Firewall Services Module (FWSM) Questions

Hello,

I have some questions on FWSM and any help will be appreciated:

Basically what we are trying to do is simple in architecture: relocating production VLANs behind the FWSM blade. In comparison, this is much simpler than putting it on the perimeter and having the whole network behind it, where you need to do complex routing etc.

I have defined one outside interface where the FWSM interfaces with the campus network. The idea is to put VLANs (not complex) behind this interface. The filtering (ACLs) for incoming traffic is done on the outside interface.

1) In order to make a distinction between different VLANs, would it be possible to use more than one access-list on the outside interface?

(If I specify only one access-list for all the incoming traffic from outside to the VLANs, it will be difficult to troubleshoot when having problems with specific VLANs.)

2) ACL command: "access-list x permit tcp any any established" cannot be used on the FWSM. Is there anything else I can use to replace "established"?

3) If I want to put comments in the FWSM configuration file, how can I do that?

Thanks in advance

--osman

Montreal, Quebec

1 REPLY

Re: Firewall Services Module (FWSM) Questions

Osman,

All good questions. Answers in-line below:

1) In order to make a distinction between different VLANs, would it be possible to use more than one access-list on the outside interface?

(If I specify only one access-list for all the incoming traffic from outside to the VLANs, it will be difficult to troubleshoot when having problems with specific VLANs.)

A - Unfortunately, the answer is no. This can mean that you have a large ACL on your outside interface, as you indicated, but applying one ACL in one direction per interface is a Cisco standard.

2) ACL command: "access-list x permit tcp any any established" cannot be used on the FWSM. Is there anything else I can use to replace "established"?

A - By default, the FWSM already performs a function similar to the "established" command. Due to the Adaptive Security Algorithm (ASA), the FWSM will monitor all traffic outbound and automatically allow the return traffic back in. In general, the "established" keyword is a bad idea. All it does is look to see if the ACK, FIN, PSH, RST, SYN, or URG TCP control bits are set. If they are, the traffic is allowed. Falsely setting control bits is not hard to do and can allow hackers into your network if they know what they are doing. The FWSM ASA is far more advanced than this but effectively does what you need.

3) If I want to put comments in the FWSM configuration file, how can I do that?

A - Currently you cannot. This is a new feature coming in the FWSM 2.2 release. Right now, your only option is to put a line in your text file that contains the config (on your TFTP server, for example) with a '!' preceding it.

Hope this helps.

Scott
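To make the point in answer 2 concrete, here is an added example (not part of the reply above, and not FWSM code) that models a stateless "established"-style check next to a minimal stateful connection table of the kind the answer attributes to the Adaptive Security Algorithm. The packet tuples, the inside address range and both filter functions are constructed for illustration; the stateless check uses the IOS definition of `established` (ACK or RST bit set).

```python
# Added example: stateless "established" flag check vs. stateful flow tracking.
# Everything here is a constructed model, not the behaviour of a real FWSM.
from dataclasses import dataclass

INSIDE_NET = "10.1.0."  # constructed: a VLAN placed behind the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP control bits present, e.g. frozenset({"SYN"})


def established_allows(pkt: Packet) -> bool:
    """Stateless check in the spirit of 'permit tcp any any established':
    any inbound segment with ACK or RST set is accepted, regardless of
    whether an inside host ever opened the connection."""
    return bool(pkt.flags & {"ACK", "RST"})


class StatefulFilter:
    """Minimal stateful model: an outbound SYN from an inside host records a
    flow; an inbound segment is accepted only if it is the reverse of a
    recorded flow. A forged ACK with no matching flow is dropped."""

    def __init__(self) -> None:
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def outbound(self, pkt: Packet) -> None:
        if "SYN" in pkt.flags and pkt.src.startswith(INSIDE_NET):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_allows(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def compare(fw: StatefulFilter, pkt: Packet) -> dict:
    """Return the verdict of both filters for one inbound packet."""
    return {"established": established_allows(pkt),
            "stateful": fw.inbound_allows(pkt)}
```

The legitimate SYN/ACK reply to a connection opened from inside passes both filters, while an inbound segment that merely has ACK set but matches no recorded flow passes the stateless check and is dropped by the stateful one.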
