
Cisco Firewall Configuration Fundamentals

Chapter Description

This chapter describes the configuration fundamentals for IOS and ASA-based firewalls, highlighting the similarities between the product families.

From the Book

Cisco Firewalls


Basic FWSM Configuration

Before you can access the Firewall Services Module (FWSM), you need to perform some configuration on the Catalyst 6500 chassis in which it resides.

Example 3-10 shows how to locate an FWSM in a given Catalyst 6500 chassis and verify the status of the module with the show module command. It also shows the EtherChannel connection to the switching fabric, which consists of six Gigabit Ethernet ports (Gi4/1 through Gi4/6 in the example, because the module sits in slot 4). The logical representation of this EtherChannel connection appears in Figure 3-3.

Example 3-10. Viewing Information About Modules on a Catalyst 6500

! Displaying information about installed modules on a Catalyst 6500 switch
CAT6500B# show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL1026SYKR
  4    6  Firewall Module                        WS-SVC-FWM-1       SAD11270BNW
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL1015JH6H

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0017.5916.59b8 to 0017.5916.59e7   2.4   12.2(14r)S5  12.2(18)SXF1 Ok
  4  001b.d59c.0ce0 to 001b.d59c.0ce7   4.2   7.2(1)       4.0(3)       Ok
  5  0013.c43a.ced8 to 0013.c43a.cedb   5.2   8.4(2)       12.2(18)SXF1 Ok

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ------------ ------ -------
  1  Centralized Forwarding Card WS-F6700-CFC       SAD102308FL  2.0    Ok
  5  Policy Feature Card 3       WS-F6K-PFC3B       SAL1015JHTB  2.3    Ok
  5  MSFC3 Daughterboard         WS-SUP720          SAL1010F7PX  2.5    Ok

Mod  Online Diag Status
---- -------------------
  1  Pass
  4  Pass
  5  Pass
! Verifying EtherChannel information for the FWSM
CAT6500B# show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
273    Po273(SU)       -         Gi4/1(P)   Gi4/2(P)   Gi4/3(P)   Gi4/4(P)
                                 Gi4/5(P)   Gi4/6(P)

Figure 3-3 Logical Representation and Logical Topology for FWSM Analysis

Example 3-11 shows the baseline configuration tasks that should be accomplished on the Catalyst 6500 before using the FWSM. These tasks include the following:

  • Creating VLANs: Using exactly the same procedure as for any other VLAN.
  • Creating VLAN Groups: Instead of assigning VLANs directly to the FWSM, the configuration uses VLAN groups (svclc vlan-group).
  • Associating VLAN Groups with the physical module: Only the VLAN groups referenced by the firewall module vlan-group command become visible inside the FWSM. The Catalyst 6500 behaves as a regular multilayer switch for every VLAN that was not explicitly assigned to the services module, so traffic on those VLANs never touches the firewall.

Example 3-11 also includes the commands used to verify the VLAN and VLAN-group information related to the FWSM from the Catalyst 6500 chassis.

Example 3-11. Baseline Configuration for the Catalyst 6500

! Creating VLANs on the Catalyst 6500
vlan 1100
 name SEC-MGMT
vlan 1240
 name FWSM-OUT1
vlan 1242
 name FWSM-DMZ1
! Creating VLAN Groups (SVCLC = Services Line Card)
svclc vlan-group 1  1100
svclc vlan-group 2  1240,1242
! Assigning VLAN Groups to the Firewall Module (installed in slot 4)
firewall module 4 vlan-group 1,2
! Verifying VLAN and VLAN-Group information
CAT6500B# show firewall vlan-group
Display vlan-groups created by both ACE module and FWSM
Group    Created by      vlans
-----    ----------      -----
    1           ACE      1100
    2           ACE      1240,1242
CAT6500B# show firewall module 4 state
Firewall module 4:
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: 1100,1240,1242
Pruning VLANs Enabled: 2-1001
Vlans allowed on trunk: 1100,1240,1242
Vlans allowed and active in management domain: 1100,1240,1242
Vlans in spanning tree forwarding state and not pruned: 1100,1240,1242

Example 3-12 shows the procedure for getting access to the FWSM that resides in module 4, from the Catalyst 6500 console. This access is actually a Telnet connection that uses a reserved loopback address (belonging to network This example also displays the source and destination IP addresses and L4 ports for the Telnet session.

Example 3-12. Accessing the FWSM from the Catalyst 6500 Console

CAT6500B# session slot 4 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying Open
User Access Verification
Type help or '?' for a list of available commands.
FWSM2> enable
Password: ********
! Viewing the Telnet connection from the Catalyst 6500 to the FWSM
CAT6500B# show tcp brief
TCB       Local Address           Foreign Address        (state)
46DCBBD0          ESTAB

Figure 3-3 displays the logical representation of the FWSM EtherChannel connection to the Catalyst backplane. It also shows the logical topology that serves as the basis for the analysis of the configuration fundamentals related to the FWSM.

Example 3-13 refers to the topology on Figure 3-3 and assembles the fundamental commands for initial FWSM configuration. The FWSM does not have external network interfaces. All its logical interfaces are VLANs created on the underlying chassis and assigned to it through the firewall module vlan-group command (refer to Example 3-11).

One important difference between ASA appliances and the FWSM is that Internet Control Message Protocol (ICMP) traffic addressed to the firewall's own interfaces must be explicitly permitted on a per-interface basis on the Firewall Module, using icmp permit commands. Conversely, the default behavior of the ASA is to accept ICMP packets directed to its interfaces (refer to Example 3-7). In both product families the icmp permit and icmp deny commands govern only ICMP that terminates on the firewall; ICMP transiting the firewall is subject to the regular access policy. Example 3-13 uses the any keyword for simplicity; on a low-security interface such as out1, a production configuration should narrow the source to the management hosts that need to reach the firewall.

Example 3-13. Baseline FWSM Configuration

! Configuring Logical Interfaces
interface Vlan1100
 description *** Management Access ***
 nameif mgmt
 security-level 100
 ip address
interface Vlan1240
 nameif out1
 security-level 0
 ip address
interface Vlan1242
 nameif dmz1
 security-level 50
 ip address
! Enabling ICMP Ping to and from logical interfaces
icmp permit any echo mgmt
icmp permit any echo-reply mgmt
icmp permit any echo out1
icmp permit any echo-reply out1
icmp permit any echo dmz1
icmp permit any echo-reply dmz1

Example 3-14 assembles some show commands that display interface-related information on the FWSM. The same VLANs, as seen from the chassis side, can be listed on the Catalyst 6500 CLI with the show firewall commands presented in Example 3-11.

Example 3-14. Displaying Information About Interfaces and VLANs on the FWSM

FWSM2# show nameif
Interface                Name                     Security
Vlan1100                 mgmt                     100
Vlan1240                 out1                       0
Vlan1242                 dmz1                      50
FWSM2# show vlan
1100, 1240, 1242
FWSM2# show interface vlan 1100
Interface Vlan1100 "mgmt", is up, line protocol is up
  Hardware is EtherSVI, BW Unknown Speed-Capability, DLY 10 usec
        Description: *** Management Access ***
        MAC address 001b.d4de.3580, MTU 1500
        IP address, subnet mask
  Traffic Statistics for "mgmt":
        798 packets input, 130180 bytes
        15 packets output, 1270 bytes
        55112 packets dropped
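The chassis-side assignment in Example 3-11 and the FWSM-side nameif and icmp configuration in Examples 3-13 and 3-14 describe one system and have to agree: a VLAN that the FWSM names but the chassis never handed to the module carries no traffic, and a VLAN handed to the module but never given a nameif is dead weight. The following Python script is an added example, not code from the book or from Cisco. It parses constructed copies of the CLI text shown on this page (the svclc / firewall module lines, the show nameif output and the icmp lines), resolves the VLAN groups to the VLANs the module actually receives, and reports those two mismatches plus any icmp permit any rule on the lowest-security interface. The line layouts it matches are the ones shown in the examples above; the sample inputs and finding texts are this example's own.

```python
"""Cross-check the chassis-side (Example 3-11) and FWSM-side (Examples 3-13 and
3-14) configuration.  Added example, not from the book; the CLI text below is
constructed to mirror the page and the parsers assume the layouts shown there."""
import re

# Constructed input: the Catalyst 6500 configuration lines from Example 3-11.
CAT_CONFIG = """\
svclc vlan-group 1  1100
svclc vlan-group 2  1240,1242
firewall module 4 vlan-group 1,2
"""
# Constructed input: 'show nameif' from Example 3-14.
FWSM_NAMEIF = """\
Interface                Name                     Security
Vlan1100                 mgmt                     100
Vlan1240                 out1                       0
Vlan1242                 dmz1                      50
"""
# Constructed input: the icmp lines from Example 3-13.
FWSM_ICMP = """\
icmp permit any echo mgmt
icmp permit any echo-reply mgmt
icmp permit any echo out1
icmp permit any echo-reply out1
icmp permit any echo dmz1
icmp permit any echo-reply dmz1
"""

def expand_vlans(text):
    """Expand a Cisco VLAN list such as '1100,1240-1242' into a set of ints."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_chassis_config(config, module):
    """Return the VLANs the chassis hands to firewall module `module`
    (svclc vlan-group definitions resolved through 'firewall module N vlan-group')."""
    groups, group_ids = {}, set()
    for line in config.splitlines():
        m = re.match(r"\s*svclc vlan-group (\d+)\s+([\d,\-]+)", line)
        if m:
            groups[int(m.group(1))] = expand_vlans(m.group(2))
        m = re.match(r"\s*firewall module (\d+) vlan-group ([\d,\-]+)", line)
        if m and int(m.group(1)) == module:
            group_ids |= expand_vlans(m.group(2))
    return set().union(*(groups.get(g, set()) for g in group_ids))

def parse_nameif(output):
    """Return {vlan: (nameif, security_level)} from 'show nameif' output."""
    ifaces = {}
    for line in output.splitlines():
        m = re.match(r"\s*Vlan(\d+)\s+(\S+)\s+(\d+)\s*$", line)
        if m:
            ifaces[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return ifaces

def parse_icmp_rules(config):
    """Return (action, source, icmp_type, nameif) tuples from lines of the form
    icmp {permit | deny} {any | host A | A MASK} [icmp-type] nameif."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
            continue
        if tok[2] == "any":
            source, rest = "any", tok[3:]
        elif tok[2] == "host":
            source, rest = tok[3], tok[4:]
        else:
            source, rest = tok[2] + "/" + tok[3], tok[4:]
        if len(rest) not in (1, 2):  # nameif is mandatory, icmp-type is optional
            continue
        rules.append((tok[1], source, rest[0] if len(rest) == 2 else "any", rest[-1]))
    return rules

def audit(assigned, ifaces, icmp_rules):
    """Compare the chassis view with the FWSM view and return a list of findings."""
    findings = []
    for vlan, (name, _) in sorted(ifaces.items()):
        if vlan not in assigned:  # nameif on a VLAN the chassis never trunks to the module
            findings.append(f"{name}: Vlan{vlan} is not in any vlan-group assigned to the module")
    for vlan in sorted(assigned - set(ifaces)):  # handed over but unused on the FWSM
        findings.append(f"Vlan{vlan} is assigned to the module but has no nameif on the FWSM")
    if ifaces:  # 'icmp permit any' on the lowest-security interface: narrow the source
        lowest = min(level for _, level in ifaces.values())
        exposed = {name for name, level in ifaces.values() if level == lowest}
        for action, source, icmp_type, name in icmp_rules:
            if action == "permit" and source == "any" and name in exposed:
                findings.append(f"{name}: 'icmp permit any {icmp_type}' on a security-level "
                                f"{lowest} interface; restrict the source to management hosts")
    return findings

def audit_page_example():
    """Run the audit over the constructed inputs above."""
    return audit(parse_chassis_config(CAT_CONFIG, module=4),
                 parse_nameif(FWSM_NAMEIF), parse_icmp_rules(FWSM_ICMP))
```

Run against the page's own configuration, audit_page_example() reports only the two icmp permit any rules on out1 (security level 0); the VLAN assignment is consistent. Feed it the output of show running-config from the chassis and show nameif plus the icmp lines from the FWSM to check a real deployment; the parsers deliberately ignore any line they do not recognise, so the rest of the configuration can be passed in unchanged.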