Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant
to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required
to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not
installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to
comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable
protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
Modifying the equipment without Cisco’s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital
devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television
communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its
peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:
• Move the equipment to one side or the other of the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits
controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and
iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco
Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation,
Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ
Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing,
ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered
trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0502R)
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
Copyright © 2002-2003, Cisco Systems, Inc.
All rights reserved.
Copyright Notices
Third-party software used under license accompanies the Cisco Firewall Service Module Software release 1.1(2). One or more of the following notices may apply in
connection with the license and use of such third-party software.
The Catalyst 6500 and Cisco 7600 Series Firewall Service Module contains software covered under the GNU Public License (listed below). If you would like to obtain the
source for the modified GPL code in the Firewall Service Module, please send a request to [email protected].
License Text
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your
freedom to share and change free software—to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation’s
software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License
instead.) You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies
of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new
free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain
responsibilities for you if you distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they,
too, receive or can get the source code. And you must show them these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the
software.
Also, for each author’s protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by
someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original
authors’ reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent
licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone’s free use or not licensed at all.
The precise terms and conditions for copying, distribution and modification follow.
0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General
Public License. The “Program,” below, refers to any such program or work, and a “work based on the Program” means either the Program or any derivative work under
copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter,
translation is included without limitation in the term “modification”.) Each licensee is addressed as “you.”
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and
the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that
is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program’s source code as you receive it, in any medium, provided that you conspicuously and appropriately publish
on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give
any other recipients of the Program a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work
under the terms of Section 1 above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at
no charge to all third parties under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to
print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users
may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not
normally print such an announcement, your work based on the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered
independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions
for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution
of derivative or collective works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution
medium does not bring the other work under the scope of this License.
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided
that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution,
a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software
interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution
and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code
for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special
exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel,
and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same
place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or
distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this
License will not have their licenses terminated so long as such parties remain in full compliance.
5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative
works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you
indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or
modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not
responsible for enforcing compliance by third parties to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether
by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so
as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For
example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way
you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is
intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole
purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions
to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the
Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries
not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the
present version, but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and “any later version”, you have the
option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version
number of this License, you may choose any version ever published by the Free Software Foundation.
10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software
which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the
two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM
“AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU
ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO
MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL,
SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT
LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE
PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. END OF TERMS AND CONDITIONS.
C O N T E N T S
Audience xiii
Organization xiii
Conventions xiv
Safety Overview xv
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 vii
Contents
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
viii 78-14450-02
Contents
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 ix
Contents
Telnet C-30
Configuration C-35
PDM C-38
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
x 78-14450-02
Contents
SNMP C-42
DHCP C-43
VPN C-43
OSPF C-46
Shun C-51
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 xi
Contents
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
xii 78-14450-02
Preface
This preface describes who should read the Catalyst 6500 Series and 7600 Series Firewall Services
Module Installation and Configuration Note, how it is organized, and its document conventions.
Note Except where specifically differentiated, the term “Catalyst 6500 series switches” includes the Catalyst
6500 series switches and the Cisco 7600 Series Internet Router.
This publication does not contain the instructions to install the Catalyst 6500 series switch or Cisco 7600
Series Internet Router chassis. For information on installing the switch chassis, refer to the Catalyst 6500
Series Installation Guide or the Catalyst 7600 Series Internet Router Installation Guide.
Note For translations of the warnings in this publication, see the “Safety Overview” section on page xv.
Audience
Only trained and qualified service personnel (as defined in IEC 60950 and AS/NZS3260) should install,
replace, or service the equipment described in this publication.
Organization
This publication is organized as follows:
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 xiii
Preface
Conventions
Conventions
This publication uses the following conventions:
Convention Description
boldface font Commands, command options and keywords are in
boldface.
italic font Arguments for which you supply values are in italics.
[ ] Elements in square brackets are optional.
{x|y|z} Alternative keywords are grouped in braces and
separated by vertical bars.
[x|y|z] Optional alternative keywords are grouped in brackets
and separated by vertical bars.
string A nonquoted set of characters. Do not use quotation
marks around the string or the string will include the
quotation marks.
screen font Terminal sessions and information the system displays
are in screen font.
boldface screen Information you must enter is in boldface screen font.
font
italic screen font Arguments for which you supply values are in italic
screen font.
^ The symbol ^ represents the key labeled Control—for
example, the key combination ^D in a screen display
means hold down the Control key while you press the D
key.
< > Nonprinting characters, such as passwords are in angle
brackets.
Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the
publication.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
xiv 78-14450-02
Preface
Safety Overview
Tip Means the following information will help you solve a problem. The tips information might not be
troubleshooting or even an action, but it could be useful information, similar to a Timesaver.
Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.
Safety Overview
Safety warnings appear throughout this publication in procedures that, if performed incorrectly, may
harm you. A warning symbol precedes each warning statement.
Warning This warning symbol means danger. You are in a situation that could cause bodily injury.
Before you work on any equipment, be aware of the hazards involved with electrical
circuitry and be familiar with standard practices for preventing accidents. To see
translations of the warnings that appear in this publication, refer to the Regulatory
Compliance and Safety Information document that accompanied this device.
Warning VaroitusTämä varoitusmerkki merkitsee vaaraa. Olet tilanteessa, joka voi johtaa
ruumiinvammaan. Ennen kuin työskentelet minkään laitteiston parissa, ota selvää
sähkökytkentöihin liittyvistä vaaroista ja tavanomaisista onnettomuuksien
ehkäisykeinoista. Tässä julkaisussa esiintyvien varoitusten käännökset löydät laitteen
mukana olevasta Regulatory Compliance and Safety Information -kirjasesta (määräysten
noudattaminen ja tietoa turvallisuudesta).
Warning AttentionCe symbole d'avertissement indique un danger. Vous vous trouvez dans une
situation pouvant causer des blessures ou des dommages corporels. Avant de travailler
sur un équipement, soyez conscient des dangers posés par les circuits électriques et
familiarisez-vous avec les procédures couramment utilisées pour éviter les accidents.
Pour prendre connaissance des traductions d’avertissements figurant dans cette
publication, consultez le document Regulatory Compliance and Safety Information
(Conformité aux règlements et consignes de sécurité) qui accompagne cet appareil.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 xv
Preface
Safety Overview
Warning WarnungDieses Warnsymbol bedeutet Gefahr. Sie befinden sich in einer Situation, die
zu einer Körperverletzung führen könnte. Bevor Sie mit der Arbeit an irgendeinem Gerät
beginnen, seien Sie sich der mit elektrischen Stromkreisen verbundenen Gefahren und
der Standardpraktiken zur Vermeidung von Unfällen bewußt. Übersetzungen der in
dieser Veröffentlichung enthaltenen Warnhinweise finden Sie im Dokument Regulatory
Compliance and Safety Information (Informationen zu behördlichen Vorschriften und
Sicherheit), das zusammen mit diesem Gerät geliefert wurde.
Warning AdvarselDette varselsymbolet betyr fare. Du befinner deg i en situasjon som kan føre til
personskade. Før du utfører arbeid på utstyr, må du vare oppmerksom på de
faremomentene som elektriske kretser innebærer, samt gjøre deg kjent med vanlig
praksis når det gjelder å unngå ulykker. Hvis du vil se oversettelser av deadvarslene som
finnes i denne publikasjonen, kan du se i dokumentet Regulatory Compliance and Safety
Information (Overholdelse av forskrifter og sikkerhetsinformasjon) som ble levert med
denne enheten.
Warning AvisoEste símbolo de aviso indica perigo. Encontra-se numa situação que lhe poderá
causar danos físicos. Antes de começar a trabalhar com qualquer equipamento,
familiarize-se com os perigos relacionados com circuitos eléctricos, e com quaisquer
práticas comuns que possam prevenir possíveis acidentes. Para ver as traduções dos
avisos que constam desta publicação, consulte o documento Regulatory Compliance and
Safety Information (Informação de Segurança e Disposições Reguladoras) que
acompanha este dispositivo.
Warning ¡Advertencia!Este símbolo de aviso significa peligro. Existe riesgo para su integridad
física. Antes de manipular cualquier equipo, considerar los riesgos que entraña la
corriente eléctrica y familiarizarse con los procedimientos estándar de prevención de
accidentes. Para ver una traducción de las advertencias que aparecen en esta
publicación, consultar el documento titulado Regulatory Compliance and Safety
Information (Información sobre seguridad y conformidad con las disposiciones
reglamentarias) que se acompaña con este dispositivo.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
xvi 78-14450-02
Preface
Related Documentation
Warning Varning!Denna varningssymbol signalerar fara. Du befinner dig i en situation som kan
leda till personskada. Innan du utför arbete på någon utrustning måste du varamedveten
om farorna med elkretsar och känna till vanligt förfarande för att förebygga skador. Se
förklaringar av de varningar som förkommer i denna publikation i dokumentet Regulatory
Compliance and Safety Information (Efterrättelse av föreskrifter och
säkerhetsinformation), vilket medföljer denna anordning.
Related Documentation
For more detailed installation and configuration information, refer to the following publications:
• For additional information about the Catalyst 6500 and Cisco 7600 Series Firewall Services
Module, refer to the Release Notes for Catalyst 6500 and Cisco 7600 Series Firewall Services
Module Software Release 1.1.
• For additional information about Catalyst 6500 series switches and command-line interface (CLI)
commands, refer to the following:
– Site Preparation and Safety Guide
– Regulatory Compliance and Safety Information for the Catalyst 6500 Series and Cisco 7600
series Switches
– Catalyst 6500 Series Switch Installation Guide
– Catalyst 6500 Series Switch Quick Software Configuration Guide
– Catalyst 6500 Series Switch Module Installation Guide
– Catalyst 6500 Series Switch Software Configuration Guide
– Catalyst 6500 Series Switch Command Reference
– Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide
– Catalyst 6500 Series Switch Cisco IOS Command Reference
– ATM Software Configuration and Command Reference—Catalyst 5000 Family and
Catalyst 6500 Series Switches
– System Message Guide—Catalyst 6500 Series, 5000 Family, 4000 Family, 2926G Series,
2948G, and 2980G Switches
– For information about MIBs, refer to this URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
– Release Notes for Catalyst 6500 Series Switches and Cisco 7600 Internet Router for Cisco IOS
Release 12.1(13)E
– Cisco IOS Configuration Guides and Command References—Use these publications to help
you configure the Cisco IOS software that runs on the MSFC and on the MSM and ATM
modules.
– For detailed hardware configuration and maintenance procedures, refer to the Catalyst 6500
Family Module Installation Guide.
• The following documents are available for the Catalyst 6500 family switches running
Catalyst operating system software:
– Release Notes for Catalyst 6000 Family Software Release 7.x
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 xvii
Preface
Obtaining Documentation
Obtaining Documentation
Cisco provides several ways to obtain documentation, technical assistance, and other technical
resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
International Cisco web sites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM
package, which may have shipped with your product. The Documentation CD-ROM is updated monthly
and may be more current than printed documentation. The CD-ROM package is available as a single unit
or through an annual subscription.
Registered Cisco.com users can order the Documentation CD-ROM (product number
DOC-CONDOCCD=) through the online Subscription Store:
http://www.cisco.com/go/subscription
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
xviii 78-14450-02
Preface
Obtaining Technical Assistance
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from
the Networking Products MarketPlace:
http://www.cisco.com/en/US/partner/ordering/index.shtml
• Registered Cisco.com users can order the Documentation CD-ROM (Customer Order Number
DOC-CONDOCCD=) through the online Subscription Store:
http://www.cisco.com/go/subscription
• Nonregistered Cisco.com users can order documentation through a local account representative by
calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere
in North America, by calling 800 553-NETS (6387).
Documentation Feedback
You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click
Feedback at the top of the page.
You can e-mail your comments to [email protected].
You can submit your comments by mail by using the response card behind the front cover of your
document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Cisco.com
Cisco.com offers a suite of interactive, networked services that let you access Cisco information,
networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com provides a broad range of features and services to help you with these tasks:
• Streamline business processes and improve productivity
• Resolve technical issues with online support
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 xix
Preface
Obtaining Technical Assistance
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
xx 78-14450-02
Preface
Obtaining Additional Publications and Information
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 xxi
Preface
Obtaining Additional Publications and Information
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
xxii 78-14450-02
C H A P T E R 1
Overview
This chapter describes the Catalyst 6500 Series Firewall Services Module, how it operates, and how to
manage it. This chapter contains these sections:
• Before You Begin, page 1-2
• Understanding How the Firewall Services Module Works, page 1-3
• Feature Set, page 1-8
• Specifications and System Limitations, page 1-9
• Front Panel Description, page 1-11
• Hardware Specifications, page 1-12
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 1-1
Chapter 1 Overview
Before You Begin
Yes
Is the Catalyst 6500 Information about the module
switch installed on Release Notes for in this release
your network? Catalyst 6500
Begin to Series Firewall
install Overview
Services Module
No the FWSM Software Release
1.1
Installing the Hardware
Catalyst 6500
Configuring Firewall Services
Series Firewall
Install and Series Module
configure Installation and
the FWSM Administering the module
Configuration Note
Troubleshooting
Tips
79685
Note The Firewall Services Module uses many of the same commands as the PIX application software.
Table A-1 lists the PIX commands used by the module.
Table A-2 lists the Cisco IOS commands for the module.
Table A-4 lists the new commands specific to the module. These commands are described in
Appendix B, “Command Reference.”
Table A-5 lists the PIX commands that were changed for the module.
Table A-6 lists the PIX commands that are not used by the module.
Table A-7 lists the PIX commands used by the module and their PIX version.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
1-2 78-14450-02
Chapter 1 Overview
Understanding How the Firewall Services Module Works
Note The term inside refers to networks or network resources protected by the firewall. The term outside refers
to networks not protected by the firewall.
You also can protect one or more networks, known as demilitarized zones (DMZs). DMZs are those
portions of the network that contain resources that you may want to allow access to for specified users.
Access to a DMZ is usually more restricted than access to the outside network, but less restricted than
access to the inside network.
A DMZ allows you to protect your network resources that need to be accessed by users on the public
Internet, for example, mail servers or web servers. By placing them in a DMZ, you obtain some
protection without jeopardizing the resources on your internal network.
Connections between the inside and outside and DMZ networks are controlled by the module through
the firewall using a network-modeled protection scheme based upon a configuration and security policy.
By implementing a security policy, you can ensure that all traffic from the protected networks only
passes through the firewall to the unprotected network. You also can control who accesses the networks
and with which services. Features on the module allow you to control how your security policy is used.
The security policy determines the security level, which allows you to isolate networks that are assigned
the same security level from each other. To route traffic between different networks, you assign each
network a different security level. A lower security level provides less protection for the interface than
a higher security level. The security levels to your networks can range from 0 to 100.
All interfaces connecting the inside, outside, and DMZ networks through the module are virtual and
logical Layer 3 interfaces consisting of a VLAN, an IP address, and a security level. The module
supports 100 firewall interfaces. All traffic between these VLANs is protected and controlled. Because
the module supports multiple interfaces, you can create one or more DMZ networks.
The Firewall Services Module is a fabric-enabled module that connects to both the Catalyst 6500 bus
and the Switch Fabric Module if one is present. A Switch Fabric Module is not required for the Firewall
Services Module to function.
The module has a 6-Gbps dot1q EtherChannel connection to the backplane where the hosts of the various
security zones are connected to ports on the Catalyst 6500 chassis.
The module can be configured in a multiple, failover, or redundant configuration.
Figure 1-1 shows a firewall configuration. The Multilayer Switch Feature Card (MSFC) is used as a
router on the network inside the firewall. The MSFC is connected to only one of the controlled firewall
interfaces. All other router interfaces configured on the MSFC are considered to be the same security
level as the interface to which the MSFC is connected. For example, traffic between VLAN 201 and
VLAN 202 is routed directly.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 1-3
Chapter 1 Overview
Understanding How the Firewall Services Module Works
Router 1
Internet
209.165.201.2/24
Outside (0)
(VLAN200)
Catalyst 209.165.201.1 (VLAN102)
(VLAN101) 6500
Router 2 DMZ (10) DMZ (20) Router 3
192.2.1.1 192.1.1.1
192.2.1.3 192.1.1.2
FWSM
10.1.1.2/8
20.1.1.1/8 30.1.1.1/8
10.1.1.3/8 10.1.1.4/8
10.2.1.1/8 10.3.1.1/8
77115
(VLAN201) (VLAN202)
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
1-4 78-14450-02
Chapter 1 Overview
Understanding How the Firewall Services Module Works
MSFC
Catalyst
6500
Inside
Inside
4100
100
DMZ1 101
DMZ1 4101
DMZ1 4102 DMZ2 4102
Inside 100 Inside 4100
77116
Redundancy Failover
The failover configuration has these features:
• A dedicated logical interface is created for failover communication. No failover cable is required in
this configuration as is required in the PIX configuration.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 1-5
Chapter 1 Overview
Understanding How the Firewall Services Module Works
Note You must add the dedicated logical VLAN to the VLAN group using the firewall
vlan-group command and activate the dedicated VLAN using the VLAN [X] state active
command.
• All firewall interfaces between the active module and standby module are separated from each other
in Layer 2. The interfaces on the active module must be present on the standby module and the trunk
must be configured to pass all VLANs.
• Both the active module and the standby module have corresponding interfaces in the same VLAN.
• When the active module fails, the switchover to the standby module is transparent to other nodes in
the network. After switchover, all interfaces on the new active module have the IP addresses and the
MAC addresses of the interfaces of the failed module.
The module can be configured to use stateful failover as shown in Figure 1-3. Stateful failover allows
you to maintain the operating state for the connection during the failover from the primary module to the
standby module.
MSFC
Catalyst
6500
Failover
DMZ2 102
When a failover occurs, each module changes its state. The new active module begins accepting traffic.
The new standby module assumes the failover IP and MAC addresses of the module that was previously
the active module. Because network devices do not detect a change in these addresses, there are no ARP
entries changed nor is there a time out anywhere on the network.
Be sure that both modules have the same software version, VLAN configuration, Flash memory, and
RAM; if not, the configuration copied to the standby module will not work. After you configure the
primary module and provide the failover link, the primary module automatically copies the configuration
over to the standby module.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
1-6 78-14450-02
Chapter 1 Overview
Understanding How the Firewall Services Module Works
Note We recommend that you separate the failover and logical update interfaces into separate links. Packets
on the failover link are tagged with a higher priority for QOS. Because stateful traffic can be high in
volume, the advantages of prioritizing failover traffic are lost by keeping both the failover link and
failover LAN interfaces the same.
Figure 1-4 shows two modules located in separate chassis: one module is designated as the active module
and the other module is designated as the standby module.
MSFC MSFC
Catalyst Catalyst
6500 6500
Inside
100
6 Gig (dot1q)
Outside EtherChannel
Failover
Failover
VLAN200 (optional)
DMZ2
VLAN102
DMZ1
VLAN101
Inside
VLAN100
6 Gig (dot1q) 6 Gig (dot1q)
EtherChannel EtherChannel
FWSM FWSM
active standby
• A dedicated logical interface is created for failover communication. No failover cable is required in
this configuration as is required in the PIX configuration.
• All firewall interfaces between the active module and the standby module are separated from each
other by Layer 2 requiring at least a 1-Gigabit link between them. Performance is limited to the link
throughput. For better performance, we recommend that you provide up to a 6-Gigabit IEEE 802.1q
EtherChannel link.
• Both of the switches have an identical definition of the firewall interfaces on the MSFC.
• There is a dedicated failover interface between the active module and the standby module used for
the stateful failover. This interface synchronizes the states between the active module and the
standby module.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 1-7
Chapter 1 Overview
Feature Set
Feature Set
The Firewall Services Module (FWSM) is a high performance firewall used on the Catalyst 6500 series
switch and Cisco 7600 series router. The FWSM can occupy a single slot in the Catalyst 6500 series and
Cisco 7600 series chassis or two slots in a redundant configuration. Two modules can also reside in
separate chassis in a failover configuration.
The Firewall Services Module provides the following features:
• Switch fabric compatibility.
• Interface configuration that can be done through both the native Cisco IOS command-line interface
and the module command-line interface.
• PIX 6.0-based feature set and some 6.2 features.
• LAN failover active or standby (both intra- or inter-chassis).
• Dynamic routing, Open Shortest Path First protocol (OSPF) (the module maintains its own OSPF
tables), and Routing Information Protocol (RIP).
• IPSec for management only.
• Command authorization.
• Object grouping.
• URL filtering enhancement—The module checks the outgoing URL requests with the policy defined
on a Websense, Windows NT, or UNIX-based server. The module either permits or denies the
connection depending on the response from the server, which matches a request against a list of
website characteristics that are considered inappropriate for business use.
• Support for PIX 6.0 application inspection which ensures the secure use of applications and
services. Application inspection rules are configured using the fixup command, which is why
application inspection is called “fixup.”
Note Throughout this document, the term “fixup” applies to application inspection and
configuring the application inspection process or application inspection rules.
• Support for Lightweight Directory Access Protocol (LDAP) or Input [buffer] Limiting Scheme
(ILS) fixup for NetMeeting.
• Security—Cisco firewalls provide the latest in security technology, ranging from stateful inspection
firewalls to content-filtering capabilities that help protect your network environment from future
attacks. Another security feature is the Adaptive Security Algorithm (ASA), which maintains the
firewalled areas between the networks controlled by the firewall.
The stateful, connection-oriented ASA creates session flows based on source and destination
addresses, TCP sequence numbers (which are non-predictable), port numbers, and additional TCP
flags. You can control all inbound and outbound traffic by applying security policies to each
connection table entry.
• Reliability—Cisco firewalls provide adaptable security services for operation-critical network
environments by using the integrated stateful failover capabilities within the module. Network
traffic can be sent automatically to a hot standby module in the event of a failure, while maintaining
concurrent connections with automated state synchronization between the primary module and the
standby module.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
1-8 78-14450-02
Chapter 1 Overview
Specifications and System Limitations
• Network Address Translation (NAT) and Port Address Translation (PAT)—Cisco firewalls provide
NAT and PAT services that conceal IP addresses of internal networks and expand network address
space for internal networks.
• Denial-of-service (DoS) attack prevention—Cisco firewalls protect the firewall and networks
behind them from attempts to gain access, which can bring a network to a halt.
• Cisco PIX Device Manager (PDM) 2.1 support—PDM is a browser-based Java applet you can use
to configure the Firewall Services Module.
– PDM must be downloaded and installed for the Firewall Services Module release 1.1. Refer to
the “Upgrading the PDM” section on page 3-10 of the Catalyst 6500 Series and Cisco 7600
Series Firewall Services Module Installation and Configuration Note for download and
installation information.
– The Firewall Services Module 1.1(2) software release is shipped with a preinstalled PDM 2.1
image. You can download the image from CCO to upgrade PDM if necessary.
When the Firewall Services Module software is the platform, PDM will display modified screens
for features not supported by the module. To use the PDM to configure the module, refer to the Cisco
PIX Device Manager Installation Guide, Version 2.1.
The following PIX firewall features are not supported by the module:
• Virtual private networks (VPN) (The module supports IPSec VPN only for management purposes.)
• Intrusion detection system (IDS) syslog messages.
• Cisco Secure Policy Manager (CSPM)
• Conduits
• DHCP (Dynamic Host Configuration Protocol) client
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 1-9
Chapter 1 Overview
Specifications and System Limitations
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
1-10 78-14450-02
Chapter 1 Overview
Front Panel Description
WS-SVC-FWM-1
S
U
AT
ST
73755
SHUTDOWN
FIREWALL SERVICES MODULE
STATUS LED
The STATUS LED indicates the operating states of the module. Table 1-2 describes the LED operation.
Color Description
Green All diagnostic tests pass. The module is operational.
Red A diagnostic other than an individual port test failed.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 1-11
Chapter 1 Overview
Hardware Specifications
Color Description
Orange Indicates one of three conditions:
• The module is running through its boot and self-test diagnostic sequence.
• The module is disabled.
• The module is in the shutdown state.
Off The module power is off.
SHUTDOWN Button
Caution Do not remove the module from the switch until the module has shut down completely and the STATUS
LED is orange or off. You can damage the module if you remove it from the switch before it completely
shuts down.
To avoid corrupting the compact Flash memory, you must correctly shut down the module before you
remove it from the chassis or disconnect the power. This shutdown procedure is initiated normally by
commands entered at the supervisor engine CLI prompt or the module CLI prompt.
If the module fails to respond to these commands properly, you must use the SHUTDOWN button on the
front panel to initiate the shutdown procedure. Use a small pointed object (such as a paper clip) to push
the button.
The shutdown procedure may require several minutes. The STATUS LED turns orange when the module
shuts down.
Hardware Specifications
Table 1-3 describes the specifications for the module.
Specification Description
Dimensions (H x W x D) 1.18 x 15.51 x 16.34 in. (30 x 394 x 415 mm)
Weight Minimum: 3 lb (1.36 kg)
Maximum: 5 lb (2.27 kg)
Environmental conditions:
Operating temperature 32 to 104° F (0 to 40° C)
Nonoperating temperature –40 to 167° F (–40 to 75° C)
Humidity 10 to 90%, noncondensing
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
1-12 78-14450-02
C H A P T E R 2
Installing the Firewall Services Module
This chapter describes how to install the Firewall Services Module including the software and hardware
requirements.
This chapter contains these sections:
• System Requirements, page 2-1
• Required Tools, page 2-2
• Installing and Removing the Module, page 2-2
• Using the CLI, page 2-12
System Requirements
This section describes the software and hardware requirements for the module:
• Memory and Storage Requirements, page 2-1
• Software Requirements, page 2-1
• Hardware Requirements, page 2-2
Software Requirements
Table 2-1 lists the Firewall Services Module software versions supported by the Catalyst operating
system and the Cisco IOS software.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 2-1
Chapter 2 Installing the Firewall Services Module
Required Tools
Hardware Requirements
The Cisco IOS software and Catalyst operating system, require a Catalyst 6500 series switch or Cisco
7600 series switch with a Supervisor Engine 1a (Catalyst operating system only) and an MSFC 2, or a
Supervisor Engine 2(Catalyst operating system and Cisco IOS) and an MSFC 2. The module is
supported on the Supervisor Engine with Cisco IOS software and the Catalyst operating system software.
Note Before installing the module, you must install the Catalyst 6500 series switch chassis and at least one
supervisor engine. For information on installing the switch chassis, refer to the Catalyst 6000 Family
Installation Guide.
Required Tools
These tools are required to install the module in the Catalyst 6500 series switches:
• Flat-blade screwdriver
• Phillips-head screwdriver
• Wrist strap or other grounding device
• Antistatic mat or antistatic foam
Whenever you handle the module, always use a wrist strap or other grounding device to prevent
electrostatic discharge (ESD).
All Catalyst 6500 series switches support hot swapping, which allows you to install, remove, replace,
and rearrange modules without turning off the system power. For more information on removing the
module from a switch, see the “Removing a Module” section on page 2-3.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
2-2 78-14450-02
Chapter 2 Installing the Firewall Services Module
Installing and Removing the Module
When the system detects that a module has been installed or removed, the system automatically runs
diagnostic and discovery routines, acknowledges the presence or absence of the module, and resumes
system operation.
This section describes how to install and verify the operation of the Firewall Services Module in the
Catalyst 6500 series switches and contains the following sections:
• Slot Assignments, page 9
• Removing a Module, page 2-3
• Installing a Module, page 2-4
• Verifying the Installation, page 2-11
Slot Assignments
The Catalyst 6006 and 6506 switch chassis have six slots, the Catalyst 6009 and 6509 switch chassis
have nine slots, and the Catalyst 6513 switch chassis has thirteen slots.
Note The Catalyst 6509-NEB switch has vertical slots, which are numbered 1 to 9 from right to left. Install
the modules with the component side facing to the right.
Removing a Module
This section describes how to remove an existing module from a chassis slot.
Warning During this procedure, wear grounding wrist straps to avoid ESD damage to the card. Do
not directly touch the backplane with your hand or any metal tool, or you could shock
yourself.
Warning Before you install, operate, or service the system, read the Site Preparation and Safety
Guide. This guide contains important safety information you should know before working
with the system.
Warning Invisible laser radiation may be emitted from disconnected fibers or connectors. Do not
stare into beams or view directly with optical instruments.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 2-3
Chapter 2 Installing the Firewall Services Module
Installing and Removing the Module
To remove a supervisor engine or module from the chassis, perform these steps:
Step 1 Disconnect any network interface cables attached to the supervisor engine or module.
Step 2 Verify that the captive installation screws on all of the modules in the chassis are tight.
This step ensures that the space created by the removed module is maintained.
Note If the captive installation screws are loose, the electromagnetic interference (EMI)
gaskets on the installed modules will push the modules toward the open slot,
reducing the opening size and making it difficult to install the replacement module.
Step 3 Loosen the two captive installation screws on the supervisor engine or module.
Step 4 Depending on the orientation of the slots in the chassis (horizontal or vertical), perform one of the
following set of substeps:
Horizontal slots
a. Place your thumbs on the left and right ejector levers, and simultaneously rotate the levers outward
to unseat the module from the backplane connector.
b. Grasp the front edge of the module and slide the module part of the way out of the slot. Place your
other hand under the module to support the weight of the module. Do not touch the module circuitry.
Vertical slots
a. Place your thumbs on the ejector levers located at the top and bottom of the module, and
simultaneously rotate the levers outward to unseat the module from the backplane connector.
b. Grasp the edges of the module, and slide the module straight out of the slot. Do not touch the module
circuitry.
Step 5 Place the module on an antistatic mat or antistatic foam, or immediately reinstall it in another slot.
Step 6 If the slot is to remain empty, install a module filler plate to keep dust out of the chassis and to maintain
proper airflow through the chassis.
Warning Blank faceplates (filler panels) serve three important functions: they prevent exposure
to hazardous voltages and currents inside the chassis; they contain electromagnetic
interference (EMI) that might disrupt other equipment; and they direct the flow of cooling
air through the chassis. Do not operate the system unless all cards and faceplates are in
place.
Installing a Module
This section describes how to install modules in the Catalyst 6500 series switches.
Caution To prevent ESD damage, handle modules by the carrier edges only.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
2-4 78-14450-02
Chapter 2 Installing the Firewall Services Module
Installing and Removing the Module
Warning During this procedure, wear grounding wrist straps to avoid ESD damage to the card. Do
not directly touch the backplane with your hand or any metal tool, or you could shock
yourself.
Warning Invisible laser radiation may be emitted from disconnected fibers or connectors. Do not
stare into beams or view directly with optical instruments.
Warning Before you install, operate, or service the system, read the Site Preparation and Safety
Guide. This guide contains important safety information you should know before working
with the system.
Note If the captive installation screws are loose, the EMI gaskets on the installed
modules will push adjacent modules toward the open slot, reducing the opening
size and making it difficult to install the replacement module.
Step 4 Remove the module filler plate by removing the two Phillips pan-head screws from the filler plate. To
remove a module, refer to “Removing a Module” section on page 2-3.
Step 5 Fully open both ejector levers on the new or replacement module. (See Figure 2-1.)
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 2-5
Chapter 2 Installing the Firewall Services Module
Installing and Removing the Module
Insert module
between slot guides EMI gasket
4
4
5 5
6
6
WS-X6K-SUP2-2GE
T
1 AT
US
ST
EM
NS
OL
E
R
M
GM
SE
T 100%
Switch Load
ST SY CO PW RE CONSOLE
PORT PORT 1
MODE PORT 2
CONSOLE
SUPERVISOR2 PCMCIA EJECT
1%
WS-X6K-SUP2-2GE
T
2 AT
US
ST
EM
NS
OL
E
R
M
GM
SE
T 100%
Switch Load
ST SY CO PW RE CONSOLE
PORT PORT 1
MODE PORT 2
CONSOLE
SUPERVISOR2 PCMCIA EJECT
1%
FAN
STATUS 5
WS-SVC-FWM-1
S
TU
STA
SHUTDOWN
85912
EMI gasket o
o
WS-SVC-FWM-1
US
AT
ST
FIREWALL SERVICE
S MODULE
Step 6 Depending on the orientation of the slots in the chassis (horizontal or vertical), perform one of the
following sets of substeps:
Horizontal slots
a. Position the supervisor engine or module in the slot. (See Figure 2-1.) Make sure that you align the
sides of the module carrier with the slot guides on each side of the slot.
b. Carefully slide the supervisor engine or module into the slot until the EMI gasket along the top edge
of the module makes contact with the module in the slot above it and both ejector levers have closed
to approximately 45 degrees with respect to the module faceplate. (See Figure 2-2.)
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
2-6 78-14450-02
Chapter 2 Installing the Firewall Services Module
Installing and Removing the Module
WS-X6K-SUP2-2GE
T
1 AT
US
ST
EM
NS
O
LE
R
M
G
M
SE
T 100%
Switch Load
ST SY CO PW RE CONSOLE
PORT PORT 1
PORT 2
MODE
CONSOLE
SUPERVISOR2 PCMCIA EJECT
1%
WS-X6K-SUP2-2GE
NK
LI NK
LI
T
LE M
2 AT
US
ST
EM
NS
O
R
M
G
SE
T 100%
Switch Load
ST SY CO PW RE CONSOLE
PORT PORT 1
PORT 2
MODE
CONSOLE
SUPERVISOR2 PCMCIA EJECT
1%
NK
LI NK
LI
Press down
4
Press down
FAN WS-SVC-FWM-1
STATUS 5 US
AT
ST
SHUTDOWN
4
4
WS-SVC-FW
M-1
5 5 US
1mm Gap between the module
AT
ST
EMI gasket and the
FIREWALL SER
VICES MODULE
module above it
6
85913
6
c. Using the thumb and forefinger of each hand, grasp the two ejector levers and press down to create
a small (0.040 inch [1 mm]) gap between the module’s EMI gasket and the module above it. (See
Figure 2-2.)
Caution Do not press down too hard on the levers. They will bend and be damaged.
d. While pressing down, simultaneously close the left and right ejector levers to fully seat the
supervisor engine or module in the backplane connector. The ejector levers are fully closed when
they are flush with the module faceplate. (See Figure 2-3.)
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 2-7
Chapter 2 Installing the Firewall Services Module
Installing and Removing the Module
WS-X6K-SUP2-2GE
T
1 AT
US
ST
EM
NS
O
LE
R
M
G
M
SE
T 100%
Switch Load
ST SY CO PW RE CONSOLE
PORT PORT 1
PORT 2
MODE
CONSOLE
SUPERVISOR2 PCMCIA EJECT
1%
WS-X6K-SUP2-2GE
NK
LI NK
LI
T
LE M
2 AT
US
ST
EM
NS
O
R
M
G
SE
T 100%
Switch Load
ST SY CO PW RE CONSOLE
PORT PORT 1
PORT 2
MODE
CONSOLE
SUPERVISOR2 PCMCIA EJECT
1%
NK
LI NK
LI
WS-SVC-FWM-1
FAN
US
STATUS 5 ST
AT
SHUTDOWN
85914
Ejector levers flush
with module faceplate
Note Failure to fully seat the module in the backplane connector can result in error
messages.
e. Tighten the two captive installation screws on the supervisor engine or module.
Note Make sure the ejector levers are fully closed before tightening the captive
installation screws.
Vertical slots
a. Position the supervisor engine or switching module in the slot. (See Figure 2-4.) Make sure that you
align the sides of the switching-module carrier with the slot guides on the top and bottom of the slot.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
2-8 78-14450-02
Chapter 2 Installing the Firewall Services Module
Installing and Removing the Module
WS-SVC-FWM-1
FIREWALL SERVICES MODULE
FAN
STATUS
SUPERVISOR2
WS-X6K-SUP2-2GE
SUPERVISOR2
WS-X6K-SUP2-2GE
ST
AT
STA
U
STA
TUS
TU
S
SYS
S
SY
TEM NS
STE
CO
M
CO
OLE MG
NS
PW
OL
PW
R
E
R
RE
MG
MT
SET
RE
MT
SE
T
CONSOLE
CONSOLE
CONSOLE
CONSOLE
MODE
PORT
MODE
PORT
WS-SVC-FWM-1
FIREWALL SERVICES MODULE
ST
AT
US
PCMCIA
PCMCIA
EJECT
EJECT
100%
100%
1%
1%
Switch
Switch
Load
EMI
Load
PORT 1
PORT 1
gasket
PORT 2
PORT 2
SHUTDOWN
EMI
gasket
o
o
Insert module
between slot guides
6
3
85917
b. Carefully slide the supervisor engine or module into the slot until the EMI gasket along the right
edge of the module makes contact with the module in the slot adjacent to it and both ejector levers
have closed to approximately 45 degrees in relation to the faceplate. (See Figure 2-5.)
c. Using the thumb and forefinger of each hand, grasp the two ejector levers and exert a slight pressure
to the left, deflecting the module approximately 0.040 inches (1 mm) to create a small gap between
the module’s EMI gasket and the module adjacent to it. (See Figure 2-5.)
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 2-9
Chapter 2 Installing the Firewall Services Module
Installing and Removing the Module
WS-SVC-FWM-1
FIREWALL SERVICES MODULE
ST
AT
U
S
FAN
STATUS
SUPERVISOR2
WS-X6K-SUP2-2GE
SUPERVISOR2
WS-X6K-SUP2-2GE
WS-SVC-FWM-1
FIREWALL SERVICES MODULE
STA
STA
TUS
TU
SYS
S
ST
SY
TEM NS
AT
STE
US
CO
M
CO
OLE MG
NS
PW
OL
PW
R
E
R
RE
MG
MT
SET
RE
MT
SE
T
CONSOLE
CONSOLE
CONSOLE
CONSOLE
MODE
PORT
MODE
PORT
Press left
PCMCIA
PCMCIA
EJECT
EJECT
100%
100%
1%
1%
Switch
Switch
Load
Load
PORT 1
PORT 1
Press left
SHUTDOWN
PORT 2
PORT 2
85916
o
o
Caution Do not exert too much pressure on the ejector levers. They will bend and be damaged.
d. While pressing on the ejector levers, simultaneously close them to fully seat the supervisor engine
or module in the backplane connector. The ejector levers are fully closed when they are flush with
the module faceplate. (See Figure 2-6.)
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
2-10 78-14450-02
Chapter 2 Installing the Firewall Services Module
Installing and Removing the Module
FAN
STATUS
SUPERVISOR2
WS-SVC-FWM-1
FIREWALL SERVICES MODULE
WS-X6K-SUP2-2GE
SUPERVISOR2
WS-X6K-SUP2-2GE
ST
STA
AT
ST
TU
US
AT
S
SY
US
ST
SY
EM
ST
CO
EM
NS
CO
O
NS
LE
PW
O
LE
PW
R
M
R
G
RE
M
M
G
T
SE
RE
M
T
T
SE
T
CONSOLE
CONSOLE
CONSOLE
CONSOLE
MODE
PORT
MODE
PORT
PCMCIA
PCMCIA
EJECT
EJECT
100%
100%
1%
1%
Switch
Switch
Load
Load
PORT 1
PORT 1
SHUTDOWN
PORT 2
PORT 2
85915
All ejector levers flush
with module faceplate
Note Make sure the ejector levers are fully closed before tightening the captive
installation screws.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 2-11
Chapter 2 Installing the Firewall Services Module
Using the CLI
This example shows the output of the show module command on the Cisco 7600 series Internet Router:
Router> show module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
1 2 Catalyst 6000 supervisor 2 (Active) WS-X6K-SUP2-2GE SAD0444099Y
2 48 48 port 10/100 mb RJ-45 ethernet WS-X6248-RJ-45 SAD03475619
3 2 Intrusion Detection System WS-X6381-IDS SAD04250KV5
4 6 Firewall Module WS-SVC-FWM-1 SAD062302U4
When the module initially boots, by default it runs a partial memory test. To perform a full memory test,
enter the hw-module module module_number reset device:partition mem-test-full command. This
command is specific to Cisco IOS software and is not available in Catalyst operating system software.
A full memory test takes more time to complete than a partial memory test depending on the memory
size. Table 2-2 lists the memory test time and approximate boot time for a long memory test.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
2-12 78-14450-02
Chapter 2 Installing the Firewall Services Module
Using the CLI
The module application software is similar to the Cisco PIX firewall software. This publication describes
only the commands unique to the Firewall Services Module. For information about the PIX commands,
refer to the PIX documentation at the following URLs:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/index.htm
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 2-13
Chapter 2 Installing the Firewall Services Module
Using the CLI
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
2-14 78-14450-02
C H A P T E R 3
Getting Started
This chapter describes how to begin configuring the Firewall Services Module from the CLI and contains
these sections:
• Configuration Overview, page 3-1
• Saving the Configuration, page 3-8
• Using PDM, page 3-8
Configuration Overview
This section describes the Firewall Services Module configuration and contains these sections:
• Configuring the Switch Interface, page 3-3
• Sessioning into the Module, page 3-5
• Configuring the Module, page 3-7
The Firewall Services Module can be used in a variety of topologies depending on the needs of your
network. For example, in a data center you may want to provide access control or segregate your security
domains. The security domain can be a collection of servers with the same security level. Within that
domain, multiple subnets or server farms can exist.
When you configure the Firewall Services Module to function on the perimeter of the network, the
module can provide access control to the inside network as a whole, or segregate multiple security zones
through VLAN interfaces of different security levels. The security zones can be either in the same
network or can define the boundaries of multiple customer networks.
You can configure secure VLANs with both the Cisco IOS and Catalyst operating system software. The
secure VLAN information is passed from the switch operating system software to the firewall module
when it boots up and comes online. The module accepts traffic on the secure VLANs only after the
firewall interfaces are configured on the module corresponding to the secure VLANs defined on the
switch. The firewall software should not receive traffic on VLANs unknown to the firewall module or
on the secure VLANs without having corresponding firewall interfaces.
When the firewall module comes online, the Network Management Processor (NMP) sends an SCP
message that provides the secure VLANs that are defined for that particular firewall module.
If a VLAN is active and is displayed as a secure VLAN on one of the modules through the NMP CLIs,
the information about the new active VLAN is sent to the Firewall Services Module.
The secure VLAN interface (SVI) is a Layer 3 secure VLAN interface between the module and the router
on the supervisor engine, which allows them to communicate with each other.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 3-1
Chapter 3 Getting Started
Configuration Overview
One SVI is configured between each Firewall Services Module in the chassis and the supervisor engine
module router. With software releases prior to Cisco IOS Release 12.2(14)SY and Catalyst operating
system software version 7.6(1), only one SVI can exist between a given Firewall Services Module and
the router on the supervisor engine.
Multiple VLAN interfaces are supported in Cisco IOS Release 12.2(14)SY with the firewall
multiple-vlan-interfaces command and in the Catalyst operating system software version 7.6(1) with
the set firewall multiple-vlan-interfaces {enable|disable} command.
Note To prevent traffic from bypassing the firewall, policy-routing may be required when enabling support for
multiple VLAN interfaces on the switch.
DMZ17 DMZ18
inside outside
6K-MSFC
DMZ11
79633
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
3-2 78-14450-02
Chapter 3 Getting Started
Configuration Overview
Command Purpose
Step 1 Router# configure terminal Enters VLAN configuration mode.
Step 2 Router(config)# vlan vlan_number Creates VLANs.
Step 3 Router(config)# interface vlan vlan_number Defines a controlled VLAN (SVI) on the MSFC (route
processor).
Note You must configure a controlled VLAN (SVI) on the
MSFC or you will be unable to configure VLANs on
the module.
Step 4 Router(config)# firewall Create multiple VLAN interfaces on the switch.
multiple-vlan-interfaces
Step 5 Router(config)# firewall vlan-group Creates a firewall group of controlled VLANs.
firewall_group vlan_range
Step 6 Router(config) firewall module module number Attaches the VLAN and firewall group to the slot where the
vlan-group firewall_group module is located.
Step 7 Router(config)# end Updates the VLAN database and returns to privileged EXEC
or mode.
Router(vlan)# exit
Step 8 Router#show firewall vlan-group Displays the firewall VLAN groups.
Step 9 Router#show firewall module Displays the module configuration.
Step 10 Router#show interface vlan vlan_number Displays the interface configuration.
Note To prevent trunks from carrying firewall VLANs, enter this command:
switchport trunk allowed vlan {add | except | none | remove} vlan1, [, vlan [, vlan [,...]]]}
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 3-3
Chapter 3 Getting Started
Configuration Overview
Group vlans
----- ------
50 55-57
51 70-85
Router# show firewall module
Module Vlan-groups
8 50,51,
Router# show int vlan 55
Vlan55 is up, line protocol is up
Hardware is EtherSVI, address is 0008.20de.45ca (bia 0008.20de.45ca)
Internet address is 55.1.1.1/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type:ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:08, output hang never
Last clearing of "show interface" counters never
Input queue:0/75/0/0 (size/max/drops/flushes); Total output drops:0
Queueing strategy:fifo
Output queue :0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
L2 Switched:ucast:196 pkt, 13328 bytes - mcast:4 pkt, 256 bytes
L3 in Switched:ucast:0 pkt, 0 bytes - mcast:0 pkt, 0 bytes mcast
L3 out Switched:ucast:0 pkt, 0 bytes
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
4 packets output, 256 bytes, 0 underruns
0 output errors, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Router#
Command Purpose
Step 1 Console> enable Enters the switch configuration mode.
Step 2 Console>(enable) set vlan vlan-number Create the VLAN.
Step 3 Console>(enable) set vlan vlan_list Specifies firewall VLANs and maps them to the module.
firewall-vlan module
Step 4 set firewall multiple-vlan-interfaces Create multiple VLAN interfaces on the switch.
{enable|disable}
Step 5 Console> show vlan firewall-vlan module-number Displays the range of VLANs specified for the module.
Step 6 Console> session 15 (Optional) Accesses the MSFC (using the session 15 or
session 16 command) enabling you to create the appropriate
VLAN interfaces if desirable.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
3-4 78-14450-02
Chapter 3 Getting Started
Configuration Overview
Note If you have not changed the password from the factory-set default, a warning message is displayed. To
change the password from the default, see the “Changing and Recovering Passwords” section on
page 5-11 for more information.
Step 5 If the module does not boot into the maintenance partition, reset the module by entering the following
command:
Cisco IOS:
Router# hw-module module slot_number reset cf:1
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 3-5
Chapter 3 Getting Started
Configuration Overview
FWSM passwd:
FWSM>
Step 3 If the module does not boot into the application partition, reset the module by entering the following
command:
Cisco IOS:
Router# hw-module module slot_number reset cf:4
Note If you have not changed the password from the factory-set default, a warning message is displayed. To
change the password from the default, see the “Changing and Recovering Passwords” section on
page 5-11 for more information.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
3-6 78-14450-02
Chapter 3 Getting Started
Configuration Overview
Command Purpose
Step 1 FWSM(config)# hostname name Defines the host name in the command line prompt.
Step 2 FWSM(config)# nameif vlan_number if_name Specifies the interface name.
security_level
Step 3 FWSM(config)# ip address if_name ip_address mask Defines a local address for each interface.
Step 4 FWSM(config)# access-list acl_ID [deny | permit] Defines an access list. Refer to Appendix B, “Command
protocol {source_addr | local_addr} {source_mask | Reference” and the “access-list” section on page B-2 and
local_mask} operator port {destination_addr |
remote_addr} {destination_mask | remote_mask}
the “access-list (ospf)” section on page B-7.
operator port
Step 5 FWSM(config)# access-group acl_ID in interface Defines access groups.
interface_name
Step 6 FWSM(config)# icmp permit any outside Allows connectivity testing between the switch and the
FWSM(config)# icmp permit any inside FWSM.
Step 7 FWSM(config)# show nameif Displays the configured interfaces.
Step 8 FWSM(config)# show ip Displays the configured IP addresses.
Step 9 FWSM(config)# show access-l Displays the configured access lists.
Note To allow traffic to flow from one interface to another, you must explicitly define an access list and map
that access list to the appropriate interface. Unlike the PIX firewall, traffic from high-security level
interfaces is not allowed to flow freely to an interface with a lower security level. By default, access lists
are defined as deny any any.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 3-7
Chapter 3 Getting Started
Saving the Configuration
Using PDM
Cisco PIX Device Manager (PDM) is a single-device graphical user interface (GUI) application that you
can use to manage your Firewall Services Module. For detailed information about PDM, refer to the
Cisco PIX Device Manager Installation Guide, Version 2.1.
Note PDM must be downloaded and installed for the Firewall Services Module release 1.1. You can download
the image from CCO to upgrade PDM. Refer to “Upgrading the PDM” section on page 3-10 for
download and installation information.
Note The Firewall Services Module 1.1(2) software release is shipped with a preinstalled PDM 2.1 image. You
can download the image from CCO to upgrade PDM if necessary. Refer to “Upgrading the PDM” section
on page 3-10 for download and installation information.
Note Be sure that you have configured the firewall VLAN (SVI) on the MSFC and that the module is
recognized by the switch. Refer to “Configuring the Switch Interface” section on page 3-3 for more
information.
These sections describe the PDM and how to use it with your Firewall Services Module:
• PDM Overview, page 3-9
• PDM Restrictions, page 3-9
• Platform and Browser Requirements, page 3-9
• Setting Up the Module for PDM, page 3-9
• Upgrading the PDM, page 3-10
• Starting PDM, page 3-11
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
3-8 78-14450-02
Chapter 3 Getting Started
Using PDM
PDM Overview
PDM is a signed Java applet that uses certificates and HTTP over SSL (HTTPS) to securely transmit all
information between PDM and the Firewall Services Module. PDM performs the following functions:
• Configures your module without using the module CLI. You do not need to know the CLI commands
to use PDM.
• Monitors the module with real-time graphs and data, including connection and throughput
information. (You can also view up to five days of historical data.)
• Monitors and configures modules individually. You can point your browser to different modules and
administer them from a single workstation.
PDM Restrictions
These commands specific to the module are not supported by PDM 2.1:
• Any OSPF configuration commands; they are ignored but not changed by PDM.
• Any VPN configuration commands; they are ignored but not changed by PDM.
Refer to the PDM 2.1 release notes for the complete list of unsupported commands. The release notes
are located at the following URL:
http://cio.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_21/pdmrn21/pdmrn21.htm
Note When running PDM 2.1 on the module, the Startup Wizard and VPN Wizard are not available.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 3-9
Chapter 3 Getting Started
Using PDM
Step 1 Log into the Catalyst 6500 series switch where the Firewall Services Module is installed.
Step 2 Enter the enable mode, and then enter the configuration mode.
Step 3 Create a secure VLAN group by entering:
Cisco IOS:
Router# firewall vlan-group VLAN-group vlan-interfaces
Step 5 Telnet to the module and enter the enable mode, and then enter the configuration mode.
Step 6 Run the setup CLI and follow the instructions as follows:
Router># enable
Password:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# firewall vlan-group 5 10,20,50-51
Router(config)# firewall module 3 vlan-group 5
Router(config)# exit
Router# telnet 192.168.1.1
Trying 192.168.1.1 ... Open
FWSM passwd:
Welcome to the FWSM firewall
To complete this setup, follow the instructions that appear on the terminal.
10.1.1.1 is the location of the TFTP server and the PDM image.
Verify that PDM was downloaded to the module.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
3-10 78-14450-02
Chapter 3 Getting Started
Using PDM
Starting PDM
To start PDM use the HTTP secure (https) command and enter the following address:
https://IP address of FWSM
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 3-11
Chapter 3 Getting Started
Using PDM
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
3-12 78-14450-02
C H A P T E R 4
Configuring Firewall Services
This chapter describes how to configure firewall services and contains these sections:
• Configuring Firewall Failover, page 4-1
• Using SNMP, page 4-7
• Configuring OSPF Routing Support, page 4-15
• Configuring IPSec for Management, page 4-28
Note Refer to the “Configuring Failover” section on page 4-4 section for a detailed firewall failover
configuration description.
This section describes how to configure failover on the Firewall Services Module:
• Setting up a Single-Chassis Configuration, page 4-1
• Setting Up a Dual-Chassis Configuration, page 4-3
• Configuring Failover, page 4-4
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 4-1
Chapter 4 Configuring Firewall Services
Configuring Firewall Failover
MSFC
Catalyst
6500
Failover
DMZ2 102
79827
6 Gig (dot1q) 6 Gig (dot1q)
EtherChannel EtherChannel
FWSM FWSM
Command Purpose
Step 1 Router(config)# firewall vlan-group group-name Assigns VLANs to a VLAN group.
vlan-group
Step 2 Router(config)# firewall module slot vlan-group Assigns the VLAN group to the primary module.
group-name
Step 3 Router(config)# failover lan interface if_name Configures the failover interface on the secondary
module.
Step 4 Router(config)# firewall module slot vlan-group Assigns the VLAN group to the secondary module.
group-name
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
4-2 78-14450-02
Chapter 4 Configuring Firewall Services
Configuring Firewall Failover
Command Purpose
Step 1 Router1(config)# firewall vlan-group group-name Configures the same set of firewall VLANs on both
vlan-group chassis.
Step 2 Router2(config)# firewall module slot vlan-group Provides a trunk connecting the two chassis, carrying
group-name all the firewall VLANs.
MSFC MSFC
Catalyst Catalyst
6500 6500
Inside
100
6 Gig (dot1q)
Outside EtherChannel
Failover
Failover
VLAN200 (optional)
DMZ2
VLAN102
DMZ1
VLAN101
Inside
VLAN100
6 Gig (dot1q) 6 Gig (dot1q)
EtherChannel EtherChannel
FWSM FWSM
77118
active standby
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 4-3
Chapter 4 Configuring Firewall Services
Configuring Firewall Failover
Configuring Failover
For a failover configuration, both firewall modules need to have the same RAM and Flash memory size
and be running the same software version.
To configure failover, follow these steps:
Step 1 Set up one module as the primary with a firewall configuration without failover.
Note Do not add a firewall configuration on the secondary module because a configuration set on the
secondary module is not synchronized to the active module. This configuration is cleared during the
configuration synchronization from the active module.
Step 2 Create a dedicated logical interface (VLAN) for failover communication using the nameif vlan_id
if_name security_level command.
Note You must add the dedicated logical VLAN to the VLAN group using the firewall vlan-group command
and activate the dedicated VLAN using the VLAN [X] state active command.
Step 3 Configure the module as primary using the failover lan unit primary command.
Step 4 Define the failover interface using the failover lan interface if_name command.
Step 5 Specify the IP address for the primary failover interface using the ip address if_name ip_addr [mask]
command.
This is the IP address used by the primary module on failover interface
Step 6 Assign the IP addresses for all of the interfaces using the ip address if_name ip_address [mask]
command.
Step 7 Specify the failover IP address for the secondary failover interface using the failover ip address if_name
ip_addr command.
This is the IP address used by the secondary module on failover interface.
Step 8 Assign the failover IP addresses for all of the interfaces using the failover ip address if_name ip_addr
command.
This command specifies the IP address used by the standby module on other firewall interfaces. The
client hosts are not expected to use this IP address to communicate to the module.
Step 9 Enable failover on the primary module using the failover command.
Step 10 Store the failover configuration on the primary module in the Flash using the write memory command.
Note This command is required to ensure that the module comes back online with the failover configuration
after a reload (or after a failure recovery).
Step 11 When the primary module becomes the active module (use the show failover command to see the status),
start the failover configuration on the secondary module.
Step 12 The secondary module should not have a firewall configuration. If you need to clear the configuration
on the secondary module, use the clear configure all command.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
4-4 78-14450-02
Chapter 4 Configuring Firewall Services
Configuring Firewall Failover
Step 13 Enter the same set of failover commands on the secondary module, repeating Step 2 through Step 7.
However, in Step 3 use the failover lan unit secondary command for the secondary module.
The primary and the secondary module should have the identical failover configuration, except for the
failover LAN module configuration as primary and secondary.
Note We recommend that you separate the failover and logical update interfaces into separate links. Packets
on the failover link are tagged with a higher priority for QOS. Because stateful traffic can be high in
volume, the advantages of prioritizing failover traffic are lost by keeping both the failover link and
failover LAN interfaces the same.
Note Make sure both primary and secondary modules have the identical definition for the failover interface.
Step 14 Use the ping command to check the connectivity between the primary and secondary module on the
failover interface.
Enter the icmp permit 0 0 if_name command to configure the failover interface to allow the ping to go
through the firewall.
Step 15 Save the failover configuration on Flash using the write memory command.
The secondary module should detect the primary module and then switch to standby. The firewall
configuration is synchronized from the active module to the standby module.
Warning Configuration replication is not performed from the standby module to the active module.
Configurations are no longer synchronized.
Step 16 Enable failover on the secondary module using the failover command.
Step 17 To enable stateful failover, configure a dedicated interface for stateful failover using the failover link
if_name command, which allows the state information to synchronize.
Note We recommend that you separate the failover and logical update interfaces into separate links. Packets
on the failover link are tagged with a higher priority for QOS. Because stateful traffic can be high in
volume, the advantages of prioritizing failover traffic are lost by keeping both the failover link and
failover LAN interfaces the same.
These examples show how to configure failover on a pair of Firewall Services Modules.
The modules are located in two different switches. A dedicated VLAN (vlan 4000) is created for the
failover protocol. The following conditions apply:
• Most of the configuration is performed on the primary module.
• The primary module is designated using the failover lan unit primary command.
• Shortly after the failover command is entered, the primary module becomes active.
• On the secondary module, only one interface is named using the nameif command. Use the interface
that is dedicated to the failover protocol.
• The same IP address is assigned to the dedicated failover interface that you assigned to the primary
unit (in this example: 10.40.40.1).
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 4-5
Chapter 4 Configuring Firewall Services
Configuring Firewall Failover
• The same address is assigned that you used on the primary unit with the failover ip address
command. (in this example: 10.40.40.2).
This example shows how to configure the primary module:
FWSM(config)# show vlan
30, 40, 4000
FWSM(config)#
FWSM(config)# fail lan unit pri
FWSM(config)# nameif 4000 fover 50
FWSM(config)# nameif 30 outside 0
FWSM(config)# nameif 40 inside 100
FWSM(config)# ip address fover 10.40.40.1 255.255.255.0
FWSM(config)# ip address inside 10.2.1.1 255.255.255.0
FWSM(config)# ip address outside 10.11.1.2 255.255.255.0
FWSM(config)# fail ip address fover 10.40.40.2 255.255.255.0
FWSM(config)# fail ip address inside 10.2.1.2 255.255.255.0
FWSM(config)# fail ip address outside 10.11.1.3 255.255.255.0
FWSM(config)# fail lan int fover
FWSM(config)# logg on
FWSM(config)# logg monitor 7
FWSM(config)# logg con 7
111008: User 'enable_15' executed the 'logging con 7' command.
FWSM(config)# no logg mess 111008
FWSM(config)# no logg mess 111009
FWSM(config)# fail
105002: (Primary) Enabling failover.
FWSM(config)#
No Response from Mate. Switching to Active
Switching to Standby.
FWSM(config)#
Beginning configuration replication from mate.
This unit is in syncing state. 'failover' command will not be effective at this time
End configuration replication from mate.
709006: (Secondary) End Configuration Replication (STB)
Access Rules Download Complete: Memory Utilization < 1%
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
4-6 78-14450-02
Chapter 4 Configuring Firewall Services
Using SNMP
This example shows how to monitor the failover status on the primary and secondary modules:
Primary module:
FWSM(config)# show fail
Failover On
Failover unit Primary
Failover LAN Interface fover
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: Primary - Active
Active time: 29925 (sec)
Interface outside (10.11.1.2): Normal
Interface inside (10.2.1.1): Normal
Other host: Secondary - Standby
Active time: 285 (sec)
Interface outside (10.11.1.3): Normal
Interface inside (10.2.1.2): Normal
Secondary module:
FWSM(config)# show fail
Failover On
Failover unit Secondary
Failover LAN Interface fover
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: Secondary - Standby
Active time: 285 (sec)
Interface inside (10.2.1.2): Normal
Interface outside (10.11.1.3): Normal
Other host: Primary - Active
Active time: 30750 (sec)
Interface inside (10.2.1.1): Normal
Interface outside (10.11.1.2): Normal
FWSM(config)#
Using SNMP
You can monitor system events on the Firewall Services Module by using SNMP. You can read SNMP
events, but information on the module cannot be changed with SNMP.
Use CiscoWorks for Windows or any other SNMP V1, MIB-II-compliant browser to receive SNMP traps
and browse a MIB. SNMP traps occur at UDP port 162.
Note The Firewall Services Module does not support browsing of the Cisco syslog MIB.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 4-7
Chapter 4 Configuring Firewall Services
Using SNMP
You can browse the System and Interface groups of MIB-II. Browsing an MIB is different from sending
traps. Browsing involves doing an snmpget or snmpwalk of the MIB tree from the management station
to determine values.
This section describes how to use SNMP on the Firewall Services Module:
• MIB Support, page 4-8
• SNMP Traps, page 4-8
• Compiling Cisco Syslog MIB Files, page 4-9
• Using the Firewall and Memory Pool MIBs, page 4-10
• SNMP Usage Notes, page 4-15
MIB Support
The Firewall Services Module supports the Cisco Firewall MIB and Cisco Memory Pool MIB.
The Firewall Services Module does not support the following in the Cisco Firewall MIB:
• cfwSecurityNotification NOTIFICATION-TYPE
• cfwContentInspectNotification NOTIFICATION-TYPE
• cfwConnNotification NOTIFICATION-TYPE
• cfwAccessNotification NOTIFICATION-TYPE
• cfwAuthNotification NOTIFICATION-TYPE
• cfwGenericNotification NOTIFICATION-TYPE
SNMP Traps
Traps are unsolicited “comments” from the managed device to the management station for specific
events, such as link up, link down, and syslog event generation.
The snmp-server command causes the Firewall Services Module to send SNMP traps so that the module
can be monitored remotely. Use the snmp-server host command to specify which systems receive the
SNMP traps.
An SNMP object ID (OID) for the module displays in SNMP event traps sent from the module. The
Firewall Services Module provides the system OID in SNMP event traps and SNMP
mib-2.system.sysObjectID equal to the (1.3.6.1.4.1.9.1.227) original PIX firewall OID.
The module responds to an SNMP request from a management station and then the module sends an
event notification trap.
The Firewall Services Module SNMP traps available to an SNMP management station are as follows:
• Generic traps:
– Link up and link down (VLAN connected to the interface or not)
– Cold start
– Authentication failure (mismatched community string)
• Security-related events are sent through the Cisco Syslog MIB:
– Global access denied
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
4-8 78-14450-02
Chapter 4 Configuring Firewall Services
Using SNMP
Step 1 Identify the IP address of the SNMP management station by using the snmp-server host command.
Step 2 Set the snmp-server options for location, contact, and the community password as required.
You do not need to do further configuration if you only want to send the cold start, link up, and link down
generic traps, and you only want to receive SNMP requests.
Step 3 Add an snmp-server enable traps command statement to the configuration.
Step 4 Set the logging level with the logging history command:
logging history debugging
We recommend that you use the debugging level during initial setup and during testing. After setup, set
the level from debugging to a lower value.
The logging history command sets the severity level for SNMP syslog messages.
Step 5 Start sending syslog traps to the management station using the logging on command.
Step 6 To disable sending syslog traps, use the no logging on command or the no snmp-server enable traps
command.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 4-9
Chapter 4 Configuring Firewall Services
Using SNMP
Note With certain applications, only files with a .mib extension may show in the file selection window of the
SNMPc. The Cisco syslog MIB files with the .my extension shown. In this case, you should manually
change the .my extension to a .mib extension.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
4-10 78-14450-02
Chapter 4 Configuring Firewall Services
Using SNMP
Object Object Type Row 1: Returned if Row 1: Returned if Failover Row 2: Returned if Failover
Failover is Disabled is Enabled is Enabled
cfwHardwareType (table Hardware 6 (primary 6 (primary module) 7 (secondary module)
index) module)1
cfwHardwareInformation SnmpAdminString blank blank blank
cfwHardwareStatusValue HardwareStatus 0 (not used) active or 9 (active module) active or 9 (active module)
or standby or 10 (standby or standby or 10 (standby
module) module)
cfwHardwareStatusDetail SnmpAdminString Failover Off blank blank
1. The type of returned values are shown in parentheses.
In the HP OpenView Browse MIB application’s MIB values window, if failover is disabled, a sample
MIB query displays the following information:
cfwHardwareInformation.6:
cfwHardwareInformation.7 :
cfwHardwareStatusValue.6 :0
cfwHardwareStatusValue.7 :0
cfwHardwareStatusDetail.6 :Failover Off
cfwHardwareStatusDetail.7 :Failover Off
In this list, the table index, cfwHardwareType, appears as either .6 or .7 appended to the end of each of
the subsequent objects. The cfwHardwareInformation field is blank, the cfwHardwareStatusValue is 0,
and the cfwHardwareStatusDetail contains Failover Off, which indicates the failover status.
When failover is enabled, a sample MIB query displays the following information:
cfwHardwareInformation.6 :
cfwHardwareInformation.7 :
cfwHardwareStatusValue.6 : active
cfwHardwareStatusValue.7 : standby
cfwHardwareStatusDetail.6 :
cfwHardwareStatusDetail.7 :
In this list, only the cfwHardwareStatusValue contains either active or standby values to indicate the
status of each module.
You can access the MIB objects from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoMemoryPoolMIB.
ciscoMemoryPoolObjects.ciscoMemoryPoolTable
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 4-11
Chapter 4 Configuring Firewall Services
Using SNMP
In the HP OpenView Browse MIB application’s MIB values window, a sample MIB query displays the
following information:
ciscoMemoryPoolName.1 :FWSM system memory
ciscoMemoryPoolAlternate.1 :0
ciscoMemoryPoolValid.1 :true
ciscoMemoryPoolUsed.1 :12312576
ciscoMemoryPoolFree.1 :54796288
ciscoMemoryPoolLargestFree.1 :0
In this list, the table index, ciscoMemoryPoolName, appears as the .1 value at the end of each subsequent
object value. The ciscoMemoryPoolUsed object lists the number of bytes currently in use (12312576)
and the ciscoMemoryPoolFree object lists the number of bytes currently free (54796288). The other
objects always list the values described in Table 4-2.
The cfwConnectionStatTable object table can be accessed from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.
ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwConnectionStatTable
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
4-12 78-14450-02
Chapter 4 Configuring Firewall Services
Using SNMP
In the HP OpenView Browse MIB application’s MIB values window, a sample MIB query displays the
following information:
cfwConnectionStatDescription.40.6 :number of connections currently in use by the entire
firewall
cfwConnectionStatDescription.40.7 :highest number of connections in use at any one time
since system startup
cfwConnectionStatCount.40.6 :0
cfwConnectionStatCount.40.7 :0
cfwConnectionStatValue.40.6 :15
cfwConnectionStatValue.40.7 :15
In this list, the table index, cfwConnectionStatService, appears as the .40 appended to each subsequent
object. The table index, cfwConnectionStatType, appears as either .6 to indicate the number of
connections in use or as .7 to indicate the most used number of connections. The
cfwConnectionStatValue object lists the connection count. The cfwConnectionStatCount object always
returns 0 (zero).
Table 4-4 lists the objects required to view the system block usage.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 4-13
Chapter 4 Configuring Firewall Services
Using SNMP
Note The three rows repeat for every block size listed in the output of the show blocks command.
In the HP OpenView Browse MIB application’s MIB values window a sample MIB query displays the
following information:
cfwBufferStatInformation.4.3 :maximum number of allocated 4 byte blocks
cfwBufferStatInformation.4.5 :fewest 4 byte blocks available since system startup
cfwBufferStatInformation.4.8 :current number of available 4 byte blocks
cfwBufferStatInformation.80.3 :maximum number of allocated 80 byte blocks
cfwBufferStatInformation.80.5 fewest 80 byte blocks available since system startup
cfwBufferStatInformation.80.8 :current number of available 80 byte blocks
cfwBufferStatInformation.256.3 :maximum number of allocated 256 byte blocks
cfwBufferStatInformation.256.5 :fewest 256 byte blocks available since system startup
cfwBufferStatInformation.256.8 :current number of available 256 byte blocks
cfwBufferStatInformation.1550.3 :maximum number of allocated 1550 byte blocks
cfwBufferStatInformation.1550.5 :fewest 1550 byte blocks available since system startup
cfwBufferStatInformation.1550.8 :current number of available 1550 byte blocks
cfwBufferStatValue.4.3: 1600
cfwBufferStatValue.4.5: 1600
cfwBufferStatValue.4.8: 1600
cfwBufferStatValue.80.3: 400
cfwBufferStatValue.80.5: 396
cfwBufferStatValue.80.8: 400
cfwBufferStatValue.256.3: 1000
cfwBufferStatValue.256.5: 997
cfwBufferStatValue.256.8: 999
cfwBufferStatValue.1550.3: 1444
cfwBufferStatValue.1550.5: 928
cfwBufferStatValue.1550.8: 932
In this list, the first table index, cfwBufferStatSize, appears as first number appended to the end of each
object, such as .4 or .256. The other table index, cfwBufferStatType, appears as .3, .5, or .8 after the first
index. For each block size, the cfwBufferStatInformation object identifies the type of value and the
cfwBufferStatValue object identifies the number of bytes for each value.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
4-14 78-14450-02
Chapter 4 Configuring Firewall Services
Configuring OSPF Routing Support
With SNMP, the MIB table index must be unique for the agent to identify a row from the MIB table. The
table index for ip.ipAddrTable is the module interface IP address, which requires that the IP address is
unique. The SNMP agent might become confused and may return information of another interface (row),
which has the same IP (index).
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 4-15
Chapter 4 Configuring Firewall Services
Configuring OSPF Routing Support
OSPF allows the module to maintain its own routing table. The OSPF protocol provides the following
features for the module:
• Support of intra-area, interarea, and external (type I and Type II) routes.
• Support of a virtual link being configured on or through the module.
• OSPF link-state advertisement (LSA) flooding.
• Authentication to OSPF packets (both password and MD5 authentication).
• Support for configuring the module as a designated router or a backup designated router. The
module also can be set up as an area border router, however, the ability to configure the module as
an autonomous system boundary router is limited to default information only (for example, injecting
a default route).
• Support for stub areas and not-so-stubby-area (NSSA).
• Area boundary router type-3 LSA filtering.
• Advertisement of static and global address translations.
This section describes how to use OSPF on the Firewall Services Module:
• Enabling OSPF, page 4-17
• Configuring OSPF Interface Parameters, page 4-17
• Configuring OSPF Area Parameters, page 4-18
• Configuring OSPF NSSA, page 4-19
• Configuring Route Summarization Between OSPF Areas, page 4-20
• Configuring Route Summarization when Redistributing Routes into OSPF, page 4-20
• Creating Virtual Links, page 4-21
• Generating a Default Route, page 4-21
• Changing the OSPF Administrative Distances, page 4-22
• Configuring Route Calculation Timers, page 4-22
• Logging Neighbors Going Up or Down, page 4-22
• Changing the LSA Group Pacing, page 4-23
• Blocking OSPF LSA Flooding, page 4-24
• Ignoring MOSPF LSA Packets, page 4-25
• Displaying OSPF Update Packet Pacing, page 4-26
• Area Border Router Type 3 LSA Filtering, page 4-26
• Monitoring and Maintaining OSPF, page 4-27
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
4-16 78-14450-02
Chapter 4 Configuring Firewall Services
Configuring OSPF Routing Support
Enabling OSPF
As with other routing protocols, to enable OSPF you need to create an OSPF routing process, specify
the range of IP addresses to be associated with the routing process, and assign area IDs to be associated
with that range of IP addresses. To enable OSPF, perform this task, beginning in global configuration
mode:
Command Purpose
Step 1 FWSM(config)# router ospf process-id Enables OSPF routing, which places you in router
configuration mode.
Step 2 FWSM(config-router)# network ip-address mask area Defines an interface on which OSPF runs and defines
area-id the area ID for that interface.
Command Purpose
Step 1 FWSM(config)# interface interface_name Specifies the OSPF interface.
Step 2 FWSM(config-interface)# ospf cost cost Explicitly specifies the cost of sending a packet on an
OSPF interface.
Step 3 FWSM(config-interface)# ospf retransmit-interval Specifies the number of seconds between link-state
seconds advertisement (LSA) retransmissions for adjacencies
belonging to an OSPF interface.
Step 4 FWSM(config-interface)# ospf transmit-delay Sets the estimated number of seconds required to send a
seconds link-state update packet on an OSPF interface.
Step 5 FWSM(config-interface)# ospf priority Sets priority to help determine the OSPF designated
number-value router for a network.
Step 6 FWSM(config-interface)# ospf hello-interval Specifies the length of time between the hello packets
seconds that the Cisco IOS software sends on an OSPF interface.
Step 7 FWSM(config-interface)# ospf dead-interval Sets the number of seconds that a device must wait
seconds before it declares a neighbor OSPF router down because
it has not received a hello packet.
Step 8 FWSM(config-interface)# ospf authentication-key Assigns a password to be used by neighboring OSPF
key routers on a network segment that is using the OSPF
simple password authentication.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 4-17
Chapter 4 Configuring Firewall Services
Configuring OSPF Routing Support
Command Purpose
Step 9 FWSM(config-interface)# ospf message-digest-key Enables OSPF MD5 authentication. The values for the
key-id md5 key key-id and key arguments must match values specified for
other neighbors on a network segment.
Step 10 FWSM(config-interface)# ospf authentication Specifies the authentication type for an interface.
[message-digest | null]
Step 11 FWSM(config-interface)# show ip ospf Displays the OSPF configuration.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
4-18 78-14450-02
Chapter 4 Configuring Firewall Services
Configuring OSPF Routing Support
the stub area. To further reduce the number of LSAs sent into a stub area, you can configure the
no-summary keyword of the area stub router configuration command on the area border router to prevent
it from sending summary link advertisement (LSAs type 3) into the stub area.
To specify an area parameter for your network, perform this task in router configuration mode:
Command Purpose
Step 1 FWSM(config-router)# area area-id authentication Enables authentication for an OSPF area.
Step 2 FWSM(config-router)# area area-id authentication Enables MD5 authentication for an OSPF area.
message-digest
Step 3 FWSM(config-router)# area area-id stub Defines an area to be a stub area.
[no-summary]
Step 4 FWSM(config-router)# area area-id default-cost Assigns a specific cost to the default summary route used
cost for the stub area.
Command Purpose
FWSM(config-router)# area area-id nssa Defines an NSSA area.
[no-redistribution] [default-information-originate]
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 4-19
Chapter 4 Configuring Firewall Services
Configuring OSPF Routing Support
To control summarization and filtering of type 7 LSAs into type 5 LSAs, perform this task in router
configuration mode on the area border router:
Command Purpose
FWSM(config-router)# summary address prefix mask Controls the summarization and filtering during the translation.
[not advertise] [tag tag]
Command Purpose
FWSM(config-router)# area area-id range ip-address Specifies an address range for which a single route will be
mask [advertise | not-advertise] advertised.
This example shows how to configure route summarization between OSPF areas:
FWSM(config-router)# area 17 range 12.1.0.0 255.255.0.0
Command Purpose
FWSM(config-router)# summary-address {{ip-address Specifies an address and mask that covers redistributed routes,
mask}| {prefix mask}} [not-advertise] [tag tag] so that only one summary route is advertised. Use the optional
not-advertise keyword to filter out a set of routes.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
4-20 78-14450-02
Chapter 4 Configuring Firewall Services
Configuring OSPF Routing Support
This example shows how to configure route summarization when redistributing routes into OSPF:
FWSM(config-router)# summary-address 12.1.0.0 255.255.0.0
Command Purpose
FWSM(config-router)# area area-id virtual-link Establishes a virtual link.
router-id [authentication [message-digest | null]]
[hello-interval seconds][retransmit-interval
seconds] [transmit-delay seconds] [dead-interval
seconds] [[authentication-key key] |
[message-digest-key key-id md5 key]]
To display information about virtual links, use the show ip ospf virtual-links EXEC command.
To display the router ID of an OSPF router, use the show ip ospf EXEC command
Command Purpose
FWSM(config-router)# default-information originate Forces the autonomous system boundary router to generate a
[always] [metric metric-value] [metric-type default route into the OSPF routing domain.
type-value] [route-map map-name]
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 4-21
Chapter 4 Configuring Firewall Services
Configuring OSPF Routing Support
Command Purpose
FWSM(config-router)# distance ospf {[intra-area Changes the OSPF distance values.
dist1] [inter-area dist2] [external dist3]}
Command Purpose
FWSM(config-router)# timers spf spf-delay Configures route calculation timers.
spf-holdtime
Command Purpose
FWSM(config-router)# log-adj-changes [detail] Sends syslog message when an OSPF neighbor goes up or
down.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
4-22 78-14450-02
Chapter 4 Configuring Firewall Services
Configuring OSPF Routing Support
All LSAs refreshed, 120 external LSAs on Ethernet need three packets
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 4-23
Chapter 4 Configuring Firewall Services
Configuring OSPF Routing Support
Therefore, the router delays the LSA refresh function for an interval of time instead of performing it
when the individual timers are reached. The accumulated LSAs constitute a group, which is then
refreshed and sent out in one packet or more. The refresh packets are paced as are the check summing
and aging. The pacing interval is configurable; it defaults to 4 minutes, which is randomized to further
avoid synchronization.
Figure 4-4 shows refresh packets. The first timeline shows individual LSA timers; the second timeline
shows individual LSA timers with group pacing.
20 LSAs, 1 packet
37 LSAs, 1 packet
15 LSAs, 1 packet
The group pacing interval is inversely proportional to the number of LSAs the router is refreshing, check
summing, and aging. For example, if you have approximately 10,000 LSAs, decreasing the pacing
interval would benefit you. If you have a very small database (40 to 100 LSAs), increasing the pacing
interval to 10 to 20 minutes might benefit you slightly.
The default value of pacing between LSA groups is 240 seconds (4 minutes). The range is from 10
seconds to 1800 seconds (30 minutes). To change the LSA group pacing interval, perform this task in
router configuration mode:
Command Purpose
FWSM(config-router)# timers lsa-group-pacing seconds Changes the group pacing of LSAs.
The following example changes the OSPF pacing between LSA groups to 280 seconds:
FWSM(config-router)# timers lsa-group-pacing 280
FWSM(config-router)# interface inside
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
4-24 78-14450-02
Chapter 4 Configuring Firewall Services
Configuring OSPF Routing Support
You can block OSPF flooding of LSAs two ways, depending on the type of networks:
• On broadcast, nonbroadcast, and point-to-point networks, you can block flooding over specified
OSPF interfaces.
• On point-to-multipoint networks, you can block flooding to a specified neighbor.
On broadcast, nonbroadcast, and point-to-point networks, to prevent flooding of OSPF LSAs, perform
this task in interface configuration mode:
Command Purpose
FWSM(config-if)# ospf database-filter all out Blocks the flooding of OSPF LSA packets to the interface.
On point-to-multipoint networks, to prevent flooding of OSPF LSAs, perform this task in router
configuration mode:
Command Purpose
FWSM(config-router)# neighbor ip-address Blocks the flooding of OSPF LSA packets to the specified
database-filter all out neighbor.
Command Purpose
FWSM(config-router)# ignore lsa mospf Prevents the router from generating syslog messages when it
receives MOSPF LSA packets.
The following example shows how to prevent flooding of OSPF LSAs to broadcast, nonbroadcast, or
point-to-point networks reachable through Ethernet interface 0:
FWSM(config-router)# router ospf 2
FWSM(config-router)# ignore lsa mospf
FWSM(config-interface)# ospf database-filter all out
FWSM(config-interface)# router ospf 2
FWSM(config)# show ip ospf flood-list inside
The following example shows how to prevent flooding of OSPF LSAs to point-to-multipoint networks
to the neighbor at IP address 1.2.3.4:
FWSM(config-router)# router ospf 109
FWSM(config-router)# neighbor 1.2.3.4 database-filter all out
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 4-25
Chapter 4 Configuring Firewall Services
Configuring OSPF Routing Support
Command Purpose
Router# show ip ospf flood-list interface-type Displays a list of LSAs waiting to be flooded over an interface.
interface-number
Command Purpose
Step 1 FWSM(config)#router ospf Enables OSPF routing, which places you in router configuration
process-id mode.
Step 2 FWSM(config-router)#area Configures the router to filter interarea routes into the specified
area-id filter-list prefix name area.
in
Step 3 FWSM(config-router)#ip Creates a prefix list with the name specified for the list name
prefix-list list-name [seq argument.
seq-value] deny | permit
network/len [ge ge-value] [le
le-value]
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
4-26 78-14450-02
Chapter 4 Configuring Firewall Services
Configuring OSPF Routing Support
To filter interarea routes out of a specified area, perform the following task beginning in router
configuration mode:
Command Purpose
Step 1 FWSM(config)#router ospf Enables OSPF routing, which places you in router configuration
process-id mode.
Step 2 FWSM(config-router)#area Configures the router to filter interarea routes out of the specified
area-id filter-list prefix name area.
out
Step 3 FWSM(config-router)#ip Creates a prefix list with the name specified for the list-name
prefix-list name [seq argument.
seq-value] deny | permit
network/len [ge ge-value] [le
le-value]
Command Purpose
FWSM# show ip ospf [process-id] Displays general information about OSPF routing processes.
FWSM# show ip ospf border-routers Displays the internal OSPF routing table entries to the area
FWSM# show ip ospf [process-id [area-id]] database border router and autonomous system border router.
FWSM# show ip ospf [process-id [area-id]] database
[database-summary]
FWSM# show ip ospf [process-id [area-id]] database
[router][self-originate]
FWSM# show ip ospf [process-id [area-id]] database
[router][adv-router [ip-address]]
FWSM# show ip ospf [process-id [area-id]] database
[router] [link-state-id]
FWSM# show ip ospf [process-id [area-id]] database
[network][link-state-id]
FWSM# show ip ospf [process-id [area-id]] database
[summary] [link-state-id]
FWSM# show ip ospf [process-id [area-id]] database
[asbr-summary][link-state-id]
FWSM# show ip ospf [process-id [area-id]] database
[external] [link-state-id]
FWSM# show ip ospf [process-id [area-id]] database
[nssa-external][link-state-id]
FWSM# show ip ospf [process-id [area-id]] database
[opaque-link][link-state-id]
FWSM# show ip ospf [process-id [area-id]] database
[opaque-area][link-state-id]
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 4-27
Chapter 4 Configuring Firewall Services
Configuring IPSec for Management
Command Purpose
FWSM# show ip ospf [process-id [area-id]] database Displays lists of information related to the OSPF database.
[opaque-as] [link-state-id]
FWSM# show ip ospf flood-list interface Displays a list of LSAs waiting to be flooded over an interface
interface-type (to observe OSPF packet pacing).
FWSM# show ip ospf interface [interface-type Displays OSPF-related interface information.
interface-number]
FWSM# show ip ospf neighbor [interface-name] Displays OSPF neighbor information on a per-interface basis.
[neighbor-id] detail
FWSM# show ip ospf request-list [neighbor] [interface] Displays a list of all LSAs requested by a router.
[interface-neighbor]
FWSM# show ip ospf retransmission-list [neighbor] Displays a list of all LSAs waiting to be resent.
[interface] [interface-neighbor]
FWSM# show ip ospf [process-id] summary-address Displays a list of all summary address redistribution
information configured under an OSPF process.
FWSM# show ip ospf virtual-links Displays OSPF-related virtual links information.
Command Purpose
FWSM(config)# clear ip ospf pid {process | Clears redistribution based on the OSPF routing process ID.
redistribution | counters [neighbor
[neighbor-interface] [neighbor-id]]}
Note The term data authentication indicates data-integrity and data-origin authentication. Within this
document, the term also includes antireplay services, unless otherwise specified.
IPSec provides controlled tunnels between two peers, such as two Firewall Services Modules. These
tunnels are sets of security associations that are established between two remote IPSec peers (modules).
You define which packets are considered sensitive and should be sent through these controlled tunnels,
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
4-28 78-14450-02
Chapter 4 Configuring Firewall Services
Configuring IPSec for Management
and you define the parameters that should be used to protect these sensitive packets by specifying the
characteristics of these tunnels. When the IPSec peer sees a sensitive packet, it sets up the appropriate
controlled tunnel and sends the packet through the tunnel to the remote peer.
For detailed information about IPSec, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/ipsec/index.htm
The following steps describe a minimal IPSec configuration where the IPSec security associations are
established through Internet Key Exchange (IKE).
To configure IPSec with IKE for the module, perform this task:
Command Purpose
Step 1 FWSM(config)# access-list access-list-module Creates an access list to define the traffic to protect.
{deny | permit} ip source source-netmask
destination destination-netmask
Step 2 FWSM(config)# crypto ipsec transform-set Configures a transform set that defines how the traffic
transform-set-module transform1 [transform2, will be protected. You can configure multiple transform
transform3]
sets, and then specify one or more of these transform sets
in a crypto map entry in Step 6.
Step 3 FWSM(config)# crypto map map-module seq-num Creates a crypto map entry in IPSec ISAKMP mode.
ipsec-isakmp
Step 4 FWSM(config)# crypto map map-module seq-num match Assigns an access list to a crypto map entry.
address access-list-module
Step 5 FWSM(config)# crypto map map-module seq-num set Specifies the peer to which the IPSec-protected traffic
peer ip-address can be forwarded.The security association is set up with
the peer having an IP address of 192.168.1.100. Specify
multiple peers by repeating this command.
Step 6 FWSM(config)# crypto map map-module seq-num set Specifies which transform sets are allowed for this crypto
transform-set transform-set-module1 map entry. Lists multiple transform sets in order of
[transform-set-module2, transform-set-module6]
priority (highest priority first). You can specify up to six
transform sets.
Step 7 FWSM(config)# crypto map map-module seq-num set (Optional) Specifies a security association lifetime for
security-association lifetime {seconds seconds | the crypto map entry, if you want the security
kilobytes kilobytes}
associations for this entry to be negotiated using different
IPSec security association lifetimes other than the global
lifetimes.
Step 8 FWSM(config)# crypto map map-module seq-num set (Optional) Specifies that IPSec should require perfect
pfs [group1 | group2] forward secrecy (PFS) when requesting new security
associations for this crypto map entry, or should require
PFS in requests received from the peer.
Step 9 FWSM(config)# crypto dynamic-map (Optional) Assigns an access list to a dynamic crypto
dynamic-map-module dynamic-seq-num match address map entry, which determines which traffic should be
access-list-module
protected and which traffic should not protected.
Step 10 FWSM(config)# crypto dynamic-map (Optional) Specifies the peer to which the
dynamic-map-module dynamic-seq-num set peer IPSec-protected traffic can be forwarded. This is rarely
ip-address
configured in dynamic crypto map entries because
dynamic crypto map entries are often used for unknown
peers.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 4-29
Chapter 4 Configuring Firewall Services
Configuring IPSec for Management
Command Purpose
Step 11 FWSM(config)# crypto dynamic-map Specifies which transform sets are allowed for this
dynamic-map-module dynamic-seq-num set dynamic crypto map entry. Lists multiple transform sets
transform-set transform-set-module1,
[transform-set-module2, transform-set-module9]
in order of priority (highest priority first).
Step 12 FWSM(config)# crypto dynamic-map (Optional) Specifies a security association lifetime for
dynamic-map-module dynamic-seq-num set the dynamic crypto map entry, if you want the security
security-association lifetime {seconds seconds |
kilobytes kilobytes}
associations for this entry to be negotiated using different
IPSec security association lifetimes other than the global
lifetimes.
Step 13 FWSM(config)# crypto dynamic-map (Optional) Specifies that IPSec should request PFS when
dynamic-map-module dynamic-seq-num set pfs requesting new security associations for this dynamic
[group1 | group2]
crypto map entry, or should demand PFS in requests
received from the peer.
Step 14 FWSM(config)# crypto map map-module seq-num Adds the dynamic crypto map set into a static crypto map
ipsec-isakmp dynamic dynamic-map-module set. Be sure to set the crypto map entries referencing
dynamic maps to be the lowest-priority entries (highest
sequence numbers) in a crypto map set.
Step 15 FWSM(config)# crypto map map-module interface Applies a crypto map set to an interface on which the
interface-module IPSec traffic will be evaluated.
Step 16 FWSM# sysopt connection permit-ipsec Specifies that IPSec traffic be implicitly trusted
(permitted).
In the Firewall Services Module, VPN and IPSec are available only for management purposes. You
cannot establish IPSec tunnels across the firewall; any tunnel initiated by a VPN client on another switch
should terminate at the Firewall Services Module. The CLI commands you use to configure IPSec for
management have not changed from PIX except for those listed in Table A-6 on page A-5. Refer to the
PIX documentation for details about configuring IPSec.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
4-30 78-14450-02
C H A P T E R 5
Administering the Firewall Services Module
This chapter describe how to administer the Firewall Services Module and contains these sections:
• Administering the Software Images, page 5-1
• Changing and Recovering Passwords, page 5-11
• Resetting the Firewall Services Module, page 5-14
• Troubleshooting the Firewall Services Module, page 5-16
The configurations related to that image is stored in the same partition as the image.
If the module’s application partition gets corrupted, the maintenance partition can be used to recover
the application configuration. The network configuration partition stores the network parameters for
the maintenance partition.
When the application image fails, a log is created in the crash dump partition, which contains all
failure-related information. You can use this log later for debugging using the show crashdump CLI
command from both the maintenance partition and the application partition, if the application
partition recovers without a problem on restart.
You can also upgrade the application from the maintenance partition. You can clear the enable
password for the module from the maintenance partition CLI.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 5-1
Chapter 5 Administering the Firewall Services Module
Administering the Software Images
This section contains the various administrative tasks you can perform using the software images:
• Quick Software Upgrade, page 5-2
• Logging into the Application Software, page 5-3
• Logging into the Maintenance Software, page 5-3
• Upgrading Software Images, page 5-5
Caution Upgrading the software image is a disaster recovery process. The procedure erases the flash or nvram of
the firewall services module. Ensure that your configuration has been backed up so that you can restore
it after the software upgrade.
To quickly upgrade the Firewall Services Module software image, follow these steps:
Step 1 Make the new software image available on a TFTP server, or make the MSFC a TFTP server by using
this command:
msfc(config)# tftp-server bootflash:image name
Step 2 If the MSFC is the TFTP server, make sure you have a VLAN interface on the MSFC reachable from the
module. For example:
a. On the MSFC, enter these commands:
router(config)# interface Vlan30
router(config)# description to_fwsm_vlan_30
router(config)# ip address 10.20.30.2 255.255.255.0
router(config)# no ip redirects
c. From the module make sure that you can ping the MSFC, by entering this command:
FWSM# ping 10.20.30.2
10.20.30.2 response received -- 0ms
10.20.30.2 response received -- 0ms
10.20.30.2 response received -- 0ms
Step 3 From the module enter the copy tftp flash command:
FWSM# copy tftp flash
Address or name of remote host [127.0.0.1]? 10.20.30.2
Source file name [cdisk]? c6svc-fwm-k9.1-1-0-207.bin
copying tftp://10.20.30.2/c6svc-fwm-k9.1-1-0-207.bin to flash:image
[yes|no|again]?yes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
5-2 78-14450-02
Chapter 5 Administering the Firewall Services Module
Administering the Software Images
Step 1 Log into the Catalyst 6500 series switch using the Telnet connection or the console port connection.
Step 2 At the CLI prompt, establish a console session with the module using the session slot slot_number
processor 1 command:
Cisco IOS:
Router# session slot 8 processor 1
The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote
prompt to end the session Trying 127.0.0.81 ... Open
Cisco Maintenance image
Step 3 If the module does not boot into the application partition, reset the module with the following command:
Cisco IOS:
Router# hw-module module slot_number reset cf:4
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 5-3
Chapter 5 Administering the Firewall Services Module
Administering the Software Images
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
5-4 78-14450-02
Chapter 5 Administering the Firewall Services Module
Administering the Software Images
To log into the Firewall Services Module maintenance partition, follow these steps:
Step 1 Log into the Catalyst 6500 series switch using the Telnet connection or the console port connection.
Step 2 At the CLI prompt, establish a console session with the module using the Cisco IOS session slot
slot_number processor 1 command or the Catalyst operating system session mod command.
Cisco IOS:
Router# session slot 8 processor 1
The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote
prompt to end the session Trying 127.0.0.81 ... Open
Cisco Maintenance image
Step 3 At the Maintenance software login prompt, enter root to log in as the root user or guest to log in as a
guest user.
login: root
Step 4 At the password prompt, enter the password for the account. The default password for both accounts is
cisco.
Password:
Step 5 If the module does not boot into the maintenance partition, reset the module with the following
commands:
Cisco IOS:
Router# hw-module module slot_number reset cf:1
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 5-5
Chapter 5 Administering the Firewall Services Module
Administering the Software Images
To upgrade the application partition, change the boot sequence to boot the module from the maintenance
partition. The maintenance partition downloads and installs the application image. The supervisor
engine must be executing the run-time image to provide network access to the maintenance partition.
Set the boot sequence for the module using the supervisor engine CLI commands. As the maintenance
partition boots, it determines the application type. If the network parameters are already configured, you
can directly download the new image. If network parameters are not set, you need to manually configure
them.
When you specify the target device and partition number for upgrading the application partition,
software recognition checks are made to ensure that you do not upgrade the maintenance partition.
Before starting the upgrade process, you will need these software images:
• The application image for the module.
• The maintenance partition image for the module.
A TFTP and FTP server are required to copy the images. The TFTP server should be connected to the
switch and the port connecting to the TFTP server should be included in VLAN 1 on the switch.
Another TFTP server is required in the network. This TFTP server must be reachable from the module
when the module image is booted up.
Command Purpose
Step 1 Cisco IOS: Reboots the module into the maintenance partition.
Router# hw-module module
slot_number reset cf:1
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
5-6 78-14450-02
Chapter 5 Administering the Firewall Services Module
Administering the Software Images
Command Purpose
Step 5 root@localhost# show ip Displays the current settings. If the parameters are not correct,
use the commands described in Step 4. The module image
should be available on the FTP server reachable through
VLAN 1.
Step 6 root@localhost# ping ip_address Pings the FTP server to verify if the configuration is correct.
Step 7 root@localhost# upgrade ftp_url Upgrades the application image from the appropriate directory
cf:x on the FTP server that is reachable from the module.
The ftp_url values contain the following options:
• The username to log in to the FTP server.
The command prompts for the password. Enter the
password for the username you are using to log in to the
FTP server.
• ftp_url is the IP address of the FTP server and the complete
path of the file on the FTP server.
Note If the FTP server does not allow anonymous users, use
the following syntax for the ftp-url value:
ftp://user@host/absolute-path/filename.
This example shows how to upgrade the Firewall Services Module application software:
Router# hw-module module 9 reset cf:1
Router#
00:16:06:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
00:16:06:SP:The PC in slot 9 is shutting down. Please wait ...
00:16:21:SP:PC shutdown completed for module 9
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 5-7
Chapter 5 Administering the Firewall Services Module
Administering the Software Images
login:root
Password:
[email protected]# upgrade
ftp://user:password@address/tftpboot/user/c6svc-fwm-k9.1-1-0-170.bin cf:4
Application image upgrade complete. You can boot the image now.
[email protected]# logout
Router#
00:24:04:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
5-8 78-14450-02
Chapter 5 Administering the Firewall Services Module
Administering the Software Images
The module is now upgraded and ready for further firewall configuration. You can do further application
partition upgrades from the module console, by entering the command:
copy tftp://tftp_ip/file_name flash:
Note If you have changed the passwords for the root and guest accounts of the maintenance partition, they will
be retained across upgrades.
Command Purpose
Step 1 Cisco IOS: Reboots the module into the application partition.
Router# hw-module module
slot_number reset cf:4
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 5-9
Chapter 5 Administering the Firewall Services Module
Administering the Software Images
Command Purpose
Step 3 FWSM# upgrade-mp ftp_url Upgrades the maintenance partition from the appropriate
tftp-path directory on the TFTP server that is reachable from the module.
The tftp_url values contain the following:
• Username is the username to log in to the TFTP server.
• The command prompts for the password. Enter the
password for the username you are using to log in to the
TFTP server.
• tftp_url is the IP address of the TFTP server and the
complete path of the file on the TFTP server.
Note If the TFTP server does not allow anonymous users, use
the following syntax for ftp_url value:
tftp://absolute-path/filename.
Step 6 root@localhost# show ip (Optional) Verifies the initial configuration after the
maintenance software comes back online after the module is
reset and you log into the maintenance software’s root account.
Step 7 Cisco IOS: (Optional) Resets the module in the application partition.You
Router# hw-module module can reset the module in either cf:4 or cf:5.
slot_number reset cf:x
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
5-10 78-14450-02
Chapter 5 Administering the Firewall Services Module
Changing and Recovering Passwords
Router#
00:31:11:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
00:31:11:SP:The PC in slot 9 is shutting down. Please wait ...
00:31:25:SP:PC shutdown completed for module 9
00:31:25:%C6KPWR-SP-4-DISABLED:power to module in slot 9 set off (admin
request)
00:31:28:SP:Resetting module 9 ...
00:31:28:%C6KPWR-SP-4-ENABLED:power to module in slot 9 set on
00:33:26:%SNMP-5-MODULETRAP:Module 9 [Up] Trap
00:33:26:%DIAG-SP-6-BYPASS:Module 9:Online Diagnostics is Bypassed
00:33:26:%OIR-SP-6-INSCARD:Card inserted in slot 9, interfaces are now
online
fwsm# upgrade-mp
Address or name of remote host [160.251.101.128]? 192.168.253.79
Source file name []? mp-1.0.1-bin.gz
copying upgrade-mp tftp://10.1.1.1/tftpboot/mp.1-1-0-3.bin.gz to flash
[yes|no|again]? y
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 7700916 bytes.
Maintenance partition upgraded.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 5-11
Chapter 5 Administering the Firewall Services Module
Changing and Recovering Passwords
Note New passwords must be at least six characters in length, and may include uppercase and lowercase
letters, numbers, and punctuation marks.
Note If the Firewall Services Module application image password is lost, you can clear the password by
booting into the maintenance image. If the module maintenance image passwords are lost for the root or
guest account, you can clear both passwords by booting into the application image.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
5-12 78-14450-02
Chapter 5 Administering the Firewall Services Module
Changing and Recovering Passwords
This example shows how to set the password for the root account:
root@localhost# passwd
Changing password for user root
New password:
Retype new password:
passwd: all authentication tokens updated successfully
To change the password for the guest account, enter the password-guest command. This command is
available from the maintenance partition root account only.
This example shows how to set the password for the guest account:
root@localhost# passwd-guest
Changing password for user guest
New password:
Retype new password:
passwd: all authentication tokens updated successfully
partition_number refers to the number of the application or maintenance partition where you are
resetting the password.
Note If you are resetting the application password, you must be logged into the maintenance partition. If you
are changing the maintenance partition password, you must be logged into the application partition.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 5-13
Chapter 5 Administering the Firewall Services Module
Resetting the Firewall Services Module
[yn] y
Passwords and aaa commands have been erased.
This example shows how to clear the password for the module application software on partition 4 of the
compact flash:
root@localhost# clear passwd cf:4
Do you wish to erase the passwords? [yn] y
The following lines will be removed from the configuration:
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
Do you want to remove the commands listed above from the configuration?
[yn] y
Passwords and aaa commands have been erased.
Note If you are resetting the maintenance partition password, you must be logged into the application
partition.
This example shows how to clear the password for the module maintenance software on partition cf:1 of
the compact Flash:
root@localhost# clear mp-passwd
Passwords for 'root' and 'guest' accounts cleared successfully.
Note This command is specific to Cisco IOS software and is not available in Catalyst operating system
software.
A full memory test takes more time to complete than a partial memory test depending on the memory
size. Table 2-2 on page 2-12 lists the memory and approximate boot time for a long memory test.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
5-14 78-14450-02
Chapter 5 Administering the Firewall Services Module
Resetting the Firewall Services Module
Command Purpose
hw-module module mod_num reset Resets the module. The device:partition variable is the string for the
[device:partition] [mem-test-full] boot device, for example, cf: designates the compact Flash and x is the
number for the partition on each device.
Note For the boot device, you can specify cf:4 or cf:5 for the application image or cf:1 for the maintenance
image.
This example shows how to reset the module, installed in slot 9, from the CLI:
Router# hw-mod mod 9 reset
Router#
00:26:55:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
00:26:55:SP:The PC in slot 8 is shutting down. Please wait ...
To reboot the module from the application software, perform this task while you are sessioned into the
root account on the module in the privileged mode:
Command Purpose
reboot or reload Reboots the module.
Command Purpose
reset module_number [boot device:partition] Resets the module. The device:partition variable is the string for the
boot device, for example, cf: designates the compact Flash and x is the
number for the partition on each device.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 5-15
Chapter 5 Administering the Firewall Services Module
Troubleshooting the Firewall Services Module
Note For the boot device, you can specify cf:4 or cf:5 for the application image or cf:1 for the maintenance
image. The default boot partition for the module is cf:4.
This example shows how to reset the module, installed in slot 9, from the from the application partition:
Router# reset mod 9
Router#
00:26:55:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
00:26:55:SP:The PC in slot 8 is shutting down. Please wait ...
To reboot the module from the application software, perform this task while you are sessioned into the
root account on the module in the privileged mode:
Command Purpose
reboot Reboots the module.
Recommended Action Perform a show module command and check that the status is OK.
Symptom When a reset command is entered from the supervisor engine CLI, the system always boots
into the maintenance image.
Possible Cause If the boot device is configured in the supervisor engine as cf:1, when you enter a
reset module command the system always boots to the maintenance image.
Recommended Action Override the configured boot device in the supervisor engine by entering the
boot string during reset. In Cisco IOS software, to boot to the application image, enter the
hw-module mod 9 reset cf:4 (or cf:5) command.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
5-16 78-14450-02
Chapter 5 Administering the Firewall Services Module
Troubleshooting the Firewall Services Module
Symptom You are unable to log into the maintenance image with the same password for the module
application image.
Possible Cause The module application image and the maintenance image have different password
databases. Any password change performed in the module application image does not change the
maintenance image passwords and vice versa.
Symptom You lost your password for the maintenance image and want to recover it.
Possible Cause The maintenance image does not support resetting passwords from the switch.
Upgrading the maintenance image retains the password for root and guest across the upgrades.
Recommended Action Refer to “Changing and Recovering Passwords” section on page 5-11.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 5-17
Chapter 5 Administering the Firewall Services Module
Troubleshooting the Firewall Services Module
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
5-18 78-14450-02
A P P E N D I X A
Firewall Services Module and PIX Commands
This appendix describes additions, changes, and differences between the Firewall Services Module and
the PIX application commands.
The tables in this appendix describe the following commands:
• Commands that support the maintenance software (Table A-1 on page A-1).
• Cisco IOS commands that support the Firewall Services Module (Table A-2 on page A-3).
• Catalyst operating system commands that support the Firewall Services Module (Table A-3 on page
A-3).
• New commands specific to the module (Table A-4 on page A-3).
These commands are described in Appendix B, “Command Reference.”
• PIX commands that were changed for the module (Table A-5 on page A-5).
• PIX commands that are not used by the module (Table A-6 on page A-5).
• PIX commands used by the module and their PIX version (Table A-7 on page A-7).
For detailed information about the PIX software commands, refer to the PIX documentation listed
in the “Related Documentation” section on page xvii.
The module also supports CLI commands for the supervisor engine, which are described in more detail
in the Catalyst 6500 Series Command Reference.
Command Description
clear ip Clears the network configuration for the interface.
clear log upgrade Clears the application image upgrade log file. This
command is available only in the maintenance
image.
clear password Clears and resets the password.
disable-guest Disables the guest account from the maintenance
image. This command is available only for the root
account. The guest account is enabled by default.
enable-guest Enables the guest account from the maintenance
image root account. This command is available only
for the root account. The guest account is enabled by
default.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 A-1
Appendix A Firewall Services Module and PIX Commands
Command Description
? Displays a list of top-level commands or additional
information for an individual command.
ip Sets the IP parameters. This command is available
from the application and maintenance image and the
guest account in the maintenance image.
ip address ip-address netmask Specifies the IP address and subnet for a node on the
network.
ip broadcast broadcast-address Specifies the IP broadcast address for a node on the
network.
ip domain domain-name Specifies the domain name.
ip gateway gateway-address Specifies the default IP gateway.
ip host hostname Specifies an IP host name.
ip nameserver [name-server1] [name-server2] Specifies the IP name server used to resolve network
[name-server3] names into network addresses.
logout Logs you out of the shell from the maintenance
image and the guest account from the maintenance
image.
passwd Sets the password for the current user from the root
account.
passwd-guest Sets the password for the guest account from the
maintenance image. This command is available only
for the root account.
ping hostname | IP address Sends five ICMP echo-request packets to another
node on the network. To configure ping, you can
also use the command without arguments.
show Displays the system parameters from the
maintenance and guest account from the
maintenance image.
show images Lists the images that are installed in the module
application partitions.
show ip Displays current IP configuration.
show log upgrade Displays the application image upgrade log.
show version Displays the module maintenance image version,
daughter card information, and module application
image version.
show crashdump Displays the contents of the crashdump partition.
The partition is populated when the module
application software crashes.
upgrade [ftp-url] [device:partition-num] Upgrades the maintenance image from the specified
location, when the module is booted into the
application image. This command is also available
from the guest account in the maintenance image.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
A-2 78-14450-02
Appendix A Firewall Services Module and PIX Commands
Table A-2 Cisco IOS Commands for the Firewall Services Module
Command Description
firewall module module_number vlan-group Attaches the VLAN and firewall group to the slot
firewall_group where the module is located.
firewall vlan-group firewall_group vlan_range Creates a firewall group of controlled VLANs.
interface vlan vlan_number Defines a controlled VLAN (SVI) on the MSFC
(route processor).
Note You must configure a controlled VLAN
(SVI) on the MSFC or you will be unable
to configure VLANs on the module.
show firewall module Displays the module configuration.
show firewall vlan-group Displays the firewall VLAN group.
show interface vlan vlan_number Displays the interface configuration.
show firewall module Displays the module configuration.
vlan vlan_number Creates VLANs on the switch.
Table A-3 Catalyst Operating System Commands for the Firewall Services Module
Command Descriptions
set vlan vlan-range firewall-vlan module Sets the specified VLAN range as secure VLANs
on the firewall module.
clear vlan vlan-range firewall-vlan module Clears the specified VLANs from the secure
VLANs for a given firewall module.
show vlan firewall-vlan module Displays the current secure VLANs for a given
firewall module.
Command
access-list id deny | permit {any | ip mask}
area area id authentication areadefault-cost
area area id authentication message-digest
area area id cost
area area id filter-list prefix module [in | out]
area area id nssa [no-redistribution] [default-information-originate]
area area id range prefix mask [advertise | not-advertise]
area area id stub [no-summary]
area area id virtual-link router id [ authentication [message-digest | null]] [hello-interval seconds]
[retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds [[authentication-key
key]| [message-digest-key key id md5 key]]
console-output (clear and show)
default-information originate [ metric value | metric-type { 1 | 2 } | route-map map ]
distance [intra-area d1] [inter-area d2] [external d3]
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 A-3
Appendix A Firewall Services Module and PIX Commands
Command
ip prefix-list list-module [seq seq-value] {deny | permit network/length}[ge ge-value] [le le-value]
ip prefix-list sequence-number
logging rate-limit num [interval] message syslog_id
logging rate-limit num [interval] level syslog_level
show logging rate-limit
clear logging rate-limit
match [interface | route-type | metric | ip address | ip next-hop | ip route-source]
moduleif vlan_id [if_module] [security_level]
network prefix mask area area id
ospf cost cost
ospf retransmit-interval seconds
ospf transmit-delay seconds
ospf priority number ospf hello-interval seconds
ospf dead-interval seconds
ospf authentication-key key
ospf message-digest-key keyed md5 key
ospf authentication [message-digest | null]
redistribute { ospf id | static | connect } [{match { internal | external extern-type } metric
metric-value | metric-type metric-type [internal | external] tag tag-value | subnets }] route-map map
value
route-map map-tag [permit | deny] [seq-num]
router ospf asystem id
set metric [+ | -] metric-value
set metric-type type-1 | type-2 | internal | external
set ip next-hop ip-addres> [ip-address...]
show ip ospf
show ip ospf border-routers
show ip ospf database [router][network][external]
show ip ospf interface
show ip ospf neighbor
show ip ospf request-list
show ip ospf retransmission-list
show ip ospf summary-address
show ip ospf virtual-link
summary-address addr mask [not-advertise] [tag tag]
timers lsa-group-pacing value
timers spf
upgrade-mp
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
A-4 78-14450-02
Appendix A Firewall Services Module and PIX Commands
Table A-5 PIX Commands Changed for the Firewall Services Module
Command
aaa authentication [supervisor | enable | telnet | ssh | http] console group_tag
fragment size database-limit [interface]
The default fragment size was changed from 200 for PIX to1 for the FWSM. By default, fragmentation
is disabled on the FWSM.
icmp permit | deny [host] src_addr [src_mask] [type] int_name By default, ICMP is set to off in the
FWSM.
interface hardware_id [hardware_speed] [shutdown]
show interface
nameif hardware_id ifname security_level
New syntax is nameif vlan_id if_name security_level. Refer to nameif vlan_number if_name
security_level in Appendix B, “Command Reference”
route if_module ip_address netmask gateway_ip [metric]
Table A-6 PIX Commands Not Used by the Firewall Services Module
Command
apply [(if_name)] list_ID outgoing_src | outgoing_dest
clear apply
show apply [(if_name)] [list_ID outgoing_src | outgoing_dest]
failover rsa key
clock set hh:mm:ss month day year
clock set hh:mm:ss day month year
show clock
conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip
foreign_mask [operator port [port]]
configure floppy
dhcpd auto_config [client_ifx_name ]
dhcpd option {150 | 66}
eeprom update
show eeprom
flashfs downgrade {4.x | 5.0 | 5.1}
filter activex port local_ip mask foreign_ip mask
filter java port [-port] local_ip mask foreign_ip mask
ip address if_name dhcp [setroute]
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 A-5
Appendix A Firewall Services Module and PIX Commands
Table A-6 PIX Commands Not Used by the Firewall Services Module (continued)
Command
ip audit attack [action [alarm] [drop] [reset]]
show ip audit attack
ip audit info [action [alarm] [drop] [reset]]
show ip audit info
ip audit interface if_module audit_module
show ip audit interface
ip audit name audit_name attack [action [alarm] [drop] [reset]]
show ip audit name [module [info | attack]]
ip audit name audit_name info [action [alarm] [drop] [reset]]
show ip audit name
ip audit module audit_module info [action [alarm] [drop] [reset]]
show ip audit module
ip audit signature signature_number disable
show ip audit signature [signature_number]
clear ip audit [module | signature | interface | attack | info]
outbound list_ID permit | deny ip_address [netmask [port[-port]] [protocol]
outbound list_ID except ip_address [netmask [port[-port]] [protocol]
clear outbound
show outbound
session enable
show session
sysopt uauth allow-http-cache
sysopt connection permit-pptp
sysopt connection permit-l2tp
vpdn enable if_name
vpdn group module accept dialin pptp | l2tp
vpdn group module l2tp tunnel hello hello_timeout
vpdn group group_module ppp authentication pap | chap | mschap
vpdn group group_module ppp encryption mppe 40 | 128 | auto [required]
vpdn group group_module client configuration address local address_pool_module
vpdn group group_module client configuration dns dns_server_ip1 [dns_server_ip2]
vpdn group group_module client configuration wins wins_server_ip1 [wins_server_ip2]
vpdn group group_module client authentication aaa aaa_server_group
vpdn group group_module client authentication local
vpdn group group_module client accounting aaa_server_group
vpdn usermodule usermodule password password
vpdn group group_module pptp echo echo_timeout
show vpdn tunnel [l2tp | pptp] [id tunnel_id | packets | state | summary | transport]
show vpdn usermodule [usermodule]
show vpdn session [l2tp | pptp] [id session_id | packets | state | window]
show vpdn pppinterface [id intf_id]
clear vpdn [group | usermodule | tunnel [all | [id tunnel_id]]]
write floppy
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
A-6 78-14450-02
Appendix A Firewall Services Module and PIX Commands
Table A-7 lists the PIX commands used by the module and their PIX version. Commands that were
changed from PIX for the module are described in Appendix B, “Command Reference.” For detailed
information about the PIX software commands, refer to the PIX documentation located at these URLs:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 A-7
Appendix A Firewall Services Module and PIX Commands
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
A-8 78-14450-02
Appendix A Firewall Services Module and PIX Commands
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 A-9
Appendix A Firewall Services Module and PIX Commands
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
A-10 78-14450-02
A P P E N D I X B
Command Reference
This appendix describes the Firewall Services Module commands that are unique to this module and the
commands that have been changed from the PIX command implementation for use with the Firewall
Services Module.
For detailed information about the PIX software commands, refer to the PIX documentation located at
these URLs:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/
Command Command
access-list, page B-2 route-map, page B-30
access-list (ospf), page B-7 set metric, page B-32
area, page B-8 set metric-type, page B-33
clear console-output, page B-11 show console-output, page B-34
clear logging rate-limit, page B-12 show crashdump, page B-35
default-information originate, page B-13 show firewall module, page B-36
distance, page B-14 show firewall vlan-group, page B-37
firewall module, page B-15 show interface, page B-38
firewall vlan-group, page B-16 show ip ospf, page B-39
interface, page B-17 show logging rate-limit, page B-41
ip prefix-list, page B-18 show vlan, page B-42
logging rate-limit, page B-19 summary-address, page B-43
match, page B-21 timers lsa-group-pacing, page B-44
nameif, page B-22 timers spf, page B-45
network, page B-23 upgrade-mp, page B-46
ospf, page B-24
redistribute, page B-26
route, page B-28
router ospf, page B-29
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-1
Appendix B Command Reference
access-list
access-list
To configure access rules, use the access-list command. Use the no form of this command to remove
access rules from the configuration.
Note The configuration options for the access-lists in module are the same as those supported in PIX 6.0.
module also supports access rules configuration using the object group command as supported in
PIX 6.2.
Note Every interface on the module requires you to explicitly define access lists. By default access lists are
defined as deny any any.
access-list acl_ID deny | permit icmp { host source_addr | local_addr | source_addr | local_addr
source_mask | local_mask | object-group network_obj_grp_id }{ host destination_addr |
remote_addr | destination_addr | remote_addr destination_mask | remote_mask | object-group
network_obj_grp_id }{ [ icmp_type | object-group icmp_type_obj_grp_id] }
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-2 78-14450-02
Appendix B Command Reference
access-list
Syntax Description acl_ID Name of an access list. You can use either a name or number.
deny (Optional) Used with the access-list command to not allow a packet to
traverse the PIX firewall. By default, the PIX firewall denies all inbound or
outbound packets unless you specifically permit access.
When used with a crypto map command statement, deny does not select a
packet for IPSec protection. The deny option prevents traffic from being
protected by IPSec in the context of that particular crypto map entry. In other
words, it does not allow the policy as specified in the crypto map command
statements to be applied to this traffic.
permit Used with the access-list command to select a packet to traverse the PIX
firewall. By default, PIX firewall denies all inbound or outbound packets
unless you specifically permit access.
When used with a crypto map command statement, permit selects a packet
for IPSec protection. The permit option causes all IP traffic that matches the
specified conditions to be protected by IPSec using the policy described by
the corresponding crypto map command statements.
permit icmp Used with the access-list command to allow an ICMP packet to traverse the
PIX firewall. By default, PIX firewall denies all inbound or outbound
packets unless you specifically permit access.
When used with a crypto map command statement, permit selects a packet
for IPSec protection. The permit option causes all IP traffic that matches the
specified conditions to be protected by IPSec using the policy described by
the corresponding crypto map command statements.
protocol Name or number of an IP protocol. This value can be one of the keywords
icmp, ip, tcp, or udp, or an integer in the range 1 to 254 representing an IP
protocol number. To match any Internet protocol, including ICMP, TCP, and
UDP, use the keyword ip.
object-group Identifies the object group.
protocol_obj_grp_id Identification of the object group.
host Identifies the host.
source_addr Address of the network or host from which the packet is being sent. Use this
field when an access-list command statement is used in conjunction with an
access-list command statement, or with the aaa match access-list command
and the aaa authorization command.
local_addr Address of the network or host local to the PIX firewall. Specify a
local_addr when the access-list command statement is used in conjunction
with a crypto access-list command statement, a nat 0 access-list command
statement, or a vpngroup split-tunnel command statement. The local_addr
is the address after NAT has been performed.
source_mask Netmask bits (mask) to be applied to source_addr, if the source address is
for a network mask.
local_mask Netmask bits (mask) to be applied to local_addr, if the local address is a
network mask.
network_obj_grp_id Name of the network object group containing a group of hosts and networks
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-3
Appendix B Command Reference
access-list
operator A comparison operand that allows you to specify a port or a port range. Use
without an operator and port to indicate all ports; for example:
access-list acl_out permit tcp any host 209.165.201.1
Use eq and a port to permit or deny access to only that port. For example,
use eq ftp to permit or deny access only to FTP:
access-list acl_out deny tcp any host 209.165.201.1 eq ftp
Use lt and a port to permit or deny access to all ports less than the port you
specify. For example, use lt 1024 to permit or deny access to the well known
ports (1 to 1024):
access-list acl_dmz1 permit tcp any host 192.168.1.1 lt 1025
Use gt and a port to permit or deny access to all ports greater than the port
you specify. For example, use gt 42 to permit or deny ports 43 to 65535:
access-list acl_dmz1 deny udp any host 192.168.1.2 gt 42
Use neq and a port to permit or deny access to every port except the ports
that you specify. For example, use neq 10 to permit or deny ports 1-9 and 11
to 65535:
access-list acl_dmz1 deny tcp any host 192.168.1.3 neq 10
Use range and a port range to permit or deny access to only those ports
named in the range. For example, use range 10 to 1024 to permit or deny
access only to ports 10 through 1024. All other ports are unaffected. The use
of port ranges can dramatically increase the number of IPSec tunnels. For
example, if a port range of 5000 to 65535 is specified for a highly dynamic
protocol, up to 60,535 tunnels can be created.
access-list acl_dmz1 deny tcp any host 192.168.1.4 range 21 1024
port Service you permit or deny access to. Specify services by the port that
handles it, such as smtp for port 25, www for port 80, and so on. You can
specify ports by either a literal name or a number in the range of 1 to 65535.
You can view valid port numbers online at the following website:
http://www.isi.edu/in-notes/iana/assignments/port-numbers.
You can also specify numbers.
service_obj_grp_id Name of the port object group containing a group of services
destination_addr IP address of the network or host to which the packet is being sent. Specify
a destination_addr when the access-list command statement is used in
conjunction with an access-list command statement, or with the aaa match
access-list command and the aaa authorization command. For inbound
connections, destination_addr is the address after NAT has been performed.
For outbound connections, destination_addr is the address before NAT has
been performed.
destination_mask Netmask bits (mask) to be applied to destination_addr, if the destination
address is a network mask.
remote_addr IP address of the network or host remote to the firewall. Specify a
remote_addr when the access-list command statement is used in conjunction
with a crypto access-list command statement, a nat 0 access-list command
statement, or a vpngroup split-tunnel command statement.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-4 78-14450-02
Appendix B Command Reference
access-list
Usage Guidelines The access list behavior on the module differs from that on PIX 6.0 as follows:
• By default all traffic is denied through the module. Explicit access rules need to be configured using
the access-list command and attached to the appropriate interface using the access-list command to
allow traffic to pass through that interface.
• The module does not support the outbound, conduit and apply configuration commands that are
supported in PIX.
• The access lists used in the module are compiled by the software and loaded into a supervisor engine
for subsequent lookup. Each time an access rule is added using any of the following commands a
short delay occurs before a new compilation is begins to catch any additional configurations: filter,
fixup, icmp, telnet, ssh, access-list, established, aaa authentication, aaa authorization and aaa
accounting
After the compilation begins, it may take some time for the new rule set to be downloaded to the
hardware. In the interim, the old access rule set is applied to the incoming traffic. After successfully
download the new set is used to determine access permissions.
• During compilation, if the compilation process runs out of resources, an error message is printed on
the console when the access lists configured on the module are different from those currently being
used in the hardware. To synchronize the configuration, remove the newly added rules that began
the compilation and add fewer rules.
• Access rules with port ranges have a negative impact on the total number of access rules that the
module can support. You should avoid configuring access rules with large port ranges.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-5
Appendix B Command Reference
access-list
Examples This example shows how to define an access list allowing any host to access server 121.23.65.12 using
Telnet:
FWSM(config)# access-list in_acl permit tcp any host 121.23.65.12 eq 23
For further examples, refer to the Configuration Guide for the Cisco Secure PIX Firewall Version 6.
For examples on using access-lists with the object group command, refer to the Cisco PIX Firewall and
VPN Configuration Guide Version 6.2.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-6 78-14450-02
Appendix B Command Reference
access-list (ospf)
access-list (ospf)
To configure access rules, use the access list (ospf) command. Use the no form of this command to
remove access rules from the configuration.
Usage Guidelines This access list syntax is used only in the context of OSPF. Access lists created with this syntax are then
used for defining route maps to be applied to redistributed routes. An access list containing any access
elements defined using the command syntax cannot be applied to an interface using the access-list
command.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-7
Appendix B Command Reference
area
area
To specify an area name in the router configuration submode, use the area command.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-8 78-14450-02
Appendix B Command Reference
area
dead-interval (Optional) Sets the time to wait for hello messages before declaring
a neighbor down.
authentication-key Assigns a password used by neighbors on a network segment using
simple (cleartext) password authentication.
key Used between the client and server for encrypting data between them,
the key must be the same on both the client and server systems. You
can use up to 127 alphanumeric characters which are case-sensitive.
This key has the same value of a TACACS+ server. Any characters
entered past 127 are ignored. You cannot use spaces in the key, but
you can use other special characters. If you do not specify a key,
encryption does not occur.
message-digest-key keyed md5 Specifies a key ID and value for an interface using MD5
key authentication.
Examples The following example mandates authentication for areas 0 and 36.0.0.0 of OSPF routing process 201.
Authentication keys are also provided.
Router(config)# interface ethernet 0
ip address 131.119.251.201 255.255.255.0
ip ospf authentication-key adcdefgh
!
Router(config)# interface ethernet 1
ip address 36.56.0.201 255.255.0.0
ip ospf authentication-key ijklmnop
!
Router(config)# router ospf 201
network 36.0.0.0 0.255.255.255 area 36.0.0.0
network 131.119.0.0 0.0.255.255 area 0
area 36.0.0.0 authentication
area 0 authentication
The following example filters prefixes that are sent from all other areas to area 1:
Router(config)# area 1 filter-list prefix-list AREA_1 in
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-9
Appendix B Command Reference
area
The following example specifies one summary route to be advertised by the ABR to other areas for all
subnets on network 36.0.0.0 and for all hosts on network 192.42.110.0:
Router(config)# interface ethernet 0
ip address 192.42.110.201 255.255.255.0
!
Router(config)# interface ethernet 1
ip address 192.42.120.201 255.255.255.0
!
Router(config)# router ospf 201
network 192.42.110.0 0.0.0.255 area 0
area 36.0.0.0 range 36.0.0.0 255.0.0.0
area 0 range 192.42.110.0 255.255.0.0
The following example establishes a virtual link with default values for all optional parameters:
Router(config)# router ospf 201
network 36.0.0.0 0.255.255.255 area 36.0.0.0
area 36.0.0.0 virtual-link 36.3.4.5
For further examples refer to the Cisco IOS Configuration Guides and Command References.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-10 78-14450-02
Appendix B Command Reference
clear console-output
clear console-output
To clear the contents of the message buffer, use the clear console-output command.
clear console-output
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-11
Appendix B Command Reference
clear logging rate-limit
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-12 78-14450-02
Appendix B Command Reference
default-information originate
default-information originate
To control the redistribution of a default route, use the default-information originate command.
Syntax Description always (Optional) Specifies that a default gateway must be advertised even
if it is not present in the routing table.
metric value (Optional) Specifies the number of hops to the gateway. You an
obtain the hop information by using the traceroute command or by
asking your WAN administrator.
metric-type (Optional) Specifies the metric type.
1 (Optional) Specifies metric type 1.
2 (Optional) Specifies metric type 2.
route-map (Optional) Specifies a route map.
map (Optional) Route map ID.
Examples This example shows how to control the redistribution of a default route:
Router(config)# default-information originate
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-13
Appendix B Command Reference
distance
distance
To define OSPF administrative distances based on route type, use the distance command. To restore the
default value, use the no form of this command.
no distance
Syntax Description intra-area dist1 (Optional) Sets the distance for all routes within an area.
intra-area dist2 (Optional) Sets the distance for all routes from one area to another
area.
external dist3 (Optional) Sets the distance for routes from other routing domains
learned by redistribution.
Examples The following example changes the external distance to 200, making it less reliable:
Router A Configuration
Router(config)# router ospf 1
Router(config)# redistribute ospf 2 subnet
Router(config)# distance external 200
Router B Configuration
Router(config)# router ospf 2
Router(config)# redistribute ospf 1 subnet
Router(config)# distance external 200
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-14 78-14450-02
Appendix B Command Reference
firewall module
firewall module
To attach a group of controlled VLANs to a module, use the firewall module command.
Syntax Description module_number Specifies the module to attach the VLAN group.
vlan-group Specifies a VLAN group
firewall_group Names the VLAN group.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-15
Appendix B Command Reference
firewall vlan-group
firewall vlan-group
To configure a group of controlled VLANs, use the firewall vlan-group command.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-16 78-14450-02
Appendix B Command Reference
interface
interface
To enter the interface configuration submode to enter OSPF commands or the shutdown command, use
the interface command.
interface interface-name
Examples This example shows how to enter the interface configuration submode:
Router(config)# interface sweden
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-17
Appendix B Command Reference
ip prefix-list
ip prefix-list
To configure a prefix list, use the ip prefix-list command.
ip prefix-list list-name [seq seq-value] {deny | permit network/length} [ge ge-value] [le le-value
no ip prefix-list list-name [seq seq-value] {deny | permit network/length} [ge ge-value] [le
le-value]
Examples This example shows how to deny the default route 0.0.0.0/0:
Router(config)# ip prefix-list abc deny 0.0.0.0/0
For further examples refer to the Cisco IOS Configuration Guides and Command References.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-18 78-14450-02
Appendix B Command Reference
logging rate-limit
logging rate-limit
To rate limit the number of syslogs generated from the module, use the logging rate-limit command. To
remove access lists from the configuration, use the no form of this command.
Because the [interval] is optional and defaults to 1 second, you can specify:
logging rate-limit 10 message 106023
• If you want to limit all the syslogs in level 3 to be generated only 5 times per second, use the
following command:
logging rate-limit 5 level 3
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-19
Appendix B Command Reference
logging rate-limit
• Precedence in setting up logging determines the result of the command action as follows:
– The logging rate-limit message command forms an exception for the logging rate-limit level
command if the level is defined. For example:
logging rate-limit 10 message 106023
logging rate-limit 5 level 1
All syslogs other than 106023 in level 1 will be generated at the maximum 5 times per second.
106023 will be generated up to 10 times per second.
– If you set up a configuration in this order:
logging rate-limit 10 message 106023
logging rate-limit 5 level 1
no logging rate-limit 10 message 106023
– To rate limit syslogs from more than 1 level, use the level version of the command multiple
times:
logging rate-limit 5 level 1
logging rate-limit 6 level 3
logging rate-limit 5 2 level 4
The last 1 in the configuration limits the rate of all syslogs in level 4 to 5 in 2 second intervals.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-20 78-14450-02
Appendix B Command Reference
match
match
To define route matching criteria for a route map, use the no form of this command. To disable matching,
use the no form of this command.
Examples This example shows how create a route map that can be used to redistribute internal routes:
Router(config-route-map)# route-map name
Router(config-route-map)# match route-type internal
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-21
Appendix B Command Reference
nameif
nameif
To assign a name to an interface, use the nameif command. To remove the interface name, use the no
form of this command.
Usage Guidelines Specifies the perimeter interface VLAN, name, and security level on an interface.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-22 78-14450-02
Appendix B Command Reference
network
network
To define the interfaces on which OSPF runs and to define the area ID for those interfaces, use the
network area router command. To disable OSPF routing for interfaces defined with the address
wildcard-mask pair, use the no form of this command.
Examples This example shows how to initialize the OSPF routing process 109, and defines four OSPF areas:
10.9.50.0, 2, 3, and 0. Areas 10.9.50.0, 2, and 3 mask specific address ranges, while area 0 enables OSPF
for all other networks.
Router(config)# interface ethernet 0
Router(config)# ip address 131.108.20.1 255.255.255.0
Router(config)# router ospf 109
Router(config-router)# network 131.108.20.0 0.0.0.255 area 10.9.50.0
Router(config-router)# network 131.108.0.0 0.0.255.255 area 2
Router(config-router)# network 131.109.10.0 0.0.0.255 area 3
Router(config-router)# network 0.0.0.0 255.255.255.255 area 0:
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-23
Appendix B Command Reference
ospf
ospf
To configure OSPF use the ospf commands.
Syntax Description authentication-key Assigns a password used by neighbors on a network segment using
simple (cleartext) password authentication.
key The key is used between the client and server for encrypting data
between them, the key must be the same on both the client and server
systems. You can use up to 127 alphanumeric characters which are
case-sensitive. This key has the same value of a TACACS+ server.
Any characters entered past 127 are ignored. You cannot use spaces
in the key, but you can use other special characters. If you do not
specify a key, encryption does not occur.
authentication Specifies authentication.
[message-digest | null] (Optional) Specifies the authentication type for an interface as either
cleartext, message digest, or no authentication.
cost cost Specifies the cost of sending a packet on an OSPF interface.
dead-interval seconds Sets the time to wait for hello messages before declaring a neighbor
down.
message-digest-key keyed Specifies a key ID and value for an interface using MD5
md5 key authentication.
priority number Sets the priority of the OSPF router for DR (designated router) or
BDR (backup designated router) election.
ospf hello-interval seconds Sets a delay value in seconds between hello messages.
retransmit-interval seconds Specifies a delay between LSA retransmissions.
transmit-delay Specifies the estimated time taken to transmit an LSA on an OSPF
interface.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-24 78-14450-02
Appendix B Command Reference
ospf
Examples The following example sets the interface cost value to 65:
Router(config)# ospf cost 65
The following example sets the interval between hello packets to 15 seconds:
Router(config)# ospf hello-interval 15
The following example sets a new key 19 with the password 8ry4222:
Router(config)# ospf message-digest-key 19 md5 8ry4222
For further examples, refer to the corresponding ip ospf commands in Cisco IOS Configuration Guides
and Command References.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-25
Appendix B Command Reference
redistribute
redistribute
To enable redistribution of static or connected routes or routes form another OSPF process, use the
redistribute command. To remove redistribution from the configuration, use the no form of this
command.
[no] redistribute {ospf id | static | connect} [{match { internal | external extern-type} metric
metric-value | metric-type metric-type [internal | external] tag tag-value | subnets}]
route-map map value
Syntax Description ospf id Specifies the OSPF routing process from which routes are to be
distributed.
static Redistributes static routes.
connect Redistributes connected routes.
match (Optional) Specifies the criteria by which OSPF routes are
redistributed into other routing domains.
internal (Optional) Specifies routes that are internal to a specific autonomous
system.
external 1 Specifies routes that are external to the autonomous system, but are
imported into OSPF as Type 1 external route.
external 2 Specifies routes that are external to the autonomous system, but are
imported into OSPF as Type 2 external route.
metric metric-value (Optional) Specifies the metric for the redistributed route. If a value
is not specified for this option, and no value is specified using the
default-metric command, the default metric value is 0. In the case of
OSPF, the default metric is 20. Use a value consistent with the
destination protocol.
metric-type metric-type (Optional) Specifies the external link type associated with the default
route advertised into the OSPF routing domain. It can be one of two
values:
• Type 1 external route
• Type 2 external route
tag tag-value (Optional) Specifies the 32-bit decimal value attached to each
external route. This is values is not used by OSPF itself. It may be
used to communicate information between Autonomous System
Boundary Routers (ASBRs). If none is specified, then the remote
autonomous system number is used for routes from Border Gateway
Protocol (BGP) and Exterior Gateway Protocol (EGP); for other
protocols, zero (0) is used.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-26 78-14450-02
Appendix B Command Reference
redistribute
subnets (Optional) Specifies the redistribution of routes into OSPF, the scope
of redistribution for the specified protocol.
route-map map value (Optional) Specifies a route map that should be interrogated to filter
the importation of routes from this source routing protocol to the
current routing protocol. If not specified, all routes are redistributed.
If this keyword is specified, but no route map tags are listed, no routes
will be imported.
Examples This example shows how to specify a network 172.16.0.0 that will appear as an external link-state
advertisement (LSA) in OSPF 1 with a cost of 100 (the cost is preserved):
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-27
Appendix B Command Reference
route
route
To define a static or default route for an interface, use the route command.
Examples This example shows how to configure a route on the interface “inside” for the network 10.2.2.0/24 with
next hop 10.2.1.5:
FWSM(config)# route inside 10.2.2.0 255.255.255.0 10.2.1.5
FWSM(config)# show route
S 0.0.0.0 0.0.0.0 [0/0] via 10.6.13.1, dmz
C 10.2.1.0 255.255.255.0 is directly connected, inside
S 10.2.2.0 255.255.255.0 [1/0] via 10.2.1.5, inside
C 10.3.1.0 255.255.255.0 is directly connected, outside
C 10.6.13.0 255.255.255.0 is directly connected, dmz
C 127.0.0.0 255.255.255.0 is directly connected, eobc
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-28 78-14450-02
Appendix B Command Reference
router ospf
router ospf
To create or configure an OSPF routing process, use the router ospf command. To remove the routing
process from the configuration, use the no form of this command.
Syntax Description autonomous-systemid Specifies the autonomous system configured for routing.
Examples This example shows how to create and OSPF routing process:
Router(config)# router ospf 12345
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-29
Appendix B Command Reference
route-map
route-map
To create a route map, use the route-map command. To remove a route map from the configuration, use
the no form of this command.
Syntax Description map-tag Defines a meaningful name for the route map. The redistribute
router configuration command uses this name to reference this
route map. Multiple route maps may share the same map tag name.
permit (Optional) Specifies the match criteria are met for this route map.
When this keyword is specified, the route is redistributed as
controlled by the set actions. In the case of policy routing, the packet
is policy routed. If the match criteria are not met, and this keyword is
specified, the next route map with the same map tag is tested. If a
route passes none of the match criteria for the set of route maps
sharing the same name, it is not redistributed by that set.
deny (Optional) Specifies the match criteria are met for the route map.
When the deny keyword is specified, the route is not redistributed. In
the case of policy routing, the packet is not policy routed, and no
further route maps sharing the same map tag name will be examined.
If the packet is not policy routed, the normal forwarding algorithm is
used.
seq-num (Optional) The number that indicates the position a new route map
occupies in the list of route maps already configured with the same
name. If the no form of this command is used, the position of the
route map should be deleted.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-30 78-14450-02
Appendix B Command Reference
route-map
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-31
Appendix B Command Reference
set metric
set metric
To define the actions taken on routes that match the criteria defined for a route map, use the set metric
command. To disable metric criteria, use the no form of this command.
Examples This example shows how to set the metric value for the routing protocol to 100:
Router(config-route-map)# route-map set-metric
Router(config)# set metric 100
Note We recommend that you consult your Cisco technical support representative before changing the default
value. For further information, refer to the Cisco IOS Configuration Guide and Command Reference.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-32 78-14450-02
Appendix B Command Reference
set metric-type
set metric-type
To specify a metric type for a route map, use the set metric-type command.
Syntax Description type-1 Specifies the open Shortest Path First (OSPF) external Type 1 metric.
type-2 Specifies the OSPF external Type 2 metric
Examples This example shows how to set the metric type of the destination protocol to OSPF external Type 1:
Router(config-route-map)# route-map map-type
Router(config-route-map)# set metric-type type-1:
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-33
Appendix B Command Reference
show console-output
show console-output
To view the contents of the message buffer, use the show console-output command.
Syntax Description start_message_number Specifies the starting serial number of the message to be displayed.
end_message_number Specifies the end serial number of the message to be displayed.
Usage Guidelines Messages appearing on the console are redirected to all active Telnet sessions.When no Telnet session
is available, the output is saved to a buffer. The buffer output can be subsequently examined when you
Telnet to the module application software partition. Individual messages are numbered.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-34 78-14450-02
Appendix B Command Reference
show crashdump
show crashdump
To display the contents of the crashdump partition, use the show crashdump command.
show crashdump
Examples This example shows how to display the contents of the crashdump partition:
Router(config)# show crashdump
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-35
Appendix B Command Reference
show firewall module
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-36 78-14450-02
Appendix B Command Reference
show firewall vlan-group
Examples This example shows how to display the configured firewall VLAN groups:
Router(config)# show firewall 20
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-37
Appendix B Command Reference
show interface
show interface
To show all of the VLANs configured, use the show interface command.
Usage Guidelines If VLANs are not configured on the MSFC, you will not be able to define any new VLAN interfaces on
the Firewall Services Module.
Examples This example shows how to display the firewall VLANs configured on all interfaces:
Router(config)# show interface domino
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-38 78-14450-02
Appendix B Command Reference
show ip ospf
show ip ospf
To show the OSPF configuration, use the show ip ospf command.
Syntax Description border-routers Displays the internal OSPF routing table entries to an area border
router and autonomous system boundary router.
database Displays lists of information related to the OSPF database, for a
[router][network][external] specific router, for network LSAs or external LSAs.
interface Displays the information on the interfaces for which OSPF is
enabled.
neighbor Displays the OSPF-neighbor information on a per-interface basis.
request-list Displays a list of all LSAs requested by a router.
retransmission-list Displays a list of all LSAs waiting to be resent.
summary-address Displays a list of all summary address redistribution information
configured under an OSPF process.
virtual-link Displays parameters and the current state of OSPF virtual links.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-39
Appendix B Command Reference
show ip ospf
For further examples, refer to the Cisco IOS Configuration Guides and Command References.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-40 78-14450-02
Appendix B Command Reference
show logging rate-limit
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-41
Appendix B Command Reference
show vlan
show vlan
To display the list of VLANs assigned to the module through the configuration on the supervisor route
process MSFC, use the show vlan command.
show vlan
Examples This example shows how to display the VLANs assigned to the module:
Router(config)# show vlan
10, 33, 100,
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-42 78-14450-02
Appendix B Command Reference
summary-address
summary-address
To create aggregate addresses for external routes, use the summary-address command. To disable
aggregate addressing for external routes, use the no form of this command.
Syntax Description addr The summary address designated for a range of addresses.
mask The IP subnet mask used for the summary route.
not-advertise (Optional) Suppresses routes that match the specified address/mask
pair.
tag tag (Optional) Specifies a tag value that can be used as a match value for
controlling redistribution through route maps.
Examples This example shows the summary address 10.1.0.0 includes address 10.1.1.0, 10.1.2.0, 10.1.3.0, and so
on. Only the address 10.1.0.0 is advertised in an external link-state advertisement.
Router(config)# summary-address 10.1.0.0 255.255.0.0
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-43
Appendix B Command Reference
timers lsa-group-pacing
timers lsa-group-pacing
To change the interval at which OSPF link-state advertisements (LSAs) are collected into a group and
refreshed, checksummed, or aged, use the timers lsa-group-pacing configuration command. To restore
the default value, use the no form of this command.
no timers lsa-group-pacing
Syntax Description seconds Specifies the umber of seconds in the interval at which LSAs are
grouped and refreshed, checksummed, or aged. The range is from 10
to 1800 seconds.
Usage Guidelines
Examples This example shows how to change the OSPF pacing between LSA groups to 60 seconds:
Router(config)# router ospf 1
Router(config-router)# timers lsa-group-pacing 60
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-44 78-14450-02
Appendix B Command Reference
timers spf
timers spf
To configure the delay time between when OSPF receives a topology change and when it starts a shortest
path first (SPF) calculation, use the timers spf command. To configure the hold time between two
consecutive SPF calculations, use the timers spf router configuration command. To return to the default
timer values, use the no form of this command.
Syntax Description spf-delay Specifies the delay time (in seconds) between when OSPF receives a
topology change and when it starts an SPF calculation. It can be an
integer from 0 to 65535. A value of 0 means that there is no delay;
that is, the SPF calculation is started immediately.
spf-holdtime Specifies the minimum time (in seconds) between two consecutive
SPF calculations. It can be an integer from 0 to 65535 seconds. A
value of 0 means that there is no delay; that is, two SPF calculations
can be done, one immediately after the other.
Examples This example shows how to change the delay to 10 seconds and the hold time to 20 seconds:
Router(config)# timers spf 10 20
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-45
Appendix B Command Reference
upgrade-mp
upgrade-mp
To upgrade the maintenance software image, use the upgrade-mp command.
Syntax Description tftp Specifies a download of the maintenance software image through
TFTP and install the image to the maintenance partition.
//location Specifies the location of the TFTP server.
/tftp_pathname This TFTP server must be reachable from the module when the
module image is booted up. The pathname can include any directory
names in addition to the actual last component of the path to the file
on the server.
Usage Guidelines The upgrade-mp command lets you download a maintenance software image through TFTP. The image
is downloaded, installed to the compact Flash and available on the next module reload (reboot).
If the command is used without the location or pathname optional parameters, then the location and
filename are obtained from the user interactively through a series of questions similar to those presented
by Cisco IOS software. If you only enter a colon (:), parameters are taken from the tftp-server command
settings. If other optional parameters are supplied, then these values would be used in place of the
corresponding tftp-server command setting. Supplying any of the optional parameters, such as a colon
and anything after it, causes the command to run without prompting for user input.
The location is an IP address that the firewall can reach. The pathname can include any directory names
besides the actual last component of the path to the file on the server. The pathname cannot contain
spaces. If a directory name has spaces, set the directory in the TFTP server instead of in the upgrade-mp
command.
If your TFTP server has been configured to point to a directory on the system from which you are
downloading the image, you need only use the IP address of the system and the image filename.
For example, the command causes the TFTP server to receive the command and determine the actual file
location from its root directory information:
Router(config)# upgrade-mp tftp://10.1.1.5/mp.1-1-0-3.bin.gz
Examples This example causes the module to prompt you for the filename and location before you start the TFTP
download:
Router(config)# upgrade-mp
Address or name of remote host [127.0.0.1]? 10.1.1.5
Source file name [cdisk]? mp.1-1-0-3.bin.gz
copying tftp://10.1.1.5/mp.1-1-0-3.bin.gz to flash
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!
Received 1695744 bytes.
Maintenance partition upgraded.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-46 78-14450-02
Appendix B Command Reference
upgrade-mp
To set the filename and location specified in the tftp-server command, save memory, and then download
the image to Flash memory, use these commands:
Router(config)# tftp-server outside 10.1.1.5 mp.1-1-0-3.bin.gz
Warning: 'outside' interface has a low security level (0).
write memory
Building configuration...
Cryptochecksum: 017c452b d54be501 8620ba48 490f7e99
[OK]
Router(config)# upgrade-mp tftp:
copying tftp://10.1.1.5/mp.1-1-0-3.bin.gz to flash
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
To override the information in the tftp-server command and specify alternate information about the
filename and location, use this command:
Router(config)# upgrade-mp tftp://10.0.0.1/mp.1-1-0-3.bin.gz
To specify all information, if you have not set the tftp-server command, use this command:
Router(config)# upgrade-mp tftp://10.0.0.1/mp.1-1-0-3.bin.gz
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 B-47
Appendix B Command Reference
upgrade-mp
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
B-48 78-14450-02
A P P E N D I X C
System Messages
This appendix provides the list of system log messages supported in the Firewall Services Module. The
module functions similarly to the PIX firewall application software. Refer to the System Log Messages
for the Cisco Secure PIX Firewall Version 6.0 documentation for information about the system message
logs. The messages are listed by type and by message code within each type.
This appendix includes the following sections:
• System Log Messages, page C-2
• System Message Log Differences, page C-4
• Failover Messages, page C-5
• Connection Messages, page C-10
• SSH, page C-28
• Telnet, page C-30
• AAA and ACL, page C-30
• User Management, page C-34
• Configuration, page C-35
• FWSM Management, page C-36
• PDM, page C-38
• Stateful Failover, page C-39
• Memory and Resource Allocation, page C-41
• SNMP, page C-42
• DHCP, page C-43
• VPN, page C-43
• Internet Protocol Routing, page C-45
• OSPF, page C-46
• Shun, page C-51
Note The messages shown in this appendix apply to Firewall Services Module version 1.1(1) and higher.
When a number is skipped from a sequence, for example, 106019, the message is no longer in the
firewall code.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-1
Appendix C System Messages
System Log Messages
You can configure the module system software to send these messages to the output location of your
choice. For example, you can specify that log messages be sent to the console, to any Telnet session
actively connected to the module console, or to a logging server elsewhere on the network.
The module provides three output locations for sending syslog messages: the console, a host running a
syslog server, and an SNMP management station. If you send messages to a host, they are sent using
either UDP or TCP. The host must have a program (known as a server) called syslogd.
The syslog server runs a Windows NT-based system that accepts TCP and UDP system log messages.
The syslog server provides time-stamped syslog messages, accepts messages on alternate ports, and in
TCP mode stops the firewall traffic if the server log disk is full or the server goes down.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-2 78-14450-02
Appendix C System Messages
System Log Messages
Note Syslog messages received at the module serial console contain only the code portion of the message.
When you view the message description the severity level is provided.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-3
Appendix C System Messages
System Message Log Differences
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-4 78-14450-02
Appendix C System Messages
Failover Messages
Failover Messages
This section contains the messages generated by a failover configuration.
Error Message %FWSM-1-103001: (Primary) No response from other firewall (reason code
= code).
Explanation This message indicates that the primary module is unable to communicate with the
secondary module over the failover cable. (Primary) can also be listed as (Secondary) for the
secondary module.
Recommended Action Verify that the secondary module has the exact same hardware, software version
level, and configuration as the primary module.
Explanation This message indicates that the primary module detected that the network interface on
the secondary module is acceptable. (Primary) can also be listed as (Secondary) for the secondary
module.
Explanation This message indicates that the primary module detects a bad network interface on the
secondary module. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Check the network connections on the secondary module, and check the
network hub connection. If necessary, replace the failed network interface.
Error Message %FWSM-1-103004: (Primary) Other firewall reports this firewall failed.
Explanation This message indicates that the primary module receives a message from the secondary
module indicating that the primary has failed. (Primary) can also be listed as (Secondary) for the
secondary module.
Explanation This message indicates that the secondary module reports a failure to the primary
module. (Primary) can also be listed as (Secondary) for the secondary module.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-5
Appendix C System Messages
Failover Messages
Explanation Both instances are failover messages. These messages are logged when you force the
failover module pair to switch roles. You can force the failover module pair to switch roles by either
entering the failover active command on the secondary module or the no failover active command
on the primary module. (Primary) can also be listed as (Secondary) for the secondary module.
Possible values for the reason variable are as follows:
– State check
– Bad or incomplete configuration
– Interface check, mate is healthier
– The other module wants to be standby
– In failed state, cannot be active
– Switch to failed state
Recommended Action If the message occurs because of manual intervention, no action is required.
Otherwise, use the cause reported by the secondary module to verify the status of both modules of
the pair.
Recommended Action Check the system log messages for the primary module for an indication of the
nature of the problem (see message %FWSM-1-104001:). (Primary) can also be listed as (Secondary)
for the secondary module.
Explanation This message indicates that a previously failed module now reports that it is operating
again. (Primary) can also be listed as (Secondary) for the secondary module.
Explanation This message indicates that you entered the no failover command on the console.
(Primary) can also be listed as (Secondary) for the secondary module.
Explanation This message indicates that you entered the failover command with no arguments on the
console, after having previously disabled failover. (Primary) can also be listed as (Secondary) for the
secondary module.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-6 78-14450-02
Appendix C System Messages
Failover Messages
Explanation The firewall is testing the specified network interface with the other module of the
failover pair.
Recommended Action None required. The firewall monitors its network interfaces frequently during
normal operations.
Explanation The test of the specified network interface was successful. (Primary) can also be listed
as (Secondary) for the secondary module.
Explanation This message indicates that this module of the failover pair can no longer communicate
with the other module of the pair. (Primary) can also be listed as (Secondary) for the secondary
module.
Recommended Action Verify that the network connected to the specified interface is functioning
correctly.
Explanation Both instances are failover messages. These messages report the results of monitoring
the link status of the specified interface. (Primary) can also be listed as (Secondary) for the secondary
module.
Recommended Action If the link status is down, verify that the network connected to the specified
interface is operating correctly.
Explanation This message indicates that the firewall tested a specified network interface. This testing
is performed only if the firewall fails to receive a message from the standby module on that interface
after the expected interval. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action This message reports the result (either Passed or Failed. Allocation is required
if the result is Passed. If the result is Failed, you should check to be sure the network cable is properly
connected to both failover modules and that the network itself is functioning correctly, and verify the
status of the standby module.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-7
Appendix C System Messages
Failover Messages
Explanation Block memory has been depleted. This is a transient message and the firewall should
recover. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Use the show blocks command to monitor the current block memory.
Explanation The failover cable is not permitting communication between the primary and secondary
modules. (Primary) can also be listed as (Secondary) for the secondary module.
Explanation When a failover occurs, the active firewall detects a partial configuration in memory.
This situation is caused by an interruption in the replication service. (Primary) can also be listed as
(Secondary) for the secondary module.
Recommended Action Once the failover is detected by the firewall, the firewall automatically reloads
itself and loads the configuration from Flash and resynchronizes with another firewall. If failovers
happen continuously, check the failover configuration and make sure both firewalls can communicate
with each other.
Explanation Failover initially verifies that the number of interfaces configured on the primary and
secondary modules are the same. This message indicates that after the verification that the numbers
are not the same. Failover cannot be enabled until both primary and secondary modules have the same
number of interfaces. (Primary) can also be listed as (Secondary) for the secondary module.
Recommended Action Check the VLAN configuration on the primary and secondary modules. Check
for any nameif command failure on the primary module. (Primary) can also be listed as (Secondary)
for the secondary module. Once these configurations are verified and corrected, type failover on the
primary module to enable failover again.
Error Message %FWSM-1-105039: (Primary) Unable to verify the Interface count with
mate. Failover may be disabled in mate.
Explanation Failover initially verifies that the number of interfaces configured on the primary and
secondary modules are the same. This message indicates that the primary module is not able to verify
the number interfaces configured on the secondary module. This indicates that the primary module
is not able communicate with the secondary module over the failover interface. (Primary) can also
be listed as (Secondary) for the secondary module.
Recommended Action Verify the failover VLAN, interface configuration and status on the primary and
secondary modules. Make sure the secondary module is running the firewall application and failover
is enabled. (Primary) can also be listed as (Secondary) for the secondary module.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-8 78-14450-02
Appendix C System Messages
Failover Messages
Explanation The primary and secondary module should run the same failover software version to act
as a failover pair. This message indicates that the secondary module’s failover software version is not
compatible with the primary module. Failover would be disabled on the primary module. (Primary)
can also be listed as (Secondary) for the secondary module.
Recommended Action Maintain consistent software versions between the primary and secondary
modules to enable failover.
Explanation This message indicates that during a configuration sync from the secondary to the
primary module the nameif command has failed in the primary module. The nameif command,
defines the firewall interfaces in the Firewall Services Module. If this command fails during
synchronization, the result is that the interfaces are inconsistent across the failover modules. To avoid
this situation, failover is disabled. (Primary) can also be listed as (Secondary) for the secondary
module.
Recommended Action Correct the reason why nameif failed, and then enable failover.
Explanation Interface used to send failover messages to the secondary module is functioning.
(Primary) can also be listed as (Secondary) for the secondary module.
Explanation Interface used to send failover messages to the secondary module failed. The active
module remains as active and the standby module remains as standby. There will not be any failure
detection or switchover activity until the failover interface becomes normal. (Primary) can also be
listed as (Secondary) for the secondary module.
Recommended Action Verify the VLAN and interface configuration of the failover interface is primary
and secondary.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-9
Appendix C System Messages
Connection Messages
Connection Messages
This section contains connection messages and the messages specific to the following message types:
• FTP and URL
• Routing Messages
• ICMP
• Routing Messages
• RSH
• RSH
• SMTP
• Routing Messages
• ICMP
Explanation This message indicates that the specified connection failed because of an outbound deny
command statement. The protocol variable can be ICMP, TCP, or UDP.
Recommended Action Use the show outbound command to check outbound lists.
Error Message Modify the security policy if traffic should be permitted. If the message occurs at regular
intervals, contact the remote peer administrator.
Explanation This message indicates that a packet was sent to the same interface that it arrived on. This
usually indicates that a security breach is occurring. When the module receives a packet, it tries to
establish a translation slot based on the security policy you set with the access-list commands, and
your routing policy set with the route command.
When the module polls both policies, the module allows the packet to flow from the higher priority
network to a lower priority network, if it is consistent with the security policy. If a packet comes from
a lower priority network and the security policy does not allow it, the module routes the packet back
to the same interface.
To provide access from an interface with a higher security to a lower security, use the nat and global
commands. For example, use the nat command to allow internal users access to external servers, to
allow the internal users to access perimeter servers, and to allow perimeter users access to external
servers.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-10 78-14450-02
Appendix C System Messages
Connection Messages
To provide access from an interface with a lower security level to a higher security level, use the
static and access-list commands. For example, use the static and access-list commands to let
external users to access internal servers, external users to access perimeter servers, or perimeter
servers to access internal servers.
Recommended Action Fix your configuration to reflect your security policy for handling these attack
events.
Explanation This message indicates that the module discards a packet with an invalid source address.
Invalid sources addresses are those addresses belong to the following:
– Loopback network (127.0.0.0)
– Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
– The destination host (land.c)
If a sysopt connection enforce subnet is enabled, the module discards those packets with an invalid
source subnet preventing them from traversing the firewall and then logs this message.
To further spoof-packet detection, use the access-list command to configure the firewall to discard
packets with source addresses belonging to the internal network.
Recommended Action Determine if an external user is trying to compromise the protected network.
Check for incorrectly configured clients.
Error Message %FWSM-2-106017: Deny IP due to Land Attack from IP_addr to IP_addr
Explanation This message indicates that the module received a packet with the IP source address
equal to the IP destination and the destination port equal to the source port. This indicates a spoofed
packet that is designed to attack systems. This attack is referred to as a land attack. If this message
persists, an attack may be in progress. The packet does not provide enough information to determine
where the attack originates.
Error Message %FWSM-2-106020: Deny IP teardrop fragment (size = num, offset = num)
from IP_addr to IP_addr
Explanation The firewall discarded an IP packet with a teardrop signature containing either a small
offset or fragment overlapping. This is a hostile event to circumvent the module or an intrusion
detection system.
Recommended Action Contact the remote peer administrator or escalate this issue according to your
security policy.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-11
Appendix C System Messages
Connection Messages
Error Message %FWSM-1-106021: Deny protocol reverse path check from src_addr to
dest_addr on interface int_name
Recommended Action An attack is in progress. With this feature enabled, no user action is required.
The module repels the attack.
Explanation This message indicates that the maximum number of connections to the specified static
address has been exceeded. The econns variable is the maximum number of embryonic connections
and nconns is the maximum number of connections permitted for the static or translate (xlate).
Recommended Action Use the show static command to check the limit imposed on connections to a
static address. The limit is configurable.
Explanation This message indicates that the maximum number of embryonic connections from the
specified foreign address through the specified static global address to the specified local address has
been exceeded. When the limit on embryonic connections is reached, the module attempts to accept
them anyway, but puts a time limit on the connections. This allows some connections to succeed even
if the module is very busy. The neconns variable lists the number of embryonic connections received
and the limit variable lists the maximum number of embryonic connections specified in the static or
nat command. This message indicates a more serious overload than indicated in message 201002.
The overload could be caused by SYN attacks, or by a very heavy load of legitimate traffic.
Recommended Action Use the show static command to check the limit imposed on embryonic
connections to a static address.
Explanation This message provides information about connections through the firewall. This message
indicates that the number of connections from a specified foreign address over a specified global
address to the specified local address exceeds the maximum embryonic limit for that static. The
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-12 78-14450-02
Appendix C System Messages
Connection Messages
module attempts to accept the connection if it can allocate memory for that connection. It proxies on
behalf of local host and sends a SYN_ACK packet to the foreign host. The module retains pertinent
state information, drops the packet, and waits for the client’s acknowledgment.
Recommended Action The traffic may be legitimate, or this message might indicate that a denial of
service (DoS) attack is in progress. Check the source address to determine where the packets are
coming from and whether it is a valid host.
Explanation This message indicates that the module has no more address translation slots available.
Recommended Action Check the size of the global pool compared to the number of inside network
clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translates and
connections. This message may also be caused by insufficient memory; reduce the amount of
memory usage, or purchase additional memory.
Explanation This message indicates that a connection object (xlate) is in the wrong list.
Explanation The module received a non-zero value (an internal error) when attempting to clear the
configuration in Flash memory. The message includes the reporting subroutine’s filename and line
number.
Recommended Action For performance reasons, the end host should be configured to not inject IP
fragments. This message probably occurred because of NFS. Set the read and write size to be the
interface MTU for NFS.
Explanation This message indicates that a translate (xlate) is created for outbound traffic using a PAT
global address. This message applies to UDP, TCP, and ICMP packets.
Explanation This message indicates that a translate (xlate) is created for outbound traffic using a
global address, or for either outbound or inbound traffic using a static address.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-13
Appendix C System Messages
Connection Messages
Explanation This message indicates that the firewall clears a dynamically allocated translation after
the translate timeout expires.
Explanation This message indicates that a port-mapped translation (PAT xlate) no longer in use has
been reclaimed.
Explanation This message indicates that a NAT and global command cannot be found for a protocol.
The protocol can be TCP, UDP, or ICMP.
Recommended Action This message can be either an internal error or an error in the configuration.
Error Message %FWSM-3-305006: Regular translation creation failed for protocol src
int_name:IP_addr/port dst int_name:IP_addr/port
Explanation A protocol (UDP, TCP, or ICMP) failed to create a translation through the module. This
message appears as a fix to caveat CSCdr0063, which requested that the module not allow packets
destined to network or broadcast addresses. The module provides this checking for addresses that are
explicitly identified with static command statements. With the change, for inbound traffic, the
module denies translations for a destined IP address identified as a network or broadcast address.
The module uses the global IP and mask from configured static command statements to differ regular
IP addresses from network or broadcast IP addresses. If the global IP address is a valid network
address with a matching network mask, then the module will not create a translate (xlate) for network
or broadcast IP addresses with inbound packets.
Recommended Action This message can be either an internal error or an error in the configuration.
Explanation This message indicates that after the module attempts to translate an address that it
cannot find in any of its global pools it assumes that the address has been deleted and drops the
request.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-14 78-14450-02
Appendix C System Messages
Connection Messages
Explanation A network state container is reserved for the host IP address connected to the interface
name. This is an informational message.
Explanation A network state container for the host IP address connected to interface name is removed.
This is an informational message.
Explanation This message indicates an inconsistency condition when trying to free an unallocated
global IP address back to the address pool. This abnormal condition may occur if the module is
running a stateful failover setup and some of the internal states are momentarily out of sync between
the active and standby module. This condition is not catastrophic and the module will recover
automatically.
Recommended Action Report this condition to Cisco technical support if you continue to see this
message.
Error Message %FWSM-4-307004: Telnet session limit exceeded. Connection request from
IP_addr on interface int_name.
Explanation This message indicates that the maximum number of Telnet connections to the module
is exceeded. The module denies an attempt to connect to its Telnet port from the specified IP address
on the specified network.
Error Message %FWSM-4-308002: static gaddr1 laddr1 netmask mask1 overlapped with
gaddr2 laddr2
Explanation This message indicates that the IP addresses in one or more static command statements
overlap. gaddr is the global address, which is the address on the lower security interface and laddr is
the local address, which is the address on the higher security level interface.
Recommended Action Use the show static command to view the static command statements in your
configuration and fix the commands that overlap. The most common overlap occurs if you specify a
network address, such as 10.1.1.0, and in another static command statement specify a host within that
range such as 10.1.1.5.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-15
Appendix C System Messages
Connection Messages
Explanation This message indicates there is an invalid transport number, in which the source or
destination port number for a protocol is zero. The protocol field is 6 for TCP and 17 for UDP.
Explanation This message indicates that the module is unable to allocate a structure to track the data
connection for FTP because of insufficient memory.
Recommended Action Reduce the amount of memory usage, or purchase additional memory.
Explanation This message indicates that the specified host successfully stores or retrieves data from
the specified FTP site. This message is used by the module manager to generate reports.
Error Message %FWSM-5-304001: user src_addr Accessed JAVA URL|URL dest_addr: url.
Explanation This message indicates that the specified host successfully accesses the specified URL.
This message is used by the module manager to generate reports.
Error Message %FWSM-5-304002: Access denied URL chars SRC IP_addr DEST IP_addr: chars
Explanation This message indicates that access from the source address failed.
Error Message %FWSM-3-304003: URL Server IP_addr timed out URL string
Explanation This message indicates that access from the URL server failed.
Error Message %FWSM-6-304004: URL Server IP_addr request failed URL chars
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-16 78-14450-02
Appendix C System Messages
Connection Messages
Error Message %FWSM-7-304005: URL Server IP_addr request pending URL chars
Explanation The Websense server is unavailable for access, and the module attempts to either try to
access the same server if it is the only server installed or another server if there is more than one.
Error Message %FWSM-2-304007: URL Server IP_addr not responding, ENTERING ALLOW
mode.
Explanation This message indicates that when you use the allow option of the filter command the
Websense servers are not responding. The module allows all Web requests to continue without
filtering while the servers are not available.
Explanation This message indicates that when you use the allow option of the filter command that
the module received a response message from a Websense server that previously was not responding.
With this response message, the module exits the allow mode and enables the URL filtering feature
again.
Error Message %FWSM-4-406001: FTP port command low port: laddr, port to gaddr on
interface int_number
Error Message %FWSM-4-406002: FTP port command different address: laddr to gaddr on
interface int_number
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-17
Appendix C System Messages
Connection Messages
HTTP
Error Message %FWSM-6-605001: HTTP daemon interface int_name: Connection denied from
IP_addr
Explanation This message indicates that an HTTP connection to the module was denied.
Explanation This message indicates that the number of HTTP connections to the module for Cisco
Secure PDM was exceeded.
Error Message %FWSM-6-605003: HTTP daemon: Login failed from IP_addr for user
"user_id"
Explanation This message indicates that Cisco Secure PDM login to the module failed.
ICMP
Error Message %FWSM-6-106010: Deny inbound icmp src outside: IP_addr dst inside:
IP_addr (type dec, code dec)
Explanation This message indicates that an inbound connection is denied by your security policy.
Explanation This message indicates that the module discards an inbound ICMP Echo Request packet
with a destination address that corresponds to a PAT global address. It is discarded because the
inbound packet cannot specify which PAT host should receive the packet.
Error Message %FWSM-3-106014: Deny inbound icmp src interface name: IP_addr dst
interface name: IP_addr (type dec, code dec)
Explanation This message indicates that the module denies any inbound ICMP packet access. By
default, all ICMP packets are denied access unless specifically permitted using the icmp permit
icmp command.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-18 78-14450-02
Appendix C System Messages
Connection Messages
Error Message %FWSM-2-106018: ICMP packet type ICMP_type denied by outbound list
list_ID src laddr dest faddr
Explanation This message indicates that the outgoing ICMP packets with a specified ICMP type from
a local host to a foreign host is denied by the outbound list.
Explanation When using the icmp command with an access list, if the first matched entry is a permit
entry, ICMP packet continues to be processed. If the first matched entry is a deny entry or an entry
is not matched, the module discards the ICMP packet and generates this syslog message. The icmp
command enables or disables pinging to an interface. With pinging disabled, the module cannot be
detected on the network. This feature is also referred to as configurable proxy pinging.
Explanation The destination for the ICMP error message is different from the source of the IP packet
that generated the ICMP error message.
Recommended Action If the message occurs frequently, this could be an active network probe, an
attempt to use the ICMP error message as a covert channel, or an IP host that is not operating
properly. Contact the administrator of the host that originated the ICMP error message.
Explanation This message occurs when the module sends an ICMP destination unreachable message
and when fragmentation is needed, but the don’t-fragment bit is set.
Routing Messages
This section contains the messages generated by the router configuration.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-19
Appendix C System Messages
Connection Messages
Error Message %FWSM-1-107001: RIP auth failed from IP_addr: version=vers, type=type,
mode=mode, sequence=seq on interface int_name
Explanation This is an alert log message. The module received a RIP reply message with bad
authentication. This could be due to an incorrectly configured router or the module or it could be a
unsuccessful attempt to attack the module’s routing table.
Recommended Action This may be an attack and should be monitored. If you are not familiar with the
source IP address listed in this message, change your RIP authentication keys between trusted
entities. An attacker may be trying to deduce the existing keys.
Error Message %FWSM-1-107002: RIP pkt failed from IP_addr: version=vers on interface
int_name
Explanation This is an alert message. This message indicates a router bug, a packet with non-RFC
values inside, or malformed entries. This situation should not happen and may be an attempt to
exploit the firewall module’s routing table.
Recommended Action This may be an attack and should be monitored. The packet has passed
authentication, if enabled, and bad data is in the packet. The situation should be monitored and the
keys should be changed if there are any doubts as to the originator of the packets.
Explanation This message indicates a route lookup failure. A packet is looking for a destination IP
address, which is not in the routing table.
Recommended Action Check the routing table and make sure there is a route to the destination.
Explanation This is a routing message. This message indicates that the module cannot resolve the
address of a host on one of its immediately connected networks. This usually occurs if the specified
host does not exist or is not reachable on the network. The module expects it to be on, for example,
if the host’s address is incorrectly subnetted.
Recommended Action Check the ARP table and ensure the host is available. If necessary, add a static
ARP statement with the arp command or set the arp timeout value lower so that the ARP table will
refresh sooner.
Check that the host’s IP address is appropriate to the network topology and your subnet scheme.
Verify that the host is reachable by pinging it from another host. Use the show arp command to
display the module’s ARP table.The module minimally must be able to resolve the addresses of its
SNMP server, routers, and syslog host.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-20 78-14450-02
Appendix C System Messages
Connection Messages
Error Message %FWSM-6-312001: RIP hdr failed from IP_addr: cmd=cmd, version=vers
domain=name on interface int_name
Explanation The module received a RIP message with an operation code other than reply, the message
has a version number different than what is expected on this interface, and the routing domain entry
was non-zero.
Recommended Action This message is informational, but may also indicate that another RIP device is
not configured correctly to communicate with the module.
H.225
Explanation The module failed to allocate RAM system memory while starting a connection or has
no memory available.
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently,
contact customer support. Also, check the size of the global pool compared to the number of inside
network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of
translates and connections. This message might be caused by insufficient memory; reduce the amount
of memory usage, or purchase additional memory.
Explanation This message indicates that an H.225 message is received out of order. The H.225
message was received before the initial SETUP message, which is not allowed. The module has to
receive an initial SETUP message for that H.225 call-signaling channel before accepting any other
H.225 messages.
Explanation This message indicates that the message has incorrect protocol information.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-21
Appendix C System Messages
Connection Messages
H.245
Error Message %FWSM-7-302003: Built H245 connection for faddr faddr/fport laddr
laddr/lport
Recommended Action This message indicates that an H.245 connection is started from a foreign
address to a local address. This message only occurs if the module detects the use of an Intel Internet
phone. The foreign port (fport) only displays on connections from outside the module. The local port
value (lport) only appears on connections started on an internal port.
Explanation The module failed to allocate RAM system memory while starting a connection or has
no memory available.
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently,
contact customer technical support. Also, check the size of the global pool compared to the number
of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval
of translates and connections. This message may also be caused by insufficient memory; reduce the
amount of memory usage, or purchase additional memory.
H.323
Explanation This message indicates that an H.323 UDP back-connection is preallocated to a foreign
address from a local address. This message is only generated if the module detects the use of an Intel
Internet phone. The foreign port (fport) only displays on connections from outside the module. The
local port value (lport) only appears on connections started on an internal interface.
Error Message %FWSM-4-405103: H323 RAS message AdmissionConfirm received from %I/%d
to %I/%d without an AdmissionRequest
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-22 78-14450-02
Appendix C System Messages
Connection Messages
IP Fragmentation
Explanation Too many IP fragments are currently awaiting reassembly. By default, the maximum
number of fragments is 1 (refer to the fragment command in the Cisco PIX Firewall Command
Reference for more information). The firewall limits the number of IP fragments that can be
concurrently reassembled. This restriction prevents memory depletion at the firewall under abnormal
network conditions. In general, fragmented traffic should be a small percentage of the total traffic
mix. A noticeable exception is in a network environment with NFS over UDP; if this type of traffic
is relayed through the firewall, consider using NFS over TCP instead.
Refer to sysopt connection tcpmss bytes command in the Cisco PIX Firewall Command Reference
for more information.
Refer to the sysopt connection tcpmss bytes command page in Chapter 5 of the Configuration Guide
for the Cisco Secure Firewall Version 5.3 for more information.
Recommended Action If this message persists, a DoS (denial of service) attack might be in progress.
Contact the remote peer’s administrator or upstream provider.
Error Message %FWSM-4-209004: Invalid IP fragment, size = bytes exceeds maximum size
= bytes: An IP fragment is malformed.
Explanation The total size of the reassembled IP packet exceeds the maximum possible size of 65,535
bytes.
Recommended Action A possible intrusion event may be in progress. If this message persists, contact
the remote peer’s administrator or upstream provider.
Error Message %FWSM-4-209005: Discard IP fragment set with more than number elements:
src = Too many elements are in a fragment set.
Explanation The module disallows any IP packet that is fragmented into more than 24 fragments.
Recommended Action A possible intrusion event may be in progress. If the message persists, contact
the remote peer’s administrator or upstream provider. You can change the number of fragments per
packet by using the fragment chain xxx int_name command.
SIP
Explanation This message indicates that the fixup SIP preallocated a SIP connection after inspecting
a SIP message.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-23
Appendix C System Messages
Connection Messages
Skinny
Explanation This message indicates that the fixup skinny preallocated a Skinny connection after
inspecting a Skinny message.
RSH
Explanation This message indicates that the module cannot allocate a structure to track the data
connection for FTP because of insufficient memory.
Recommended Action Reduce the amount of memory usage, or purchase additional memory.
RTSP
Error Message %FWSM-7-314001: Pre-allocate RTSP UDP back connection for faddr
faddr/fport to laddr laddr/lport
Explanation This message indicates that the module is unable to allocate and RTSP connection.
SMTP
Error Message %FWSM-2-108002: SMTP replaced chars: out src_addr in laddr data: chars
Explanation This is generated by the fixup protocol smtp command. This message indicates that the
module replaces an invalid character in an e-mail address with a space.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-24 78-14450-02
Appendix C System Messages
Connection Messages
TCP
Explanation This message indicates that an attempt to connect to an inside address is denied by your
security policy. Possible TCP_flags values correspond to the flags in the TCP header that were
present when the connection was denied. For example, a TCP packet arrived for which no connection
state exists in the module, and it was dropped. The TCP_flags in this packet are FIN,ACK.
The TCP_flags are as follows:
• ACK—The acknowledgment number was received.
• FIN—Data was sent.
• PSH—The receiver passed data to the application.
• RST—The connection was reset.
• SYN—Sequence numbers were synchronized to start a connection.
• URG—The urgent pointer was declared valid.
Explanation This message indicates that the module discards a TCP packet that has no associated
connection in the module module’s connection table. The module looks for a SYN flag in the packet,
which indicates a request to establish a new connection. If the SYN flag is not set, and there is not
an existing connection, the module discards the packet.
Recommended Action The action is required unless the module receives a large volume of these invalid
TCP packets. If this is the case, trace the packets to the source and determine the reason these packets
were sent.
Explanation This message indicates that the maximum number of connections to the specified static
address was exceeded. The limit-count variable is the maximum of connections permitted for the host
specified by the host-address variable.
Recommended Action Use the show static and show nat commands to check the limit imposed on
connections to an address. The limit is configurable.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-25
Appendix C System Messages
Connection Messages
Reason Description
Reset-I Reset was from the inside.
Reset-O Reset was from the outside.
TCP FINs Normal close down sequence.
FIN Timeout Force termination after 15 seconds awaiting last ACK
SYN Timeout Force termination after two minutes awaiting three-way handshake completion.
Xlate Clear Command-line removal.
Deny Terminate by application inspection.
SYN Control Back channel initiation from wrong side.
Uauth Deny Deny by URL filter.
Unknown Catch-all error.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-26 78-14450-02
Appendix C System Messages
Connection Messages
Error Message %FWSM-6-302009: Rebuilt TCP connection id for faddr faddr/fport gaddr
gaddr/gport laddr laddr/lport
Explanation This message appears after a TCP connection is rebuilt after a failover. A sync packet is
not sent to the other module. The faddr IP address is the foreign host, the gaddr IP address is a global
address on the lower security level interface, and the laddr IP address is the local IP address behind
the module on the higher security level interface.
Explanation This message appears after a TCP connection restarts. conns is the number of
connections.
Explanation A TCP connection slot between two hosts was created. If inbound is specified, then the
original control connection was initiated from the outside.
Error Message %FWSM-5-500003: Bad TCP hdr length (hdrlen=bytes, pktlen=bytes) from
src_addr/sport to dest_addr/dport, flags: tcp_flags, on interface int_name
Explanation This message indicates that a header length in TCP is incorrect. Some operating systems
do not handle TCP RSTs (resets) correctly when responding to a connection request to a disabled
socket. If a client tries to connect to an FTP server outside the module and FTP is not listening, then
the server sends an RST. Some operating systems send incorrect TCP header lengths, which causes
this problem. UDP uses ICMP port unreachable messages.
The TCP header length may indicate that it is larger than the packet length resulting in a negative
number of bytes being transferred. A negative number is displayed by syslog as an unsigned number
making it appear far larger than would be normal; for example, showing 4 GB transferred in 1 second.
UDP
Explanation This message indicates that an inbound UDP packet is denied by your security policy.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-27
Appendix C System Messages
SSH
Error Message %FWSM-2-106007: Deny inbound UDP from faddr/fport to laddr/lport due
to DNS flag.
Explanation This message indicates that a UDP packet containing a DNS query or response is denied.
The flag variable is either Response or Query.
Recommended Action If the inside port number is 53, the inside host probably is set up as a caching
name server. Add an access-list command statement to permit traffic on UDP port 53. If the outside
port number is 53, a DNS server was probably too slow to respond, and the query was answered by
another server.
Explanation A UDP connection slot between two hosts was deleted. If inbound is specified, then the
original control connection is initiated from the outside.
SSH
Error Message %FWSM-3-315001: Denied SSH session from IP_addr on interface int_name
Explanation This message indicates that the module denies an attempt to connect to the SSH port
from the specified IP address on the specified network interface.
Recommended Action From the console, enter the show ssh command to verify that the module is
configured to permit SSH access from the host or network.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-28 78-14450-02
Appendix C System Messages
SSH
Explanation This message indicates that an SSH session starts. The ip_addr is the address of the host
with the SSH client. The int_name is the interface through which the SSH session is started. The
user_ID is the username to which the client is accessing. Use the ssh show sessions command to view
the status of SSH sessions.
Error Message %FWSM-6-315003: SSH login session failed from IP_addr on (num attempts)
on interface int_name by user "user_id"
Explanation This message appears after an incorrect user ID or password were entered a certain
number of times for the same connection. Up to three attempts are allowed to log into a SSH console
session. The ip_addr is the address of the host with the SSH client. The int_name, is the interface
through which the SSH session is started. The user_ID is the username that the client is attempting
to access.
Recommended Action If this message appears infrequently, no action is required. If this message
appears frequently, it can indicate an attack. Inform the user to verify their username and password.
Error Message %FWSM-3-315004: Fail to establish SSH session because FWSM RSA host
key retrieval failed.
Explanation This message indicates that the module cannot find the module’s RSA host key, which is
required for establishing an SSH session. The firewall host key may be absent because no module
host key has been generated or because the license for this module does not allow DES or 3DES.
Recommended Action From the console, enter the show ca mypubkey rsa command to verify that
module’s RSA host key is present. If not, also enter the show version command to check whether the
module’s license allows DES or 3DES.
Error Message %FWSM-4-315005: SSH session limit exceeded. Connection request from
IP_addr on interface int_name
Explanation This message indicates that the maximum number of SSH connections to the module is
exceeded. The module denies any attempt to connect to its SSH port from the specified IP address on
the specified network.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-29
Appendix C System Messages
Telnet
Error Message %FWSM-6-315011: SSH session from IP_addr on interface int_name for user
"user_id" terminated normally
%FWSM-6-315011: SSH session from IP_addr on interface int_name for user "user_id"
disconnected by SSH server, reason: "text"
Explanation This message appears after an SSH session completes. If you enter quit or exit, this
message displays terminated normally. If the session disconnected for another reason, the text
describes the reason.
Telnet
Error Message %FWSM-6-307001: Denied Telnet login session from IP_addr on interface
int_name.
Explanation This message indicates that the module denies an attempt to connect to the Telnet port
from the specified IP address on the inside network.
Recommended Action From the console, enter the show telnet command to verify that the module is
configured to permit Telnet access from that host or network.
Error Message %FWSM-6-307003: telnet login session failed from IP_addr (num
attempts) on interface int_name.
Explanation This message indicates that an incorrect Telnet password was entered a number of times
for the same connection. Up to three attempts are allowed to log into a console Telnet session.
Explanation This message indicates that an IP packet is denied by the parameters you specified.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-30 78-14450-02
Appendix C System Messages
AAA and ACL
Error Message %FWSM-6-109001: Auth start for user `username' from laddr/lport to
faddr/fport
Explanation This message indicates that the module is configured for AAA and detects an
authentication request by the specified user.
Explanation This message indicates that an authentication request fails because the specified
authentication server cannot be contacted by the module.
Recommended Action Check to be sure the authentication daemon is running on the specified
authentication server.
Error Message %FWSM-6-109003: Auth from laddr to faddr/fport failed (all servers
failed) on interface int_name.
Recommended Action Ping the authentication servers from the module. Make sure the daemons are
running.
Explanation This message indicates that the specified authentication request succeeds.
Error Message %FWSM-6-109006: Authentication failed for user `user' from laddr/lport
to faddr/fport on interface int_name.
Explanation This message indicates that the specified authentication request fails, possibly because
of a wrong password.
Explanation This message indicates that the specified authorization request succeeds.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-31
Appendix C System Messages
AAA and ACL
Error Message %FWSM-6-109008: Authorization denied for user `user' from faddr/fport
to laddr/lport on interface int_name.
Explanation This message indicates that you are not authorized to access the specified address,
possibly because of a wrong password.
Error Message %FWSM-3-109010: Auth from laddr/lport to faddr/fport failed (too many
pending auths) on interface int_name.
Explanation This message indicates that an authentication request cannot be processed because the
server has too many requests pending.
Recommended Action Check to see if the authentication server is too slow to respond to authentication
requests. Enable floodguard with the floodguard enable command.
Error Message %FWSM-2-109011: Authen Session Start: user 'user', sid session_num
Explanation An authentication session started between the host and the module and has not yet
completed.
Error Message %FWSM-5-109012: Authen Session End: user 'user', sid session_num,
elapsed num seconds
Explanation The authentication cache has timed out. Users will need to reauthenticate on their next
connection. You can change the duration of this timer with the timeout uauth command.
Error Message %FWSM-3-109013: User must authenticate before using this service
Recommended Action Authenticate using FTP, Telnet, or HTTP before using the service.
Explanation The access list check failed; either it matched a deny, or it matched nothing, such as an
implicit deny. The connection was denied by the user access list, which was defined per the AAA
authorization policy on Cisco Secure ACS.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-32 78-14450-02
Appendix C System Messages
AAA and ACL
Explanation The AAA authorization access-list command statement ID defined on the remote AAA
server has not been configured on the module. This error can occur if you configure the AAA server
before configuring the module.
Recommended Action Use the same access-list command statement ID on the module as you specified
on the AAA server.
Explanation Proxy mismatches. Proxy hosts for the negotiated SA correspond to a deny access-list
command policy.
Recommended Action Check the access-list command statement in the configuration. Contact the
administrator for the peer.
Explanation This message indicates that the user authentication rate is too high for the module to
handle new AAA requests.
Recommended Action Change permission of access list if a permit policy is desired. If messages
persist from the same source address, messages could indicate a foot-printing or port-scanning
attempt. Contact the remote host administrator.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-33
Appendix C System Messages
User Management
User Management
Error Message %FWSM-5-111008: User 'user' executed the 'cmd' command.
Explanation This message indicates that a command change to the configuration has been made.
Error Message %FWSM-5-502101: New user added to local dbase: Uname: username Priv:
priv_lvl Encpass: encrypted_paswd
Error Message %FWSM-5-502102: User deleted from local dbase: Uname: username Priv:
priv_lvl Encpass: encrypted_paswd
Error Message %FWSM-5-502103: User priv level changed: Uname: username From:
old_priv_lvl To: new_priv_lvl
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-34 78-14450-02
Appendix C System Messages
Configuration
Configuration
Error Message %FWSM-5-111001: Begin configuration: IP_addr writing to device
Explanation This message indicates that you entered the write command to store your configuration
on a device (either floppy, Flash memory, TFTP, the failover standby module, or the console
terminal). The IP address indicates whether the login was made at the console port through Telnet
connection.
Explanation This message indicates that the active module starts replicating its configuration to the
standby module. (Primary) can also be listed as (Secondary) for the secondary module.
Explanation This message indicates that the active module completes replicating its configuration on
the standby module. (Primary) can also be listed as (Secondary) for the secondary module.
Explanation This message indicates that the standby module received the first part of the
configuration replication from the active module. (Primary) can also be listed as (Secondary) for the
secondary module.
Explanation This message indicates that the standby module completes replicating a configuration
sent by the active module. (Primary) can also be listed as (Secondary) for the secondary module.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-35
Appendix C System Messages
FWSM Management
Explanation This message indicates that the standby module cannot complete replicating a
configuration sent by the active module. The command that caused the failure displays at the end of
the message.
Recommended Action Write down the command name and contact customer technical support.
FWSM Management
Error Message %FWSM-5-111003: IP_addr Erase configuration
Explanation This message indicates that you erased the contents of Flash memory, either by entering
the write erase command at the console, or by clicking OK to clear Flash memory. The IP address
indicates whether the login was made at the console port through Telnet connection.
Recommended Action After erasing the configuration, you must reconfigure the module and save the
new configuration. Alternatively, you can restore information from a configuration that was
previously saved, either on floppy or on a TFTP server elsewhere on the network.
Explanation This message indicates that you entered the config floppy/memory/ network command
or the write floppy/memory/network/standby command. The IP_addr indicates whether the login
was made at the console port through Telnet connection.
Recommended Action No action is required if the message ends with OK. If the message indicates a
failure, try to fix the problem. For example, if writing to a floppy, ensure that the floppy is not write
protected; if writing to a TFTP server, ensure that the server is up.
Explanation This message indicates that you exited configuration mode. The IP address indicates
whether the login was made at the console port through Telnet connection.
Explanation This message indicates that you connected to the module. If authentication is enabled,
the username is reported; otherwise, the string nobody appears. The IP address indicates whether the
login was made at the console port through Telnet connection.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-36 78-14450-02
Appendix C System Messages
FWSM Management
Explanation This message indicates that you enter the reload or configure command to read in a
configuration. The device text can be floppy, memory, net, standby, or terminal. The IP address
indicates whether the login was made at the console port through Telnet connection.
Explanation This syslog message is for accounting purposes. You entered a command that does not
modify the configuration.
Explanation This message indicates that a request to clear the module configuration has finished. The
source file and line number are identified.
Explanation This message indicates the address of the host initiating a module reboot with the reload
command.
Explanation This message indicates that after the module finishes its initial boot and Flash memory
reading sequence, and is ready to begin operating normally.
Error Message %FWSM-6-307003: telnet login session failed from IP_addr (num
attempts) on interface int_name.
Explanation This message indicates that an incorrect Telnet password was entered a number of times
for the same connection. Up to three attempts are allowed to log into a console Telnet session.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-37
Appendix C System Messages
PDM
Error Message %FWSM-6-308001: FWSM console enable password incorrect for num tries
(from IP_addr).
Explanation This message indicates the number of times you incorrectly typed the password to enter
privileged mode. The maximum is three attempts.
Recommended Action The privileged mode password is not necessarily the same as the password for
Telnet access to the module. Verify the password and try again.
Explanation This message indicates that the Firewall Manager denies an attempt to connect to its
Telnet port from the specified IP address on the inside network.
Explanation This message indicates that the maximum number of module management connections
has been exceeded. The module denies an attempt to connect to its management port from the
specified IP address on the specified network.
PDM
Error Message %FWSM-6-606001: PDM session number num from IP_addr started
Explanation This message indicates that a PDM session has been started.
Error Message %FWSM-6-606002: PDM session number num from IP_addr ended
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-38 78-14450-02
Appendix C System Messages
Stateful Failover
Stateful Failover
Error Message %FWSM-3-210001: LU SW_Module_Name error = error_code
Recommended Action If this error persists after traffic lessens through the module, report this error to
customer support.
Explanation Stateful failover could not allocate a block of memory to transmit stateful information to
the standby module.
Recommended Action Check the failover interface to make sure its transmit is normal using the show
interface command. Also, check the current block of memory using the show block command. If
current available count is 0 within any of the blocks of memory, then reload the module software to
recover the lost blocks of memory.
Explanation Stateful failover received an unsupported Logical Update object and was unable to
process it. This situation could be caused by corrupted memory, LAN transmissions, and other
events.
Recommended Action If you see this error infrequently, then no action is required. If this error occurs
frequently, check the stateful failover link LAN connection. If the error was not caused by a faulty
failover link LAN connection, determine if an external user is trying to compromise the protected
network. Check for incorrectly configured clients.
Explanation Stateful failover cannot allocate a new connection on the standby module. This may be
caused by little or no RAM memory available within the module.
Recommended Action Check the available memory using the show mem command to make sure the
module has free memory in the system. If there is no available memory, add more physical memory
to the module.
Explanation Stateful failover was unable to locate an NAT group for the IP address on the standby
module. The active and standby modules probably are out of synchronization.
Recommended Action Enter the write standby command on the active module to synchronize system
memory with the standby module.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-39
Appendix C System Messages
Stateful Failover
Recommended Action Check the available memory using the show mem command to make sure that
the module has free memory in the system. If the memory has been used up, you may need to add
more physical memory.
Explanation Unable to find an translation slot (xlate) record for a stateful failover connection; unable
to process the connection information.
Recommended Action Enter the write standby command on the active module to synchronize system
memory between the active and standby modules.
Explanation Stateful failover was unable to allocate a new record for a UDP connection.
Recommended Action Check the available memory with the show memory command to make sure
that the module has free memory in the system. If the memory has been used up, you may need to
add more physical memory.
Explanation Stateful failover is unable to allocate a specific PAT address which is in use.
Recommended Action If this error reappears frequently, enter the write standby command on the
active module to synchronize system memory between the active and standby modules.
Error Message %FWSM-3-210021: LU create static xlate global_IP ifc int_name failed
Recommended Action If this error reappears frequently, use the write standby command on the active
module to synchronize system memory between the active and standby modules.
Explanation Stateful failover assigns a sequence number for each record sent to the standby module.
When a received record sequence number is out of sequence with the last updated record, the
information in between is assumed lost and this error message is sent.
Recommended Action Unless there are LAN interruptions, check the available memory on both
modules to ensure there is enough memory to process the stateful information. Use the show failover
command to monitor the quality of stateful information updates.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-40 78-14450-02
Appendix C System Messages
Memory and Resource Allocation
Explanation This message indicates that stateful failover update information was sent to the standby
module.
Explanation This message indicates that stateful failover update information is done being sent to the
standby module.
Explanation This message indicates that an update acknowledgment has been received from the
standby module.
Explanation This message indicates that a stateful failover update is transmitted to the standby
module.
Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently,
contact customer technical support.
Explanation CPU utilization exceeds 100 percent. The utilization time in seconds (number_seconds)
and the percentage of CPU usage (cpu_utilization). This is a value greater than 100 percent.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-41
Appendix C System Messages
SNMP
SNMP
This section contains the messages generated by SNMP.
Error Message %FWSM-3-212001: Unable to open SNMP channel (UDP port udp_port) on
interface interface_name, error code = code
Explanation This message indicates that the module cannot receive SNMP requests destined for the
module from SNMP management stations located on this interface. This does not affect the SNMP
traffic passing through the module through any interface.
Recommended Action An error code of -1 indicates that the module could not open the SNMP
transport for the interface, and once the module reclaims some of its resources when traffic is lighter,
use the snmp-server host command for that interface again.
Error Message %FWSM-3-212002: Unable to open SNMP trap channel (UDP port udp_port)
on interface interface_name, error code = code
Explanation This message indicates that the module will not be able to send its SNMP traps from the
module to SNMP management stations located on this interface. This does not affect the SNMP
traffic passing through the module through any interface.
An error code of -1 indicates that module could not open the SNMP trap transport for the interface
An error code of -2 indicates that module could not bind the SNMP trap transport for the interface.
Recommended Action After the module reclaims some of its resources when traffic is lighter, enter the
snmp-server host command for that interface again.
Explanation This message indicates that of an internal error for an interface was received.
Recommended Action None required. The module SNMP agent will wait for the next SNMP request.
Explanation This message indicates that of an internal error occurred in sending an SNMP response
from the module to the specified host on the specified interface.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-42 78-14450-02
Appendix C System Messages
DHCP
Explanation This message indicates that the length of the incoming SNMP request, which is destined
for the module, exceeds the size of the internal data buffer (512 bytes) used for storing the request
during internal processing; therefore, the module cannot process this request. This does not affect the
SNMP traffic passing through the module through any interface.
Recommended Action Configure the SNMP management station to resend the request with a shorter
length, for example, instead of querying multiple MIB variables in one request, try querying only one
MIB variable in a request. You may need to modify the configuration of the SNMP manager software.
DHCP
Error Message %FWSM-6-604103: DHCP daemon interface int_name: address granted
MAC_addr (IP_addr)
Explanation An external client released an IP address back to the module DHCP server.
VPN
Error Message %FWSM-4-402101: decaps: rec'd IPSEC packet has invalid spi for
destaddr=IP_addr, prot=protocol, spi=spi
Explanation Received an IPSec packet that specifies that the SPI does not exist in the server address
database. This situation may be a temporary condition due to slight differences in aging of server
addresses between the IPSec peers, or it may be because the local server addresses have been cleared.
It may also be because of incorrect packets sent by the IPSec peer. This message might also indicate
an attack.
Recommended Action The peer may not acknowledge that the local SAs have been cleared. If a new
connection is established from the local router, the two peers may then reestablish successfully.
Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new
connection or contact the peer’s administrator.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-43
Appendix C System Messages
VPN
Explanation Received IPSec packet is missing an expected AH or ESP header. The peer is sending
packets that do not match the negotiated security policy. This may be an attack. The packet type is
either AH or ESP.
Explanation An unencapsulated IPSec packet does not match the negotiated identity. The peer is
sending other traffic through this security association. This situation may be due to a security
association selection error by the peer. This situation may be a hostile event.
Error Message %FWSM-4-402106: Rec'd packet not an IPSEC packet (ip) dest_addr=
IP_addr, src_addr= IP_addr, prot= protocol
Explanation Received packet matched the crypto map ACL, but it is not IPSec-encapsulated. IPSec
Peer is sending unencapsulated packets. This situation may occur because of a policy setup error on
the peer. This may also be a hostile event.
Error Message %FWSM-4-404101: ISAKMP: Failed to allocate address for client from pool
pool_id
Explanation The Internet Security Association and Key Management Protocol (ISAKMP), failed to
allocate an IP address for the VPN client from the pool you specified with the ip local pool command.
Recommended Action Enter the ip local pool command to specify additional IP addresses for the pool.
Explanation The MTU for an IPSec tunnel is adjusted from path MTU discovery.
Recommended Action Check the MTU of the IPSec tunnels. If an affected MTU is smaller than
normal, check intermediate links.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-44 78-14450-02
Appendix C System Messages
Internet Protocol Routing
Explanation IPSec has requested internet key exchange (IKE) for new security associations.
Explanation This is a packet integrity check message. An IP packet was seen with IP options. Because
IP options are considered a security risk, the packet was discarded.
Contact the remote host system administrator to determine the problem. Check the local site for loose
source routing or strict source routing.
Recommended Action Reduce other system activity to ease memory demands. If conditions warrant,
upgrade to a larger memory configuration.
Explanation An internal software error occurred, which prevented the creation of new IP routing
table.
Recommended Action Copy the message exactly as it appears, and report it to your technical support
representative.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-45
Appendix C System Messages
OSPF
Explanation The number of routes in the named IP routing table has reached the configured warning
limit.
Recommended Action Reduce the number of routes in the table, or reconfigure the limit.
Recommended Action Enter the clear ip route * command to reset the route counter. If the message
continues to appear consistently, copy the messages exactly as they appear, and report it to your
technical support representative.
OSPF
Error Message %FWSM-3-318002: Flagged as being an ABR without a backbone area
Explanation The router was flagged as an area border router without a backbone area configured in
the router.
Explanation OSPF has detected a checksum error in the database due to memory corruption.
Explanation The software detected an unexpected condition. The router will take corrective action
and continue.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-46 78-14450-02
Appendix C System Messages
OSPF
Explanation An invalid OSPF packet was received. Details are included in the error message. The
cause might be a incorrect OSPF configuration or an internal error in the sender.
Recommended Action Check the OSPF configuration of the receiver and the sender configuration for
inconsistency.
Explanation The OSPF hello, database description, or database request packet was received, but the
router could not identify the sender.
Error Message %FWSM-4-409005: Invalid length number in OSPF packet from ip_address
(ID ip_address), int_name
Explanation The system received an OSPF packet with a filed length of less than normal header size
or inconsistent with the size of the IP packet in which it arrived. This indicates a configuration error
in the sender of the packet.
Recommended Action From a neighboring address, locate the problem router and reboot it.
Error Message %FWSM-4-409006: Invalid lsa: reason Type number, LSID ip_address from
ip_address, ip_address, int_name
Explanation The router received an LSA with an invalid LSA type. The cause is either memory
corruption or unexpected behavior on a router.
Recommended Action From a neighboring address, locate the problem router and reboot it. To
determine what is causing this problem, contact your Cisco technical support representative for
assistance.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-47
Appendix C System Messages
OSPF
Error Message %FWSM-4-409007: Found LSA with the same host bit set but using
different mask LSA ID ip_address ip_mask New: Destination ip_address ip_mask
Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.
Error Message %FWSM-4-409008: Found generating default LSA with non-zero mask LSA
type : number Mask : ip_address metric : number area : name
Explanation The router tried to generate a default LSA with the wrong mask and possibly wrong
metric due to an internal software error
Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.
Error Message %FWSM-4-409009: OSPF process number cannot start. There must be at
least one \up\ IP interface, for OSPF to use as router ID
Explanation OSPF failed while attempting to allocate a router ID from the IP address of one of its
interfaces.
Recommended Action Make sure that there is at least one interface that is up and has a valid IP address.
If there are multiple OSPF processes running on the router, each requires a unique router ID. You
must have enough interfaces up so that each of them can obtain a router ID.
Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.
Error Message %FWSM-3-318004: area area_name lsid ip_address mask ip_address adv
ip_address type number
Explanation OSPF has a problem locating the LSA, which could lead to a memory leak.
Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.
Error Message %FWSM-3-318005: lsid ip_address adv ip_address type number gateway
ip_address metric number network ip_address mask ip_address protocol number attr
number net-metric number
Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-48 78-14450-02
Appendix C System Messages
OSPF
Error Message OSPF found inconsistency between its database and IP routing table
Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.
Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.
Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.
Error Message %FWSM-5-503001: Process number, Nbr ip_address on int_name from name
to name, reason
Explanation An OSPF neighbor has changed its state. The message describes the change and the
reason for it. This message appears only if the log-adjacency-changes command is configured for
the OSPF process.
Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.
Error Message %FWSM-6-613003: ip_address ip_mask changed from area areaname to area
areaname
Explanation An OSPF configuration change has caused a network range to change areas
Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-49
Appendix C System Messages
OSPF
Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing
process. A full adjacency cannot be established.
Recommended Action OSPF router ID should be unique. Change the neighbors router ID.
Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing
process. A full adjacency cannot be established.
Recommended Action OSPF router ID should be unique. Change the neighbors router ID.
Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing
process. A full adjacency cannot be established.
Recommended Action OSPF router ID should be unique. Change the neighbors router ID.
Explanation OSPF process is being reset, and it is going to select a new router ID, which will bring
down all virtual links. To make the links work again, the virtual link configuration needs to be
changed on all virtual link neighbors.
Recommended Action Change virtual link configuration on all the virtual link neighbors, to reflect our
new router ID.
Error Message %FWSM-3-319001: Acknowledge for arp update for IP address dest_addr
not received (number).
Explanation The ARP process in the Firewall Services Module lost internal synchronization because
the system was overloaded.
Recommended Action No immediate action is required. The failure is only temporary. Check the
average load of the system and make sure it is not used beyond its capabilities.
Error Message %FWSM-3-319002: Acknowledge for route update for IP address dest_addr
not received (number).
Explanation The routing module in The Firewall Services Module lost internal synchronization
because the system was overloaded.
Recommended Action No immediate action required. The failure is only temporary. Check the average
load of the system and make sure it is not used beyond its capabilities.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-50 78-14450-02
Appendix C System Messages
Shun
Error Message %FWSM-3-319003: Arp update for IP address dest_addr failed (number).
Explanation The ARP module in the Firewall Services Module lost internal synchronization because
the system was overloaded.
Recommended Action No immediate action required. The failure is only temporary. Check the average
load of the system and make sure it is not used beyond its capabilities.
Error Message %FWSM-3-319004: Route update for IP address dest_addr failed (number).
Explanation The routing module in The Firewall Services Module lost internal synchronization
because the system was overloaded.
Recommended Action No immediate action required. The failure is only temporary. Check the average
load of the system and make sure it is not used beyond its capabilities.
Shun
Error Message %FWSM-4-401001: Shuns cleared
Explanation The clear shun command was entered to remove existing shuns from memory.
Recommended Action None required. This message provides a record of shunning activity.
Explanation A shun command was entered, where the first IP address is the shunned host. The other
addresses and ports are optional and are used to terminate the connection if available.
Recommended Action None required. This message provides a record of shunning activity.
Explanation A single shunned host was removed from the shun database.
Recommended Action None required. This message provides a record of shunning activity.
Explanation A packet was dropped because the host defined by IP source is a host in the shun
database. A shunned host cannot pass traffic on the interface on which it is shunned. For example, an
external host on the Internet can be shunned on the outside interface.
Recommended Action None required. This message provides a record of the shunned hosts activity.
This message and the next message (%FWSM-4-401005) can be used to evaluate further risk
assessment concerning this host.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 C-51
Appendix C System Messages
Shun
Error Message %FWSM-4-401005: Shun add failed: unable to allocate resources for
IP_addr IP_addr port port
Recommended Action The Cisco Secure Intrusion Detection System should continue to attempt to
apply this rule. Attempt to reclaim memory and reapply shun manually, or wait for the Cisco Secure
Intrusion Detection System to do this process.
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
C-52 78-14450-02