Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, 4.0
Getting Started

Connecting to the Firewall Services Module and Managing the Configuration

Table Of Contents

Connecting to the Firewall Services Module and Managing the Configuration

Connecting to the Firewall Services Module

Logging in to the FWSM

Logging out of the FWSM

Managing the Configuration

Saving Configuration Changes

Saving Configuration Changes in Single Context Mode

Saving Configuration Changes in Multiple Context Mode

Copying the Startup Configuration to the Running Configuration

Viewing the Configuration

Clearing and Removing Configuration Settings

Creating Text Configuration Files Offline


Connecting to the Firewall Services Module and Managing the Configuration


This chapter describes how to access the command-line interface and work with the configuration. This chapter includes the following sections:

Connecting to the Firewall Services Module

Managing the Configuration

Connecting to the Firewall Services Module

This section describes how to connect or "session" to the FWSM from the switch command line. It also describes how to log out of the FWSM to access the switch CLI. This section includes the following topics:

Logging in to the FWSM

Logging out of the FWSM

Logging in to the FWSM

Because the FWSM does not have an external console port, you must session in to the FWSM for initial configuration. Later, when you configure interfaces and IP addresses on the FWSM itself, you can access the FWSM CLI remotely through an FWSM interface. See Chapter 22, "Configuring Management Access," for more information.

Without any additional configuration for user authentication (see the "AAA for System Administrators" section on page 22-10), the login method consists of logging in as the default user:

1. The login password lets you access user EXEC mode.

2. To access configuration commands, you must enter privileged EXEC mode, which requires a second password.

3. From privileged EXEC mode, you can access global configuration mode, which does not require a password.


Caution: Management access to the FWSM causes a degradation in performance. We recommend that you avoid accessing the FWSM when high network performance is critical.

To session in to the FWSM from the switch, log in, access privileged EXEC mode, and then access configuration mode, perform the following steps:


Step 1 Session in to the FWSM from the switch using the command appropriate for your switch operating system:

Cisco IOS software

Router# session slot number processor 1

Catalyst operating system software

Console> (enable) session module_number

For multiple context mode, when you session in to the FWSM, you access the system configuration. See Chapter 4, "Configuring Security Contexts," for more information.

Step 2 Log in to the FWSM by entering the login password at the following prompt:

hostname passwd:

By default, the password is cisco.

To change the password, see the "Changing the Passwords" section on page 7-1.

Step 3 To access privileged EXEC mode, enter the following command:

hostname> enable

This command accesses the highest privilege level.

The following prompt appears:

Password:

Step 4 Enter the enable password at the prompt.

By default, the password is blank, and you can press the Enter key to continue. See the "Changing the Passwords" section on page 7-1 to change the enable password.

The prompt changes to:

hostname#

To exit privileged mode, enter disable. You can also enter exit or quit to exit the current access mode (privileged EXEC mode, global configuration mode, and so on).

Step 5 To access configuration mode, enter the following command:

hostname# configure terminal

The prompt changes to the following:

hostname(config)#


Logging out of the FWSM

To end the FWSM session and access the switch CLI, enter the following command:

hostname# exit

Logoff

[Connection to 127.0.0.31 closed by foreign host]
Router#

You might need to enter the exit command multiple times if you are in a configuration mode.

Managing the Configuration

This section describes how to work with the configuration. The FWSM loads the configuration from a text file, called the startup configuration.

When you enter a command, the change is made only to the running configuration in memory. You must manually save the running configuration to the startup configuration for your changes to remain after a reboot.

The information in this section applies to both single and multiple security contexts, except where noted. Additional information about contexts is in Chapter 4, "Configuring Security Contexts."

This section includes the following topics:

Saving Configuration Changes

Copying the Startup Configuration to the Running Configuration

Viewing the Configuration

Clearing and Removing Configuration Settings

Creating Text Configuration Files Offline

Saving Configuration Changes

This section describes how to save your configuration, and includes the following topics:

Saving Configuration Changes in Single Context Mode

Saving Configuration Changes in Multiple Context Mode

Saving Configuration Changes in Single Context Mode

To save the running configuration to the startup configuration, enter the following command:

hostname# write memory


Note: The copy running-config startup-config command is equivalent to the write memory command.


Saving Configuration Changes in Multiple Context Mode

You can save each context (and system) configuration separately, or you can save all context configurations at the same time. This section includes the following topics:

Saving Each Context and System Separately

Saving All Context Configurations at the Same Time

Saving Each Context and System Separately

To save the system or context configuration, enter the following command within the system or context:

hostname# write memory


Note: The copy running-config startup-config command is equivalent to the write memory command.


For multiple context mode, context startup configurations can reside on external servers. In this case, the FWSM saves the configuration back to the server you identified in the context URL, except for an HTTP or HTTPS URL, which does not let you save the configuration to the server.

Saving All Context Configurations at the Same Time

To save all context configurations at the same time, as well as the system configuration, enter the following command in the system execution space:

hostname# write memory all [/noconfirm]

If you do not enter the /noconfirm keyword, you see the following prompt:

Are you sure [Y/N]:

After you enter Y, the FWSM saves the system configuration and each context. Context startup configurations can reside on external servers. In this case, the FWSM saves the configuration back to the server you identified in the context URL, except for an HTTP or HTTPS URL, which does not let you save the configuration to the server.

After the FWSM saves each context, the following message appears:

`Saving context `b' ... ( 1/3 contexts saved ) '

Sometimes, a context is not saved because of an error. See the following information for errors:

For contexts that are not saved because of low memory, the following message appears:

The context 'context a' could not be saved due to Unavailability of resources

For contexts that are not saved because the remote destination is unreachable, the following message appears:

The context 'context a' could not be saved due to non-reachability of destination

For contexts that are not saved because the context is locked, the following message appears:

Unable to save the configuration for the following contexts as these contexts are 
locked.
context `a' , context `x' , context `z' .

A context is only locked if another user is already saving the configuration or in the process of deleting the context.

For contexts that are not saved because the startup configuration is read-only (for example, on an HTTP server), the following message report is printed at the end of all other messages:

Unable to save the configuration for the following contexts as these contexts have 
read-only config-urls:
context `a' , context `b' , context `c' .

For contexts that are not saved because of bad sectors in the Flash memory, the following message appears:

The context 'context a' could not be saved due to Unknown errors
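
A context that fails to save keeps its old startup configuration and loses its running changes at the next reload, so the output of write memory all is worth checking mechanically. The following Python sketch is an added example, not Cisco code: it parses the message formats quoted above and reports each context as saved, failed (with the cause this section gives), or never mentioned. The function name, the expected list, and the sample output are constructed for illustration.

```python
import re

# Reason text the FWSM prints after "due to", mapped to the cause this guide gives.
REASONS = {
    "Unavailability of resources": "low memory",
    "non-reachability of destination": "remote destination unreachable",
    "Unknown errors": "bad sectors in Flash memory",
}
QUOTED = r"[`']([^`']+)'"  # names are printed as `a' or 'a'
SAVED_RE = re.compile(r"Saving context " + QUOTED + r" \.\.\. \( \d+/\d+ contexts saved \)")
# Assumption: in 'context a' the word "context" is a label, not part of the name.
FAILED_RE = re.compile(r"The context '(?:context )?([^']+)' could not be saved due to ("
                       + "|".join(map(re.escape, REASONS)) + ")")
LIST_RE = re.compile(r"as these contexts (are locked\.|have read-only config-urls:) "
                     r"((?:context " + QUOTED + r" ?[,.] ?)+)")


def parse_write_memory_all(output, expected=()):
    """Classify each context as saved, failed (with cause) or never mentioned."""
    text = " ".join(output.split())  # undo line wrapping inside long messages
    saved = SAVED_RE.findall(text)
    failed = {m.group(1): REASONS[m.group(2)] for m in FAILED_RE.finditer(text)}
    for m in LIST_RE.finditer(text):
        cause = "context locked" if m.group(1).startswith("are") else "read-only config URL"
        for name in re.findall(r"context " + QUOTED, m.group(2)):
            failed[name] = cause
    unreported = [c for c in expected if c not in saved and c not in failed]
    return {"saved": saved, "failed": failed, "unreported": unreported}


# Constructed sample output, assembled from the message formats quoted in this section.
SAMPLE = """\
Saving context `admin' ... ( 1/6 contexts saved )
Saving context `b' ... ( 2/6 contexts saved )
The context 'context c' could not be saved due to non-reachability of destination
Unable to save the configuration for the following contexts as these contexts are
locked.
context `d' , context `x' .
Unable to save the configuration for the following contexts as these contexts have
read-only config-urls:
context `e' .
"""

if __name__ == "__main__":
    report = parse_write_memory_all(SAMPLE, expected=["admin", "b", "c", "d", "x", "e", "f"])
    for name, cause in report["failed"].items():
        print(f"NOT SAVED {name}: {cause}")
    for name in report["unreported"]:
        print(f"NO RESULT {name}: verify before reload")
```
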

Copying the Startup Configuration to the Running Configuration

Copy the new startup configuration to the running configuration using one of these options:

To merge the startup configuration with the current running configuration, enter the following command:

hostname(config)# copy startup-config running-config

A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results.

To load the startup configuration and discard the running configuration, restart the FWSM by entering the following command:

hostname# reload

Alternatively, you can use the following commands to load the startup configuration and discard the running configuration without requiring a reboot:

hostname(config)# clear configure all
hostname(config)# copy startup-config running-config

Viewing the Configuration

The following commands let you view the running and startup configurations.

To view the running configuration, enter the following command:

hostname# show running-config

To view the running configuration of a specific command, enter the following command:

hostname# show running-config command

To view the startup configuration, enter the following command:

hostname# show startup-config

Clearing and Removing Configuration Settings

To erase settings, enter one of the following commands.

To clear all the configuration for a specified command, enter the following command:

hostname(config)# clear configure configurationcommand [level2configurationcommand]

This command clears all the current configuration for the specified configuration command. If you only want to clear the configuration for a specific version of the command, you can enter a value for level2configurationcommand.

For example, to clear the configuration for all aaa commands, enter the following command:

hostname(config)# clear configure aaa

To clear the configuration for only aaa authentication commands, enter the following command:

hostname(config)# clear configure aaa authentication

To disable the specific parameters or options of a command, enter the following command:

hostname(config)# no configurationcommand [level2configurationcommand] qualifier

In this case, you use the no command to remove the specific configuration identified by qualifier.

For example, to remove a specific nat command, enter enough of the command to identify it uniquely as follows:

hostname(config)# no nat (inside) 1

To erase the startup configuration, enter the following command:

hostname(config)# write erase

To erase the running configuration, enter the following command:

hostname(config)# clear configure all


Note: In multiple context mode, if you enter clear configure all from the system configuration, you also remove all contexts and stop them from running.


Creating Text Configuration Files Offline

This guide describes how to use the CLI to configure the FWSM; when you save commands, the changes are written to a text file. Instead of using the CLI, however, you can edit a text file directly on your PC and paste a configuration at the configuration mode command-line prompt in its entirety, or line by line. Alternatively, you can download a text file to the FWSM internal Flash memory. See Chapter 23, "Managing Software, Licenses, and Configurations," for information on downloading the configuration file to the FWSM.

In most cases, commands described in this guide are preceded by a CLI prompt. The prompt in the following example is "hostname(config)#":

hostname(config)# context a

In the text configuration file you are not prompted to enter commands, so the prompt is omitted as follows:

context a

For additional information about formatting the file, see Appendix C, "Using the Command-Line Interface."
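
When a text configuration file is assembled from commands copied out of a CLI session or this guide, the prompts must be stripped, and any command that erases configuration is worth reviewing before the file is pasted or downloaded. The following Python sketch is an added example, not Cisco code: it removes the prompt forms shown in this chapter, drops commands entered at an EXEC prompt, and flags the clear configure and write erase commands described under "Clearing and Removing Configuration Settings." It assumes the input contains only commands (no device output); the function name and sample transcript are constructed for illustration.

```python
import re

# Prompt forms shown in this chapter: hostname>, hostname#, hostname(config)#
PROMPT_RE = re.compile(r"^[\w.-]+(?P<mode>\([\w-]+\))?[#>]\s*(?P<cmd>.*)$")
# Commands this chapter describes as erasing configuration.
ERASING = ("clear configure", "write erase")


def transcript_to_config(transcript):
    """Return (config_lines, warnings) for a pasted CLI transcript.

    Lines entered at a configuration-mode prompt lose the prompt, lines entered
    at an EXEC prompt (no "(config...)" part) are dropped, and lines that
    already have no prompt are kept unchanged.
    """
    config, warnings = [], []
    for n, raw in enumerate(transcript.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = PROMPT_RE.match(line)
        if m:
            if not m.group("mode"):
                warnings.append(f"line {n}: EXEC-mode command dropped: {m.group('cmd')}")
                continue
            line = m.group("cmd")
        if line.startswith(ERASING):
            warnings.append(f"line {n}: erases configuration: {line}")
        config.append(line)
    return config, warnings


# Constructed sample transcript mixing prompted and prompt-free lines.
SAMPLE_TRANSCRIPT = """\
hostname# configure terminal
hostname(config)# context a
hostname(config)# clear configure aaa authentication
nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# write erase
"""

if __name__ == "__main__":
    lines, notes = transcript_to_config(SAMPLE_TRANSCRIPT)
    print("\n".join(lines))
    for note in notes:
        print("WARNING", note)
```
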