manualshive.com logo in svg

Cisco 6500 - Catalyst Series 10 Gigabit EN Interface Module Expansion, Configuration Manual, Page: 446 / 742

Share
Download
Cisco 6500 - Catalyst Series 10 Gigabit EN Interface Module Expansion Configuration Manual Download Page 446

 

22-30

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM

OL-20748-01

Chapter 22      Applying Application Layer Protocol Inspection

  FTP Inspection

FTP Inspection

This section describes how the FTP inspection engine works and how you can change its configuration. 
This section includes the following topics:

FTP Inspection Overview, page 22-30

Using the strict Option, page 22-30

The request-command deny Command, page 22-31

Configuring FTP Inspection, page 22-32

Verifying and Monitoring FTP Inspection, page 22-34

FTP Inspection Overview

The FTP application inspection inspects the FTP sessions and performs four

 

tasks:

Prepares dynamic secondary data connection

Tracks 

ftp 

command-response sequence

Generates an audit trail

NATs embedded IP address

FTP application inspection prepares secondary channels for FTP data transfer. Ports for these channels 
are negotiated through PORT or PASV commands. The channels are allocated in response to a file 
upload, a file download, or a directory listing event.

Note

If you disable FTP inspection engines with the 

no inspect ftp

 command, outbound users can start 

connections only in passive mode, and all inbound FTP is disabled.

Using the strict Option

Using the 

strict

 option with the 

inspect ftp

 command increases the security of protected networks by 

preventing web browsers from sending embedded commands in FTP requests.

Tip

To specify FTP commands that are not permitted to pass through the FWSM, create an FTP map and 
enter the 

request-command deny 

command in FTP map configuration mode.

After you enable the 

strict

 option on an interface, FTP inspection enforces the following behavior:

An FTP command must be acknowledged before the FWSM allows a new command.

The FWSM drops connections that send embedded commands.

The 227 and PORT commands are checked to ensure they do not appear in an error string.

Caution

Using the 

strict

 option may cause the failure of FTP clients that are not strictly compliant with FTP 

RFCs.

Summary of Contents for 6500 - Catalyst Series 10 Gigabit EN Interface Module Expansion

Page 1: ...134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI Release 4 1 Customer Order Number N A Online only Text Part Number OL 20748 01 ...

Page 2: ...e Cisco StackPower Cisco StadiumVision Cisco TelePresence Cisco TrustSec Cisco Unified Computing System Cisco WebEx DCE Flip Channels Flip for Good Flip Mino Flipshare Design Flip Ultra Flip Video Flip Video Design Instant Broadband and Welcome to the Human Network are trademarks Changing the Way We Work Live Play and Learn Cisco Capital Cisco Capital Design Cisco Financed Stylized Cisco Store Fli...

Page 3: ...s Module 1 1 New Features 1 2 Security Policy Overview 1 3 Permitting or Denying Traffic with Access Lists 1 4 Applying NAT 1 4 Protecting from IP Fragments 1 4 Using AAA for Through Traffic 1 4 Applying Internet Filtering 1 4 Applying Application Inspection 1 5 Applying Connection Limits 1 5 How the Firewall Services Module Works with the Switch 1 5 Using the MSFC 1 6 Firewall Mode Overview 1 7 S...

Page 4: ...C H A P T E R 3 Connecting to the Firewall Services Module and Managing the Configuration 3 1 Connecting to the Firewall Services Module 3 1 Logging in to the FWSM 3 1 Logging out of the FWSM 3 2 Managing the Configuration 3 3 Saving Configuration Changes 3 3 Saving Configuration Changes in Single Context Mode 3 3 Saving Configuration Changes in Multiple Context Mode 3 3 Copying the Startup Config...

Page 5: ...ng the Number of Memory Partitions 4 13 Changing the Memory Partition Size 4 14 Reallocating Rules Between Features for a Specific Memory Partition 4 19 Configuring Resource Management 4 21 Classes and Class Members Overview 4 22 Resource Limits 4 22 Default Class 4 23 Class Members 4 24 Configuring a Class 4 24 Configuring a Security Context 4 27 Changing Between Contexts and the System Execution...

Page 6: ...ps 5 9 Using the Transparent Firewall in Your Network 5 9 Transparent Firewall Guidelines 5 10 Unsupported Features in Transparent Mode 5 11 How Data Moves Through the Transparent Firewall 5 12 An Inside User Visits a Web Server 5 13 An Inside User Visits a Web Server Using NAT 5 14 An Outside User Visits a Web Server on the Inside Network 5 15 An Outside User Attempts to Access an Inside Host 5 1...

Page 7: ...g the Prompt 7 4 Configuring a Login Banner 7 5 C H A P T E R 8 Configuring IP Routing and DHCP Services 8 1 How Routing Behaves Within FWSM 8 1 Egress Interface Selection Process 8 1 Next Hop Selection Process 8 2 Configuring Static and Default Routes 8 2 Configuring a Static Route 8 3 Configuring a Default Route 8 4 Monitoring a Static or Default Route 8 5 Defining a Route Map 8 5 Configuring BG...

Page 8: ...ing 8 24 Enabling EIGRP Authentication 8 25 Defining an EIGRP Neighbor 8 26 Redistributing Routes Into EIGRP 8 26 Configuring the EIGRP Hello Interval and Hold Time 8 27 Disabling Automatic Route Summarization 8 27 Configuring Summary Aggregate Addresses 8 28 Disabling EIGRP Split Horizon 8 28 Changing the Interface Delay Value 8 29 Monitoring EIGRP 8 29 Disabling Neighbor Change and Warning Messa...

Page 9: ...MP Version 9 5 Configuring Stub Multicast Routing 9 5 Configuring a Static Multicast Route 9 6 Configuring PIM Features 9 6 Disabling PIM on an Interface 9 6 Configuring a Static Rendezvous Point Address 9 7 Configuring the Designated Router Priority 9 7 Filtering PIM Register Messages 9 7 Configuring PIM Message Intervals 9 8 For More Information About Multicast Routing 9 8 C H A P T E R 10 Confi...

Page 10: ...on 11 2 About Authorization 11 2 About Accounting 11 2 AAA Server and Local Database Support 11 3 Summary of Support 11 3 RADIUS Server Support 11 4 Authentication Methods 11 4 Attribute Support 11 4 RADIUS Authorization Functions 11 4 TACACS Server Support 11 4 SDI Server Support 11 5 SDI Version Support 11 5 Two step Authentication Process 11 5 SDI Primary and Replica Servers 11 5 NT Server Supp...

Page 11: ...ew 13 1 Access List Types 13 2 Access Control Entry Order 13 2 Access List Implicit Deny 13 3 IP Addresses Used for Access Lists When You Use NAT 13 3 Access List Commitment 13 5 Maximum Number of ACEs 13 6 Adding an Extended Access List 13 6 Extended Access List Overview 13 6 Allowing Broadcast and Multicast Traffic through the Transparent Firewall 13 7 Adding an Extended ACE 13 7 Adding an Ether...

Page 12: ...nge to an ACE 13 25 Logging Access List Activity 13 25 Access List Logging Overview 13 25 Configuring Logging for an ACE 13 26 Managing Deny Flows 13 27 C H A P T E R 14 Configuring Failover 14 1 Understanding Failover 14 1 Failover System Requirements 14 2 Software Requirements 14 2 License Requirements 14 2 Failover and State Links 14 2 Failover Link 14 2 State Link 14 3 Intra and Inter Chassis ...

Page 13: ...n Authentication Encryption 14 31 Verifying the Failover Configuration 14 31 Viewing Failover Status 14 31 Viewing Monitored Interfaces 14 39 Viewing the Failover Configuration 14 39 Testing the Failover Functionality 14 39 Controlling and Monitoring Failover 14 40 Forcing Failover 14 40 Disabling Failover 14 41 Disabling Configuration Synchronization 14 41 Restoring a Failed Unit or Failover Grou...

Page 14: ...9 Using Dynamic NAT and PAT 16 19 Dynamic NAT and PAT Implementation 16 20 Configuring Dynamic NAT or PAT 16 26 Using Static NAT 16 29 Using Static PAT 16 31 Bypassing NAT 16 33 Configuring Identity NAT 16 34 Configuring Static Identity NAT 16 34 Configuring NAT Exemption 16 36 NAT Examples 16 37 Overlapping Networks 16 38 Redirecting Ports 16 39 C H A P T E R 17 Applying AAA for Network Access 17...

Page 15: ...ring ActiveX Objects 18 1 ActiveX Filtering Overview 18 2 Enabling ActiveX Filtering 18 2 Filtering Java Applets 18 3 Filtering URLs and FTP Requests with an External Server 18 4 URL Filtering Overview 18 4 Identifying the Filtering Server 18 4 Buffering the Content Server Response 18 6 Caching Server Addresses 18 6 Filtering HTTP URLs 18 7 Configuring HTTP Filtering 18 7 Enabling Filtering of Lon...

Page 16: ...cial Actions for Application Inspections Inspection Policy Map 20 6 Inspection Policy Map Overview 20 7 Defining Actions in an Inspection Policy Map 20 7 Identifying Traffic in an Inspection Class Map 20 10 Creating a Regular Expression 20 11 Creating a Regular Expression Class Map 20 14 Defining Actions Layer 3 4 Policy Map 20 14 Information About Layer 3 4 Policy Maps 20 15 Policy Map Guidelines...

Page 17: ...ing on the PISA 21 8 Sample Switch Configurations for PISA Integration 21 9 Monitoring PISA Connections 21 10 Syslog Message for Dropped Connections 21 10 Viewing PISA Connections on the FWSM 21 10 Configuring TCP State Bypass 21 10 TCP State Bypass Overview 21 11 Allowing Outbound and Inbound Flows through Separate FWSMs 21 11 Unsupported Features 21 12 Compatibility with NAT 21 12 Connection Tim...

Page 18: ...e with Three NAT Zones 22 22 Configuring DNS Rewrite with Three NAT Zones 22 23 Configuring DNS Inspection 22 24 Verifying and Monitoring DNS Inspection 22 25 DNS Guard 22 26 ESMTP Inspection 22 26 Configuring an ESMTP Inspection Policy Map for Additional Inspection Control 22 26 FTP Inspection 22 30 FTP Inspection Overview 22 30 Using the strict Option 22 30 The request command deny Command 22 31...

Page 19: ...MGCP Inspection 22 65 MGCP Inspection Overview 22 65 Configuring MGCP Call Agents and Gateways 22 67 Configuring and Enabling MGCP Inspection 22 67 Configuring MGCP Timeout Values 22 69 Verifying and Monitoring MGCP Inspection 22 69 MGCP Sample Configuration 22 70 NetBIOS Inspection 22 72 PPTP Inspection 22 73 RSH Inspection 22 73 RTSP Inspection 22 73 RTSP Inspection Overview 22 73 Using RealPlay...

Page 20: ...C Inspection 22 99 Sun RPC Inspection Overview 22 100 Enabling and Configuring Sun RPC Inspection 22 100 Managing Sun RPC Services 22 102 Verifying and Monitoring Sun RPC Inspection 22 102 TFTP Inspection 22 104 XDMCP Inspection 22 104 C H A P T E R 23 Configuring Management Access 23 1 Allowing Telnet Access 23 1 Allowing SSH Access 23 2 Configuring SSH Access 23 3 Using an SSH Client 23 3 Allowi...

Page 21: ...m the Maintenance Partition 24 5 Installing ASDM from the FWSM CLI 24 8 Upgrading Failover Pairs 24 9 Upgrading Failover Pairs to a New Maintenance Release 24 9 Upgrading an Active Standby Failover Pair to a New Maintenance Release 24 10 Upgrading an Active Active Failover Pair to a New Maintenance Release 24 10 Upgrading Failover Pairs to a New Minor or Major Release 24 11 Installing Maintenance ...

Page 22: ...g Messages to a Switch Session Telnet Session or SSH Session 25 8 Sending Syslog Messages to the Log Buffer 25 9 Filtering Syslog Messages 25 11 Message Filtering Overview 25 12 Filtering Syslog Messages by Class 25 12 Filtering Syslog Messages with Custom Message Lists 25 14 Customizing the Log Configuration 25 15 Configuring the Logging Queue 25 15 Including the Date and Time in Syslog Messages ...

Page 23: ...Crash Dump 26 9 Common Problems 26 10 A P P E N D I X A Specifications A 1 Switch Hardware and Software Compatibility A 1 Catalyst 6500 Series Requirements A 2 Cisco 7600 Series Requirements A 2 Licensed Features A 2 Physical Attributes A 3 Feature Limits A 3 Managed System Resources A 4 Fixed System Resources A 6 Rule Limits A 6 Default Rule Allocation A 7 Rules in Multiple Context Mode A 7 Reall...

Page 24: ... B 15 Admin Context Configuration Example 5 B 16 Customer A Context Configuration Example 5 B 17 Customer B Context Configuration Example 5 B 17 Customer C Context Configuration Example 5 B 18 Failover Example Configurations B 18 Example 6 Routed Mode Failover B 19 Primary FWSM Configuration Example 6 B 19 Secondary FWSM System Configuration Example 6 B 22 Switch Configuration Example 6 B 22 Examp...

Page 25: ...he Text Configuration C 7 Passwords C 7 Multiple Security Context Files C 7 A P P E N D I X D Mapping MIBs to CLI Commands D 1 A P P E N D I X E Addresses Protocols and Ports E 1 IPv4 Addresses and Subnet Masks E 1 Classes E 2 Private Networks E 2 Subnet Masks E 2 Determining the Subnet Mask E 3 Determining the Address to Use with the Subnet Mask E 3 IPv6 Addresses E 5 IPv6 Address Format E 5 IPv6...

Page 26: ...Contents xxvi Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL 20748 01 ...

Page 27: ...lls Managing default and static routes and TCP and UDP services Objectives This document contains instructions and procedures for configuring the Firewall Services Module FWSM a single width services module supported on the Catalyst 6500 switch and the Cisco 7600 router using the command line interface FWSM protects your network from unauthorized use This guide does not cover every feature but des...

Page 28: ...ader take note Notes contain helpful suggestions or references to material not covered in the manual For information on modes prompts and syntax see Appendix C Using the Command Line Interface Related Documentation FWSM documentation is at the following URL http www cisco com en US products hw modules ps2706 ps4452 tsd_products_support_model_home html ASDM documentation is at the following URL htt...

Page 29: ...gathering additional information see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisco technical documentation at http www cisco com en US docs general whatsnew whatsnew html Subscribe to the What s New in Cisco Product Documentation as a Really Simple Syndication RSS feed and set content to be delivered directly to your desktop using a reader applica...

Page 30: ...xxx Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL 20748 01 About This Guide ...

Page 31: ... procedure Step 3 Connecting to the Firewall Services Module page 3 1 From the switch CLI you can session into the FWSM to access the FWSM CLI Step 4 Might be required multiple context mode only Enabling or Disabling Multiple Context Mode page 4 10 If you want to use multiple context mode and your FWSM is not already configured for it or if you want to change back to single mode follow this proced...

Page 32: ... Description Step 1 Assigning VLANs to the Firewall Services Module page 2 2 On the switch you need to assign VLANs to the FWSM so that the FWSM can send and receive traffic on the switch Step 2 Might be required Adding Switched Virtual Interfaces to the MSFC page 2 4 If you want the MSFC to route between VLANs that are assigned to the FWSM complete this procedure Step 3 Connecting to the Firewall...

Page 33: ...ecurity level and a bridge group Step 9 Assigning an IP Address to a Bridge Group page 6 6 Assign an IP address to each bridge group Step 10 Configuring a Default Route page 8 4 Create a default route to an upstream router for returning management traffic Step 11 Adding an Extended ACE page 13 7 Before any traffic can go through the FWSM you must create an access list that permits traffic Step 12 ...

Page 34: ...xxxiv Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL 20748 01 Quick Start Steps ...

Page 35: ...P A R T 1 Getting Started and General Information ...

Page 36: ......

Page 37: ...ou can also control when inside users access outside networks for example access to the Internet by allowing only certain addresses out by requiring authentication or authorization or by coordinating with an external URL filtering server The FWSM includes many advanced features such as multiple security contexts similar to virtualized firewalls transparent Layer 2 firewall or routed Layer 3 firewa...

Page 38: ...ment path before being dropped by the accelerated path causing potential overload of the session management path The following command was introduced sysopt connection udp create arp unresolved conn DCERPC Enhancement Remote Create Instance message support In this release DCERPC Inspection was enhanced to support inspection of RemoteCreationInstance RPC messages No commands were modified NAT PAT G...

Page 39: ...slation while generating syslogs to the console syslog server and FTP syslog server The following command was introduced logging names Shared Management Interface in Transparent Mode You can now add a management VLAN that is not part of any bridge group This VLAN is especially useful in multiple context mode where you can share a single management VLAN across multiple contexts The following comman...

Page 40: ...al address of a host NAT can resolve IP routing problems by supporting overlapping IP addresses Protecting from IP Fragments The FWSM provides IP fragment protection This feature performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the FWSM Fragments that fail the security check are dropped and logged Virtual reassembly ca...

Page 41: ...nnections and embryonic connections Limiting the number of connections and embryonic connections protects you from a DoS attack The FWSM uses the embryonic limit to trigger TCP Intercept which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets An embryonic connection is a connection request that has not finished the necessary handshake between sourc...

Page 42: ...on of the MSFC depends entirely on the VLANs that you assign to it For example the MSFC is behind the firewall in the example shown on the left side of Figure 1 1 because you assigned VLAN 201 to the inside interface of the FWSM The MSFC is in front of the firewall in the example shown on the right side of Figure 1 1 because you assigned VLAN 200 to the outside interface of the FWSM In the left ha...

Page 43: ...network In transparent mode the FWSM acts like a bump in the wire or a stealth firewall and is not considered a router hop The FWSM connects to the same network on its inside and outside interfaces You can configure up to eight pairs of interfaces called bridge groups to connect to eight different networks per context You might use a transparent firewall to simplify your network configuration Tran...

Page 44: ... fragments for a packet that is larger than 8500 Bytes The session will be established but only the first 8500 Bytes will be sent out Subsequent packets for this session are not affected by this limitation The session management path is responsible for the following tasks Performing the access list checks Performing route lookups Allocating NAT translations xlates Establishing sessions in the acce...

Page 45: ...h context has its own security policy interfaces and administrators Multiple contexts are similar to having multiple standalone devices Many features are supported in multiple context mode including routing tables firewall features and management Some features are not supported including dynamic routing protocols In multiple context mode the FWSM includes a configuration for each context that iden...

Page 46: ... Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL 20748 01 Chapter 1 Introduction to the Firewall Services Module Security Context Overview ...

Page 47: ...al Interfaces to the MSFC page 2 4 Customizing the FWSM Internal Interface page 2 8 Configuring the Switch for Failover page 2 9 Managing the Firewall Services Module Boot Partitions page 2 10 Switch Overview You can install the FWSM in the Catalyst 6500 series switches or the Cisco 7600 series routers The configuration of both series is identical and the series are referred to generically in this...

Page 48: ...r the following command Router config no monitor session servicemodule Verifying the Module Installation To verify that the switch acknowledges the FWSM and has brought it online view the module information using the following command Router show module mod num all The following is sample output from the show module command Router show module Mod Ports Card Type Model Serial No 1 2 Catalyst 6000 s...

Page 49: ...they are added to the switch Assigning VLANs to the FWSM In Cisco IOS software create up to 16 firewall VLAN groups and then assign the groups to the FWSM For example you can assign all the VLANs to one group or you can create an inside group and an outside group or you can create a group for each customer Each group can contain unlimited VLANs You cannot assign the same VLAN to multiple firewall ...

Page 50: ...ollowing numbers 5 7 10 The following example shows how you can create three firewall VLAN groups one for each FWSM and one that includes VLANs assigned to both FWSMs Router config firewall vlan group 50 55 57 Router config firewall vlan group 51 70 85 Router config firewall vlan group 52 100 Router config firewall module 5 vlan group 50 52 Router config firewall module 8 vlan group 51 52 The foll...

Page 51: ...e MSFC Configuring SVIs page 2 7 SVI Overview For security reasons by default only one SVI can exist between the MSFC and the FWSM For example if you misconfigure the system with multiple SVIs you could accidentally allow traffic to pass around the FWSM by assigning both the inside and outside VLANs to the MSFC See Figure 2 1 Figure 2 1 Multiple SVI Misconfiguration FWSM MSFC VLAN 200 VLAN 100 VLA...

Page 52: ...s Figure 2 2 shows an IPX host on the same Ethernet segment as IP hosts Because the FWSM in routed firewall mode only handles IP traffic and drops other protocol traffic like IPX transparent firewall mode can optionally allow non IP traffic you might want to bypass the FWSM for IPX traffic Make sure to configure the MSFC with an access list that allows only IPX traffic to pass on VLAN 201 Figure 2...

Page 53: ...SFC perform the following steps Step 1 Optional To allow you to add more than one SVI to the FWSM enter the following command Router config firewall multiple vlan interfaces Step 2 To add a VLAN interface to the MSFC enter the following command Router config interface vlan vlan_number Step 3 To set the IP address for this interface on the MSFC enter the following command Router config if ip addres...

Page 54: ... Switched ucast 196 pkt 13328 bytes mcast 4 pkt 256 bytes L3 in Switched ucast 0 pkt 0 bytes mcast 0 pkt 0 bytes mcast L3 out Switched ucast 0 pkt 0 bytes 0 packets input 0 bytes 0 no buffer Received 0 broadcasts 0 runts 0 giants 0 throttles 0 input errors 0 CRC 0 frame 0 overrun 0 ignored 4 packets output 256 bytes 0 underruns 0 output errors 0 interface resets 0 output buffer failures 0 output b...

Page 55: ...ee the documentation for your switch Ensuring Compatibility with Transparent Firewall Mode To avoid loops when you use failover in transparent mode use switch software that supports BPDU forwarding See the Switch Hardware and Software Compatibility section on page A 1 for more information about switch support for transparent firewall mode Do not enable LoopGuard globally on the switch if the FWSM ...

Page 56: ...t the application image password or to display the crash dump information Network configuration partition cf 2 Contains the network configuration of the maintenance software The maintenance software requires IP settings so that the FWSM can reach the TFTP server to download application software images Crash dump partition cf 3 Stores the crash dump information Application partitions cf 4 and cf 5 ...

Page 57: ...ation partition The maintenance partition is valuable for troubleshooting The reset process might take several minutes When you reset the FWSM you can also choose to run a full memory test When the FWSM initially boots it only runs a partial memory test A full memory test takes approximately six minutes Note To reload the FWSM when you are logged into the FWSM enter reload or reboot You cannot boo...

Page 58: ...s Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL 20748 01 Chapter 2 Configuring the Switch for the Firewall Services Module Managing the Firewall Services Module Boot Partitions ...

Page 59: ...FWSM page 3 2 Logging in to the FWSM The FWSM does not have an external console port you must session in to the FWSM for initial configuration Later when you configure interfaces and IP addresses on the FWSM itself you can access the FWSM CLI remotely through an FWSM interface See Chapter 23 Configuring Management Access for more information Without any additional configuration for user authentica...

Page 60: ...by entering the login password at the following prompt hostname passwd By default the password is cisco To change the password see the Changing the Passwords section on page 7 1 Step 3 To access privileged EXEC mode enter the following command hostname enable This command accesses the highest privilege level The following prompt appears Password Step 4 Enter the enable password at the prompt By de...

Page 61: ...urity Contexts This section includes the following topics Saving Configuration Changes page 3 3 Copying the Startup Configuration to the Running Configuration page 3 5 Viewing the Configuration page 3 5 Clearing and Removing Configuration Settings page 3 5 Creating Text Configuration Files Offline page 3 6 Saving Configuration Changes This section describes how to save your configuration and inclu...

Page 62: ...n reside on external servers In this case the FWSM saves the configuration back to the server you identified in the context URL except for an HTTP or HTTPS URL which do not let you save the configuration to the server After the FWSM saves each context the following message appears Saving context b 1 3 contexts saved Sometimes a context is not saved because of an error See the following information...

Page 63: ...ect of the merge depends on the command You might get errors or you might have unexpected results To load the startup configuration and discard the running configuration restart the FWSM by entering the following command hostname reload Alternatively you can use the following commands to load the startup configuration and discard the running configuration without requiring a reboot hostname config...

Page 64: ...ws hostname config no nat inside 1 To erase the startup configuration enter the following command hostname config write erase To erase the running configuration enter the following command hostname config clear configure all Note In multiple context mode if you enter clear configure all from the system configuration you also remove all contexts and stop them from running Creating Text Configuratio...

Page 65: ... page 4 32 Security Context Overview You can partition a single FWSM into multiple virtual devices known as security contexts Each context has its own security policy interfaces and administrators Multiple contexts are similar to having multiple standalone devices Many features are supported in multiple context mode including routing tables firewall features and management Some features are not su...

Page 66: ...e See the Configuring Route Health Injection section on page 8 32 Multicast routing Multicast bridging is supported Context Configuration Files This section describes how the FWSM implements multiple context mode configurations and includes the following topics Context Configurations page 4 2 System Configuration page 4 2 Admin Context Configuration page 4 3 Context Configurations The FWSM include...

Page 67: ...MAC address Moreover the bridging table of the switch would constantly change as the MAC address moves from one interface to another The purpose of the security context classifier is to resolve this situation This section includes the following topics Valid Classifier Criteria page 4 3 Invalid Classifier Criteria page 4 4 Classification Examples page 4 5 Valid Classifier Criteria If only one conte...

Page 68: ...ow np 3 static command in the system execution space Note For management traffic destined for an interface the interface IP address is used for classification Invalid Classifier Criteria The following configurations are not used for packet classification NAT exemption The classifier does not use a NAT exemption configuration for classification purposes because NAT exemption does not identify the m...

Page 69: ...nique allowing overlapping IP addresses The classifier assigns the packet to Context B because Context B includes the address translation that matches the destination address Figure 4 1 Packet Classification with a Shared Interface Classifier Context A Context B VLAN 300 VLAN 250 VLAN 100 Shared Interface Admin Context VLAN 200 Host 10 1 1 13 Host 10 1 1 13 Host 10 1 1 13 Dest Addr Translation 209...

Page 70: ...de networks Figure 4 2 shows a host on the Context B inside network accessing the Internet The classifier assigns the packet to Context B because the ingress interface is VLAN 300 which is assigned to Context B Figure 4 2 Incoming Traffic from Inside Networks Host 10 1 1 13 Host 10 1 1 13 Host 10 1 1 13 Classifier Context A Context B VLAN 300 VLAN 250 VLAN 100 Admin Context VLAN 200 Inside Custome...

Page 71: ...ent mode you can only share a management only VLAN all through traffic interfaces must be unique For management traffic destined for an interface the interface IP address is used for classification For non management only VLANs in routed mode packet classification requirements might make sharing interfaces impractical Because the classifier relies on active NAT sessions to classify the destination...

Page 72: ...to an existing connection Static NAT however lets you initiate connections so you can initiate connections on the shared interface Sharing an Outside Interface When you have an outside shared interface connected to the Internet for example the destination addresses on the inside are limited and are known by the system administrator so configuring NAT for those addresses is easy even if you want to...

Page 73: ...curity Contexts The FWSM provides system administrator access in multiple context mode as well as access for individual context administrators The following topics describe logging in as a system administrator or as a context administrator System Administrator Access page 4 9 Context Administrator Access page 4 10 System Administrator Access You can access the FWSM as a system administrator in two...

Page 74: ...mand When you change to context B you must again enter the login command to log in as admin Context Administrator Access You can access a context using Telnet SSH or ASDM If you log in to a non admin context you can only access the configuration for that context You can provide individual logins to the context See Chapter 23 Configuring Management Access to enable Telnet SSH and SDM access and to ...

Page 75: ...can restore the old single mode running configuration if available as the startup configuration Because the system configuration does not have any network interfaces as part of its configuration you must access the FWSM from a switch session to perform the copy To copy the old running configuration to the startup configuration and to change the mode to single mode perform the following steps in th...

Page 76: ...ed up on a first come first served basis so one context might use more rules than another context You can manage memory partitions by manually assigning a context to a partition see the Configuring a Security Context section on page 4 27 reducing the number of partitions to better match the number of contexts you have see the Setting the Number of Memory Partitions section on page 4 13 changing th...

Page 77: ...ollow these guidelines might result in dropped access list configuration as well as other anomalies including ACL tree corruption The target partition and rule allocation settings must be carefully calculated planned and preferably tested in a non production environment prior to making the change to ensure that all existing contexts and rules can be accommodated When failover is used both FWSMs ne...

Page 78: ...he no resource acl partition command to restore the default for this command You see the following message WARNING This command leads to re partitioning of ACL Memory It will not take affect until you save the configuration and reboot Step 3 To reload the FWSM so your changes can take effect enter the following command hostname config reload If you are using failover wait a few seconds before relo...

Page 79: ...d not specifically allocate the contexts then you run the risk of context assignments shifting after a reload for example if you add or subtract contexts Reduce the size of partition s before increasing the size of other partition s The FWSM rejects any increases in size if there is not free space available If the existing number of ACEs does not fit into the new partition size then the resizing i...

Page 80: ... is between 0 and 11 by default If you changed the number of partitions the partition numbering starts with 0 So if you have 10 partitions the partition numbers are 0 through 9 Step 3 To reduce the partition size enter the following command hostname config partition size number_of_rules Where number is the number of rules you want to assign to the partition in this case a lower number than was sho...

Page 81: ...is between 0 and 11 by default If you changed the number of partitions the partition numbering starts with 0 So if you have 10 partitions the partition numbers are 0 through 9 Step 7 To increase the partition size enter the following command hostname config partition size number_of_rules Where number is the number of rules you want to assign to the partition in this case a higher number than was s...

Page 82: ...n Default Partition Configured Number Size Size Size 0 49970 49970 49970 1 49969 49969 49969 2 49969 49969 49969 3 49969 49969 49969 backup tree 49970 49970 49970 Total 249847 249847 249847 Total Partition size Configured size Available to allocate 249847 249847 0 hostname config resource partition 0 hostname config partition size 40000 hostname config partition resource partition 1 hostname confi...

Page 83: ...and preferably tested in a non production environment prior to making the change to ensure that all existing contexts and rules can be accommodated When failover is used both FWSMs need to be reloaded at the same time after making partition changes Reloading both FWSMs causes an outage with no possibility for a zero downtime reload At no time should two FWSMs with a mismatched number of partitions...

Page 84: ...e close to the maximum of 9216 You might choose to reallocate some access list rules ACL Rule to inspections hostname config show np 3 acl count 0 CLS Rule Current Counts CLS Filter Rule Count 0 CLS Fixup Rule Count 9001 CLS Est Ctl Rule Count 4 CLS AAA Rule Count 15 CLS Est Data Rule Count 4 CLS Console Rule Count 16 CLS Policy NAT Rule Count 0 CLS ACL Rule Count 30500 CLS ACL Uncommitted Add 0 C...

Page 85: ... display but you set both rules using the est keyword which correlates with the number of established commands Be sure to double the value you enter here when comparing the total number of configured rules with the total number of rules shown in the show commands The aaa max_nat_rules arguments set the maximum number of AAA rules between 0 and 10000 The console max_nat_rules arguments set the maxi...

Page 86: ...ibe the FWSM by assigning more than 100 percent of the resources across all contexts For example you can set the Bronze class to limit connections to 20 percent per context and then assign 10 contexts to the class for a total of 200 percent If contexts concurrently use more than the system limit then each context gets less than the 20 percent you intended See Figure 4 5 Figure 4 5 Resource Oversub...

Page 87: ...owever if the other class has any settings that are not defined then the member context uses the default class for those limits For example if you create a class with a 2 percent limit for all concurrent connections but no other limits then all other limits are inherited from the default class Conversely if you create a class with a 2 percent limit for all resources the class uses no settings from...

Page 88: ...lt You can only assign a context to one resource class The exception to this rule is that limits that are undefined in the member class are inherited from the default class so in effect a context could be a member of default plus another class Configuring a Class To configure a class in the system configuration perform the following steps You can change the value of a particular resource limit by ...

Page 89: ...imit You can assign more than 100 percent if you want to oversubscribe the device To set a particular resource limit enter the following command hostname config resmgmt limit resource rate resource_name number For this particular resource the limit overrides the limit set for all Enter the rate argument to set the rate per second for certain resources See Table 4 2 for resources for which you can ...

Page 90: ...n some circumstances the connections are not evenly divided and you might reach the maximum connection limit on one NP before reaching the maximum on the other In this case the maximum connections allowed is less than the limit you set The NP distribution is controlled by the switch based on an algorithm You can adjust this algorithm on the switch or you can adjust the connection limit upward to a...

Page 91: ...t resource all 3 hostname config class limit resource rate syslogs 500 Configuring a Security Context The security context definition in the system configuration identifies the context name configuration file URL interfaces that a context can use and other context parameters Note To assign a context to a failover group for active active failover see the Using Active Active Failover section on page...

Page 92: ...nge of VLANs typically from 2 to 1000 and from 1025 to 4094 see the switch documentation for supported VLANs To see a list of VLANs assigned to the FWSM use the show vlan command You can allocate a VLAN that is not yet assigned to the FWSM but you need to assign them from the switch if you want them to pass traffic When you allocate an interface the FWSM automatically adds the interface command fo...

Page 93: ...config url url When you add a context URL the system immediately loads the context so that it is running if the configuration is available Note Enter the allocate interface command s before you enter the config url command The FWSM must assign interfaces to the context before it loads the context configuration the context configuration might include commands that refer to interfaces interface nat ...

Page 94: ...text Specify the interface name if you want to override the route to the server address The filename does not require a file extension although we recommend using cfg If the configuration file is not available you see the following message WARNING Could not fetch the URL tftp url INFO Creating context with default config You can then change to the context configure it at the CLI and enter the writ...

Page 95: ...rator hostname config context administrator hostname config ctx allocate interface vlan10 hostname config ctx allocate interface vlan11 hostname config ctx config url disk admin cfg hostname config ctx context test hostname config ctx allocate interface vlan100 int1 hostname config ctx allocate interface vlan102 int2 hostname config ctx allocate interface vlan110 vlan115 int3 int8 hostname config ...

Page 96: ...cs Removing a Security Context page 4 32 Changing the Admin Context page 4 33 Changing the Security Context URL page 4 33 Reloading a Security Context page 4 34 Monitoring Security Contexts page 4 35 Removing a Security Context You can only remove a context by editing the system configuration You cannot remove the current admin context unless you remove all contexts using the clear context command...

Page 97: ...ace name does not exist in the new admin context be sure to update any system commands that refer to the interface Changing the Security Context URL You cannot change the security context URL without reloading the configuration from the new URL The FWSM merges the new configuration with the current running configuration Reentering the same URL also merges the saved configuration with the running c...

Page 98: ...system requires you to respecify the URL and interfaces This section includes the following topics Reloading by Clearing the Configuration page 4 34 Reloading by Removing and Readding the Context page 4 35 Reloading by Clearing the Configuration To reload the context by clearing the context configuration and reloading the configuration from the URL perform the following steps Step 1 To change to t...

Page 99: ...space view all contexts by entering the following command hostname show context name detail count The detail option shows additional information See the following sample displays for more information If you want to show information for a particular context specify the name The count option shows the total number of contexts The following is sample output from the show context command The following...

Page 100: ...co 7600 Series Router Firewall Services Module Command Reference for more information about the detail output The following is sample output from the show context count command hostname show context count Total active contexts 2 Viewing Resource Allocation From the system execution space you can view the allocation for each resource across all classes and class members To view the resource allocat...

Page 101: ...0000 10 00 Syslogs rate default all CA unlimited gold 1 C 6000 6000 20 00 silver 1 CA 3000 3000 10 00 bronze 0 CA 1500 All Contexts 3 9000 30 00 Conns default all CA unlimited gold 1 C 200000 200000 20 00 silver 1 CA 100000 100000 10 00 bronze 0 CA 50000 All Contexts 3 300000 30 00 Hosts default all CA unlimited gold 1 DA unlimited silver 1 CA 26214 26214 9 99 bronze 0 CA 13107 All Contexts 3 2621...

Page 102: ...he All contexts field shows the total values across all classes Mmbrs The number of contexts assigned to each class Origin The origin of the resource limit as follows A You set this limit with the all option instead of as an individual resource C This limit is derived from the member class D This limit was not defined in the member class but was derived from the default class For a context assigne...

Page 103: ...nage For example you can view the number of TCP intercepts The counter counter_name is one of the following keywords current Shows the active concurrent instances or the current rate of the resource denied Shows the number of instances that were denied because they exceeded the resource allocation peak Shows the peak concurrent instances or the peak rate of the resource since the statistics were l...

Page 104: ...rcept TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN flooding attacks A SYN flooding attack consists of a series of SYN packets usually originating from spoofed IP addresses The constant flood of SYN packets keeps the server SYN queue full which prevents it from servicing connection requests When the embryonic connection threshold of a connection is crossed the FWSM acts as a prox...

Page 105: ...ted 0 c1 chunk channels 15 16 unlimited 0 c1 chunk dbgtrace 1 1 unlimited 0 c1 chunk fixup 15 15 unlimited 0 c1 chunk global 1 1 unlimited 0 c1 chunk hole 2 2 unlimited 0 c1 chunk ip users 10 10 unlimited 0 c1 chunk udp ctrl blk 1 1 unlimited 0 c1 chunk list elem 24 24 unlimited 0 c1 chunk list hdr 5 6 unlimited 0 c1 chunk nat 1 1 unlimited 0 c1 chunk route 2 2 unlimited 0 c1 chunk static 1 1 unli...

Page 106: ...ed 0 Summary chunk udp ctrl blk 1 1 unlimited 0 Summary chunk list elem 1059 1059 unlimited 0 Summary chunk list hdr 10 11 unlimited 0 Summary chunk nat 1 1 unlimited 0 Summary chunk route 5 5 unlimited 0 Summary chunk static 2 2 unlimited 0 Summary block 16384 510 885 8192 S 0 Summary block 2048 32 35 1000 S 0 Summary tcp intercept rate 341306 811579 unlimited 0 Summary globals 1 1 1051 S 0 Summa...

Page 107: ...erview In routed mode the FWSM is considered to be a router hop in the network It can use OSPF EIGRP passive RIP in single context mode and BGP in stub mode Routed mode supports many interfaces and each interface is on a different subnet You can share interfaces between contexts with some limitations IP Routing Support page 5 1 How Data Moves Through the FWSM in Routed Firewall Mode page 5 2 IP Ro...

Page 108: ...de User Attempts to Access an Inside Host page 5 5 A DMZ User Attempts to Access an Inside Host page 5 6 An Inside User Visits a Web Server Figure 5 1 shows an inside user accessing an outside web server Figure 5 1 Inside to Outside The following steps describe how data moves through the FWSM see Figure 5 1 1 The user on the inside network requests a web page from www example com 2 The FWSM receiv...

Page 109: ...hich is on the outside interface subnet The mapped address could be on any subnet but routing is simplified when it is on the outside interface subnet 4 The FWSM then records that a session is established and forwards the packet from the outside interface 5 When www example com responds to the request the packet goes through the FWSM and because the session is already established the packet bypass...

Page 110: ...context the destination address is associated by matching an address translation in a context In this case the classifier knows that the DMZ web server address belongs to a certain context because of the server address translation 3 The FWSM translates the destination address to the real address 10 1 1 3 4 The FWSM then adds a session entry to the fast path and forwards the packet from the DMZ int...

Page 111: ...ither a unique interface or a unique destination address associated with a context the destination address is associated by matching an address translation in a context In this case the interface is unique the web server IP address does not have a current address translation 3 The FWSM then records that a session is established and forwards the packet out of the DMZ interface 4 When the DMZ web se...

Page 112: ... drops the packet and logs the connection attempt If the outside user is attempting to attack the inside network the FWSM employs many technologies to determine if a packet is valid for an already established session A DMZ User Attempts to Access an Inside Host Figure 5 5 shows a user in the DMZ attempting to access the inside network Figure 5 5 DMZ to Inside The following steps describe how data ...

Page 113: ... NAT for hosts connected to the transparent firewall Bridge Groups If you do not want the overhead of security contexts or want to maximize your use of security contexts you can configure up to eight pairs of interfaces called bridge groups Each bridge group connects to a separate network Bridge group traffic is isolated from other bridge groups traffic is not routed to another bridge group within...

Page 114: ... 0100 5EFE FFFF IPv6 multicast MAC addresses from 3333 0000 0000 to 3333 FFFF FFFF BPDU multicast address equal to 0100 0CCC CCCD AppleTalk multicast MAC addresses from 0900 0700 0000 to 0900 07FF FFFF Passing Traffic Not Allowed in Routed Mode In routed mode some types of traffic cannot pass through the FWSM even if you allow it in an access list The transparent firewall however can pass most typ...

Page 115: ...transparent firewall between a CCM and an H 323 gateway and there is a router between the transparent firewall and the H 323 gateway then you need to add a static route on the FWSM for the H 323 gateway for successful call completion If you use NAT then the FWSM uses a route lookup instead of a MAC address lookup In some cases you will need static routes For example if the real destination address...

Page 116: ...work The FWSM does not support traffic on secondary networks only traffic on the same network as the management IP address is supported See the Assigning an IP Address to a Bridge Group section on page 6 6 for more information about management IP subnets Each bridge group uses an inside interface and an outside interface only Each directly connected network must be on the same subnet Do not specif...

Page 117: ...d Features in Transparent Mode Unsupported Feature Description DHCP relay The transparent firewall can act as a DHCP server but it does not support the DHCP relay commands DHCP relay is not required because you can allow DHCP traffic to pass through using an extended access list Dynamic routing protocols You can however add static routes for traffic originating on the FWSM You can also allow dynam...

Page 118: ...ccess Internet resources Another access list lets the outside users access only the web server on the inside network Figure 5 8 Typical Transparent Firewall Data Path This section describes how data moves through the FWSM and includes the following topics An Inside User Visits a Web Server page 5 13 An Inside User Visits a Web Server Using NAT page 5 14 An Outside User Visits a Web Server on the I...

Page 119: ...to the terms of the security policy access lists filters AAA For multiple context mode the FWSM first classifies the packet according to a unique interface 3 The FWSM records that a session is established 4 If the destination MAC address is in its table the FWSM forwards the packet out of the outside interface The destination MAC address is that of the upstream router 209 165 201 2 If the destinat...

Page 120: ...mapped address 209 165 201 10 Because the mapped address is not on the same network as the outside interface then be sure the upstream router has a static route to the mapped network that points to the FWSM 4 The FWSM then records that a session is established and forwards the packet from the outside interface 5 If the destination MAC address is in its table the FWSM forwards the packet out of the...

Page 121: ...ce MAC address to the MAC address table if required Because it is a new session it verifies that the packet is allowed according to the terms of the security policy access lists filters AAA For multiple context mode the FWSM first classifies the packet according to a unique interface 3 The FWSM records that a session is established 4 If the destination MAC address is in its table the FWSM forwards...

Page 122: ...lowing steps describe how data moves through the FWSM see Figure 5 12 1 A user on the outside network attempts to reach an inside host 2 The FWSM receives the packet and adds the source MAC address to the MAC address table if required Because it is a new session it verifies if the packet is allowed according to the terms of the security policy access lists filters AAA For multiple context mode the...

Page 123: ...your configuration before changing the mode you can use this backup for reference when creating your new configuration If you download a text configuration to the FWSM that changes the mode with the firewall transparent command be sure to put the command at the top of the configuration the FWSM changes the mode as soon as it reads the command and then continues reading the configuration you downlo...

Page 124: ...atalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL 20748 01 Chapter 5 Configuring the Firewall Mode Setting Transparent or Routed Firewall Mode ...

Page 125: ... DMZs can be in between You can assign interfaces to the same security level See the Allowing Communication Between Interfaces on the Same Security Level section on page 6 10 for more information The level controls the following behavior Inspection engines Some inspection engines are dependent on the security level For same security interfaces inspection engines apply to traffic in either directio...

Page 126: ...o matter what the state of the interface is in the system execution space However for traffic to pass through the interface the interface also has to be enabled in the system execution space If you shut down an interface in the system execution space then that interface is down in all contexts that share it See the Turning Off and Turning On Interfaces section on page 6 12 Configure the context in...

Page 127: ...ensitive You can change the name by reentering this command with a new value Do not enter the no form because that command causes all commands that refer to that name to be deleted Note After you set the name for an interface the security level is automatically changed to 0 However if the name is inside then the security level becomes 100 Step 3 To set the security level enter the following comman...

Page 128: ...t firewall connects the same network on its inside and outside interfaces Each pair of interfaces belongs to a bridge group to which you must assign a management IP address You can configure up to eight bridge groups of two interfaces each Each bridge group connects to a separate network Bridge group traffic is isolated from other bridge groups traffic is not routed to another bridge group within ...

Page 129: ...ines You can only configure context interfaces that you already assigned to the context in the system configuration using the allocate interface command All allocated interfaces are enabled by default no matter what the state of the interface is in the system execution space However for traffic to pass through the interface the interface also has to be enabled in the system execution space If you ...

Page 130: ...not enter the no form because that command causes all commands that refer to that name to be deleted If you name an interface inside and you do not set the security level explicitly then the FWSM sets the security level to 100 Step 4 To set the security level enter the following command hostname config if security level number Where number is an integer between 0 lowest and 100 highest By default ...

Page 131: ...f inside hostname config if security level 100 hostname config if bridge group 1 hostname config if interface vlan 301 hostname config if nameif outside hostname config if security level 0 hostname config if bridge group 1 hostname config if interface bvi 1 hostname config if ip address 10 1 3 1 255 255 255 0 standby 10 1 3 2 Adding a Management Interface In addition to each bridge group managemen...

Page 132: ...mation Step 5 To set this interface to be management only enter the following command hostname config if management only This command is required an interface without the management only command will be ignored The following example configures interfaces for one bridge group each for three contexts plus a shared management VLAN see Figure 6 1 Figure 6 1 Shared Management VLAN Context A hostname co...

Page 133: ...curity level 0 hostname config if management only hostname config if ip address 10 0 0 2 255 0 0 0 hostname config if interface vlan103 hostname config if nameif inside hostname config if security level 100 hostname config if bridge group 20 hostname config if interface vlan104 hostname config if nameif outside hostname config if security level 0 hostname config if bridge group 20 hostname config ...

Page 134: ...erfaces See the NAT and Same Security Level Interfaces section on page 16 14 for more information on NAT and same security level interfaces If you enable same security interface communication you can still configure interfaces at different security levels as usual To enable interfaces on the same security level to communicate with each other enter the following command hostname config same securit...

Page 135: ... config route map intra inter3 permit 0 Router config route map match ip address 103 Router config route map set interface Vlan20 Router config route map set set ip next hop 10 6 34 7 Router config route map intra inter2 permit 20 Router config route map match ip address 102 Router config route map set interface Vlan20 Router config route map set set ip next hop 10 6 34 7 Router config route map i...

Page 136: ...isable or reenable the interface within a context only that context interface is affected But if you disable or reenable the interface in the system execution space then you affect that VLAN interface for all contexts To disable an interface or reenable it perform the following steps Step 1 To enter the interface configuration mode enter the following command hostname config interface vlan number ...

Page 137: ...ge 7 1 Changing the Enable Password page 7 2 Changing the Maintenance Software Passwords page 7 2 Note In multiple context mode every context and the system execution space has its own login policies and passwords Changing the Login Password The login password is used for sessions from the switch as well as Telnet and SSH connections By default the login password is cisco To change the password en...

Page 138: ...mple you can install new software to an application partition reset passwords or show crash dump information from the maintenance software You can only access the maintenance software by sessioning in to the FWSM The maintenance software has two user levels with different access privileges root Lets you configure the network partition parameters upgrade the software images on the application parti...

Page 139: ...d f1rc8t passwd all authentication tokens updated successfully Setting the Hostname When you set a hostname for the FWSM that name appears in the command line prompt If you establish sessions to multiple devices the hostname helps you keep track of where you enter commands When using failover you can specify both a primary and secondary hostname Using both primary and secondary hostnames lets you ...

Page 140: ... as a suffix to unqualified names For example if you set the domain name to example com and specify a syslog server by the unqualified name of jupiter then the FWSM qualifies the name to jupiter example com The default domain name is default domain invalid For multiple context mode you can set the domain name for each context as well as within the system execution space To specify the domain name ...

Page 141: ...Banner You can configure a message to display when a user connects to the FWSM when a user logs in to the FWSM using Telnet or when a user enters user EXEC mode To configure a login banner enter the following command in the system execution space or within a context hostname config banner motd login exec text The motd keyword shows a banner when a user first connects The login keyword shows a bann...

Page 142: ...7 6 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL 20748 01 Chapter 7 Configuring Basic Settings Configuring a Login Banner ...

Page 143: ... routing table and XLATE tables for routing decisions To handle destination ip translated that is untranslated traffic FWSM searches for existing XLATE or static translation to select the egress interface The selection process is as follows Egress Interface Selection Process If destination ip translating XLATE already exists the egress interface for the packet is determined from the XLATE table bu...

Page 144: ...E times out It may be either forwarded to wrong interface or dropped with message 110001 no route to host if old route was removed from the old interface and attached to another one by routing process The same problem may happen when there is no route flaps on FWSM itself but some routing process is flapping around it sending source translated packets that belong to the same flow through FWSM usin...

Page 145: ...p network you need to specify a static route that identifies the network from which you expect management traffic The FWSM supports up to three equal cost routes to the same destination per interface for load balancing This section includes the following topics Configuring a Static Route page 8 3 Configuring a Default Route page 8 4 Monitoring a Static or Default Route page 8 5 For information abo...

Page 146: ...0 192 168 1 2 hostname config route outside 10 10 10 0 255 255 255 0 192 168 1 3 Configuring a Default Route A default route identifies the gateway IP address to which FWSM sends all IP packets for which it does not have a learned or static route A default route is simply a static route with 0 0 0 0 0 as the destination IP address Routes that identify a specific destination take precedence over th...

Page 147: ...le threshold number set by the failures keyword the router is determined to be unreachable The failures keyword is the maximum number of ICMP queries that are not replied to before the router is determined to be down the default value being five seconds At this point the backup route takes precedence provided this route was reachable and becomes the best route The original route then becomes the b...

Page 148: ... hostname config route map match ip route source acl_id acl_id If you specify more than one access list then the route can match any of the access lists To match the route type enter the following command hostname config route map match route type internal external type 1 type 2 Step 3 Enter one or more set commands If a route matches the match commands then the following set commands determine th...

Page 149: ...process In multiple context mode the FWSM can only advertise static routes and directly connected networks for the context that contains the interface the BGP peer is reachable through and for which there are configured network commands If the BGP neighbor is reachable through an interface that is shared across multiple contexts then all of the static routes and directly connected networks in the ...

Page 150: ...p 4 Optional Enter the password used to authenticate the BGP message to the neighbor This password must be set on both the neighbor and the FWSM before BGP messages can be exchanged hostname config router neighbor ip addr password mode password The ip addr argument is the IP address of the BGP neighbor defined with the neighbor command The mode argument can be from 0 to 7 If used the BGP neighbor ...

Page 151: ... Route Summarization Between OSPF Areas page 8 17 Configuring Route Summarization when Redistributing Routes into OSPF page 8 17 Generating a Default Route page 8 18 Configuring Route Calculation Timers page 8 18 Logging Neighbors Going Up or Down page 8 19 Displaying OSPF Update Packet Pacing page 8 19 Monitoring OSPF page 8 20 Restarting the OSPF Process page 8 21 OSPF Overview OSPF uses a link ...

Page 152: ...5 authentication Support for configuring FWSM as a designated router or a designated backup router FWSM also can be set up as an ABR however the ability to configure the FWSM as an ASBR is limited to default information only for example injecting a default route Support for stub areas and not so stubby areas Area boundary router type 3 LSA filtering Advertisement of static and global address trans...

Page 153: ...static connect metric metric value metric type type 1 type 2 tag tag_value subnets route map map_name The ospf process_id static and connect keywords specify from where you want to redistribute routes You can either use the options in this command to match and set route properties or you can use a route map The tag and subnets options do not have equivalents in the route map command If you use bot...

Page 154: ...uthentication enter the following command hostname config interface ospf authentication key key The key can be any continuous string of characters up to 8 bytes in length The password created by this command is used as a key that is inserted directly into the OSPF header when the FWSM software originates routing protocol packets A separate password can be assigned to each network on a per interfac...

Page 155: ... the estimated number of seconds required to send a link state update packet on an OSPF interface enter the following command hostname config interface ospf transmit delay seconds The seconds is from 1 to 65535 seconds The default is 1 second The following example shows how to configure the OSPF interfaces hostname config router ospf 2 hostname config router network 10 1 1 0 255 255 255 0 area 0 h...

Page 156: ...he number of LSAs sent into a stub area you can configure the no summary keyword of the area stub command on the ABR to prevent it from sending summary link advertisement LSA type 3 into the stub area To specify area parameters for your network perform the following steps Step 1 If you have not already done so enter the router configuration mode for the OSPF process you want to configure by enteri...

Page 157: ...With NSSA you can extend OSPF to cover the remote connection by defining the area between the corporate router and the remote router as an NSSA To specify area parameters for your network as needed to configure OSPF NSSA perform the following steps Step 1 If you have not already done so enter the router configuration mode for the OSPF process you want to configure by entering the following command...

Page 158: ... router configuration mode for the OSPF process Enter the following command hostname config router ospf pid b Define the OSPF neighbor by entering the following command hostname config router neighbor addr interface if_name The addr argument is the IP address of the OSPF neighbor The if_name is the interface used to communicate with the neighbor If the OSPF neighbor is not on the same network as a...

Page 159: ...o configure by entering the following command hostname config router ospf process_id Step 2 To set the address range enter the following command hostname config router area area id range ip address mask advertise not advertise The following example shows how to configure route summarization between OSPF areas hostname config router ospf 1 hostname config router area 17 range 12 1 0 0 255 255 0 0 C...

Page 160: ...er ospf process_id Step 2 To force the ASBR to generate a default route enter the following command hostname config router default information originate always metric metric value metric type 1 2 route map map name The following example shows how to generate a default route hostname config router ospf 2 hostname config router default information originate always Configuring Route Calculation Timer...

Page 161: ...not already done so enter the router configuration mode for the OSPF process you want to configure by entering the following command hostname config router ospf process_id Step 2 To configure logging for neighbors going up or down enter the following command hostname config router log adj changes detail Note Logging must be enabled for the neighbor up down messages to be sent The following example...

Page 162: ... routing table entries to the ABR and ASBR enter the following command hostname show ospf border routers To display lists of information related to the OSPF database for a specific router enter the following command hostname show ospf process id area id database To display a list of LSAs waiting to be flooded over an interface to observe OSPF packet pacing enter the following command hostname show...

Page 163: ...uting Additionally RIP cannot be enabled on a global basis FWSM uses a limited version of RIP it does not send out RIP updates that identify the networks that FWSM can reach However you can enable one or both of the following methods Passive RIP FWSM listens for RIP updates but does not send any updates about its networks out of the interface Passive RIP allows FWSM to learn about networks to whic...

Page 164: ... EIGRP Routing page 8 23 Enabling and Configuring EIGRP Stub Routing page 8 24 Enabling EIGRP Authentication page 8 25 Defining an EIGRP Neighbor page 8 26 Redistributing Routes Into EIGRP page 8 26 Configuring the EIGRP Hello Interval and Hold Time page 8 27 Disabling Automatic Route Summarization page 8 27 Configuring Summary Aggregate Addresses page 8 28 Disabling EIGRP Split Horizon page 8 28 ...

Page 165: ...le a route recomputation must occur During route recomputation DUAL queries the EIGRP neighbors for a route who in turn query their neighbors Routers that do no have a feasible successor for the route return an unreachable message During route recomputation DUAL marks the route as active By default the FWSM waits for three minutes to receive a response from its neighbors If the FWSM does not recei...

Page 166: ... access list that defines the routes you want to filter from received updates b Enter the following command to apply the filter You can specify an interface to apply the filter to only those updates received by that interface hostname config router distribute list acl in interface if_name You can enter multiple distribute list commands in your EIGRP router configuration Enabling and Configuring EI...

Page 167: ...bors on interfaces configured for EIGRP message authentication must be configured with the same authentication mode and key for adjacencies to be established Before you can enable EIGRP route authentication you must enable EIGRP To enable EIGRP authentication on an interface perform the following steps Step 1 Enter interface configuration mode for the interface on which you are configuring EIGRP m...

Page 168: ...c and connected routes into the EIGRP routing process You do not need to redistribute static or connected routes if they fall within the range of a network statement in the EIGRP configuration To redistribute routes into the EIGRP routing process perform the following steps Step 1 Optional Create a route map to further define which routes from the specified routing protocol are redistributed in to...

Page 169: ... time is 15 seconds three times the hello interval Both the hello interval and the advertised hold time are configured on a per interface basis We recommend setting the hold time to be at minimum three times the hello interval To configure the hello interval and advertised hold time perform the following steps Step 1 Enter interface configuration mode for the interface on which you are configuring...

Page 170: ...ing command hostname config if summary address eigrp as num address mask distance By default EIGRP summary addresses that you define have an administrative distance of 5 You can change this value by specifying the optional distance argument in the summary address command Disabling EIGRP Split Horizon Split horizon controls the sending of EIGRP update and query packets When split horizon is enabled...

Page 171: ...e delay for 2000 microseconds you would enter a value of 200 Step 3 Optional To view the delay value assigned to an interface use the show interface command Monitoring EIGRP You can use the following commands to monitor the EIGRP routing process For examples and descriptions of the command output see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Refe...

Page 172: ... failover pair are connected to different service providers and the outbound connection does not use a NAT address By default the FWSM drops the return traffic because there is no connection information for the traffic You can prevent the return traffic from being dropped using the asr group command on interfaces where this is likely to occur When an interface configured with the asr group command...

Page 173: ...ess per VLAN and have different MAC addresses for different VLANs to allow for the redirection of packets from a standby unit to an active unit in failover configurations Asymmetric Routing Support Example Figure 8 1 shows an example of using the asr group command for asymmetric routing support in an Active Active failover configuration Figure 8 1 ASR Example with Active Active Failover Context A ...

Page 174: ...routes static routes and NAT addresses the FWSM can inject routes into the routing table of the switch these routes specify the IP address of the FWSM interface as the next hop IP address for each of these FWSM networks For example when you configure NAT on the FWSM the MSFC and other external routers do not know that those NAT addresses are connected to the FWSM unless you configure static routes...

Page 175: ...ing RHI To configure RHI perform the following steps Step 1 Optional If you want to limit the routes that you inject for each type connected static and NAT you can limit the routes you want to inject to those that match one of the following objects route map See the Defining a Route Map section on page 8 5 Route maps are only available in single context mode access list standard See the Adding a S...

Page 176: ... match access list acl1 209 165 201 0 30 is injected with a nexthop of 209 165 200 225 the active IP address of the outside interface on VLAN 20 The 209 165 201 10 through 16 addresses are not injected hostname config interface vlan20 hostname config if nameif outside hostname config if ip address 209 165 200 225 255 255 255 224 standby 209 165 200 226 hostname config if exit hostname config acces...

Page 177: ... config route inject redistribute static route map map1 interface outside Configuring DHCP DHCP provides network configuration parameters such as IP addresses to DHCP clients The FWSM can provide a DHCP server or DHCP relay services to DHCP clients attached to FWSM interfaces The DHCP server provides network configuration parameters directly to DHCP clients DHCP relay passes DHCP requests received...

Page 178: ...n specify up to two DNS servers Step 3 Optional To specify the IP address es of the WINS server s the client will use enter the following command hostname config dhcpd wins wins1 wins2 You can specify up to two WINS servers Step 4 Optional To change the lease length to be granted to the client enter the following command hostname config dhcpd lease lease_length This lease equals the amount of time...

Page 179: ...a DHCP option do one of the following To configure a DHCP option that returns one or two IP addresses enter the following command hostname config dhcpd option code ip addr_1 addr_2 To configure a DHCP option that returns a text string enter the following command hostname config dhcpd option code ascii text To configure a DHCP option that returns a hexadecimal value enter the following command host...

Page 180: ...a list of TFTP servers DHCP option 66 gives the IP address or the hostname of a single TFTP server Cisco IP Phones might also include DHCP option 3 in their requests which sets the default route Cisco IP Phones might include both option 150 and 66 in a single request In this case the FWSM DHCP server provides values for both options in the response if they are configured on the FWSM You can config...

Page 181: ...hen the FWSM relays the request only to the interface specific servers Global DHCP servers When a request enters an interface that does not have interface specific servers configured then the FWSM relays the request to all global servers If the interface has interface specific servers then the global servers are not used The following restrictions apply to the use of the DHCP relay agent The relay...

Page 182: ...up to 10 servers including any interface specific servers Step 2 To enable DHCP relay on the interface connected to the clients enter the following command hostname config dhcprelay enable interface You can enable DHCP relay on multiple interfaces however you cannot configure DHCP relay on any interfaces that are connected to the DHCP servers For example you can configure DHCP relay on inside1 and...

Page 183: ...lt You can optionally preserve option 82 and forward the packet by identifying an interface as a trusted interface This feature makes sure that DHCP snooping and IP source guard features on the switch work along with the FWSM DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table You...

Page 184: ...uter Firewall Services Module Configuration Guide using ASDM OL 20748 01 Chapter 8 Configuring IP Routing and DHCP Services Configuring DHCP To view the global DHCP relay configuration enter the following command hostname show running config dhcprelay global ...

Page 185: ...MP proxy agent Instead of fully participating in multicast routing the FWSM forwards IGMP messages to an upstream multicast router which sets up delivery of the multicast data When configured for Stub Multicast Routing the FWSM cannot be configured for PIM The FWSM supports both PIM SM and bi directional PIM PIM SM is a multicast routing protocol that uses the underlying unicast routing informatio...

Page 186: ...res IP hosts use IGMP to report their group memberships to directly connected multicast routers IGMP uses group addresses Class D IP address as group identifiers Host group address can be in the range 224 0 0 0 to 239 255 255 255 The address 224 0 0 0 is never assigned to any group The address 224 0 0 1 is assigned to all systems on a subnet The address 224 0 0 2 is assigned to all routers on a su...

Page 187: ...ring Group Membership You can configure the FWSM to be a member of a multicast group Configuring the FWSM to join a multicast group causes upstream routers to maintain multicast routing table information for that group and keep the paths for that group active To have the FWSM join a multicast group enter the following command hostname config if igmp join group group address Configuring a Staticall...

Page 188: ...asis Membership reports exceeding the configured limits are not entered in the IGMP cache and traffic for the excess membership reports is not forwarded To limit the number of IGMP states on an interface enter the following command hostname config if igmp limit number Valid values range from 0 to 500 with 500 being the default value Setting this value to 0 prevents learned groups from being added ...

Page 189: ...the FWSM runs IGMP Version 2 which enables several additional features such as the igmp query timeout and igmp query interval commands All multicast routers on a subnet must support the same version of IGMP The FWSM does not automatically detect version 1 routers and switch to version 1 However a mix of IGMP Version 1 and 2 hosts on the subnet works the FWSM running IGMP Version 2 works correctly ...

Page 190: ...ou can specify the interface or the RPF neighbor but not at the same time To configure a static multicast route for a stub area enter the following command hostname config mroute src_ip src_mask input_if_name dense output_if_name distance Note The dense output_if_name keyword and argument pair is only supported for Stub Multicast Routing Configuring PIM Features Routers use PIM to maintain forward...

Page 191: ...he PIM PR enter the following command hostname config pim rp address ip_address acl bidir The ip_address argument is the unicast IP address of the router to be a PIM RP The acl argument is the name or number of an access list that defines which multicast groups the RP should be used with Excluding the bidir keyword causes the groups to operate in PIM sparse mode Note The FWSM always advertises the...

Page 192: ...value by entering the following command hostname config if pim hello interval seconds Valid values for the seconds argument range from 1 to 3600 seconds Every 60 seconds the FWSM sends PIM join prune messages To change this value enter the following command hostname config if pim join prune interval seconds Valid values for the seconds argument range from 10 to 600 seconds For More Information Abo...

Page 193: ...ng a Dual IP Stack on an Interface page 10 4 Configuring IPv6 Duplicate Address Detection page 10 4 Configuring IPv6 Default and Static Routes page 10 5 Configuring IPv6 Access Lists page 10 5 Configuring IPv6 Neighbor Discovery page 10 6 Configuring a Static IPv6 Neighbor page 10 10 Verifying the IPv6 Configuration page 10 10 For an example IPv6 configuration see the Example 4 IPv6 Configuration ...

Page 194: ...er you must enclose the IPv6 address in square brackets in the following situations You need to specify a port number with the address for example fe80 2e0 b6ff fe01 3b7a 8080 The command uses a colon as a separator such as the write net and config net commands For example configure net fe80 2e0 b6ff fe01 3b7a tftp config pixconfig The following commands were modified to work for IPv6 debug fragme...

Page 195: ... the link local address or generating one based on the interface MAC address Modified EUI 64 format Enter the following command to manually specify the link local address hostname config if ipv6 address ipv6 address link local Enter the following command to enable IPv6 on the interface and automatically generate the link local address using the Modified EUI 64 interface ID based on the interface M...

Page 196: ...e duplicate address is the link local address of the interface the processing of IPv6 packets is disabled on the interface and an error message is issued If the duplicate address is a global address of the interface the address is not used and an error message is issued However all configuration commands associated with the duplicate address remain as configured while the state of the address is s...

Page 197: ... configure the default route Configuring IPv6 Access Lists Configuring an IPv6 access list is similar configuring an IPv4 access but with IPv6 addresses To configure an IPv6 access list perform the following steps Step 1 Create an access entry To create an access list use the ipv6 access list command to create entries for the access list There are two main forms of this command to choose from one ...

Page 198: ...e B 13 for an example IPv6 access list Configuring IPv6 Neighbor Discovery The IPv6 neighbor discovery process uses ICMPv6 messages and solicited node multicast addresses to determine the link layer address of a neighbor on the same network local link verify the reachability of a neighbor and keep track of neighboring routers This section contains the following topics Configuring Neighbor Solicita...

Page 199: ...g the Neighbor Reachable Time page 10 7 Configuring the Neighbor Solicitation Message Interval To configure the interval between IPv6 neighbor solicitation retransmissions on an interface enter the following command hostname config if ipv6 nd ns interval value Valid values for the value argument range from 1000 to 3600000 milliseconds The default value is 1000 milliseconds This setting is also sen...

Page 200: ...unt of time between neighbor solicitation message retransmissions on a given link The amount of time a node considers a neighbor reachable Router advertisements are also sent in response to router solicitation messages ICMPv6 Type 133 Router solicitation messages are sent by hosts at system startup so that the host can immediately autoconfigure without needing to wait for the next scheduled router...

Page 201: ... or 500 to 1800000 milliseconds if the msec keyword is used The interval between transmissions should be less than or equal to the IPv6 router advertisement lifetime if FWSM is configured as a default router by using the ipv6 nd ra lifetime command To prevent synchronization with other IPv6 nodes randomly adjust the actual value used to within 20 percent of the desired value Configuring the Router...

Page 202: ...configure a static entry in the IPv6 neighbor discovery cache enter the following command hostname config if ipv6 neighbor ipv6_address if_name mac_address The ipv6_address argument is the link local IPv6 address of the neighbor the if_name argument is the interface through which the neighbor is available and the mac_address argument is the MAC address of the neighbor interface Note The clear ipv6...

Page 203: ...n on an interface you need to use the show ipv6 interface command The show ipv6 interface command does not display any IPv4 settings for the interface if both are configured on the interface Viewing IPv6 Routes To display the routes in the IPv6 routing table enter the following command hostname show ipv6 route The output from the show ipv6 route command is similar to the IPv4 show route command It...

Page 204: ...10 12 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL 20748 01 Chapter 10 Configuring IPv6 Verifying the IPv6 Configuration ...

Page 205: ...an access list allowing all outside users to access Telnet on a server on an inside interface If you want only some users to access the server and you might not always know IP addresses of these users you can enable AAA to allow only authenticated and or authorized users to make it through the FWSM The Telnet server enforces authentication too the FWSM prevents unauthorized users from attempting t...

Page 206: ...ion authentication alone would provide the same access to services for all authenticated users If you need the control that authorization provides you can configure a broad authentication rule and then have a detailed authorization configuration For example you authenticate inside users who attempt to access any server on the outside network and then limit the outside servers that a particular use...

Page 207: ... the support for each AAA service by each AAA server type including the local database For more information about support for a specific AAA server type see the topics following the table Table 11 1 Summary of AAA Support AAA Service Database Type Local RADIUS TACACS SDI NT Kerberos LDAP Authentication of VPN users1 1 VPN is available for management connections only Yes Yes Yes Yes Yes Yes No Fire...

Page 208: ... the following sets of RADIUS attributes Authentication attributes defined in RFC 2138 Accounting attributes defined in RFC 2139 RADIUS attributes for tunneled protocol support defined in RFC 2868 Cisco IOS VSAs identified by RADIUS vendor ID 9 Cisco VPN related VSAs identified by RADIUS vendor ID 3076 Microsoft VSAs defined in RFC 2548 RADIUS Authorization Functions The FWSM can use RADIUS server...

Page 209: ... Replica Servers section on page 11 5 for information about how the SDI agent selects servers to authenticate users Two step Authentication Process SDI Version 5 0 uses a two step process to prevent an intruder from capturing information from an RSA SecurID authentication request and using it to authenticate to another server The SDI agent first sends a lock request to the SecurID server before se...

Page 210: ...g to the FWSM LDAP Server Support The FWSM can use LDAP servers for authorization of VPN based management connections When user authentication for VPN access has succeeded and the applicable tunnel group record specifies an LDAP authorization server group the FWSM queries the LDAP server and applies to the VPN session the authorizations it receives Local Database Support The FWSM maintains a local...

Page 211: ...u are configuring attributes of a tunnel group When VPN client of an administrator specifies a tunnel group configured to fallback to the local database the VPN tunnel can be established even if the AAA server group is unavailable provided that the local database is configured with the necessary attributes Configuring the Local Database This section describes how to manage users in the local datab...

Page 212: ...word DLaUiAX3l78qgoB5c7iVNw nt encrypted Step 2 To configure a local user account with VPN attributes perform the following steps a Enter the following command hostname config username username attributes When you enter the username attributes command you enter username mode The commands available in this mode are as follows group lock password storage vpn access hours vpn filter vpn framed ip add...

Page 213: ...authenticate CLI access you need to create at least two server groups one for RADIUS servers and one for TACACS servers You can have up to 15 AAA server groups in single mode or 4 AAA server groups per context in multiple mode Each group can have up to 16 servers in single mode or 4 servers in multiple mode When you enter a aaa server command you enter group mode b If you want to specify the maxim...

Page 214: ... the server including the AAA server group it belongs to by entering the following command hostname config aaa server server_tag interface_name host server_ip key timeout seconds When you enter a aaa server host command you enter aaa server host configuration mode b As needed use host mode commands to further configure the AAA server The commands in host mode do not apply to all AAA server types T...

Page 215: ...ame config aaa server AuthInbound inside host 10 1 1 2 hostname config aaa server host key TACPlusUauthKey2 hostname config aaa server host exit hostname config aaa server AuthOutbound protocol radius hostname config aaa server group exit hostname config aaa server AuthOutbound inside host 10 1 1 3 hostname config aaa server host key RadUauthKey hostname config aaa server host exit hostname config...

Page 216: ...uration Guide using ASDM OL 20748 01 Chapter 11 Configuring AAA Servers and the Local Database Identifying AAA Server Groups and Servers hostname config aaa server group exit hostname config aaa server NTAuth inside host 10 1 1 4 hostname config aaa server host nt auth domain controller primary1 ...

Page 217: ...Key Cryptography page 12 1 Certificate Scalability page 12 2 About Key Pairs page 12 2 About Trustpoints page 12 3 About Revocation Checking page 12 3 About Public Key Cryptography Digital signatures enabled by public key cryptography provide a means to authenticate devices and users In public key cryptography such as the RSA encryption system each user has a key pair containing both a public and ...

Page 218: ...cause each certificate encapsulates the public key for the associated peer each certificate is authenticated by the CA and all participating peers recognize the CA as an authenticating authority This is called IKE with an RSA signature The peer can continue sending its certificate for multiple IPSec sessions and to multiple IPSec peers until the certificate expires When its certificate expires the...

Page 219: ...ime period expires for example because of security concerns or a change of name or association CAs periodically issue a signed list of revoked certificates Enabling revocation checking forces the FWSM to check that the CA has not revoked a certificate every time it uses that certificate for authentication When you enable revocation checking during the PKI certificate validation process the FWSM ch...

Page 220: ...e for the certificate If the time is outside that range enrollment fails For information about setting the clock see the hostname config domain name example com section on page 7 4 Generating Key Pairs Key pairs are RSA keys as discussed in the About Key Pairs section on page 12 2 You must generate key pairs for the types of certification that you want to use To generate key pairs perform the foll...

Page 221: ...ou have generated To do so save the running configuration by entering the following command hostname config write memory Removing Key Pairs To remove key pairs enter the following command hostname config crypto key zeroize rsa The following is sample output from the crypto key zeroize rsa command WARNING All RSA keys will be removed WARNING All device certs issued using these keys will also be rem...

Page 222: ... any Step 2 To verify that the AAA server has been configured enter the following command hostname config show run aaa server The following is sample output from the show run aaa server command that displays the configured AAA server aaa server new protocol tacacs aaa server new outside host 10 77 152 80 key cisco Step 3 To verify that the AAA settings have been configured enter the following comm...

Page 223: ...to manually export PKCS12 data for a trustpoint called newton using cisco123 as the passphrase enter the following command hostname config crypto ca export newton pkcs12 cisco123 Exported pkcs12 follows PKCS12 data omitted End This line not part of the pkcs12 Importing a Keypair and Certificate To import keypairs and issued certificates associated with a trustpoint configuration in PKCS12 format p...

Page 224: ...8cdcc6b3b4a Certificate Usage General Purpose Public Key Type RSA 2048 bits Issuer Name cn VeriSign Class 3 Public Primary Certification Authority G5 ou c 2006 VeriSign Inc For authorized use only ou VeriSign Trust Network o VeriSign Inc c US Subject Name cn VeriSign Class 3 Public Primary Certification Authority G5 ou c 2006 VeriSign Inc For authorized use only ou VeriSign Trust Network o VeriSig...

Page 225: ...n Points 1 http EVSecure crl verisign com pca3 g5 crl Validity Date start date 23 00 00 IST Nov 7 2006 end date 22 59 59 IST Nov 7 2016 Associated Trustpoints newton Linking Certificates to a Trustpoint After you have imported the third party certificate you must link it to the trustpoint which allows you to communicate with multiple clients To display the name of the trustpoint which has the same...

Page 226: ...t JCPIX249 Login Accepted auth prompt reject JCPIX249 Login Rejected The access list series of commands defines which protocols are allowed through the FWSM Only those shown in the example and SSH are supported for cut through proxy authentication The timeout uauth command allows the FWSM to re request authorization for all those protocols in five minutes The aaa authentication command is cut thro...

Page 227: ...age 13 11 Simplifying Access Lists with Object Grouping page 13 11 Adding Remarks to Access Lists page 13 18 Access List Group Optimization page 13 18 Scheduling Extended Access List Activation page 13 24 Logging Access List Activity page 13 25 For information about IPv6 access lists see the Configuring IPv6 Access Lists section on page 10 5 Access List Overview Access lists are made up of one or ...

Page 228: ...by an extended access list Note To access the FWSM interface for management access you do not also need an access list allowing the host IP address You only need to configure management access according to Chapter 23 Configuring Management Access Identify traffic for AAA rules Extended AAA rules use access lists to identify traffic Control network access for IP traffic for a given user Extended do...

Page 229: ...uideline applies for both inbound and outbound access groups the direction does not determine the address used only the interface does For example you want to apply an access list to the inbound direction of the inside interface You configure the FWSM to perform NAT on the inside source addresses when they access outside addresses Because the access list is applied to the inside interface the sour...

Page 230: ...he translated address of the inside host in the access list because that address is the address that can be used on the outside network see Figure 13 2 Figure 13 2 IP Addresses in Access Lists NAT used for Destination Addresses See the following commands for this example hostname config access list OUTSIDE extended permit ip host 209 165 200 225 host 209 165 201 5 hostname config access group OUTS...

Page 231: ...a short period of time after you last entered an access list command and then commits the access list If you enter an ACE after the commitment starts the FWSM aborts the commitment and recommits the access list after a short waiting period The FWSM displays a message similar to the following after it commits the access list Access Rules Download Complete Memory Utilization 1 Large access lists of ...

Page 232: ...e if you paste 1000 ACEs at the prompt and the last ACE exceeds the memory limitations all 1000 ACEs are rejected Adding an Extended Access List This section describes how to add an extended access list and includes the following topics Extended Access List Overview page 13 6 Allowing Broadcast and Multicast Traffic through the Transparent Firewall page 13 7 Adding an Extended ACE page 13 7 Extend...

Page 233: ...not allow dynamic routing for example Note Because these special types of traffic are connectionless you need to apply an extended access list to both interfaces so returning traffic is allowed through Table 13 2 lists common traffic types that you can allow through the transparent firewall Adding an Extended ACE When you enter the access list command for a given access list name the ACE is added ...

Page 234: ...MP Type Object Group section on page 13 14 The ICMP inspection engine treats ICMP sessions as stateful connections To control ping specify echo reply 0 FWSM to host or echo 8 host to FWSM See the Adding an ICMP Type Object Group section on page 13 14 for a list of ICMP types When you specify a network mask the method is different from the Cisco IOS software access list command The FWSM uses a netw...

Page 235: ...re not handled by the access list because they use a length field as opposed to a type field BPDUs which are handled by the access list are the only exception they are SNAP encapsulated and the FWSM is designed to specifically handle BPDUs The FWSM receives trunk port Cisco proprietary BPDUs because FWSM ports are trunk ports Trunk BPDUs have VLAN information inside the payload so the FWSM modifie...

Page 236: ...ist_name ethertype permit deny ipx bpdu mpls unicast mpls multicast any hex_number The hex_number is any EtherType that can be identified by a 16 bit hexadecimal number greater than or equal to 0x600 See RFC 1700 Assigned Numbers at http www ietf org rfc rfc1700 txt for a list of EtherTypes When you enter the access list command for a given access list name the ACE is added to the end of the acces...

Page 237: ... another access list command specifying the same access list name To add an ACE enter the following command hostname config access list access_list_name standard deny permit any ip_address mask The following sample access list identifies routes to 192 168 1 0 24 hostname config access list OSPF standard permit 192 168 1 0 255 255 255 0 Simplifying Access Lists with Object Grouping This section des...

Page 238: ...0 destinations and a port object group with 5 ports Permitting the ports from sources to destinations could result in 50 000 ACEs 5 x 100 x 100 in the expanded access list Adding Object Groups This section describes how to add object groups and includes the following topics Adding a Protocol Object Group page 13 12 Adding a Network Object Group page 13 13 Adding a Service Object Group page 13 14 A...

Page 239: ...cts the commands you already set remain in place unless you remove them with the no form of the command Note A network object group supports IPv4 and IPv6 addresses depending on the type of access list For more information about IPv6 access lists see Configuring IPv6 Access Lists section on page 10 5 To add a network group perform the following steps Step 1 To add a network group enter the followi...

Page 240: ...fig service description text The description can be up to 200 characters Step 3 To define the ports in the group enter the following command for each port or range of ports hostname config service port object eq port range begin_port end_port For a list of permitted keywords and well known port assignments see the Protocols and Applications section on page E 11 For example to create service groups...

Page 241: ...ype ping hostname config service description Ping Group hostname config icmp type icmp object echo hostname config icmp type icmp object echo reply Nesting Object Groups To nest an object group within another object group of the same type first create the group that you want to nest according to the Adding Object Groups section on page 13 12 Then perform the following steps Step 1 To add or edit a...

Page 242: ...cess_list_name line line_number extended deny permit tcp udp object group nw_grp_id object group svc_grp_id object group nw_grp_id object group svc_grp_id You do not have to use object groups for all parameters for example you can use an object group for the source address but identify the destination address with an address and mask The following normal access list that does not use object groups...

Page 243: ...tname config access group ACL_IN in interface inside Displaying Object Groups To display a list of the currently configured object groups enter the following command hostname config show object group protocol network service icmp type id grp_id If you enter the command without any parameters the system displays all configured object groups The following is sample output from the show object group ...

Page 244: ...t OUT remark this is the inside admin address hostname config access list OUT extended permit ip host 209 168 200 3 any hostname config access list OUT remark this is the hr admin address hostname config access list OUT extended permit ip host 209 168 200 4 any Access List Group Optimization The access list optimization feature reduces the number of ACEs per group by merging and or deleting redund...

Page 245: ...th rule y and rule z and rule y has an opposite permission action rule x cannot be merged with rule z even though both rules have the same permission action Before optimization access list test extended permit tcp any any range 50 100 rule x access list test extended deny tcp any any range 80 130 rule y access list test extended permit tcp any any range 60 120 rule z After optimization access list...

Page 246: ...Optimization To configure access list group optimization perform the following steps Step 1 To enable access list group optimization use the following command hostname config access list optimization enable To disable access list group optimization use the no form of the command Step 2 To show the optimized access list information use the following command hostname config show access list id optim...

Page 247: ...zed access lists Whenever a new rule is added deleted the optimization process is repeated and the message Access Lists Optimization Complete defines the end of the optimization process During that processing time some of the access lists information may not be accurate until the optimization process is complete Show the non optimized original access list again hostname config show access list tes...

Page 248: ...ss list test line 4 3 extended permit tcp any host 10 10 10 7 eq domain hitcnt 0 0x00000000 Merged to 4 2 ADJACENT access list test line 4 4 extended permit tcp any 10 10 10 8 255 255 255 254 eq domain hitcnt 0 0xa4246eba 4 5 access list test line 4 5 extended permit tcp any host 10 10 10 9 eq domain hitcnt 0 0x00000000 Merged to 4 4 ADJACENT access list test line 5 extended permit udp any any hit...

Page 249: ... running config Destination filename running config hostname config Access Lists Optimization Complete Access Rules Download Complete Memory Utilization 1 Note Having access list optimization enabled at all time could be a waste of computational and memory resources If you are satisfied with how the optimized access lists are merged the original access lists can be replaced with the optimized ones...

Page 250: ... After the command is picked up the security appliance finishes any currently running task and then services the command to deactivate the ACL Multiple periodic entries are allowed per time range command If a time range command has both absolute and periodic values specified then the periodic commands are evaluated only after the absolute start time is reached and are not further evaluated after t...

Page 251: ... named Sales to a time range named New_York_Minute hostname config access list Sales line 1 extended deny tcp host 209 165 200 225 host 209 165 201 1 time range New_York_Minute Logging Access List Activity This section describes how to configure access list logging for extended access lists and Webtype access lists This section includes the following topics Access List Logging Overview page 13 25 ...

Page 252: ...e hit count to 0 If no packets match the ACE during an interval the FWSM deletes the flow entry Note An ACL only denies SYN packets so if another type of packet comes in that packet will not show up in the access list hit counters TCP packet types other than SYN packets including RST SYN ACK ACK PSH and FIN are dropped by the FWSM before they can be dropped by an access list Only SYN packets can c...

Page 253: ... hit cnt 1 first hit Although 20 additional packets for this connection arrive on the outside interface the traffic does not have to be checked against the access list and the hit count does not increase If one more connection by the same host is initiated within the specified 10 minute interval and the source and destination ports remain the same then the hit count is incremented by 1 and the fol...

Page 254: ...sage 106100 XXX 1 106101 The number of ACL log deny flows has reached limit number To configure the maximum number of deny flows and to set the interval between deny flow alert messages 106101 enter the following commands To set the maximum number of deny flows permitted per context before the FWSM stops logging enter the following command hostname config access list deny flow max number The numbe...

Page 255: ...red to determine if specific failover conditions are met If those conditions are met failover occurs FWSM supports two failover configurations Active Active failover and Active Standby failover Each failover configuration has its own method for determining and performing failover With Active Active failover both units can pass network traffic This lets you configure load balancing on your network ...

Page 256: ...icense Requirements Both units must have the same license In the occurrence of a license mismatch a failover pair enters pseudo standby mode a condition in which failover is disabled FWSMs in an active active configuration return to the active standby state and do not pass any traffic Failover and State Links This section describes the failover and the state links which are dedicated connections b...

Page 257: ... link The state traffic can be large and performance is improved with separate links The state link interface is not configured as a normal networking interface it exists only for Stateful Failover communications and optionally for the failover communication if you share the state and failover links In multiple context mode the state link resides in the system context This interface and the failov...

Page 258: ...ilover communications between FWSMs we recommend that you configure a trunk port between the two switches that carries the failover and state VLANs The trunk ensures that failover communication between the two units is subject to minimal failure risk For other VLANs you must ensure that both switches have access to all firewall VLANs and that monitored VLANs can successfully pass hello packets bet...

Page 259: ...onfiguration Guide using ASDM OL 20748 01 Chapter 14 Configuring Failover Understanding Failover Figure 14 2 Normal Operation Active FWSM VLAN 200 VLAN 100 VLAN 201 Mktg Inside Eng Standby FWSM Trunk VLANs 10 11 Internet VLAN 202 VLAN 11 VLAN 10 Failover Links VLAN 203 Switch Switch 132920 ...

Page 260: ...guring Failover Understanding Failover If the primary FWSM fails then the secondary FWSM becomes active and successfully passes the firewall VLANs Figure 14 3 Figure 14 3 FWSM Failure Failed FWSM VLAN 200 VLAN 100 VLAN 201 Mktg Inside Eng Active FWSM Trunk VLANs 10 11 Internet VLAN 202 VLAN 203 VLAN 11 VLAN 10 Failover Links Switch Switch 132921 ...

Page 261: ...must configure the FWSM to allow BPDUs See the Switch Hardware and Software Compatibility section on page A 1 for switch software versions that allow BPDUs automatically To allow BPDUs through the FWSM configure an EtherType ACL and apply it to both interfaces according to the Adding an EtherType Access List section on page 13 9 Loops can occur if both modules are active at the same time such as w...

Page 262: ...r This section describes each failover configuration in detail This section includes the following topics Active Standby Failover page 14 8 Active Active Failover page 14 12 Determining Which Type of Failover to Use page 14 17 Active Standby Failover This section describes Active Standby failover and includes the following topics Active Standby Failover Overview page 14 9 Primary Secondary Status ...

Page 263: ... By default the MAC address used for the active FWSM comes from the Burned in MAC address of the primary FWSM Under certain circumstances MAC addresses used for the active FWSMs are changed such as in the following cases Case 1 The primary FWSM in a failover pair is replaced with a new FWSM Case 2 The secondary FWSM boots and becomes active because it did not detect the primary FWSM In Case 1 abov...

Page 264: ...figuration except for the failover commands used to communicate with the active unit and the active unit sends its entire configuration to the standby unit In multiple context mode when you enter the write standby command in the system execution space all contexts are replicated If you enter the write standby command within a context the command replicates only the context configuration On the sta...

Page 265: ...on commands except for the mode and failover lan unit commands copy running config startup config delete mkdir rename rmdir write memory The following commands are not replicated to the standby unit all forms of the copy command except for copy running config startup config all forms of the write command except for write memory asdm disconnect debug failover lan unit failover suspend config sync m...

Page 266: ...n a Become active Mark active as failed No hello messages are received on any monitored interface or the failover link Formerly active unit recovers No failover Become standby No action None Standby unit failed power or hardware No failover Mark standby as failed n a When the standby unit is marked as failed then the active unit will not attempt to fail over even if the interface failure threshold...

Page 267: ...hat is now in the standby state take over the standby MAC address and IP addresses Note A failover group failing on a unit does not mean that the unit has failed The unit may still have another failover group passing traffic on it When creating the failover groups you should create them on the unit that will have failover group 1 in the active state Primary Secondary Status and Active Standby Stat...

Page 268: ...boot at the same time the primary unit becomes the active unit The secondary unit obtains the running configuration from the primary unit Once the configuration has been synchronized each failover group becomes active on its preferred unit Note If you previously changed the number or size of memory partitions on the primary unit see the Managing Memory for Rules section on page 4 11 then after the...

Page 269: ...ritten to the peer unit This includes configuration information for security contexts that are in the standby state You must enter the command in the system execution space on the unit that has failover group 1 in the active state If you enter the write standby command in a security context only the configuration for the security context is written to the peer unit You must enter the command in th...

Page 270: ...ndary unit Note When configuring Active Active failover make sure that the combined traffic for both units is within the capacity of each unit Table 14 2 shows the failover action for each failure event For each failure event the policy whether or not failover occurs actions for the active failover group and actions for the standby failover group are given Table 14 2 Failover Behavior for Active A...

Page 271: ... features supported by each type of failover configuration Regular and Stateful Failover FWSM supports two types of failover regular and stateful This section includes the following topics Regular Failover page 14 18 Stateful Failover page 14 18 State link failed No failover No action No action State information will become out of date and sessions will be terminated if a failover occurs Failover ...

Page 272: ...ng The HTTP connection table unless HTTP replication is enabled The routing tables Multicast traffic information Note If failover occurs during an active Cisco IP SoftPhone session the call will remain active because the call session state information is replicated to the standby unit When the call is terminated the IP SoftPhone client will lose connection with the CallManager This occurs because ...

Page 273: ...link is marked as failed You should restore the failover link as soon as possible because the unit cannot fail over to the standby while the failover link is down Note If a failed unit does not recover and you believe it should not be failed you can reset the state by entering the failover reset command If the failover condition persists however the unit will fail again Interface Monitoring You ca...

Page 274: ... does not recover and you believe it should not be failed you can reset the state by entering the failover reset command If the failover condition persists however the unit will fail again Rapid Link Failure Detection Detecting and responding to a failover condition can take up to 45 seconds However if you are using Catalyst operating system software Release 8 4 1 and higher or Cisco IOS software ...

Page 275: ...context mode and be in the same firewall mode as the primary unit If the primary unit is in multiple context mode the secondary unit must also be in multiple context mode You do not need to configure the firewall mode of the security contexts on the secondary unit because the failover and state links reside in the system context The secondary unit obtains the security context configuration from th...

Page 276: ... interface to be used as the failover interface hostname config failover lan interface if_name vlan vlan The if_name argument assigns a name to the interface specified by the vlan argument b Assign the active and standby IP address to the failover link hostname config failover interface ip if_name ip_addr mask standby ip_addr The standby IP address must be in the same subnet as the active IP addre...

Page 277: ...he configuration hostname config write memory Note In multiple context mode enter write memory all in the system execution space to save all context configurations Configuring the Secondary Unit The only configuration required on the secondary unit is for the failover interface The secondary unit requires these commands to initially communicate with the primary unit After the primary unit sends it...

Page 278: ...over Settings You can configure the following optional Active Standby failover setting when you are initially configuring failover or after failover has already been configured Unless otherwise noted the commands should be entered on the active unit This section includes the following topics Configuring Failover Preemption page 14 24 Enabling HTTP Replication with Stateful Failover page 14 25 Conf...

Page 279: ...command in global configuration mode hostname config failover polltime seconds To change the unit hold time enter the following command in global configuration mode hostname config failover holdtime seconds The defaults are as follows The interface poll time is 15 seconds The unit poll time is 1 second The holdtime time is 3 times the poll time with a minimum value of 3 seconds if you specify a po...

Page 280: ...t configuration from the primary unit Note The mode command does not get replicated to the secondary unit Configuring Active Active Failover This section describes how to configure Active Active failover You must configure the secondary unit to recognize the failover link before the secondary unit can obtain the running configuration from the primary unit This section includes the following topics...

Page 281: ...e active IP address always stays with the primary unit while the standby IP address stays with the secondary unit Step 3 Optional To enable Stateful Failover configure the state link The state link must be configured on an unused interface a Specify the interface to be used as the state link hostname config failover link if_name vlan vlan The if_name argument assigns a logical name to the interfac...

Page 282: ...o a failover group hostname config context context_name hostname config context join failover group 1 2 Step 6 Enable failover hostname config failover Step 7 To enable monitoring on an interface change to the context and enter the following command hostname config changeto context context_name hostname config monitor interface interface_name The maximum number of interfaces to monitor on the FWSM...

Page 283: ...to save the configuration to Flash memory hostname config write memory Step 6 If necessary force any failover group that is active on the primary to the active state on the secondary unit To force a failover group to become active on the secondary unit enter the following command in the system execution space on the primary unit hostname no failover active group group_id The group_id argument spec...

Page 284: ...on for both failover groups you must enter the following command in each group This command should be entered in the system execution space hostname config failover group 1 2 hostname config fover group replication http Configuring Interface and Unit Poll Times You can configure the amount of time between hello messages when monitoring the health of the interfaces in a failover group Decreasing th...

Page 285: ...aracters can be any combination of numbers letters or punctuation The hex key argument specifies a hexadecimal encryption key The key must be 32 hexadecimal characters 0 9 a f Note To prevent the failover key from being replicated to the peer unit in clear text for an existing failover configuration disable failover on the active unit or in the system execution space on the unit that has failover ...

Page 286: ...tateful Failover Logical Update Statistics Link fover Vlan100 up Stateful Obj xmit xerr rcv rerr General 1950 0 1733 0 sys cmd 1733 0 1733 0 up time 0 0 0 0 RPC services 0 0 0 0 TCP conn 6 0 0 0 UDP conn 0 0 0 0 ARP tbl 106 0 0 0 Xlate_Timeout 0 0 0 0 VPN IKE upd 15 0 0 0 VPN IPSEC upd 90 0 0 0 VPN CTCP upd 0 0 0 0 VPN SDI upd 0 0 0 0 VPN DHCP upd 0 0 0 0 Logical Update Queue Information Cur Max T...

Page 287: ...o message on the failover link before declaring the peer failed Interface Poll frequency n seconds The number of seconds you set with the failover polltime interface command The default is 15 seconds Interface Policy Displays the number or percentage of interfaces that must fail to trigger failover Monitored Interfaces Displays the number of interfaces monitored out of the maximum possible failove...

Page 288: ...he interface is either administratively shutdown or is physically down failed The interface has failed and is not passing stateful data Stateful Obj For each field type the following statistics are shown They are counters for the number of state information packets sent between the two units the fields do not necessarily show active connections through the unit xmit Number of transmitted packets t...

Page 289: ...side 10 132 8 5 Normal admin Interface third 10 132 9 5 Normal admin Interface inside 10 130 8 5 Normal admin Interface fourth 10 130 9 5 Normal ctx1 Interface outside 10 1 1 1 Normal ctx1 Interface inside 10 2 2 1 Normal ctx2 Interface outside 10 3 3 2 Normal ctx2 Interface inside 10 4 4 2 Normal Other host Secondary Group 1 State Standby Ready Active time 190 sec VPN IPSEC upd IPSec connection i...

Page 290: ...l 124 0 65 0 Xlate_Timeout 0 0 0 0 VPN IKE upd 15 0 0 0 VPN IPSEC upd 90 0 0 0 VPN CTCP upd 0 0 0 0 VPN SDI upd 0 0 0 0 VPN DHCP upd 0 0 0 0 Logical Update Queue Information Cur Max Total Recv Q 0 1 1895 Xmit Q 0 0 1940 The following is sample output from the show failover group command for Active Active failover The information displayed is similar to that of the show failover command but limited...

Page 291: ...triggering failover Monitored Interfaces Displays the number of interfaces monitored out of the maximum possible Group 1 Last Failover at Group 2 Last Failover at The date and time of the last failover for each group in the following form hh mm ss UTC DayName Month Day yyyy UTC Coordinated Universal Time is equivalent to GMT Greenwich Mean Time This host Other host For each host the display shows ...

Page 292: ... Number of errors that occurred while transmitting packets to the other unit rcv Number of received packets rerr Number of errors that occurred while receiving packets from the other unit General Sum of all stateful objects sys cmd Logical update system commands for example LOGIN and Stay Alive up time Up time which the active unit passes to the standby unit RPC services Remote Procedure Call conn...

Page 293: ...ple context mode enter this command in the system execution space Entering show running config all failover displays the failover commands in the running configuration and includes commands for which you have not changed the default value Testing the Failover Functionality To test failover functionality perform the following steps Step 1 Test that your active unit or failover group is passing traf...

Page 294: ...g failover active group group_id Controlling and Monitoring Failover This section describes how to control and monitor failover This section includes the following topics Forcing Failover page 14 40 Disabling Failover page 14 41 Disabling Configuration Synchronization page 14 41 Restoring a Failed Unit or Failover Group page 14 41 Monitoring Failover page 14 42 Forcing Failover To force the standb...

Page 295: ...s being applied to the standby FWSM You can disable the automatic configuration synchronization to avoid incomplete configurations being applied to the standby FWSM You need to disable configuration synchronization when upgrading a software image or changing the configuration on the active FWSM to verify that the configuration files are complete before the configuration is synchronized with the st...

Page 296: ...switchover failover will logically shut down and then bring up interfaces generating system log messages 411001 and 411002 This is normal activity Debug Messages To see debug messages enter the debug fover command See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information Note Because debugging output is assigned high priority i...

Page 297: ...P A R T 2 Configuring the Security Policy ...

Page 298: ......

Page 299: ...plying an Access List to an Interface page 15 4 Inbound and Outbound Access List Overview Traffic flowing across an interface in the FWSM can be controlled in two ways Traffic that enters the FWSM can be controlled by attaching an inbound access list to the source interface Traffic that exits the FWSM can be controlled by attaching an outbound access list to the destination interface To allow any ...

Page 300: ...llows all traffic on each inside interface see Figure 15 1 Figure 15 1 Inbound Access Lists See the following commands for this example hostname config access list INSIDE extended permit ip any any hostname config access group INSIDE in interface inside hostname config access list HR extended permit ip any any hostname config access group HR in interface hr hostname config access list ENG extended...

Page 301: ...t ip any any hostname config access group INSIDE in interface inside hostname config access list HR extended permit ip any any hostname config access group HR in interface hr hostname config access list ENG extended permit ip any any hostname config access group ENG in interface eng hostname config access list OUTSIDE extended permit tcp host 209 165 201 4 host 209 165 200 225 eq www hostname conf...

Page 302: ...web server with the IP address 209 165 201 12 this IP address is the address visible on the outside interface after NAT hostname config access list ACL_OUT extended permit tcp any host 209 165 201 12 eq www hostname config access group ACL_OUT in interface outside You also need to configure NAT for the web server The following access lists allow all hosts to communicate between the inside and hr n...

Page 303: ... Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL 20748 01 Chapter 15 Permitting or Denying Network Access Applying an Access List to an Interface hostname config access group ETHER in interface outside ...

Page 304: ...alyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL 20748 01 Chapter 15 Permitting or Denying Network Access Applying an Access List to an Interface ...

Page 305: ... page 16 29 Using Static PAT page 16 31 Bypassing NAT page 16 33 NAT Examples page 16 37 NAT Overview This section describes how NAT works on the FWSM and it includes the following topics Introduction to NAT page 16 2 NAT in Routed Mode page 16 2 NAT in Transparent Mode page 16 3 NAT Control page 16 5 NAT Types page 16 6 Policy NAT page 16 10 NAT and PAT Global Pool Usage page 16 14 NAT and Same S...

Page 306: ...referred to as NAT When discussing NAT the terms inside and outside are relative and represent the security relationship between any two interfaces The higher security level is inside and the lower security level is outside for example interface 1 is at 60 and interface 2 is at 50 so interface 1 is inside and interface 2 is outside Some of the benefits of NAT are as follows You can use private add...

Page 307: ...apped addresses that points to the downstream router through the FWSM If the real destination address is not directly connected to the FWSM then you also need to add a static route on the FWSM for the real destination address that points to the downstream router Without NAT traffic from the upstream router to the downstream router does not need any routes on the FWSM because it uses the MAC addres...

Page 308: ...WSM then undoes the translation of the mapped address 209 165 201 10 back to the real address 10 1 1 1 27 Because the real address is directly connected the FWSM sends it directly to the host For host 192 168 1 2 the same process occurs except that the FWSM looks up the route in its route table and sends the packet to the downstream router at 10 1 1 3 based on the static route Figure 16 2 NAT Exam...

Page 309: ...de interface must match a NAT rule See Figure 16 4 Figure 16 4 NAT Control and Same Security Traffic Similarly if you enable outside dynamic NAT or PAT with NAT control then all outside traffic must match a NAT rule when it accesses an inside interface See Figure 16 5 Figure 16 5 NAT Control and Inbound Traffic Static NAT with NAT control does not cause these restrictions By default NAT control is...

Page 310: ...rol but do not want to perform NAT This section includes the following topics Dynamic NAT page 16 6 PAT page 16 8 Static NAT page 16 8 Static PAT page 16 9 Bypassing NAT when NAT Control is Enabled page 16 10 Dynamic NAT Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network The mapped pool can include fewer addresses than the re...

Page 311: ...he packet Figure 16 7 Remote Host Attempts to Initiate a Connection to a Mapped Address Note For the duration of the translation a remote host can initiate a connection to the translated host if an access list allows it Because the address is unpredictable a connection to the host is unlikely However in this case you can rely on the security of the access list Web Server www example com Outside In...

Page 312: ...not configurable Users on the destination network cannot reliably initiate a connection to a host that uses PAT even if the connection is allowed by an access list Not only can you not predict the real or mapped port number of the host but the FWSM does not create a translation at all unless the translated host is the initiator See the following Static NAT or Static PAT sections for reliable acces...

Page 313: ...ements for each server that uses the same mapped IP address but different ports See Figure 16 8 Figure 16 8 Static PAT See the following commands for this example hostname config static inside outside tcp 209 165 201 3 ftp 10 1 2 27 ftp netmask 255 255 255 255 hostname config static inside outside tcp 209 165 201 3 http 10 1 2 28 http netmask 255 255 255 255 hostname config static inside outside t...

Page 314: ...you specify the interface on which you want to allow the real addresses to appear so you can use identity NAT when you access interface A and use regular translation when you access interface B Static identity NAT also lets you use policy NAT which identifies the real and destination addresses when determining the real addresses to translate See the Policy NAT section on page 16 10 for more inform...

Page 315: ...accesses the server at 209 165 200 225 the real address is translated to 209 165 202 130 so that the host appears to be on the same network as the servers which can help with routing Figure 16 9 Policy NAT with Different Destination Addresses See the following commands for this example hostname config access list NET1 permit ip 10 1 2 0 255 255 255 0 209 165 201 0 255 255 255 224 hostname config a...

Page 316: ...mit tcp 10 1 2 0 255 255 255 0 209 165 201 11 255 255 255 255 eq 23 hostname config nat inside 1 access list WEB hostname config global outside 1 209 165 202 129 hostname config nat inside 2 access list TELNET hostname config global outside 2 209 165 202 130 For policy static NAT and for NAT exemption which also uses an access list to identify traffic both translated and remote hosts can originate...

Page 317: ...cy static NAT in undoing the translation the ACL in the static command is not used If the destination address in the packet matches the mapped address in the static rule the static rule is used to untranslate the address Note Policy NAT does not support SQL Net but it is supported by regular NAT See the Inspection Engine Overview section on page 22 2 for information about NAT support for other pro...

Page 318: ...andby devices to track global node utilization upon failover You can specify a single address for dynamic PAT or a range of mapped addresses for dynamic NAT See the show global usage command for this example of dynamic NAT global pool usage hostname config show global usage NAT Global Pool ID interface In use Most used Total 209 165 201 10 209 165 201 20 1 outside 1 1 11 See the show global usage ...

Page 319: ...1 When 10 1 1 1 makes a connection the specific statement for 10 1 1 1 is used because it matches the real address best We do not recommend using overlapping statements they use more memory and can slow the performance of the FWSM Maximum Number of NAT Statements The FWSM supports the following numbers of nat global and static commands divided between all contexts or in single mode nat command 2 K...

Page 320: ...interface You configure the FWSM to statically translate the ftp example com real address 10 1 3 14 to a mapped address 209 165 201 10 that is visible on the outside network See Figure 16 12 In this case you want to enable DNS reply modification on this static statement so that inside users who have access to ftp example com using the real address receive the real address from the DNS server and n...

Page 321: ...e If a user on a different network for example DMZ also requests the IP address for ftp cisco com from the outside DNS server then the IP address in the DNS reply is also modified for this user even though the user is not on the Inside interface referenced by the static command DNS Server Outside Inside User 132946 1 2 3 4 5 DNS Reply Modification 209 165 201 10 10 1 3 14 DNS Reply 209 165 201 10 ...

Page 322: ...fication Using Outside NAT See the following command for this example hostname config static outside inside 10 1 2 56 209 165 201 10 netmask 255 255 255 255 dns Configuring NAT Control NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule See the NAT Control section on page 16 5 for more information To enable NAT control enter the following ...

Page 323: ...side 10 1 1 12 to outside 10 1 1 12 flags Ii NAT from inside 10 1 1 13 to outside 10 1 1 13 flags Ii NAT from inside 10 1 1 14 to outside 10 1 1 14 flags Ii NAT from inside 10 1 1 15 to outside 10 1 1 15 flags Ii NAT from inside 10 1 1 25 to outside 10 1 1 25 flags Ii NAT from inside 10 1 1 26 to outside 10 1 1 26 flags Ii The following sample output from the show xlate detail command shows xlate ...

Page 324: ...global command to specify the mapped addresses when exiting another interface in the case of PAT this is one address Each nat command matches a global command by comparing the NAT ID a number that you assign to each command See Figure 16 14 Figure 16 14 nat and global ID Matching See the following commands for this example hostname config nat inside 1 10 1 2 0 255 255 255 0 hostname config global ...

Page 325: ...side interface and the DMZ interface share a mapped pool or a PAT address when exiting the Outside interface See Figure 16 15 Figure 16 15 nat Commands on Multiple Interfaces See the following commands for this example hostname config nat inside 1 10 1 2 0 255 255 255 0 hostname config nat inside 1 192 168 1 0 255 255 255 0 hostname config nat dmz 1 10 1 1 0 255 255 255 0 hostname config global ou...

Page 326: ...name config global outside 1 209 165 201 3 209 165 201 10 hostname config global dmz 1 10 1 1 23 If you use different NAT IDs you can identify different sets of real addresses to have different mapped addresses For example on the Inside interface you can have two nat commands on two different NAT IDs On the Outside interface you configure two global commands for these two IDs Then when traffic fro...

Page 327: ...dynamic NAT global commands first in the order they are in the configuration and then uses the PAT global commands in order You might want to enter both a dynamic NAT global command and a PAT global command if you need to use dynamic NAT for a particular application but want to have a backup PAT statement in case all the dynamic NAT addresses are depleted Similarly you might enter two PAT statemen...

Page 328: ...hen it accesses an outside interface for example traffic on a DMZ is translated when accessing the Inside and the Outside interfaces then you must configure a separate nat command without the outside option In this case you can identify the same addresses in both statements and use the same NAT ID See Figure 16 19 Note that for outside NAT DMZ interface to Inside interface the inside host uses a s...

Page 329: ...group of addresses when they access any lower or same security level interface you must apply a global command with the same NAT ID on each interface or use a static command NAT is not required for that group when it accesses a higher security interface because to perform NAT from outside to inside you must create a separate nat command using the outside keyword If you do apply outside NAT then th...

Page 330: ...command is the same for each translation but the port is dynamically assigned Figure 16 21 Dynamic PAT For more information about dynamic NAT see the Dynamic NAT section on page 16 6 For more information about PAT see the PAT section on page 16 8 Note If you change the NAT configuration and you do not want to wait for existing translations to time out before the new NAT information is used you can...

Page 331: ...ormation outside If this interface is on a lower security level than the interface you identify by the matching global statement then you must enter outside to identify the NAT instance as outside NAT tcp tcp_max_conns Sets the maximum number of simultaneous TCP connections for the entire subnet up to 65 536 The default is 0 which means the maximum connections emb_limit Sets the maximum number of ...

Page 332: ... on page 16 20 for more information about how NAT IDs are used 0 is reserved for identity NAT See the Configuring Identity NAT section on page 16 34 for more information about identity NAT See the preceding policy NAT command for information about other options Step 2 To identify the mapped address es to which you want to translate the real addresses when they exit a particular interface enter the...

Page 333: ... 80 hostname config access list TELNET permit tcp 10 1 2 0 255 255 255 0 209 165 201 11 255 255 255 255 eq 23 hostname config nat inside 1 access list WEB hostname config global outside 1 209 165 202 129 hostname config nat inside 2 access list TELNET hostname config global outside 2 209 165 202 130 Note FWSM and ASA behave differently when you configure dynamic NAT without the global keyword On F...

Page 334: ... the access list extended command See the Adding an Extended Access List section on page 13 6 The first address in the access list is the real address the second address is either the source or destination address depending on where the traffic originates For example to translate the real address 10 1 1 1 to the mapped address 192 168 1 1 when 10 1 1 1 sends traffic to the 209 165 200 224 network ...

Page 335: ...6 hostname config static outside inside 10 1 1 6 209 165 201 15 netmask 255 255 255 255 The following command statically maps an entire subnet hostname config static inside dmz 10 1 1 0 10 1 2 0 netmask 255 255 255 0 Using Static PAT This section describes how to configure a static port translation Static PAT lets you translate the real IP address to a mapped IP address as well as the real port to...

Page 336: ...network the access list and static commands are hostname config access list TEST extended tcp host 10 1 1 1 209 165 200 224 255 255 255 224 eq telnet hostname config static inside outside tcp 192 168 1 1 telnet access list TEST In this case the second address is the destination address However the same configuration is used for hosts to originate a connection to the mapped address For example when...

Page 337: ...arate translation for all inside traffic and the inside hosts use a different mapped address from the Telnet server you can still configure traffic initiated from the Telnet server to use the same mapped address as the static statement that allows Telnet traffic to the server You need to create a more exclusive nat statement just for the Telnet server Because nat statements are read for the best m...

Page 338: ...slations To configure identity NAT enter the following command hostname config nat real_interface 0 real_ip mask dns outside tcp tcp_max_conns emb_limit udp udp_max_conns norandomseq See the Configuring Dynamic NAT or PAT section on page 16 26 for information about the options For example to use identity NAT for the inside 10 1 1 0 24 network enter the following command hostname config nat inside ...

Page 339: ...ns tcp tcp_max_conns emb_limit udp udp_max_conns norandomseq Create the extended access list using the access list extended command See the Adding an Extended Access List section on page 13 6 This access list should include only permit ACEs Make sure the source address in the access list matches the real_ip in this command Policy NAT and static NAT consider the inactive or time range keywords and ...

Page 340: ...iginate connections NAT exemption lets you specify the real and destination addresses when determining the real traffic to exempt similar to policy NAT so you have greater control using NAT exemption than identity NAT However unlike policy NAT NAT exemption does not consider the ports in the access list Use static identity NAT to consider ports in the access list Figure 16 26 shows a typical NAT e...

Page 341: ...cess list EXEMPT permit ip 10 1 2 0 255 255 255 0 any hostname config nat inside 0 access list EXEMPT To use dynamic outside NAT for a DMZ network and exempt another DMZ network enter the following command hostname config nat dmz 1 10 1 2 0 255 255 255 0 outside dns hostname config global inside 1 10 1 1 45 hostname config access list EXEMPT permit ip 10 1 3 0 255 255 255 0 any hostname config nat...

Page 342: ...u only want to allow the inside interface to access hosts on the DMZ then you can use dynamic NAT for the inside addresses and static NAT for the DMZ addresses you want to access This example shows static NAT To configure static NAT for these two interfaces perform the following steps The 10 1 1 0 24 network on the DMZ is not translated Step 1 Translate 192 168 100 0 24 on the inside to 10 1 2 0 2...

Page 343: ...2 2 2 When the FWSM receives this packet the FWSM translates the source address from 192 168 100 2 to 10 1 3 2 3 Then the FWSM translates the destination address from 10 1 2 2 to 192 168 100 2 and the packet is forwarded Redirecting Ports Figure 16 28 illustrates a typical network scenario in which the port redirection feature might be useful Figure 16 28 Port Redirection Using Static PAT In the c...

Page 344: ...65 201 5 telnet 10 1 1 6 telnet netmask 255 255 255 255 Step 3 Redirect FTP requests for IP address 209 165 201 5 to 10 1 1 3 by entering the following command hostname config static inside outside tcp 209 165 201 5 ftp 10 1 1 3 ftp netmask 255 255 255 255 Step 4 Redirect HTTP requests for the FWSM outside interface address to 10 1 1 5 by entering the following command hostname config static insid...

Page 345: ...he FWSM uses cut through proxy to significantly improve performance compared to a traditional proxy server The performance of a traditional proxy server suffers because it analyzes every packet at the application layer of the OSI model The FWSM cut through proxy challenges a user initially at the application layer and then authenticates against standard RADIUS TACACS or the local database After th...

Page 346: ... for FTP For HTTP or HTTPS authentication once authenticated a user never has to reauthenticate no matter how low the timeout uauth command is set because the browser caches the string Basic Uuhjksdkfhk in every subsequent connection to that particular site This can be cleared only when the user exits all instances of the web browser and restarts Flushing the cache is of no use Applications Requir...

Page 347: ... FWSM intercepts the HTTP connection and enforces authentication For example assume that outside TCP port 889 is translated to port 80 www and that any relevant access lists permit the traffic static inside outside tcp 10 48 66 155 889 192 168 123 10 www netmask 255 255 255 255 Then when users try to access 10 48 66 155 on port 889 the FWSM intercepts the traffic and enforces HTTP authentication U...

Page 348: ...e command which identifies traffic within the command However you cannot use both methods in the same configuration See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information Step 4 Optional If you are using the local database for network access authentication and you want to limit the number of consecutive failed login attempts...

Page 349: ...ompted for a new password Note Customizing the login prompt causes the FWSM to use MSCHAPv2 for the user password Please check for MSCHAPv2 compatibility with your RADIUS server and back end database before enabling this feature To customize the login prompt perform the following steps Step 1 To customize the login prompt enter the following command hostname config auth prompt prompt text Where te...

Page 350: ... or rejects the authentication attempt for example hostname config auth prompt reject Authentication failed Try again hostname config auth prompt accept Authentication succeeded To set rejection messages for invalid credentials expired password and for unknown rejection reasons enter the following commands hostname config auth prompt reject Authentication failed Try again hostname config auth prom...

Page 351: ... to 0 HTTPS authentication might not work If a browser initiates multiple TCP connections to load a web page after HTTPS authentication the first connection is let through but the subsequent connections trigger authentication As a result users are continuously presented with an authentication page even if the correct username and password are entered each time To work around this set the uauth tim...

Page 352: ...an enter this command before you enable HTTP authentication so that if you later enable HTTP authentication usernames and passwords are already protected by secured web client authentication Disabling Authentication Challenge per Protocol You can configure whether the FWSM challenges users for a username and password By default the FWSM prompts the user when a AAA rule enforces authentication for ...

Page 353: ...r more information see the access group command entry in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference Authentication and authorization statements are independent however any unauthenticated traffic matched by an authorization statement will be denied For authorization to succeed a user must first authenticate with the FWSM Note We suggest ...

Page 354: ...ure the FWSM to authenticate users for network access you are also implicitly enabling RADIUS authorizations therefore this section contains no information about configuring RADIUS authorization on the FWSM It does provide information about how the FWSM handles dynamic user specific access list information received from RADIUS servers You can configure a RADIUS server to download an access list to...

Page 355: ...ost 10 0 0 252 permit icmp any host 10 0 0 252 permit ip any any For more information about creating downloadable access lists and associating them with users see the user guide for your version of Cisco Secure ACS On the FWSM the downloaded access list has the following name ACSACL ip acl_name number The acl_name argument is the name that is defined on Cisco Secure ACS acs_ten_acl in the precedin...

Page 356: ... ip inacl 3 permit icmp 10 1 0 0 255 0 0 0 10 0 0 0 255 0 0 0 For information about making unique per user the access lists that are sent in the cisco av pair attribute see the documentation for your RADIUS server On the FWSM the downloaded access list name has the following format AAA user username The username argument is the name of the user that is being authenticated The downloaded access lis...

Page 357: ...you must enable authentication For more information see the Enabling Network Access Authentication section on page 17 3 If you want the FWSM to provide accounting data per IP address enabling authentication is not necessary and you can continue to the next step Step 2 Using the access list command create an access list that identifies the source addresses and destination addresses of traffic you w...

Page 358: ...entication or authorization is not exempted even if the MAC address of the device is specified To identify MAC addresses for exemption perform the following steps Step 1 To configure a MAC list enter the following command hostname config mac list id deny permit mac macmask Where the id argument is the hexadecimal number that you assign to the MAC list To exempt a MAC address use the permit keyword...

Page 359: ...g mac list abc permit 00a0 c95d 0282 ffff ffff ffff hostname config aaa mac exempt match abc The following entry bypasses authentication for all Cisco IP Phones which have the hardware ID 0003 E3 hostname config mac list acd permit 0003 E300 0000 FFFF FF00 0000 hostname config aaa mac exempt match acd The following example bypasses authentication for a a group of MAC addresses except for 00a0 c95d...

Page 360: ...es Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL 20748 01 Chapter 17 Applying AAA for Network Access Using MAC Addresses to Exempt Traffic from Authentication and Authorization ...

Page 361: ...emove specific undesirable objects from HTTP traffic such as ActiveX objects or Java applets that may pose a security threat in certain situations You can also use URL filtering to direct specific traffic to an external filtering server such an Secure Computing SmartFilter formerly N2H2 or Websense filtering server Filtering servers can block traffic to specific sites or types of sites as specifie...

Page 362: ...k the tag ActiveX blocking does not occur when users access an IP address referenced by the alias command Enabling ActiveX Filtering This section describes how to remove ActiveX objects in HTTP traffic passing through the FWSM To remove ActiveX objects enter the following command in global configuration mode hostname config filter activex port port except local_ip local_mask foreign_ip foreign_mas...

Page 363: ...pecify a range of ports by using a hyphen between the starting port number and the ending port number To create an exception to a previous filter condition specify the keyword except Note The filter exception rule works only when you use the default port The local IP address and mask identify one or more internal hosts that are the source of the traffic to be filtered The foreign address and mask ...

Page 364: ... Secure Computing SmartFilter formerly N2H2 for filtering HTTP and HTTPS filtering Although FWSM performance is less affected when using an external server users may notice longer access times to websites or FTP servers when the filtering server is remote from the FWSM When filtering is enabled and a request for content is directed through the FWSM the request is sent to the content server and to ...

Page 365: ... server The port number is the Secure Computing SmartFilter server port number of the filtering server the FWSM also listens for UDP replies on this port Note The default port is 4005 This is the default port used by the Secure Computing SmartFilter server to communicate to the FWSM via TCP or UDP For information on changing the default port see the Filtering by N2H2 Administrator s Guide The time...

Page 366: ...um number of blocks that will be buffered Note Buffering URLs longer than 1159 bytes is only supported for the Websense filtering server Step 2 To configure the maximum memory available for buffering pending URLs and for buffering long URLs with Websense enter the following command hostname config url block url mempool memory pool size Replace memory pool size with a value from 2 to 10240 for a ma...

Page 367: ...ter url http port port except local_ip local_mask foreign_ip foreign_mask allow cgi truncate longurl deny longurl truncate proxy block Replace port with one or more port numbers if a different port than the default port for HTTP 80 is used Replace local_ip and local_mask with the IP address and subnet mask of a user or subnetwork making requests Replace foreign_ip and foreign_mask with the IP addr...

Page 368: ...pt specific traffic from filtering enter the following command hostname config filter url except source_ip source_mask dest_ip dest_mask For example the following commands cause all HTTP requests to be forwarded to the filtering server except for those from 10 0 2 54 hostname config filter url http 0 0 0 0 hostname config filter url except 10 0 2 54 255 255 255 255 0 0 Note If you have the filter ...

Page 369: ...successful return code is 250 CWD command successful If the filtering server denies the request alters the FTP return code to show that the connection was denied For example the FWSM changes code 250 to 550 Requested file is prohibited by URL filtering policy To enable FTP filtering enter the following command hostname config filter ftp port port except localIP local_mask foreign_IP foreign_mask a...

Page 370: ...mation about the filtering server or to show statistics enter the following command hostname show url server statistics The following is sample output from the show url server statistics command which shows filtering statistics hostname show url server statistics URL Server Statistics Vendor websense URLs total allowed denied 50 35 15 HTTPSs total allowed denied 1 1 0 FTPs total allowed denied 3 1...

Page 371: ... Caching Statistics The following is sample output from the show url cache command hostname show url cache URL Filter Cache Stats Size 128KB Entries 1724 In Use 456 Lookups 45 Hits 8 This shows how the cache is used Viewing Filtering Performance Statistics The following is sample output from the show perfmon command hostname show perfmon PERFMON STATS Current Average Xlates 0 s 0 s Connections 0 s...

Page 372: ...Series Router Firewall Services Module Configuration Guide using ASDM OL 20748 01 Chapter 18 Applying Filtering Services Viewing Filtering Statistics and Configuration hostname show running config filter filter url http 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ...

Page 373: ...lowing topics ARP Inspection Overview page 19 1 Adding a Static ARP Entry page 19 2 Enabling ARP Inspection page 19 2 ARP Inspection Overview By default all ARP packets are allowed through the FWSM You can control the flow of ARP packets by enabling ARP inspection ARP inspection settings apply to all bridge groups When you enable ARP inspection the FWSM compares the MAC address IP address and sour...

Page 374: ...name ip_address mac_address Where the interface_name is the source interface for the ARP packets The ip_address is the source address and mac_address is the associated MAC address For example to allow ARP responses from the router at 10 1 1 1 with the MAC address 0009 7cbe 2100 on the outside interface enter the following command hostname config arp outside 10 1 1 1 0009 7cbe 2100 Note The transpa...

Page 375: ...in the table the FWSM does not flood the original packet on all interfaces of the bridge group as a normal bridge does Instead it generates the following packets for directly connected devices or for remote devices Packets for directly connected devices The FWSM generates an ARP request for the destination IP address so that the FWSM can learn which interface receives the ARP response Packets for ...

Page 376: ...nd reenables MAC address learning The clear configure mac learn command reenables MAC address learning on all interfaces Viewing the MAC Address Table You can view the entire MAC address table including static and dynamic entries the MAC address table for an interface or the MAC address table for a bridge group To view the MAC address table enter the following command hostname show mac address tab...

Page 377: ...nd flexible way to configure FWSM features For example you can use Modular Policy Framework to create a timeout configuration that is specific to a particular TCP application as opposed to one that applies to all TCP applications This section includes the following topics Modular Policy Framework Supported Features page 20 1 Modular Policy Framework Configuration Overview page 20 2 Default Global ...

Page 378: ...he traffic and specifies what to do with it For example you might want to drop all HTTP requests with a body length greater than 1000 bytes You can create a self contained inspection policy map that identifies the traffic directly with match commands or you can create an inspection class map for reuse or for more complicated matching See the Defining Actions in an Inspection Policy Map section on ...

Page 379: ... configuration includes a policy that matches all default application inspection traffic and applies certain inspections to the traffic on all interfaces a global policy Not all inspections are enabled by default You can only apply one global policy so if you want to alter the global policy you need to either edit the default policy or disable it and apply a new one An interface policy overrides t...

Page 380: ...and matches the default inspection traffic class map inspection_default match default inspection traffic Note See the Incompatibility of Certain Feature Actions section on page 20 17 for more information about the special match default inspection traffic command used in the default class map Another class map that exists in the default configuration is called class default and it matches all traff...

Page 381: ...rwise specified you can include only one match command in the class map Any traffic The class map matches all traffic hostname config cmap match any Access list The class map matches traffic specified by an extended access list If the FWSM is operating in transparent firewall mode you can use an EtherType access list hostname config cmap match access list access_list_name For more information abou...

Page 382: ...ng with the match default inspection traffic command to narrow the matched traffic Because the match default inspection traffic command specifies the ports and protocols to match any ports or protocols in the access list are ignored The following is an example for the class map command hostname config access list udp permit udp any any hostname config access list tcp permit tcp any any hostname co...

Page 383: ...ation traffic with criteria specific to the application such as a URL string You then identify the class map in the policy map and enable actions The difference between creating a class map and defining the traffic match directly in the inspection policy map is that you can create more complex match criteria and you can reuse class maps Some traffic matching commands can specify regular expression...

Page 384: ...pecify the action you want to perform on the matching traffic by entering the following command hostname config pmap c drop drop connection mask reset log log Not all options are available for each application Other actions specific to the application might also be available See Chapter 22 Applying Application Layer Protocol Inspection for the exact options available The drop keyword drops all pac...

Page 385: ...class map has the same type of lowest priority match command as another class map then the class maps are matched according to the order they are added to the policy map If the lowest priority command for each class map is different then the class map with the higher priority match command is matched first For example the following three class maps contain two types of match commands match content...

Page 386: ... type of class map allows you to match criteria that is specific to an application For example for HTTP traffic you can match a particular URL Note Not all applications support inspection class maps See the CLI help for a list of supported applications A class map groups multiple traffic matches in a match all class map or lets you match any of a list of matches in a match any class map The differ...

Page 387: ...the match commands available for each application see Chapter 22 Applying Application Layer Protocol Inspection The following example creates an HTTP class map that must match all criteria hostname config cmap class map type inspect http match all http traffic hostname config cmap match req resp content type mismatch hostname config cmap match request body length gt 1000 hostname config cmap match...

Page 388: ...nvoked Asterisk A quantifier that indicates that there are 0 1 or any number of the previous expression For example lo se matches lse lose loose and so on Plus A quantifier that indicates that there is at least 1 of the previous expression For example lo se matches lose and loose but not lse x or x Minimum repeat quantifier Repeat at least x times For example ab xy 2 z matches abxyxyz abxyxyxyz an...

Page 389: ...message INFO Regular expression match succeeded If the regular expression does not match the input text you see the following message INFO Regular expression match failed Step 2 To add a regular expression after you tested it enter the following command hostname config regex name regular_expression Where the name argument can be up to 40 characters in length The regular_expression argument can be ...

Page 390: ... class maps use the same name space so you cannot reuse a name already used by another type of class map The match any keyword specifies that the traffic matches the class map if it matches at least one of the regular expressions The CLI enters class map configuration mode Step 3 Optional Add a description to the class map by entering the following command hostname config cmap description string S...

Page 391: ... applied to an interface all features are bidirectional all traffic that enters or exits the interface to which you apply the policy map is affected if the traffic matches the class map for both directions When you use a global policy all features are unidirectional features that are normally bidirectional when applied to a single interface only apply to the ingress of each interface when applied ...

Page 392: ...y map Actions are performed in the following order 1 TCP and UDP connection settings and TCP state bypass 2 Application inspection multiple types The order of application inspections applied when a class of traffic is classified for multiple inspections is as follows Only one inspection type can be applied to the same traffic WAAS inspection is an exception because it can applied along with other ...

Page 393: ...xample when UDP traffic for port 69 reaches the FWSM then the FWSM applies the TFTP inspection when TCP traffic for port 21 arrives then the FWSM applies the FTP inspection So in this case only you can configure multiple inspections for the same class map Normally the FWSM does not use the port number to determine the inspection applied thus giving you the flexibility to apply inspections to non s...

Page 394: ...face For example if you configure connection limits on the inside and outside interfaces but the inside policy sets the maximum connections to 2000 while the outside policy sets the maximum connections to 3000 then a non stateful Ping might be denied at a lower level if it is outbound than if it is inbound Default Layer 3 4 Policy Map The configuration includes a default Layer 3 4 policy map that ...

Page 395: ...cation Types with PISA Integration section on page 21 4 Note If there is no match default_inspection_traffic command in a class map then at most one inspect command is allowed to be configured under the class Step 5 Repeat Step 3 and Step 4 for each class map you want to include in this policy map The following is an example of a policy map command for connection policy It limits the number of con...

Page 396: ...olicy map create a service policy that applies it to one or more interfaces or that applies it globally to all interfaces Interface service policies take precedence over the global service policy for a given feature For example if you have a global policy with FTP inspection and an interface policy with TCP connection settings then both FTP inspection and TCP connection settings are applied to the...

Page 397: ... Traffic to Specific Servers page 20 22 Applying Inspection to HTTP Traffic with NAT page 20 22 Applying Inspection to HTTP Traffic Globally In this example see Figure 20 1 any HTTP connection TCP traffic on port 80 that enters the FWSM through any interface is classified for HTTP inspection Figure 20 1 Global HTTP Inspection See the following commands for this example hostname config class map ht...

Page 398: ...ccess list serverA hostname config class map http_serverB hostname config cmap match access list serverB hostname config policy map policy_serverA hostname config pmap class http_serverA hostname config pmap c inspect http http_map_serverA hostname config pmap c set connection conn max 100 hostname config policy map policy_serverB hostname config pmap class http_serverB hostname config pmap c insp...

Page 399: ... static inside outside 209 165 200 225 10 1 1 1 hostname config access list http_client extended permit tcp host 10 1 1 1 any eq 80 hostname config class map http_client hostname config cmap match access list http_client hostname config policy map http_client hostname config pmap class http_client hostname config pmap c inspect http hostname config service policy http_client interface inside insid...

Page 400: ... 24 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL 20748 01 Chapter 20 Using Modular Policy Framework Modular Policy Framework Examples ...

Page 401: ...s the ISN of the TCP SYN passing in both the inbound and outbound directions Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session TCP initial sequence number randomization can be disabled if required For example If another in line firewall is also randomizing the initial sequence numbers there is ...

Page 402: ...5 hostname config class map CONNS hostname config cmap match access list CONNS Note In 3 x when you used the set connection command for an access list match access list then connection settings were applied to each individual ACE in 4 0 connection settings are applied to the access list as a whole Step 2 To add or edit a policy map that sets the actions to take with the class map traffic enter the...

Page 403: ...eout conn command affects all traffic flows unless you otherwise use the set connection timeout command for eligible traffic Step 5 To set the timeout for idle connections for all protocols enter the following command hostname config pmap c set connection timeout idle hh mm 0 where the idle hh mm 0 argument defines the idle time after which an established connection of any protocol closes between ...

Page 404: ... set connection timeout idle 2 0 0 hostname config pmap c service policy conns interface outside You can enter set connection commands with multiple parameters or you can enter each parameter as a separate command The FWSM combines the commands into one line in the running configuration For example if you entered the following two commands in class configuration mode hostname config pmap c set con...

Page 405: ...the Using GRE for Tagging section When a UDP packet is denied due to the FWSM service policy the corresponding session is not immediately deleted Instead it is allowed to time out and the packets that hit this session in the meantime are dropped It is possible for an end user application to use the special GRE key that is used between the FWSM and the PISA In such instances the PISA generates a sy...

Page 406: ...at you want to deny based on the application type add a class map using the class map command See the Identifying Traffic Layer 3 4 Class Map section on page 20 4 for more information For example you can match an access list hostname config access list BAD_APPS extended permit any 10 1 1 1 255 255 255 255 hostname config class map denied_apps hostname config cmap match access list BAD_APPS Step 2 ...

Page 407: ...e by applying a service policy to that interface You can only apply one policy map to each interface The following is an example configuration for PISA integration hostname config access list BAD_APPS extended permit 10 1 1 0 255 255 255 0 10 2 1 0 255 255 255 0 hostname config class map denied_apps hostname config cmap description Apps to be blocked hostname config cmap match access list BAD_APPS...

Page 408: ...d increase the MTU size on VLANs used between the PISA and the FWSM The GRE encapsulation adds 32 bytes 20 bytes for the outer IP header and 12 bytes for the GRE header To change the MTU on a routed switch port or a Layer 3 interface SVI enter the following command Router config if mtu mtu_size For an SVI the mtu_size is between 64 and 9216 bytes For a routed switch port the mtu_size is between 15...

Page 409: ...the GRE key used for the tagging The interface ifname argument shows if tagging is enabled on an interface The summary keyword shows all interfaces with tagging enabled The following command shows the mapping of protocol name to ID Router show ip nbar protocol id protocol_name If you enter the protocol_name the mapped ID is shown When omitted the complete list of protocol names and IDs is shown To...

Page 410: ...SM 6 302014 Teardown TCP connection 144547133155839947 for inside 10 1 1 12 33407 to outside 209 165 201 10 21 duration 0 00 00 bytes 160 PISA denied protocol Viewing PISA Connections on the FWSM To monitor connections from the PISA use the show conn command Connections that are tagged by the PISA are listed in the output with the p flag The following is sample output from the show conn command ho...

Page 411: ...onnection SYN packet the accelerated path an established connection or the control plane path advanced inspection See the Stateful Inspection Overview section on page 1 8 for more detailed information about the stateful firewall TCP packets that match existing connections in the accelerated path can pass through the FWSM without rechecking every aspect of the security policy This feature maximizes...

Page 412: ... specified networks enters the FWSM and there is not an accelerated path entry then the packet goes through the session management path to establish the connection in the accelerated path Once in the accelerated path the traffic bypasses the accelerated path checks Unsupported Features The following features are not supported when you use TCP state bypass Application inspection Application inspect...

Page 413: ...h the class map traffic enter the following commands hostname config policy map name hostname config pmap class class_map_name hostname config pmap c where the class_map_name is the class map from Step 1 For example hostname config policy map tcp_bypass_policy hostname config pmap class bypass_traffic hostname config pmap c Step 3 Enable TCP state bypass by entering the following command hostname ...

Page 414: ...nterface according to the routing table Normally the FWSM only looks at the destination address when determining where to forward the packet Unicast RPF instructs the FWSM to also look at the source address this is why it is called Reverse Path Forwarding For any traffic that you want to allow through the FWSM the FWSM routing table must include a route back to the source address See RFC 2267 for ...

Page 415: ...xample system log messages show an attack then you can block or shun connections based on the source IP address and other identifying parameters No new connections can be made until you remove the shun Note If you have an IPS that monitors traffic then the IPS can shun connections automatically To shun a connection manually perform the following steps Step 1 If necessary view information about the...

Page 416: ... Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL 20748 01 Chapter 21 Configuring Advanced Connection Features Blocking Unwanted Connections ...

Page 417: ...on engines can affect overall throughput Several common inspection engines are enabled on the FWSM by default but you might need to enable others depending on your network This chapter includes the following sections Inspection Engine Overview page 22 2 When to Use Application Protocol Inspection page 22 2 How Inspection Engines Work page 22 2 Inspection Limitations page 22 3 Default Inspection Po...

Page 418: ...wn port is used to negotiate dynamically assigned port numbers Other applications embed an IP address in the packet that needs to match the source address that is normally translated when it goes through the FWSM If you use applications like these then you need to enable application inspection When you enable application inspection for a service that embeds IP addresses the FWSM translates embedde...

Page 419: ...t the FWSM forwards the packet to the destination system 6 The destination system responds to the initial request 7 The FWSM receives the reply packet looks up the connection in the connection database and forwards the packet because it belongs to an established session The default configuration of the FWSM includes a set of application inspection entries that associate supported protocols with sp...

Page 420: ... and resegmenting the message as appropriate To account for this limitation you must perform the following actions on the FWSM Increase the MSS on the TCP receiver Lower the MTU on the FWSM interface Only if possible disable the advanced protocol inspection When application inspection is enabled for a protocol and another application utilizes the same port as that inspected application protocol th...

Page 421: ...a If the MTU is too small to allow the Java or ActiveX tag to be included in one packet stripping may not occur ICMP All ICMP traffic is matched in the default class map ICMP ERROR All ICMP traffic is matched in the default class map ILS LDAP TCP 389 No PAT MGCP UDP 2427 2727 RFC 2705bis 05 NetBIOS Datagram Service UDP UDP 138 NetBIOS Name Service UDP UDP 137 No NAT No PAT No WINS support PPTP TCP...

Page 422: ...ou can perform special actions when you enable inspection 3 Activating inspections on an interface SNMP UDP 161 162 No NAT or PAT RFC 1155 1157 1212 1213 1215 v 2 RFC 1902 1908 v 3 RFC 2570 2580 SQL Net TCP 1521 v 1 and v 2 SunRPC UDP 111 TCP 111 No PAT Payload not NATed The default class map includes UDP port 111 if you want to enable Sun RPC inspection for TCP port 111 you need to create a new c...

Page 423: ...s a class map that contains an inspection command and then matches another class map that also has an inspection command only the first matching class is used For example SNMP matches the inspection_default class To enable SNMP inspection enable SNMP inspection for the default class in Step 5 Do not add another class that matches SNMP For example to limit inspection to traffic from 10 1 1 0 to 192...

Page 424: ...d or delete an inspection or to identify an additional class map for your actions then enter global_policy as the name Step 4 To identify the class map from Step 1 to which you want to assign an action enter the following command hostname config pmap class class_map_name hostname config pmap c If you are editing the default policy map it includes the inspection_default class map You can edit the a...

Page 425: ...section on page 22 36 identify the map name in this command h323 h225 map_name If you added an H 225 application map according to H 225 Map Commands section on page 22 50 identify the map name in this command h323 ras map_name http policy_map_name If you added an HTTP inspection policy map according to the Configuring an HTTP Inspection Policy Map for Additional Inspection Control section on page ...

Page 426: ...page 22 10 Limitations and Restrictions page 22 10 Enabling and Configuring CTIQBE Inspection page 22 11 Verifying and Monitoring CTIQBE Inspection page 22 12 CTIQBE Sample Configurations page 22 13 CTIQBE Inspection Overview The inspect ctiqbe command enables CTIQBE protocol inspection which supports NAT PAT and bidirectional NAT This enables Cisco IP SoftPhone and other Cisco TAPI JTAPI applicat...

Page 427: ...rface address for Cisco IP SoftPhone registrations to succeed The CTIQBE listening port TCP 2748 is fixed and is not user configurable on Cisco CallManager Cisco IP SoftPhone or Cisco TSP Enabling and Configuring CTIQBE Inspection To enable CTIQBE inspection or change the default port used for receiving CTIQBE traffic perform the following steps Step 1 Create a class map or modify an existing clas...

Page 428: ...lass map ctiqbe_port hostname config cmap match port tcp eq 2748 hostname config cmap policy map sample_policy hostname config pmap class ctiqbe_port hostname config pmap c inspect ctiqbe hostname config pmap c service policy sample_policy interface outside hostname config Verifying and Monitoring CTIQBE Inspection The show ctiqbe command displays information regarding the CTIQBE sessions establis...

Page 429: ...e 3 most used Flags D DNS d dump I identity i inside n no random r portmap s static TCP PAT from inside 10 0 0 99 1117 to outside 209 165 201 2 1025 flags ri idle 0 00 22 timeout 0 00 30 UDP PAT from inside 10 0 0 99 16908 to outside 209 165 201 2 1028 flags ri idle 0 00 00 timeout 0 04 10 UDP PAT from inside 10 0 0 99 16909 to outside 209 165 201 2 1029 flags ri idle 0 00 23 timeout 0 04 10 The s...

Page 430: ...e extended permit tcp any any eq 1503 access group voice in interface inside access group voice in interface outside policy map global_policy class inspection_default inspect ctiqbe Note TCP port 1503 must be allowed to pass through the security appliance for virtual conference room collaboration to work with Cisco IP SoftPhone through the security appliance The following figure shows a sample con...

Page 431: ...ss list voice extended permit tcp any any eq h323 access list voice extended permit tcp any any eq 1503 access group voice in interface inside access group voice in interface outside policy map global_policy class inspection_default inspect ctiqbe Note To allow successful collaboration and application sharing TCP ports 1503 and 1720 must be allowed to pass through The following is sample output fo...

Page 432: ... connections Network Processor 2 connections IPv6 connections DCERPC Inspection DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely This typically involves a client querying a server called the Endpoint Mapper listening on a well known port number for the dynamically allocated network informa...

Page 433: ...s hostname config pmap p b To configure the timeout for DCERPC pinholes and override the global system pinhole timeout of two minutes enter the following command hostname config pmap p timeout pinhole hh mm ss Where the hh mm ss argument is the timeout for pinhole connections Value is between 0 0 1 and 1193 0 0 c To configure options for the endpoint mapper traffic enter the following command host...

Page 434: ... for PAT because multiple PAT rules are applicable for each A record and the PAT rule to use is ambiguous Enforces the maximum DNS message length the default is 512 bytes and the maximum length is 65535 bytes The FWSM performs reassembly as needed to verify that the packet length is less than the maximum length configured The FWSM drops the packet if it exceeds the maximum length Note If you enter...

Page 435: ...gned address 209 165 201 5 When a web client on the inside interface attempts to access the web server with the URL http server example com the host running the web client sends a DNS request to the DNS server to resolve the IP address of the web server The FWSM translates the non routable source address in the IP header and forwards the request to the ISP network on its outside interface When the...

Page 436: ...500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference Using the Alias Command for DNS Rewrite The alias command causes the FWSM to translate addresses on an IP network residing on any interface into addresses on another IP network connected through a different interface The syntax for this command is as follows hostname config alias inside mapped address real ad...

Page 437: ...are as follows acl name The name you give the access list mapped address The translated IP address of the web server port The TCP port that the web server listens to for HTTP requests Step 3 Apply the access list created in Step 2 to the outside interface To do so use the access group command as follows hostname config access group acl name in interface outside Step 4 If DNS inspection is disabled...

Page 438: ...c DNS server is on the outside interface The site NAT policies are as follows The outside DNS server holds the authoritative address record for server example com Hosts on the outside network can contact the web server with the domain name server example com through the outside DNS server or with the IP address 209 165 200 225 Clients on the inside network can access the web server with the domain...

Page 439: ...8 100 10 dns b Uses the static rule to rewrite the A record as follows because the dns option is included outside 209 165 200 225 dmz 192 168 100 10 Note If the dns option were not included with the static command DNS Rewrite would not be performed and other processing for the packet continues c Searches for any NAT to translate the web server address dmz 192 168 100 10 when communicating with the...

Page 440: ...is the hostname with a domain suffix as in server example com The period after the hostname is important mapped address is the translated IP address of the web server The following example configures the FWSM for the scenario shown in Figure 22 5 It assumes DNS inspection is already enabled Example 22 3 DNS Rewrite with Three NAT Zones hostname config static dmz outside 209 165 200 225 192 168 100...

Page 441: ...se the interface interface_ID option where interface_ID is the name assigned to the interface with the nameif command The FWSM begins inspecting DNS traffic as specified Example 22 4 Enabling and Configuring DNS Inspection The following example creates a class map to match DNS traffic on the default port 53 and enables DNS inspection in the sample_policy policy map and applies DNS inspection to th...

Page 442: ...d on the source and destination IP address along with the protocol and the DNS ID instead of the source and destination ports If the DNS client and DNS server use TCP for DNS the connection is cleared like a normal TCP connection However if clients receive DNS responses from multiple DNS servers you can disable the default DNS behavior on a per context basis When DNS Guard is disabled a response f...

Page 443: ...mand has the action applied b Specify the action you want to perform on the matching traffic by entering the following command hostname config pmap c drop send protocol error drop connection send protocol error mask reset log rate limit message_rate Not all options are available for each match or class command See the CLI help or the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewal...

Page 444: ...pient addresses enter the following command hostname config pmap p match cmd RCPT count gt count Where count is the number of recipient addresses h Optional To match the command line length enter the following command hostname config pmap p match cmd line length gt length Where length is the command line length i Optional To match the ehlo reply parameters enter the following command hostname conf...

Page 445: ...or class name is the regular expression that matches a sender address or a class map The regular expression used to match a class map can select multiple sender addresses q Optional To match the length of a sender s address enter the following command hostname config pmap p match sender address length gt length Where length is the number of characters in the sender s address The following example ...

Page 446: ...s are negotiated through PORT or PASV commands The channels are allocated in response to a file upload a file download or a directory listing event Note If you disable FTP inspection engines with the no inspect ftp command outbound users can start connections only in passive mode and all inbound FTP is disabled Using the strict Option Using the strict option with the inspect ftp command increases ...

Page 447: ... the range from 1 to 1024 are reserved for well known connections if the negotiated port falls in this range then the TCP connection is freed Command pipelining The number of characters present after the port numbers in the PORT and PASV reply command is cross checked with a constant value of 8 If it is more than 8 then the TCP connection is closed The FWSM replaces the FTP server response to the ...

Page 448: ...s you determined in Step 1 To do so use a match port or match access list command If you need to identify two or more non contiguous ports create an access list with the access list extended command add an ACE to match each port and then use the match access list command The following commands show how to use an access list to identify multiple TCP ports with an access list hostname config access ...

Page 449: ...the mask syst response command c Optional If you want to disallow specific FTP commands use the request command deny command and specify each FTP command that you want to disallow as follows hostname config ftp map request command deny ftp_command ftp_command hostname config ftp map where ftp_command with one or more FTP commands that you want to restrict See Table 22 3 for a list of the FTP comma...

Page 450: ... FWSM begins inspecting FTP traffic as specified The following example shows how to identify FTP traffic define a FTP map define a policy and apply the policy to the outside interface Example 22 5 Enabling and Configuring Strict FTP Inspection hostname config class map ftp_port hostname config cmap match port tcp eq 21 hostname config cmap ftp map sample_map hostname config ftp map request command...

Page 451: ...ted commands on a FWSM without the required license the FWSM displays an error message GTP Inspection Overview GPRS provides uninterrupted connectivity for mobile subscribers between GSM networks and corporate networks or the Internet The GGSN is the interface between the GPRS wireless data network and other networks The SGSN performs mobility data session management and data compression See Figur...

Page 452: ...SN request to achieve load balancing on the GGSNs GTP Maps and Commands You can enforce additional inspection parameters on GTP traffic The gtp map command lets you specify a set of such parameters When you enable GTP inspection with the inspect gtp command you have the option of specifying a GTP map If you do not specify a map with the inspect gtp command the FWSM uses the default GTP map which i...

Page 453: ...s hostname config class map class_map_name hostname config cmap where class_map_name is the name of the traffic class When you enter the class map command the CLI enters class map configuration mode Step 3 Use a match access list command to identify GTP traffic with the access list you created in Step 1 hostname config cmap match access list acl name Step 4 Optional If you want to enforce addition...

Page 454: ...ve created in optional Step 4 Step 8 Use the service policy command to apply the policy map globally or to a specific interface as follows hostname config pmap c service policy policy_map_name global interface interface_ID hostname config where policy_map_name is the policy map you configured in Step 5 If you want to apply the policy map to traffic on all the interfaces use the global option If yo...

Page 455: ...deleted_pdpmcb 0 pdp_non_existent 0 You can use the vertical bar to filter the display Type for more display filtering options Use the show service policy inspect gtp pdp context command to display PDP context related information The following is sample output from the show service policy inspect gtp pdp context command hostname show service policy inspect gtp pdp context detail 1 in use 1 most us...

Page 456: ...e an object to represent the pool of load balancing GSNs perform the following steps Step 1 Define a new network object group representing the pool of load balancing GSNs To do so use the object group command hostname config object group network GSN pool name hostname config where GSN pool name is the object group name for GGSNs Step 2 Specify the load balancing GSNs using the network object comma...

Page 457: ... config gtp map GTPMAP hostname config gtp map permit response to object group SGSNS from object group GGSNS For additional GGSN load balancing information and configurations refer to the Cisco GGSN Release 7 0 Configuration Guide and the Cisco MultiProcessor WAN Module User Guide GTP Sample Configuration Figure 22 7 shows a sample GTP inspection configuration Figure 22 7 GTP Inspection Setup Samp...

Page 458: ...r09186a00807873e8 ht ml As per Figure 22 6 two GGSNs GGSN1 and GGSN2 are configured on the MWAM module firewall multiple vlan interfaces firewall module 4 vlan group 1 firewall module 10 vlan group 1 firewall vlan group 1 3 40 44 84 115 119 172 200 202 400 500 800 900 mwam module 9 port 1 allowed vlan 1 3 40 44 84 172 200 202 400 500 800 900 mwam module 9 port 2 allowed vlan 1 3 40 44 84 172 200 2...

Page 459: ...llows hostname show running config Building configuration Current configuration 1460 bytes Last configuration change at 21 33 19 UTC Wed Dec 13 2006 NVRAM config last updated at 01 54 40 UTC Sat Nov 18 2006 version 12 3 service timestamps debug datetime msec service timestamps log datetime msec no service password encryption service gprs ggsn hostname GGSN2ADCTX boot start marker boot end marker n...

Page 460: ...point 1 access point name sj gtp cisco com ip address pool local localpool11 control plane line con 0 line vty 0 no login line vty 1 4 login line vty 5 15 login end GGSN3 is configured as follows hostname show running config Building configuration Current configuration 1533 bytes Last configuration change at 21 33 47 UTC Wed Dec 13 2006 NVRAM config last updated at 01 56 07 UTC Sat Nov 18 2006 ver...

Page 461: ...0 1 1 120 ip local pool localpool22 10 8 4 4 10 8 4 254 ip classless ip route 0 0 0 0 0 0 0 0 10 1 1 1 no ip http server gprs maximum pdp context allowed 50000 gprs qos default response requested gprs access point list gtp test access point 1 access point name sj gtp cisco com ip address pool local localpool22 control plane line con 0 line vty 0 no login line vty 1 4 login line vty 5 15 login end ...

Page 462: ...gtpacl extended permit tcp any any eq ftp access list gtpacl extended permit tcp any any eq telnet access list gtpacl extended permit tcp any any eq ssh access list 112 extended permit tcp object group servers object group clients eq www access list 112 extended permit tcp object group servers object group clients eq https access list 112 extended permit tcp object group servers object group clien...

Page 463: ...word 3USUcOPFUiMCO4Jk encrypted no snmp server location no snmp server contact telnet timeout 5 ssh 171 69 42 198 255 255 255 255 mgmt ssh timeout 5 class map inspection_default match default inspection traffic policy map global_policy class inspection_default inspect dns maximum length 512 inspect ftp inspect h323 h225 inspect h323 ras inspect http inspect netbios inspect rsh inspect rtsp inspect...

Page 464: ...he necessary embedded IPv4 addresses in the H 225 and H 245 messages Because H 323 messages are encoded in PER encoding format the FWSM uses an ASN 1 decoder to decode the H 323 messages Dynamically allocate the negotiated H 245 and RTP RTCP connections How H 323 Works The H 323 protocols collectively may use up to two TCP connection and four to six UDP connections FastConnect uses only one TCP co...

Page 465: ...e FWSM keeps a record that contains the TPKT length for the next expected message If the FWSM needs to perform NAT on IP addresses in messages it changes the checksum the UUIE length and the TPKT if it is included in the TCP packet with the H 225 message If the TPKT is sent in a separate TCP packet the FWSM proxy ACKs that TPKT and appends a new TPKT to the H 245 message with the new length Note T...

Page 466: ...rough the security appliance the FWSM cannot open a proper pinhole to allow such a call to be successful For this reason some additional H 225 configuration is required in this scenario To provide the necessary configuration you identify an HSI and its associated endpoints within an HSI group After this configuration is completed when the FWSM sees the HSI as one of the communicating hosts in an H...

Page 467: ... CLI enters class map configuration mode Step 3 Use a match access list command to identify H 323 traffic with the access list you created in Step 1 hostname config cmap match access list acl name Step 4 Optional If required by your network topology configure an H 225 map For more information about whether your network requires an H 225 map see the Topologies Requiring H 225 Configuration section ...

Page 468: ...s the name of the policy map The CLI enters the policy map configuration mode and the prompt changes accordingly Step 6 Specify the class map created in Step 2 that identifies the H 323 traffic Use the class command to do so as follows hostname config pmap class class_map_name hostname config pmap c where class_map_name is the name of the class map you created in Step 2 The CLI enters the policy m...

Page 469: ...access list h323_acl permit udp any any eq 1718 hostname config access list h323_acl permit udp any any eq 1719 hostname config access list h323_acl permit tcp any any eq 1720 hostname config class map h323 traffic hostname config cmap match access list h323_acl hostname config cmap h225 map sample_map hostname config h225 map hsi group 1 hostname config h225 map hsi grp hsi 10 10 15 11 hostname c...

Page 470: ... there is no active call between the endpoints even though the H 225 session still exists This could happen if at the time of the show h225 command the call has already ended but the H 225 session has not yet been deleted Alternately it could mean that the two endpoints still have a TCP connection opened between them because they set maintainConnection to TRUE so the session is kept open until the...

Page 471: ...host commands this command is used for troubleshooting H 323 RAS inspection engine issues The show h323 ras command displays connection information for troubleshooting H 323 inspection engine issues The following is sample output from the show h323 ras command hostname show h323 ras Total 1 GK Caller 172 30 254 214 10 130 56 14 This output shows that there is one active registration between the ga...

Page 472: ...side bridge group 1 security level 100 interface Vlan100 nameif outside bridge group 1 security level 0 interface BVI1 ip address 10 0 0 8 255 255 255 0 access list h323 gup permit extended permit udp any any eq 1719 access group h323 gup permit in interface inside access group h323 gup permit in interface outside Note RAS inspection should be turned on for interfaces through which the gatekeeper ...

Page 473: ...5 201 6 22754 The following output from the show conn command shows the secondary channel established between the H 323 Gatekeepers and the H 323 GUP connections marked with the flag n hostname config show conn 3 in use 37 most used Network Processor 1 connection UDP out 209 165 201 6 1719 in 10 0 0 7 1719 idle 0 00 45 Bytes 672 FLAGS H TCP out 209 165 201 6 22754 in 10 0 0 7 15970 idle 0 00 04 By...

Page 474: ...get ras hostname config dial peer exit Configure dial peer to forward voice calls to 4085550100 to voice port 1 0 0 in router R2 hostname config dial peer voice 102 pots hostname config dial peer destination pattern 4085550100 hostname config dial peer port 1 0 0 hostname config dial peer exit hostname config exit Configuration of the IOS H 323 gateway router R1 on the inside interface hostname co...

Page 475: ...meif inside hostname config if security level 100 hostname config if ip address 10 100 100 2 255 0 0 0 hostname config if hostname config if access list voice extended permit udp any any eq 1719 hostname config access list voice extended permit tcp any any eq h323 hostname config hostname config access group voice in interface outside hostname config access group voice in interface inside hostname...

Page 476: ...filtering see Chapter 18 Applying Filtering Services Note The no inspect http command also disables the filter url command The enhanced HTTP inspection feature which is also known as an application firewall and is available when you configure an HTTP map see Configuring an HTTP Inspection Policy Map for Additional Inspection Control can help prevent attackers from using HTTP messages for circumven...

Page 477: ...ns for each match command you should identify the traffic directly in the policy map a Create the class map by entering the following command hostname config class map type inspect http match all match any class_map_name hostname config cmap Where class_map_name is the name of the class map The match all keyword is the default and specifies that traffic must match all criteria to match the class m...

Page 478: ...expression class map you created in Step 2 The length gt max_bytes is the maximum message body length in bytes i Optional To match text found in the HTTP response message body or to comment out Java applet and Active X object tags in order to filter them enter the following command hostname config cmap match not response body active x java applet regex regex_name class regex_class_name length gt m...

Page 479: ...ies Router Firewall Services Module Command Reference for the exact options available The drop connection keyword drops the packet and closes the connection The reset keyword drops the packet closes the connection and sends a TCP reset to the server and or client The log keyword which you can use alone or with one of the other keywords sends a system log message You can specify multiple class or m...

Page 480: ...egex url1 hostname config cmap match regex url2 hostname config cmap exit hostname config class map type regex match any methods_to_log hostname config cmap match regex get hostname config cmap match regex put hostname config cmap exit hostname config class map type inspect http http_url_policy hostname config cmap match request uri regex class url_to_log hostname config cmap match request method ...

Page 481: ...ts carried over the Internet or over other packet networks Using NAT and PAT with MGCP lets you support a large number of devices on an internal network with a limited set of external global addresses Examples of media gateways are as follows Trunking gateways that interface between the telephone network and a VoIP network Such gateways typically manage a large number of digital circuits Residenti...

Page 482: ... AuditEndpoint AuditConnection RestartInProgress The first four commands are sent by the call agent to the gateway The Notify command is sent by the gateway to the call agent The gateway may also send a DeleteConnection command The registration of the MGCP gateway with the call agent is achieved by the RestartInProgress command The AuditEndpoint and the AuditConnection commands are sent by the cal...

Page 483: ...GCP map configuration mode which is accessible by entering the mgcp map command in global configuration mode Note Using call agents to control the MGCP gateways does not restrict calls between the gateways For example the FWSM does not deny voice calls based on the call agent or gateway IP addresses configured by using the mgcp map command The gateways can make voice calls even when they are not c...

Page 484: ...ent as follows hostname config mgcp map call agent ip_address group_id c Configure the gateways To do so use the gateway command once per gateway as follows hostname config mgcp map gateway ip_address group_id d Optional If you want to change the maximum number of commands allowed in the MGCP command queue use the command queue command as follows hostname config mgcp map command queue command_limi...

Page 485: ...config access list mgcp_acl permit udp any any eq 2727 hostname config class map mgcp traffic hostname config cmap match access list mgcp_acl hostname config cmap mgcp map sample_map hostname config mgcp map call agent 10 10 11 5 101 hostname config mgcp map call agent 10 10 11 6 101 hostname config mgcp map call agent 10 10 11 7 102 hostname config mgcp map call agent 10 10 11 8 102 hostname conf...

Page 486: ...ay IP host pc 2 Transaction ID 2052 Endpoint name aaln 1 Call ID 9876543210abcdef Connection ID Media IP 192 168 5 7 Media port 6058 The following is sample output from the show mgcp sessions command hostname show mgcp sessions 1 in use 1 most used Gateway IP host pc 2 connection ID 6789af54c9 active 0 00 11 The following is sample output from the show mgcp sessions detail command hostname show mg...

Page 487: ...CP backup port TCP 2428 is enabled hostname config if access list mgcp extended permit udp any host 10 0 0 210 eq 2428 hostname config access list mgcp extended permit udp any any eq 2427 hostname config access list mgcp extended permit udp any any eq tftp Apply the above access lists on the inside and outside interfaces for incoming traffic hostname config access group mgcp in interface outside h...

Page 488: ...fig interface FastEthernet 0 1 hostname config if ip address 209 165 201 1 255 0 0 0 hostname config if no shut hostname config if ip host FWSM CCM 14 10 0 0 210 hostname config if exit hostname config ip route 10 0 0 0 255 0 0 0 209 165 201 2 hostname config mgcp hostname config mgcp call agent FWSM CCM 14 hostname config mgcp dtmf relay voip codec all mode out of band hostname config ccm manager...

Page 489: ...73 Using RealPlayer page 22 74 Restrictions and Limitations page 22 74 Enabling and Configuring RTSP Inspection page 22 74 RTSP Inspection Overview You control RTSP application inspection with the inspect rtsp command available in policy map class configuration mode This command is disabled by default The inspect rtsp command lets the FWSM pass RTSP packets RTSP is used by RealAudio RealNetworks A...

Page 490: ...and for live content not available via Multicast On the FWSM add an inspect rtsp port command Restrictions and Limitations The following restrictions apply to RTSP inspection The FWSM does not support multicast RTSP or RTSP messages over UDP The FWSM does not have the ability to recognize HTTP cloaking which hides RTSP messages in the HTTP messages The FWSM cannot perform NAT on RTSP messages beca...

Page 491: ...me is the name of the policy map The CLI enters the policy map configuration mode and the prompt changes accordingly Step 6 Specify the class map created in Step 3 that identifies the RTSP traffic Use the class command to do so as follows hostname config pmap class class_map_name hostname config pmap c where class_map_name is the name of the class map you created The CLI enters the policy map clas...

Page 492: ...ion page 22 86 SIP Sample Configuration page 22 87 SIP Inspection Overview SIP as defined by the IETF enables call handling sessions particularly two party audio conferences or calls SIP works with SDP for call signalling SDP specifies the ports for the media stream Using SIP the FWSM can support any SIP VoIP gateways and VoIP proxy servers SIP and SDP are defined in the following RFCs SIP Session...

Page 493: ...5 0 is not supported SIP inspection NATs the SIP text based messages recalculates the content length for the SDP portion of the message and recalculates the packet length and checksum It dynamically opens media connections for ports specified in the SDP portion of the SIP message as address ports on which the endpoint should listen SIP inspection has a database with indices CALL_ID FROM TO from th...

Page 494: ...ore regular expression class maps to group regular expressions according to the Creating a Regular Expression Class Map section on page 20 14 s Step 3 Optional Create a SIP inspection class map by performing the following steps A class map groups multiple traffic matches Traffic must match all of the match commands to match the class map if match all is specified Traffic must match any one of the ...

Page 495: ...owing command hostname config cmap match not content type sdp regex class class_name regex_name Where the regex regex_name argument is the regular expression you created in Step 1 The class regex_class_name is the regular expression class map you created in Step 2 g Optional To match a SIP IM subscriber enter the following command hostname config cmap match not im subscriber regex class class_name...

Page 496: ...s described in Step 3 If you use a match not command then any traffic that does not match the criterion in the match not command has the action applied b Specify the action you want to perform on the matching traffic by entering the following command hostname config pmap c drop drop connection mask reset log Not all options are available for each match or class command See the CLI help or the Cata...

Page 497: ...es g To enable state checking validation enter the following command hostname config pmap p state checking action drop drop connection reset log log h To enable strict verification of the header fields in the SIP messages according to RFC 3261 enter the following command hostname config pmap p strict header validation action drop drop connection reset log log Note To send a TCP reset from the univ...

Page 498: ...p_disconnect hh mm ss This command configures the idle timeout after which SIP media is deleted and media xlates are closed Range is from 1 to 10 minutes To configure the timeout for the SIP invite use the following command hostname config timeout sip_invite hh mm ss In the absence of the EXPIRE field in the SIP header this command configures the idle timeout after which pinholes for provisional r...

Page 499: ...nection Clear on BYE Message In Figure 22 13 when 200 OK is not received for the BYE message media connections are removed after the timeout sip disconnect occurs 191377 UAC UAC INVITE 100 Trying 200 OK Media CONN entry generate on FWSM BYE 200 OK Timer 180 ringing RTP Media CONN entry existing time CONN entry deletes on receipt of 200 OK or after SIP disconnect timer expires whichever is earlier ...

Page 500: ...4 the media connection is cleared after 200 OK is received for the CANCEL message If 200 OK is not received for the CANCEL SIP message the media connection is cleared after the timeout sip disconnect occurs 191378 UAC UAC INVITE 100 Trying Media CONN entry generate on FWSM CANCEL 200 OK Timer 180 ringing with SDP Media CONN entry existing time Firewall Service Module FWSM CONN entry deletes on rec...

Page 501: ... 1xx 2xx responses is configurable or configured based on the EXPIRE field When the EXPIRE field exists in the SIP INVITE message and is less than 30 minutes the timeout for pinholes for receiving 1xx 2xx responses is set to the EXPIRE field value If the EXPIRE field value in the SIP INVITE header is greater than 30 minutes the timeout for provisional responses is set to 30 minutes In the absence ...

Page 502: ...0 command The show timeout sip command displays the timeout value of the designated protocol The show sip command displays information for SIP sessions established across the FWSM Along with the debug sip show local host and show service policy inspect sip commands this command is used for troubleshooting SIP inspection engine issues Note We recommend that you configure the pager command before en...

Page 503: ...if nameif outside hostname config if security level 0 hostname config if ip address 10 2 0 10 255 0 0 0 hostname config if Vlan 12 is an outside Vlan that routes all packets to 10 x x x network back to the FWSM with the next hop IP address set to 10 2 0 10 This is done by configuring policy based routing at the up stream router hostname config if interface Vlan50 hostname config if nameif inside h...

Page 504: ...e config pmap c inspect tftp hostname config pmap c inspect sip privacy Router configuration hostname config interface GigabitEthernet0 2 hostname config if ip address 10 2 0 5 255 0 0 0 hostname config if ip policy route map privacy hostname config if duplex auto hostname config if speed auto hostname config if media type rj45 hostname config if no negotiation auto hostname config if hostname con...

Page 505: ...the default port configuration This section includes the following topics SCCP Inspection Overview page 22 89 Supporting Cisco IP Phones page 22 90 Restrictions and Limitations page 22 90 Configuring and Enabling SCCP Inspection page 22 90 Verifying and Monitoring SCCP Inspection page 22 92 SCCP Skinny Sample Configuration page 22 93 SCCP Inspection Overview Skinny SCCP is a simplified protocol us...

Page 506: ...rt 69 While you do need a static identity entry for the TFTP server this does not have to be an identity static entry When you use NAT a static identity entry maps to the same IP address When you use PAT it maps to the same IP address and port When the Cisco IP Phones are on a higher security interface compared to the TFTP server and Cisco CallManager no access list or static identity entry is req...

Page 507: ...re than one non contiguous port for SCCP inspection enter the access list extended command and define an ACE to match each port Then enter the match command to associate the access lists with the SCCP traffic class Step 3 Name the policy map by entering the following command hostname config policy map policy_map_name Replace policy_map_name with the name of the policy map as in the following examp...

Page 508: ...hostname config cmap match port tcp eq 2000 hostname config cmap exit hostname config policy map sample_policy hostname config pmap class sccp_port hostname config pmap c inspect skinny hostname config pmap c exit hostname config service policy sample_policy interface outside Verifying and Monitoring SCCP Inspection The show skinny command assists in troubleshooting SCCP Skinny inspection engine i...

Page 509: ...ity level 100 hostname config if ip address 10 100 100 2 255 0 0 0 hostname config if hostname config if interface Vlan90 hostname config if nameif callmgr hostname config if security level 75 hostname config if ip address 209 165 201 254 255 0 0 0 TFTP port is enabled for the IP address of the CallManager so that phones on the inside and outside can download configuration files from the CallManag...

Page 510: ...ctions TCP out 209 165 201 211 49692 in 209 165 201 210 49723 idle 0 00 27 Bytes 12394 FLAGS UBOI UDP out 209 165 201 211 19212 in 10 0 0 2 24002 idle 0 00 00 Bytes 3575654 FLAGS K Multicast sessions Network Processor 1 connections Network Processor 2 connections IPV6 connections SMTP and Extended SMTP Inspection This section describes how to enable SMTP and ESMTP application inspection and change...

Page 511: ...are ignored With SMTP inspection enabled a Telnet session used for interactive SMTP may hang if the following rules are not observed SMTP commands must be at least four characters in length must be terminated with carriage return and line feed and must wait for a response before issuing the next reply An SMTP server responds to client requests with numeric reply codes and optional human readable s...

Page 512: ... to which the port mapper process listens If you need to assign a range of contiguous ports use the range keyword as in the following example hostname config cmap match port tcp range begin_port_number end_port_number Tip To identify two or more non contiguous ports enter the access list extended command and define an ACE to match each port Then rather than the match port command use the match acc...

Page 513: ...gned to the interface with the nameif command The FWSM begins inspecting SMTP traffic as specified Example 22 13 Configuring and Enabling ESMTP Inspection hostname config class map smtp_port hostname config cmap match port tcp eq 25 hostname config cmap policy map sample_policy hostname config pmap class smtp_port hostname config pmap c inspect esmtp hostname config pmap c service policy sample_po...

Page 514: ...he access list extended command and define an ACE to match each port Then rather than the match port command use the match access list command to associate the access list with the SNMP traffic class Step 4 Create an SNMP map that will contain the parameters of SNMP inspection Use the snmp map command to do so as follows hostname config cmap snmp map map_name hostname config snmp map where map_nam...

Page 515: ... the name assigned to the interface with the nameif command The FWSM begins inspecting SNMP traffic as specified Example 22 14 enables SNMP application inspection on traffic sent to TCP ports 161 and 162 from the outside interface Example 22 14 Configuring SNMP Application Inspection hostname config class map snmp_port hostname config cmap match port tcp range 161 162 hostname config cmap snmp map...

Page 516: ...is packet and opens both embryonic TCP and UDP connections on that port Note NAT or PAT of Sun RPC payload information is not supported Enabling and Configuring Sun RPC Inspection Sun RPC inspection is enabled by default Note To enable or configure Sun RPC inspection over UDP you do not have to define a separate traffic class or a new policy map You simply add the inspect sunrpc command into a pol...

Page 517: ...nfig pmap class class_map_name hostname config pmap c where class_map_name is the name of the class map you created in Step 2 The CLI enters the policy map class configuration mode and the prompt changes accordingly Step 6 Enable Sun RPC application inspection To do so enter the following command hostname config pmap c inspect sunrpc hostname config pmap c Step 7 Use the service policy command to ...

Page 518: ...ou can also specify UDP a different port number or a range of ports To specify a range of ports separate the starting and ending port numbers in the range with a hyphen for example 111 113 The service type identifies the mapping between a specific service type and the port number used for the service To determine the service type which in this example is 100003 use the sunrpcinfo command at the UN...

Page 519: ...MEOUT 1 209 165 201 5 0 192 168 100 2 2049 100003 0 30 00 2 209 165 201 5 0 192 168 100 2 2049 100003 0 30 00 3 209 165 201 5 0 192 168 100 2 647 100005 0 30 00 4 209 165 201 5 0 192 168 100 2 650 100005 0 30 00 The entry in the LOCAL column shows the IP address of the client or server on the inside interface while the value in the FOREIGN column shows the IP address of the client or server on the...

Page 520: ...see the inspect tftp command page in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference XDMCP Inspection XDMCP inspection is enabled by default however the XDMCP inspection engine is dependent upon proper configuration of the established command For information about XDMCP inspection see the established and inspect pptp and command pages in the ...

Page 521: ...P A R T 3 System Administration ...

Page 522: ......

Page 523: ...lnet Access The FWSM allows Telnet connections to the FWSM for management purposes You cannot use Telnet to the lowest security interface unless you use Telnet inside an IPSec tunnel The FWSM allows a maximum of 5 concurrent Telnet connections per context if available with a maximum of 100 connections divided between all contexts You can control the number of Telnet sessions allowed per context us...

Page 524: ...e hostname config telnet timeout 30 To allow all users on the 192 168 3 0 network to access the FWSM on the inside interface enter the following command hostname config telnet 192 168 3 0 255 255 255 0 inside Allowing SSH Access The FWSM allows SSH connections to the FWSM for management purposes The FWSM allows a maximum of 5 concurrent SSH connections per context if available with a maximum of 10...

Page 525: ...ld be increased until all pre production testing and troubleshooting has been completed Step 4 Optional To restrict the version of SSH accepted by the FWSM enter the following command By default the FWSM accepts both versions hostname config ssh version 1 2 For example to generate RSA keys and let a host on the inside interface with an address of 192 168 1 2 access the FWSM enter the following com...

Page 526: ...TPS server enter the following command hostname config http server enable For example to enable the HTTPS server and let a host on the inside interface with an address of 192 168 1 2 access ASDM enter the following commands hostname config http server enable hostname config http 192 168 1 2 255 255 255 255 inside To allow all users on the 192 168 3 0 network to access ASDM on the inside interface ...

Page 527: ... from 1 to 65 534 with 1 being the highest priority and 65 534 the lowest Use this same priority number for the following isakmp commands Step 2 To set the Diffie Hellman group used for key exchange enter the following command hostname config isakmp policy priority group 1 2 Group 1 is 768 bits and Group 2 is 1024 bits and therefore more secure Step 3 To set the authentication algorithm enter the ...

Page 528: ...fig isakmp policy 1 group 2 hostname config isakmp policy 1 hash sha hostname config isakmp enable outside hostname config crypto ipsec transform set vpn_client esp 3des esp sha hmac hostname config crypto ipsec transform set site_to_site esp 3des ah sha hmac Configuring VPN Client Access In routed mode a host with Version 3 0 or 4 0 of the Cisco VPN client can connect to the FWSM for management p...

Page 529: ...owing command hostname config access list acl_name extended permit protocol host fwsm_interface_address pool_addresses mask This access list identifies traffic from the local pool see Step 4 destined for the FWSM interface See the Adding an Extended Access List section on page 13 6 for more information about access lists Step 6 To assign the VPN address pool to a tunnel group enter the following c...

Page 530: ...ngs see Configuring Basic Settings for All Tunnels and then perform the following steps Step 1 To set the shared key used by both peers enter the following command hostname config isakmp key keystring address peer address Step 2 To identify the traffic allowed to go over the tunnel enter the following command hostname config access list acl_name extended deny permit protocol host fwsm_interface_ad...

Page 531: ... key 7mfi02lirotn address 209 165 200 223 hostname config access list TUNNEL extended permit ip host 209 165 200 225 209 165 201 0 255 255 255 224 hostname config crypto map telnet_tunnel 2 ipsec isakmp hostname config crypto map telnet_tunnel 1 match address TUNNEL hostname config crypto map telnet_tunnel 1 set peer 209 165 202 129 hostname config crypto map telnet_tunnel 1 set transform set vpn ...

Page 532: ... icmp permit host 10 1 1 15 inside AAA for System Administrators This section describes how to enable CLI authentication command authorization and command accounting for system administrators Before you configure AAA for system administrators first configure the local database or AAA server according to Chapter 11 Configuring AAA Servers and the Local Database Note In multiple context mode you can...

Page 533: ...enable authentication enter the system enable password when you enter the enable command set by the enable password command However if you do not use enable authentication after you enter the enable command you are no longer logged in as a particular user To maintain your username use enable authentication If you configure enable authentication see the Configuring Authentication for the Enable Com...

Page 534: ...ering LOCAL alone For example to enable authentication for sessions from the switch to the FWSM system execution space enter the following commands starting from the switch CLI Router session slot 1 processor 1 for an FWSM in slot 1 The default escape character is Ctrl then x You can also type exit at the remote prompt to end the session Trying 127 0 0 41 Open User Access Verification Password cis...

Page 535: ... console LOCAL server_group LOCAL The user is prompted for the username and password If you use a TACACS or RADIUS server group for authentication you can configure the FWSM to use the local database as a fallback method if the AAA server is unavailable Specify the server group name followed by LOCAL LOCAL is case sensitive We recommend that you use the same username and password in the local data...

Page 536: ...uration commands If you want to control the access to commands the FWSM lets you configure command authorization where you can determine which commands are available to a user This section includes the following topics Command Authorization Overview page 23 14 Configuring Local Command Authorization page 23 15 Configuring TACACS Command Authorization page 23 18 Command Authorization Overview You c...

Page 537: ... associate each command that is issued with a particular administrator Because all administrators with permission to use the changeto command can use the enable_15 username in other contexts command accounting records may not readily identify who was logged in as the enable_15 username If you use different accounting servers for each context tracking who was using the enable_15 username requires c...

Page 538: ...e Local Database section on page 11 7 Default Command Privilege Levels By default the following commands are assigned to privilege level 0 All other commands are at level 15 show checksum show curpriv enable enable mode help show history login logout pager show pager clear pager quit show version If you move any configure mode commands to a lower level than 15 be sure to move the configure command...

Page 539: ...an configure the context command but not the allocate interface command which inherits the settings from the context command Step 2 To enable local command authorization enter the following command hostname config aaa authorization command LOCAL Even if you set command privilege levels command authorization does not take place unless you enable command authorization with this command For example t...

Page 540: ... show running config all privilege all privilege show level 15 command aaa privilege clear level 15 command aaa privilege configure level 15 command aaa privilege show level 15 command aaa server privilege clear level 15 command aaa server privilege configure level 15 command aaa server privilege show level 15 command access group privilege clear level 15 command access group privilege configure l...

Page 541: ...I authentication see the Configuring Authentication for CLI and ASDM Access section on page 23 10 Configure enable authentication see the Configuring Authentication to Access Privileged EXEC Mode section on page 23 13 Configuring Commands on the TACACS Server You can configure commands on a Cisco Secure Access Control Server ACS as a shared profile component for a group or for individual users For...

Page 542: ...le word you must permit unmatched arguments even if there are no arguments for the command for example enable or help see Figure 23 2 Figure 23 2 Permitting Single Word Commands To disallow some arguments enter the arguments preceded by deny For example to allow enable but not enable password enter enable in the commands field and deny password in the arguments field Be sure to check the Permit Un...

Page 543: ...rguments to the TACACS server as you enter them For example if you enter sh log then the FWSM sends the entire command to the TACACS server show logging However if you enter sh log mess then the FWSM sends show logging mess to the TACACS server and not the expanded command show logging message You can configure multiple spellings of the same argument to anticipate abbreviations see Figure 23 4 Fig...

Page 544: ...see the Configuring the Local Database section on page 11 7 and command privilege levels see the Configuring Local Command Authorization section on page 23 15 Configuring Command Accounting You can send accounting messages to the TACACS accounting server when you enter any command other than show commands at the CLI If you customize the command privilege level using the privilege command see the A...

Page 545: ...1 P_PRIV Privileged EXEC mode levels 2 to 15 P_CONF Configuration mode Table 23 2 CLI Authentication and Command Authorization Lockout Scenarios Feature Lockout Condition Description Workaround Single Mode Workaround Multiple Mode Local CLI authentication No users in the local database If you have no users in the local database you cannot log in and you cannot add any users Log in and reset the pa...

Page 546: ...and reset the passwords and aaa commands Session in to the FWSM from the switch From the system execution space you can change to the context and complete the configuration changes You can also disable command authorization until you fix the TACACS configuration Local command authorization You are logged in as a user without enough privileges You enable command authorization but then find that the...

Page 547: ... page 24 14 Configuring Auto Update Support page 24 18 Note Because the FWSM runs its own operating system upgrading the Cisco IOS software does not affect the operation of the FWSM Managing Licenses When you install the software the existing activation key is extracted from the original image and stored in a file in the FWSM file system This section includes the following topics Obtaining an Acti...

Page 548: ... Activation Key To enter the activation key enter the following command hostname config activation key key The key is a four element hexadecimal string with one space between each element For example a key in the correct form might look like the following key 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e The leading 0x specifier is optional all values are assumed to be hexadecimal If you are already...

Page 549: ...o the maintenance partition which might not be convenient if you have an operational application partition This method supports downloading from an FTP server only To upgrade ASDM you can only install to the current application partition from the FWSM CLI See the Managing the Firewall Services Module Boot Partitions section on page 2 10 for more information about application and maintenance partit...

Page 550: ...wsm_address disk For example to copy the application software from an FTP server enter the following command hostname copy ftp 10 94 146 80 tftpboot user1 cdisk flash copying ftp 10 94 146 80 tftpboot user1 cdisk to flash Received 6128128 bytes Erasing current image This may take some time Writing 6127616 bytes of image Image installed Step 3 To run the new software you need to reload the system I...

Page 551: ...t Then perform this procedure on the secondary unit After you complete the upgrade procedure for the secondary unit make both failover groups active on the secondary unit using the no failover active command in the system execution space of the primary unit Then upgrade the active unit If upgrading to a minor or major release using failover If you have a failover pair upgrade the primary unit firs...

Page 552: ...e enable set boot device cf 4 5 mod_num Step 5 To boot the FWSM into the maintenance partition enter the command for your operating system at the switch prompt For Cisco IOS software enter the following command Router hw module module mod_num reset cf 1 For Catalyst operating system software enter the following command Console enable reset mod_num cf 1 Step 6 To session in to the FWSM enter the co...

Page 553: ...ion partition that you set as the default in Step 4 enter the command for your operating system For Cisco IOS software enter the following command Router hw module module mod_num reset For Catalyst operating system software enter the following command Console enable reset mod_num Step 12 To session in to the FWSM enter the command for your operating system Cisco IOS software Router session slot nu...

Page 554: ...or of the device WARNING This command will initiate a Reboot Proceed with change mode confirm Confirm to reload the FWSM Installing ASDM from the FWSM CLI When you log in to the FWSM during normal operation you can copy ASDM software to the current application partition from a TFTP FTP HTTP or HTTPS server For multiple context mode you must be in the system execution space To check connectivity us...

Page 555: ...an upgrade from 3 1 1 to 3 1 3 without first installing the maintenance releases in between To ensure long term compatibility and stability we recommend upgrading both units to the same version as soon as possible The FWSM does not support upgrading from between major or minor releases for example from 2 3 to 3 1 without downtime Note To upgrade failover pairs from the maintenance partition see th...

Page 556: ...d reloading and is in the Standby Ready state force the active unit to fail over to the standby unit by entering the following command on the active unit Note Use the show failover command to verify that the standby unit is in the Standby Ready state primary no failover active Step 5 Reload the former active unit now the new standby unit by entering the following command primary reload Step 6 Opti...

Page 557: ...he preempt command they will automatically become active on their designated unit after the preempt delay has passed If the failover groups are not configured with the preempt command you can return them to active status on their designated units using the failover active group command Upgrading Failover Pairs to a New Minor or Major Release To upgrade two units in an Active Active or Active Stand...

Page 558: ... Maintenance Software Release To determine the maintenance software release you must boot in to the maintenance partition and view the release by performing the following steps Step 1 If necessary end the FWSM session by entering the following command hostname exit Logoff Connection to 127 0 0 31 closed by foreign host Router You might need to enter the exit command multiple times if you are in a ...

Page 559: ...aintenance Software If you need to upgrade the maintenance software perform the following steps Step 1 Download the maintenance software from Cisco com at the following URL http www cisco com cgi bin tablebuild pl cat6000 serv maint Put the software on a TFTP HTTP or HTTPS server that is accessible from the FWSM admin context Step 2 If required log out of the maintenance partition and reload the a...

Page 560: ...owing command hostname reload Alternatively you can log out of the FWSM in preparation for booting in to the maintenance partition from the maintenance partition you can install application software to both application partitions To end the FWSM session enter the following command hostname exit Logoff Connection to 127 0 0 31 closed by foreign host Router You might need to enter the exit command m...

Page 561: ...h memory disk For example hostname show file info admin cfg disk admin cfg type is ascii text file size is 959 bytes Downloading a Text Configuration to the Startup or Running Configuration You can download a text file from the following server types to the single mode configuration or the multiple mode system configuration TFTP FTP HTTP HTTPS For a multiple mode context see the Downloading a Cont...

Page 562: ...xample to copy the configuration from a TFTP server enter the following command hostname copy tftp 209 165 200 226 configs startup cfg startup config To copy the configuration from an FTP server enter the following command hostname copy ftp admin letmein 209 165 200 227 configs startup cfg type an startup config To copy the configuration from an HTTP server enter the following command hostname cop...

Page 563: ...ig running config ftp user password server path filename To copy to local flash memory enter the following command hostname copy startup config running config disk path filename Be sure the destination directory exists If it does not exist first create the directory using the mkdir command Backing Up a Context Configuration in Flash Memory In multiple context mode copy context configurations that ...

Page 564: ...ntext mode only This section includes the following topics Configuring Communication with an Auto Update Server page 24 18 Viewing Auto Update Server Status page 24 20 Configuring Communication with an Auto Update Server To configure an Auto Update Server perform the following steps Step 1 To specify the URL of the AUS use the following command hostname config auto update server url source interfa...

Page 565: ...n minutes to check for an update The default is 720 minutes 12 hours The retry count argument specifies how many times to try reconnecting to the server if the first attempt fails The default is 0 The retry period argument specifies how long to wait in minutes between retries The default is 5 Step 4 Optional If the Auto Update Server has not been contacted for a certain period of time the followin...

Page 566: ...date Server status enter the following command hostname config show auto update The following is sample output from the show auto update command hostname config show auto update Server https 209 165 200 224 1742 management cgi 1276 Certificate will be verified Poll period 720 minutes retry count 2 retry period 5 minutes Timeout none Device ID host name corporate Next poll in 4 93 minutes Last poll...

Page 567: ...so describes the syslog message format options and variables This section includes the following topics Logging Overview page 25 1 Enabling and Disabling Logging page 25 2 Configuring Log Output Destinations page 25 4 Filtering Syslog Messages page 25 11 Customizing the Log Configuration page 25 15 Understanding Syslog Messages page 25 19 Logging Overview The FWSM supports the generation of an aud...

Page 568: ... configuration and generates its own messages If you log in to the system or admin context and then change to another context messages you view in your session are only those that are related to the current context Syslog messages that are generated in the system execution space including failover messages are viewed in the admin context along with messages generated in the admin context You canno...

Page 569: ...ging enabled Facility 16 Timestamp logging disabled Standby logging disabled Deny Conn when Queue Full disabled Console logging disabled Monitor logging disabled Buffer logging disabled Trap logging level errors facility 16 3607 messages logged Logging to infrastructure 10 1 2 3 History logging disabled Device ID inside interface IP address 10 1 1 1 Mail logging disabled ASDM logging disabled Prin...

Page 570: ... the FWSM you must specify a log output destination If you enable logging without specifying a log output destination the FWSM generates messages but does not save them to a location from which you can view them This section includes the following topics Sending Syslog Messages to a Syslog Server page 25 4 Sending Syslog Messages to an E mail Address page 25 6 Sending Syslog Messages to ASDM page ...

Page 571: ...r the syslog server is operational The port argument specifies the port that the syslog server listens to for syslog messages Valid port values are 1025 through 65535 for either protocol The default UDP port is 514 The default TCP port is 1470 For example hostname config logging host dmz1 192 168 1 5 If you want to designate more than one syslog server as an output destination enter a new command ...

Page 572: ...wing command hostname config logging mail severity_level message_list Where the severity_level argument specifies the severity levels of messages to be sent to the e mail address You can specify the severity level number 0 through 7 or name For severity level names see the Severity Levels section on page 25 20 For example if you set the severity level to 3 then the FWSM sends syslog messages for s...

Page 573: ...the following topics Configuring Logging for ASDM page 25 7 Clearing the ASDM Log Buffer page 25 8 Configuring Logging for ASDM Note To start logging to ASDM as defined in this procedure be sure to enable logging for all output locations See the Enabling Logging to All Configured Output Destinations section on page 25 2 To disable logging see the Disabling Logging to All Configured Output Destinat...

Page 574: ...a Telnet or SSH session 2 View syslog messages in the current session This section includes the following topics Configuring Logging for Telnet and SSH Sessions page 25 8 Viewing Syslog Messages in the Current Session page 25 9 Configuring Logging for Telnet and SSH Sessions Note To start logging to a Telnet or SSH session as defined in this procedure be sure to enable logging for all output locat...

Page 575: ... 25 9 Viewing the Log Buffer page 25 10 Automatically Saving the Full Log Buffer to Flash Memory page 25 10 Automatically Saving the Full Log Buffer to an FTP Server page 25 11 Saving the Current Contents of the Log Buffer to Internal Flash Memory page 25 11 Clearing the Contents of the Log Buffer page 25 11 Enabling the Log Buffer as an Output Destination Note To start logging to the buffer as de...

Page 576: ...192 the FWSM uses 8 KB of memory for the log buffer The following example specifies that the FWSM uses 16 KB of memory for the log buffer hostname config logging buffer size 16384 Automatically Saving the Full Log Buffer to Flash Memory Unless configured otherwise the FWSM sends messages to the log buffer on a continuing basis overwriting old messages when the buffer is full If you want to keep a ...

Page 577: ...ved This path is relative to the FTP root directory The username argument specifies a username that is valid for logging in to the FTP server The password argument specifies the password for the username specified For example hostname config logging ftp server 10 1 1 1 syslogs logsupervisor 1luvMy10gs Saving the Current Contents of the Log Buffer to Internal Flash Memory At any time you can save t...

Page 578: ...m administrators of a possible problem Filtering Syslog Messages by Class The syslog message class provides a method of categorizing syslog messages by type equivalent to a feature or function of the FWSM For example the auth class denotes user authentication This section includes the following topics Message Class Overview page 25 12 Sending All Messages in a Class to a Specified Output Destinati...

Page 579: ...verity_level argument further restricts the syslog messages to be sent to the output destination by specifying a severity level For more information about message severity levels see the Severity Levels section on page 25 20 The following example specifies that all syslog messages related to the class ha high availability also known as failover with a severity level of 1 alerts should be sent to t...

Page 580: ...ment specifies the name of the list Do not use the names of severity levels as the name of a syslog message list Prohibited names include emergency alert critical error warning notification informational and debugging Similarly do not use the first three characters of these words at the beginning of a filename For example do not use a filename that starts with the characters err The level level ar...

Page 581: ...Messages in EMBLEM Format page 25 16 Disabling a Syslog Message page 25 17 Changing the Severity Level of a Syslog Message page 25 17 Changing the Amount of Internal Flash Memory Available for Syslog Messages page 25 18 Configuring the Logging Queue The FWSM has a fixed number of blocks in memory that can be allocated for buffering syslog messages while they are waiting to be sent to the configure...

Page 582: ... the specified FWSM interface IP address regardless of the interface from which the syslog message is sent This keyword provides a single consistent device ID for all syslog messages that are sent from the device The string text argument specifies that the text string should be used as the device ID The string can contain up to16 characters You cannot use blank spaces or any of the following chara...

Page 583: ...age message_number For example hostname config no logging message 113019 To reenable a disabled syslog message enter the following command hostname config logging message message_number For example hostname config logging message 113019 To see a list of disabled syslog messages enter the following command hostname config show logging message To reenable logging of all disabled syslog messages ente...

Page 584: ...gging message 403503 syslog 403503 default level errors current level alerts enabled hostname config no logging message 403503 level 3 hostname config show logging message 403503 syslog 403503 default level errors enabled Changing the Amount of Internal Flash Memory Available for Syslog Messages You can have the FWSM save the contents of the log buffer to internal flash memory in two ways Configur...

Page 585: ...mory must be 4000 KB before the FWSM can save a new log file hostname config logging flash minimum free 4000 Understanding Syslog Messages This section describes the contents of syslog messages generated by the security appliance It includes the following topics Syslog Message Format page 25 19 Severity Levels page 25 20 Syslog Message Format Syslog messages begin with a percent sign and are struc...

Page 586: ...orts traps and SNMP read access but does not support SNMP write access You can configure the FWSM to send traps event notifications to a network management station NMS or you can use the NMS to browse the MIBs on the FWSM MIBs are a collection of definitions and the FWSM maintains a database of values for each definition Browsing a MIB entails issuing an SNMP get request from the NMS Use CiscoWork...

Page 587: ...ct resource usage data efficiently schedule polling on a per context basis Table 25 3 SNMP MIB and Trap Support MIB and Trap Description CISCO CRYPTO ACCELERATOR MIB The FWSM supports browsing of the MIB CISCO ENTITY MIB CISCO ENTITY ALARM MIB CISCO ENTITY FRU CONTROL MIB CISCO ENTITY REDUNDANCY MIB The FWSM supports browsing of the following groups and tables entLogicalTable entPhysicalTable The ...

Page 588: ...GER 2 2 means extended access list SNMPv2 SMI enterprises 9 9 278 1 1 2 1 2 1 1 STRING aaa SNMPv2 SMI enterprises 9 9 278 1 1 2 1 2 2 1 STRING aaa SNMPv2 SMI enterprises 9 9 278 1 1 2 1 3 1 1 INTEGER 1 SNMPv2 SMI enterprises 9 9 278 1 1 2 1 3 2 1 INTEGER 1 SNMPv2 SMI enterprises 9 9 278 1 1 3 1 3 3 97 97 97 1 INTEGER 2 SNMPv2 SMI enterprises 9 9 278 1 1 3 1 4 3 97 97 97 1 INTEGER 1 SNMPv2 SMI ente...

Page 589: ...s current ACL hit counter for ACL aaa where 3 97 97 97 denotes the access list name in ASCII characters The access list name aaa translates to 97 97 97 where 97 is the ASCII equivalent of the character a The 3 denotes the number of characters in the ASCII list name The following example shows an unexpanded access list with a network object group which can be retrieved through SNMP operations The h...

Page 590: ...access list aaa line 1 extended permit tcp host 50 1 1 3 host 60 1 1 3 hitcnt 0 0xa2b03187 not exposed snmpwalk 60 0 0 2 c public v 2c 1 3 6 1 4 1 9 9 278 SNMPv2 SMI enterprises 9 9 278 1 1 1 1 2 3 97 97 97 INTEGER 2 SNMPv2 SMI enterprises 9 9 278 1 1 3 1 3 3 97 97 97 1 INTEGER 2 SNMPv2 SMI enterprises 9 9 278 1 1 3 1 4 3 97 97 97 1 INTEGER 1 SNMPv2 SMI enterprises 9 9 278 1 1 3 1 5 3 97 97 97 1 S...

Page 591: ...server host outside 60 0 0 1 community public version 2c udp port 161 FWSM show ipv6 access list ipv6 access list allow_ipv6 1 elements ipv6 access list allow_ipv6 line 1 permit tcp any any eq www hitcnt 0 0xfabbda56 snmpwalk 60 0 0 2 c public v 2c 1 3 6 1 4 1 9 9 278 returns as SNMPv2 SMI enterprises 9 9 278 1 1 1 1 2 10 97 108 108 111 119 9 5 105 112 118 54 INTEGER 3 SNMPv2 SMI enterprises 9 9 2...

Page 592: ...8 111 119 95 105 112 118 54 1 SNMPv2 SMI enterprises 9 9 278 1 1 3 1 23 10 97 108 108 111 119 95 105 112 118 54 1 SNMPv2 SMI enterprises 9 9 278 1 1 3 1 24 10 97 108 108 111 119 95 105 112 118 54 1 SNMPv2 SMI enterprises 9 9 278 1 1 3 1 25 10 97 108 108 111 119 95 105 112 118 54 1 SNMPv2 SMI enterprises 9 9 278 1 1 3 1 26 10 97 108 108 111 119 95 105 112 118 54 1 SNMPv2 SMI enterprises 9 9 278 1 1...

Page 593: ...of the following traps limit reached rate limit reached The FWSM supports browsing of the following tables ciscoL4L7ResourceLimitTable ciscoL4L7ResourceRateLimitTable CISCO MEMORY POOL MIB The FWSM supports browsing of the following table ciscoMemoryPoolTable The memory usage described in this table applies only to the security appliance general purpose processor and not to the network processors ...

Page 594: ...Services Module Configuring SNMP CISCO UNIFIED FIREWALL MIB The FWSM supports browsing of the MIB The FWSM supports browsing of the following group cufwUrlFilterGlobals This group provides global URL filtering statistics IF MIB The FWSM supports browsing of the following tables ifTable ifXTable Table 25 3 SNMP MIB and Trap Support continued MIB and Trap Description ...

Page 595: ...er local IP MIB ip 24 7 1 9 1 4 50 0 0 0 8 0 1 4 0 0 0 0 INTEGER 2 2 means local or connected route IP MIB ip 24 7 1 9 1 4 60 0 0 0 8 0 1 4 0 0 0 0 INTEGER 2 2 means local or connected route IP MIB ip 24 7 1 10 1 4 50 0 0 0 8 0 1 4 0 0 0 0 Gauge32 0 IP MIB ip 24 7 1 10 1 4 60 0 0 0 8 0 1 4 0 0 0 0 Gauge32 0 IP MIB ip 24 7 1 11 1 4 50 0 0 0 8 0 1 4 0 0 0 0 Gauge32 0 IP MIB ip 24 7 1 11 1 4 60 0 0 0...

Page 596: ...RouteIfIndex from the inetCidrRouteTable enter the following snmpget 60 0 0 2 c public v 2c ip 24 7 1 7 1 4 50 0 0 0 8 0 1 4 0 0 0 0 returns as IP MIB ip 24 7 1 7 1 4 50 0 0 0 8 0 1 4 0 0 0 0 INTEGER 1 Note You cannot perform an SNMP query for IPv6 route entries Up to a three minute delay may occur between route entries displayed in the show route command and you can perform an SNMP query for this...

Page 597: ...1 1 4 50 0 0 1 Hex STRING 00 04 23 B3 9D EA IP MIB ip 35 1 4 2 1 4 60 0 0 1 Hex STRING 00 0E 0C 4E F6 CC For an SNMP request for a specific IP address from the ipNetToPhysicalTable enter the following snmpwalk 60 0 0 2 c public v 2c IP MIB ip 35 1 4 1 1 4 50 0 0 1 returns IP MIB ip 35 1 4 1 1 4 50 0 0 1 Hex STRING 00 04 23 B3 9D EA The ipNetToPhysicalTable object is indexed by ipNetToPhysicalIfInd...

Page 598: ... to the FWSM enter the following command NAT MIB The FWSM supports browsing of the MIB The FWSM sends the following trap packet discard The FWSM supports browsing of the following tables natAddrBindTable natAddrPortBindTable RFC1213 MIB The FWSM supports browsing of the following table ip ipAddrTable SNMP core traps The FWSM sends the following SNMP core traps authentication An SNMP request fails ...

Page 599: ...or contact information enter the following command hostname config snmp server contact location text Where text defines the SNMP server location or contact information Step 5 To enable the FWSM to send traps to the NMS enter the following command hostname config snmp server enable traps all syslog snmp trap cpu threshold trap entity trap ipsec trap nat trap remote access trap resource trap Enter t...

Page 600: ...mand hostname config cpu threshold rising threshold_value monitoring level Step 6 To enable syslog messages to be sent as traps to the NMS enter the following command hostname config logging history level You must also enable syslog traps using the preceding snmp server enable traps command Step 7 To enable logging and generate syslog messages which can then be sent to an NMS enter the following c...

Page 601: ... and debug messages during troubleshooting When you are done testing the FWSM follow the steps in the Disabling the Test Configuration section on page 26 5 This section includes Enabling ICMP Debug Messages and System Log Messages page 26 1 Pinging FWSM Interfaces page 26 2 Pinging Through the FWSM page 26 4 Disabling the Test Configuration page 26 5 Enabling ICMP Debug Messages and System Log Mes...

Page 602: ...d 1 seq 768 209 165 201 2 209 165 201 1 Inbound ICMP echo reply len 32 id 1 seq 768 209 165 201 1 209 165 201 2 Outbound ICMP echo request len 32 id 1 seq 1024 209 165 201 2 209 165 201 1 Inbound ICMP echo reply len 32 id 1 seq 1024 209 165 201 1 209 165 201 2 The preceding example shows the ICMP packet length 32 bytes the ICMP packet identifier 1 and the ICMP sequence number the ICMP sequence num...

Page 603: ...2 Ping Failure at FWSM Interface If the ping reaches the FWSM and the FWSM responds you see debug messages like the following ICMP echo reply len 32 id 1 seq 256 209 165 201 1 209 165 201 2 ICMP echo request len 32 id 1 seq 512 209 165 201 2 209 165 201 1 If the ping reply does not return to the router then you might have a switch loop or redundant IP addresses see Figure 26 3 Routed FWSM 10 1 1 5...

Page 604: ... is working correctly if configured For transparent mode which does not use NAT this test confirms that the FWSM is operating correctly if the ping fails in transparent mode contact Cisco TAC To ping between hosts on different interfaces perform the following steps Step 1 To add an access list allowing ICMP from any source host enter the following command hostname config access list ICMPACL extend...

Page 605: ...ailed 305005 or 305006 If the ping is from an outside host to an inside host and you do not have a static translation which is required with NAT control you see message 106010 deny inbound icmp Note The FWSM only shows ICMP debug messages for pings to the FWSM interfaces and not for pings through the FWSM to other hosts Figure 26 5 Ping Failure Because the FWSM is not Translating Addresses Disabli...

Page 606: ...n reset the passwords and portions of AAA configuration to the default values You must log in to the maintenance partition to perform this procedure Step 1 Set the application boot partition by entering the following command at the switch prompt Router set boot device cf n mod_num The default boot partition for the module is cf 4 The maintenance partition is cf 1 Later in this procedure you specif...

Page 607: ...r you have reset the password you can log in to the FWSM using the default values When you are logged into the FWSM reboot it by entering the reload or reboot command Reset the FWSM to boot from the maintenance partition by entering the hw module module mod_num reset cf 1 command For more information see the Setting the Default Boot Partition section on page 2 10 and the Resetting the FWSM or Boot...

Page 608: ...front end network processors the packet capture feature is implemented in these network processors So all the packets that hit the FWSM can be captured by these front end processors if an appropriate capture is configured for those traffic interfaces On the ingress side the packets are captured the moment the packet hits the FWSM interfaces and on the egress side the packets are captured just befo...

Page 609: ...ed permit ip any any Step 2 To configure the capture enter the following command hostname config capture name access list acl_name interface interface_name By default configuring a capture creates a linear capture buffer of size 512 KB You can optionally configure a circular buffer By default only 68 bytes of the packets are captured in the buffer You can optionally change this value See the captu...

Page 610: ... section on page 7 1 for more information Symptom Traffic does not pass through the FWSM Possible Cause The VLANs are not configured on the switch or are not assigned to the FWSM Recommended Action Configure the VLANs and assign them to the FWSM according to the Assigning VLANs to the Firewall Services Module section on page 2 2 Symptom You cannot configure a VLAN interface within a context Possib...

Page 611: ...inspection engine which treats ICMP connections as stateful connections Symptom Traffic does not go through the FWSM from a higher security interface to a lower security interface Possible Cause You did not apply an access list to the higher security interface to allow traffic through Unlike the PIX firewall the FWSM does not automatically allow traffic to pass between interfaces Recommended Actio...

Page 612: ...26 12 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL 20748 01 Chapter 26 Troubleshooting the Firewall Services Module Common Problems ...

Page 613: ...P A R T 4 Reference ...

Page 614: ......

Page 615: ...ies switches or the Cisco 7600 series routers The configuration of both series is identical and the series are referred to generically in this guide as the switch The switch includes a switch the supervisor engine as well as a router the MSFC 2 The switch supports Cisco IOS software on both the switch supervisor engine and the integrated MSFC router Note The Catalyst operating system software is n...

Page 616: ...ction Virtual Switching System Cisco IOS Software Release 12 2 18 SXF and higher 720 32 No No No 12 2 18 SXF2 and higher 2 720 32 No No No 12 2 33 SXI 720 10GE No Yes Yes 12 2 33 SXI 720 32 No Yes No 12 2 33 SXI2 720 10GE No Yes Yes 12 2 33 SXI2 720 32 No Yes No 12 2 18 ZYA 32 PISA Yes No No Cisco IOS Software Modularity Release 12 2 18 SXF4 720 32 No No No Table 2 Support for FWSM on the Cisco 76...

Page 617: ...ecification Description Bandwidth CEF256 line card with a 6 Gbps path to the Switch Fabric Module if present or the 32 Gbps shared bus Memory 1 GB RAM 128 MB Flash memory Modules per switch Maximum four modules per switch If you are using failover you can still only have four modules per switch even if two of them are in standby mode Table A 4 Feature Limits Specification Context Mode Single Multi...

Page 618: ...g fragments are dropped If the frame is not the first packet in a connection then the FWSM reassembles the first 8782 bytes and passes those on and the remaining fragments are also passed on but without the reassembly check Jumbo Ethernet packets 8500 Bytes 8500 Bytes Security contexts N A 250 security contexts depending on your software license Syslog servers 16 4 per context Maximum of 16 divide...

Page 619: ...per context Maximum of 100 connections divided between all contexts 1 ASDM sessions use two HTTPS connections one for monitoring that is always present and one for making configuration changes that is present only when you make changes For example the system limit of 80 ASDM sessions represents a limit of 160 HTTPS connections 2 The admin context can use up to 15 Telnet and SSH connections 3 Embry...

Page 620: ...table entries concurrent 65 536 65 536 divided between all contexts DNS inspections rate 5000 per second 5000 per second divided between all contexts Global statements 4204 4204 divided between all contexts Inspection statements 32 32 per context NAT statements 2048 2048 divided between all contexts Packet reassembly concurrent 30 000 30 000 fragments divided between all contexts Route table entri...

Page 621: ...ximum number of rules is recalculated and might not match the total system number available for 12 partitions To view the maximum number of rules for partitions enter the following command in the system execution space hostname config show resource rule For example the following is sample output from the show resource rule command and shows the maximum rules as 19219 per partition with 12 partitio...

Page 622: ... non production environment prior to making the change to ensure that all existing contexts and rules can be accommodated When failover is used both FWSMs need to be reloaded at the same time after making partition changes Reloading both FWSMs causes an outage with no possibility for a zero downtime reload At no time should two FWSMs with a mismatched number of partitions or rule limits synchroniz...

Page 623: ...hoose to reallocate some access list rules ACL Rule to inspections hostname config show np 3 acl count 0 CLS Rule Current Counts CLS Filter Rule Count 0 CLS Fixup Rule Count 9001 CLS Est Ctl Rule Count 4 CLS AAA Rule Count 15 CLS Est Data Rule Count 4 CLS Console Rule Count 16 CLS Policy NAT Rule Count 0 CLS ACL Rule Count 30500 CLS ACL Uncommitted Add 0 CLS ACL Uncommitted Del 0 Note The establis...

Page 624: ...s of rules control and data Both of these types are shown in the show np 3 acl count and show resource rules display but you set both rules using the est keyword which correlates with the number of established commands Be sure to double the value you enter here when comparing the total number of configured rules with the total number of rules shown in the show commands The aaa max_nat_rules argume...

Page 625: ...exts Example page B 8 Example 4 IPv6 Configuration Example page B 13 Example 1 Multiple Mode Firewall with Outside Access The following configuration creates three security contexts plus the admin context each with an inside and an outside interface The Customer C context includes a DMZ interface where a Websense server for HTTP filtering resides on the service provider premises see Figure B 1 Ins...

Page 626: ...vation key to allow more than two contexts The mode and activation key are not stored in the configuration file even though they endure reboots If you view the configuration on the FWSM using the write terminal show startup config or show running config commands the mode displays after the FWSM Release blank means single mode system means you are in multiple mode in the system configuration and co...

Page 627: ...contextb cfg member silver context customerC description This is the context for customer C allocate interface vlan3 allocate interface vlan7 vlan8 config url disk contextc cfg member bronze class gold limit resource all 7 limit resource rate conns 2000 limit resource conns 20000 class silver limit resource all 5 limit resource rate conns 1000 limit resource conns 10000 class bronze limit resource...

Page 628: ...01 3 255 255 255 224 interface vlan 5 nameif inside security level 100 ip address 10 1 2 1 255 255 255 0 passwd hell0 enable password enter55 route outside 0 0 209 165 201 1 1 The Customer A context has a second network behind an inside router that requires a static route All other traffic is handled by the default route pointing to the router route inside 192 168 1 0 255 255 255 0 10 1 2 2 1 nat ...

Page 629: ...inside 1 10 1 4 0 255 255 255 0 This context uses dynamic NAT for inside users that access the outside global outside 1 209 165 201 9 netmask 255 255 255 255 A host on the admin context requires access to the Websense server for management using pcAnywhere so the Websense server uses a static translation for its private address static dmz outside 209 165 201 6 192 168 2 2 netmask 255 255 255 255 a...

Page 630: ... management host on the outside needs access to the Syslog server and the FWSM To connect to the FWSM the host uses a VPN connection FWSM uses RIP on the inside interfaces to learn routes Because the FWSM does not advertise routes with RIP the upstream router needs to use static routes for FWSM traffic see Figure B 2 The Department networks are allowed to access the Internet and use PAT Figure B 2...

Page 631: ...5 255 0 static dept2 dept1 10 1 2 0 10 1 2 0 netmask 255 255 255 0 The syslog server uses a static translation so the outside management host can access the server static dmz outside 209 165 201 5 192 168 2 2 netmask 255 255 255 255 access list DEPTS remark Allows all dept1 and dept2 hosts to access the access list DEPTS remark outside for any IP traffic access list DEPTS extended permit ip any an...

Page 632: ...imeout 30 logging trap 5 System log messages are sent to the syslog server on the DMZ network logging host dmz 192 168 2 2 logging enable Switch Configuration Example 2 The following lines in the switch configuration relate to the FWSM interface vlan 3 ip address 209 165 201 1 255 255 255 224 no shutdown Example 3 Shared Resources for Multiple Contexts Example The following configuration includes ...

Page 633: ...using the activation key command The mode and the activation key are not stored in the configuration file even though they endure reboots If you view the configuration on the FWSM using the write terminal show startup config or show running config commands the mode displays after the FWSM Release blank means single mode system means you are in multiple mode in the system configuration and context ...

Page 634: ... 209 165 201 3 255 255 255 224 interface vlan 201 nameif inside security level 100 ip address 10 1 0 1 255 255 255 0 interface vlan 300 nameif shared security level 50 ip address 10 1 1 1 255 255 255 0 passwd v00d00 enable password d011 route outside 0 0 209 165 201 2 1 nat inside 1 10 1 0 0 255 255 255 0 This context uses PAT for inside users that access the outside global outside 1 209 165 201 6...

Page 635: ...vel 50 ip address 10 1 1 2 255 255 255 0 passwd cugel enable password rhialto nat inside 1 10 1 2 0 255 255 255 0 The inside network uses PAT when accessing the outside global outside 1 209 165 201 8 netmask 255 255 255 255 The inside network uses dynamic NAT when accessing the shared network global shared 1 10 1 1 31 10 1 1 37 The web server can be accessed from outside and requires a static tran...

Page 636: ...m interface vlan 200 nameif outside security level 0 ip address 209 165 201 5 255 255 255 224 interface vlan 203 nameif inside security level 100 ip address 10 1 3 1 255 255 255 0 interface vlan 300 nameif shared security level 50 ip address 10 1 1 3 255 255 255 0 passwd maz1r1an enable password ly0ne e route outside 0 0 209 165 201 2 1 nat inside 1 10 1 3 0 255 255 255 0 The inside network uses P...

Page 637: ...d with both IPv6 and IPv4 addresses The IPv6 default route is set with the ipv6 route command An IPv6 access list is applied to the outside interface Figure B 4 Example 4 IPv4 and IPv6 Dual Stack Configuration password pkd enable password happy hostname ubik interface vlan 100 nameif outside security level 0 ip address 10 142 10 100 255 255 255 0 ipv6 address 2001 400 3 1 100 64 ipv6 nd suppress r...

Page 638: ...www access group OUTACL in interface outside Transparent Mode Sample Configurations This section includes the following topics Example 5 Multiple Mode Transparent Firewall with Outside Access Example page B 14 Example 5 Multiple Mode Transparent Firewall with Outside Access Example The following configuration creates three security contexts plus the admin context Each context allows OSPF traffic t...

Page 639: ...the configuration file even though it endures reboots If you view the configuration on FWSM using the write terminal show startup config or show running config commands the mode displays after the FWSM Release blank means single mode system means you are in multiple mode in the system configuration and context means you are in multiple mode in a context hostname Farscape password passw0rd enable p...

Page 640: ...context customerC description This is the context for customer C allocate interface vlan153 allocate interface vlan7 config url disk contextc cfg member bronze class gold limit resource all 7 limit resource rate conns 2000 limit resource conns 20000 class silver limit resource all 5 limit resource rate conns 1000 limit resource conns 10000 class bronze limit resource all 3 limit resource rate conn...

Page 641: ...uration enter the changeto context name command To change back to the system enter changeto system firewall transparent passwd hell0 enable password enter55 interface vlan 151 nameif outside security level 0 bridge group 45 interface vlan 5 nameif inside security level 100 bridge group 45 interface bvi 45 ip address 10 1 2 1 255 255 255 0 route outside 0 0 10 1 2 2 1 access list INTERNET remark Al...

Page 642: ...o context name command To change back to the system enter changeto system firewall transparent passwd fl0wer enable password treeh0u e interface vlan 153 nameif outside security level 0 bridge group 100 interface vlan 7 nameif inside security level 100 bridge group 100 interface bvi 100 ip address 10 1 4 1 255 255 255 0 route outside 0 0 10 1 4 2 1 access list INTERNET remark Allows all inside hos...

Page 643: ... causes it to become the active unit upon boot even if the secondary unit is in the active state The secondary FWSM is also in multiple context mode and has the same software release Figure B 6 Example 6 See the following sections for the configurations for this scenario Primary FWSM Configuration Example 6 page B 19 Secondary FWSM System Configuration Example 6 page B 22 Switch Configuration Exam...

Page 644: ... vlan 10 and 11 interfaces are created when you enter the failover lan interface and failover link commands interface vlan 10 description LAN Failover interface interface vlan 11 description STATE Failover interface interface vlan 200 interface vlan 201 interface vlan 202 interface vlan 203 failover lan interface faillink vlan 10 failover link statelink vlan 11 failover lan unit primary failover p...

Page 645: ...5 201 4 255 255 255 224 standby 209 165 201 8 interface vlan 202 nameif inside security level 100 ip address 10 0 2 1 255 255 255 0 standby 10 0 2 2 passwd secret1978 enable password 7samura1 monitor interface inside nat inside 1 0 0 0 0 0 0 0 0 0 0 global outside 1 209 165 201 11 netmask 255 255 255 224 This context uses dynamic PAT for inside users that access the outside route outside 0 0 209 1...

Page 646: ...ou are in multiple mode in the system configuration and context means you are in multiple mode in a context failover lan interface faillink vlan 10 failover interface ip faillink 192 168 253 1 255 255 255 252 standby 192 168 253 2 failover lan unit secondary failover Switch Configuration Example 6 The following lines in the Cisco IOS switch configuration on both switches relate to the FWSM For inf...

Page 647: ...uration Primary Unit Example 7 page B 24 Context B Configuration Primary Unit Example 7 page B 25 Context C Configuration Primary Unit Example 7 page B 25 System Configuration Primary Unit Example 7 You must first enable multiple context mode using the mode multiple command Then enter the activation key to allow more than two contexts using the activation key command The mode and the activation ke...

Page 648: ...ilover lan unit primary failover interface ip faillink 192 168 253 1 255 255 255 252 standby 192 168 253 2 failover interface ip statelink 192 168 253 5 255 255 255 252 standby 192 168 253 6 failover interface policy 1 failover replication http failover admin context contexta context contexta allocate interface vlan200 allocate interface vlan4 config url disk contexta cfg context contextb allocate...

Page 649: ...level 100 bridge group 2 interface bvi 2 ip address inside 10 0 2 1 255 255 255 0 standby 10 0 2 2 monitor interface inside monitor interface outside route outside 0 0 10 0 2 4 1 telnet 10 0 2 14 255 255 255 255 inside access list INTERNET remark Allows all inside hosts to access the outside for access list INTERNET remark any IP traffic access list INTERNET extended permit ip any any access group...

Page 650: ...y failover Switch Configuration Example 7 The following lines in the Cisco IOS switch configuration on both switches relate to the FWSM For information about configuring redundancy for the switch see the switch documentation firewall multiple vlan interfaces firewall module 1 vlan group 1 firewall vlan group 1 4 6 10 11 200 202 interface vlan 200 ip address 10 0 3 3 255 255 255 0 standby 200 ip 10...

Page 651: ...nter the mode multiple command on both the primary and secondary unit to change modes the mode multiple command is not replicated to the secondary unit even in existing Active Standby failover configurations Both FWSMs must be licensed for the same number of security contexts Primary FWSM Configuration Example 8 The following sections include the configuration for the primary FWSM System Context C...

Page 652: ...mpt replication http interface policy 50 failover group 2 secondary preempt replication http interface policy 50 admin context contexta context contexta description administrative context allocate interface vlan4 config url disk contexta cfg join failover group 1 context contextb allocate interface vlan201 allocate interface vlan5 config url ftp admin passw0rd 10 0 3 16 contextb cfg join failover ...

Page 653: ...nitor interface outside nat inside 1 0 0 0 0 0 0 0 0 0 0 global outside 1 10 0 5 1 netmask 255 255 255 0 This context uses dynamic PAT for inside users that access the outside route outside 0 0 10 0 5 5 1 telnet 10 0 2 14 255 255 255 255 inside access list INTERNET extended permit ip any any access group INTERNET in interface inside Allows all inside hosts to access the outside for any IP traffic ...

Page 654: ...rimary FWSM failover failover lan unit secondary failover lan interface faillink vlan 10 failover key MySecretKey failover interface ip faillink 192 168 253 1 255 255 255 252 standby 192 168 253 2 When you enable failover with the failover command the secondary FWSM obtains the configuration from the primary FWSM Switch Configuration Example 8 The following lines in the Cisco IOS switch configurat...

Page 655: ...ing page C 5 Adding Comments page C 5 Text Configuration Files page C 6 Note The CLI uses similar syntax and other conventions to the Cisco IOS CLI but the FWSM operating system is not a version of Cisco IOS software Do not assume that a Cisco IOS CLI command works with or has the same function on the FWSM Firewall Mode and Security Context Mode The FWSM runs in a combination of the following mode...

Page 656: ...mum FWSM settings The user EXEC mode prompt appears as follows when you first access the FWSM hostname hostname context Privileged EXEC mode Privileged EXEC mode lets you see all current settings up to your privilege level Any user EXEC mode command will work in privileged EXEC mode Enter the enable command in user EXEC mode which requires a password to start privileged EXEC mode The prompt includ...

Page 657: ...h w or erase the line with u The FWSM permits up to 512 characters in a command additional characters are ignored Command Completion To complete a command or keyword after entering a partial string press the Tab key The FWSM only completes the command or keyword if the partial string matches only one command or keyword For example if you enter s and press the Tab key the FWSM does not complete the...

Page 658: ...ude all output that matches the expression You can also display all output beginning with the line that matches the expression The syntax for using filtering options with the show command is as follows hostname show command include exclude begin grep v regexp In this command string the first vertical bar is the operator and must be included in the command This operator directs the output of the sh...

Page 659: ...with a colon to create a comment However the comment only appears in the command history buffer and not in the configuration Therefore you can view the comment with the show history command or by pressing an arrow key to retrieve a previous command but because the comment is not in the configuration the write terminal command does not display it Table C 2 Using Special Characters in Regular Expres...

Page 660: ...in this guide In examples commands are preceded by a CLI prompt The prompt in the following example is hostname config hostname config context a In the text configuration file you are not prompted to enter commands so the prompt is omitted context a Command Specific Configuration Mode Commands Command specific configuration mode commands appear indented under the main command when entered at the c...

Page 661: ...py the configuration passwords to another FWSM in their encrypted form but you cannot unencrypt the passwords yourself If you enter an unencrypted password in a text file the FWSM does not automatically encrypt them when you copy the configuration to the FWSM The FWSM only encrypts them when you save the running configuration from the command line using the copy running config startup config or wr...

Page 662: ...C 8 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL 20748 01 Appendix C Using the Command Line Interface Text Configuration Files ...

Page 663: ... 4 1 9 9 467 1 1 5 ccaMaxCryptoConnections 1 3 6 1 4 1 9 9 467 1 2 1 1 ccaGlobalNumActiveAccelerators 1 3 6 1 4 1 9 9 467 1 2 1 2 ccaGlobalNumNonOperAccelerators 1 3 6 1 4 1 9 9 467 1 2 1 3 ccaGlobalInOctets 1 3 6 1 4 1 9 9 467 1 2 1 4 ccaGlobalOutOctets 1 3 6 1 4 1 9 9 467 1 2 1 5 ccaGlobalInPkts 1 3 6 1 4 1 9 9 467 1 2 1 6 ccaGlobalOutPkts 1 3 6 1 4 1 9 9 467 1 2 1 7 ccaGlobalOutErrPkts 1 3 6 1 ...

Page 664: ... 1 2 2 1 25 ccaAcclDHKeysGenerated 1 3 6 1 4 1 9 9 467 1 2 2 1 26 ccaAcclDHDerivedSecretKeys 1 3 6 1 4 1 9 9 467 1 2 2 1 27 ccaAcclRSAKeysGenerated 1 3 6 1 4 1 9 9 467 1 2 2 1 28 ccaAcclRSASignings 1 3 6 1 4 1 9 9 467 1 2 2 1 29 ccaAcclRSAVerifications 1 3 6 1 4 1 9 9 467 1 2 2 1 30 ccaAcclRSAEncryptPkts 1 3 6 1 4 1 9 9 467 1 2 2 1 31 ccaAcclRSAEncryptOctets 1 3 6 1 4 1 9 9 467 1 2 2 1 32 ccaAcclR...

Page 665: ...placeholder only 1 3 6 1 4 1 9 9 147 1 2 1 1 cfwHardwareStatusTable Index cfwHardwareType Primary unit Secondary unit 1 3 6 1 4 1 9 9 147 1 2 1 1 1 2 cfwHardwareInformation Description of the resource 1 3 6 1 4 1 9 9 147 1 2 1 1 1 3 cfwHardwareStatusValue Current status of the resource Applies only to a failover pair Does not apply to a standalone blade 1 3 6 1 4 1 9 9 147 1 2 1 1 1 4 cfwHardwareS...

Page 666: ...ute metric 1 3 6 1 2 1 4 24 7 1 17 inetCidrRouteStatus Route status CISCO IP PROTOCOL FILTER MIB cippfIpFilterTable show run access list Index cippfIpProfileName cippfIpFilterIndex 1 3 6 1 4 1 9 9 278 1 1 1 1 1 cippfIpProfileName ACL name 1 3 6 1 4 1 9 9 278 1 1 3 1 1 cippfIpFilterIndex ACE line number 1 3 6 1 4 1 9 9 278 1 1 3 1 3 cippfIpFilterAction Permit Deny 1 3 6 1 4 1 9 9 278 1 1 3 1 4 cipp...

Page 667: ... group 1 3 6 1 4 1 9 9 278 1 1 4 1 1 cippfIpFilterExtDescription ACL entry cippfIpFilterExtTables SNMP filter tables 1 3 6 1 4 1 9 9 278 1 1 4 1 2 cippfIpFilterLogLevel Log level 1 3 6 1 4 1 9 9 278 1 1 4 1 3 cippfIpFilterLogInterval Log interval cippfIpFilterStatsTable show access list acl name Index cippfIpProfileName cippfIpFilterIndex 1 3 6 1 4 1 9 9 278 1 1 1 1 1 cippfIpProfileName ACL name 1...

Page 668: ...1 3 6 1 4 1 9 9 171 1 2 1 14 cikeGlobalOutNotifys 1 3 6 1 4 1 9 9 171 1 2 1 15 cikeGlobalOutP2Exchgs 1 3 6 1 4 1 9 9 171 1 2 1 16 cikeGlobalOutP2ExchgInvalids 1 3 6 1 4 1 9 9 171 1 2 1 17 cikeGlobalOutP2ExchgRejects 1 3 6 1 4 1 9 9 171 1 2 1 18 cikeGlobalOutP2SaDelRequests 1 3 6 1 4 1 9 9 171 1 2 1 19 cikeGlobalInitTunnels 1 3 6 1 4 1 9 9 171 1 2 1 20 cikeGlobalInitTunnelFails 1 3 6 1 4 1 9 9 171 ...

Page 669: ...1 19 cikeTunInOctets 1 3 6 1 4 1 9 9 171 1 2 3 1 20 cikeTunInPkts 1 3 6 1 4 1 9 9 171 1 2 3 1 21 cikeTunInDropPkts 1 3 6 1 4 1 9 9 171 1 2 3 1 22 cikeTunInNotifys 1 3 6 1 4 1 9 9 171 1 2 3 1 23 cikeTunInP2Exchgs 1 3 6 1 4 1 9 9 171 1 2 3 1 24 cikeTunInP2ExchgInvalids 1 3 6 1 4 1 9 9 171 1 2 3 1 25 cikeTunInP2ExchgRejects 1 3 6 1 4 1 9 9 171 1 2 3 1 26 cikeTunInP2SaDelRequests 1 3 6 1 4 1 9 9 171 1...

Page 670: ...9 9 171 1 3 1 19 cipSecGlobalOutUncompOctets 1 3 6 1 4 1 9 9 171 1 3 1 20 cipSecGlobalHcOutUncompOctets 1 3 6 1 4 1 9 9 171 1 3 1 21 cipSecGlobalOutUncompOctWraps 1 3 6 1 4 1 9 9 171 1 3 1 22 cipSecGlobalOutPkts 1 3 6 1 4 1 9 9 171 1 3 1 23 cipSecGlobalOutDrops 1 3 6 1 4 1 9 9 171 1 3 1 24 cipSecGlobalOutAuths 1 3 6 1 4 1 9 9 171 1 3 1 25 cipSecGlobalOutAuthFails 1 3 6 1 4 1 9 9 171 1 3 1 26 cipSe...

Page 671: ...ecTunOutSaCompAlgo 1 3 6 1 4 1 9 9 171 1 3 2 1 26 cipSecTunInOctets 1 3 6 1 4 1 9 9 171 1 3 2 1 27 cipSecTunHcInOctets 1 3 6 1 4 1 9 9 171 1 3 2 1 28 cipSecTunInOctWraps 1 3 6 1 4 1 9 9 171 1 3 2 1 29 cipSecTunInDecompOctets 1 3 6 1 4 1 9 9 171 1 3 2 1 30 cipSecTunHcInDecompOctets 1 3 6 1 4 1 9 9 171 1 3 2 1 31 cipSecTunInDecompOctWraps 1 3 6 1 4 1 9 9 171 1 3 2 1 32 cipSecTunInPkts 1 3 6 1 4 1 9 ...

Page 672: ...emoteProtocol 1 3 6 1 4 1 9 9 171 1 3 3 1 13 cipSecEndPtRemotePort 1 3 6 1 4 1 9 9 171 1 3 4 1 2 cipSecSpiDirection 1 3 6 1 4 1 9 9 171 1 3 4 1 3 cipSecSpiValue 1 3 6 1 4 1 9 9 171 1 3 4 1 4 cipSecSpiProtocol 1 3 6 1 4 1 9 9 171 1 3 4 1 5 cipSecSpiStatus 1 3 6 1 4 1 9 9 171 1 4 3 1 1 2 cipSecTunHistTermReason 1 3 6 1 4 1 9 9 171 1 4 3 1 1 3 cipSecTunHistActiveIndex 1 3 6 1 4 1 9 9 171 1 4 3 1 1 4 ...

Page 673: ... 6 1 4 1 9 9 171 1 4 3 1 1 32 cipSecTunHistInDropPkts 1 3 6 1 4 1 9 9 171 1 4 3 1 1 33 cipSecTunHistInReplayDropPkts 1 3 6 1 4 1 9 9 171 1 4 3 1 1 34 cipSecTunHistInAuths 1 3 6 1 4 1 9 9 171 1 4 3 1 1 35 cipSecTunHistInAuthFails 1 3 6 1 4 1 9 9 171 1 4 3 1 1 36 cipSecTunHistInDecrypts 1 3 6 1 4 1 9 9 171 1 4 3 1 1 37 cipSecTunHistInDecryptFails 1 3 6 1 4 1 9 9 171 1 4 3 1 1 38 cipSecTunHistOutOcte...

Page 674: ...e Resource type Conns Xlates Hosts SSH Telnet ASDM IPSec MAC Address 1 3 6 1 4 1 9 9 480 1 1 2 1 3 crlResourceLimitValueType Absolute or percentage 1 3 6 1 4 1 9 9 480 1 1 2 1 4 crlResourceLimitMin Always set to zero Not applicable to FWSM 1 3 6 1 4 1 9 9 480 1 1 2 1 5 crlResourceLimitMax Configured limit value 1 3 6 1 4 1 9 9 480 1 1 2 1 8 crlResourceLimitCurrentUsage Current resource usage 1 3 6...

Page 675: ... perfmon detail 1 3 6 1 4 1 9 9 xxx 1 1 3 cneAddrTranslation1min xlate for one minute 1 3 6 1 4 1 9 9 xxx 1 1 4 cneAddrTranslation5min xlate for five minutes CISCO PROCESS MIB show cpu cpmCPUTotalTable Index cpmCPUTotalIndex Always set to one 1 3 6 1 4 1 9 9 109 1 1 1 1 2 cpmCPUTotalPhysicalIndex entPhysicalIndex always set to zero 1 3 6 1 4 1 9 9 109 1 1 1 1 3 cpmCPUTotal5sec CPU utilization for ...

Page 676: ...rasGlobalInPkts 1 3 6 1 4 1 9 9 392 1 3 6 crasGlobalOutPkts 1 3 6 1 4 1 9 9 392 1 3 7 crasGlobalInOctets 1 3 6 1 4 1 9 9 392 1 3 8 crasGlobalInDecompOctets 1 3 6 1 4 1 9 9 392 1 3 9 crasGlobalOutOctets 1 3 6 1 4 1 9 9 392 1 3 10 crasGlobalOutUncompOctets 1 3 6 1 4 1 9 9 392 1 3 11 crasGlobalInDropPkts 1 3 6 1 4 1 9 9 392 1 3 12 crasGlobalOutDropPkts 1 3 6 1 4 1 9 9 392 1 3 21 1 2 crasGroup 1 3 6 1...

Page 677: ...6 1 4 1 9 9 392 1 3 21 1 31 crasSessionInPkts 1 3 6 1 4 1 9 9 392 1 3 21 1 32 crasSessionOutPkts 1 3 6 1 4 1 9 9 392 1 3 21 1 33 crasSessionInDropPkts 1 3 6 1 4 1 9 9 392 1 3 21 1 34 crasSessionOutDropPkts 1 3 6 1 4 1 9 9 392 1 3 21 1 35 crasSessionInOctets 1 3 6 1 4 1 9 9 392 1 3 21 1 36 crasSessionOutOctets 1 3 6 1 4 1 9 9 392 1 3 21 1 37 crasSessionState 1 3 6 1 4 1 9 9 392 1 3 22 1 2 crasActGr...

Page 678: ...bal statistics 1 3 6 1 4 1 9 9 491 1 3 1 3 cufwUrlfRequestsProcRate1 1 3 6 1 4 1 9 9 491 1 3 1 4 cufwUrlfRequestsProcRate5 1 3 6 1 4 1 9 9 491 1 3 1 5 cufwUrlfRequestsNumAllowed 1 3 6 1 4 1 9 9 491 1 3 1 6 cufwUrlfRequestsNumDenied 1 3 6 1 4 1 9 9 491 1 3 1 7 cufwUrlfRequestsDeniedRate1 1 3 6 1 4 1 9 9 491 1 3 1 8 cufwUrlfRequestsDeniedRate5 1 3 6 1 4 1 9 9 491 1 3 1 9 cufwUrlfRequestsNumCacheAllo...

Page 679: ...9 9 491 1 3 3 1 1 14 cufwUrlfServerAvgRespTime5 ENTITY MIB 1 3 6 1 2 1 47 1 3 6 1 2 1 47 1 1 1 entPhysicalTable Information about a physical entity Index entPhysicalIndex 1 3 6 1 2 1 47 1 1 1 1 2 entPhysicalDescr 1 3 6 1 2 1 47 1 1 1 1 3 entPhysicalVendorType 1 3 6 1 2 1 47 1 1 1 1 4 entPhysicalContainedIn 1 3 6 1 2 1 47 1 1 1 1 5 entPhysicalClass 1 3 6 1 2 1 47 1 1 1 1 6 entPhysicalParentRelPos 1...

Page 680: ... 1 3 6 1 2 1 2 2 1 4 ifMtu MTU of the interface 1 3 6 1 2 1 2 2 1 5 ifSpeed Speed of the interface 1 3 6 1 2 1 2 2 1 6 ifPhysAddress MAC address of the interface 1 3 6 1 2 1 2 2 1 7 ifAdminStatus Admin status 1 3 6 1 2 1 2 2 1 8 ifOperStatus Operational status 1 3 6 1 2 1 2 2 1 9 ifLastChange Last changed time 1 3 6 1 2 1 2 2 1 10 ifInOctets Total octets received 1 3 6 1 2 1 2 2 1 11 ifInUcastPkts...

Page 681: ...t packets sent out 1 3 6 1 2 1 31 1 1 1 12 ifHCOutMulticastPkts Total multicast packets sent out 1 3 6 1 2 1 31 1 1 1 13 ifHCOutBroadcastPkts Total broadcast packets sent out 1 3 6 1 2 1 31 1 1 1 14 ifLinkUpDownTrapEnable Link up down trap enabled 1 3 6 1 2 1 31 1 1 1 15 ifHighSpeed Interface speed 1 3 6 1 2 1 31 1 1 1 1 ifPromiscuousMode Is the interface in promiscuous mode 1 3 6 1 2 1 31 1 1 1 1...

Page 682: ...indMapIndex natAddrBindType natAddrBindInTranslates natAddrBindOutTranslates NatAddressPortBindTable show xlate state portmap detail Index ifIndex natAddrPortBindLocalAddrType natAddrPortBindLocalAddr natAddrPortBindLocalPort natAddrPortBindProtocol 1 3 6 1 2 1 123 1 8 1 1 natAddrPortBindLocalAddrType ipv4 or ipv6 1 3 6 1 2 1 123 1 8 1 1 2 natAddrPortBindLocalAddr local_addr 1 3 6 1 2 1 123 1 8 1 ...

Page 683: ...ad only packets 1 3 6 1 2 1 11 12 snmpInGenErrs General errors 1 3 6 1 2 1 11 13 snmpInTotalReqVars Total variables queried 1 3 6 1 2 1 11 14 snmpInTotalSetVars Total variables modified 1 3 6 1 2 1 11 15 snmpInGetRequests Total Get requests received 1 3 6 1 2 1 11 16 snmpInGetNexts Total GetNext requests received 1 3 6 1 2 1 11 17 snmpInSetRequests Total Set requests received 1 3 6 1 2 1 11 18 snm...

Page 684: ... 1 1 7 sysServices Services offered by the system TCP MIB tcpConnectionTable show conn protocol tcp Index tcpConnectionLocalAddressType tcpConnectionLocalAddress tcpConnectionLocalPort tcpConnectionRemAddressType tcpConnectionRemAddress tcpConnectionRemPort 1 3 6 1 2 1 6 19 1 1 tcpConnectionLocalAddressType ipv4 or ipv6 1 3 6 1 2 1 6 19 1 2 tcpConnectionLocalAddress local_addr 1 3 6 1 2 1 6 19 1 3...

Page 685: ...lAddressType ipv4 or ipv6 1 3 6 1 2 1 7 7 1 2 udpEndpointLocalAddress local_addr 1 3 6 1 2 1 7 7 1 3 udpEndpointLocalPort local_port 1 3 6 1 2 1 7 7 1 4 udpEndpointRemoteAddressType ipv4 or ipv6 1 3 6 1 2 1 7 7 1 5 udpEndpointRemoteAddress foreign_addr 1 3 6 1 2 1 7 7 1 6 udpEndpointRemotePort foreign_port 1 3 6 1 2 1 7 7 1 7 udpEndpointInstance Always set to one Not applicable to FWSM 1 3 6 1 2 1...

Page 686: ...D 24 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL 20748 01 Appendix D Mapping MIBs to CLI Commands ...

Page 687: ...s section describes how to use IPv4 addresses with FWSM An IPv4 address is a 32 bit number written in dotted decimal notation four 8 bit fields octets converted from binary to decimal numbers separated by dots The first part of an IP address identifies the network on which the host resides while the second part identifies the particular host on the given network The network number field is called ...

Page 688: ... you convert a single Class A B or C network into multiple networks With a subnet mask you can create an extended network prefix that adds bits from the host number to the network prefix For example a Class C network prefix always consists of the first three octets of the IP address But a Class C extended network prefix uses part of the fourth octet as well Subnet masking is easy to understand if ...

Page 689: ...scribe how to determine the network address to use with a subnet mask for a Class C size and a Class B size network This section includes the following topics Class C Size Network Address page E 4 Class B Size Network Address page E 4 Table E 1 Hosts Bits and Dotted Decimal Masks Hosts1 1 The first and last number of a subnet are reserved except for 32 which identifies a single host Bits Mask Dott...

Page 690: ...he network by dividing 65 536 the total number of addresses using the third and fourth octet by the number of host addresses you want For example 65 536 divided by 4096 hosts equals 16 Therefore there are 16 subnets of 4096 addresses each in a Class B size network Step 2 Determine the multiple of the third octet value by dividing 256 the number of values for the third octet by the number of subnet...

Page 691: ...00 0000 0008 0800 200C 417A Note The hexadecimal letters in IPv6 addresses are not case sensitive It is not necessary to include the leading zeros in an individual field of the address But each field must contain at least one digit So the example address 2001 0DB8 0000 0000 0008 0800 200C 417A can be shortened to 2001 0DB8 0 0 8 800 200C 417A by removing the leading zeros from the third through si...

Page 692: ...t sent to a unicast address is delivered to the interface identified by that address An interface may have more than one unicast address assigned to it Multicast A multicast address is an identifier for a set of interfaces A packet sent to a multicast address is delivered to all addresses identified by that address Anycast An anycast address is an identifier for a set of interfaces Unlike a multic...

Page 693: ...esses Link Local Address All interfaces are required to have at least one link local address You can configure multiple IPv6 addresses per interfaces but only one link local address A link local address is an IPv6 unicast address that can be automatically configured on any interface using the link local prefix FE80 10 and the interface identifier in modified EUI 64 format Link local addresses are ...

Page 694: ...k layer address The same interface identifier may be used on multiple interfaces of a single node as long as those interfaces are attached to different subnets For all unicast addresses except those that start with the binary 000 the interface identifier is required to be 64 bits long and to be constructed in the Modified EUI 64 format The Modified EUI 64 format is created from the 48 bit MAC addr...

Page 695: ...cal FF05 2 site local Multicast address should not be used as source addresses in IPv6 packets Note There are no broadcast addresses in IPv6 IPv6 multicast addresses are used instead of broadcast addresses Anycast Address The IPv6 anycast address is a unicast address that is assigned to more than one interface typically belonging to different nodes A packet that is routed to an anycast address is ...

Page 696: ... Subnet Router anycast addresses for all interfaces for which it is configured to act as a router The All Routers multicast addresses IPv6 Address Prefixes An IPv6 address prefix in the format ipv6 prefix prefix length can be used to represent bit wise contiguous blocks of the entire address space The IPv6 prefix must be in the form documented in RFC 2373 where the address is specified in hexadeci...

Page 697: ...ication port and accounting port commands Table E 4 Protocol Literal Values Literal Value Description ah 51 Authentication Header for IPv6 RFC 1826 eigrp 88 Enhanced Interior Gateway Routing Protocol esp 50 Encapsulated Security Payload for IPv6 RFC 1827 gre 47 Generic Routing Encapsulation icmp 1 Internet Control Message Protocol RFC 792 icmp6 58 Internet Control Message Protocol for IPv6 RFC 246...

Page 698: ... TCP 19 Character Generator citrix ica TCP 1494 Citrix Independent Computing Architecture ICA protocol cmd TCP 514 Similar to exec except that cmd has automatic authentication ctiqbe TCP 2748 Computer Telephony Interface Quick Buffer Encoding daytime TCP 13 Day time RFC 867 discard TCP UDP 9 Discard domain TCP UDP 53 DNS dnsix UDP 195 DNSIX Session Management Module Audit Redirector echo TCP UDP 7...

Page 699: ...pcanywhere data TCP 5631 pcAnywhere data pim auto rp TCP UDP 496 Protocol Independent Multicast reverse path flooding dense mode pop2 TCP 109 Post Office Protocol Version 2 pop3 TCP 110 Post Office Protocol Version 3 pptp TCP 1723 Point to Point Tunneling Protocol radius UDP 1645 Remote Authentication Dial In User Service radius acct UDP 1646 Remote Authentication Dial In User Service accounting r...

Page 700: ...tp UDP 69 Trivial File Transfer Protocol time UDP 37 Time uucp TCP 540 UNIX to UNIX Copy Program who UDP 513 Who whois TCP 43 Who Is www TCP 80 World Wide Web xdmcp UDP 177 X Display Manager Control Protocol Table E 5 Port Literal Values continued Literal TCP or UDP Value Description Table E 6 Protocols and Ports Opened by Features and Services Feature or Service Protocol Port Number Comments DHCP...

Page 701: ...N A Telnet TCP 23 Table E 6 Protocols and Ports Opened by Features and Services continued Feature or Service Protocol Port Number Comments Table E 7 ICMP Types ICMP Number ICMP Name 0 echo reply 3 unreachable 4 source quench 5 redirect 6 alternate address 8 echo 9 router advertisement 10 router solicitation 11 time exceeded 12 parameter problem 13 timestamp request 14 timestamp reply 15 informatio...

Page 702: ...E 16 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL 20748 01 Appendix E Addresses Protocols and Ports ICMP Types ...

Page 703: ...is the source of inbound traffic See also rule outbound ACL ActiveX A set of object oriented programming technologies and tools used to create mobile or portable programs An ActiveX program is roughly equivalent to a Java applet Address Resolution Protocol See ARP address translation The translation of a network address and or port to another network address or port See also IP address interface P...

Page 704: ...of data One of the functions of the IPSec framework Authentication establishes the integrity of datastream and ensures that it is not tampered with in transit It also provides confirmation about the origin of the datastream See also AAA encryption and VPN B BGP Border Gateway Protocol BGP performs interdomain routing in TCP IP networks BGP is an Exterior Gateway Protocol which means that it perfor...

Page 705: ...or the CLI cookie A cookie is a object stored by a browser Cookies contain information such as user preferences to persistent storage CPU Central Processing Unit Main processor CRC cyclical redundancy check Error checking technique in which the frame recipient calculates a remainder by dividing frame contents by a prime binary divisor and compares the calculated remainder to a value stored in the ...

Page 706: ...sender and receiver decryption Application of a specific algorithm or cipher to encrypted data so as to render the data comprehensible to those who are authorized to see the information See also encryption DES Data encryption standard DES was published in 1977 by the National Bureau of Standards and is a secret key encryption scheme based on the Lucifer algorithm from IBM Cisco uses DES in classic...

Page 707: ... Dynamic PAT Dynamic Port Address Translation Dynamic PAT lets multiple outbound sessions appear to originate from a single IP address With PAT enabled the FWSM chooses a unique port number from the PAT IP address for each outbound translation slot xlate This feature is valuable when an ISP cannot allocate enough unique IP addresses for your outbound connections The global pool addresses always co...

Page 708: ... routed through the FWSM FTP File Transfer Protocol Part of the TCP IP protocol stack used for transferring files between hosts G GGSN gateway GPRS support node A wireless gateway that allows mobile cell phone users to access the public data network or specified private IP networks global configuration mode Global configuration mode lets you to change the FWSM configuration All user EXEC privilege...

Page 709: ...ata transport methods H 323 RAS Registration admission and status signaling protocol Enables devices to perform registration admissions bandwidth changes and status and disengage procedures between VoIP gateway and the gatekeeper H 450 2 Call transfer supplementary service for H 323 H 450 3 Call diversion supplementary service for H 323 Hash Hash Algorithm A hash algorithm is a one way function th...

Page 710: ...ley and part of another protocol suite called SKEME inside ISAKMP framework This is the protocol formerly known as ISAKMP Oakley and is defined in RFC 2409 IKE Extended Authentication IKE Extended Authenticate Xauth is implemented per the IETF draft ietf ipsec isakmp xauth 04 txt extended authentication draft This protocol provides the capability of authenticating a user within IKE using TACACS or...

Page 711: ...e intf3 for the second perimeter interface and so on to the last interface The numbers in the intf string corresponds to the position of the interface card in the FWSM You can use the default names or if you are an experienced user give each interface a more meaningful name See also inside intfn outside intfn Any interface usually beginning with port 2 that connects to a subset network of your des...

Page 712: ... transform describes a security protocol AH or ESP with its corresponding algorithms The IPSec protocol used in almost all transform sets is ESP with the DES algorithm and HMAC SHA for authentication ISAKMP Internet Security Association and Key Management Protocol A protocol framework that defines payload formats the mechanics of implementing a key exchange protocol and the negotiation of a securi...

Page 713: ... for message authentication in SNMP v 2 MD5 verifies the integrity of the communication authenticates the origin and checks for timeliness MD5 has a smaller digest and is considered to be slightly faster than SHA 1 MDI Media dependent interface MDIX Media dependent interface crossover Message Digest A message digest is created by a hash algorithm such as MD5 or SHA 1 that is used for ensuring mess...

Page 714: ...e network over the VPN tunnel NetBIOS Network Basic Input Output System A Microsoft protocol that supports Windows host name registration session management and data transfer The FWSM supports NetBIOS by performing NAT of the packets for NBNS UDP port 137 and NBDS UDP port 138 netmask See mask network In the context of FWSM configuration a network is a group of computing devices that share part of...

Page 715: ...to other untrusted networks outside the FWSM the Internet See also interface interface names outbound P PAC PPTP Access Concentrator A device attached to one or more PSTN or ISDN lines capable of PPP operation and of handling the PPTP protocol The PAC need only implement TCP IP to pass traffic to one or more PNSs It may also tunnel non IP protocols PAT See Dynamic PAT interface PAT and Static PAT ...

Page 716: ...dent of the interface hardware the PNS may use any combination of IP interface hardware including LAN and WAN devices Policy NAT Lets you identify local traffic for address translation by specifying the source and destination addresses or ports in an access list POP Post Office Protocol Protocol that client e mail applications use to retrieve mail from a mail server Pool See IP pool Port A field i...

Page 717: ...s are specified in a FWSM configuration as part of defining a security policy by their literal values or port numbers Possible FWSM protocol literal values are ahp eigrp esp gre icmp igmp igrp ip ipinip ipsec nos ospf pcp snp tcp and udp Proxy ARP Enables the FWSM to reply to an ARP request for IP addresses in the global pool See also ARP public key A public key is one of a pair of keys that are g...

Page 718: ...n a PIM multicast environment RPC Remote Procedure Call RPCs are procedure calls that are built or specified by clients and executed on servers with the results returned over the network to the clients RSA A public key cryptographic algorithm named after its inventors Rivest Shamir and Adelman with a variable key length The main weakness of RSA is that it is significantly slow to compute compared ...

Page 719: ... establish IPSec SAs manually An IKE SA is used by IKE only and unlike the IPSec SA it is bidirectional SASL Simple Authentication and Security Layer An Internet standard method for adding authentication support to connection based protocols SASL can be used between a security appliance and an LDAP server to secure user authentication SCCP Skinny Client Control Protocol A Cisco proprietary protoco...

Page 720: ...ticated keying material with rapid key refreshment SMR Stub Multicast Routing SMR allows the FWSM to function as a stub router A stub router is a device that acts as an IGMP proxy agent IGMP is used to dynamically register specific hosts in a multicast group on a particular LAN with a multicast router Multicast routers route multicast data transmissions to hosts that are registered to receive spec...

Page 721: ...em Plus A client server protocol that supports AAA services including command authorization See also AAA RADIUS TAPI Telephony Application Programming Interface A programming interface in Microsoft Windows that supports telephony functions TCP Transmission Control Protocol Connection oriented transport layer protocol that provides reliable full duplex data transmission TCP Intercept With the TCP i...

Page 722: ...er See also TAPI tunnel mode An IPSec encryption mode that encrypts both the header and data portion payload of each packet Tunnel mode is more secure than transport mode tunnel A method of transporting data in one protocol by encapsulating it in another protocol Tunneling is used for reasons of incompatibility implementation simplification or security For example a tunnel lets a remote VPN client...

Page 723: ...al voice traffic such as telephone calls and faxes over an IP based network DSP segments the voice signal into frames which then are coupled in groups of two and stored in voice packets These voice packets are transported using IP in compliance with ITU T specification H 323 VPN Virtual Private Network A network connection between two peers over the public network that is made private by strict au...

Page 724: ...lly updated with the NetBIOS names of network devices currently available and the IP address assigned to each one WINS provides a distributed database for registering and querying dynamic NetBIOS names to IP address mapping in a routed network environment It is the best choice for NetBIOS name resolution in such a routed network because it is designed to solve the problems that occur with name res...

Page 725: ...sword management 17 6 performance 17 1 prompts 17 6 server adding 11 9 types 11 3 support summary 11 3 with web clients 17 6 abbreviating commands C 3 access lists ACE logging configuring 13 26 ACE order 13 2 comments 13 18 commitment 13 5 deny flows managing 13 27 downloadable 17 10 EtherType adding 13 10 expanded 13 6 extended adding 13 6 extended overview 13 6 implicit deny 13 3 inbound 15 1 in...

Page 726: ... 25 unit poll time 14 25 criteria for failover 14 25 device initializtion 14 9 primary status 14 9 saving the configuration 14 10 secondary status 14 9 standby state 14 9 status 14 32 synchronizing the configurations 14 10 triggers 14 11 Active Directory password management 17 6 adaptive security algorithm 1 8 admin context changing 4 33 overview 4 3 alternate address ICMP message E 15 application...

Page 727: ...dresses assigning 6 6 overview 1 7 bridge table See MAC address table bufferwraps save to interal Flash 25 10 send to FTP server 25 11 bypassing firewall checks 21 10 bypassing the firewall in the switch 2 6 C CA CRs and 12 2 public key cryptography 12 1 revoked certificates 12 2 capturing packets 26 8 Catalyst 6500 See switch CEF A 3 Certificate Revocation Lists See CRLs certification authority S...

Page 728: ...ents C 5 saving 3 3 switch 2 1 text file 3 6 URL for a context 4 29 viewing 3 5 configuration mode accessing 3 2 prompt C 2 configuring 8 33 configuring RHI 8 33 connection advanced features 21 1 blocking 21 15 deleting A 5 limits 21 1 rate limiting 21 2 timeouts 21 1 connection limits per context 4 26 console port external 3 1 contexts See security contexts control plane path 1 8 conversion error...

Page 729: ...b routing 8 24 stuck in active 8 23 EMBLEM format using in logs 25 17 embryonic connection limits 21 2 ESMTP inspection configuring 22 96 overview 22 94 established command maximum rules A 7 security level requirements 6 2 EtherChannel backplane load balancing 2 8 overview 2 8 EtherType access list adding 13 10 applying in both directions 13 9 compatibilty with extended access lists 13 10 implicit...

Page 730: ...long HTTP URLs setting the size 18 7 truncating 18 8 maximum rules A 7 overview 18 1 security level requirements 6 1 servers supported 18 4 show command output C 4 URLs 18 4 firewall mode configuring 5 1 overview 5 1 Flash memory overview 2 10 partitions 2 10 size A 3 format of messages 25 19 fragments 1 4 limitations A 4 fragment size configuring 21 15 FTP filtering 18 9 FTP inspection configurin...

Page 731: ...aintenance software 24 12 module verification 2 2 software using the CLI 24 3 software using the maintenance partition 24 5 Instant Messaging 22 77 interfaces configuring poll times 14 25 14 30 global addresses 16 28 health monitoring 14 19 maximum A 4 naming 6 3 6 6 6 7 shared 4 7 turning off 6 12 turning on 6 12 viewing monitored interface status 14 39 IOS upgrading 2 1 IOS versions A 2 IP addre...

Page 732: ...3 lockout recovery 23 23 log bufferwraps save to internal Flash 25 10 send to FTP server 25 11 logging access lists 13 25 class filtering messages by 25 12 types 25 13 device id including in system log messages 25 16 email configuring as output destination 25 6 destination address 25 6 source address 25 6 EMBLEM format 25 16 facility option 25 5 filtering messages by message class 25 13 by message...

Page 733: ...interface name 4 28 mapping MIBs to CLIs D 1 mask reply ICMP message E 15 mask request ICMP message E 15 match commands inspection class map 20 8 Layer 3 4 class map 20 5 memory access list use of 13 6 Flash A 3 RAM A 3 rules use of 13 6 memory partitions 4 12 reallocating rules 4 19 setting the total number 4 13 sizes 4 14 message classes about 25 12 list of 25 13 message list creating 25 14 filt...

Page 734: ...figuration 16 36 overview 16 10 identity NAT configuration 16 34 overview 16 10 NAT ID 16 20 order of statements 16 15 overlapping addresses 16 38 overview 16 1 PAT configuring 16 26 implementation 16 20 overview 16 8 static 16 31 policy NAT dynamic configuring 16 26 maximum rules A 7 overview 16 10 static configuring 16 30 static PAT configuring 16 32 port redirection 16 39 RPC not supported with...

Page 735: ...ulation timers 8 18 route map 8 5 route summarization 8 17 stub area 8 14 summary route cost 8 14 outbound access lists 15 1 outside definition 1 1 oversubscribing resources 4 22 P packet capture 26 8 classifier 4 3 flow routed firewall 5 2 transparent firewall 5 12 paging screen displays C 5 parameter problem ICMP message E 15 parameter problem ICMP message E 15 partitions application 2 10 boot 2...

Page 736: ...ccess authentication 17 3 network access authorization 17 10 password management 17 6 support 11 4 rapid link failure detection 2 9 RAS H 323 troubleshooting 22 55 rate limiting connections 21 2 RealPlayer 22 73 rebooting from the FWSM CLI 26 6 from the switch 2 11 redirect ICMP message E 15 redirect ICMP message E 15 Registration Authority description 12 2 regular expression 20 11 Related Documen...

Page 737: ...ing 12 4 signatures IKE authentication method 12 2 RSA keys generating 23 3 RSH connections A 5 RTSP inspection configuring 22 74 overview 22 73 rules default allocation A 7 maximum 13 6 memory partitions 4 12 pools for contexts A 7 reallocating memory A 8 reallocating memory per partition 4 19 running configuration backing up 24 17 clearing 3 5 downloading 24 15 saving 3 3 viewing 3 5 S same secu...

Page 738: ...t C 4 shunning 21 15 single mode backing up configuration 4 10 configuration 4 11 enabling 4 10 restoring 4 11 SIP inspection instant messaging 22 77 overview 22 77 timeout values configuring 22 82 troubleshooting 22 86 site to site tunnel 23 8 SMTP inspection configuring 22 96 overview 22 94 SNMP MIBs 25 20 overview 25 20 traps 25 32 software installation any partition 24 5 current partition 24 3...

Page 739: ...dule 2 11 sessioning to the module 3 1 system requirements A 1 trunk for failover 2 9 verifying module installation 2 2 switched virtual interfaces See SVIs Switch Fabric Module A 3 SYN attacks monitoring 4 40 SYN cookies 4 40 syntax formatting C 3 syslog server as output destination 25 4 designating 25 5 designating more than one 25 5 EMBLEM format configuring 25 17 enabling 25 5 system execution...

Page 740: ... ICMP message E 15 time exceeded ICMP message E 15 time ranges access lists 13 24 timestamp reply ICMP message E 15 timestamp including in system log messages 25 15 timestamp reply ICMP message E 15 traffic flow routed firewall 5 2 transparent firewall 5 12 transparent firewall ARP inspection enabling 19 2 overview 19 1 static entry 19 2 data flow 5 12 DHCP packets allowing 13 7 failover considera...

Page 741: ...pt C 2 unreachable ICMP message E 15 upgrading IOS 2 1 URLs context configuration changing 4 33 context configuration setting 4 29 filtering 18 4 V viewing logs 25 4 virtual firewalls See security contexts virtual HTTP 17 3 virtual reassembly 1 4 virtual SSH 17 3 virtual Telnet 17 3 VLANs allocating to a context 4 28 assigning to FWSM 2 2 interfaces 2 2 mapped interface name 4 28 maximum A 4 share...

Page 742: ...Index IN 18 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL 20748 01 ...

Reviews:

No comments