Cisco Certified Expert. The better understanding you have of the attributes and architecture, the better your ability to design, deploy, manage, and troubleshoot a security infrastructure. Table and Table provide additional requirements and specifications. As you can clearly see from the specification in the previous two tables, good things do come in small packages!
Published (Last): 10 April 2014
This includes the configuration of the IP address, default routing, static and dynamic NAT, Access Control List (ACL) statements that allow the desired traffic and block the unwanted traffic, application servers such as Websense for inspection of Internet traffic from the inside network, and the web server for Internet users. Therefore, failover cannot work between FWSMs with different licenses. See Table for supported supervisor engine and software releases.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. This configuration can also be used for the Cisco series routers, with the required components as shown:
Supervisor engine with Cisco IOS software. Refer to the Cisco Technical Tips Conventions for more information on document conventions. The FWSM is a high-performance, space-saving, stateful firewall module that installs in the Catalyst series switches and the Cisco series routers. Firewalls protect inside networks from unauthorized access by users on an outside network.
The firewall can also protect inside networks from each other, for example, when you keep a human resources network separate from a user network. If you have network resources that need to be available to an outside user, such as a web or FTP server, you can place these resources on a separate network behind the firewall, called a demilitarized zone (DMZ).
The firewall allows limited access to the DMZ, but because the DMZ includes only the public servers, an attack there affects only the servers and does not affect the other inside networks. You can also control when inside users access outside networks, for example, access to the Internet, if you allow only certain addresses out, require authentication or authorization, or coordinate with an external URL filtering server.
The FWSM includes many advanced features, such as multiple security contexts that are similar to virtualized firewalls, transparent Layer 2 firewall or routed Layer 3 firewall operation, hundreds of interfaces, and many more features.
During the discussion of networks connected to a firewall, the outside network is in front of the firewall, the inside network is protected and behind the firewall, and a DMZ, while behind the firewall, allows limited access to outside users. Because the FWSM lets you configure many interfaces with varied security policies, which includes many inside interfaces, many DMZs, and even many outside interfaces if desired, these terms are used in a general sense only.
In this section, you are presented with the information to configure the features described in this document. The addresses are RFC addresses that have been used in a lab environment. The configuration of both series is identical, and the series are referred to generically in this document as the switch. The FWSM does not include any external physical interfaces. Instead, it uses VLAN interfaces.
If you use FWSM failover within the same switch chassis, do not assign the VLANs you reserved for failover and stateful communications to a switch port. However, if you use failover between chassis, you must include those VLANs in the trunk port between the chassis.
For example, you can assign all the VLANs to one group, or you can create an inside group and an outside group, or you can create a group for each customer. Each group can contain unlimited VLANs. The list can contain unlimited VLANs. You should also change the security level from the default, which is 0.
If you name an interface inside , and you do not set the security level explicitly, then the FWSM sets the security level to For example, you should assign your most secure network, such as the inside host network, to level , while the outside network connected to the Internet can be level 0.
Other networks, such as DMZs, can be in between. You can change the name if you reenter this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted.
A default route identifies the gateway IP address. A default route is simply a static route with 0. Routes that identify a specific destination take precedence over the default route. Dynamic NAT translates a group of real addresses. The mapped pool can include fewer addresses than the real group.
When a host you want to translate accesses the destination network, the FWSM assigns it an IP address from the mapped pool. The translation is added only when the real host initiates the connection. The translation is in place only for the duration of the connection, and a given user does not keep the same IP address after the translation times out.
You need to create an ACL in order to deny the traffic from the inside network. Static NAT creates a fixed translation of real address(es) to mapped address(es). Because the mapped address is the same for each consecutive connection with static NAT, and a persistent translation rule exists, static NAT allows hosts on the destination network to initiate traffic to a translated host, if there is an access list that allows it.
The main difference between dynamic NAT and a range of addresses for static NAT is that static NAT allows a remote host to initiate a connection to a translated host, if there is an access list that allows it, while dynamic NAT does not.
You also need an equal number of mapped addresses and real addresses with static NAT. These are the two static NAT statements shown. The first one is meant to translate the real IP. The url-server command designates the server that runs the Websense URL filtering application. Additionally, if you change your configuration on the security appliance, this does not update the configuration on the application server. This must be done separately, in accordance with the vendor instructions.
If all URL servers are removed from the server list, then all filter commands related to URL filtering are also removed. Once you designate the server, enable the URL filtering service with the filter url command.
The filter url command prevents outbound users from accessing World Wide Web URLs that you designate with the Websense filtering application. Use the OIT in order to view an analysis of show command output.
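The interface naming, default route, dynamic and static NAT, ACL and URL-filtering steps above, put together as one FWSM 3.x-style configuration. This is an added example written for this page, not the document's own configuration; the VLAN numbers, addresses, interface and ACL names, and the Websense server address are constructed placeholders.

```text
! Added example, not the document's own configuration. VLAN numbers, addresses
! and names are constructed placeholders (RFC 1918 and RFC 5737 ranges).
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan20
 nameif dmz
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
interface Vlan30
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
! Default route: a static route to 0.0.0.0/0 that points at the upstream gateway.
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1
!
! Dynamic NAT: inside hosts borrow an address from the mapped pool only while
! they hold an outbound connection; outside hosts cannot initiate to the pool.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.0.2.10-192.0.2.20 netmask 255.255.255.0
!
! Static NAT: one fixed, persistent mapping for the DMZ web server, so outside
! hosts can reach it, but only if an ACL on the outside interface permits it.
static (dmz,outside) 192.0.2.30 10.1.2.30 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 192.0.2.30 eq www
access-group outside_in in interface outside
!
! The FWSM does not pass traffic between interfaces without an ACL, so the inside
! interface needs one too: deny inside hosts direct access to the DMZ server,
! permit everything else outbound.
access-list inside_out extended deny ip 10.1.1.0 255.255.255.0 host 10.1.2.30
access-list inside_out extended permit ip 10.1.1.0 255.255.255.0 any
access-group inside_out in interface inside
!
! Websense URL filtering for outbound HTTP from every inside host.
url-server (dmz) vendor websense host 10.1.2.50 timeout 30 protocol TCP version 4
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
```

If the Websense server becomes unreachable, HTTP requests are dropped by default; the allow keyword on the filter url command changes that to fail-open, which is a deliberate policy choice rather than a default.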
View the module information in accordance with your operating system in order to verify that the switch acknowledges the FWSM and has brought it online:
These are internal ports that are grouped together as an EtherChannel. However, you can choose to boot from the cf:5 application partition or into the cf:1 maintenance partition. In order to change the default boot partition, enter the command for your operating system. The cf:n argument is the partition: 1 (maintenance), 4 (application), or 5 (application).
If you do not specify the partition, the default partition is used, which is typically cf. Here cf:n is the partition: 1 (maintenance), 4 (application), or 5 (application). Check this example with VLAN and in order to clarify:
Then disable the VLAN interface , which the hosts in currently use as their default gateway. You need to make similar changes for the other VLANs, if present. You can have a default gateway on a different piece of wire than the hosts that use it. Issue the set connection advanced-options tcp-state-bypass command in class configuration mode in order to pass asymmetrically routed packets through the firewall.
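The tcp-state-bypass step above, shown with the class-map and policy-map context the command needs. This is an added example rather than the document's own configuration; the ACL name, subnets and policy names are constructed placeholders, and the command is assumed to be available on the FWSM release in use.

```text
! Added example, not the document's own configuration; addresses and names are
! constructed placeholders.
!
! Identify only the flows that may arrive asymmetrically (return traffic whose
! SYN this FWSM never saw). Keep the match as narrow as the topology allows:
! bypass disables TCP state checking for matching connections, so every host
! and port the ACL covers loses that protection.
access-list tcp_bypass extended permit tcp 10.1.1.0 255.255.255.0 203.0.113.0 255.255.255.0
!
class-map tcp_bypass
 match access-list tcp_bypass
!
! The set connection command is entered in class configuration mode, under the
! class inside the policy-map.
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
! Apply the policy on the interface where the asymmetric traffic arrives.
service-policy tcp_bypass_policy interface inside
!
! Check that the policy is bound and that matching connections are being built:
!   show service-policy interface inside
!   show conn
```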
Overview of FWSM Firewall
FWSM Basic Configuration Example
The different components of the FWSM that are pictured in Figure are discussed in the sections that follow. Most of the memory-intensive tasks and complex operations are performed in the CP. The high performance is achieved by moving the frequently used simple tasks within the packet processing to the Network Processors. The CP is responsible for the following tasks:
You can verify the Gigabit Ethernet ports on the CP by executing the show nic command. Each NP has four Gigabit Ethernet interfaces. To maximize the efficiency of the six Gigabit Ethernet interfaces between the FastPath NPs and the Pinnacle, the switch software automatically bundles them together and creates an