How Do I Verify ACL Resource Limits

This section gives the command to check the ACL resource limit on the FWSM, so that you can verify current usage and plan the application of new rules. The details on resource management are covered in Chapter 5, "Understanding Contexts." Example 21-3 uses the show command to see ACL statistics.

Example 21-3 show Command to See the ACL Statistics

Using Adaptive Security Device Manager

Adaptive Security Device Manager (ASDM) is a web-based management tool that is very easy to use, intuitive, and, best of all, free. With ASDM, you can configure, monitor, and troubleshoot, all using a graphical user interface (GUI). ASDM is a tremendously valuable tool for managing and monitoring an individual FWSM. ASDM provides a secure connection using Hypertext Transfer Protocol Secure (HTTPS) and allows for management via the outside interface. Multiple contexts can be managed from a...

Assigning Interfaces

For the FWSM to communicate with other devices on the network, a connection must be made from the logical interfaces of the FWSM to VLANs assigned to the host chassis. Referring to Figure 6-3, notice that the FWSM is logically connected to VLANs. This is accomplished through the following process.

Step 1: Determine in which slot the FWSM is installed with the show module command:

Mod Ports Card Type Model Serial No.

The output of the show module command shows that...

Configuring FWSM in the Switch

The configuration of the switch for the FWSM is important because it builds the VLANs that are added between the switch and FWSM. These VLANs will be trunked between the switch and FWSM. Follow these steps in the first configuration.

Step 1: Verify which module has the FWSM. This is shown in the output of the show module command, as demonstrated next:

Mod Ports Card Type                      Model            Serial No.
1   2     Supervisor Engine 720 (Active)  WS-SUP720-BASE   SAD081502C1
2   48    48-port 10/100 mb RJ45          WS-X6148-RJ45V...

Network Address Translation Port Address Translation

Network Address Translation (NAT) is the function of changing the source address and/or the destination address of an IP packet. NAT must also be performed in both directions. For example, if a connection is attempted from a client to a host and the client's IP address has been modified or translated, the host returns traffic to the translated address. When a connection is attempted from the client to the host, as shown in Figure 4-1, the following NAT function occurs:

Step 1: The client with the...

Layer 3 Vpn Vrf Terminations at FWSM

The FWSM does not have any knowledge of the Layer 3 VPNs. The Layer 3 VPN services can be terminated at the Layer 3 next-hop router connected to the FWSM. The FWSM interfaces can be configured to map to different Layer 3 VPNs (Virtual Route Forwarding, or VRF) by associating the interface with the next-hop Layer 3 device, where the VRF tag is removed. The removal of the VRF tag means the FWSM receives regular IP packets. The Layer 3 VPN technology referenced is MPLS Layer 3 VPN or multi-VRF...

Cisco Secure Firewall Services Module FWSM

Ray Blair, CCIE No. 7050
Arvind Durai, CCIE No. 7016

Cisco Secure Firewall Services Module (FWSM)

Copyright 2009 Cisco Systems, Inc.
Published by Cisco Press, 800 East 96th Street, Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of...

Examining Syslog

System log, or syslog, is a means by which event information can be collected. This information can be used for troubleshooting or stored for auditing, network analysis, and so on. Unfortunately, syslog messages are sent unencrypted and may provide valuable information to an unscrupulous individual, so use caution when sending these messages. It is especially important to send syslog messages out a secure interface. Although the FWSM allows you to send messages out the outside...

Understanding Cut Through Proxy in FWSM

In cut-through proxy, the firewall requires the user to authenticate before passing any traffic through the FWSM. Figure 10-1 shows how the cut-through proxy works. The high-level steps that describe cut-through proxy are as follows:

Step 1: A user from the outside security domain tries to access a web server in a more secured domain.

Step 2: The FWSM prompts the user for authentication.

Step 3: After the FWSM receives the information from the user, it passes this information to the access control server...

Dynamic Learning of Routes with FWSM

Placement of the FWSM is very important in the design. The routing information from one security domain to the other can determine the resiliency of the design. Following are some of the methods that can be used to learn the routes between security domains.

Method 1: Static routes

The traditional method is to use static routes. The Layer 3 device at the inside security domain has a default route that points to the inside interface of the FWSM. (In case of a failover scenario, the static route...

Examining Modes of Operation

The Firewall Services Module (FWSM) has the capability to function in two modes: transparent and routed. With the introduction of version 3.1, mixed-mode operation is also supported. This allows both transparent and routed contexts to operate simultaneously on the same FWSM. The transparent mode feature on the FWSM configures the firewall to act in a Layer 2 mode, meaning that it will bridge between networks. Transparent mode helps provide a seamless transition when adding...

Border Gateway Protocol

Border Gateway Protocol (BGP) is a connection-oriented routing protocol. It uses TCP port 179. The connection is maintained by periodic keepalives. With BGP, the metrics and attributes give granularity in path selection. BGP within the same autonomous system is called internal BGP (iBGP). All iBGP neighbors should have full-mesh connectivity. In large BGP configurations, route reflectors and confederations help to build the hierarchy of connections for iBGP peers. External BGP...

Working with the show Command for IPv6 in FWSM

To view the IPv6 routes, enter the show ipv6 route command as shown in Example 19-5. To view the IPv6 interfaces, enter the show ipv6 interface command as shown in Example 19-6.

Example 19-6 Displaying IPv6 Interfaces

IPv6 is enabled, link-local address is fe80::211:bbff:fe87:dd80
  Global unicast address(es):
    3ffe:500:10:1::2, subnet is 3ffe:500:10:1::/64
  Joined group address(es):
    ff02::1
    ff02::2
    ff02::1:ff00:2
    ff02::1:ff87:dd80
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are...

OSPF Design Example

As shown in Figure 9-3, in this example the same OSPF process routes between the DMZ and the inside security domains. The FWSM is in single context routed mode. The configuration does not have MD5 enabled. It is a good practice to enable MD5 authentication. Example 9-2 shows the FWSM configuration.

Figure 9-3 OSPF Single Process Between Two Security Zones (figure labels: Router 1 (R1), Outside Router (MSFC))

The FWSM has a default route that points to the R1 router. VLANs 92 and 91 are configured in the OSPF...

Asymmetric Routing Support in Active Active Mode

In Active/Active mode, the two FWSM units in the failover pair are both active. This is achieved using multiple context mode. The active firewalls for the respective contexts are distributed between the two FWSM units in failover mode. Consider a scenario where a packet flows through a single security rule set. When two desired paths are needed, a redundant path can be designed using Active/Active redundancy and the ASR feature in the FWSM. The same rule set is applied in both contexts. ASR...

Type 3 Configuring Multiple Context Mixed Mode

The multiple context configuration shown in this section is in mixed mode: one of the contexts is in transparent mode, and the other is in routed mode. The configuration for multiple context mode is divided into four steps. Figure 7-4 shows the mixed mode configuration.

Figure 7-4 Mixed Mode Configuration of FWSM (figure labels: Router 1, Outside Router for Context A; Router 2, Outside Router for Context B; Context A in routed mode, Outside VLAN 20 and Inside VLAN 21)

Router 1 - Outside Router...

Overview of the Firewall Services Module

The Firewall Services Module (FWSM) is a very sophisticated combination of hardware and software. The better your understanding of its attributes and architecture, the better your ability to design, deploy, manage, and troubleshoot a security infrastructure. The FWSM is a single line-card module that can be installed in either a 6500 series switch or a 7600 series router (one to four modules are supported in a single 6500 or 7600 chassis, assuming slots are available). Dynamic routing is also...

Single Box Solution with OSPF

In Figure 23-5, the Layer 3 device for the outside security domain, the FWSM, and the Layer 3 device for the inside security domain are all configured in a single chassis with the FWSM module. The concept of virtualization with Layer 3 VPNs is integrated as a solution with the FWSM. The following example with configuration will help you understand Method 4.

Figure 23-5 Method 4 for Route Learning Across Security Domains with OSPF...

Using Secure Shell

To achieve data integrity and confidentiality while managing or monitoring the FWSM from a command-line application, Secure Shell version 2 (SSHv2) is the method of choice. SSH also allows connections to be established to the outside interface. Use caution when enabling SSH support on the outside interface. If this is done, minimize the impact of a Denial-of-Service (DoS) attack by specifying the individual IP addresses used for management.

NOTE Because of the vulnerabilities associated with SSHv1,...

Configuring the CSM

A CSM can be configured in three ways:

CSM in Routed mode: The client traffic entering the Catalyst 6500 through the MSFC passes through the CSM. Based on the interesting traffic list defined, the CSM makes a load-balancing decision. The traffic is then forwarded to the server farm based on this decision. The forwarding is done via routing. The client and server VLANs will be in different subnets.

CSM in Transparent mode: In this mode, the CSM is similar to a bridge. The transparent mode in CSM...

Reallocating Rules

Within each one of the memory partitions is a subset of resources allocated to rules. These resources can also be divided according to the specific needs of each partition. Figure 24-5 shows how rules can be assigned within each of the memory partitions. To view the resources allocated to a specific partition, use the show resource rule partition number command, as shown in Example 24-1.

Example 24-1 Displaying Partition Resource Allocation

FWSM# show resource rule partition 0

To view the...

Firewall Load Balancing with Policy Based Routing

Traditional routing forwards a packet based on the destination IP address in the routing table. With policy-based routing (PBR), packets can be forwarded based on the source IP address. This provides the flexibility to forward packets to a next-hop destination chosen by source IP address, and this concept is used in firewall load balancing. The next section shows the use of PBR in firewall load balancing. In Figure 18-1, the throughput of the FWSM is doubled from 5.1 Gbps to 10.2 Gbps for...

Failover Configuration in Mixed Mode

Figure 23-3 illustrates the firewall configuration for multiple context mode. One of the contexts is in routed mode and the other is in transparent mode. VLANs defined in the FWSM are allowed on the trunk interface between the primary and secondary switches. The concept of Layer 3 VPN termination covered in the previous section is used to terminate security zones on the Layer 3 device. Instead of using shared interfaces, the global routing table is leaked into the outside VRF. Each security...

Working with URLs and FTP

The third-party applications that are supported today are Websense Enterprise and Secure Computing SmartFilter (previously N2H2, which was acquired by Secure Computing in October, 2003). Deploying either of these off-box solutions requires a server running the application software. These applications help to enforce Internet access policies by categorizing Internet sites and providing the capability to permit or deny access to these locations. Access can be controlled for the entire...

What Is Network Analysis Module

Network Analysis Module (NAM) is a troubleshooting tool for understanding the traffic flow in a VLAN. The flow of packets through VLANs and the VLAN interfaces in the FWSM is captured and analyzed using this tool. Follow these steps to set up a NAM to monitor the flow through a VLAN:

Step 1: Configure the switch port or trunk to send statistical data to the NAM. This can be done using Switched Port Analyzer (SPAN), VLAN Access Control Lists (VACL), and NetFlow.

Step 2: In the NAM, you can configure...

Configuring Regular Expressions

If you have had an opportunity to work with Border Gateway Protocol (BGP), you may have been introduced to regular expressions. Regular expressions provide a way to match a group of characters using either an exact string match or by meta-characters that allow you to define a range, a character set, and so on. This feature can be used to match URL strings when inspecting HTTP traffic and perform an action based on a match, or perform an action on the traffic that does not match the regular...

Increasing Performance by Leveraging the Supervisor

One of the most significant features released with the 4.x code train is the capability to offload flows to the supervisor, called Trusted Flow Acceleration. This capability dramatically increases the throughput of predefined types of traffic and requires a minimum code of 12.2(33)SXI on the supervisor. Prior to Trusted Flow Acceleration, all traffic was required to flow through the FWSM (refer to Chapter 2, "Overview of the Firewall Services Module," for details). With the addition of...

Configuring ASR in FWSM

Cisco Cat6k

The command to enable the ASR feature, introduced in the 3.1 code release for the FWSM, is asr-group number. This command-line interface (CLI) command is attached to the interface configuration, for example:

interface vlan 9
 nameif outside
 security-level 0
 ip address 11.1.1.10 255.255.255.0 standby 11.1.1.11
 asr-group 1

Example 17-1 represents the FWSM in multiple context routed mode. ASR groups are configured to allow the FWSM to pass the traffic. The spanning tree root for a VLAN is represented by...

Configuring Multiple Context FWSM Failover

This section goes through configuring the FWSM in Active/Active mode for multiple context mode. The two FWSMs are present in two different chassis. The spanning tree root of the VLAN representing the active firewall context should be in the same switch. The HSRP VIP for the VLAN should also be in the same switch. If the HSRP primary and the Spanning Tree Protocol (STP) root follow the placement of the primary context, this reduces the traffic that passes between the two chassis. In this way,...

Configuration Methods

FWSM Configuration Example

This section covers the common configuration methods to pass multicast traffic through the FWSM. The following are three common ways of configuring multicast through the firewall:

Multicast through the firewall in single context routed mode

Multicast through the firewall via GRE

Multicast through the transparent firewall in multiple context mode

Method 1: Configuration Example for Multicast Through Firewall in Single Context Routed Mode

To understand method 1, refer to Figure 16-1, which illustrates a configuration example of...

Memory Partitions

The FWSM has a pool of resources (memory) from which to allocate ACL memory to partitions. In multicontext mode, there are 12 memory partitions and two trees used exclusively for security policy rules: Uniform Resource Locator (URL) filtering statements, configured inspections, established rules, authentication, authorization, and accounting (AAA) authentication policies, remote access to the FWSM (SSH, Telnet, HTTP), Internet Control Message Protocol (ICMP) to the FWSM (configured using the ICMP...

Configuring Single Context FWSM Failover

The spanning tree root and Hot Standby Router Protocol (HSRP) primary should be in the same switch as the active FWSM. In single context mode, the failover mode is Active/Standby, where one of the physical firewalls is the primary FWSM and the peer firewall is the secondary FWSM. The traffic passes through the primary FWSM when no failure takes place, and in case of failover, the traffic passes through the secondary FWSM. In the network in Figure 12-4, the static route from the...

Using the PISA for Enhanced Traffic Detection

PISA is a hardware subsystem of the Supervisor 32. The PISA has the capability to detect and classify protocols, and consequently the decision on the FWSM to forward or deny traffic can be applied by application type. The PISA uses Network-Based Application Recognition (NBAR) and Flexible Packet Matching (FPM) to classify traffic. Both NBAR and FPM use a process of deep packet inspection to determine traffic types. This looks beyond Layer 4 ports and into the data portion of the packet; therefore,...