User Guide
Page 10
... configuration and maintenance of the following: Services & Access Configure the router (r, w, z) Description Define network interfaces and settings, create command aliases, set the protocols the router will support, enable interfaces and network services, set of packets to view SNMP MIB statistics, ...secret, TACACS+ secret, DH shared secret, Router Authentication key, PPP authentication key, SSH private key © Copyright 2011 Cisco Systems, Inc. 10 This document may be freely reproduced and distributed whole and intact including this Copyright Notice. Crypto Officer Services...
User Guide
Page 21
...Copyright Notice. all special characters except '?' Identification and authentication on the console port is entered when the Crypto Officer first engages the "enable" command. DRBG Known Answer Test HMAC-SHA-1 Known Answer Test SHA-1/256/512 Known Answer Test Triple-... config-register 0x0102 3. approved RNGs 3 Secure Operation The module meets all digits; no other than its default. © Copyright 2011 Cisco Systems, Inc. 21 This document may be 0x0102. The Crypto Officer must create the "enable" password for Users. The Crypto Officer shall...
Installation Guide
Page 13
... Cisco 7600 Series Internet Router Software Configuration Guide • Cisco 7600 Series Internet Router Command Reference • Cisco 7600 Series Internet Router System Message Guide • Cisco 7600 Series Internet Router IOS Software Configuration Guide • Cisco 7600 Series Internet Router IOS Command Reference • Cisco ...from Cisco Systems. World Wide Web You can access the most current Cisco documentation on the World Wide Web at the following sites: • http://www.cisco.com • http://www-china.cisco.com • http://www-europe.cisco.com OL-5079-04 Cisco 7609 ...
Installation Guide
Page 68
... installation is complete, refer to the Cisco 7600 Series Internet Router Software Configuration Guide, the Cisco 7600 Series Internet Router IOS Software Configuration Guide, the Cisco 7600 Series Internet Router Command Reference, or the Cisco 7600 Series Internet Router IOS Command Reference publications to troubleshoot the software. If the FAN Cisco 7609 Internet Router Installation Guide 4-2 OL-5079...
Installation Guide
Page 73
... and resolve the problem OL-5079-04 Cisco 7609 Internet Router Installation Guide 4-7 Refer to the Cisco 7600 Series Internet Router Software Configuration Guide, the Cisco 7600 Series Internet Router IOS Software Configuration Guide, the Cisco 7600 Series Internet Router Command Reference or the Cisco 7600 Series Internet Router IOS Command Reference publications to configure or enable the...
Configuration Guide
Page 2
... Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are trademarks; Any use of their respective owners. All other countries. Any examples, command display output, and figures included in this... document or website are the property of the word partner does not imply a partnership relationship between Cisco and any other company. (1002R) Any Internet Protocol (IP...
Configuration Guide
Page 9
... Priority 9-7 Filtering PIM Register Messages 9-7 Configuring PIM Message Intervals 9-8 For More Information About Multicast Routing 9-8 10 C H A P T E R Configuring IPv6 10-1 IPv6-Enabled Commands 10-1 Configuring IPv6 on an Interface 10-2 Configuring a Dual IP Stack on an Interface 10-4 Configuring IPv6 Duplicate Address Detection 10-4 Configuring IPv6 Default and... 10-7 Configuring the Neighbor Reachable Time 10-7 Configuring Router Advertisement Messages 10-8 OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM ix
Configuration Guide
Page 14
... NAT Session (Xlate) Creation 16-13 NAT and PAT Global Pool Usage 16-14 NAT and Same Security Level Interfaces 16-14 Order of NAT Commands Used to Match Real Addresses 16-15 Maximum Number of NAT Statements 16-15 Mapped Address Guidelines 16-15 DNS and NAT 16-16 Configuring... PAT and HTTP 17-3 Authenticating Directly with the FWSM 17-3 Enabling Network Access Authentication 17-3 Configuring Custom Login Prompts 17-5 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM xiv OL-20748-01
Configuration Guide
Page 18
... Map for Additional Inspection Control 22-26 FTP Inspection 22-30 FTP Inspection Overview 22-30 Using the strict Option 22-30 The request-command deny Command 22-31 Configuring FTP Inspection 22-32 Verifying and Monitoring FTP Inspection 22-34 GTP Inspection 22-35 GTP Inspection Overview 22-35 GTP...22-47 H.323 Inspection Overview 22-48 How H.323 Works 22-48 Limitations and Restrictions 22-49 Topologies Requiring H.225 Configuration 22-50 H.225 Map Commands 22-50 xviii Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01
Configuration Guide
Page 21
...Privileged EXEC Mode 23-13 Configuring Authentication for the Enable Command 23-13 Authenticating Users Using the Login Command 23-13 Configuring Command Authorization 23-14 Command Authorization Overview 23-14 Configuring Local Command Authorization 23-15 Configuring TACACS+ Command Authorization 23-18 Configuring Command Accounting 23-22 Viewing the Current Logged-In User 23... 24-18 Configuring Auto Update Support 24-18 Configuring Communication with an Auto Update Server 24-18 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM xxi
Configuration Guide
Page 24
... Configuration (Example 8) B-27 The Secondary FWSM Configuration (Example 8) B-30 Switch Configuration (Example 8) B-30 C A P P E N D I X Using the Command-Line Interface C-1 Firewall Mode and Security Context Mode C-1 Command Modes and Prompts C-2 Syntax Formatting C-3 Abbreviating Commands C-3 Command-Line Editing C-3 xxiv Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01
Configuration Guide
Page 25
... I X GLOSSARY INDEX Command Completion C-3 Command Help C-4 Filtering show Command Output C-4 Command Output Paging C-5 Adding Comments C-5 Text Configuration Files C-6 How Commands Correspond with Lines in the Text File C-6 Command-Specific Configuration Mode Commands C-6 Automatic Text Entries C-6 Line Order C-7 Commands Not Included in the Text Configuration C-7 Passwords C-7 Multiple Security Context Files C-7 Mapping MIBs to CLI Commands D-1 Addresses, Protocols, ...20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM xxv
Configuration Guide
Page 27
... less common scenarios. ASDM includes configuration wizards to find additional information on the Catalyst 6500 switch and the Cisco 7600 router, using the command-line interface. FWSM protects your network from unauthorized use the following sections: • Audience, page xxvii ...describes only the most common configuration scenarios. Document Conventions The FWSM command syntax descriptions use . This preface includes the following conventions: OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, a...
Configuration Guide
Page 28
... an example because it is not available on modes, prompts, and syntax, see the following URL: http://www.cisco.com/en/US/products/ps6121/tsd_products_support_series_home.html For more information, see Appendix C "Using the Command-Line Interface." For information on your platform. Related Documentation FWSM documentation is at the following documentation: • Catalyst...
Configuration Guide
Page 38
...can restore the previous behavior, so that are built as a result of Remote Create Instance RemoteCreationInstance RPC messages. The following command was introduced: service reset connection marked-for deletion, it will send a reset packet. Table 1-1 New Features for FWSM Version... are not sent by default. Management Features Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 1-2 OL-20748-01 The following command was modified: hostname primary_hostname [secondary secondary_hostname]. NAT/PAT Global Pool This feature...
Configuration Guide
Page 39
...management-only Teardown Syslog Enhancement New syslogs were added for when a connection is not part of generating crash information. The following command was introduced: logging names. The following topics: • Permitting or Denying Traffic with Access Lists, page 1-4 • ...• Protecting from IP Fragments, page 1-4 OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 1-3 No commands were modified. You can share a single management VLAN across Mode multiple contexts. The FWSM ...
Configuration Guide
Page 48
...Internal Interface" section on page A-1 for more information. Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the following command: Router> show module command shows six ports for the FWSM; See the "Switch Hardware and Software Compatibility" ...section on page 2-8 for more information. To disable this feature, enter the following command: Router(config)# no monitor session servicemodule Verifying the Module Installation To verify that the switch acknowledges the FWSM and has ...
Configuration Guide
Page 49
...VLANs to the switch before you can create a group for failover and stateful communications to a switch port. Assigning VLANs to the FWSM In Cisco IOS software, create up to 16 firewall VLAN groups, and then assign the groups to the FWSM; Assign the primary VLAN to the FWSM.... To assign VLANs to the FWSM, perform the following steps: Step 1 To assign VLANs to a firewall group, enter the following command: Router(config)# firewall vlan-group firewall_group vlan_range The firewall_group argument is possible that VLANs in the 1020-1100 range might already be one or more...
Configuration Guide
Page 50
... Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using this procedure, then those VLANs are brought administratively up on the FWSM even if they were configured to be shut down , enter the following commands at the FWSM CLI: interface ...(n-x) Separate numbers or ranges by commas. For example, enter the following numbers: 5,7-10 The following is sample output from the show firewall module command, which shows all VLAN groups: Router# show firewall module Module Vlan-groups 5 50,52 8 51,52 Adding Switched Virtual Interfaces to the MSFC...
Configuration Guide
Page 53
...context requires a unique VLAN on the MSFC, enter the following command: Router(config-if)# ip address address mask To enable the interface, enter the following command: Router(config-if)# no shutdown OL-20748-01 The following command: Router(config)# interface vlan vlan_number To set the IP address... (See Figure 2-3). Figure 2-3 Multiple SVIs in routed mode so you to add more than one SVI to the FWSM, enter the following command: Router(config)# firewall multiple-vlan-interfaces To add a VLAN interface to the MSFC, enter the following example shows a typical configuration with multiple...