Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, 6.1F
Index


Index

A

AAA

accounting 24-11

authentication

CLI access 15-24

CLI access, system 15-25

network access 24-1

authentication directly with the FWSM 24-3

authorization

command 15-26

downloadable access lists 24-6

network access 24-5

local database support 14-6

maximum rules A-7

overview 14-1

performance 24-1

server

adding 14-9

types 14-3

support summary 14-3

web clients 24-13

ABR

definition of 10-4

acceleration, Trusted Flow. See Trusted Flow Acceleration

Access Group panel 11-2

description 11-2

fields 11-2

access lists

commitment 20-2

downloadable 24-6

expanded 20-3

implicit deny 20-2

inbound 20-3

IP address guidelines with NAT 20-5

maximum rules 20-3

memory limits 20-3

memory partitions 9-10

NAT addresses 20-5

outbound 20-3

overview 20-1

ACEs

expanded 20-3

maximum 20-3

Active/Active failover

about 13-2

command replication 13-2

configuration synchronization 13-2

Active/Standby failover 13-2

adaptive security algorithm 1-17

Add/Edit Access Group dialog box 11-3

description 11-3

fields 11-3

Add/Edit Filtering Entry dialog box 10-11

description 10-11

fields 10-12

Add/Edit IGMP Join Group dialog box 11-4

description 11-4

fields 11-4

Add/Edit IGMP Static Group dialog box 11-7

description 11-7

fields 11-7

Add/Edit Multicast Group dialog box 11-16

description 11-16

fields 11-16

Add/Edit Multicast Route dialog box

description 11-8

fields 11-8

Add/Edit OSPF Area dialog box 10-8

description 10-8

fields 10-8

Add/Edit OSPF Neighbor Entry dialog box 10-20

description 10-20

fields 10-20

Restrictions 10-20

Add/Edit Periodic Time Range dialog box 19-15

Add/Edit Redistribution dialog box 10-18

description 10-18

fields 10-18

Add/Edit Rendezvous Point dialog box 11-14

description 11-14

fields 11-15

restrictions 11-15

Add/Edit Route Summarization dialog box 10-10

about 10-10

fields 10-10

Add/Edit SSH Configuration dialog box 15-5

description 15-5

fields 15-5

Add/Edit Summary Address dialog box

description 10-21

fields 10-21

Add/Edit Time Range dialog box 19-14

Add/Edit Virtual Link dialog box 10-22

description 10-22

fields 10-22

Addresses tab 19-2

admin context

overview 9-2

administrative access

using ICMP for 15-13

Advanced DHCP Options dialog box 12-6

description 12-6

fields 12-7

Advanced OSPF Interface Properties dialog box 10-16

description 10-16

fields 10-16

Advanced OSPF Virtual Link Properties dialog box 10-23

description 10-23

fields 10-23

alternate address, ICMP message 15-14, 15-15

APN, GTP application inspection 23-86

APPE command, denied request 23-80

application firewall 23-93

application inspection

about 23-2

applying 23-4

configuring 23-4

described 23-58

enabling for different protocols 23-27

Apply button 2-10

Area/Networks tab 10-7

description 10-7

fields 10-7

area border router 10-4

ARP inspection

configuring 27-1

ARP spoofing 27-2

ARP table

monitoring 30-1

static entry 27-3

ASBR

definition of 10-4

ASDM

maximum connections A-5

version 2-14

authenticating a certificate 17-1

authentication

CLI access 15-24

CLI access, system 15-25

FTP 24-3

HTTP 24-2

network access 24-1

overview 14-2

Telnet 24-2

web clients 24-13

Authentication tab 10-13

description 10-13

fields 10-13

authorization

command 15-26

downloadable access lists 24-6

network access 24-5

overview 14-2

autostate messaging 4-15

B

bandwidth 2-15

limiting 9-17

maximum A-3

BGP

monitoring 10-40

booting

from the switch 4-17

boot partitions 4-16

BPDUs

forwarding on the switch 4-14

bridge groups

overview 1-16

bridging

MAC address table

learning, disabling 27-6

overview 27-4

static entry 27-6

management IP address 7-1

building blocks 19-1

bypassing the firewall, in the switch 4-9

C

CA certificate 17-1

call agents

MGCP application inspection 23-107, 23-108

Cancel button 2-10

CDUP command, denied request 23-80

CEF A-3

certificate

exporting 17-14

fingerprint 17-2

importing 17-15

installing 17-15

managing 17-5

certificate authentication 17-1

certificate enrollment 17-2

Cisco IOS versions A-2

Cisco IP Phones, application inspection 23-21

classes

See resource management

command authorization

about 15-26

configuring 15-26

multiple contexts 15-27

Compact Flash 4-16

Configure IGMP Parameters dialog box 11-5

description 11-5

fields 11-5

connection

deleting A-5

connection limits

TCP and UDP 26-1

connections per second 2-15

context mode

viewing 2-14

contexts

See security contexts

control plane path 1-17

conversion error, ICMP message 15-14, 15-15

CPU usage 2-14

CRL

cache refresh time 17-13

checking 17-13

enforce next update 17-13

retrieval method 17-12

retrieval policy 17-11

CTIQBE

application inspection, enabling 23-27

cut-through proxy 24-1

D

default class 9-19

default policy 22-2

default routes

defining equal cost routes 10-39

definition of 10-39

device ID, including in messages 16-8

DHCP

configuring 12-4

monitoring

interface lease 30-2

IP addresses 30-2

server 30-2

statistics 30-3

services 12-1

statistics 30-3

transparent firewall 20-8

DHCP relay

overview 12-1

DHCP Relay - Add/Edit DHCP Server dialog box 12-3

description 12-3, 12-4

fields 12-4

restrictions 12-3

DHCP Relay panel

description 12-1

fields 12-2

prerequisites 12-1

restrictions 12-1

DHCP Server panel 12-4

description 12-4

fields 12-5

DHCP services 12-1

digital certificates 17-1

DMZ, definition 1-1

DNS

application inspection, enabling 23-27

inspection

about 23-6

managing 23-6

rewrite, about 23-7

DNS and NAT 21-15

DNS client 12-8

downloadable access lists

configuring 24-6

converting netmask expressions 24-10

DSCP bits 1-18

dynamic NAT

See NAT

E

echo reply, ICMP message 15-13

ECMP 10-39

Edit DHCP Relay Agent Settings dialog box 12-3

description 12-3

fields 12-3

prerequisites 12-3

restrictions 12-3

Edit DHCP Server dialog box 12-6

description 12-6

fields 12-6

Edit OSPF Interface Authentication dialog box 10-13

description 10-13

fields 10-13

Edit OSPF Interface Properties dialog box 10-15

fields 10-15

Edit OSPF Process Advanced Properties dialog box 10-6

description 10-6

fields 10-6

Edit PIM Protocol dialog box 11-10

description 11-10

fields 11-10

EIGRP 20-8

enrolling

certificate 17-2

ESMTP

application inspection, enabling 23-27

established command

maximum rules A-7

security level requirements 8-1

EtherChannel, backplane

load-balancing 4-14

overview 4-14

Ethernet

MTU 8-2, 8-5

EtherType access list

applying in both directions 20-8

compatibility with extended access lists 20-2

implicit deny 20-2

MPLS, allowing 20-9

supported EtherTypes 20-8

exporting a certificate 17-14

external filtering server 25-7

F

failover

criteria 13-16, 13-22

defining standby IP addresses 13-14, 13-15

enable 13-20

enabling Active/Standby 13-11

enabling Stateful Failover 13-12

graphs 29-4

in multiple context mode 13-20

key 13-12, 13-20

make active 29-4

make standby 29-4

monitoring 29-1

PISA 26-14

reload standby 29-4

reset 29-4, 29-8

stateful 13-3

Stateful Failover 13-21

stateless 13-3

status 29-1

switch configuration 4-14

trunk 4-14

Trusted Flow Acceleration 26-9

failover groups

about 13-23

adding 13-24

editing 13-24

monitoring 29-8

reset 29-10

filtering

benefits of 25-7

maximum rules A-7

overview 25-1

rules 25-8

security level requirements 8-1

servers supported 25-2

URLs 25-2

Filtering panel 10-11

benefits 10-11

description 10-11

fields 10-11

restrictions 10-11

fingerprint

certificate 17-2

firewall mode

configuring 18-1

overview 18-1

viewing 2-14

Flash memory

overview 4-16

partitions 4-16

size A-3

fragments 1-13

FTP

application inspection

enabling 23-27

viewing 23-60, 23-62, 23-69, 23-70, 23-76, 23-77, 23-87, 23-88, 23-94, 23-101, 23-104, 23-107, 23-110, 23-112, 23-114, 23-117

filtering option 25-10

FTP inspection

about 23-8

configuring 23-8

G

gateways

MGCP application inspection 23-109

global addresses

guidelines 21-15

GRE tagging with PISA 26-14

GTP

application inspection

enabling 23-27

viewing 23-81

GTP inspection

configuring 23-10

H

H.323

transparent firewall guidelines 18-3

H.323 inspection

about 23-12

configuring 23-11

limitations 23-13

H225

application inspection, enabling 23-27

H323 RAS

application inspection, enabling 23-28

Help button 2-10

HELP command, denied request 23-80

Help menu 2-7

history metrics 7-2

HSRP 18-3

HTTP

application inspection

enabling 23-28

viewing 23-93

filtering

configuring 25-9

HTTP(S)

filtering 25-2

maximum connections A-5

maximum rules A-7

HTTP inspection

configuring 23-13

HTTPS

enabling access to ASDM 15-1

filtering option 25-10

I

ICMP

application inspection, enabling 23-28

maximum rules A-7

rules for access to ASDM 15-13

ICMP Error

application inspection, enabling 23-28

ICMP types

selecting 15-13, 15-14

IGMP

access groups 11-2

configuring interface parameters 11-5

group membership 11-3

interface parameters 11-5

static group assignment 11-6

IGMP panel

IGMP

overview 11-2

ILS

application inspection, enabling 23-28

ILS inspection 23-14

IM 23-20

import certificate panel 17-3

importing a certificate 17-15

inbound access lists 20-3

information reply, ICMP message 15-14, 15-15

information request, ICMP message 15-14, 15-15

inside, definition 1-1

inspection engines

security level requirements 8-1

See application inspection

installation

module verification 4-3

installing a certificate 17-15

Instant Messaging inspection 23-20

interface

MTU 8-2, 8-5

status 2-14

throughput 2-15

Interface panel 10-12

interfaces

maximum A-4

monitoring 30-5

See also switch ports

shared 9-6

IOS versions A-2

IP address 7-1

management, transparent firewall 7-1

IP addresses

overlapping between contexts 9-4

IP fragment database, editing 26-20

IPX 4-9

ISNs, randomizing

using Modular Policy Framework 26-1

J

Java applet filtering 25-2

Java console 3-8

Join Group panel 11-3

description 11-3

fields 11-4

K

Kerberos

configuring 14-9

support 14-6

key pair panel

key-pair name 17-4

size 17-4

usage 17-4

key pairs 17-4

adding 17-4

showing details 17-5

L

Layer 2 firewall

See transparent firewall

Layer 3/4

matching multiple policy maps 22-3

LDAP

application inspection 23-14

configuring 14-9

support 14-6

load-balancing, backplane EtherChannel 4-14

local user database

configuring 14-7

support 14-6

lockout recovery 15-34

logging

viewing last 10 messages 2-15

login

FTP 24-3

loops, avoiding 4-14

LSA

about Type 1 31-3

about Type 2 31-4

about Type 3 31-4

about Type 4 31-5

about Type 5 31-6

about Type 7 31-6

M

MAC address

Trusted Flow Acceleration 26-7

MAC address table 27-4

built-in switch 27-5

learning, disabling 27-6

monitoring 30-4

overview 27-4

static entry 27-6

managing

certificates 17-5

man-in-the-middle attack 27-2

mask reply, ICMP message 15-14, 15-15

mask request, ICMP message 15-14, 15-15

memory

access list use of 20-3

Flash A-3

RAM A-3

rules use of 20-3

memory partitions 9-10

reallocating rules 9-16

setting the total number 9-11

sizes 9-12

memory usage 2-14

menus 2-5

MGCP

application inspection

configuring 23-108

enabling 23-28

viewing 23-106

MGCP inspection

configuring 23-15

mobile redirection, ICMP message 15-14, 15-15

mode

context 9-9

Modular Policy Framework

See MPF

monitoring

ARP table 30-1

DHCP

interface lease 30-2

IP addresses 30-2

server 30-2

statistics 30-3

failover 29-1, 29-5

failover groups 29-8

history metrics 7-2

interfaces 30-5

MAC address table 30-4

routes 31-9

MPF

about 22-1

default policy 22-2

features 22-1

flows 22-3

matching multiple policy maps 22-3

MPLS

LDP 20-9

router-id 20-9

TDP 20-9

MRoute panel 11-9

description 11-7

fields 11-7

MSFC

definition A-2

overview 1-15

SVIs 4-9

MTU 8-2, 8-5

Multicast panel

description 11-1

fields 11-1

Multicast Route panel 11-9

multicast traffic 18-3

Multilayer Switch Feature Card

See MSFC

multiple mode, enabling 9-9

multiple SVIs 4-8

N

N2H2 filtering server 25-7

name resolution 12-8

NAT

application inspection 23-58

bypassing NAT

overview 21-10

DNS 21-15

dynamic NAT

configuring 21-24

implementation 21-18

overview 21-6

exemption from NAT

overview 21-10

identity NAT

overview 21-10

order of statements 21-14

overview 21-1

PAT

configuring 21-24

implementation 21-18

overview 21-8

policy NAT

maximum rules A-7

overview 21-10

RPC not supported with 23-24

same security level 21-14

security level requirements 8-1

static NAT

configuring 21-27

overview 21-8

static PAT

overview 21-9

transparent mode 21-3

types 21-6

xlate bypass

overview 21-13

NETBIOS

application inspection, enabling 23-28

network objects 19-1

network processors 1-17

NPs 1-17

NTLM support 14-5

NT server

configuring 14-9

support 14-5

O

object groups

expanded 20-3

Options menu 2-6

OSPF

about 10-4

adding an LSA filter 10-11

authentication settings 10-13

authentication support 10-4

configuring authentication 10-13

defining a static neighbor 10-20

defining interface properties 10-15

interaction with NAT 10-4

interface properties 10-12, 10-14

LSA filtering 10-11

LSAs 10-4

LSA types 31-3

monitoring LSAs 31-3

neighbor states 31-7

route redistribution 10-17

static neighbor 10-19

summary address 10-20

virtual links 10-22

OSPF area

defining 10-7

OSPF Neighbors panel 31-7

description 31-7

fields 31-7

OSPF parameters

dead interval 10-16

hello interval 10-16

retransmit interval 10-16

transmit delay 10-16

OSPF route summarization

about 10-9

defining 10-10

outbound access lists 20-3

outside, definition 1-1

oversubscribing resources 9-18

P

packet

classifier 9-3

parameter problem, ICMP message 15-14, 15-15

partitions

application 4-16

boot 4-16

crash dump 4-16

Flash memory 4-16

maintenance 4-16

network configuration 4-16

PAT

See NAT

PDP context, GTP application inspection 23-84

PIM

interface parameters 11-9

overview 11-9

register message filter 11-16

rendezvous points 11-14

shortest path tree settings 11-18

PISA integration 26-12

policy map

Layer 3/4

flows 22-3

policy NAT

about 21-10

PortFast 4-5

PPTP

application inspection, enabling 23-28

Process Instances tab 10-5

description 10-5

fields 10-5

Properties tab 10-14

description 10-14

fields 10-14

Protocol panel (IGMP) 11-5

description 11-5

fields 11-5

Protocol panel (PIM) 11-9

description 11-9

fields 11-10

proxy ARP, disabling 10-43

proxy servers

SIP and 23-19

Q

QoS compatibility 1-18

R

RADIUS

configuring a server 14-9

downloadable access lists 24-6

network access authentication 24-3

network access authorization 24-6

support 14-4

RAM, amount

memory, amount

RAM 2-14

rapid link failure detection 4-15

RealPlayer 23-18

rebooting

from the switch 4-17

redirect, ICMP message 15-13, 15-15

Redistribution panel 10-17

description 10-17

fields 10-17

Related Documentation 1-iv

reloading

from the switch 4-17

Rendezvous Points panel 11-14

description 11-14

fields 11-14

Request Filter panel 11-16

description 11-16

fields 11-16

requirements A-2

reset

inbound connections 26-20

outside connections 26-20

Reset button 2-10

resetting

from the switch 4-17

resource management

default class 9-19

oversubscribing 9-18

overview 9-18

unlimited 9-18

RIP

authentication 10-24

definition of 10-24

support for 10-24

RIP panel 10-24

fields 10-25

limitations 10-24

RIP Version 2 Notes 10-25

RNFR command, denied request 23-80

RNTO command, denied request 23-80

router advertisement, ICMP message 15-13, 15-14, 15-15

router solicitation, ICMP message 15-14, 15-15

Routes panel 31-9

description 31-9

fields 31-9

Route Summarization tab 10-9

about 10-9

fields 10-9

Route Tree panel 11-18

description 11-18

fields 11-18

routing

other protocols 20-7

RPC

application inspection, enabling 23-28

RSH

application inspection, enabling 23-28

RSH connections A-5

RTSP

application inspection, enabling 23-28

RTSP inspection

about 23-18

configuring 23-18

rules

default allocation A-7

filtering 25-7

ICMP 15-13

maximum 20-3

memory partitions 9-10

pools for contexts A-7

reallocating memory A-7

reallocating memory per partition 9-16

S

same security level communication

NAT 21-14

SCCP (Skinny) inspection

about 23-21

configuration 23-21

configuring 23-21

SDI

configuring 14-9

support 14-5

Secure Computing SmartFilter 25-2

Secure Copy panel 15-9

description 15-9

fields 15-9

limitations 15-9

Secure Shell panel

description 15-4

fields 15-5

security contexts

admin context

overview 9-2

classifier 9-3

command authorization 15-27

memory partitions 9-10

MSFC compatibility 1-16

multiple mode, enabling 9-9

overview 9-1

resource management 9-18

unsupported features 9-2

segment size

maximum and minimum 26-20

session management path 1-17

Setup panel 10-5

about 10-5

shared interfaces 9-6

shared VLANs 9-6

single mode

backing up configuration 9-9

configuration 9-9

enabling 9-9

restoring 9-9

SIP

application inspection, enabling 23-28

SIP inspection

about 23-19

configuring 23-19

instant messaging 23-20

SITE command, denied request 23-80

Skinny

application inspection, enabling 23-28

SMTP inspection 23-22

SNMP

application inspection

enabling 23-28

viewing 23-124

software

version 2-14

source quench, ICMP message 15-15

source-quench, ICMP message 15-13

SPAN session 4-2

specifications A-1

spoofing, preventing 26-19

SQLNET

application inspection, enabling 23-28

SSH

maximum rules A-7

stateful application inspection 23-58

Stateful Failover 13-3

enabling 13-12

Logical Updates Statistics 29-7, 29-9

settings 13-21

stateful inspection

overview 1-17

stateless failover 13-3

Static Group panel 11-6

description 11-6

fields 11-6

static NAT

See NAT

Static Neighbor panel 10-19

description 10-19

fields 10-19

static PAT

See NAT

static routes

about 10-38

floating 10-38

status bar 2-9

stealth firewall

See transparent firewall

STOU command, denied request 23-80

subordinate certificate 17-1

Summary Address panel 10-20

description 10-20

fields 10-20

Sun RPC inspection

about 23-24

configuring 23-24

supervisor engine versions A-2

supervisor IOS A-2

SVIs

configuring 4-10

dummy 4-15

multiple 4-8

overview 4-8

switch

ASDM

prerequisite configuration 4-3

supported features 4-1

assigning VLANs to FWSM 4-11

autostate messaging 4-15

BPDU forwarding 4-14

connecting to 4-4

failover compatibility with transparent firewall 4-14

failover configuration 4-14

maximum modules A-3

resetting the module 4-17

SNMP 4-3

SSH 4-3

supported hardware and software 4-2

system requirements A-2

trunk for failover 4-14

verifying module installation 4-3

VLAN addition 4-10

switched virtual interfaces

See SVIs

Switch Fabric Module A-3

switch MAC address table 27-5

switch port

secured 4-6

switch ports

administrative state 4-5

mode 4-5

overview 4-5

PortFast 4-5

speed 4-5

VLAN assignment 4-6

system configuration

overview 9-2

system execution space

session authentication 15-25

system messages

device ID, including 16-8

viewing last 10 2-15

system requirements A-2

T

TACACS+

command authorization, configuring 15-29

configuring a server 14-9

network access authorization 24-5

support 14-4

TCP

application inspection 23-58

back-to-back connections A-5

connection, deleting A-5

maximum segment size 26-20

sequence randomization 26-11

TIME_WAIT state 26-20

Telnet

authentication

session from switch 15-25

system execution space 15-25

maximum rules A-7

TFTP

application inspection, enabling 23-28

TIME_WAIT state 26-20

time exceeded, ICMP message 15-13, 15-14, 15-15

timestamp reply, ICMP message 15-14, 15-15

timestamp request, ICMP message 15-14, 15-15

Tools menu 2-6

traffic usage 2-15