User Guide
Page 14
...shipped with one item to be selected from Cisco Systems. World Wide Web You can access the most current Cisco documentation on the World Wide Web at the following URL: http://www.cisco.com Translated documentation is available at the end of items, click on the first entry... and click on the entry at the following URL: http://www.cisco.com/public/countries_languages.shtml Documentation CD-ROM Cisco documentation and additional literature are supported: • To select a single item in the following ways: Cisco 6500/7600 Series Manager User Guide xiv then, without moving the pointer...
User Guide
Page 267
...These are possible values: - 207 (0xCF) = PPP or HDLC with no payload scrambling - 22 (0x16) = PPP or HDLC with other DSUs. cisco - disabled - Both ends of the SONET STS-SPE Higher Order VC. SONET Path Header (C2) Area The SONET Path Header (C2) area contains the following values: - verilink ... check (CRC) word size. local-Sets the loopback after going through the framer toward the terminal. - This attribute is currently not supported. This mode has the following values: - The CRC is enabled on the interface. • DSU Bandwidth-DSU subrate bandwidth in loopback by...
Configuration Guide
Page 11
... Multicast Traffic through the Transparent Firewall 13-7 Adding an Extended ACE 13-7 Adding an EtherType Access List 13-9 Supported EtherTypes 13-9 Apply Access Lists in Both Directions 13-9 Implicit Deny at the End of an Access List Does Not Affect IP or ARP Traffic 13-9 Using Extended and EtherType Access Lists on... Adding Object Groups 13-12 Adding a Protocol Object Group 13-12 Adding a Network Object Group 13-13 OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM xi
Configuration Guide
Page 92
...of this command, then any context commands that can use the same name for both ends of VLANs assigned to continue the admin context configuration. See the "Sharing Interfaces Between Contexts...command in the context, enter the following range: int0-int10 4-28 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01 the VLAN ID in ...does not yet exist in the system configuration. You can be the same or different for supported VLANs). Enter a VLAN number or a range of the VLAN ID. You can allocate a...
Configuration Guide
Page 140
...Basic Settings For multiple context mode, the hostname that you enter the keywords determines the order of non-ASCII characters. A hostname must start and end with a letter or digit, and have as within a context does not appear in which is default.domain.invalid. Avoid the use of ...for the FWSM or for each context, as well as interior characters only letters, digits, or a hyphen. The FWSM supports all contexts. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 7-4 OL-20748-01 For multiple context mode, you log into...
Configuration Guide
Page 174
... on the FWSM into the routing table of the FWSM interface as needed until the session ends. This forwarding continues as the next hop IP address for each of these routes specify the...Active FWSM (applicable in the active state. Configuring Route Health Injection Note This feature depends on Cisco IOS Release 12.2(33)SXI or later, and is used for injecting the connected routes, ... in multiple mode, by utilizing the MSFC routing protocols and RHI. Because the FWSM only supports OSPF or other dynamic routing protocols in single context mode, RHI can be used in multiple...
Configuration Guide
Page 223
... hostname (config)# crypto ca export newton pkcs12 cisco123 Exported pkcs12 follows: [ PKCS12 data omitted ] ---End - This section includes the following topics: • Exporting a Keypair and Certificate, page 12-7 •... (config)# crypto ca export pkcs12 You can be sure that CA, enter the support-user-cert-validation command. To control which trustpoint sharing a CA is password protected;...one of the pkcs12--- Chapter 12 Configuring Certificates virtual http atl-lx-sbacchus.cisco.com Certificate Configuration Exporting and Importing Keypairs and Certificates You can create this ...
Configuration Guide
Page 228
...important. Each ACE that you enter for a given access list name is appended to the end of the access list unless you can specify the source and destination addresses, the protocol, ... user Extended, downloaded from a AAA server per user You can configure an access list that support Modular Policy Framework. Access List Overview Chapter 13 Identifying Traffic with Access Lists Access List Types ... does not allow any traffic unless it inactive. 13-2 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01 You can ...
Configuration Guide
Page 232
...to allow ICMP in the previous commitment are used in a message similar to the end of access lists that use large port number ranges or overlapping networks (for both ...limit. For connectionless protocols such as bidirectional connections. 13-6 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01 This section... Access List Chapter 13 Identifying Traffic with Access Lists Maximum Number of ACEs The FWSM supports a maximum number of one ACE specifies 10.0.0.0/8 and another specifies 10.1.1.0/24, resulting ...
Configuration Guide
Page 235
...are not handled by a 16-bit hexadecimal number. OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 13-9 EtherType access lists support Ethernet V2 frames. 802.3-formatted frames are SNAP-encapsulated, and the FWSM is made up of one...access list because they use failover, you must allow BPDUs. Apply Access Lists in Both Directions, page 13-9 • Implicit Deny at the End of an Access List Does Not Affect IP or ARP Traffic, page 13-9 • Using Extended and EtherType Access Lists on both directions....
Configuration Guide
Page 272
... active unit continually passes per-connection state information to keep the same communication session. Note If failover occurs during an active Cisco IP SoftPhone session, the call session state information is no session information for the given endpoints. OSPF databases and routing tables... IPSec SA table. • GTP PDP connection database. • The user authentication (uauth) table. Supported end-user applications are 14-18 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01 When the call is terminated, ...
Configuration Guide
Page 362
... no filter activex 80 0 0 0 0 18-2 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using a hyphen between the starting port number and the ending port number. The filter activex command blocks the HTML commands by using ASDM OL... form, 0) to a previous filter condition, specify the keyword except. ActiveX controls, formerly known as in the tags is supported by the alias command. Filtering ActiveX Objects Chapter 18 Applying Filtering Services ActiveX Filtering Overview ActiveX objects may pose security risks because...
Configuration Guide
Page 405
... between the FWSM and the PISA. OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using GRE and includes a tag informing...Integration Guidelines and Limitations, page 21-5 • Using GRE for Tagging, page 21-5 • Failover Support, page 21-6 PISA Integration Guidelines and Limitations The following topics: • PISA Integration Overview, page ...to-peer (P2P) applications if they are dropped. • It is possible for an end-user application to use multiple PISAs upstream and downstream of the FWSM if desired. •...
Configuration Guide
Page 406
... so you want to Deny PISA Traffic To identify traffic that you have an implicit permit at the end. To see the supported protocol names, use the permit ? When you want denied. or deny ? Failover Support Failover of the FWSM. Unlike access lists, which have an implicit deny at least one deny statement... that traffic resides, the PISA encapsulates all traffic except for Skype, eDonkey, and Yahoo, enter the following commands: 21-6 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the class-map command.
Configuration Guide
Page 432
...Bytes 17480 FLAGS - H UDP out 10.0.0.21:49609 in 10.0.0.23:49608 idle 0:00:10 Bytes 241836 FLAGS - DCERPC inspection supports the following messages: • End point mapper (EPMAP) • RemoteCreateInstance • Any message that allows software clients to open pinholes through the FWSM. outside acknowledged...contain an IP address or port information because these messages do not require inspection 22-16 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using RPC communication that does not use the EPM is a protocol widely ...
Configuration Guide
Page 483
...mode. A gateway may belong to 4294967295. OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the mgcp-map command. Note MGCP inspection does not support the use the access-list extended command, as a loopback or virtual IP address; Configuring... • The port on which the gateway receives commands from the call agent. This establishes a flow through the FWSM and allows MGCP end points to the same group. The standard ports are not configured by entering the mgcp-map command in the group (other than one a...
Configuration Guide
Page 526
...in advance the IP address of 80 ASDM instances between two VPN peers occurs over the tunnel. Transparent mode does support site-to access ASDM on the FWSM end of the FWSM, the only address available on the inside interface, enter the following command: hostname(config)# http 192...client authentication. In the case of the tunnel is busy and has not hung. You can connect to another VPN concentrator, such as a Cisco PIX firewall or a Cisco IOS router, using resource classes. (See the "Configuring a Class" section on page 4-24.) To configure ASDM access, perform the following ...
Configuration Guide
Page 551
... or major release using the no failover active command in a configuration mode. The FWSM does not support 802.1Q tagging on VLAN 1. You must use VLAN 1 on the switch. You can either application... a new maintenance release using failover: If you can set a new default boot partition. • Cisco IOS software Router# show running , and the major version number does not match (3.1 vs. 3.2), then...the secondary unit before the primary unit comes online with the new version. If necessary, end the FWSM session by entering the following command: hostname# exit Logoff [Connection to 127...
Configuration Guide
Page 691
... Loopback 0:0:0:0:0:0:0:1 ::1 Unspecified 0:0:0:0:0:0:0:0 :: OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM E-5 For information about ...series of zeros. But each field must contain at the beginning, middle, or end of an IPv6 address (the colons represent the successive hexadecimal fields of zeros ... types, and prefixes. It provides an expanded address space, a simplified header format, improved support for IPv6 addresses to 2001:0DB8:0:0:8:800:200C:417A by colons (:) in the format: x:x:x:x:x:x:x:x....
Configuration Guide
Page 716
...for dial-up ISP access using analog phone lines and modems. Point-to a session are not required. See also PIM-SM. Devices supporting this standard let administrators maintain a single set of GRE. PPTP Network Server. A tunnel defined by Microsoft to provide secure remote access ...using IGMP to receive the transmission. An ICMP request sent by a modified version of personal identity information. Cisco PIX FWSMs provide robust, enterprise-class integrated network security services to -end PPP connection is defined by a host to -Point Protocol. A field in an access list. A ...