6-7
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 6 Configuring Basic Settings
Configuring Interfaces
• TCP sequence randomization—Each TCP connection has two Initial Sequence Numbers (ISNs): one generated by the client and one generated by the server. The FWSM randomizes the ISN that is generated by the host/server on the higher security interface. At least one of the ISNs must be randomly generated so that attackers cannot predict the next ISN and potentially hijack the session.
• Maximum connections limit—You can set a limit on the number of TCP and UDP connections allowed through the FWSM, but only connections from a higher security interface to a lower security interface are tracked. This limit is set using the max_conns option in the nat and static commands.
• established command—This command allows return connections from a lower security host to a higher security host if there is already an established connection from the higher level host to the lower level host.
These behaviors do not affect interfaces that are on the same security level. For example, you do not have to perform NAT, nor do you have to configure the interfaces to bypass NAT. You can, however, optionally configure NAT for these interfaces. Similarly, inspection engines are applied to both interfaces, as is filtering.
Note By default, the Cisco PIX firewall allows traffic to flow freely from an inside network (higher security level) to an outside network (lower security level). However, the FWSM does not allow any traffic to pass between interfaces unless you explicitly permit it with an access control list (ACL). While you still have to specify the security level for an interface on the FWSM, the security level does not provide an explicit permission for traffic to travel from a high security interface to a low security interface.
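The interface rules above (ISN randomization on the higher security side, max_conns counting only higher-to-lower connections, the established command, and the FWSM's requirement for an explicit ACL even from high to low) can be checked against a small policy model. The code below is an added illustration, not code from the configuration guide; the Fwsm class, its method names and the interface-granularity tracking are constructed simplifications (real max_conns applies per nat/static statement).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Interface:
    name: str
    security_level: int  # 0..100; a higher value means a more trusted interface


@dataclass
class Fwsm:
    """Constructed toy model of the per-interface behaviours described on this page."""
    interfaces: Dict[str, Interface]
    acl_permits: Set[Tuple[str, str]] = field(default_factory=set)  # (src, dst) flows an ACL permits
    max_conns: Optional[int] = None  # max_conns from nat/static; None means no limit
    established: bool = False        # True when the 'established' command is configured
    conns: List[Tuple[str, str]] = field(default_factory=list)  # tracked (src, dst) connections

    def _level(self, name: str) -> int:
        return self.interfaces[name].security_level

    def randomized_isn_side(self, src: str, dst: str) -> Optional[str]:
        """Interface whose host has its ISN randomized: the higher security side.
        Returns None when both interfaces share a level (no randomization applies)."""
        if self._level(src) == self._level(dst):
            return None
        return src if self._level(src) > self._level(dst) else dst

    def open_connection(self, src: str, dst: str) -> Tuple[bool, str]:
        """Decide whether a new src->dst connection is allowed and record it if so."""
        high_to_low = self._level(src) > self._level(dst)
        low_to_high = self._level(src) < self._level(dst)
        # 'established': a lower security host may connect back to a higher security
        # host that already holds a connection to it.
        if low_to_high and self.established and (dst, src) in self.conns:
            self.conns.append((src, dst))
            return True, "permitted by established"
        # Unlike the PIX, the FWSM never permits a flow implicitly, even high->low.
        if (src, dst) not in self.acl_permits:
            return False, "denied: no ACL permits this flow"
        # max_conns only tracks connections from higher to lower security interfaces.
        if high_to_low and self.max_conns is not None:
            tracked = sum(1 for s, d in self.conns if self._level(s) > self._level(d))
            if tracked >= self.max_conns:
                return False, "denied: max_conns limit reached"
        self.conns.append((src, dst))
        return True, "permitted by ACL"
```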
Setting the Name and Security Level
By default, all interfaces are enabled. However, you must assign a name and security level to each interface before you can fully configure the FWSM. Many commands use the interface name instead of the interface (VLAN) ID.
You can assign a name to a VLAN that has not yet been assigned to the FWSM (see the “Assigning VLANs to the Firewall Services Module” section on page 2-2), but you see a warning message.
Note If you are using failover, do not use this procedure to name interfaces that you are reserving for failover and stateful failover communications. See Chapter 15, “Using Failover,” to configure the failover and state links.
For multiple context mode, follow these guidelines:
• Configure the context interfaces from within each context.
• You can only configure context interfaces that you already assigned to the context in the system configuration.
• The system configuration does not include configurable interfaces, except for failover interfaces. Do not configure failover interfaces with this procedure. See Chapter 15, “Using Failover,” for more information.
In transparent firewall mode, you can use only two interfaces, one inside and one outside.
