Cisco Catalyst 6500 Series User Manual

392 pages
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 6 Configuring Basic Settings
Configuring Interfaces
By default, all interfaces are enabled. For each interface, you must provide a name and a security level.
Note: If you are using failover, do not use this procedure to name interfaces that you are reserving for failover
and stateful failover communications. See Chapter 15, “Using Failover,” to configure the failover and
state links.
This section includes the following topics:
• Security Level Overview, page 6-6
• Setting the Name and Security Level, page 6-7
• Allowing Communication Between Interfaces on the Same Security Level, page 6-8
• Turning Off and Turning On Interfaces, page 6-10
Security Level Overview
Each interface must have a security level from 0 (lowest) to 100 (highest). For example, you should
assign your most secure network, such as the inside host network, to level 100, while the outside
network connected to the Internet can be level 0. Other networks, such as DMZs, can be in between. You
can assign interfaces to the same security level. See the “Allowing Communication Between Interfaces
on the Same Security Level” section on page 6-8 for more information.
For interfaces that are on different security levels, the level controls the following behavior:
• NAT—When hosts on a higher security interface (inside) access hosts on a lower security interface
  (outside), you must configure Network Address Translation (NAT) for the inside hosts or
  specifically configure the inside hosts to bypass NAT.
  An inside host can communicate with the untranslated local address of the outside host without any
  special configuration on the outside interface. However, you can also optionally perform NAT on the
  outside network.
• Inspection engines—Some inspection engines are dependent on the security level:
  - SMTP inspection engine—Applied only for inbound connections (from lower level to higher
    level), which protects the SMTP servers on the higher security interface.
  - NetBIOS inspection engine—Applied only for outbound connections.
  - XDMCP inspection engine—The XDMCP server can be configured only on the outside
    interface.
  - OraServ inspection engine—If a control connection for the OraServ port exists between a pair
    of hosts, then only an inbound data connection is permitted through the FWSM.
• Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level
  to a lower level).
• TCP intercept—The TCP intercept feature only applies to hosts or servers on a higher security level.
  See the “Other Protection Features” section on page 1-6 for more information about TCP intercept.
  This feature is configured using the emb_limit option in the nat and static commands.
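
The following Python sketch is an added example, not part of the Cisco guide and not FWSM code. It applies the direction rules listed above to an interface plan so you can review, per interface pair, which level-dependent behavior to expect. The interface names and levels in SAMPLE are constructed, the function names are hypothetical, and the XDMCP and OraServ rules are left out.

```python
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    direction: str      # "outbound", "inbound" or "same-level"
    behaviours: tuple   # level-dependent behaviours stated on this page


def classify(src, dst, levels):
    """Classify a connection from interface src to interface dst."""
    for name in (src, dst):
        if not 0 <= levels[name] <= 100:
            raise ValueError(f"{name}: security level must be 0 to 100")
    s, d = levels[src], levels[dst]
    if s == d:
        # The listed behaviours are defined for different levels only.
        return Flow(src, dst, "same-level", ())
    if s > d:
        # Higher to lower security level.
        return Flow(src, dst, "outbound", (
            "NAT or NAT bypass required for the source hosts",
            "NetBIOS inspection applies",
            "HTTP(S) and FTP filtering applies",
        ))
    # Lower to higher security level.
    return Flow(src, dst, "inbound", (
        "NAT on the source network is optional",
        "SMTP inspection applies",
        "TCP intercept applies to the destination hosts",
    ))


def plan(levels):
    """Classify every ordered pair of interfaces in the plan."""
    return [classify(a, b, levels) for a, b in permutations(levels, 2)]


# Constructed sample plan: interface names and levels are illustrative.
SAMPLE = {"inside": 100, "dmz": 50, "partner": 50, "outside": 0}

if __name__ == "__main__":
    for flow in plan(SAMPLE):
        print(f"{flow.src} -> {flow.dst}: {flow.direction}")
        for item in flow.behaviours:
            print(f"    {item}")
```

Pairs reported as same-level fall outside these rules; they are covered by the section on allowing communication between interfaces on the same security level.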
