A PIX Security Appliance is a standalone device: it can be taken out of the
box, connected to the LAN, powered on, and is then ready to be configured. A
FWSM is not a standalone device. It is a security module installed in a
Catalyst chassis, and before a security policy can be configured on it the
following tasks must be completed:
- Initialize the FWSM.
- Configure the switch VLANs.
- Associate VLANs with the FWSM.
The switch CLI is accessible through the switch console interface or through a
Telnet connection to the switch. Telnet carries credentials and commands in
cleartext, so where the switch image supports SSH, use that instead of Telnet
for remote access.
Verify FWSM Installation
Before the FWSM can be used, verify that the card is installed and recognized
by the switch. Enter the show module command to confirm that the system
acknowledges the new module and has brought it online. The syntax for the show
module command is shown in the figure.
Configure the Switch VLANs
The FWSM has no external physical interfaces. Instead, it uses VLAN interfaces.
Hosts connect to physical switch ports, and those ports are assigned to VLANs.
To prevent mismatched VLANs, the administrator should first configure each
VLAN on the MSFC and then configure the corresponding VLAN on the FWSM; the
VLAN ID must be the same on the switch and on the FWSM. After the MSFC VLANs
are configured, specific VLANs can be associated with the FWSM.
The first step was to add the VLANs on the MSFC. The next step is to associate
the VLANs that the FWSM will inspect with that FWSM. This is done in two steps,
using the firewall vlan-group and firewall module commands.
The firewall vlan-group command creates a group of firewall VLANs identified by
the vlan-group number. The syntax for the firewall vlan-group command is shown
in the figure.
Once VLANs have been assigned to a group, the firewall module command
associates that VLAN group with the FWSM in a specific slot. The syntax for the
firewall module command is shown in the figure.
In the example in the figure, VLANs 100, 200, and 300 have been placed in
firewall VLAN-group 1, and the FWSM in slot 4 is associated with VLAN-group 1,
so it receives VLANs 100, 200, and 300.
Verify the MSFC Configuration
The administrator can verify that the MSFC is properly configured for
interaction with the FWSM. The show firewall vlan-group command shows which
VLANs are assigned to each firewall VLAN-group. The show firewall module
command shows that the VLAN-groups are assigned to the slot where the FWSM
resides.
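The switch-side steps above, collected into one Catalyst native IOS
configuration. This is an added example, not the configuration from the
page's figures. Slot 4 and VLANs 100, 200 and 300 come from the page; the
hostname, the VLAN names, the 192.168.1.0/24 addressing of the MSFC SVI, and
the 10.1.1.0/24 and 172.16.0.0/24 networks assumed to sit behind the FWSM are
assumptions.

```text
! Added example (not from the page). Catalyst native IOS, FWSM in slot 4.
! Hostname, VLAN names and all IP addresses are assumed values.
Switch# show module
! Confirm the FWSM is listed in slot 4 and its status is Ok before continuing.

Switch# configure terminal
! 1. Create the VLANs on the switch first, so the IDs used on the FWSM match.
Switch(config)# vlan 100
Switch(config-vlan)# name fw-outside
Switch(config-vlan)# exit
Switch(config)# vlan 200
Switch(config-vlan)# name fw-inside
Switch(config-vlan)# exit
Switch(config)# vlan 300
Switch(config-vlan)# name fw-dmz
Switch(config-vlan)# exit

! 2. Give the MSFC a routed interface (SVI) on the outside VLAN only. This is
!    the next hop the FWSM default route will point at. Do not add SVIs on the
!    inside or dmz VLANs: the MSFC would then route between those VLANs
!    directly and traffic would bypass the firewall.
Switch(config)# interface vlan 100
Switch(config-if)# ip address 192.168.1.254 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit

! 3. Routes on the MSFC to the networks behind the FWSM, via the address the
!    FWSM outside interface will be given (192.168.1.1, assumed).
Switch(config)# ip route 10.1.1.0 255.255.255.0 192.168.1.1
Switch(config)# ip route 172.16.0.0 255.255.255.0 192.168.1.1

! 4. Group the firewall VLANs and assign the group to the FWSM in slot 4.
Switch(config)# firewall vlan-group 1 100,200,300
Switch(config)# firewall module 4 vlan-group 1
Switch(config)# end

! 5. Verify: group 1 should list 100,200,300 and module 4 should show group 1.
Switch# show firewall vlan-group
Switch# show firewall module

! 6. Open a console session to the FWSM to continue with its own configuration.
Switch# session slot 4 processor 1
```

The order matters for the mismatch problem the text warns about: the VLANs
exist on the switch before they are grouped, and the group is assigned to the
module before anything is named on the FWSM, so the IDs used later on the FWSM
can be checked against show firewall vlan-group.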
Configure the FWSM Interfaces
The FWSM is now installed, the MSFC VLANs are configured, and the VLANs are
associated with a specific FWSM. The next step is to configure the security
policy on the FWSM. The FWSM is accessed from the switch with the
session command. Use the default password cisco for the FWSM when prompted. A
prompt for an enable mode password is then displayed. By default there is no
enable password, and pressing Enter gives access to enable mode. Change both
the default login password and the empty enable password before the module is
placed in service, and use the new values for all future access.
Once on the FWSM, standard security appliance commands are used to name the
interfaces, assign security levels, and specify IP addresses.
The example in the figure uses the nameif command to associate VLAN 100 with
the outside interface at security level 0, VLAN 200 with the inside interface,
and VLAN 300 with the dmz interface. In each case the ip address command then
assigns an IP address to the interface.
Configure a Default Route
A default route may also need to be added. In the example in the figure, a
default route is created pointing to the VLAN 100 interface of the MSFC.
It may also be necessary to create static routes. Multiple context mode does
not support dynamic routing, so static routes must be used to reach any
networks to which the FWSM is not directly connected, such as when a router is
between the destination network and the FWSM.
Static routes might be
appropriate in single context mode if:
- The network uses a routing protocol other than RIP or OSPF.
- The network is small and static routes can be easily managed.
- The traffic or CPU overhead associated with routing protocols is to be
avoided.
Configure the FWSM Access Lists
The administrator needs to create ACLs to allow outbound as well as inbound
traffic, because the FWSM, unlike the PIX Security Appliance (which by default
permits traffic from a higher-security interface to a lower-security one),
denies all inbound and outbound connections that are not explicitly permitted
by an ACL. Explicit access rules are configured with the access-list command
and attached to the appropriate interface with the access-group command to
allow traffic to enter through that interface. Traffic that has been permitted
into an interface can exit through any other interface. Return traffic that
matches an existing session is permitted statefully, without an explicit ACL.
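The FWSM-side steps (interfaces, default route, access lists) as one
configuration, entered after session slot 4 processor 1 from the switch. This
is an added example, not the page's figure. It uses the FWSM 2.x single-context
syntax the page describes (nameif with an embedded security level). The
interface names, VLANs and the security level 0 for outside come from the page;
the security levels for inside and dmz, all IP addresses, the dmz web server
172.16.0.10 and the ACL names are assumptions. NAT is not discussed on the page
and is omitted.

```text
! Added example (not from the page). FWSM 2.x single-context syntax.
! All addresses, the dmz host and the ACL names are assumed values.
FWSM> enable
FWSM# configure terminal

! 1. Name each VLAN interface, set its security level and give it an address.
FWSM(config)# nameif vlan100 outside security0
FWSM(config)# nameif vlan200 inside security100
FWSM(config)# nameif vlan300 dmz security50
FWSM(config)# ip address outside 192.168.1.1 255.255.255.0
FWSM(config)# ip address inside 10.1.1.1 255.255.255.0
FWSM(config)# ip address dmz 172.16.0.1 255.255.255.0

! 2. Default route toward the MSFC's VLAN 100 SVI (192.168.1.254, assumed).
!    inside and dmz are directly connected and need no static route.
FWSM(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.254 1

! 3. Access lists. The FWSM denies anything not explicitly permitted, including
!    traffic from inside toward outside, so an outbound ACL is required too.
!    Outbound: inside hosts may browse the web and resolve names. Nothing else.
FWSM(config)# access-list INSIDE_IN permit tcp 10.1.1.0 255.255.255.0 any eq www
FWSM(config)# access-list INSIDE_IN permit tcp 10.1.1.0 255.255.255.0 any eq https
FWSM(config)# access-list INSIDE_IN permit udp 10.1.1.0 255.255.255.0 any eq domain
FWSM(config)# access-group INSIDE_IN in interface inside

!    Inbound: the Internet may reach only the dmz web server, only on port 80.
!    Everything else arriving on outside hits the implicit deny.
FWSM(config)# access-list OUTSIDE_IN permit tcp any host 172.16.0.10 eq www
FWSM(config)# access-group OUTSIDE_IN in interface outside

!    No ACL is applied to dmz: its replies to permitted sessions are allowed
!    statefully, and with no inbound ACL on dmz it cannot initiate connections
!    to inside or outside. Add an ACL here only if the dmz host must originate
!    traffic, and keep it as narrow as the two above.

! 4. Replace the default passwords before the module carries production traffic.
FWSM(config)# passwd <new-login-password>
FWSM(config)# enable password <new-enable-password>
FWSM(config)# write memory
```

Note what the outbound ACL buys you compared with a PIX default policy: an
inside host compromised by malware can only reach the outside on the three
services listed, which is exactly the "deny unless permitted" behaviour the
text attributes to the FWSM.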