Using Management Center for Firewalls 1.3
Preparing Your Firewall Devices

Table Of Contents

Preparing Your Firewall Devices

Bootstrapping PIX Firewalls

Determining When to Bootstrap a PIX Firewall

PIX Firewall Configuration Worksheet

Bootstrapping an Existing PIX Firewall

Bootstrapping a New PIX Firewall

Bootstrapping PIX Firewall to Use Auto Update Server

Verifying PIX Firewall Configuration

Bootstrapping Firewall Services Modules

Determining When to Bootstrap the FWSM

FWSM Configuration Worksheet

Bootstrapping an Existing FWSM

Bootstrapping a New FWSM

Verifying an FWSM Configuration

What Is a Virtual Firewall and How Does It Differ from a Conventional Firewall?

What Is Meant by Security Context?

What Is Meant by Mode?


Preparing Your Firewall Devices


Before you can use Firewall MC to manage a firewall device, you must bootstrap the device. Bootstrapping configures a device, using the CLI, with the basic settings that allow the CiscoWorks Server to connect and deploy commands to it. Firewall devices are those versions of the PIX Firewall or Firewall Services Module (FWSM) that are supported by Firewall MC. This chapter describes how to prepare firewall devices to be managed by Firewall MC and how to prepare a PIX Firewall to use the Auto Update Server (AUS). (FWSM does not support AUS.) If the required configuration exists on the device, Firewall MC can import the settings, and you do not have to follow the bootstrap procedures. However, you should review the bootstrapping procedures to ensure that the device configuration includes the settings required for Firewall MC to connect to and discover each device on your network.


Tip You can also use the PIX Firewall Device Manager (PDM) Startup Wizard to configure the firewall. See Cisco PIX Firewall and VPN Configuration Guide for more information.



Note For Firewall MC and PIX Firewall to communicate, you must configure HTTPS in Firewall MC. See Configuring HTTPS (SSL), page 8-32.


Topics to be discussed are:

Bootstrapping PIX Firewalls

Bootstrapping Firewall Services Modules

What Is a Virtual Firewall and How Does It Differ from a Conventional Firewall?

What Is Meant by Security Context?

What Is Meant by Mode?

Bootstrapping PIX Firewalls

Before you can use Firewall MC to manage a PIX Firewall, you must configure the firewall so that Firewall MC can contact and administer it. If the firewall is already configured, you should verify that its configuration is correct for Firewall MC. The procedures in this section take you through using the command line to verify the configuration.

Determining When to Bootstrap a PIX Firewall

PIX Firewall Configuration Worksheet

Bootstrapping an Existing PIX Firewall

Bootstrapping a New PIX Firewall

Bootstrapping PIX Firewall to Use Auto Update Server

Verifying PIX Firewall Configuration

Determining When to Bootstrap a PIX Firewall

The following two scenarios require that you bootstrap a PIX Firewall before managing it with Firewall MC:

You are planning to manage an existing PIX Firewall (configured and running on your network) with Firewall MC; however, the PIX Firewall is not configured to accept HTTP administrative connections from the CiscoWorks Server running Firewall MC.

You are adding a new PIX Firewall to your network.

To verify whether an existing PIX Firewall can be administered by CiscoWorks:


Step 1 Log in to the console terminal connected to the console port.

Step 2 Enter enable.

Step 3 Enter password at the command prompt.

The password identifies the enable password used to administer this PIX Firewall.

The PIX Firewall enters privileged mode.

Step 4 Enter config terminal.

The PIX Firewall enters configuration mode.

Step 5 Enter show http.

The PIX Firewall lists the allowed hosts and the enable state of the HTTP server.

Verify that the IP address of the CiscoWorks Server appears in the list and that the HTTP server is enabled. If these two settings exist, you do not need to bootstrap the device. Otherwise, see Bootstrapping an Existing PIX Firewall.


Note You should also verify that HTTPS access is enabled as described in Verifying PIX Firewall Configuration.


Step 6 Enter exit.

The PIX Firewall exits configuration mode.


PIX Firewall Configuration Worksheet

Before you bootstrap a PIX Firewall, you must collect the information that describes the placement of that PIX Firewall on your network. Complete the following worksheet to identify the information used when you bootstrap a PIX Firewall.


Note This worksheet assumes that Firewall MC will connect to the firewall device using the inside interface. Although the inside interface is recommended for this connection, it is not required.


Question: What is the enable password?
Answer: ________________

Question: What is the IP address of the inside interface?
Answer: ________________

Question: What is the netmask of the inside interface?
Answer: ________________

Question: What is the hostname?
Answer: ________________

Question: What is the DNS domain name of the network on which the PIX Firewall runs?
Answer: ________________

Question: What is the IP address of the CiscoWorks Server that should have access to the PIX Firewall via HTTP?
Answer: ________________

Question: What is the date and time and the time zone?
Answer: ________________

Question: If you are bootstrapping an existing PIX Firewall, what is the name of the interface used to accept administrative connections?
Answer: ________________


Bootstrapping an Existing PIX Firewall

Before You Begin

Make sure that the interfaces, IP addresses, and routes are defined for this PIX Firewall. To configure a new PIX Firewall, see Bootstrapping a New PIX Firewall.


Step 1 Log in to the console terminal connected to the console port.

Step 2 Enter enable.

Step 3 Enter password at the command prompt.

The password identifies the enable password used to administer this PIX Firewall. The PIX Firewall enters privileged mode.

Step 4 Enter config terminal.

The PIX Firewall enters configuration mode.

Step 5 If you have never used Cisco PIX Device Manager (PDM) to manage this PIX Firewall, follow Step 6 through Step 19. If you are already using PDM to manage this PIX Firewall, skip to Step 20.

Step 6 Enter setup.

The setup command:

Enables the PIX Firewall HTTP server.

Allows you to specify the IP address of the CiscoWorks Server that will manage the PIX Firewall.

Populates those settings required to generate the default certificate used by SSL-based connections to the HTTP server.

Adds to any existing list of hosts allowed to manage the device; it does not replace existing settings.


Timesaver If the settings are correct for a given prompt, press Enter to bypass the question.


Step 7 Enter y at the Pre-configure PIX Firewall now through interactive prompts [yes]? prompt.

The Enable password [<use current password>]: prompt appears.

Step 8 Enter the current enable password for this PIX Firewall.

The Clock (UTC) prompt appears.

Step 9 Verify that the PIX Firewall clock is set to Universal Coordinated Time (UTC), formerly known as Greenwich Mean Time (GMT), then press Enter.

The Year [system year]: prompt appears.

Step 10 Enter the current year, or default to the year stored in the host computer.

The Month [system month]: prompt appears.

Step 11 Enter the current month, or default to the month stored in the host computer.

The Day [system day]: prompt appears.

Step 12 Enter the current day, or default to the day stored in the host computer.

The Time [system time]: prompt appears.

Step 13 Enter the current time in hh:mm:ss format, or default to the time stored in the host computer.

The Inside IP address: prompt appears.

Step 14 Verify the network interface IP address of the PIX Firewall, then press Enter.

The Inside network mask: prompt appears.


Note This step assumes the inside interface is used to manage this PIX Firewall.


Step 15 Verify the network mask that applies to inside IP address, then press Enter.

Enter 0.0.0.0 to specify a default route. You can abbreviate the 0.0.0.0 network mask as 0.

The Host name: prompt appears.

Step 16 Verify the hostname to display in the PIX Firewall command line prompt, then press Enter.


Note The hostname for each device must be unique. Firewall MC cannot manage multiple devices with the same hostname.


The Domain name: prompt appears.

Step 17 Verify the DNS domain name of the network on which the PIX Firewall runs, for example, example.com, then press Enter.


Note The hostname and domain name are used to generate the default certificate for the SSL connection. The interface type is determined by the hardware.


The IP address of host running PIX Device Manager: prompt appears.

Step 18 Enter the IP address of the CiscoWorks Server that will manage this PIX Firewall.

The Use this configuration and write to flash? prompt appears.

Step 19 Enter yes.

If you do not require additional administrative hosts to have access to this firewall, you have performed the necessary configuration. Skip to Step 22.

If you want to manage or monitor the PIX Firewall with PDM, go to Step 20.


Note For security reasons, you should limit the number of administrative hosts to the minimum number required by your organization.


Step 20 Enter http ip_address [netmask] [if_name] to specify that the CiscoWorks Server can connect to and configure the PIX Firewall using HTTP.

When you configure a PIX Firewall to work with PDM, you could be using an interface other than inside for management. This step allows you to specify an additional administrative host, the CiscoWorks Server, on the appropriate interface.

ip_address—Specifies the IP address of the CiscoWorks Server that will manage this PIX Firewall.

netmask—Specifies the network mask for the http ip_address. If you do not specify a network mask, the default is 255.255.255.255 regardless of the class of IP address.

if_name—Specifies the PIX Firewall interface name on which the CiscoWorks Server initiating the HTTP connection resides. The default interface name is inside.


Note Access from any host is allowed if 0.0.0.0 0.0.0.0 (or 0 0) is specified for ip_address and netmask. However, we do not recommend this nonrestrictive configuration.


Step 21 Enter write memory.

The PIX Firewall stores the configuration in Flash memory.

Step 22 Enter exit.

The PIX Firewall exits configuration mode.
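The Step 5 test in Determining When to Bootstrap a PIX Firewall (HTTP server enabled, CiscoWorks Server listed on the management interface) and the http command semantics of Step 20 (default netmask 255.255.255.255, default interface inside, 0.0.0.0 0.0.0.0 or 0 0 admitting any host) can be applied to captured configuration text. The following is an added example, not code from the guide or from Firewall MC; the sample lines are constructed in running-config form, and the parser accepts the equivalent show http output as well.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HttpAccess:
    """HTTP administrative access settings recovered from a PIX or FWSM."""
    server_enabled: bool = False
    hosts: list = field(default_factory=list)  # (ip_network, if_name) pairs


def parse_http_lines(text):
    """Parse 'show http' output or 'http ...' running-config lines.

    Applies the guide's defaults: a missing netmask means 255.255.255.255
    (one host) and a missing interface name means 'inside'. The CLI
    abbreviation '0' for 0.0.0.0 is expanded the way the device does it.
    """
    acc = HttpAccess()
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if tokens and tokens[0].lower() == "http":
            tokens = tokens[1:]  # running-config form carries a leading 'http'
        if not tokens:
            continue
        if tokens[0].lower() == "server":
            acc.server_enabled = len(tokens) > 1 and tokens[1].lower() in ("enable", "enabled")
            continue
        ip = "0.0.0.0" if tokens[0] == "0" else tokens[0]
        mask = tokens[1] if len(tokens) > 1 else "255.255.255.255"
        mask = "0.0.0.0" if mask == "0" else mask
        if_name = tokens[2] if len(tokens) > 2 else "inside"
        try:
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        except ValueError:
            continue  # not a host line ('no http server enable' lands here too)
        acc.hosts.append((net, if_name))
    return acc


def needs_bootstrap(acc, ciscoworks_ip, if_name="inside"):
    """Return (needs_bootstrap, reasons) for a given CiscoWorks Server address."""
    reasons = []
    if not acc.server_enabled:
        reasons.append("HTTP server is not enabled")
    addr = ipaddress.ip_address(ciscoworks_ip)
    if not any(addr in net and name == if_name for net, name in acc.hosts):
        reasons.append(f"{ciscoworks_ip} is not an allowed HTTP host on {if_name}")
    return bool(reasons), reasons


def nonrestrictive_entries(acc):
    """Entries equivalent to 'http 0.0.0.0 0.0.0.0', which admit any host;
    the guide advises against this configuration."""
    return [(str(net), name) for net, name in acc.hosts if net.prefixlen == 0]


# Constructed samples (not captured from a real device).
SAMPLE_OK = """\
http server enable
http 10.10.20.5 255.255.255.255 inside
"""
SAMPLE_PDM_OUTSIDE = """\
http server enable
http 0 0 outside
"""
SAMPLE_DISABLED = """\
no http server enable
http 10.10.20.5
"""

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("outside", SAMPLE_PDM_OUTSIDE), ("disabled", SAMPLE_DISABLED)):
        acc = parse_http_lines(text)
        print(label, needs_bootstrap(acc, "10.10.20.5"), nonrestrictive_entries(acc))
```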


Bootstrapping a New PIX Firewall

To bootstrap a new PIX Firewall, you configure only the information required for the Firewall MC to connect to the inside interface of that PIX Firewall. After you connect to the PIX Firewall, use Firewall MC to define the remaining configuration settings, such as the remaining interfaces and routes.

This procedure assumes that:

The PIX Firewall is connected to your network.

You have not configured the PIX Firewall.

You do not intend to use the Cisco PIX Device Manager (PDM) to manage or monitor the PIX Firewall.

The inside interface is used for administrative connections to the PIX Firewall.

The CiscoWorks Server resides on the same network as the inside interface.

This procedure also assumes that the PIX Firewall was booted for the first time and that the terminal displays the Pre-configure PIX Firewall now through interactive prompts [yes]? prompt, which indicates that the setup command has been run. The setup command:

Enables the PIX Firewall HTTP server.

Allows you to specify the IP address of one host that can manage the PIX Firewall.

Populates the settings required to generate the default certificate used by SSL-based connections to the HTTP server.


Step 1 Log in to the console terminal connected to the console port.

Step 2 Enter y at the Pre-configure PIX Firewall now through interactive prompts [yes]? prompt.

The Enable password [<use current password>]: prompt appears.

Step 3 Enter the current enable password for this PIX Firewall.

The Clock (UTC) prompt appears.

Step 4 Set the PIX Firewall clock to Universal Coordinated Time (also known as Greenwich Mean Time), then press Enter.

The Year [system year]: prompt appears.

Step 5 Enter the current year, or default to the year stored in the host computer.

The Month [system month]: prompt appears.

Step 6 Enter the current month, or default to the month stored in the host computer.

The Day [system day]: prompt appears.

Step 7 Enter the current day, or default to the day stored in the host computer.

The Time [system time]: prompt appears.

Step 8 Enter the current time in hh:mm:ss format, or default to the time stored in the host computer.

The Inside IP address: prompt appears.

Step 9 Enter the network interface IP address of the PIX Firewall.

The Inside network mask: prompt appears.

Step 10 Enter the network mask that applies to the inside IP address.

Enter 0.0.0.0 to specify a default route. You can abbreviate the 0.0.0.0 network mask as 0.

The Host name: prompt appears.

Step 11 Enter the hostname to display in the PIX Firewall command line prompt.


Note The hostname for each device must be unique. Firewall MC cannot manage multiple devices with the same hostname.


The Domain name: prompt appears.

Step 12 Enter the DNS domain name of the network on which the PIX Firewall runs, for example, "example.com," then press Enter.


Note The hostname and domain name are used to generate the default certificate for the SSL connection. The interface type is determined by the hardware.


The IP address of host running PIX Device Manager: prompt appears.

Step 13 Enter the IP address of the CiscoWorks Server that will manage this PIX Firewall.

The Use this configuration and write to flash? prompt appears.

Step 14 Enter yes.

The inside interface is enabled and the requested configuration is written to Flash memory.

Step 15 Enter exit.

The command line interface exits configuration mode.


Bootstrapping PIX Firewall to Use Auto Update Server

You can specify that you want your firewall to poll an Auto Update Server (AUS) and retrieve any configuration changes from that server. You can specify this option before or after you begin to manage the firewall with Firewall MC. This procedure describes how to prepare the firewall before you begin managing it with Firewall MC.


Caution If you are managing firewalls that are configured for failover (serial or LAN), you cannot use the AutoUpdate server. You must deploy directly to the firewalls from Firewall MC.

If you are already managing the firewall, do not bootstrap the device manually. Instead, select Configuration > Settings > Auto Update Server to specify settings for the AutoUpdate Server at either the group level or device level for this PIX Firewall. For more information on these settings, see Representing Auto Update Servers, page 7-45. For more information about AutoUpdate Server, see Using the AutoUpdate Server 1.1.


Step 1 Log in to the console terminal connected to the PIX Firewall console port.

Step 2 Enter enable.

Step 3 Enter password at the command prompt.

The password identifies the enable password used to administer this PIX Firewall.

The PIX Firewall enters privileged mode.

Step 4 Enter config terminal.

The PIX Firewall enters configuration mode.

Step 5 Enter route if_name ip_address netmask gateway_ip [metric].

This specifies a static (default) route for the specified interface.


Note You must configure a route only if the AUS server is on a different network from either the Firewall MC server or the PIX Firewall. In this case, configure the route to the network on which the AUS server resides.


if_name—The internal or external network interface name.

ip_address—The internal or external network IP address. Enter 0.0.0.0 to specify a default route.

netmask—A network mask to apply to ip_address. Enter 0.0.0.0 to specify a default route.

gateway_ip—The IP address of the gateway router (the next hop address for this route).

metric—The number of hops to gateway_ip. If you are not sure, enter 1. Your network administrator can supply this information or you can use a traceroute command to obtain the number of hops. The default is 1 if you do not specify a metric.

Step 6 Enter auto-update server https://username:password@AUSserver_IP_address:port/autoupdate/AutoUpdateServlet.

This connects the device to the AUS.

username—Login name used to enter the CiscoWorks Server.

password—Password used to enter the CiscoWorks Server.

AUSserver_IP_address—IP address of the AUS server.

port—Port number of the AUS server. The number is typically 1741.

Step 7 Enter auto-update poll-period poll_period [retry_count] [retry_period].

This changes the polling period for AUS.

poll_period—Period in minutes between poll updates. Default is 720.

retry_count—Number of times to retry if unable to connect to server. Default is 0. (Optional)

retry_period—Time, in minutes, between retries. Default is 5. (Optional)

Step 8 Enter auto-update device-id hardware-serial | hostname | ipaddress [if_name] | mac-address [if_name] | string text.

This configures the device to use the specified device ID to identify itself.

if_name—The interface name.

text—Text that identifies the device.

Because a PIX Firewall might have more than one interface, the assigned device ID could be the IP address or MAC address of one of the interfaces.

In the following example, outside is the name of the outside interface and the device ID is the IP address of that outside interface.

auto-update device-id ipaddress outside

Alternatively, you can use the hostname as the device ID, which is resolved to an address via DNS:

auto-update device-id hostname

Step 9 Enter write memory.

This stores the current configuration in the PIX Firewall Flash memory.

Step 10 Enter exit.
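The auto-update settings entered in Steps 6 through 8, together with the failover caution at the top of this section, can be checked against a saved running configuration before the device is imported. This is an added example, not code from the guide or from Firewall MC; the configuration text is constructed, and the check reads the bare failover line as the sign that failover is enabled (an assumption about the running-config form).

```python
from urllib.parse import urlsplit

AUS_PATH = "/autoupdate/AutoUpdateServlet"
DEFAULT_POLL = (720, 0, 5)  # poll_period, retry_count, retry_period defaults from Step 7


def parse_auto_update(config_text):
    """Collect the auto-update lines (and whether failover is enabled) from a config."""
    cfg = {"server": None, "poll": DEFAULT_POLL, "device_id": None, "failover": False}
    for raw in config_text.splitlines():
        tokens = raw.strip().split()
        if not tokens:
            continue
        if tokens == ["failover"]:  # assumption: bare 'failover' line means enabled
            cfg["failover"] = True
        if tokens[0] != "auto-update" or len(tokens) < 3:
            continue
        kind, args = tokens[1], tokens[2:]
        if kind == "server":
            cfg["server"] = urlsplit(args[0])
        elif kind == "poll-period":
            vals = [int(v) for v in args] + list(DEFAULT_POLL[len(args):])
            cfg["poll"] = tuple(vals[:3])  # fill omitted optional values with defaults
        elif kind == "device-id":
            cfg["device_id"] = (args[0], " ".join(args[1:]))
    return cfg


def audit_auto_update(cfg, expected_aus_ip):
    """Return (level, message) findings; 'error' findings block a working AUS setup."""
    findings = []
    srv = cfg["server"]
    if srv is None:
        return [("error", "no auto-update server configured (Step 6)")]
    if srv.scheme != "https":
        findings.append(("error", f"server URL uses {srv.scheme}, expected https"))
    if srv.hostname != expected_aus_ip:
        findings.append(("error", f"server host {srv.hostname} is not the expected AUS {expected_aus_ip}"))
    if srv.path != AUS_PATH:
        findings.append(("error", f"server path {srv.path!r} should be {AUS_PATH!r}"))
    if srv.port != 1741:
        findings.append(("warn", f"port {srv.port} differs from the usual AUS port 1741"))
    if srv.username is None or srv.password is None:
        findings.append(("error", "server URL is missing the CiscoWorks username:password"))
    else:
        findings.append(("info", "CiscoWorks credentials are embedded in the config; protect config backups"))
    poll, retries, retry_period = cfg["poll"]
    if poll <= 0 or retries < 0 or retry_period <= 0:
        findings.append(("error", f"invalid poll-period settings {cfg['poll']} (Step 7)"))
    if cfg["device_id"] is None:
        findings.append(("warn", "no auto-update device-id set (Step 8)"))
    if cfg["failover"]:
        findings.append(("error", "failover is enabled; AUS cannot be used, deploy from Firewall MC instead"))
    return findings


# Constructed sample configurations (not captured from a real device).
GOOD_CONFIG = """\
hostname pixbranch1
no failover
auto-update server https://cwadmin:S3cret@10.10.20.5:1741/autoupdate/AutoUpdateServlet
auto-update poll-period 720 3 5
auto-update device-id hostname
"""
BAD_CONFIG = """\
hostname pixbranch2
failover
auto-update server http://cwadmin:S3cret@10.10.20.9:1741/AutoUpdateServlet
auto-update poll-period 0
"""

if __name__ == "__main__":
    for text in (GOOD_CONFIG, BAD_CONFIG):
        for level, message in audit_auto_update(parse_auto_update(text), "10.10.20.5"):
            print(level, message)
```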


Verifying PIX Firewall Configuration

You can verify that the PIX Firewall is configured properly by using an HTTPS connection to connect to the PIX Firewall and view the configuration file.


Step 1 From the CiscoWorks Server, open a browser.

Step 2 Enter https://ip_address/exec/show%20config, where ip_address is the IP address of the PIX Firewall.

The PIX Firewall prompts for credentials, which verifies that the HTTP server is enabled on this PIX Firewall. If you are not prompted for credentials, see Bootstrapping an Existing PIX Firewall, or Bootstrapping a New PIX Firewall.

Step 3 At the username prompt, press Tab.

Step 4 At the password prompt, enter the enable password for the PIX Firewall.

The configuration running on this PIX Firewall appears (equivalent to the show config command). Your ability to view the configuration verifies that the CiscoWorks Server can administer this PIX Firewall. If you cannot authenticate, see Bootstrapping an Existing PIX Firewall, or Bootstrapping a New PIX Firewall.

Step 5 Close the browser.


Bootstrapping Firewall Services Modules

Before you can use Firewall MC to manage an FWSM, you must configure the firewall so that Firewall MC can contact and administer it. If the firewall is already configured, you should verify that its configuration is correct for Firewall MC. The procedures in this section take you through using the command line to verify the configuration.

Topics to be discussed are:

Determining When to Bootstrap the FWSM

FWSM Configuration Worksheet

Bootstrapping an Existing FWSM

Bootstrapping a New FWSM

Verifying an FWSM Configuration

Determining When to Bootstrap the FWSM

The following two scenarios require that you bootstrap an FWSM before managing it with Firewall MC:

You are planning to manage an existing FWSM (configured and running on your network) with Firewall MC; however, the FWSM is not configured to accept HTTP administrative connections from the CiscoWorks Server running Firewall MC.

You are adding a new FWSM to your network.

The basic bootstrapping procedure is the same for single context and multiple context modes supported in FWSM 2.1 and later.

After you install a new FWSM, you should confirm that IP connectivity exists between the Firewall MC server and the FWSM before you try to import or deploy. This procedure allows you to verify that an existing FWSM can be administered by the CiscoWorks Server.


Step 1 Log in to the Catalyst 6500 series switch or Cisco 7600 series router in which the FWSM is installed.

Step 2 To determine the module number of the FWSM, enter show module all at the command prompt.

A list of the installed modules appears, showing the Mod, Slot, Ports, Module-Type, Model, Sub, and Status fields.

Step 3 Enter session slot slot-number processor 1, where slot-number is the slot in which the FWSM module resides.

Step 4 Enter the Telnet password used to access this module.

Step 5 Enter enable.

Step 6 Enter password at the command prompt.

The password identifies the enable password used to administer this FWSM.

The FWSM enters privileged mode.

Step 7 Enter config terminal.

The FWSM enters configuration mode.

Step 8 Enter show http.

The FWSM lists the allowed hosts and the enable state of the HTTP server.

Verify that the IP address of the CiscoWorks Server appears in the list and that the HTTP server is enabled. If these two settings exist, you do not need to bootstrap the device. Otherwise, see Bootstrapping an Existing FWSM.

Step 9 Enter exit.

The command line interface exits FWSM configuration mode.

Step 10 Enter logout.

You log out of the FWSM and return to the Catalyst switch prompt.

Step 11 Enter exit to log out of the Catalyst switch.


FWSM Configuration Worksheet

Before you bootstrap an FWSM, you must collect the information that describes the placement of that FWSM on your network. Complete the following worksheet to identify the information used when you bootstrap an FWSM.

Question: What is the enable password?
Answer: ________________

Question: What is the Telnet password?
Answer: ________________

Question: What is the IP address of the inside interface?
Answer: ________________

Question: What is the netmask of the inside interface?
Answer: ________________

Question: What is the hostname?
Answer: ________________

Question: What is the module ID?
Answer: ________________

Question: What is the DNS domain name of the network on which the firewall device runs?
Answer: ________________

Question: What is the IP address of the CiscoWorks Server that should have access to the FWSM via HTTP?
Answer: ________________

Question: If you are bootstrapping an existing FWSM, what is the name of the interface used to accept administrative connections?
Answer: ________________


Bootstrapping an Existing FWSM

This procedure assumes the interfaces, IP addresses, and routes are defined for this FWSM. To bootstrap a new FWSM, see Bootstrapping a New FWSM.


Step 1 Log in to the Catalyst 6500 series switch or Cisco 7600 series router where the FWSM is installed.

Step 2 To determine the module number for the Firewall Services Module, enter show module all at the command prompt.

A list of the installed modules appears, showing the Mod, Slot, Ports, Module-Type, Model, Sub, and Status fields.

Step 3 Enter session slot slot-number processor 1, where slot-number is the slot in which the FWSM resides.

Step 4 Enter the Telnet password used to access this module.

Step 5 Enter enable.

Step 6 Enter password at the command prompt.

The password identifies the enable password used to administer this FWSM.

The FWSM enters privileged mode.

Step 7 Enter config terminal.

The FWSM enters configuration mode.

Step 8 If you have never used Cisco PIX Device Manager (PDM) to manage this FWSM, follow Step 9 through Step 17. If you are already using PDM to manage this FWSM, skip to Step 18.

If you configured this FWSM to work with PDM, you could be using an interface other than inside for management. Step 18 allows you to specify an additional administrative host, the CiscoWorks Server, on the appropriate interface. Step 12 assumes the inside interface is used to manage this FWSM.

Step 9 Enter setup.

The setup command:

Enables the FWSM HTTP server.

Allows you to specify the IP address of the CiscoWorks Server that will manage the FWSM.

Populates the settings required to generate the default certificate used by SSL-based connections to the HTTP server.

Adds to any existing list of hosts allowed to manage the device; it does not replace existing settings.

Step 10 Enter y at the Pre-configure FWSM Firewall now through interactive prompts [yes]? prompt.

The Enable password [<use current password>]: prompt appears.

Step 11 Enter the current enable password for this FWSM.

The Inside IP address: prompt appears.

Step 12 Verify the network interface IP address of the FWSM is correct, then press Enter.

The Inside network mask: prompt appears.

Step 13 Verify the network mask that applies to inside IP address, then press Enter.

Enter 0.0.0.0 to specify a default route. You can abbreviate the 0.0.0.0 network mask as 0.

The Host name: prompt appears.

Step 14 Verify the hostname to display in the FWSM command line prompt, then press Enter.


Note The hostname for each device must be unique. Firewall MC cannot manage multiple devices with the same hostname.


The Domain name: prompt appears.

Step 15 Verify the DNS domain name of the network on which the FWSM runs, for example, example.com, then press Enter.


Note The hostname and domain name are used to generate the default certificate for the SSL connection. The interface type is determined by the hardware.


The IP address of host running PIX Device Manager: prompt appears.

Step 16 Enter the IP address of the CiscoWorks Server that will manage this FWSM.

The Use this configuration and write to flash? prompt appears.

Step 17 Enter yes.

If you do not require additional administrative hosts to have access to this firewall, you have performed the necessary configuration. Skip to Step 20.

If you want to manage or monitor the FWSM with PDM, go to Step 18.


Note For security reasons, you should limit the number of administrative hosts to the minimum number required by your organization.


Step 18 Enter http ip_address [netmask] [if_name] to specify that the CiscoWorks Server can connect to and configure the FWSM using HTTP.

ip_address—Specifies the IP address of the CiscoWorks Server that will manage this FWSM.

netmask—Specifies the network mask for the http ip_address. If you do not specify a network mask, the default is 255.255.255.255 regardless of the class of IP address.

if_name—Specifies the FWSM interface name on which the CiscoWorks Server initiating the HTTP connection resides. The default if_name is "inside."


Note Access from any host is allowed if 0.0.0.0 0.0.0.0 (or 0 0) is specified for ip_address and netmask. However, we do not recommend this nonrestrictive configuration.


Step 19 Enter write memory.

The FWSM stores the current configuration in Flash memory.

Step 20 Enter exit.

The command line interface exits FWSM configuration mode.

Step 21 Enter logout.

You log out of the FWSM and return to the switch or router prompt.

Step 22 Enter exit to log out of the switch or router.


Bootstrapping a New FWSM

To bootstrap a new FWSM, you configure only the information required for the Firewall MC to connect to the inside interface of that FWSM. Also, you must configure a default VLAN group for the module before the module is recognized by the switch. After you bootstrap the FWSM, you can connect to it and use Firewall MC to define the remaining configuration information, such as the remaining interfaces, VLANs, and routes.

Before You Begin

This procedure assumes:

The switch or router that houses the FWSM is connected to your network.

The FWSM is properly installed in the switch or router chassis and the switch or router is powered up.

You have not configured the FWSM.

You do not intend to use the Cisco PIX Device Manager (PDM) to manage or monitor the FWSM.

The inside interface is used for administrative connections to the FWSM.

The CiscoWorks Server resides on the same network as the inside interface.


Note Any VLANs that you define for the FWSM using Firewall MC must also be defined and configured on the switch or router.


To bootstrap a new FWSM in a switch or router on your network:


Step 1 Log in to the Catalyst 6500 series switch or Cisco 7600 series router in which the FWSM is installed.

Step 2 To determine the module number of the FWSM, enter show module all at the command prompt.

A list of the installed modules appears, showing the Mod, Slot, Ports, Module-Type, Model, Sub, and Status fields.

Step 3 Enter EXEC mode, then enter configure terminal to enter configuration mode.

Step 4 To create a VLAN, enter vlan vlan_range for each VLAN number to define the VLAN range that you plan to assign to the FWSM. The vlan_range can be one or more VLANs (1 to 1000 and from 1025 to 4094) as:

A single number (n).

A range (n-x). Separate numbers or ranges by commas, (for example, 5,7-10,13,45-100).

Step 5 To define a controlled multiple-switched VLAN interface (SVI) on the Multilayer Switch Feature Card (MSFC), (also referred to as the route processor), enter interface vlan vlan_number.


Note You must configure a controlled multiple SVI on the MSFC or you will be unable to configure VLANs on the module. You must also define the same VLAN on the FWSM. It is the common VLAN that the two modules must share.


Step 6 To assign an IP address to the VLAN interface, enter the following commands:

config t

interface vlan vlan_number

ip address ip_address net_mask

no shut

Step 7 To exit the VLAN mode and return to configuration mode, enter exit.

Next, you must bind the VLANs that were previously defined in Step 4 and Step 5 to be protected by the FWSM.

Step 8 To create a firewall group of controlled VLANs, enter firewall vlan-group firewall_group vlan_range.

Step 9 To attach the VLAN and firewall group to the slot where the FWSM module is located, enter firewall module module_number vlan-group firewall_group.

Step 10 To update the VLAN database and return to privileged EXEC mode, enter end.

Step 11 Enter session slot slot-number processor 1, where slot-number is the slot in which the FWSM resides.

Step 12 Enter the Telnet password used to access this module.

Since this FWSM is new, the default telnet password is cisco.

Step 13 Enter enable.

Step 14 Enter password at the command prompt.

The password identifies the enable password used to administer this FWSM.

The FWSM enters privileged mode.

Step 15 Enter config terminal.

The FWSM enters configuration mode.

Step 16 Enter nameif vlan_number inside 100 to associate the interface with a VLAN, where vlan_number is one of the VLANs that you defined within the range of the firewall group VLAN defined in Step 8.

This command names the interface inside, assigns it security level 100, and associates it with the VLAN.

Step 17 Enter setup.

The setup command:

Enables the FWSM HTTP server.

Allows you to specify the IP address of the CiscoWorks Server that will manage the FWSM.

Populates the settings required to generate the default certificate used by SSL-based connections to the HTTP server.

Adds to any existing list of hosts allowed to manage the device; it does not replace existing settings.

Step 18 Enter y at the Pre-configure FWSM Firewall now through interactive prompts [yes]? prompt.

The Enable password [<use current password>]: prompt appears.

Step 19 Enter the current enable password for this FWSM.

The Inside IP address: prompt appears.

Step 20 Enter the network interface IP address of the FWSM.

The Inside network mask: prompt appears.

Step 21 Enter the network mask that applies to the inside IP address.

Enter 0.0.0.0 to specify a default route. You can abbreviate the 0.0.0.0 network mask as 0.

The Host name: prompt appears.

Step 22 Enter the hostname to display in the FWSM command line prompt.

Firewall MC does not support dashes or underscores (- _) in the hostname.


Note The hostname for each device must be unique. Firewall MC cannot manage multiple devices with the same hostname.


The Domain name: prompt appears.

Step 23 Enter the DNS domain name of the network on which the FWSM runs, for example, "example.com," then press Enter.


Note The hostname and domain name are used to generate the default certificate for the SSL connection. The interface type is determined by the hardware.


The IP address of host running PIX Device Manager: prompt appears.

Step 24 Enter the IP address of the CiscoWorks Server that will manage this FWSM.

The Use this configuration and write to flash? prompt appears.

Step 25 Enter yes.

The inside interface is enabled and the requested configuration is written to Flash memory.

Step 26 Enter exit.

The command line interface exits FWSM configuration mode.

Step 27 Enter logout.

You log out of the FWSM and return to the Catalyst switch prompt.

Step 28 Enter exit to log out of the Catalyst switch.


Verifying an FWSM Configuration

You can verify that the FWSM is configured properly by using an HTTPS connection to connect to the FWSM and view the configuration file. This should be done before importing the firewall device into Firewall MC.


Step 1 From the CiscoWorks Server, open a browser.

Step 2 Enter https://ip_address/exec/show%20config, where ip_address is the IP address of the FWSM.

The FWSM prompts for credentials, which verifies that the HTTP server is enabled on this FWSM. If you are not prompted for credentials, see Bootstrapping an Existing FWSM, or Bootstrapping a New FWSM.

Step 3 At the username prompt, press Tab.

Step 4 At the password prompt, enter the enable password for the FWSM.

The current configuration running on this FWSM appears (equivalent to the show config command). Your ability to view the configuration verifies that the CiscoWorks Server can administer this FWSM. If you cannot authenticate, see Bootstrapping an Existing FWSM, or Bootstrapping a New FWSM.

Step 5 Close the browser.
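The bootstrap procedure above and this verification procedure together define what Firewall MC needs to find on an FWSM: a hostname without dashes or underscores that is unique among managed devices, a domain name (both feed the default SSL certificate), the HTTP server enabled, and the CiscoWorks Server listed as an allowed management host. The following is an added example, not part of the Cisco manual, that applies those checks offline to the text that the show%20config URL returns, so that a device can be screened before it is imported. The sample configuration, the CiscoWorks address and the VLAN number are constructed; the command keywords it parses (hostname, domain-name, http server enable, http address mask interface, nameif) are standard PIX/FWSM syntax.

```python
"""Offline sanity check of an FWSM bootstrap configuration.

Added example, not from the Cisco manual. It checks the settings that the
bootstrap and verification procedures require against a "show config" dump.
All sample values below are constructed.
"""
import ipaddress
import re
from urllib.parse import quote

# Constructed sample of what "show config" returns after the setup command.
# The nameif line follows the form shown in Step 16 (nameif vlan inside 100).
SAMPLE_CONFIG = """\
hostname fwsm1
domain-name example.com
nameif 100 inside 100
ip address inside 10.1.100.1 255.255.255.0
http server enable
http 10.1.1.50 255.255.255.255 inside
"""

CISCOWORKS_IP = "10.1.1.50"   # constructed address of the CiscoWorks Server


def show_config_url(fwsm_ip: str) -> str:
    """Build the URL used in Step 2 of the verification procedure."""
    return f"https://{fwsm_ip}/exec/{quote('show config')}"


def parse_config(text: str) -> dict:
    """Pull out the settings Firewall MC depends on from a show-config dump."""
    cfg = {"hostname": None, "domain_name": None,
           "http_server": False, "http_hosts": [], "interfaces": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue                       # comment and banner lines
        words = line.split()
        if words[0] == "hostname" and len(words) == 2:
            cfg["hostname"] = words[1]
        elif words[0] == "domain-name" and len(words) == 2:
            cfg["domain_name"] = words[1]
        elif words[:3] == ["http", "server", "enable"]:
            cfg["http_server"] = True
        elif words[0] == "http" and len(words) == 4:
            # http <address> <mask> <interface>: a host allowed to manage the device
            net = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
            cfg["http_hosts"].append((net, words[3]))
        elif words[0] == "nameif" and len(words) >= 3:
            cfg["interfaces"].append(words[2])   # interface name, e.g. inside
    return cfg


def check_bootstrap(text: str, ciscoworks_ip: str,
                    known_hostnames=()) -> list:
    """Return a list of problems; an empty list means the device is ready."""
    cfg = parse_config(text)
    problems = []
    host = cfg["hostname"]
    if not host:
        problems.append("no hostname configured")
    else:
        if re.search(r"[-_]", host):
            problems.append("hostname contains '-' or '_' (not supported by Firewall MC)")
        if host in known_hostnames:
            problems.append(f"hostname {host!r} already used by another managed device")
    if not cfg["domain_name"]:
        problems.append("no domain-name (needed for the default SSL certificate)")
    if not cfg["http_server"]:
        problems.append("HTTP server is not enabled")
    mgmt = ipaddress.ip_address(ciscoworks_ip)
    if not any(mgmt in net for net, _ in cfg["http_hosts"]):
        problems.append(f"CiscoWorks Server {ciscoworks_ip} is not an allowed http host")
    if "inside" not in cfg["interfaces"]:
        problems.append("no interface named inside")
    return problems


if __name__ == "__main__":
    print(show_config_url("10.1.100.1"))
    for p in check_bootstrap(SAMPLE_CONFIG, CISCOWORKS_IP) or ["ready for import"]:
        print(p)
```

In practice you would paste the configuration text retrieved in Step 4 into check_bootstrap, passing the hostnames of devices already in Firewall MC as known_hostnames; any message it returns points back at the corresponding bootstrap step.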


What Is a Virtual Firewall and How Does It Differ from a Conventional Firewall?

A firewall is a network security device that separates networks in order to provide added security, support corporate policies by enforcing access to and from the network, and safeguard against malicious attacks.

Firewalls protect inside networks from unauthorized access on an outside network. The firewall can also protect inside networks from each other, for example, by keeping a human resources network separate from a user network. If you have network resources that need to be available to an outside user, such as a web or FTP server, you can place these resources on a separate network behind the firewall, called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, but because the DMZ only includes the public servers, an attack there affects only the servers and does not affect the other inside networks. You can also control outside access by inside users (for example, access to the Internet), by allowing only certain addresses out, by requiring authentication or authorization, or by coordinating with an external URL filtering server.

Conventional firewalls are physical, standalone hardware components that reside on your network. Virtual firewalls are logical firewalls that provide the same functionality as conventional firewalls, but are integrated with other hardware components.

The Firewall Services Module (FWSM) is a firewall card that you install in the Catalyst 6500 series switches and Cisco 7600 series routers. It is designed to allow multiple virtual firewall instances (also referred to as security contexts) to run on a single hardware platform. Each security context has its own configuration and policies, and each is treated by Firewall MC as an independent device.

Firewall MC is not aware that certain virtual firewalls reside on the same FWSM. You can use the Firewall MC grouping mechanism to group virtual firewalls in a single group and configure settings at the group level so common properties can be inherited and shared.

Virtual firewalls running on the same FWSM can also belong to different groups within the device hierarchy. For example, a service provider might want to assign virtual firewalls on a single FWSM to different levels of subscribers.

Firewall MC allows you to add different types or versions of devices to the same group. However, if, at the group level, you specify any feature that applies only to Layer 2 (L2) firewalls, and you then generate the configuration for a Layer 3 (L3) firewall that resides within the same group, a warning or error results.


Note Firewall MC currently supports multiple virtual firewall instances only on an FWSM.


What Is Meant by Security Context?

You can partition a single FWSM into multiple virtual firewalls, known as security contexts. Each context is an independent system, with its own security policy, interfaces, and administrators. Multiple contexts are equivalent to having multiple standalone firewalls.

Each security context has its own configuration that identifies the security policy, interfaces, and almost all options you can configure on a standalone firewall. If desired, you can allow individual context administrators to implement the security policy on the context.

In addition to individual security contexts, the FWSM includes a system configuration that identifies basic settings for the card, including a list of contexts. This configuration resides as the startup configuration in the Flash partition.

The system administrator adds and manages contexts by configuring them in the system configuration. The system administrator has privileges to manage all contexts. The system configuration does not include any network interfaces or network settings for itself; instead, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the Admin context.

The Admin context is just like any other context, except that when a user logs into the Admin context (for example, over an SSH connection), that user has system administrator rights, and can access the system execution space and all other contexts. Typically, the Admin context provides network access to network-wide resources, such as a syslog server or context configuration server.

You might want to use multiple security contexts if:

You are a service provider and want to sell firewall services to many customers. By enabling multiple security contexts on the FWSM, you can implement a cost-effective, space-saving solution that keeps all customer traffic separate and secure, and also eases your configuration.

You are a large enterprise or a college campus and want to keep departments completely separate.

You are an enterprise that wants to provide distinct security policies to different departments.

You have any network that requires more than one firewall.

What Is Meant by Mode?

The FWSM 2.1 has two configuration modes:

Single—Only one firewall security context exists, so the FWSM blade behaves as a single firewall device. Context management is therefore not a factor.

Multiple—Multiple independent virtual firewall security contexts exist. Context creation and blade-wide resource management are done within a terminal console called system context.


Note Switching between single mode and multiple mode is not supported.


The FWSM 2.1 can run in either Layer 3 (L3) Mode or Layer 2 (L2) Mode.

L2 Mode—VLAN-based Layer 2 interfaces are used, and the firewall operates within a single subnet. L2 mode is also referred to as transparent mode. When the FWSM is running in transparent mode, it acts as a Layer 2 firewall. The FWSM acts like a "bump in the wire," and is not a router hop. The FWSM connects the same network on its inside and outside ports, but each port must be on a different VLAN. No dynamic routing protocols or NAT are required.

L3 Mode—Layer 3 IP interfaces are used, and the firewall operates between different networks. L3 mode is also referred to as routed mode. When the FWSM is in routed mode, it acts as a Layer 3 firewall and is considered a router hop in the network. It performs Network Address Translation (NAT) between connected networks, and can use Open Shortest Path First (OSPF) or passive Routing Information Protocol (RIP) in single context mode.


Note Virtual and transparent mode information is not shown as part of the configuration. As a result, the show run command displays no mode information.


The FWSM supports a maximum of 256 interfaces per context or in single context mode. In multiple context mode, the FWSM has an overall limit of 2000 VLAN interfaces across all contexts. You can share interfaces between contexts if your network requires it.

Mode information defined in Firewall MC must match the information contained in the configuration files, or an error results.