ACE Design for Firewall Load Balancing

The dual ACE solution will be able to provide a 10 Gbps throughput for firewall load balancing, and the multiple FWSMs have to match this throughput. Figure 18-4 shows a high-level design of firewall load balancing using ACE (figure panels: Single Context Dual ACE Solution; Single ACE Multiple Context Solution; Trunk EtherChannel (FWSM CSM); State and Failover VLANs). VLAN 11 and VLAN 12 In this case, VLAN 13 is the client side...

Adding and Removing Contexts

The first step in adding contexts is to configure the FWSM for multiple-context mode using the following command WARNING This command will change the behavior of the device WARNING This command will initiate a Reboot Proceed with change mode confirm If you have a configuration worth saving, be sure to create a backup. The number of security contexts is based on the license key. To verify the number of supported contexts on the FWSM, use the following command Look for the line that indicates the...

Additional Support for Simple Network Management Protocol Management Information Base

Simple Network Management Protocol (SNMP) is used to get specific information from a device or to send it information for the purposes of configuration changes. Because the FWSM is a security device, you cannot send it information, but you can gather information for keeping track of interface statistics, packet counts, and so on. There have been two additions to the Management Information Base (MIB): ACL entries and hit counters located under CISCO-IP-PROTOCOL-FILTER-MIB Address Resolution...

Assessing Issues Logically

It is important for the troubleshooter to understand the issue and picture the logical design where the FWSM is a part. Follow these steps to identify and understand the problem Step 1 Define the problem It is very important to get the definition from the technical side and user impact. (b) Identify one stream with source and destination. (c) Verify whether all the packets are flowing through the FWSM, whether any one particular flow is impacted, or whether a few applications are impacted. (d)...

Asymmetric Routing

This chapter provides an overview of asymmetric routing prevalent in the enterprise network. You will learn how the placement of a firewall in a network breaks an asymmetric flow. This chapter also includes designs for symmetric routing with firewalls and covers the FWSM feature that supports asymmetric routing. In asymmetric routing, the packet traverses from a source to a destination in one path and takes a different path when it returns to the source. Asymmetric routing is not a problem by...

Asymmetric Routing Support in Active Standby Mode

For the network topology shown in Figure 17-5, the configuration for the outside interface of security context A and security context B will have ASR group 1 (it will belong in the same ASR group) enabled. The packet arrives at the outside interface of context B. Because the ASR group is the same for the two outside interfaces of contexts A and B, the packet will get redirected to context A's outside interface from context B's outside interface. The packet then flows through context A to reach...

Configuring EIGRP

EIGRP has been a long-awaited feature for the Firewall Services Module (FWSM). With EIGRP support, the FWSM can be integrated into an existing EIGRP network, minimizing the need to redistribute routing information into other routing protocols. This reduces the complexity of managing multiple routing processes and simplifies the network design, especially within the datacenter. Redistribution of routes between routing protocols can be difficult because each routing protocol exercises different...

Configuring IPv6 Timers in FWSM

Table 19-2 describes the various timers that can be configured in IPv6 while configuring FWSM. Table 19-2 The Features and Syntax for IPv6 Support in FWSM Neighbor solicitation message interval This is to configure the time interval between IPv6 neighbor solicitation messages. The value argument ranges from 1000 to 3,600,000 milliseconds. The default value is 1000 milliseconds. This command is used when an interface is configured to...

Configuring PVLAN

The FWSM should have a 3.x code version or the preceding code, and the switch should have 12.2.18 SXFx version or the preceding code. Figure 23-10 shows the configuration of FWSM with PVLANs. Figure 23-10 Configuration of FWSM with PVLANs (figure labels: Isolated VLAN 12, Community VLAN 13). VLAN 10 is the outside interface of the FWSM. VLAN 11 is the inside VLAN for the FWSM. It is also the...

Configuring Route Health Injection

The FWSM has limited support for dynamic routing protocols when using multiple-context mode. Route Health Injection (RHI) has the capability of propagating routing information from individual contexts in routed-mode, including static routes, connected networks, and Network Address Translation (NAT) pools into the routing-engine on the host-chassis. Because RHI has such a tight integration with the routing-engine, the minimum image needed on the Supervisor 720 and or Supervisor 32 is...

Configuring the PFC

Follow the steps to configure Layer 3 segregation with multiple security domains on a single PFC. This configuration represents the PFC in Figure 23-2 Step 1 Defining a VRF for each security domain route-target export 1 110 route-target import 1 110 ip vrf out rd 1 1 route-target export 1 101 route-target import 1 101 Step 2 VLAN configuration on the switch 6504-E-1 show run interface vlan 10 Building configuration Current configuration 82 bytes interface Vlan10 ip vrf forwarding out ip address...

Connectivity Test of a Flow at the FWSM

Follow the next steps to troubleshoot the basic connectivity to the FWSM Step 1 Make sure the ping is successful from the inside next hop of the FWSM to the inside interface, and follow the same from other security zones. Step 2 Make sure from the FWSM that you are able to ping all the next hop addresses of the physical interfaces on the FWSM and of the static routes. Step 3 Based on the security policy, ping from the next hop of the inside interface to the next hop of the outside interface in...

Controlling Physical Access

Anyone with physical access to the equipment has the ability to quickly perform a Denial of Service (DoS) attack by turning off the power, moving cables, removing line cards, and so on. It is critical to restrict access to individuals who cannot be trusted to behave appropriately. Equipment can be protected inside locked cabinets, equipment rooms with controlled access by using badge readers or keys, and securing physical cabling within conduit. Other mechanisms that may deter inappropriate...

Creating Redundancy in the FWSM

The two types of modes for redundancy in FWSM are as follows The sections that follow cover the two modes in detail. The firewall has an active unit and a nonactive unit. The active unit is called a primary firewall and the nonactive unit is called a secondary firewall. These two FWSM modules are symmetric to each other. All the traffic passes through the primary module and does not pass through the secondary module. The two symmetric modules can be in the same chassis or in a redundant...

Documenting the Process

Documenting the process is one of the most important aspects of creating a network design because it provides a record of the requirements, the scope of the project, and so on. This document should be very clearly written to avoid ambiguity and will provide a foundation for the entire plan. The project documentation should contain information such as the following What is the end goal A general mission project statement needs to define what you are attempting to accomplish. This could be...

Dynamic NAT

With dynamic NAT, a pool of IP addresses is created using the global command. The FWSM then allocates these addresses to devices allowed to use the address pool. The benefit of using a pool is that real IP addresses will be translated to global IP addresses on a one-to-one basis. This provides the capability to support applications that require an individual IP address assignment and also allows for oversubscription of the pool. When a device with a real IP address initiates a connection, the...

Employing Additional Security Features

Autosecure is a good tool to set a baseline for securing the host-chassis. It will disable nonessential system services and enable some limited security best practices. NOTE Be sure to review the configuration changes that Autosecure makes and augment it with other practices outlined in this chapter. The Cisco AutoSecure White Paper can be found at the following location www.cisco.com Service password encryption will encrypt most...

Exploring Routed Mode

In routed mode, the FWSM acts like a Layer 3 device, and all the interfaces in the FWSM need to have an Internet Protocol (IP) address. The interfaces can be in any security zone inside, outside, or demilitarized zone (DMZ). The firewall configuration is in routed mode and needs IP addresses and IP routing enabled on the interfaces. The routed mode can be in single context or multiple context mode. Figure 7-1 illustrates the high-level details of each mode. Figure 7-1 High-Level Topology View...

Exploring Transparent Mode

The firewall is not seen as a Layer 3 hop. The FWSM has a Layer 2 adjacency with the next hop devices. The firewall can be referred to as a bump in the wire. The transparent firewall also facilitates the flow of IP and non-IP traffic. To place the firewall between two Layer 3 devices, no IP readdressing is required. It is also easy to establish routing protocol adjacencies through a transparent firewall. Likewise, protocols such as Hot Standby Routing Protocol (HSRP) or Virtual Router...

FWSM Configuration

The configuration in Example 23-5 represents the FWSM in multiple context mode. Refer to Figure 23-4. Example 23-5 Configuration of the System Context FWSM Version 3.1(3)6 < system> resource acl-partition 12 hostname FWSMB enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted class default limit-resource Mac-addresses 65535 limit-resource ASDM 5 limit-resource SSH 5 limit-resource Telnet 5 limit-resource All...

How Do You Verify Whether the Traffic Is Forwarded to a Particular Interface in the FWSM

To verify whether the traffic is forwarded to a particular interface in the FWSM, use the show access-list command, as shown in Example 21-1. Example 21-1 show access-list Output Verifies Traffic Forwarding Information Notice the hit count for the access list. If the packet hit count is not increasing, verify the access list entry or use the capture command to note whether the packet is seen in the FWSM. The capture command is very useful for troubleshooting connectivity related issues. Using...

Info

Packet-inspection firewalls are generally much faster than application firewalls because they are not required to host client applications. Most of the packet-inspection firewalls today also offer very good application or deep-packet inspection. This process allows the firewall to dig into the data portion of the packet and match on protocol compliance, scan for viruses, and so on and still operate very quickly. A feature that is common among all...

Inspecting File Transfer Protocol

File Transfer Protocol (FTP) is a communication mechanism used to transfer data from one device to another using a command and control connection for the communication-specific commands and a data connection for the exchange of bulk information. FTP operates in active and passive modes. Using active mode, the client establishes a TCP connection to the host on port 21 (command and control), and the host connects to the client on a negotiated destination TCP port (data) sourcing from TCP port 20....

Introducing Types of Access Lists

This section covers the three major types of access lists. Each type of access list plays an important role in enabling the functionality of specific features in the FWSM. The three main types of access lists are as follows: Standard access list Standard access lists are used in commands to identify the destination IP addresses only. This is normally used in Open Shortest Path First (OSPF) protocol redistribution in FWSM. hostname(config) access-list access_list_name standard deny | permit any |...

Method 1 Layer 3 VPN Segregation with Layer 3 FWSM Multiple Context Mode

The design has three logical blocks These logical blocks are explained as follows Penultimate Hop Router This router removes the MPLS labels, in case MPLS Layer 3 VPNs are used for traffic segregation. This router maps VRF based on VLANs and communicates with the perimeter router. The traffic of each VRF will flow through the VLANs in the individual trunk. Mapping the untagged traffic to each VLAN will be sufficient to achieve the segregation between the penultimate hop router and perimeter...

Monitoring Analysis and Response System

The Monitoring Analysis and Response System (MARS) is an appliance-based threat-mitigation solution that provides the primary functions of rapid threat identification and mitigation, data correlation, and offers topology awareness. MARS has the capability to rapidly identify events through a receive process (push) and or it can gather information (pulls) from firewalls, such as the FWSM, IDS devices, switches, routers, and so on. The collection of Netflow and traffic analysis information also...

Multicast Stub Configuration

Multicast stub configuration does not participate in the PIM neighbor relationship; the device just passes the IGMP messages. In a Layer 3 network world, this type of stub configuration is common in routers connecting to satellite links. In this case, the IGMP messages pass through the satellite unidirectional link using an IGMP helper address configuration or an IGMP unidirectional link configuration in the IOS. The FWSM can also be configured in stub mode. In stub configuration, the FWSM will...

Multiple Bridge Groups

An efficient way to leverage the FWSM is through the use of multiple bridge groups. Bridge groups are Layer 2 firewall instances within a context. A maximum of eight bridge groups are supported on the FWSM in single context mode. Each bridge group is unique, having an individual inside and outside bridged connection. Figure 3-6 illustrates multiple bridge groups (figure labels: Outside VLAN, Inside VLAN for each bridge group)...

NAT Bypass

There may be situations where NAT may be desirable for some hosts or applications and others where it is not, especially if NAT control has been enabled. There are three mechanisms to bypass the NAT function: NAT 0 or identity NAT, static identity NAT, and NAT exemptions. NAT 0 allows for an individual or range of real IP addresses to be translated to a lower-level interface without translating the IP address. Sound strange? This provides the capability to pass the NAT-control requirement but not...

Open Shortest Path First

This section gives a basic snapshot of the Open Shortest Path First (OSPF) Protocol and configuring the OSPF Protocol on the FWSM. OSPF is a link state routing protocol developed by the Internet Engineering Task Force (IETF). OSPF can operate within a hierarchy. An autonomous system (AS) is the largest entity within the hierarchy, which is a collection of networks under a common administration that share a common routing strategy. OSPF is an IGP routing protocol and uses the Dijkstra...

Option 1 Symmetric Routing Through Firewalls

Make sure the routing flows through the desired symmetric architecture as shown in Figure 17-3. Figure 17-3 Symmetric Routing Through Firewalls Without Redundancy Based on the policy, the packet leaves the security domain. When the packet traverses back, the state is maintained in the FWSM and uses the same path to traverse back to a more secured security domain. In this example, the packet traverses through the Cat6k-1 and the...

Option 2 Firewall Redundancy and Routing Redundancy Symmetry

Figure 17-4 shows the failover capability of the firewall and the routing decision to follow the failover state of the firewall. This design has redundancy for the FWSM and Layer 3 portion of the network in each security domain. This is achieved by using the Layer 3 devices to point to the virtual IP address (VIP) of the active interface for a particular security domain. The FWSM points to the VIP address of the Hot Standby Router Protocol (HSRP) for the respective VLANs. In this case, the FWSM...

OSPF Design Example

As shown in Figure 9-4, in this example, the same OSPF process routes between the DMZ and the inside security domains. A separate OSPF process is used to route packets to the outside security domain. This example provides redistribution between the OSPF processes. The FWSM is in a single context routed mode. Note that only two OSPF processes can be configured in a single context routed mode. The configuration does not have MD5 enabled. It is a good practice to enable MD5 authentication. Example...

OUT2IN Policy Configuration

The OUT2IN policy configuration references the outside security domain. The incoming VLAN for packets has the PBR configured as shown Step 1 Policy routing OUT2IN configuration. route-map LB permit 10 match ip address 1 set ip next-hop 10.1.1.2 This will be a virtual IP address of the FWSM, if redundancy is built route-map LB permit 20 match ip address 2 set ip next-hop 10.1.1.3 This will be a virtual IP address of the FWSM, if...

Packet Classifier in FWSM Context Mode

One of the modes in which FWSM can be deployed is the shared outside interface mode. The outside interface is shared between multiple contexts. This translates to one interface for all the contexts in the outside security zone. The packet destined to the outside interface must traverse to a specific context, which has the state information built into it. The traffic is not allowed to traverse the FWSM context if no state information exists. This is for the packets flowing from the lower...

RIP in FWSM

FWSM does not have a full implementation of RIP. It does not send the RIP updates to the directly connected interfaces. FWSM uses RIP in two modes: Passive RIP FWSM listens to the RIP update from the neighbor but does not send the RIP updates. This helps the FWSM to learn about networks that are not directly connected to it in a particular security domain. Default Route Updates The FWSM sends a default route to the Layer 3 neighbors, which identifies the FWSM as the default route for the Layer 3...

Routing Information Protocol

Routing Information Protocol (RIP) is a distance vector protocol. This protocol uses a hop count to determine the best path to the destination. RIP uses UDP over port 512 and is used primarily in small networks. RIP has two versions: RIPv1 and RIPv2. Version 2 supports variable-length subnet masking (VLSM) and summarization. Some of the other important terminologies in RIP are the following: Split Horizon This mechanism is used to prevent loops. The router will not advertise networks through an...

Securing Access

To use Telnet in a secure manner, or other management tools from a location outside the FWSM, an encrypted tunnel can be established from a client running the Cisco Virtual Private Network (VPN) client software or to the VPN termination device, such as an Adaptive Security Appliance (ASA), Private Internet Exchange (PIX), Internetwork Operating System (IOS) router, or VPN concentrator. The connection provides encryption and authentication using Internet Protocol Security (IPsec). The FWSM...

Supporting Virtualized Networks

Many organizations have realized the benefits of traffic separation or network virtualization through the use of multiprotocol label switching (MPLS), multiple virtual routing and forwarding (multi-VRF), multitopology routing (MTR), virtual private LAN services (VPLS), and so on. These technologies leverage a single physical infrastructure while providing a logical mechanism for traffic separation. Rather than installing a unique physical firewall per virtual network, you can configure the FWSM...

Traffic Flow

Access lists (EtherType and extended) and authentication, authorization, and accounting (AAA) control what traffic is initially allowed to flow through the FWSM. Network Address Translation (NAT) translates IP addresses, and application layer protocol inspection inspects the traffic. Consider the topology shown in Figure 3-4. Figure 3-4 Transparent Mode Example 1 Example 3-1 shows the (nondefault) simple configuration for the FWSM. Example 3-1 ACL Example from Inside to Outside Using Transparent...

Type 2 Configuring Single Context Transparent Mode

In the transparent mode, the FWSM is a bump on the wire. The next-hop devices will have only a Layer 2 relationship with the FWSM. This section shows the steps for the configuration of the transparent mode in a single context mode. Step 1 Configure the Policy Feature Card (PFC). Step 1 covers the switch configuration in relation to the FWSM firewall multiple-vlan-interfaces firewall module 3 vlan-group 1 firewall vlan-group 1 9,10 The details are similar to the explanation provided in Step 1 of...

Types of Firewalls

By definition, a firewall is a single device used to enforce security policies within a network or between networks by controlling traffic flows. The Firewall Services Module (FWSM) is a very capable device that can be used to enforce those security policies. The FWSM was developed as a module or blade that resides in either a Catalyst 6500 series chassis or a 7600 series router chassis. The tight integration with a chassis offers increased flexibility, especially with network virtualization...

Understanding Classification of Traffic

The traffic can be classified into multiple classes (as configured). On these classes, you can perform specific actions. A class map identifies the traffic that needs a selective action. In the FWSM, by default 255 class maps are allowed in a single or in multiple context modes. Creating class maps is a two-step process FWSM(config) class-map class_map_name Step 2 This step defines the traffic that is classified in a class map. This can be done using any of the following methods Access-list An...

Understanding Fallback Support

Configuration practice dictates having fallback support for all AAA configurations on FWSM. The fallback support helps when the external server is not reachable. In this case, the user will not be able to access the FWSM or AAA functionality for other service types. With the fallback method, the last resort for the user to get access to the FWSM is at the local database of the FWSM. For external server redundancy, you can have more than one external server. More servers can be configured in the...

Understanding Object Groups

Object groups allow the administrator to use access lists, based on a grouping that identifies the common use of a policy. With object grouping, you can classify elements of an access list in a group and can have multiple elements referenced in separate groups. These groups can be referenced in the access list for defining the security policy. The grouping can be done based on the following criteria The object group can be used with an extended access list statement. The resource limit of ACE...

Understanding the Interaction Between the Host Chassis and the FWSM

With the integration of the FWSM in a host-chassis, it becomes imperative to secure the host device. This is because the delineation of interfaces on the FWSM is associated with the virtual local-area network (VLAN) interfaces of the switch. The separation is logical, not physical. If a misconfiguration occurs on the switch, traffic from a less secure interface (outside) may have uninhibited access to a more secure interface (inside). For this reason, you must consider the switch configuration...

Verify the Functionality of FWSM

Example 19-2 shows ping from the inside to the outside security domain. Example 19-2 Ping from Inside to Outside Security Domain Layer3device ping ipv6 3FFE:500:10:1::1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 3FFE:500:10:1::1, timeout is 2 seconds Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms The ping test passes through the FWSM and tests the connectivity from the inside to the outside security domain. Example 19-3 shows ping from the outside to the...

Working with Supported Applications

Many applications are supported with specific inspection engines. Based on how those applications behave or how they have been written, you might need to alter the actions of the inspection engines or potentially disable a particular inspection engine if those applications do not function properly. Table 13-1 provides a list of supported applications (courtesy of the Cisco Firewall Services Module documentation on Cisco.com). Table 13-1 provides a reference, but for detailed information refer...

How Do I Verify ACL Resource Limits

This section gives the command to check the ACL resource limit on the FWSM. This is to verify and plan the application of new rules. The details on resource management are covered in Chapter 5, Understanding Contexts. Example 21-3 uses the show command to see ACL statistics. Example 21-3 show Command to See the ACL Statistics

Using Adaptive Security Device Manager

Adaptive Security Device Manager (ASDM) is a web-based management tool that is very easy to use, intuitive, and best of all, it's free! With ASDM, you can configure, monitor, and troubleshoot, all using a graphical user interface (GUI). ASDM is a tremendously valuable tool for managing and monitoring an individual FWSM. ASDM provides a secure connection using Hypertext Transfer Protocol Security (HTTPS) and allows for management to the outside interface. Multiple contexts can be managed from a...

Assigning Interfaces

For the FWSM to communicate to other devices on the network, a connection must be made from logical interfaces of the FWSM to VLANs assigned to the host-chassis. Referring to Figure 6-3, notice that the FWSM is logically connected to VLANs. This is accomplished through the following process. Step 1 Determine in which slot the FWSM is installed with the show module command Mod Ports Card Type Model Serial No. The output of the show module command shows that...

Configuring FWSM in the Switch

The configuration of the switch for the FWSM is important because it builds the VLANs that are added between the switch and FWSM. These VLANs will be trunked between the switch and FWSM. Follow these steps in the first configuration Step 1 Verify which module has the FWSM This is shown in the output of the show module command, as demonstrated next Mod Ports Card Type Model Serial No. 1 2 Supervisor Engine 720 (Active) WS-SUP720-BASE SAD081502C1 2 48 48-port 10 100 mb RJ45 WS-X6148-RJ45V...

Network Address Translation Port Address Translation

Network Address Translation (NAT) is the function of changing the source address and or the destination address of an IP packet. NAT must also be performed in both directions. For example, if a connection is attempted from a client to a host and the client's IP address has been modified or translated, the host returns traffic to the translated address. When a connection is attempted from the client to the host, as shown in Figure 4-1, the following NAT function occurs Step 1 The client with the...

Layer 3 VPN VRF Terminations at FWSM

The FWSM does not have any knowledge of the Layer 3 VPNs. The Layer 3 VPN services can be terminated at the Layer 3 next hop router connected to the FWSM. The FWSM interfaces can be configured to map different Layer 3 VPNs (Virtual Route Forwarding, or VRF), by associating the interface with the next hop Layer 3 device, where the VRF tag is removed. The removal of the VRF tag makes the FWSM receive regular IP packets. The Layer 3 VPN technology references MPLS Layer 3 VPN or multi-VRF...

Cisco Secure Firewall Services Module FWSM

Ray Blair, CCIE No. 7050 Arvind Durai, CCIE No. 7016 Cisco Secure Firewall Services Module (FWSM) Copyright 2009 Cisco Systems, Inc. Published by Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of...

Examining Syslog

System log, or syslog, is a means by which event information can be collected. This information can be used for troubleshooting or stored for auditing, network analysis, and so on. Unfortunately, syslog messages are sent without being encrypted and may provide valuable information to an unscrupulous individual, so use caution when sending these messages. It is especially important to send syslog messages out a secure interface. Although the FWSM allows you to send messages out the outside...

Understanding Cut Through Proxy in FWSM

In cut-through proxy, the firewall requires the user to authenticate before passing any traffic through the FWSM. Figure 10-1 shows how the cut-through proxy works. The high-level steps that describe cut-through proxy are as follows Step 1 A user from the outside security domain tries to access a web server in a more secured domain. Step 2 The FWSM prompts user authentication. Step 3 After the FWSM receives the information from the user, it passes this information to the access control server...

Dynamic Learning of Routes with FWSM

Placement of the FWSM is very important in the design. The routing information from one security domain to the other can determine the resiliency of the design. Following are some of the methods that can be used to learn the routes between security domains Method 1 Static routes The traditional method is to use static routes. The Layer 3 device at the inside security domain has a default route that points to the inside interface of the FWSM. (In case of a failover scenario, the static route...

Examining Modes of Operation

The Firewall Services Module (FWSM) has the capability to function in two modes: transparent and routed. With the introduction of version 3.1, mixed-mode operation is also supported. This allows the capability to have both transparent and routed contexts operate simultaneously on the same FWSM. The transparent mode feature on the FWSM configures the firewall to act in a Layer 2 mode, meaning that it will bridge between networks. Transparent mode helps provide a seamless transition when adding...

Border Gateway Protocol

Border Gateway Protocol (BGP) is a connection-oriented routing protocol. It uses TCP port 179. The connection is maintained by periodic keepalives. With BGP, the metrics and attributes give a granularity in path selection. BGP within the same autonomous system is called internal BGP (iBGP). All iBGP neighbors should have full meshed connectivity. In large BGP configurations, the concept of route reflectors and confederations help to build the hierarchy of connection for iBGP peers. External BGP...

Working with the show Command for IPv6 in FWSM

To view the IPv6 routes, enter the show ipv6 route command as shown in Example 19-5. To view the IPv6 interfaces, enter the show ipv6 interface command as shown in Example 19-6. Example 19-6, Displaying IPv6 Interfaces: IPv6 is enabled, link-local address is fe80::211:bbff:fe87:dd80. Global unicast address(es): 3ffe:500:10:1::2, subnet is 3ffe:500:10:1::/64. Joined group address(es): ff02::1, ff02::2, ff02::1:ff00:2, ff02::1:ff87:dd80. ICMP error messages limited to one every 100 milliseconds. ICMP redirects are...

Asymmetric Routing Support in Active/Active Mode

In Active/Active mode, both FWSM units in the failover pair are active. This is achieved using multiple context mode. The active firewalls for the respective contexts are distributed between the two FWSM units in failover mode. Consider a scenario where a packet flows through a single security rule set. When a need exists to have two desired paths, a redundant path can be designed using Active/Active redundancy and the ASR feature in the FWSM. The same rule set is applied in both contexts. ASR...

Type 3 Configuring Multiple Context Mixed Mode

The multiple context configuration shown in this section is in mixed mode: one of the contexts is in transparent mode, and the other is in routed mode. The configuration for multiple context mode is divided into four steps. Figure 7-4 shows the mixed mode configuration. Figure 7-4, Mixed Mode Configuration of FWSM: Router 1 - Outside Router for Context A; Router 2 - Outside Router for Context B; Context A in routed mode, Outside VLAN 20 and Inside VLAN 21. Router 1 - Outside Router...

Overview of the Firewall Services Module

The Firewall Services Module (FWSM) is a very sophisticated combination of hardware and software. The better understanding you have of the attributes and architecture, the better your ability to design, deploy, manage, and troubleshoot a security infrastructure. The FWSM is a single line-card module that can be installed in either a 6500 series switch or 7600 series router (one to four modules are supported in a single 6500 or 7600 chassis assuming slots are available). Dynamic routing is also...

Single Box Solution with OSPF

In Figure 23-5, the configurations for the Layer 3 device at the outside security domain, the FWSM, and the Layer 3 device for the inside security domain are configured in a single chassis with the FWSM module. The concept of virtualization with Layer 3 VPNs is integrated as a solution with the FWSM. The following example with configuration will help you understand Method 4. Figure 23-5, Method 4 for Route Learning Across Security Domains with OSPF...

Using Secure Shell

To achieve data integrity and confidentiality while managing or monitoring the FWSM from a command-line application, Secure Shell version 2 (SSHv2) is the method of choice. SSH also allows connections to be established to the outside interface. Use caution when enabling SSH support on the outside interface. If this is done, minimize the impact of a Denial-of-Service (DoS) attack by specifying the individual IP addresses used for management. NOTE: Because of the vulnerabilities associated with SSHv1,...

Configuring the CSM

A CSM can be configured in three ways. CSM in Routed mode: The client traffic entering the Catalyst 6500 through the MSFC passes through the CSM. Based on the interesting traffic list defined, the CSM makes a load-balancing decision. The traffic will then be forwarded to the server farm based on this decision. The forwarding is done via routing. The client and server VLANs will be in different subnets. CSM in Transparent mode: In this mode, the CSM is similar to a bridge. The transparent mode in CSM...

Reallocating Rules

Within each one of the memory partitions is a subset of resources allocated to rules. These resources can also be divided according to the specific needs of each partition. Figure 24-5 shows how rules can be assigned within each of the memory partitions. To view the resources allocated to a specific partition, use the show resource rule partition number command, as shown in Example 24-1. Example 24-1, Displaying Partition Resource Allocation: FWSM show resource rule partition 0. To view the...

Firewall Load Balancing with Policy Based Routing

Traditional routing forwards a packet based on the destination IP address in the routing table. With policy-based routing (PBR), packets are forwarded based on the source IP address. This provides the flexibility to forward packets to a next-hop destination chosen by source IP address. This concept is used in firewall load balancing. The next section shows the use of PBR in firewall load balancing. In Figure 18-1, the throughput of the FWSM is doubled from 5.1 Gbps to 10.2 Gbps for...

Failover Configuration in Mixed Mode

Figure 23-3 illustrates the firewall configuration for multiple context modes. One of the contexts is in routed mode and the other is in transparent mode. VLANs defined in the FWSM are allowed on the trunk interface between the primary and secondary switches. The concept of Layer 3 VPN termination covered in the previous section is used to terminate security zones on the Layer 3 device. Instead of using shared interfaces, the global routing table is leaked into the VRF outside. Each security...

Working with URLs and FTP

The third-party applications that are supported today are Websense Enterprise and Secure Computing SmartFilter (previously N2H2, which was acquired by Secure Computing in October 2003). Deploying either of these off-box solutions requires a server running the application software. These applications help to enforce Internet access policies by categorizing Internet sites and providing the capability to permit or deny access to these locations. Access can be controlled for the entire...

What Is Network Analysis Module

Network Analysis Module (NAM) is a troubleshooting tool to understand the traffic flow in the VLAN. The flow capture of packets through VLANs and the VLAN interfaces in the FWSM are analyzed using this tool. Follow these steps to set up a NAM to monitor the flow through a VLAN: Step 1: Configure the switch port or trunk to send statistical data to the NAM. This can be done using Switched Port Analyzer (SPAN), VLAN Access Control Lists (VACLs), and NetFlow. Step 2: In the NAM, you can configure...

Configuring Regular Expressions

If you have had an opportunity to work with Border Gateway Protocol (BGP), you may have been introduced to regular expressions. Regular expressions provide a way to match a group of characters using either an exact string match or meta-characters that allow you to define a range, a character set, and so on. This feature can be used to match URL strings when inspecting HTTP traffic and perform an action based on a match, or perform an action on the traffic that does not match the regular...

Increasing Performance by Leveraging the Supervisor

One of the most significant features to be released with the 4.x code train is the capability to offload flows to the supervisor, called Trusted Flow Acceleration. This capability dramatically increases the throughput of predefined types of traffic and requires a minimum code of 12.2(33)SXI on the supervisor. Prior to Trusted Flow Acceleration, all traffic was required to flow through the FWSM; refer to Chapter 2, Overview of the Firewall Services Module, for details. With the addition of...

Configuring ASR in FWSM

Cisco Cat6k

The command to enable the ASR feature, introduced in the 3.1 code release for the FWSM, is asr-group number. This command-line interface (CLI) command should be attached to the interface configuration, for example:

interface vlan 9
 nameif outside
 security-level 0
 ip address 11.1.1.10 255.255.255.0 standby 11.1.1.11
 asr-group 1

Example 17-1 represents the FWSM in multiple context routed mode. ASR groups are configured to allow the FWSM to pass the traffic. The spanning tree root for a VLAN is represented by...

Configuring Multiple Context FWSM Failover

This section goes through the Active/Active mode of configuring the FWSM in multiple context mode. The two FWSMs are present in two different chassis. The spanning tree root of the VLAN representing the active firewall context should be in the same switch. The HSRP VIP for the VLAN should also be in the same switch. If the HSRP and Spanning Tree Protocol (STP) root follow the placement of the primary context, this reduces the traffic that passes between the two chassis. In this way,...

Configuration Methods

FWSM Configuration Example

This section covers the common configuration methods to pass multicast traffic through the FWSM. The following are three common ways of configuring multicast through the firewall: (1) multicast through the firewall in single context routed mode, (2) multicast through the firewall via GRE, and (3) multicast through the transparent firewall in multiple context mode. Method 1, Configuration Example for Multicast Through Firewall in Single Context Routed Mode: To understand method 1, refer to Figure 16-1, which illustrates a configuration example of...

Memory Partitions

The FWSM has a pool of resources (memory) in which to allocate ACL memory to partitions. In multicontext mode, there are 12 memory partitions and two trees used exclusively for security policy rules: Uniform Resource Locator (URL) filtering statements, configured inspections, established rules, authentication, authorization, and accounting (AAA) authentication policies, remote access to the FWSM (SSH, Telnet, HTTP), Internet Control Message Protocol (ICMP) to the FWSM (configured using the ICMP...

Configuring Single Context FWSM Failover

The spanning tree root and Hot Standby Router Protocol (HSRP) primary should be in the same switch as the active FWSM. In single context mode, the failover mode is Active/Standby, where one of the physical firewalls will be the primary FWSM and the peer firewall will be the secondary FWSM. The traffic passes through the primary FWSM when no failure takes place, and in case of failover, the traffic passes through the secondary FWSM. In the network in Figure 12-4, the static route from the...

Using the PISA for Enhanced Traffic Detection

PISA is a hardware subsystem of the Supervisor 32. The PISA has the capability to detect and classify protocols; consequently, decisions on the FWSM to forward or deny traffic can be applied by application type. The PISA uses Network-Based Application Recognition (NBAR) and Flexible Packet Matching (FPM) to classify traffic. Both NBAR and FPM use a process of deep packet inspection to determine traffic types. This looks beyond Layer 4 ports and into the data portion of the packet; therefore,...