Cisco Catalyst 6500 Series

To Next Page

To Previous Page

10-9

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide

OL-6392-01

Chapter 10 Controlling Network Access with Access Control Lists

Access Control List Overview

If you want to allow an outside host to access an inside host, you can apply an inbound ACL on the

outside interface. You need to specify the translated address of the inside host in the ACL because that

address is the address that can be used on the outside network. (See Figure 10-2.)

Figure 10-2 IP Addresses in ACLs: NAT used for Destination Addresses

See the following commands for this example:

FWSM/contexta(config)# access-list OUTSIDE extended permit ip host 209.165.200.225 host

209.165.201.5

FWSM/contexta(config)# access-group OUTSIDE in interface outside

209.165.200.225

Inside

Outside

Static NAT

209.165.201.510.1.1.34

ACL

Permit from 209.165.200.225 to 209.165.201.5

104636

Main Page

Default Chapter4
- Table of Contents4
Document Objectives17
- About this Guide17
Chapter 2 Configuring the Switch for the Firewall Services Module18
Related Documentation18
Document Organization18
Document Conventions19
Obtaining Documentation19
- Ordering Documentation20
Documentation Feedback20
Obtaining Technical Assistance20
Obtaining Additional Publications and Information22
- Vlan Interfaces34
- Switch Overview39
- Assigning Vlans to the Firewall Services Module40
- Verifying the Module Installation40
- Adding Switched Virtual Interfaces to the MSFC43
- Configuring the Switch for Failover49
- Customizing the FWSM Internal Interface49
- Managing the Firewall Services Module Boot Partitions50
Chapter 3 Connecting to the Firewall Services Module and Managing the Configuration53
- Sessioning and Logging into the Firewall Services Module53
- Managing the Configuration at the CLI55
- Firewall Mode Overview59
  - Routed Mode Overview59
    - Network Address Translation60
Chapter 4 Configuring the Firewall Mode60
- How Data Moves through the FWSM in Routed Firewall Mode61
- Transparent Mode Overview66
- Setting the Firewall Mode74
- Security Context Overview75
Chapter 5 Managing Security Context76
- IP Routing Support79
- Sharing Resources and Interfaces between Contexts79
  - Sharing Resources80
  - Shared Interface Limitations81
- Logging into the FWSM in Multiple Context Mode83
- Enabling or Disabling Multiple Context Mode84
- Configuring Resource Management85
- Configuring a Security Context93
- Removing a Security Context96
- Changing the Admin Context96
- Changing between Contexts and the System Execution Space96
- Changing the Security Context URL97
- Reloading a Security Context98
  - Reloading by Clearing the Configuration98
  - Reloading by Removing and Re-Adding the Context98
- Monitoring Security Contexts98
- Changing the Passwords107
Chapter 6 Configuring Basic Setting109
- Setting the Host Name110
Setting the Host Name111
Setting the Domain Name111
Adding a Login Banner111
Configuring Interfaces112
- Security Level Overview112
- Setting the Name and Security Level113
- Allowing Communication between Interfaces on the same Security Level114
- Turning off and Turning on Interfaces116
Configuring Connection Limits for Non-NAT Configurations116
CHAPTER 7 Configuring Bridging Parameters and ARP Inspection119
- Customizing the MAC Address Table119
- Configuring ARP Inspection121
CHAPTER 8 Configuring IP Addresses, Routing, and DHCP123
- Configuring IP Addresses123
  - Assigning IP Addresses to Interfaces for a Routed Firewall124
  - Setting the Management IP Address for a Transparent Firewall124
- Configuring the Default Route124
- C H a P T E R 8 Configuring IP Addresses, Routing, and DHCP124
- Configuring Static Routes125
- Configuring OSPF126
- Configuring RIP140
  - RIP Overview140
  - Enabling RIP140
- Configuring the DHCP Server141
  - Enabling the DHCP Server141
  - Using Cisco IP Phones with a DHCP Server142
- Configuring DHCP Relay143
- NAT Overview145
CHAPTER 9 Configuring Network Address Translation146
- NAT Overview146
- Using Dynamic NAT and PAT160
  - Dynamic NAT and PAT Implementation161
  - Configuring NAT or PAT167
- Using Static NAT170
- Using Static PAT171
- Bypassing NAT173
- NAT Examples176
  - Overlapping Networks177
  - Redirecting Ports178
CHAPTER 10 Controlling Network Access with Access Control Lists181
- Access Control List Overview181
  - Access Control List Types and Uses182
  - Access Control List Guidelines186
- Adding an Extended Access Control List193
- Adding an Ethertype Access Control List196
- Adding a Standard Access Control List197
- Simplifying Access Control Lists with Object Grouping198
- Manually Committing Access Control Lists and Rules204
- Adding Remarks to Access Control Lists205
- Logging Extended Access Control List Activity206
- Allowing Remote Management209
- Allowing Telnet209
- Allowing SSH210
Chapter 11 Allowing Remote Management210
- Configuring SSH Access211
- Using an SSH Client212
- Allowing HTTPS for PDM212
- Allowing a VPN Management Connection213
- Allowing ICMP to and from the FWSM218
- Configuring AAA221
- AAA Overview221
Chapter 12 Configuring AAA222
- About Accounting223
- AAA Server and Local Database Support224
- Configuring the Local Database226
- Identifying a AAA Server226
- Configuring Authentication for CLI Access228
- Configuring Authentication to Access Privileged Mode228
  - Configuring Authentication for the Enable Command229
  - Authenticating Users Using the Login Command229
- Configuring Command Authorization230
- Viewing the Current Logged-In User238
- Recovering from a Lockout239
- Configuring Authentication for Network Access240
- Configuring Authorization for Network Access243
  - Configuring TACACS+ Authorization244
  - Configuring RADIUS Authorization245
    - Configuring the RADIUS Server to Download Per-User Access Control Lists245
    - Configuring the RADIUS Server to Download Per-User Access Control List Names247
- Configuring Accounting for Network Access247
Chapter 13 Configuring Application Protocol Inspection249
- Inspection Engine Overview249
- Configuring an Inspection Engine252
- Detailed Information about Inspection Engines253
CHAPTER 14 Filtering HTTP, HTTPS, or FTP Requests Using an External Server271
- Filtering Overview271
- Configuring General Filtering Parameters272
- Filtering HTTP Urls275
- Filtering HTTPS Urls276
- Filtering FTP Requests276
- Viewing Filtering Statistics276
- Using Failover279
- Understanding Failover279
  - Failover Overview280
  - Regular and Stateful Failover280
Chapter 15 Using Failover280
- Failover and State Links281
  - Failover Link281
  - State Link281
- Module Placement282
  - Intra-Chassis Failover282
  - Inter-Chassis Failover282
- Transparent Firewall Requirements287
- Primary/Secondary Status and Active/Standby Status288
- Configuration Replication288
- Disabling Configuration Synchronization290
- Failover Triggers290
- Failover Actions290
- Failover Monitoring291
  - Module Health Monitoring291
  - Interface Monitoring292
- Configuring Failover293
  - Configuring the Primary Module293
  - Configuring the Secondary Module296
- Verifying the Failover Configuration297
- Forcing Failover301
- Disabling Failover301
- Monitoring Failover301
  - Failover System Messages302
- Snmp302
Chapter 16 Managing Software and Configuration Files307
- Installing Application or PDM Software307
- Installing Maintenance Software311
- Downloading and Backing up Configuration Files311
  - Downloading a Text Configuration312
  - Backing up the Configuration313
    - Copying the Configuration to a Server313
    - Copying the Configuration from the Terminal Display314
Chapter 17 Monitoring and Troubleshooting the Firewall Services Module315
- Monitoring the Firewall Services Module315
  - Using System Messages315
  - Using SNMP315
    - SNMP Overview316
    - Enabling SNMP317
- Troubleshooting the Firewall Services Module318
Appendix329
A Specifications329
- Physical Attributes329
- Feature Limits330
Appendix A Specification330
- Managed System Resources331
- Fixed System Resources332
- Rule Limits333
Appendix335
- Sample Configurations335
  - Routed Mode Examples335
Appendix B Sample Configuration336
- Example 1: Admin Context Configuration337
- Example 1: Customer a Context Configuration338
- Example 1: Customer B Context Configuration338
- Example 1: Customer C Context Configuration338
- Example 1: Switch Configuration339
- Transparent Mode Examples349
  - Example 5: Security Contexts with Outside Access349
  - Example 6: Failover352
Appendix357
Understanding the Command-Line Interface357
- Command Prompts357
- Syntax Formatting358
- Abbreviating Commands358
- Command Line Editing359
- Filtering Show Command Output359
- Command Output Paging360
- Adding Comments360
- Text Configuration Files360
- Command Help362
Appendix363
Addresses, Protocols, and Ports Reference363
- IP Addresses and Subnet Masks363
- Protocols and Applications367
- TCP and UDP Ports368
- ICMP Types371

Cisco Catalyst 6500 Series - Page 189

Table of Contents

Other manuals for Cisco Catalyst 6500 Series

Related product manuals