4-2
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 4 Configuring the Firewall Mode
Firewall Mode Overview
IP Routing Support
The FWSM acts as a router between connected networks, and each interface requires an IP address on a
different subnet. In single context mode, the routed firewall supports OSPF and RIP (in passive mode).
Multiple context mode supports static routes only. We recommend using the advanced routing
capabilities of the upstream and downstream routers, such as the MSFC, instead of relying on the FWSM
for extensive routing needs.
Network Address Translation
NAT substitutes the local address on a packet with a global address that is routable on the destination
network. In routed mode, you typically configure NAT for inside hosts that access an outside network,
but you can optionally bypass NAT if you are using routable addresses.
Some of the benefits of NAT include the following:
• You can use private addresses on your inside networks. Private addresses cannot be routed
on the Internet. See the “Private Networks” section on page D-2 for more information.
• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a
host.
• NAT can resolve IP routing problems by supporting overlapping IP addresses.
Figure 4-1 shows a typical NAT scenario, with a private network on the inside. When the inside user
sends a packet to a web server on the Internet, the local source address of the packet is changed to a
routable global address. When the web server responds, it sends the response to the global address, and
the firewall receives the packet. The firewall then translates the global address to the local address before
sending it on to the user.
See Chapter 9, “Configuring Network Address Translation,” for more information.
Figure 4-1 NAT Example
[Figure: a web server (www.cisco.com) on the outside network, the FWSM with outside interface 209.165.201.2 and inside interface 10.1.2.1, and an inside host 10.1.2.27. Originating packet, source address translation: 10.1.2.27 to 209.165.201.10. Responding packet, destination address translation: 209.165.201.10 to 10.1.2.27.]
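The translation shown in Figure 4-1, as an added example that is not code from the guide or from Cisco: a small Python model of a translation (xlate) table that rewrites the source of an originating packet and the destination of the responding packet, and returns nothing for an inbound packet whose global address has no existing translation. The global address pool, the Packet type and the constructed web server address 203.0.113.5 are assumptions of the model.

```python
# Added example, not Cisco's code: a minimal model of the dynamic NAT shown in
# Figure 4-1. Inside addresses and the global address are the figure's; the
# pool, the Packet type and the xlate dictionary are assumptions of this model.
from dataclasses import dataclass, field
from typing import Optional

WEB_SERVER = "203.0.113.5"   # constructed address standing in for www.cisco.com


@dataclass
class Packet:
    src: str
    dst: str


@dataclass
class RoutedNat:
    # Global (outside) addresses that may be handed to inside hosts.
    pool: list
    # xlate table: inside local address -> global address currently in use.
    xlates: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Originating packet: replace the local source with a global address."""
        if pkt.src not in self.xlates:
            if not self.pool:
                raise RuntimeError("NAT pool exhausted")
            self.xlates[pkt.src] = self.pool.pop(0)
        return Packet(self.xlates[pkt.src], pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Responding packet: map the global destination back to the local host.
        Returns None when no xlate exists, because the firewall then has no
        inside host to deliver the packet to."""
        for local, glob in self.xlates.items():
            if glob == pkt.dst:
                return Packet(pkt.src, local)
        return None


def figure_4_1():
    """Replay the exchange in Figure 4-1 plus one unsolicited inbound packet."""
    fw = RoutedNat(pool=["209.165.201.10"])
    out = fw.outbound(Packet("10.1.2.27", WEB_SERVER))      # src becomes 209.165.201.10
    reply = fw.inbound(Packet(WEB_SERVER, "209.165.201.10"))  # dst becomes 10.1.2.27
    stray = fw.inbound(Packet(WEB_SERVER, "209.165.201.11"))  # no xlate -> None
    return out, reply, stray
```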