types 4-26 unlimited 4-22 resource usage 4-39
  • Cisco 7604 | Configuration Guide - Page 737
    31 classifier 4-3 command authorization 23-15 configuration URL, changing 4-33 URL, setting 4-29 logging 25-2 logging in 4-9 managing 4-32 mapped interface name 4-28
  • Cisco 7604 | Configuration Guide - Page 738
    mode backing up configuration 4-10 configuration 4-11 enabling 4-10 restoring 4-11 SIP inspection instant messaging 22-77 overview 22-77 timeout values, configuring 22-82 troubleshooting
  • Cisco 7604 | Configuration Guide - Page 739
    class 25-13 creating a message list 25-12 multiple context mode 25-2 severity levels 25-20 timestamp, including 25-15 variables used in 25-19 system requirements A-1
  • Cisco 7604 | Configuration Guide - Page 740
    messages 26-7 H.323 22-54 H.323 RAS 22-55 password recovery 26-6 SIP 22-86 trustpoint 12-3 tunnels basic settings, configuring 23-5 site-to-site, configuring 23-8
  • Cisco 7604 | Configuration Guide - Page 741
    access 23-4 site-to-site tunnel 23-8 transforms 23-5 VRRP 5-8 W WAN ports A-1 web clients, secure authentication 17-6 X xlate bypass configuring 16-19 overview 16-13
  • Cisco 7604 | Configuration Guide - Page 742
    Index

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI
Release 4.1
Customer Order Number: N/A, Online only
Text Part Number: OL-20748-01