Firewall Services Module Operation
Getting started with the FWSM

A PIX Security Appliance can be taken out of the box, hooked up to LAN cables, powered on, and it is then ready to be configured. A FWSM, by contrast, is not a standalone device. It is a security module within a Catalyst chassis. Before a security policy can be configured on a FWSM, the following tasks must be completed:

  • Initialize the FWSM.
  • Configure the switch VLANs.
  • Associate VLANs with the FWSM.

The switch CLI is accessible through a Telnet connection to the switch or through the switch console interface.

Verify FWSM Installation
Before the FWSM can be used, it must be verified that the card is installed and recognized by the switch. Enter the show module command to verify that the system acknowledges the new module and has brought it online.

The syntax for the show module command is shown in Figure .

Configure the Switch VLANs
The FWSM does not include any external physical interfaces. Instead, it uses VLAN interfaces. Hosts are connected to switch ports, and VLANs are assigned to these physical switch ports. To prevent mismatched VLANs, the administrator should first configure a VLAN on the MSFC, and then configure the VLANs on the FWSM. VLAN IDs must be the same on the switch and on the FWSM. After the MSFC VLAN is configured, specific VLANs can be associated with a FWSM.

The first step was to add VLANs to the MSFC. The next step is to associate the VLANs to be inspected by the FWSM. A VLAN can be linked with a specific FWSM by using the firewall command.

The firewall vlan-group command creates a group of firewall VLANs named by the vlan-group parameter. The syntax for the firewall vlan-group command is shown in Figure .

Once VLANs have been assigned to a group, the firewall module command associates that VLAN group with a specific FWSM.

The syntax for the firewall module command is shown in Figure

In the example in Figure , VLANs 100, 200, and 300 have been placed into Firewall VLAN-group 1. The FWSM in slot 4 is associated with VLAN-group 1, VLANs 100, 200, and 300.

Verify the MSFC Configuration
The administrator can verify that the MSFC is properly configured for interaction with the FWSM. The show firewall vlan-group command verifies which VLANs are assigned to each firewall VLAN-group. The show firewall module command verifies that the VLAN-groups are assigned to the slot where the FWSM resides.

Configure the FWSM Interfaces
The FWSM is now installed. The MSFC VLANs are configured. The FWSM VLANs are associated with a specific FWSM. The next step is to configure the security policy on the FWSM. The FWSM can be accessed by using the session command. Use the default password cisco for the FWSM when prompted. A prompt for an enable mode password is then displayed. By default, there is no password, and the Enter key can be pressed to access the enable mode. It is recommended that you change the enable password to a valid value and use this for future access to this mode.

Once on the FWSM, standard security appliance commands are used to configure interface names, add security levels, and specify IP addresses.

The example in Figure shows the use of the nameif command: it associates VLAN 100 as the outside interface and sets the interface to a security level of 0. It also defines VLAN 200 as the inside interface and specifies VLAN 300 as the dmz interface. In all cases, the ip address command is used to add an IP address to each interface.

Configure A Default Route
A default route may also need to be added. In the example in Figure , a default route is created, pointing to the VLAN 100 interface of the MSFC.

It may also be necessary to create static routes. Multiple context mode does not support dynamic routing, so static routes must be used to reach any networks to which the FWSM is not directly connected, such as when a router is between the destination network and the FWSM.

Static routes might be appropriate in single context mode if:

  • The network uses a routing protocol other than RIP or OSPF.
  • The network is small and static routes can be easily managed.
  • The traffic or CPU overhead associated with routing protocols is to be avoided.

Configure the FWSM access-lists
The administrator needs to create ACLs to allow outbound as well as inbound traffic, because the FWSM, unlike the security appliances, denies all inbound and outbound connections that are not explicitly permitted by ACLs. Explicit access rules need to be configured using the access-list command and attached to the appropriate interface using the access-group command to allow traffic to pass through that interface. Traffic that has been permitted into an interface can exit through any other interface. Return traffic matching the session information is permitted without an explicit ACL.
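The whole procedure from the sections above, carried through end to end, as an added example that is not taken from the course text or from Cisco documentation. It assumes IOS on the supervisor, FWSM 2.x-style single-context syntax, slot 4 and VLANs 100, 200 and 300 as in the figures; the IP addresses, ACL names and the DMZ web server 10.1.2.10 are constructed for the example.

```cisco
! --- Catalyst 6500 supervisor (IOS on the MSFC) ---
! the FWSM in slot 4 should show status "Ok" here
show module
configure terminal
vlan 100
vlan 200
vlan 300
! MSFC side of VLAN 100; the FWSM uses it as its default gateway
interface vlan 100
 ip address 192.0.2.1 255.255.255.0
! group the three firewall VLANs, then hand the group to slot 4
firewall vlan-group 1 100,200,300
firewall module 4 vlan-group 1
end
! expect group 1 -> 100,200,300 and module 4 -> vlan-group 1
show firewall vlan-group
show firewall module
! open a console session to the FWSM (login password: cisco)
session slot 4 processor 1

! --- FWSM, single context, FWSM 2.x (PIX 6.x style) CLI ---
enable
configure terminal
! replace the empty default enable password before doing anything else
enable password REPLACE-ME
! VLAN IDs must match the vlan-group on the MSFC exactly
nameif vlan100 outside security0
nameif vlan200 inside security100
nameif vlan300 dmz security50
ip address outside 192.0.2.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.1.2.1 255.255.255.0
! default route to the MSFC VLAN 100 interface
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
! the FWSM denies all traffic not explicitly permitted, outbound included
access-list inside_out permit ip 10.1.1.0 255.255.255.0 any
access-group inside_out in interface inside
! inbound: only HTTP to the DMZ web server; return traffic needs no ACL
access-list outside_in permit tcp any host 10.1.2.10 eq www
access-group outside_in in interface outside
! DMZ hosts may only originate DNS queries
access-list dmz_out permit udp 10.1.2.0 255.255.255.0 any eq domain
access-group dmz_out in interface dmz
write memory
```

Any VLAN listed in the vlan-group but missing from the FWSM nameif commands (or the reverse) is the mismatch the course text warns about, so compare the two show firewall outputs against the nameif lines before applying ACLs.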