© 2004, Cisco Systems, Inc. All rights reserved. CSPFA 3.221-1 Lesson 21 Firewall Services Module.

Lesson 21: Firewall Services Module


Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
- Describe the FWSM features and benefits.
- Explain the similarities and differences between the FWSM and the PIX Firewall.
- Describe a typical deployment scenario for the FWSM.
- Initialize the FWSM.
- Configure the switch VLANs.
- Configure the FWSM interfaces.
- Prepare the FWSM to work with PDM.
- Install PDM on the FWSM.

FWSM Overview

FWSM Key Features
- Brings switching and firewall into a single chassis.
- Based on PIX Firewall technology.
- Supports up to 100 firewall VLANs.
- Supports the entire PIX Firewall 6.0 feature set and some 6.2 features.
- No license required.
- 5-Gbps throughput, full duplex.
- 1 million concurrent connections.
- Multiple blades supported in one chassis.

FWSM Key Features (Cont.)
- Dynamic routing via RIP and OSPF.
- High availability via intra- or interchassis stateful failover.
- Management available via CLI, PDM, PIX MC, and AVVID partners.
- Supports secure, out-of-band management via IPSec on the management VLAN.

FWSM and PIX Firewall Feature Comparison

FWSM and PIX Firewall Feature Comparison (Cont.)

Cisco Catalyst 6500 Switch Requirements

The FWSM has the following requirements for the Catalyst 6500 switch:
- Supervisor Engine 2 with Multilayer Switch Feature Card 2.
- Native Cisco IOS Software Release 12.1(13)E or later.
- Hybrid Catalyst OS Software Release 7.5(1) or later.

Network Model

Firewall with the FWSM

[Figure: Firewall with the FWSM. Elements shown: Catalyst switch containing the MSFC and the FWSM; Router 1 and Router 2; Web/FTP server; Internet; VLAN 100 Inside (security 100); VLAN 200 Outside (security 0); DMZ VLANs (security 40 and security 50); VLAN 202.]

Packet Flow with MSFC as Connected Router on Inside

[Figure: packet flow through the Catalyst chassis with the MSFC as the connected router on the Inside interface. Elements shown: MSFC, FWSM, Outside, DMZ, DMZ1 (VLAN 101), Inside.]

Packet Flow with MSFC as Connected Router on Inside (Cont.)

[Figure: continuation of the previous packet-flow diagram. Elements shown: MSFC, FWSM, Outside, DMZ, DMZ1 (VLAN 101), Inside.]

Packet Flow with MSFC Not Used as Connected Router on Any Firewall Interface

[Figure: packet flow through the Catalyst chassis when the MSFC is not the connected router on any firewall interface. Elements shown: MSFC, FWSM, Outside, DMZ, Inside.]

Getting Started

Getting Started with the FWSM

Before you can begin configuring the FWSM, you must complete the following tasks:
- Initialize the FWSM.
- Configure the switch VLANs.
- Configure the FWSM interfaces.

Initializing the FWSM

To initialize the FWSM, log in to the module root account and configure the following:
- IP address
- Subnet mask
- IP broadcast address
- IP host name
- Default gateway
- Domain name
- DNS server (if using a DNS server)

FWSM Initialization Commands

Router# session slot mod {processor processor-id}
    Establishes a console session with the module.

FWSM(config)# ip address ip-address netmask
    Configures the IP address and subnet mask for the module.

FWSM(config)# ip broadcast broadcast-address
    Configures the IP broadcast address for the module.

FWSM(config)# ip host hostname
    Configures the IP host name used in the CLI prompt, show commands, and log messages.

FWSM Initialization Commands (Cont.)

FWSM(config)# ip gateway gateway-address
    Configures the default gateway for the module.

FWSM(config)# ip domain domain-name
    Configures the domain name for the module.

FWSM(config)# ip nameserver name-server1 [name-server2] [name-server3]
    Configures one or more IP addresses as DNS servers.

Initializing the FWSM Example

Router# session slot 9 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying
Open

Cisco Maintenance Image
login: root
Password:
Maintenance image version: 1.1(0.3)
FWSM(config)# ip host MYFWSM
MYFWSM(config)# ip address
MYFWSM(config)# ip broadcast
MYFWSM(config)# ip gateway
MYFWSM(config)# ip domain cisco.com
MYFWSM(config)# ip nameserver

Configuring the Switch VLAN

Router(config)# vlan vlan_number
                no shut
    Creates VLANs.

Router(config)# interface vlan vlan_number
    Defines a controlled VLAN on the MSFC.

Router(config-vlan)# firewall vlan-group firewall_group vlan_range
    Creates a firewall group of controlled VLANs.

Router(config-vlan)# firewall module module_number vlan-group firewall_group
    Attaches the VLAN and firewall group to the slot where the FWSM is located.

Router(config-vlan)# end
    Updates the VLAN database and returns you to privileged EXEC mode.

Switch VLAN Configuration Example

Router(config)# interface vlan 100
Router(config)# vlan 200
                no shut
Router(config-vlan)# vlan 100
                     no shut
Router(config-vlan)# vlan 101
                     no shut
Router(config-vlan)# vlan 102
                     no shut
Router(config-vlan)# firewall vlan-group 3 100,101,102,200
Router(config-vlan)# firewall module 3 vlan-group 3
Router(config-vlan)# end
Router(config)#

Configuring the FWSM Interfaces

fwsm(config)# nameif vlan_id if_name security_level
    Assigns a name and security level to each interface on the module.

fwsm(config)# ip address if_name ip_address [netmask]
    Configures an IP address and netmask for each module interface.

Example:

fwsm(config)# nameif vlan100 inside security100
fwsm(config)# nameif vlan101 dmz40 security40
fwsm(config)# nameif vlan102 dmz50 security50
fwsm(config)# nameif vlan200 outside security0
fwsm(config)# ip address inside
fwsm(config)# ip address dmz
fwsm(config)# ip address dmz
fwsm(config)# ip address outside
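The switch-side VLAN group and the module-side interface assignments are configured on two different devices, so a mismatch (a VLAN handed to the FWSM with no interface, or an interface on a VLAN the switch never gave it) is easy to miss. The following added consistency check is not from the lesson or from Cisco; it takes constructed copies of the two configurations above, assumes the FWSM 1.1 nameif vlanN if_name securityN syntax, and reports every disagreement before PDM or traffic testing begins:

```python
import re

# Constructed sample of the switch-side commands from the lesson (not real switch output).
SWITCH_CONFIG = """
firewall vlan-group 3 100,101,102,200
firewall module 3 vlan-group 3
"""

# Constructed sample of the FWSM-side interface assignments (nameif syntax assumed).
FWSM_CONFIG = """
nameif vlan100 inside security100
nameif vlan101 dmz40 security40
nameif vlan102 dmz50 security50
nameif vlan200 outside security0
"""

def parse_vlan_groups(text):
    """Return {group_id: set(vlan)} from 'firewall vlan-group' lines; ranges such as 100-102 expand."""
    groups = {}
    for m in re.finditer(r"^firewall vlan-group (\d+) (\S+)", text, re.M):
        vlans = set()
        for part in m.group(2).split(","):
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
        groups[int(m.group(1))] = vlans
    return groups

def parse_nameif(text):
    """Return {vlan: (if_name, security_level)} from FWSM 'nameif' lines."""
    return {int(m.group(1)): (m.group(2), int(m.group(3))) for m in
            re.finditer(r"^nameif vlan(\d+) (\S+) security(\d+)", text, re.M)}

def check_fwsm(switch_cfg, fwsm_cfg, slot):
    """Return a list of findings; an empty list means switch and module agree."""
    m = re.search(rf"^firewall module {slot} vlan-group (\d+)", switch_cfg, re.M)
    groups = parse_vlan_groups(switch_cfg)
    if m is None or int(m.group(1)) not in groups:
        return [f"no firewall vlan-group attached to module {slot}"]
    group_id = int(m.group(1))
    switch_vlans, ifaces = groups[group_id], parse_nameif(fwsm_cfg)
    findings = [f"vlan {v} is in vlan-group {group_id} but has no nameif on the FWSM"
                for v in sorted(switch_vlans - set(ifaces))]
    findings += [f"vlan {v} has a nameif but is not in vlan-group {group_id}"
                 for v in sorted(set(ifaces) - switch_vlans)]
    levels = [lvl for _, lvl in ifaces.values()]
    if levels.count(0) != 1:
        findings.append("expected exactly one security0 (outside) interface")
    if len(set(levels)) != len(levels):
        findings.append("duplicate security levels: same-level interfaces cannot pass traffic")
    return findings
```

Run check_fwsm(SWITCH_CONFIG, FWSM_CONFIG, 3) against configurations captured from both devices; an empty result means every firewall VLAN has exactly one named interface and the security levels are distinct.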

Using PDM with the FWSM

PDM and the FWSM

Like the PIX Firewall, the FWSM can be configured and monitored by PDM; however, use of PDM with the FWSM has the following limitations:
- The FWSM supports only PDM version 2.1.
- The Startup Wizard and VPN Wizard are not available.
- OSPF and VPN configuration commands specific to the FWSM are not supported by PDM.

Preparing the FWSM for PDM

Complete the following steps to prepare the FWSM to use PDM:
1. Verify that the FWSM is installed in the switch.
2. Verify that you have configured the firewall VLAN on the MSFC.
3. Verify that the module is recognized by the switch.
4. Verify that you have completed the basic FWSM configuration described earlier in this chapter.
5. Telnet to the module and enter configuration mode.
6. Execute the setup command and follow the instructions.
7. Use the copy tftp flash command to install the PDM image.

Using PDM with the FWSM

Start PDM by entering the FWSM's IP address in your browser as follows: the address entered is the IP address of one of the VLAN interfaces on the module.

Troubleshooting the FWSM

Status LED

Resetting and Rebooting the FWSM

Router(config)# hw-mod module module_number reset
    Resets and reboots the FWSM.

Example:

Router(config)# hw-mod module 9 reset
Proceed with reload of module? [confirm] y
% reset issued for module 9

Memory Test

Router(config)# hw-module module module_number mem-test-full
    Configures the FWSM to perform a full memory test when it initially boots.

Example:

Router(config)# hw-module module 9 mem-test-full


Summary
- The FWSM is a line card for the Cisco Catalyst 6500 family of switches and the Cisco 7600 Series Internet routers.
- The FWSM is a high-performance firewall solution based on PIX Firewall technology.
- The FWSM supports all features of PIX Firewall Software Version 6.0 and some features of 6.2.
- The FWSM offers support for 100 VLANs and OSPF.
- The FWSM supports inter- and intrachassis failover.
- PDM can be used to configure and monitor the FWSM.