
Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module

Installation and Configuration Note
Release 1.1(2)
March 2003

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

Text Part Number: 78-14450-02


THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant
to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required
to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not
installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to
comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable
protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

Modifying the equipment without Cisco’s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital
devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television
communications at your own expense.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its
peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:

• Turn the television or radio antenna until the interference stops.

• Move the equipment to one side or the other of the television or radio.

• Move the equipment farther away from the television or radio.

• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits
controlled by different circuit breakers or fuses.)

Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, and
iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco
Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Empowering the Internet Generation,
Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ
Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing,
ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet, StrataView Plus, TeleRouter, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered
trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0502R)

Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
Copyright © 2002-2003, Cisco Systems, Inc.
All rights reserved.
Copyright Notices

Third-party software used under license accompanies the Cisco Firewall Service Module Software release 1.1(2). One or more of the following notices may apply in
connection with the license and use of such third-party software.

GNU General Public License

The Catalyst 6500 and Cisco 7600 Series Firewall Service Module contains software covered under the GNU Public License (listed below). If you would like to obtain the
source for the modified GPL code in the Firewall Service Module, please send a request to fwsm_sw_req@Cisco.com.

License Text

Copyright (C) 1989, 1991 Free Software Foundation, Inc.

59 Temple Place - Suite 330, Boston, MA 02111-1307, USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your
freedom to share and change free software—to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation’s
software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License
instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies
of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new
free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain
responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they,
too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the
software.

Also, for each author’s protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by
someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original
authors’ reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent
licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone’s free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General
Public License. The “Program,” below, refers to any such program or work, and a “work based on the Program” means either the Program or any derivative work under
copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter,
translation is included without limitation in the term “modification”.) Each licensee is addressed as “you.”

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and
the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that
is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program’s source code as you receive it, in any medium, provided that you conspicuously and appropriately publish
on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give
any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work
under the terms of Section 1 above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at
no charge to all third parties under the terms of this License.

c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to
print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users
may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not
normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered
independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions
for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution
of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution
medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided
that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution,
a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software
interchange; or,

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution
and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code
for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special
exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel,
and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same
place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or
distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this
License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative
works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you
indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or
modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not
responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether
by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so
as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For
example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way
you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is
intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole
purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions
to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the
Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries
not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the
present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and “any later version”, you have the
option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version
number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software
which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the
two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM
“AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU
ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO
MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL,
SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT
LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE
PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.

END OF TERMS AND CONDITIONS

CONTENTS

Audience xiii

Organization xiii

Conventions xiv

Safety Overview xv

Related Documentation xvii

Obtaining Documentation xviii


Cisco.com xviii
Documentation CD-ROM xviii
Ordering Documentation xix
Documentation Feedback xix
Obtaining Technical Assistance xix
Cisco.com xix
Technical Assistance Center xx
Cisco TAC Website xx
Cisco TAC Escalation Center xxi
Obtaining Additional Publications and Information xxi

CHAPTER 1 Overview 1-1

Before You Begin 1-2

Understanding How the Firewall Services Module Works 1-3


Multiple Firewall Services Module Configuration 1-5
Redundancy Failover 1-5
Feature Set 1-8

Specifications and System Limitations 1-9

Front Panel Description 1-11


STATUS LED 1-11
SHUTDOWN Button 1-12
Hardware Specifications 1-12

CHAPTER 2 Installing the Firewall Services Module 2-1

System Requirements 2-1


Memory and Storage Requirements 2-1
Software Requirements 2-1

Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module Installation and Configuration Note
78-14450-02 vii
Contents

Hardware Requirements 2-2

Required Tools 2-2

Installing and Removing the Module 2-2


Slot Assignments 2-3
Removing a Module 2-3
Installing a Module 2-4
Verifying the Installation 2-11
Using the CLI 2-12

CHAPTER 3 Getting Started 3-1

Configuration Overview 3-1


Configuring the Switch Interface 3-3
Cisco IOS Software 3-3
Catalyst Operating System Software 3-4
Sessioning into the Module 3-5
Sessioning into the Maintenance Partition 3-5
Sessioning into the Application Partition 3-6
Configuring the Module 3-7
Saving the Configuration 3-8

Using PDM 3-8


PDM Overview 3-9
PDM Restrictions 3-9
Platform and Browser Requirements 3-9
Setting Up the Module for PDM 3-9
Upgrading the PDM 3-10
Starting PDM 3-11

CHAPTER 4 Configuring Firewall Services 4-1

Configuring Firewall Failover 4-1


Setting up a Single-Chassis Configuration 4-1
Setting Up a Dual-Chassis Configuration 4-3
Configuring Failover 4-4
Using SNMP 4-7
MIB Support 4-8
SNMP Traps 4-8
Receiving Requests and Sending Syslog Traps 4-9
Compiling Cisco Syslog MIB Files 4-9
Using the Firewall and Memory Pool MIBs 4-10
Viewing Failover Status 4-10


Verifying Memory Usage 4-11


Viewing the Connection Count 4-12
Viewing System Buffer Usage 4-13
Using the ipAddrTable 4-15
SNMP Usage Notes 4-15
Configuring OSPF Routing Support 4-15
Enabling OSPF 4-17
Configuring OSPF Interface Parameters 4-17
Configuring OSPF Area Parameters 4-18
Configuring OSPF NSSA 4-19
Configuring Route Summarization Between OSPF Areas 4-20
Configuring Route Summarization when Redistributing Routes into OSPF 4-20
Creating Virtual Links 4-21
Generating a Default Route 4-21
Changing the OSPF Administrative Distances 4-22
Configuring Route Calculation Timers 4-22
Logging Neighbors Going Up or Down 4-22
Changing the LSA Group Pacing 4-23
Original LSA Behavior 4-23
LSA Group Pacing with Multiple Timers 4-23
Blocking OSPF LSA Flooding 4-24
Ignoring MOSPF LSA Packets 4-25
Displaying OSPF Update Packet Pacing 4-26
Area Border Router Type 3 LSA Filtering 4-26
Configuring ABR Type 3 LSA Filtering 4-26
Monitoring and Maintaining OSPF 4-27
Configuring IPSec for Management 4-28

CHAPTER 5 Administering the Firewall Services Module 5-1

Administering the Software Images 5-1


Quick Software Upgrade 5-2
Logging into the Application Software 5-3
Logging into the Maintenance Software 5-3
Upgrading Software Images 5-4
Upgrading the Application Software 5-5
Upgrading the Maintenance Software 5-8
Changing and Recovering Passwords 5-10
Changing the Application Partition Passwords 5-11
Changing the Maintenance Partition Passwords 5-11


Recovering the Application Partition Passwords 5-12


Recovering the Maintenance Partition Passwords 5-13
Resetting the Firewall Services Module 5-13
Resetting the Module with Cisco IOS Software 5-14
Resetting the Module with Catalyst Operating System Software 5-14

Troubleshooting the Firewall Services Module 5-15

APPENDIX A Firewall Services Module and PIX Commands A-1

APPENDIX B Command Reference B-1

APPENDIX C System Messages C-1

System Log Messages C-2

System Message Log Differences C-4

Failover Messages C-5

Connection Messages C-10


FTP and URL C-16
HTTP C-18
ICMP C-18
Routing Messages C-19
H.225 C-21
H.245 C-22
H.323 C-22
IP Fragmentation C-23
SIP C-23
Skinny C-24
RSH C-24
RTSP C-24
SMTP C-24
TCP C-25
UDP C-27
SSH C-28

Telnet C-30

AAA and ACL C-30


User Management C-34

Configuration C-35

FWSM Management C-36

PDM C-38


Stateful Failover C-39

Memory and Resource Allocation C-41

SNMP C-42

DHCP C-43

VPN C-43

Internet Protocol Routing C-45

OSPF C-46

Shun C-51

Preface

This preface describes who should read the Catalyst 6500 Series and 7600 Series Firewall Services
Module Installation and Configuration Note, how it is organized, and its document conventions.

Note Except where specifically differentiated, the term “Catalyst 6500 series switches” includes the Catalyst
6500 series switches and the Cisco 7600 Series Internet Router.

This publication does not contain the instructions to install the Catalyst 6500 series switch or Cisco 7600
Series Internet Router chassis. For information on installing the switch chassis, refer to the Catalyst 6500
Series Installation Guide or the Catalyst 7600 Series Internet Router Installation Guide.

Note For translations of the warnings in this publication, see the “Safety Overview” section on page xv.

Audience
Only trained and qualified service personnel (as defined in IEC 60950 and AS/NZS3260) should install,
replace, or service the equipment described in this publication.

Organization
This publication is organized as follows:

Chapter     Title                                        Description
Chapter 1   Overview                                     Presents an overview of the Catalyst 6500 Series Firewall Services Module (FWSM).
Chapter 2   Installing the Firewall Services Module      Describes how to install the FWSM hardware.
Chapter 3   Getting Started                              Describes how to configure the FWSM.
Chapter 4   Configuring Firewall Services                Describes how to configure firewall services on the FWSM.
Chapter 5   Administering the Firewall Services Module   Describes how to administer and troubleshoot the FWSM.
Appendix A  Firewall Services Module and PIX Commands    Describes the differences between the FWSM and PIX.
Appendix B  Command Reference                            Describes the FWSM commands.
Appendix C  System Messages                              Lists and describes the system messages for the FWSM.

Conventions
This publication uses the following conventions:

Convention             Description
boldface font          Commands, command options, and keywords are in boldface.
italic font            Arguments for which you supply values are in italics.
[ ]                    Elements in square brackets are optional.
{x|y|z}                Alternative keywords are grouped in braces and separated by vertical bars.
[x|y|z]                Optional alternative keywords are grouped in brackets and separated by vertical bars.
string                 A nonquoted set of characters. Do not use quotation marks around the string or the string
                       will include the quotation marks.
screen font            Terminal sessions and information the system displays are in screen font.
boldface screen font   Information you must enter is in boldface screen font.
italic screen font     Arguments for which you supply values are in italic screen font.
^                      The symbol ^ represents the key labeled Control—for example, the key combination ^D in a
                       screen display means hold down the Control key while you press the D key.
< >                    Nonprinting characters, such as passwords, are in angle brackets.

Notes use the following conventions:

Note Means reader take note. Notes contain helpful suggestions or references to material not covered in the
publication.


Tips use the following conventions:

Tip Means the following information will help you solve a problem. The tips information might not be
troubleshooting or even an action, but it could be useful information, similar to a Timesaver.

Cautions use the following conventions:

Caution Means reader be careful. In this situation, you might do something that could result in equipment
damage or loss of data.

Safety Overview
Safety warnings appear throughout this publication in procedures that, if performed incorrectly, may
harm you. A warning symbol precedes each warning statement.

Warning This warning symbol means danger. You are in a situation that could cause bodily injury.
Before you work on any equipment, be aware of the hazards involved with electrical
circuitry and be familiar with standard practices for preventing accidents. To see
translations of the warnings that appear in this publication, refer to the Regulatory
Compliance and Safety Information document that accompanied this device.

Warning (Waarschuwing) This warning symbol means danger. You are in a situation that could cause
bodily injury. Before you work on any equipment, you must be aware of the risks involved with
electrical circuits and you must be familiar with standard measures for preventing accidents.
For translations of the warnings that appear in this publication, consult the Regulatory
Compliance and Safety Information document (Informatie over naleving van veiligheids- en andere
voorschriften) that is included with this device.

Warning (Varoitus) This warning symbol means danger. You are in a situation that could lead to
bodily injury. Before you work on any equipment, find out about the hazards related to electrical
connections and about the usual means of preventing accidents. You will find translations of the
warnings that appear in this publication in the Regulatory Compliance and Safety Information
booklet (määräysten noudattaminen ja tietoa turvallisuudesta) that comes with the device.

Warning (French, Attention) This warning symbol indicates a danger. You are in a situation that could
cause injury or bodily harm. Before working on any equipment, be aware of the hazards
posed by electrical circuits and familiarize yourself with the procedures commonly used
to avoid accidents. For translations of the warnings in this publication, consult the
document Regulatory Compliance and Safety Information that accompanies this device.


Warning (German, Warnung) This warning symbol means danger. You are in a situation that could lead
to bodily injury. Before you begin work on any device, be aware of the hazards associated
with electrical circuits and of the standard practices for preventing accidents.
Translations of the warnings contained in this publication can be found in the document
Regulatory Compliance and Safety Information that was delivered with this device.

Warning (Italian, Avvertenza) This warning symbol indicates a danger. The situation could cause
injury to people. Before working on any equipment, you must know the hazards of electrical
circuits and be aware of standard accident-prevention practices. The translation of the
warnings in this publication is found in the document Regulatory Compliance and Safety
Information that accompanies this device.

Warning (Norwegian, Advarsel) This warning symbol means danger. You are in a situation that can lead
to personal injury. Before you work on equipment, you must be aware of the hazards that
electrical circuits involve and familiarize yourself with common practice for avoiding
accidents. For translations of the warnings in this publication, see the document
Regulatory Compliance and Safety Information that was delivered with this unit.

Warning (Portuguese, Aviso) This warning symbol indicates danger. You are in a situation that could
cause you physical harm. Before you start to work on any equipment, familiarize yourself
with the hazards related to electrical circuits and with any common practices that can
prevent possible accidents. For translations of the warnings in this publication, consult
the document Regulatory Compliance and Safety Information that accompanies this device.

Warning (Spanish, ¡Advertencia!) This warning symbol means danger. There is a risk to your physical
safety. Before handling any equipment, consider the risks involved with electric current
and familiarize yourself with standard accident-prevention procedures. For a translation
of the warnings in this publication, consult the document titled Regulatory Compliance
and Safety Information that accompanies this device.


Warning (Swedish, Varning!) This warning symbol signals danger. You are in a situation that can lead
to personal injury. Before you work on any equipment, you must be aware of the hazards of
electrical circuits and know the usual procedures for preventing injury. See the
explanations of the warnings in this publication in the document Regulatory Compliance
and Safety Information that accompanies this unit.

Related Documentation
For more detailed installation and configuration information, refer to the following publications:
• For additional information about the Catalyst 6500 and Cisco 7600 Series Firewall Services
Module, refer to the Release Notes for Catalyst 6500 and Cisco 7600 Series Firewall Services
Module Software Release 1.1.
• For additional information about Catalyst 6500 series switches and command-line interface (CLI)
commands, refer to the following:
– Site Preparation and Safety Guide
– Regulatory Compliance and Safety Information for the Catalyst 6500 Series and Cisco 7600
series Switches
– Catalyst 6500 Series Switch Installation Guide
– Catalyst 6500 Series Switch Quick Software Configuration Guide
– Catalyst 6500 Series Switch Module Installation Guide
– Catalyst 6500 Series Switch Software Configuration Guide
– Catalyst 6500 Series Switch Command Reference
– Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide
– Catalyst 6500 Series Switch Cisco IOS Command Reference
– ATM Software Configuration and Command Reference—Catalyst 5000 Family and
Catalyst 6500 Series Switches
– System Message Guide—Catalyst 6500 Series, 5000 Family, 4000 Family, 2926G Series,
2948G, and 2980G Switches
– For information about MIBs, refer to this URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
– Release Notes for Catalyst 6500 Series Switches and Cisco 7600 Internet Router for Cisco IOS
Release 12.1(13)E
– Cisco IOS Configuration Guides and Command References—Use these publications to help
you configure the Cisco IOS software that runs on the MSFC and on the MSM and ATM
modules.
– For detailed hardware configuration and maintenance procedures, refer to the Catalyst 6500
Family Module Installation Guide.
• The following documents are available for the Catalyst 6500 family switches running
Catalyst operating system software:
– Release Notes for Catalyst 6000 Family Software Release 7.x


– Catalyst 6500 Series Switch Documentation Map
– Catalyst 6500 Series Switch Configuration Guide (7.5)
– Catalyst 6500 Series Switch Command Reference (7.5)
– System Message Guide—Catalyst 6500 Series Switches (7.5)
• For additional information about the PIX software, refer to the following:
– Cisco PIX Firewall Release Notes Version 6.1(1)
– Cisco PIX Device Manager Installation Guide, Version 2.1
– Cisco PIX 501 Firewall Quick Start Guide
– Cisco PIX Firewall Hardware Installation Guide
– Cisco PIX Device Manager Installation Guide
– Cisco PIX Firewall and VPN Configuration Guide
– Cisco PIX Firewall Command Reference
– Cisco PIX Firewall System Log Messages

Obtaining Documentation
Cisco provides several ways to obtain documentation, technical assistance, and other technical
resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com
You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
International Cisco web sites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM
package, which may have shipped with your product. The Documentation CD-ROM is updated monthly
and may be more current than printed documentation. The CD-ROM package is available as a single unit
or through an annual subscription.
Registered Cisco.com users can order the Documentation CD-ROM (product number
DOC-CONDOCCD=) through the online Subscription Store:
http://www.cisco.com/go/subscription


Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from
the Networking Products MarketPlace:
http://www.cisco.com/en/US/partner/ordering/index.shtml
• Registered Cisco.com users can order the Documentation CD-ROM (Customer Order Number
DOC-CONDOCCD=) through the online Subscription Store:
http://www.cisco.com/go/subscription
• Nonregistered Cisco.com users can order documentation through a local account representative by
calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere
in North America, by calling 800 553-NETS (6387).

Documentation Feedback
You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click
Feedback at the top of the page.
You can e-mail your comments to bug-doc@cisco.com.
You can submit your comments by mail by using the response card behind the front cover of your
document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.

Obtaining Technical Assistance
Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) Website, as a
starting point for all technical assistance. Customers and partners can obtain online documentation,
troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users
have complete access to the technical support resources on the Cisco TAC website, including TAC tools
and utilities.

Cisco.com
Cisco.com offers a suite of interactive, networked services that let you access Cisco information,
networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com provides a broad range of features and services to help you with these tasks:
• Streamline business processes and improve productivity
• Resolve technical issues with online support


• Download and test software packages
• Order Cisco learning materials and merchandise
• Register for online skill assessment, training, and certification programs
To obtain customized information and service, you can self-register on Cisco.com at this URL:
http://www.cisco.com

Technical Assistance Center
The Cisco TAC is available to all customers who need technical assistance with a Cisco product,
technology, or solution. Two levels of support are available: the Cisco TAC website and the Cisco TAC
Escalation Center. The avenue of support that you choose depends on the priority of the problem and the
conditions stated in service contracts, when applicable.
We categorize Cisco TAC inquiries according to urgency:
• Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities,
product installation, or basic product configuration.
• Priority level 3 (P3)—Your network performance is degraded. Network functionality is noticeably
impaired, but most business operations continue.
• Priority level 2 (P2)—Your production network is severely degraded, affecting significant aspects
of business operations. No workaround is available.
• Priority level 1 (P1)—Your production network is down, and a critical impact to business operations
will occur if service is not restored quickly. No workaround is available.

Cisco TAC Website
You can use the Cisco TAC website to resolve P3 and P4 issues yourself, saving both cost and time. The
site provides around-the-clock access to online tools, knowledge bases, and software. To access the
Cisco TAC website, go to this URL:
http://www.cisco.com/tac
All customers, partners, and resellers who have a valid Cisco service contract have complete access to
the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website
require a Cisco.com login ID and password. If you have a valid service contract but do not have a login
ID or password, go to this URL to register:
http://tools.cisco.com/RPF/register/register.do
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco
TAC website, you can open a case online at this URL:
http://www.cisco.com/en/US/support/index.html
If you have Internet access, we recommend that you open P3 and P4 cases through the Cisco TAC
website so that you can describe the situation in your own words and attach any necessary files.


Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These
classifications are assigned when severe network degradation significantly impacts business operations.
When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer
automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the level of Cisco support
services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network
Supported Accounts (NSA). When you call the center, please have available your service agreement
number and your product serial number.

Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online
and printed sources.
• The Cisco Product Catalog describes the networking products offered by Cisco Systems as well as
ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://www.cisco.com/en/US/products/products_catalog_links_launch.html
• Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new
and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking
Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design
Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:
http://www.ciscopress.com
• Packet magazine is the Cisco monthly periodical that provides industry professionals with the latest
information about the field of networking. You can access Packet magazine at this URL:
http://www.cisco.com/en/US/about/ac123/ac114/about_cisco_packet_magazine.html
• iQ Magazine is the Cisco monthly periodical that provides business leaders and decision makers
with the latest information about the networking industry. You can access iQ Magazine at this URL:
http://business.cisco.com/prod/tree.taf%3fasset_id=44699&public_view=true&kbns=1.html
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering
professionals involved in the design, development, and operation of public and private internets and
intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html
• Training—Cisco offers world-class networking training, with current offerings in network training
listed at this URL:
http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html

Chapter 1
Overview

This chapter describes the Catalyst 6500 Series Firewall Services Module, how it operates, and how to
manage it. This chapter contains these sections:
• Before You Begin, page 1-2
• Understanding How the Firewall Services Module Works, page 1-3
• Feature Set, page 1-8
• Specifications and System Limitations, page 1-9
• Front Panel Description, page 1-11
• Hardware Specifications, page 1-12


Before You Begin
To help you get started using the Firewall Services Module, refer to this roadmap:

[Figure: Getting Started with the Firewall Services Module (roadmap). Is the Catalyst 6500 switch
installed on your network? If not, refer to the Catalyst 6000 Family Installation Guide and the
Catalyst 6500 Release Notes, Software Configuration Guide, ATM Configuration Guide and Command
Reference, Command Reference, System Message Guide, and Troubleshooting Tips. Begin to install the
FWSM: the Release Notes for Catalyst 6500 Series Firewall Services Module Software Release 1.1 give
information about the module in this release. Install and configure the FWSM: this Catalyst 6500 Series
Firewall Services Module Installation and Configuration Note covers the Overview, Installing the
Hardware, Configuring the module, Administering the module, and Getting the latest software
information. Configure and use the PIX Device Manager: the User Guide for the PIX Device Manager
(Starting the PIX Device Manager, Command Reference, System Messages) is part of the online help; to
access it, point your web browser at the FWSM and click the Help link in the upper right of the screen.
For all PIX commands used by the module, refer to the PIX Software Documentation: Release Notes,
Installation Guide, Quick Configuration Guide, Configuration Guide, Command Reference, System
Message Guide, and Getting the latest PIX Firewall software documentation.]

Note The Firewall Services Module uses many of the same commands as the PIX application software.
Table A-1 lists the PIX commands used by the module.
Table A-2 lists the Cisco IOS commands for the module.
Table A-4 lists the new commands specific to the module. These commands are described in
Appendix B, “Command Reference.”
Table A-5 lists the PIX commands that were changed for the module.
Table A-6 lists the PIX commands that are not used by the module.
Table A-7 lists the PIX commands used by the module and their PIX version.


Understanding How the Firewall Services Module Works
Firewalls protect an internal (inside) network, such as a data center, from unauthorized access by users
on an external (outside) network, such as the public Internet.

Note The term inside refers to networks or network resources protected by the firewall. The term outside refers
to networks not protected by the firewall.

You also can protect one or more networks, known as demilitarized zones (DMZs). DMZs are those
portions of the network that contain resources that you may want to allow access to for specified users.
Access to a DMZ is usually more restricted than access to the outside network, but less restricted than
access to the inside network.
A DMZ allows you to protect your network resources that need to be accessed by users on the public
Internet, for example, mail servers or web servers. By placing them in a DMZ, you obtain some
protection without jeopardizing the resources on your internal network.
The module controls connections among the inside, outside, and DMZ networks using a network-modeled
protection scheme based on the configuration and security policy.
By implementing a security policy, you can ensure that all traffic from the protected networks passes
only through the firewall to reach the unprotected network. You also can control who accesses the
networks and with which services. Features on the module allow you to control how your security policy
is applied.
The security policy determines the security level of each interface. Networks that are assigned the same
security level are isolated from each other; to route traffic between networks, you assign each network
a different security level. A lower security level provides less protection for the interface than a
higher security level. The security levels of your networks can range from 0 to 100.
All interfaces connecting the inside, outside, and DMZ networks through the module are virtual and
logical Layer 3 interfaces consisting of a VLAN, an IP address, and a security level. The module
supports 100 firewall interfaces. All traffic between these VLANs is protected and controlled. Because
the module supports multiple interfaces, you can create one or more DMZ networks.
The Firewall Services Module is a fabric-enabled module that connects to both the Catalyst 6500 bus
and the Switch Fabric Module if one is present. A Switch Fabric Module is not required for the Firewall
Services Module to function.
The module has a 6-Gbps dot1q EtherChannel connection to the backplane where the hosts of the various
security zones are connected to ports on the Catalyst 6500 chassis.
The module can be configured in a multiple, failover, or redundant configuration.
Figure 1-1 shows a firewall configuration. The Multilayer Switch Feature Card (MSFC) is used as a
router on the network inside the firewall. The MSFC is connected to only one of the controlled firewall
interfaces. All other router interfaces configured on the MSFC are considered to be the same security
level as the interface to which the MSFC is connected. For example, traffic between VLAN 201 and
VLAN 202 is routed directly.


[Figure 1-1 Firewall Services Module Configuration: Router 1 on the Internet (209.165.201.2/24)
connects to the FWSM Outside interface, security level 0, VLAN 200, 209.165.201.1. Router 2 sits on
DMZ (10), VLAN 101, and Router 3 on DMZ (20), VLAN 102. The INSIDE interface, security level 100,
VLAN 100, 10.1.1.2/8, connects the MSFC, a web and FTP server, and a network printer; the MSFC routes
between VLAN 201 and VLAN 202 directly, inside the firewall.]

These sections describe firewall configuration and failover:
• Multiple Firewall Services Module Configuration, page 1-5
• Redundancy Failover, page 1-5


Multiple Firewall Services Module Configuration
Figure 1-2 shows multiple modules that are located in the same switch, and how they can operate
independently. You can have up to four FWSMs installed in the same switch. The network requirements
and topology determine the configuration.

[Figure 1-2 Multiple Firewall Services Module Configuration: two FWSMs in one Catalyst 6500 with the
MSFC, each connected by its own 6 Gig (dot1q) EtherChannel. One module uses VLAN 100 (Inside) and
VLAN 101 (DMZ1); the other uses VLAN 4100 (Inside), VLAN 4101 (DMZ1), and VLAN 4102 (DMZ2).]

In a multiple-module configuration, the following conditions apply:
• Modules cannot share the same firewall interface definition. Separate VLANs must be defined for
each module.
• Multiple modules in the same chassis do not share loads or synchronize states among each other
unless they are configured as active or standby modules.
• Two modules in the same chassis or two modules that are in separate chassis can be configured to
maintain firewall protection in case either module fails. When one module (active) fails, another
(standby) immediately takes its place.

Redundancy Failover
The failover configuration has these features:
• A dedicated logical interface is created for failover communication. No failover cable is required in
this configuration as is required in the PIX configuration.


Note You must add the dedicated logical VLAN to the VLAN group using the firewall
vlan-group command and activate the dedicated VLAN using the VLAN [X] state active
command.

• All firewall interfaces between the active module and standby module are separated from each other
in Layer 2. The interfaces on the active module must be present on the standby module and the trunk
must be configured to pass all VLANs.
• Both the active module and the standby module have corresponding interfaces in the same VLAN.
• When the active module fails, the switchover to the standby module is transparent to other nodes in
the network. After switchover, all interfaces on the new active module have the IP addresses and the
MAC addresses of the interfaces of the failed module.
The module can be configured to use stateful failover as shown in Figure 1-3. Stateful failover allows
you to maintain the operating state for the connection during the failover from the primary module to the
standby module.

[Figure 1-3 Stateful Failover Configuration: two FWSMs in one Catalyst 6500 with the MSFC, each on a
6 Gig (dot1q) EtherChannel, both carrying Inside 100, DMZ1 101, DMZ2 102, and Outside 200, with a
dedicated Failover VLAN between them.]

When a failover occurs, each module changes its state. The new active module begins accepting traffic.
The new standby module assumes the failover IP and MAC addresses of the module that was previously
the active module. Because network devices do not detect a change in these addresses, no ARP entries
change and nothing on the network times out.
Be sure that both modules have the same software version, VLAN configuration, Flash memory, and
RAM; if not, the configuration copied to the standby module will not work. After you configure the
primary module and provide the failover link, the primary module automatically copies the configuration
over to the standby module.


Note We recommend that you use separate links for the failover interface and the logical (stateful)
update interface. Packets on the failover link are tagged with a higher QoS priority. Because stateful
update traffic can be high in volume, the advantage of prioritizing failover traffic is lost if the
failover link and the failover LAN interface are kept on the same link.

Figure 1-4 shows two modules located in separate chassis: one module is designated as the active module
and the other module is designated as the standby module.

[Figure 1-4 Multiple-Module Configuration in a Network: two Catalyst 6500 chassis, each with an MSFC
and an FWSM on a 6 Gig (dot1q) EtherChannel, one FWSM active and the other standby. The chassis are
linked by a 6 Gig (dot1q) EtherChannel carrying Inside VLAN100, DMZ1 VLAN101, DMZ2 VLAN102,
Outside VLAN200, and a Failover VLAN (optional).]

In this multiple-module configuration, the following conditions apply:

• A dedicated logical interface is created for failover communication. No failover cable is required in
this configuration as is required in the PIX configuration.
• All firewall interfaces between the active module and the standby module are separated from each
other at Layer 2, which requires at least a 1-Gigabit link between them. Performance is limited to the
link throughput. For better performance, we recommend that you provide up to a 6-Gigabit IEEE 802.1q
EtherChannel link.
• Both of the switches have an identical definition of the firewall interfaces on the MSFC.
• There is a dedicated failover interface between the active module and the standby module used for
the stateful failover. This interface synchronizes the states between the active module and the
standby module.
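The multiple-module and failover conditions listed above can be checked mechanically before a change
window. The following is an added example, not Cisco code: it models a chassis, its modules and their
firewall interfaces (VLAN, IP address, security level) as this chapter defines them, and the slot
numbers, VLANs and addresses are constructed sample values patterned on Figure 1-1.

```python
"""Design-rule checker for Firewall Services Modules in one Catalyst 6500 chassis.

Added example, not Cisco code: it encodes the module-count, security-level,
interface, VLAN-sharing and failover-pair conditions stated in this chapter.
Slot numbers, VLANs and addresses below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_MODULES_PER_SWITCH = 4
MAX_FIREWALL_INTERFACES = 100


@dataclass(frozen=True)
class FwInterface:
    """A firewall interface: a VLAN, an IP address and a security level."""
    name: str
    vlan: int
    ip: str
    security_level: int


@dataclass
class Fwsm:
    slot: int
    software: str
    flash_mb: int
    ram_mb: int
    interfaces: List[FwInterface] = field(default_factory=list)
    failover_vlan: Optional[int] = None  # dedicated logical failover interface

    def vlans(self) -> Set[int]:
        return {i.vlan for i in self.interfaces}


def can_route(a: FwInterface, b: FwInterface) -> bool:
    """Networks assigned the same security level are isolated from each other."""
    return a.security_level != b.security_level


def check_module(m: Fwsm) -> List[str]:
    """Per-module rules: interface count, level range, one interface per VLAN."""
    errors: List[str] = []
    if len(m.interfaces) > MAX_FIREWALL_INTERFACES:
        errors.append(f"slot {m.slot}: {len(m.interfaces)} interfaces, "
                      f"limit is {MAX_FIREWALL_INTERFACES}")
    seen: Set[int] = set()
    for i in m.interfaces:
        if not 0 <= i.security_level <= 100:
            errors.append(f"slot {m.slot}: {i.name} security level "
                          f"{i.security_level} is outside 0-100")
        # the failover VLAN is dedicated, so it cannot double as a firewall interface
        if i.vlan in seen or i.vlan == m.failover_vlan:
            errors.append(f"slot {m.slot}: VLAN {i.vlan} reused by {i.name}")
        seen.add(i.vlan)
    return errors


def check_failover_pair(active: Fwsm, standby: Fwsm) -> List[str]:
    """Active and standby must match, or the copied configuration will not work."""
    tag = f"failover pair {active.slot}/{standby.slot}"
    errors: List[str] = []
    for attr in ("software", "flash_mb", "ram_mb"):
        if getattr(active, attr) != getattr(standby, attr):
            errors.append(f"{tag}: {attr} differs")
    if active.vlans() != standby.vlans():
        errors.append(f"{tag}: interface VLANs differ "
                      f"{sorted(active.vlans() ^ standby.vlans())}")
    if active.failover_vlan is None or active.failover_vlan != standby.failover_vlan:
        errors.append(f"{tag}: no common dedicated failover VLAN")
    return errors


def check_chassis(modules: List[Fwsm],
                  failover_pairs: Tuple[Tuple[int, int], ...] = ()) -> List[str]:
    """Chassis rules: module count (standby modules count), pair consistency, and
    no firewall VLAN shared across modules except within a declared pair."""
    errors: List[str] = []
    if len(modules) > MAX_MODULES_PER_SWITCH:
        errors.append(f"{len(modules)} modules installed, limit is "
                      f"{MAX_MODULES_PER_SWITCH} (standby modules count)")
    by_slot = {m.slot: m for m in modules}
    paired = {frozenset(p) for p in failover_pairs}
    for a, s in failover_pairs:
        if a in by_slot and s in by_slot:
            errors += check_failover_pair(by_slot[a], by_slot[s])
    owner: Dict[int, int] = {}  # firewall VLAN -> slot that first defined it
    for m in modules:
        errors += check_module(m)
        for v in sorted(m.vlans()):
            if v in owner and frozenset((owner[v], m.slot)) not in paired:
                errors.append(f"VLAN {v} defined on slot {owner[v]} and slot {m.slot}")
            owner.setdefault(v, m.slot)
    return errors


def sample_design() -> List[Fwsm]:
    """Constructed design: the four zones of Figure 1-1 on an active/standby
    pair in slots 3 and 4, plus an independent module in slot 5."""
    zones = [FwInterface("outside", 200, "209.165.201.1", 0),
             FwInterface("dmz1", 101, "192.2.1.1", 10),
             FwInterface("dmz2", 102, "192.1.1.1", 20),
             FwInterface("inside", 100, "10.1.1.2", 100)]
    active = Fwsm(3, "1.1(2)", 128, 1024, list(zones), failover_vlan=300)
    standby = Fwsm(4, "1.1(2)", 128, 1024, list(zones), failover_vlan=300)
    other = Fwsm(5, "1.1(2)", 128, 1024,
                 [FwInterface("outside", 4200, "209.165.202.1", 0),
                  FwInterface("inside", 4100, "10.2.1.2", 100)])
    return [active, standby, other]
```

Running `check_chassis(sample_design(), failover_pairs=((3, 4),))` returns an empty list; omitting the pair declaration reports the VLANs that slots 3 and 4 share, which is exactly the condition the chapter allows only for active/standby modules.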


Feature Set
The Firewall Services Module (FWSM) is a high-performance firewall used on the Catalyst 6500 series
switch and Cisco 7600 series router. The FWSM can occupy a single slot in the Catalyst 6500 series and
Cisco 7600 series chassis or two slots in a redundant configuration. Two modules can also reside in
separate chassis in a failover configuration.
The Firewall Services Module provides the following features:
• Switch fabric compatibility.
• Interface configuration that can be done through both the native Cisco IOS command-line interface
and the module command-line interface.
• PIX 6.0-based feature set and some 6.2 features.
• LAN failover active or standby (both intra- or inter-chassis).
• Dynamic routing, Open Shortest Path First protocol (OSPF) (the module maintains its own OSPF
tables), and Routing Information Protocol (RIP).
• IPSec for management only.
• Command authorization.
• Object grouping.
• URL filtering enhancement—The module checks the outgoing URL requests with the policy defined
on a Websense, Windows NT, or UNIX-based server. The module either permits or denies the
connection depending on the response from the server, which matches a request against a list of
website characteristics that are considered inappropriate for business use.
• Support for PIX 6.0 application inspection which ensures the secure use of applications and
services. Application inspection rules are configured using the fixup command, which is why
application inspection is called “fixup.”

Note Throughout this document, the term “fixup” applies to application inspection and
configuring the application inspection process or application inspection rules.

• Support for Lightweight Directory Access Protocol (LDAP) or Input [buffer] Limiting Scheme
(ILS) fixup for NetMeeting.
• Security—Cisco firewalls provide the latest in security technology, ranging from stateful inspection
firewalls to content-filtering capabilities that help protect your network environment from future
attacks. Another security feature is the Adaptive Security Algorithm (ASA), which maintains the
firewalled areas between the networks controlled by the firewall.
The stateful, connection-oriented ASA creates session flows based on source and destination
addresses, TCP sequence numbers (which are non-predictable), port numbers, and additional TCP
flags. You can control all inbound and outbound traffic by applying security policies to each
connection table entry.
• Reliability—Cisco firewalls provide adaptable security services for operation-critical network
environments by using the integrated stateful failover capabilities within the module. Network
traffic can be sent automatically to a hot standby module in the event of a failure, while maintaining
concurrent connections with automated state synchronization between the primary module and the
standby module.


• Network Address Translation (NAT) and Port Address Translation (PAT)—Cisco firewalls provide
NAT and PAT services that conceal IP addresses of internal networks and expand network address
space for internal networks.
• Denial-of-service (DoS) attack prevention—Cisco firewalls protect the firewall and networks
behind them from attempts to gain access, which can bring a network to a halt.
• Cisco PIX Device Manager (PDM) 2.1 support—PDM is a browser-based Java applet you can use
to configure the Firewall Services Module.
– PDM must be downloaded and installed for the Firewall Services Module release 1.1. Refer to
the “Upgrading the PDM” section on page 3-10 of the Catalyst 6500 Series and Cisco 7600
Series Firewall Services Module Installation and Configuration Note for download and
installation information.
– The Firewall Services Module 1.1(2) software release is shipped with a preinstalled PDM 2.1
image. You can download the image from CCO to upgrade PDM if necessary.
When the Firewall Services Module software is the platform, PDM will display modified screens
for features not supported by the module. To use the PDM to configure the module, refer to the Cisco
PIX Device Manager Installation Guide, Version 2.1.
The following PIX firewall features are not supported by the module:
• Virtual private networks (VPN) (The module supports IPSec VPN only for management purposes.)
• Intrusion detection system (IDS) syslog messages.
• Cisco Secure Policy Manager (CSPM)
• Conduits
• DHCP (Dynamic Host Configuration Protocol) client

Specifications and System Limitations


Table 1 lists the specifications and system limitations of the FWSM.

Table 1 FWSM Specifications and System Limitations

Physical Attributes
  Modules per switch: Maximum of four modules per switch. If you are using failover, you can
  still only have four modules per switch even if two of them are in standby mode.
  Memory: 1 GB RAM; 128 MB Flash memory.
  Bandwidth: CEF256 line card with a 6-Gbps path to the Switch Fabric Module (if present) or
  the 32-Gbps shared bus.

Feature Limits
  Filtering servers: 16 Websense Enterprise filtering servers.

Managed System Resources
  IPSec management connections, concurrent: 5 connections.
  TCP (1) or UDP (2) connections between any two hosts, including connections between one host
  and multiple other hosts, concurrent and rate: 999,900 connections; 100K connections per
  second.
  Fixup connections, rate: 10,000 per second.
  PC based fixup connections, rate: 10K per second.
  Host connections, concurrent: 256K.
  SSH (3) management connections, concurrent: 5 connections.
  System messages, rate: 20K per second.
  Telnet management connections, concurrent: 5 connections.
  NAT translations, concurrent: 256K.

Fixed System Resources
  NAT statements: 1K statements.
  High-performance firewall: 5 GBps (aggregated).
  Concurrent connections: 1 million.
  Packets per second: 3 million pps.
  New connections per second for HTTP, DNS, and enhanced Simple Mail Transfer Protocol (SMTP):
  7K.
  VLAN interfaces (no physical interfaces on the module): 100.
  Static NAT statements: 1K statements.
  Global statements: 1K statements.
  Shun statements: 2K statements. The FWSM supports at most 2000 shuns; that number is
  contingent upon finite hardware resources and cannot be increased.
  Alias statements: 1K statements.
  User authentication sessions, concurrent: 5K sessions.
  User authorization sessions, concurrent: 150K sessions. Maximum 15 sessions per user.
  ARP (4) table entries, concurrent: 64K entries.
  Route table entries, concurrent: 32K entries.
  Packet reassembly, concurrent: 30,000 fragments.

Rules
  Filter Rules, Fixup and Filter statements combined: 3K rules and statements.
  Established CLI Rules: 1K rules.
  Established data: 1K implicit rules used by TCP and UDP fixups to allow back channels.
  3K statements.
  AAA Rules: 3K rules. 1K rules for authentication, 1K rules for authorization, and 1K rules
  for accounting.
  ICMP (5), Telnet, SSH, and HTTP (6) Rules: 1K rules.
  ACEs: 72K ACEs (best case).

1. Transmission Control Protocol
2. User Datagram Protocol
3. Secure Shell
4. Address Resolution Protocol
5. Internet Control Message Protocol
6. HyperText Transfer Protocol

Front Panel Description


The front panel includes a STATUS LED and SHUTDOWN button. (See Figure 1-5.)

Figure 1-5 Firewall Services Module Front Panel

[Figure: front panel of the WS-SVC-FWM-1 (FIREWALL SERVICES MODULE), with callouts for the
STATUS LED and the SHUTDOWN button.]

These sections describe the front panel components:


• STATUS LED, page 1-11
• SHUTDOWN Button, page 1-12

STATUS LED
The STATUS LED indicates the operating states of the module. Table 1-2 describes the LED operation.

Table 1-2 STATUS LED Description

Color    Description
Green    All diagnostic tests pass. The module is operational.
Red      A diagnostic other than an individual port test failed.
Orange   Indicates one of three conditions:
         • The module is running through its boot and self-test diagnostic sequence.
         • The module is disabled.
         • The module is in the shutdown state.
Off      The module power is off.

SHUTDOWN Button

Caution Do not remove the module from the switch until the module has shut down completely and the STATUS
LED is orange or off. You can damage the module if you remove it from the switch before it completely
shuts down.

To avoid corrupting the compact Flash memory, you must correctly shut down the module before you
remove it from the chassis or disconnect the power. This shutdown procedure is normally initiated by
commands entered at the supervisor engine CLI prompt or the module CLI prompt.
If the module fails to respond to these commands properly, you must use the SHUTDOWN button on the
front panel to initiate the shutdown procedure. Use a small pointed object (such as a paper clip) to push
the button.
The shutdown procedure may require several minutes. The STATUS LED turns orange when the module
shuts down.

Hardware Specifications
Table 1-3 describes the specifications for the module.

Table 1-3 Specifications

Specification Description
Dimensions (H x W x D) 1.18 x 15.51 x 16.34 in. (30 x 394 x 415 mm)
Weight Minimum: 3 lb (1.36 kg)
Maximum: 5 lb (2.27 kg)
Environmental conditions:
Operating temperature 32 to 104° F (0 to 40° C)
Nonoperating temperature –40 to 167° F (–40 to 75° C)
Humidity 10 to 90%, noncondensing

Chapter 2
Installing the Firewall Services Module

This chapter describes how to install the Firewall Services Module including the software and hardware
requirements.
This chapter contains these sections:
• System Requirements, page 2-1
• Required Tools, page 2-2
• Installing and Removing the Module, page 2-2
• Using the CLI, page 2-12

System Requirements
This section describes the software and hardware requirements for the module:
• Memory and Storage Requirements, page 2-1
• Software Requirements, page 2-1
• Hardware Requirements, page 2-2

Memory and Storage Requirements


There are no additional memory or storage requirements for this module. The module contains the
following memory:
• 1 GB RAM
• 128 MB compact Flash

Software Requirements
Table 2-1 lists the Firewall Services Module software versions supported by the Catalyst operating
system and the Cisco IOS software.


Table 2-1 Firewall Services Module Software Compatibility

Firewall Services Module Software: 1.1(1) application image, 1.1(1) maintenance image
  Catalyst OS Software: 7.5
  Cisco IOS Software: 12.1(13)E with Supervisor Engine 2 and an MSFC 2

Firewall Services Module Software: 1.1(2) application image, 1.1(2) maintenance image
  Catalyst OS Software: 7.5 with a Supervisor Engine 1a and an MSFC 2, or a Supervisor Engine 2
  and an MSFC 2
  Cisco IOS Software: 12.1(13)E with a Supervisor Engine 2 and an MSFC 2

Hardware Requirements
The Cisco IOS software and Catalyst operating system require a Catalyst 6500 series switch or Cisco
7600 series switch with a Supervisor Engine 1a (Catalyst operating system only) and an MSFC 2, or a
Supervisor Engine 2 (Catalyst operating system and Cisco IOS) and an MSFC 2. The module is
supported on the Supervisor Engine with Cisco IOS software and the Catalyst operating system software.

Note Before installing the module, you must install the Catalyst 6500 series switch chassis and at least one
supervisor engine. For information on installing the switch chassis, refer to the Catalyst 6000 Family
Installation Guide.

Required Tools
These tools are required to install the module in the Catalyst 6500 series switches:
• Flat-blade screwdriver
• Phillips-head screwdriver
• Wrist strap or other grounding device
• Antistatic mat or antistatic foam
Whenever you handle the module, always use a wrist strap or other grounding device to prevent
electrostatic discharge (ESD).

Installing and Removing the Module


Warning During this procedure, wear grounding wrist straps to avoid ESD damage to the card. Do not directly
touch the backplane with your hand or any metal tool, or you could shock yourself.

All Catalyst 6500 series switches support hot swapping, which allows you to install, remove, replace,
and rearrange modules without turning off the system power. For more information on removing the
module from a switch, see the “Removing a Module” section on page 2-3.


When the system detects that a module has been installed or removed, the system automatically runs
diagnostic and discovery routines, acknowledges the presence or absence of the module, and resumes
system operation.
This section describes how to install and verify the operation of the Firewall Services Module in the
Catalyst 6500 series switches and contains the following sections:
• Slot Assignments, page 9
• Removing a Module, page 2-3
• Installing a Module, page 2-4
• Verifying the Installation, page 2-11

Slot Assignments
The Catalyst 6006 and 6506 switch chassis have six slots, the Catalyst 6009 and 6509 switch chassis
have nine slots, and the Catalyst 6513 switch chassis has thirteen slots.

Note The Catalyst 6509-NEB switch has vertical slots, which are numbered 1 to 9 from right to left. Install
the modules with the component side facing to the right.

Each slot is used as follows:


• Slot 1 is reserved for the supervisor engine.
• Slot 2 can be used for a redundant supervisor engine in case the supervisor engine in slot 1 fails.
• If a redundant supervisor engine is not required, slots 2 through 6 on the 6-slot chassis (slots 2
through 9 on the 9-slot chassis, and slots 2 through 13 on the 13-slot chassis) are available for
switching modules, such as the Firewall Services Module.
• The empty slots require filler plates, which are blank switching-module carriers, to maintain
consistent airflow through the switch chassis.

Removing a Module
This section describes how to remove an existing module from a chassis slot.

Warning During this procedure, wear grounding wrist straps to avoid ESD damage to the card. Do
not directly touch the backplane with your hand or any metal tool, or you could shock
yourself.

Warning Before you install, operate, or service the system, read the Site Preparation and Safety
Guide. This guide contains important safety information you should know before working
with the system.

Warning Invisible laser radiation may be emitted from disconnected fibers or connectors. Do not
stare into beams or view directly with optical instruments.


To remove a supervisor engine or module from the chassis, perform these steps:

Step 1 Disconnect any network interface cables attached to the supervisor engine or module.
Step 2 Verify that the captive installation screws on all of the modules in the chassis are tight.
This step ensures that the space created by the removed module is maintained.

Note If the captive installation screws are loose, the electromagnetic interference (EMI)
gaskets on the installed modules will push the modules toward the open slot,
reducing the opening size and making it difficult to install the replacement module.

Step 3 Loosen the two captive installation screws on the supervisor engine or module.
Step 4 Depending on the orientation of the slots in the chassis (horizontal or vertical), perform one of the
following sets of substeps:

Horizontal slots
a. Place your thumbs on the left and right ejector levers, and simultaneously rotate the levers outward
to unseat the module from the backplane connector.
b. Grasp the front edge of the module and slide the module part of the way out of the slot. Place your
other hand under the module to support the weight of the module. Do not touch the module circuitry.

Vertical slots
a. Place your thumbs on the ejector levers located at the top and bottom of the module, and
simultaneously rotate the levers outward to unseat the module from the backplane connector.
b. Grasp the edges of the module, and slide the module straight out of the slot. Do not touch the module
circuitry.
Step 5 Place the module on an antistatic mat or antistatic foam, or immediately reinstall it in another slot.
Step 6 If the slot is to remain empty, install a module filler plate to keep dust out of the chassis and to maintain
proper airflow through the chassis.

Warning Blank faceplates (filler panels) serve three important functions: they prevent exposure
to hazardous voltages and currents inside the chassis; they contain electromagnetic
interference (EMI) that might disrupt other equipment; and they direct the flow of cooling
air through the chassis. Do not operate the system unless all cards and faceplates are in
place.

Installing a Module
This section describes how to install modules in the Catalyst 6500 series switches.

Caution To prevent ESD damage, handle modules by the carrier edges only.


Warning During this procedure, wear grounding wrist straps to avoid ESD damage to the card. Do
not directly touch the backplane with your hand or any metal tool, or you could shock
yourself.

Warning Invisible laser radiation may be emitted from disconnected fibers or connectors. Do not
stare into beams or view directly with optical instruments.

Warning Before you install, operate, or service the system, read the Site Preparation and Safety
Guide. This guide contains important safety information you should know before working
with the system.

To install a supervisor engine or module in the chassis, perform these steps:

Step 1 Choose a slot for the supervisor engine or module.


Step 2 Verify that there is enough clearance to accommodate any interface equipment that you will connect
directly to the supervisor engine or module ports. If possible, place modules between empty slots that
contain only module filler plates.
Step 3 Verify that the captive installation screws are tightened on all modules installed in the chassis.
This action ensures that the EMI gaskets on all modules are fully compressed in order to maximize the
opening space for the new module or the replacement module.

Note If the captive installation screws are loose, the EMI gaskets on the installed
modules will push adjacent modules toward the open slot, reducing the opening
size and making it difficult to install the replacement module.

Step 4 Remove the module filler plate by removing the two Phillips pan-head screws from the filler plate. To
remove a module, refer to “Removing a Module” section on page 2-3.
Step 5 Fully open both ejector levers on the new or replacement module. (See Figure 2-1.)


Figure 2-1 Positioning the Module in a Horizontal Slot Chassis

[Figure: chassis with horizontal slots; two WS-X6K-SUP2-2GE supervisor engines in slots 1 and 2 and
the WS-SVC-FWM-1 (FIREWALL SERVICES MODULE) in a lower slot. Callouts: "Insert module between
slot guides", "EMI gasket", "Ejector lever fully extended".]
Step 6 Depending on the orientation of the slots in the chassis (horizontal or vertical), perform one of the
following sets of substeps:

Horizontal slots
a. Position the supervisor engine or module in the slot. (See Figure 2-1.) Make sure that you align the
sides of the module carrier with the slot guides on each side of the slot.
b. Carefully slide the supervisor engine or module into the slot until the EMI gasket along the top edge
of the module makes contact with the module in the slot above it and both ejector levers have closed
to approximately 45 degrees with respect to the module faceplate. (See Figure 2-2.)


Figure 2-2 Clearing the EMI Gasket in a Horizontal Slot Chassis

[Figure: the WS-SVC-FWM-1 partly seated below the supervisor engines. Callouts: "Press down" on
both ejector levers, and "1 mm gap between the module EMI gasket and the module above it".]
c. Using the thumb and forefinger of each hand, grasp the two ejector levers and press down to create
a small (0.040 inch [1 mm]) gap between the module’s EMI gasket and the module above it. (See
Figure 2-2.)

Caution Do not press down too hard on the levers. They will bend and be damaged.

d. While pressing down, simultaneously close the left and right ejector levers to fully seat the
supervisor engine or module in the backplane connector. The ejector levers are fully closed when
they are flush with the module faceplate. (See Figure 2-3.)


Figure 2-3 Ejector Lever Closure in a Horizontal Slot Chassis

[Figure: the WS-SVC-FWM-1 fully seated below the supervisor engines. Callout: "Ejector levers flush
with module faceplate".]
Note Failure to fully seat the module in the backplane connector can result in error
messages.

e. Tighten the two captive installation screws on the supervisor engine or module.

Note Make sure the ejector levers are fully closed before tightening the captive
installation screws.

Vertical slots
a. Position the supervisor engine or switching module in the slot. (See Figure 2-4.) Make sure that you
align the sides of the switching-module carrier with the slot guides on the top and bottom of the slot.


Figure 2-4 Positioning the Module in a Vertical Slot Chassis

[Figure: chassis with vertical slots; the WS-SVC-FWM-1 (FIREWALL SERVICES MODULE) beside two
WS-X6K-SUP2-2GE supervisor engines. Callouts: "Ejector lever fully extended", "EMI gasket",
"Insert module between slot guides".]
b. Carefully slide the supervisor engine or module into the slot until the EMI gasket along the right
edge of the module makes contact with the module in the slot adjacent to it and both ejector levers
have closed to approximately 45 degrees in relation to the faceplate. (See Figure 2-5.)
c. Using the thumb and forefinger of each hand, grasp the two ejector levers and exert a slight pressure
to the left, deflecting the module approximately 0.040 inches (1 mm) to create a small gap between
the module’s EMI gasket and the module adjacent to it. (See Figure 2-5.)


Figure 2-5 Clearing the EMI Gasket in a Vertical Slot Chassis

[Figure: the WS-SVC-FWM-1 partly seated in a vertical slot beside the supervisor engines. Callouts:
"Press left" on both ejector levers, and "1 mm gap between the module EMI gasket and the module
adjacent to it".]
Caution Do not exert too much pressure on the ejector levers. They will bend and be damaged.

d. While pressing on the ejector levers, simultaneously close them to fully seat the supervisor engine
or module in the backplane connector. The ejector levers are fully closed when they are flush with
the module faceplate. (See Figure 2-6.)


Figure 2-6 Ejector Lever Closure in a Vertical Slot Chassis

[Figure: the WS-SVC-FWM-1 fully seated in a vertical slot beside the supervisor engines. Callout:
"All ejector levers flush with module faceplate".]
e. Tighten the two captive installation screws on the module.

Note Make sure the ejector levers are fully closed before tightening the captive
installation screws.

Verifying the Installation


This section describes how to verify the module installation.
To verify that the system acknowledges the new module and has brought it online, enter the show
module [mod-num | all] command.
This example shows the output of the show module command on the Catalyst 6500 series switch:
Router# show module
Mod Slot Ports Module-Type Model Sub Status
--- ---- ----- ------------------------- ------------------- --- ------
1 1 2 1000BaseX Supervisor WS-X6K-SUP1A-2GE yes ok
15 1 1 Multilayer Switch Feature WS-F6K-MSFC no ok
2 2 48 10/100BaseTX Ethernet WS-X6348-RJ-45 yes ok
4 4 2 Intrusion Detection Syste WS-X6381-IDS no ok
6 6 8 1000BaseX Ethernet WS-X6408-GBIC no ok


This example shows the output of the show module command on the Cisco 7600 series Internet Router:
Router> show module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
1 2 Catalyst 6000 supervisor 2 (Active) WS-X6K-SUP2-2GE SAD0444099Y
2 48 48 port 10/100 mb RJ-45 ethernet WS-X6248-RJ-45 SAD03475619
3 2 Intrusion Detection System WS-X6381-IDS SAD04250KV5
4 6 Firewall Module WS-SVC-FWM-1 SAD062302U4

When the module initially boots, by default it runs a partial memory test. To perform a full memory test,
enter the hw-module module module_number reset device:partition mem-test-full command. This
command is specific to Cisco IOS software and is not available in Catalyst operating system software.
A full memory test takes more time to complete than a partial memory test depending on the memory
size. Table 2-2 lists the memory test time and approximate boot time for a long memory test.

Table 2-2 Memory Test Duration

Memory Size Boot Time


1 GB 6 minutes

This example shows how to do a full memory test for module 5:


Router(config)# hw-module module 5 reset mem-test-full

Using the CLI


The software interface for the module is the Cisco IOS and the Catalyst operating system command-line
interface accessed through a Telnet connection to the switch or through the switch console interface.
Refer to the Catalyst 6500 Series Operating system Software Configuration Guide and the Catalyst 6500
Series Software Configuration Guide for details.
To understand the Cisco IOS command-line interface and Cisco IOS command modes, refer to
Chapter 2, “Command-Line Interfaces,” in the Catalyst 6500 Series IOS Software Configuration Guide.
To understand the Catalyst operating system command-line interface and Catalyst operating system
command modes, refer to Chapter 2, “Command-Line Interfaces,” in the Catalyst 6500 Series
Configuration Guide.
Unless your switch is located in a fully trusted environment, we recommend that you configure the
module through a Telnet connection using Secure Shell (SSH) encryption.
You can session into the module from the switch console and configure the firewall. Session is a Telnet
interface through the Ethernet out-of-band channel (EOBC) of the switch backplane.
You can also make a Telnet connection into the module from a specified host and on a specific interface.
Telnet support for this host should be configured or enabled from the module console.
Console output is redirected to all active Telnet sessions. When no Telnet session is available, the output
is saved to a buffer. The buffer output can be subsequently examined when you make a Telnet connection
into the module.


The module application software is similar to the Cisco PIX firewall software. This publication describes
only the commands unique to the Firewall Services Module. For information about the PIX commands,
refer to the PIX documentation at the following URLs:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/index.htm
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/index.htm

Chapter 3
Getting Started

This chapter describes how to begin configuring the Firewall Services Module from the CLI and contains
these sections:
• Configuration Overview, page 3-1
• Saving the Configuration, page 3-8
• Using PDM, page 3-8

Configuration Overview
This section describes the Firewall Services Module configuration and contains these sections:
• Configuring the Switch Interface, page 3-3
• Sessioning into the Module, page 3-5
• Configuring the Module, page 3-7
The Firewall Services Module can be used in a variety of topologies depending on the needs of your
network. For example, in a data center you may want to provide access control or segregate your security
domains. The security domain can be a collection of servers with the same security level. Within that
domain, multiple subnets or server farms can exist.
When you configure the Firewall Services Module to function on the perimeter of the network, the
module can provide access control to the inside network as a whole, or segregate multiple security zones
through VLAN interfaces of different security levels. The security zones can be either in the same
network or can define the boundaries of multiple customer networks.
You can configure secure VLANs with both the Cisco IOS and Catalyst operating system software. The
secure VLAN information is passed from the switch operating system software to the firewall module
when it boots up and comes online. The module accepts traffic on the secure VLANs only after the
firewall interfaces are configured on the module corresponding to the secure VLANs defined on the
switch. The firewall software should not receive traffic on VLANs unknown to the firewall module or
on the secure VLANs without having corresponding firewall interfaces.
When the firewall module comes online, the Network Management Processor (NMP) sends an SCP
message that provides the secure VLANs that are defined for that particular firewall module.
If a VLAN is active and is displayed as a secure VLAN on one of the modules through the NMP CLIs,
the information about the new active VLAN is sent to the Firewall Services Module.
The secure VLAN interface (SVI) is a Layer 3 secure VLAN interface between the module and the router
on the supervisor engine, which allows them to communicate with each other.


One SVI is configured between each Firewall Services Module in the chassis and the supervisor engine
module router. With software releases prior to Cisco IOS Release 12.2(14)SY and Catalyst operating
system software version 7.6(1), only one SVI can exist between a given Firewall Services Module and
the router on the supervisor engine.
Multiple VLAN interfaces are supported in Cisco IOS Release 12.2(14)SY with the firewall
multiple-vlan-interfaces command and in the Catalyst operating system software version 7.6(1) with
the set firewall multiple-vlan-interfaces {enable|disable} command.

Note To prevent traffic from bypassing the firewall, policy-routing may be required when enabling support for
multiple VLAN interfaces on the switch.

The Firewall Services Module configuration has the following characteristics:


• Each firewall interface is a Layer 3 interface.
• Each firewall interface has a fixed VLAN.
• The switch MSFC is used as a router connected to the module interfaces (SVI).
• The module views all networks (or subnetworks) beyond an interface as belonging to the same
security level.
• Traffic from all of the non-firewall VLANs in the switch (those not recognized by the module) is
routed through the MSFC without being stopped by the firewall.
You can configure the module in various situations by selecting the firewall features that meet the
requirements of a particular network. Figure 3-1 shows a typical firewall configuration.

Figure 3-1 Firewall Configuration (figure not reproduced; it shows the 6K-MSFC with the firewall interfaces inside, outside, DMZ11, DMZ17, and DMZ18)

Configuring the Switch Interface


This section describes the basic configuration steps performed on the switch and the Firewall Services
Module.

Cisco IOS Software


To set up the configuration on the switch using the Cisco IOS CLI, follow these general tasks:

Command                                                                  Purpose
Step 1   Router# configure terminal                                      Enters VLAN configuration mode.
Step 2   Router(config)# vlan vlan_number                                Creates VLANs.
Step 3   Router(config)# interface vlan vlan_number                      Defines a controlled VLAN (SVI) on the MSFC (route processor).
         Note  You must configure a controlled VLAN (SVI) on the MSFC or you will be unable to configure VLANs on the module.
Step 4   Router(config)# firewall multiple-vlan-interfaces               Creates multiple VLAN interfaces on the switch.
Step 5   Router(config)# firewall vlan-group firewall_group vlan_range   Creates a firewall group of controlled VLANs.
Step 6   Router(config)# firewall module module_number vlan-group firewall_group
                                                                         Attaches the VLAN and firewall group to the slot where the module is located.
Step 7   Router(config)# end  or  Router(vlan)# exit                     Updates the VLAN database and returns to privileged EXEC mode.
Step 8   Router# show firewall vlan-group                                Displays the firewall VLAN groups.
Step 9   Router# show firewall module                                    Displays the module configuration.
Step 10  Router# show interface vlan vlan_number                         Displays the interface configuration.

Note To prevent trunks from carrying firewall VLANs, enter this command:
switchport trunk allowed vlan {add | except | none | remove} vlan [, vlan [, vlan [,...]]]

This example shows how to configure the switch interface:


Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# vlan 55
Router(config-vlan)# vlan 56
Router(config-vlan)# vlan 57
Router(config-vlan)# exit
Router(config)# firewall vlan-group 50 55-57
Router(config)# firewall vlan-group 51 70-85
Router(config)# firewall module 8 vlan-group 50-51
Router(config)# int vlan 55
Router(config-if)# ip address 55.1.1.1 255.255.255.0
Router(config-if)# no shut
Router(config-if)# end
Router# show firewall vlan-group

Group vlans
----- ------
50 55-57
51 70-85
Router# show firewall module
Module Vlan-groups
8 50,51,
Router# show int vlan 55
Vlan55 is up, line protocol is up
Hardware is EtherSVI, address is 0008.20de.45ca (bia 0008.20de.45ca)
Internet address is 55.1.1.1/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type:ARPA, ARP Timeout 04:00:00
Last input never, output 00:00:08, output hang never
Last clearing of "show interface" counters never
Input queue:0/75/0/0 (size/max/drops/flushes); Total output drops:0
Queueing strategy:fifo
Output queue :0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
L2 Switched:ucast:196 pkt, 13328 bytes - mcast:4 pkt, 256 bytes
L3 in Switched:ucast:0 pkt, 0 bytes - mcast:0 pkt, 0 bytes mcast
L3 out Switched:ucast:0 pkt, 0 bytes
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
4 packets output, 256 bytes, 0 underruns
0 output errors, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
Router#

Catalyst Operating System Software


To set up the configuration on the switch for the Firewall Services Module using the Catalyst operating
system CLI, you must be in the proper VLAN Trunking Protocol (VTP) mode to create VLANs (server,
transparent, or off modes all work) and then follow these general tasks:

Command                                                                     Purpose
Step 1   Console> enable                                                    Enters the switch configuration mode.
Step 2   Console>(enable) set vlan vlan_number                              Creates the VLAN.
Step 3   Console>(enable) set vlan vlan_list firewall-vlan module           Specifies firewall VLANs and maps them to the module.
Step 4   Console>(enable) set firewall multiple-vlan-interfaces {enable|disable}
                                                                            Creates multiple VLAN interfaces on the switch.
Step 5   Console> show vlan firewall-vlan module_number                     Displays the range of VLANs specified for the module.
Step 6   Console> session 15                                                (Optional) Accesses the MSFC (using the session 15 or session 16 command), enabling you to create the appropriate VLAN interfaces if desired.

This example shows how to configure the switch interface:


Console>(enable) enable
Console>(enable) set vlan 7, 11-15, 19-20 firewall-vlan 8

Console> show vlan firewall-vlan 8


Console> show vlan fire 8
Secured vlans by firewall module 8:
7 11-15,19-20
Console>(enable) set vlan 8

Sessioning into the Module


You can log into the module’s maintenance partition or application partition.

Sessioning into the Maintenance Partition


To log into the module’s maintenance partition, perform these steps:

Step 1 Telnet or log into the Catalyst 6500 series switch.


Step 2 At the CLI prompt, session into the maintenance software by entering this command:
Cisco IOS:
Router# session slot slot_number processor 1
The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.81 ... Open
Cisco Maintenance image

Note The processor should always be set at 1.

Catalyst Operating System:


Console> session module
The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.81 ... Open
Cisco Maintenance image

Step 3 At the login prompt, enter root.


Step 4 Enter the password for the account at the password prompt:
Password: cisco

Note If you have not changed the password from the factory-set default, a warning message is displayed. To
change the password from the default, see the “Changing and Recovering Passwords” section on
page 5-11 for more information.

Step 5 If the module does not boot into the maintenance partition, reset the module by entering the following
command:
Cisco IOS:
Router# hw-module module slot_number reset cf:1

Catalyst Operating System:


Console(enable)> reset module-number [boot device:partition]
Router# reboot

Sessioning into the Application Partition


To log into the module’s application partition, perform these steps:

Step 1 Telnet or log into the Catalyst 6500 series switch.


Step 2 At the CLI prompt, session into the application software by entering this command:
Cisco IOS:
Router# session slot 8 processor 1
The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.81 ... Open

FWSM passwd:

Welcome to the FWSM firewall

Type help or '?' for a list of available commands.

FWSM>

Note The processor should always be set at 1.

Catalyst Operating System:


Console (enable)# session module

Step 3 If the module does not boot into the application partition, reset the module by entering the following
command:
Cisco IOS:
Router# hw-module module slot_number reset cf:4

Router# session slot module processor processor

Catalyst Operating System:


Console (enable)# reset module cf:4

Step 4 At the login prompt, enter your user name.


Step 5 Enter the password for the account at the password prompt:
Password: password

Note If you have not changed the password from the factory-set default, a warning message is displayed. To
change the password from the default, see the “Changing and Recovering Passwords” section on
page 5-11 for more information.

Configuring the Module


To set up the configuration on the module, perform this task:

Command                                                                Purpose
Step 1   FWSM(config)# hostname name                                   Defines the host name in the command line prompt.
Step 2   FWSM(config)# nameif vlan_number if_name security_level       Specifies the interface name.
Step 3   FWSM(config)# ip address if_name ip_address mask              Defines a local address for each interface.
Step 4   FWSM(config)# access-list acl_ID [deny | permit] protocol {source_addr | local_addr} {source_mask | local_mask} operator port {destination_addr | remote_addr} {destination_mask | remote_mask} operator port
                                                                       Defines an access list. Refer to Appendix B, “Command Reference,” the “access-list” section on page B-2, and the “access-list (ospf)” section on page B-7.
Step 5   FWSM(config)# access-group acl_ID in interface interface_name  Defines access groups.
Step 6   FWSM(config)# icmp permit any outside                          Allows connectivity testing between the switch and the FWSM.
         FWSM(config)# icmp permit any inside
Step 7   FWSM(config)# show nameif                                      Displays the configured interfaces.
Step 8   FWSM(config)# show ip                                          Displays the configured IP addresses.
Step 9   FWSM(config)# show access-list                                 Displays the configured access lists.

Note To allow traffic to flow from one interface to another, you must explicitly define an access list and map
that access list to the appropriate interface. Unlike the PIX firewall, traffic from high-security level
interfaces is not allowed to flow freely to an interface with a lower security level. By default, access lists
are defined as deny any any.

This example shows how to configure the module:


FWSM(config)# hostname FWSM
FWSM(config)# nameif 55 outside 0
FWSM(config)# nameif 56 inside 100
FWSM(config)# ip address inside 10.1.1.1 255.255.255.0
FWSM(config)# ip address outside 55.1.1.2 255.255.255.0
FWSM(config)# access-list 1 permit ip any any
FWSM(config)# access-group 1 in interface inside
FWSM(config)# show nameif
nameif vlan55 inside security100
nameif vlan56 outside security0
FWSM(config)# show ip
System IP Addresses:
ip address inside 10.1.1.1 255.255.255.0
ip address outside 55.1.1.2 255.255.255.0
ip address eobc 127.0.0.61 255.255.255.0
Current IP Addresses:
ip address inside 10.1.1.1 255.255.255.0
ip address outside 55.1.1.2 255.255.255.0
ip address eobc 127.0.0.61 255.255.255.0
FWSM(config)# show access-list
access-list 1; 1 elements
access-list 1 permit ip any any (hitcnt=0)

FWSM(config)# show access-group
access-group 1 in interface inside
FWSM(config)#
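As an added example (not part of the Cisco document), the following Python script cross-checks a switch configuration like the one in “Configuring the Switch Interface” against the module configuration above: every VLAN the FWSM names with nameif must be in a vlan-group attached to the module's slot, trunks must not carry firewall VLANs, and an interface without an access-group passes no traffic because access lists default to deny any any. The configuration text, the trunk interface GigabitEthernet1/1, the dmz interface and the slot number are constructed for illustration.

```python
"""Cross-check the switch (Cisco IOS) and FWSM halves of a Firewall Services
Module deployment.  Added example, not Cisco code; all configuration text
below is constructed for illustration."""
from typing import Dict, List, Set, Tuple

# Constructed switch configuration: two VLAN groups, the module in slot 8,
# and one trunk that still carries firewall VLAN 55.
SWITCH_CONFIG = """\
firewall vlan-group 50 55-57
firewall vlan-group 51 70-85
firewall module 8 vlan-group 50-51
interface GigabitEthernet1/1
 switchport trunk allowed vlan 10,55,200
"""

# Constructed FWSM configuration for slot 8.  VLAN 90 is not in any group
# attached to the module, and only 'inside' has an access-group bound.
FWSM_CONFIG = """\
nameif 55 outside 0
nameif 56 inside 100
nameif 90 dmz 50
access-list 1 permit ip any any
access-group 1 in interface inside
"""


def expand_range(spec: str) -> Set[int]:
    """Expand an IOS range list such as '10,55-57,200' into a set of VLAN ids."""
    result: Set[int] = set()
    for part in spec.split(","):
        if part:
            lo, _, hi = part.partition("-")
            result.update(range(int(lo), int(hi or lo) + 1))
    return result


def parse_switch(text: str) -> Tuple[Dict[int, Set[int]], Dict[str, Set[int]]]:
    """Return (slot -> VLANs delivered to that module, trunk -> allowed VLANs)."""
    groups: Dict[int, Set[int]] = {}
    slots: Dict[int, Set[int]] = {}
    trunks: Dict[str, Set[int]] = {}
    current_if = None
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["firewall", "vlan-group"]:
            groups[int(t[2])] = expand_range(t[3])
        elif t[:2] == ["firewall", "module"]:
            slot = slots.setdefault(int(t[2]), set())
            for group_id in expand_range(t[4]):
                slot.update(groups.get(group_id, set()))  # unknown group adds nothing
        elif t[:1] == ["interface"]:
            current_if = t[1]
        elif t[:4] == ["switchport", "trunk", "allowed", "vlan"] and current_if:
            # Only the plain and 'add' forms are handled; except/remove/none
            # would need the switch's full VLAN list to evaluate.
            if t[4] not in ("except", "remove", "none"):
                spec = t[5] if t[4] == "add" else t[4]
                trunks.setdefault(current_if, set()).update(expand_range(spec))
    return slots, trunks


def parse_fwsm(text: str) -> Tuple[Dict[str, int], Set[str]]:
    """Return (if_name -> VLAN from nameif, set of if_names with an access-group)."""
    named: Dict[str, int] = {}
    guarded: Set[str] = set()
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["nameif"]:
            named[t[2]] = int(t[1])
        elif t[:1] == ["access-group"] and t[2:4] == ["in", "interface"]:
            guarded.add(t[4])
    return named, guarded


def check_deployment(switch_text: str, fwsm_text: str, slot: int) -> List[str]:
    """Return findings for the module in `slot`; an empty list means consistent."""
    slots, trunks = parse_switch(switch_text)
    named, guarded = parse_fwsm(fwsm_text)
    delivered = slots.get(slot, set())
    findings: List[str] = []
    for if_name, vlan in sorted(named.items()):
        if vlan not in delivered:
            # The module accepts traffic only on VLANs the switch assigned to it.
            findings.append(f"{if_name}: VLAN {vlan} is not in a vlan-group attached "
                            f"to slot {slot}; the module will not accept traffic on it")
        if if_name not in guarded:
            # Access lists default to deny any any, so nothing enters here.
            findings.append(f"{if_name}: no access-group bound; the default "
                            "deny any any blocks all traffic entering this interface")
    firewall_vlans = set(named.values())
    for trunk, allowed in sorted(trunks.items()):
        leaked = sorted(allowed & firewall_vlans)
        if leaked:  # the document's note: keep firewall VLANs off trunks
            findings.append(f"{trunk}: trunk carries firewall VLAN(s) {leaked}; "
                            "remove them from the allowed list")
    return findings
```

Running check_deployment(SWITCH_CONFIG, FWSM_CONFIG, 8) reports the unassigned VLAN 90, the two interfaces without an access-group, and the trunk still carrying VLAN 55.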

Saving the Configuration


To save your configuration, use one of the following methods:
• Store the configuration in Flash memory using the write memory command. You also can restore a
configuration from Flash memory using the configure memory command.
• Store the configuration on a TFTP server using the tftp-server command to initially specify a host
and the write net command to store the configuration.
To display your configuration, use one of the following methods:
• To list the stored configuration, use the show configuration command.
• To list the running configuration, use the write terminal command or show running command.

Using PDM
Cisco PIX Device Manager (PDM) is a single-device graphical user interface (GUI) application that you
can use to manage your Firewall Services Module. For detailed information about PDM, refer to the
Cisco PIX Device Manager Installation Guide, Version 2.1.

Note PDM must be downloaded and installed for the Firewall Services Module release 1.1. You can download
the image from CCO to upgrade PDM. Refer to “Upgrading the PDM” section on page 3-10 for
download and installation information.

Note The Firewall Services Module 1.1(2) software release is shipped with a preinstalled PDM 2.1 image. You
can download the image from CCO to upgrade PDM if necessary. Refer to “Upgrading the PDM” section
on page 3-10 for download and installation information.

Note Be sure that you have configured the firewall VLAN (SVI) on the MSFC and that the module is
recognized by the switch. Refer to “Configuring the Switch Interface” section on page 3-3 for more
information.

These sections describe the PDM and how to use it with your Firewall Services Module:
• PDM Overview, page 3-9
• PDM Restrictions, page 3-9
• Platform and Browser Requirements, page 3-9
• Setting Up the Module for PDM, page 3-9
• Upgrading the PDM, page 3-10
• Starting PDM, page 3-11

PDM Overview
PDM is a signed Java applet that uses certificates and HTTP over SSL (HTTPS) to securely transmit all
information between PDM and the Firewall Services Module. PDM performs the following functions:
• Configures your module without using the module CLI. You do not need to know the CLI commands
to use PDM.
• Monitors the module with real-time graphs and data, including connection and throughput
information. (You can also view up to five days of historical data.)
• Monitors and configures modules individually. You can point your browser to different modules and
administer them from a single workstation.

PDM Restrictions
These commands specific to the module are not supported by PDM 2.1:
• Any OSPF configuration commands; they are ignored but not changed by PDM.
• Any VPN configuration commands; they are ignored but not changed by PDM.
Refer to the PDM 2.1 release notes for the complete list of unsupported commands. The release notes
are located at the following URL:
http://cio.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_21/pdmrn21/pdmrn21.htm

Note When running PDM 2.1 on the module, the Startup Wizard and VPN Wizard are not available.

Platform and Browser Requirements


PDM is supported on the following platforms and browsers:
• Windows 2000, Windows NT 4.0, Windows 98, Windows ME, Windows XP Internet Explorer 5.0
or higher, or Netscape Navigator 4.51 or 4.7x, and at least 128 MB RAM
• Sun workstation with Solaris 2.6 or higher with Netscape Navigator 4.51 or 4.7x
• Red Hat Linux 7.0 or higher with Netscape Navigator 4.7x and at least 64 MB RAM
For details about PDM and its operation, refer to the Cisco PIX Device Manager Installation Guide,
Version 2.1.
The installation guide is located at the following URL:
http://cio.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_21/pdmig/index.htm

Setting Up the Module for PDM


Before you do this procedure, make sure you have installed the Firewall Services Module into the switch
and you have completed the basic configuration described earlier in this chapter. Refer to the
“Configuration Overview” section on page 3-1.
To set up the module to use the PDM application, follow these steps:

Step 1 Log into the Catalyst 6500 series switch where the Firewall Services Module is installed.
Step 2 Enter the enable mode, and then enter the configuration mode.
Step 3 Create a secure VLAN group by entering:
Cisco IOS:
Router# firewall vlan-group VLAN-group vlan-interfaces

Catalyst Operating System


Console>(enable) set vlan vlan-range firewall-vlan module-number

Step 4 Map the secure VLAN group to the module by entering:


Cisco IOS only:
Router# firewall module module-number vlan-group VLAN-group

Step 5 Telnet to the module and enter the enable mode, and then enter the configuration mode.
Step 6 Run the setup CLI and follow the instructions as follows:
Router> enable
Password:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# firewall vlan-group 5 10,20,50-51
Router(config)# firewall module 3 vlan-group 5
Router(config)# exit
Router# telnet 192.168.1.1
Trying 192.168.1.1 ... Open

FWSM passwd:
Welcome to the FWSM firewall

Type help or '?' for a list of available commands.


FWSM# enable
Password:
FWSM# configure terminal
FWSM(config)# setup
Pre-configure FWSM Firewall now through interactive prompts [yes]?

To complete this setup, follow the instructions that appear on the terminal.

Upgrading the PDM


To install or upgrade PDM on the module, enter this command:
copy tftp://location/pathname flash:pdm

This example shows how to install or upgrade PDM on the module:


FWSM# copy tftp://10.1.1.1/pdm-211.bin flash:pdm

10.1.1.1 is the location of the TFTP server and the PDM image.
Verify that PDM was downloaded to the module.

Starting PDM
To start PDM, open a browser and enter the address of the module using HTTPS:
https://IP_address_of_FWSM

This example shows how to start PDM:


https://192.168.1.1

192.168.1.1 is the IP address of one of the VLAN interfaces on the module.


You can now use the PDM 2.1 application to configure your Firewall Services Module. Access the PDM
online help to use the application.

Chapter 4
Configuring Firewall Services

This chapter describes how to configure firewall services and contains these sections:
• Configuring Firewall Failover, page 4-1
• Using SNMP, page 4-7
• Configuring OSPF Routing Support, page 4-15
• Configuring IPSec for Management, page 4-28

Configuring Firewall Failover


Failover uses two modules that must have identical configurations. You can configure the modules in the
following ways:
• An intra-switch failover where two or more firewall modules are in a single chassis.
• An inter-switch failover with a firewall module in each of two chassis.

Note Refer to the “Configuring Failover” section on page 4-4 for a detailed description of the firewall
failover configuration.

This section describes how to configure failover on the Firewall Services Module:
• Setting up a Single-Chassis Configuration, page 4-1
• Setting Up a Dual-Chassis Configuration, page 4-3
• Configuring Failover, page 4-4

Setting up a Single-Chassis Configuration


To set up failover on a single chassis, install two firewall modules on the same chassis and assign the
same firewall VLAN group to both modules.

Figure 4-1 Failover Single Chassis Configuration (figure not reproduced; it shows two FWSMs in one Catalyst 6500 chassis, each attached to the MSFC by a 6 Gig (dot1q) EtherChannel, with a Failover link and the interfaces Inside 100, DMZ1 101, DMZ2 102, and Outside 200)

To configure failover in a single chassis, perform this task:

Command                                                            Purpose
Step 1   Router(config)# firewall vlan-group group-name vlan-group    Assigns VLANs to a VLAN group.
Step 2   Router(config)# firewall module slot vlan-group group-name   Assigns the VLAN group to the primary module.
Step 3   Router(config)# failover lan interface if_name                Configures the failover interface on the secondary module.
Step 4   Router(config)# firewall module slot vlan-group group-name   Assigns the VLAN group to the secondary module.

This example shows how to configure failover in a single chassis:


Router(config)# firewall vlan-group 10 10,20,30,40,50
Router(config)# firewall module 4 vlan-group 10
Router(config)# failover lan interface 1
Router(config)# firewall module 6 vlan-group 10

Setting Up a Dual-Chassis Configuration


To set up failover across two chassis, install a firewall module in each chassis and assign the same
firewall VLAN group to both modules.
To set up a dual-chassis configuration, perform this task:

Command                                                             Purpose
Step 1   Router1(config)# firewall vlan-group group-name vlan-group    Configures the same set of firewall VLANs on both chassis.
Step 2   Router2(config)# firewall module slot vlan-group group-name   Provides a trunk connecting the two chassis, carrying all the firewall VLANs.

Figure 4-2 shows a dual-chassis configuration.

Figure 4-2 Dual-Chassis Failover Configuration (figure not reproduced; it shows an active FWSM and a standby FWSM in two Catalyst 6500 chassis, each with its own MSFC and a 6 Gig (dot1q) EtherChannel, sharing Inside VLAN100, DMZ1 VLAN101, DMZ2 VLAN102, Outside, and the optional Failover VLAN200)

This example shows how to configure failover in two chassis:


Router1(config)# firewall vlan-group 10 10,20,30,40
Router1(config)# firewall module 4 vlan-group 10
Router2(config)# firewall vlan-group 20 10,20,30,40
Router2(config)# firewall module 5 vlan-group 20

Configuring Failover
For a failover configuration, both firewall modules need to have the same RAM and Flash memory size
and be running the same software version.
To configure failover, follow these steps:

Step 1 Set up one module as the primary with a firewall configuration without failover.

Note Do not add a firewall configuration on the secondary module because a configuration set on the
secondary module is not synchronized to the active module. This configuration is cleared during the
configuration synchronization from the active module.

Step 2 Create a dedicated logical interface (VLAN) for failover communication using the nameif vlan_id
if_name security_level command.

Note You must add the dedicated logical VLAN to the VLAN group using the firewall vlan-group command
and activate the dedicated VLAN using the vlan vlan_id state active command.

Step 3 Configure the module as primary using the failover lan unit primary command.
Step 4 Define the failover interface using the failover lan interface if_name command.
Step 5 Specify the IP address for the primary failover interface using the ip address if_name ip_addr [mask]
command.
This is the IP address used by the primary module on the failover interface.
Step 6 Assign the IP addresses for all of the interfaces using the ip address if_name ip_address [mask]
command.
Step 7 Specify the failover IP address for the secondary failover interface using the failover ip address if_name
ip_addr command.
This is the IP address used by the secondary module on the failover interface.
Step 8 Assign the failover IP addresses for all of the interfaces using the failover ip address if_name ip_addr
command.
This command specifies the IP address used by the standby module on other firewall interfaces. The
client hosts are not expected to use this IP address to communicate to the module.
Step 9 Enable failover on the primary module using the failover command.
Step 10 Store the failover configuration on the primary module in the Flash using the write memory command.

Note This command is required to ensure that the module comes back online with the failover configuration
after a reload (or after a failure recovery).

Step 11 When the primary module becomes the active module (use the show failover command to see the status),
start the failover configuration on the secondary module.
Step 12 The secondary module should not have a firewall configuration. If you need to clear the configuration
on the secondary module, use the clear configure all command.

Step 13 Enter the same set of failover commands on the secondary module, repeating Step 2 through Step 7.
However, in Step 3 use the failover lan unit secondary command for the secondary module.
The primary and the secondary module should have the identical failover configuration, except for the
failover LAN module configuration as primary and secondary.

Note Make sure both primary and secondary modules have the identical definition for the failover interface.

Step 14 Use the ping command to check the connectivity between the primary and secondary module on the
failover interface.
Enter the icmp permit 0 0 if_name command to configure the failover interface to allow the ping to go
through the firewall.
Step 15 Save the failover configuration on Flash using the write memory command.
The secondary module should detect the primary module and then switch to standby. The firewall
configuration is synchronized from the active module to the standby module.

Warning Configuration replication is not performed from the standby module to the active module.
Configurations are no longer synchronized.

Step 16 Enable failover on the secondary module using the failover command.
Step 17 To enable stateful failover, configure a dedicated interface for stateful failover using the failover link
if_name command, which allows the state information to synchronize.

Note We recommend that you separate the failover and logical update interfaces into separate links. Packets
on the failover link are tagged with a higher priority for QOS. Because stateful traffic can be high in
volume, the advantages of prioritizing failover traffic are lost by keeping both the failover link and
failover LAN interfaces the same.

These examples show how to configure failover on a pair of Firewall Services Modules.
The modules are located in two different switches. A dedicated VLAN (vlan 4000) is created for the
failover protocol. The following conditions apply:
• Most of the configuration is performed on the primary module.
• The primary module is designated using the failover lan unit primary command.
• Shortly after the failover command is entered, the primary module becomes active.
• On the secondary module, only one interface is named using the nameif command. Use the interface
that is dedicated to the failover protocol.
• The same IP address is assigned to the dedicated failover interface that you assigned to the primary
unit (in this example: 10.40.40.1).

• The same address is assigned that you used on the primary unit with the failover ip address
command (in this example: 10.40.40.2).
This example shows how to configure the primary module:
FWSM(config)# show vlan
30, 40, 4000
FWSM(config)#
FWSM(config)# fail lan unit pri
FWSM(config)# nameif 4000 fover 50
FWSM(config)# nameif 30 outside 0
FWSM(config)# nameif 40 inside 100
FWSM(config)# ip address fover 10.40.40.1 255.255.255.0
FWSM(config)# ip address inside 10.2.1.1 255.255.255.0
FWSM(config)# ip address outside 10.11.1.2 255.255.255.0
FWSM(config)# fail ip address fover 10.40.40.2 255.255.255.0
FWSM(config)# fail ip address inside 10.2.1.2 255.255.255.0
FWSM(config)# fail ip address outside 10.11.1.3 255.255.255.0
FWSM(config)# fail lan int fover
FWSM(config)# logg on
FWSM(config)# logg monitor 7
FWSM(config)# logg con 7
111008: User 'enable_15' executed the 'logging con 7' command.
FWSM(config)# no logg mess 111008
FWSM(config)# no logg mess 111009
FWSM(config)# fail
105002: (Primary) Enabling failover.
FWSM(config)#
No Response from Mate. Switching to Active

You can begin to configure the standby module at this time:


Sync Process Start
Sync Process End
709004: (Primary) End Configuration Replication (ACT)
105003: (Primary) Monitoring on interface 2 waiting
105003: (Primary) Monitoring on interface 1 waiting
105004: (Primary) Monitoring on interface 2 normal
105004: (Primary) Monitoring on interface 1 normal
302010: 0 in use, 0 most used
302010: 0 in use, 0 most used

This example shows how to configure the standby or secondary module:


FWSM(config)# fail lan unit sec
FWSM(config)# nameif 4000 fover 50
FWSM(config)# ip address fover 10.40.40.1 255.255.255.0
FWSM(config)# fail ip address fover 10.40.40.2 255.255.255.0
FWSM(config)# fail lan int fover
FWSM(config)# fail
FWSM(config)# logg on
FWSM(config)# logg mon 7
FWSM(config)# logg con 7
FWSM(config)# 111008: User 'enable_15' executed the 'logging con 7' command.

Detected an Active mate. Switching to Standby

Switching to Standby.

FWSM(config)#
Beginning configuration replication from mate.
This unit is in syncing state. 'failover' command will not be effective at this time
End configuration replication from mate.
709006: (Secondary) End Configuration Replication (STB)
Access Rules Download Complete: Memory Utilization < 1%

105003: (Secondary) Monitoring on interface 2 waiting
105003: (Secondary) Monitoring on interface 1 waiting
105004: (Secondary) Monitoring on interface 2 normal
105004: (Secondary) Monitoring on interface 1 normal

This example shows how to monitor the failover status on the primary and secondary modules:
Primary module:
FWSM(config)# show fail
Failover On
Failover unit Primary
Failover LAN Interface fover
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: Primary - Active
Active time: 29925 (sec)
Interface outside (10.11.1.2): Normal
Interface inside (10.2.1.1): Normal
Other host: Secondary - Standby
Active time: 285 (sec)
Interface outside (10.11.1.3): Normal
Interface inside (10.2.1.2): Normal

Stateful Failover Logical Update Statistics


Link : Unconfigured.

Secondary module:
FWSM(config)# show fail
Failover On
Failover unit Secondary
Failover LAN Interface fover
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: Secondary - Standby
Active time: 285 (sec)
Interface inside (10.2.1.2): Normal
Interface outside (10.11.1.3): Normal
Other host: Primary - Active
Active time: 30750 (sec)
Interface inside (10.2.1.1): Normal
Interface outside (10.11.1.2): Normal

Stateful Failover Logical Update Statistics


Link : Unconfigured.

FWSM(config)#
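As an added example (not part of the Cisco document), the following Python script checks a primary and secondary configuration pair like the one above against the rules of the procedure: matching unit roles, an identically defined failover interface with the same ip address and failover ip address on both units, a standby address in the same subnet for every addressed interface, and no extra firewall configuration on the secondary. The sample configurations repeat this section's example with its abbreviated command forms; the ipaddress module is Python's standard library.

```python
"""Check a primary/secondary FWSM failover configuration pair for the
consistency the procedure above requires.  Added example, not Cisco code.
The sample configurations repeat the ones shown in this section, with the
abbreviated command forms the examples use."""
import ipaddress
from typing import Dict, List

PRIMARY = """\
fail lan unit pri
nameif 4000 fover 50
nameif 30 outside 0
nameif 40 inside 100
ip address fover 10.40.40.1 255.255.255.0
ip address inside 10.2.1.1 255.255.255.0
ip address outside 10.11.1.2 255.255.255.0
fail ip address fover 10.40.40.2 255.255.255.0
fail ip address inside 10.2.1.2 255.255.255.0
fail ip address outside 10.11.1.3 255.255.255.0
fail lan int fover
"""

SECONDARY = """\
fail lan unit sec
nameif 4000 fover 50
ip address fover 10.40.40.1 255.255.255.0
fail ip address fover 10.40.40.2 255.255.255.0
fail lan int fover
"""

# Abbreviated keywords used in the examples, expanded before matching.
ALIASES = {"fail": "failover", "int": "interface", "pri": "primary", "sec": "secondary"}


def parse_unit(text: str) -> Dict:
    """Collect the failover-relevant statements of one unit's configuration."""
    unit: Dict = {"role": None, "lan_if": None, "nameif": {}, "addr": {}, "fo_addr": {}}
    for raw in text.splitlines():
        t = [ALIASES.get(tok, tok) for tok in raw.split()]
        if t[:3] == ["failover", "lan", "unit"]:
            unit["role"] = t[3]
        elif t[:3] == ["failover", "lan", "interface"]:
            unit["lan_if"] = t[3]
        elif t[:1] == ["nameif"]:  # nameif vlan if_name security_level
            unit["nameif"][t[2]] = (int(t[1]), int(t[3]))
        elif t[:2] == ["ip", "address"]:  # address used by the active unit
            unit["addr"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[:3] == ["failover", "ip", "address"]:  # address used by the standby unit
            unit["fo_addr"][t[3]] = ipaddress.ip_interface(f"{t[4]}/{t[5]}")
    return unit


def check_pair(primary_text: str, secondary_text: str) -> List[str]:
    """Return findings; an empty list means the pair follows the procedure's rules."""
    p, s = parse_unit(primary_text), parse_unit(secondary_text)
    findings: List[str] = []
    if (p["role"], s["role"]) != ("primary", "secondary"):
        findings.append(f"unit roles are {p['role']}/{s['role']}, expected primary/secondary")
    fo = p["lan_if"]
    if not fo or fo != s["lan_if"]:
        findings.append("failover lan interface is missing or differs between units")
    elif p["nameif"].get(fo) != s["nameif"].get(fo):
        # Note after Step 13: the failover interface must be defined identically.
        findings.append(f"{fo}: nameif (vlan, security level) differs between units")
    for table, label in (("addr", "ip address"), ("fo_addr", "failover ip address")):
        # The secondary repeats the primary's addresses on the failover interface.
        if fo and p[table].get(fo) != s[table].get(fo):
            findings.append(f"{fo}: {label} differs between units")
    for if_name, active in sorted(p["addr"].items()):
        standby = p["fo_addr"].get(if_name)
        if standby is None:  # Steps 7 and 8: every interface needs a standby address
            findings.append(f"{if_name}: no failover ip address for the standby unit")
        elif standby.network != active.network or standby.ip == active.ip:
            findings.append(f"{if_name}: standby address {standby.ip} must be a "
                            f"distinct host in {active.network}")
    extra = sorted(set(s["nameif"]) - {fo})
    if extra:  # Note under Step 1: this configuration is cleared by replication
        findings.append(f"secondary names non-failover interfaces {extra}; "
                        "replication from the active unit will clear them")
    return findings
```

check_pair(PRIMARY, SECONDARY) returns no findings for the pair shown in this section; changing one standby address to another subnet, or naming an extra interface on the secondary, produces a finding that names the interface and the rule it breaks.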

Using SNMP
You can monitor system events on the Firewall Services Module by using SNMP. SNMP access to the
module is read-only: you can poll MIB objects and receive traps, but you cannot change the module
configuration with SNMP.
Use CiscoWorks for Windows or any other SNMP version 1, MIB-II-compliant browser to receive SNMP
traps and browse a MIB. The module sends traps to UDP port 162 on the management station. SNMP
version 1 carries the community string in cleartext in every packet, so choose it as you would a
password and keep SNMP traffic on a protected management network.

Note The Firewall Services Module does not support browsing of the Cisco syslog MIB.

You can browse the System and Interface groups of MIB-II. Browsing a MIB is different from receiving
traps: the management station polls the module with snmpget or snmpwalk requests and walks the MIB
tree to determine values, whereas traps are sent by the module on its own initiative.
This section describes how to use SNMP on the Firewall Services Module:
• MIB Support, page 4-8
• SNMP Traps, page 4-8
• Compiling Cisco Syslog MIB Files, page 4-9
• Using the Firewall and Memory Pool MIBs, page 4-10
• SNMP Usage Notes, page 4-15

MIB Support
The Firewall Services Module supports the Cisco Firewall MIB and Cisco Memory Pool MIB.
The Firewall Services Module does not support the following in the Cisco Firewall MIB:
• cfwSecurityNotification NOTIFICATION-TYPE
• cfwContentInspectNotification NOTIFICATION-TYPE
• cfwConnNotification NOTIFICATION-TYPE
• cfwAccessNotification NOTIFICATION-TYPE
• cfwAuthNotification NOTIFICATION-TYPE
• cfwGenericNotification NOTIFICATION-TYPE

SNMP Traps
Traps are unsolicited notifications from the managed device to the management station for specific
events, such as link up, link down, and syslog message generation.
The snmp-server command causes the Firewall Services Module to send SNMP traps so that the module
can be monitored remotely. Use the snmp-server host command to specify which systems receive the
SNMP traps.
Every event trap sent from the module carries the system object ID (OID) of the module. The module
reports mib-2.system.sysObjectID as 1.3.6.1.4.1.9.1.227, the original PIX Firewall OID, and uses the
same OID in the traps it sends.
The module answers SNMP requests from the management station and sends event notification traps
to it.
The Firewall Services Module SNMP traps available to an SNMP management station are as follows:
• Generic traps:
– Link up and link down (VLAN connected to the interface or not)
– Cold start
– Authentication failure (mismatched community string)
• Security-related events are sent through the Cisco Syslog MIB:
– Global access denied
– Failover syslog messages
– syslog messages

Receiving Requests and Sending Syslog Traps
To receive requests and send traps from the Firewall Services Module to an SNMP management station,
follow these steps:

Step 1 Identify the IP address of the SNMP management station by using the snmp-server host command.
Step 2 Set the snmp-server options for location, contact, and the community string as required.
You do not need to do further configuration if you only want to send the cold start, link up, and link down
generic traps, and you only want to receive SNMP requests.
Step 3 Add an snmp-server enable traps command statement to the configuration.
Step 4 Set the logging level with the logging history command:
logging history debugging

The logging history command sets the severity level of the syslog messages that are sent as SNMP
traps. We recommend that you use the debugging level during initial setup and during testing. After
setup, set the level from debugging to a lower value: at the debugging level every syslog message
becomes a trap, which can flood the management station on a busy module.
Step 5 Start sending syslog traps to the management station using the logging on command.
Step 6 To disable sending syslog traps, use the no logging on command or the no snmp-server enable traps
command.

Compiling Cisco Syslog MIB Files
To receive security and failover SNMP traps from the Firewall Services Module, compile the Cisco SMI
MIB and the Cisco syslog MIB into your SNMP management application. If you do not compile the
Cisco syslog MIB into your application, you receive only traps for link up or down, firewall cold start,
and authentication failure.
To obtain the Cisco MIB files go to the following URLs:
• http://www.cisco.com/public/mibs/v2/CISCO-FIREWALL-MIB.my
• ftp://ftp.cisco.com/pub/mibs/v2/CISCO-FIREWALL-MIB.my
• http://www.cisco.com/public/mibs/v2/CISCO-MEMORY-POOL-MIB.my
• ftp://ftp.cisco.com/pub/mibs/v2/CISCO-MEMORY-POOL-MIB.my
• http://www.cisco.com/public/mibs/v2/CISCO-SMI.my
• ftp://ftp.cisco.com/pub/mibs/v2/CISCO-SMI.my
• http://www.cisco.com/public/mibs/v2/CISCO-SYSLOG-MIB.my
• ftp://ftp.cisco.com/pub/mibs/v2/CISCO-SYSLOG-MIB.my
To compile the Cisco MIB files into your browser using CiscoWorks for Windows (SNMPc), follow
these steps:

Step 1 Obtain the Cisco MIB files listed above.
Step 2 Start SNMPc.
Step 3 Select Config>Compile MIB.
Step 4 Scroll to the bottom of the list, and select the last entry.
Step 5 Click Add.
Step 6 Find the Cisco MIB files.

Note With certain applications, only files with a .mib extension are shown in the file selection window of
SNMPc, and the Cisco MIB files, which have a .my extension, do not appear. In this case, manually
rename the files from the .my extension to a .mib extension.

Step 7 Select CISCO-FIREWALL-MIB.my (CISCO-FIREWALL-MIB.mib) and click OK.
Step 8 Scroll to the bottom of the list, and select the last entry.
Step 9 Click Add.
Step 10 Locate the CISCO-MEMORY-POOL-MIB.my (CISCO-MEMORY-POOL-MIB.mib) file and click OK.
Step 11 Scroll to the bottom of the list, and select the last entry.
Step 12 Click Add.
Step 13 Locate the CISCO-SMI.my (CISCO-SMI.mib) file and click OK.
Step 14 Scroll to the bottom of the list, and select the last entry.
Step 15 Click Add.
Step 16 Locate the CISCO-SYSLOG-MIB.my (CISCO-SYSLOG-MIB.mib) file and click OK.
Step 17 Click Load All.
Step 18 Restart SNMPc if there are no errors. If there are errors, check your configuration.

Using the Firewall and Memory Pool MIBs
You can poll failover and system status using the Cisco Firewall and Memory Pool MIBs. With the MIB
tables, you can view failover status, memory usage, connection count, and system buffer usage.

Viewing Failover Status
The cfwHardwareStatusTable in the Cisco Firewall MIB indicates whether failover is enabled and which
module is active. The table has two rows, one for the primary module and one for the secondary
module. From the Firewall Services Module command line, you can view the same information with
the show failover command. You can access the object table from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.
ciscoFirewallMIBObjects.cfwSystem.cfwStatus.cfwHardwareStatusTable

Table 4-1 lists which objects provide failover information.

Table 4-1 Failover Status Objects

Object                    Object Type       Row 1: Returned if         Row 1: Returned if         Row 2: Returned if
                                            Failover is Disabled       Failover is Enabled        Failover is Enabled
cfwHardwareType           Hardware          6 (primary module)(1)      6 (primary module)         7 (secondary module)
(table index)
cfwHardwareInformation    SnmpAdminString   blank                      blank                      blank
cfwHardwareStatusValue    HardwareStatus    0 (not used)               active or 9 (active        active or 9 (active
                                                                       module), or standby or     module), or standby or
                                                                       10 (standby module)        10 (standby module)
cfwHardwareStatusDetail   SnmpAdminString   Failover Off               blank                      blank

1. The meaning of each returned value is shown in parentheses.

In the HP OpenView Browse MIB application’s MIB values window, if failover is disabled, a sample
MIB query displays the following information:
cfwHardwareInformation.6:
cfwHardwareInformation.7 :
cfwHardwareStatusValue.6 :0
cfwHardwareStatusValue.7 :0
cfwHardwareStatusDetail.6 :Failover Off
cfwHardwareStatusDetail.7 :Failover Off

In this list, the table index, cfwHardwareType, appears as either .6 or .7 appended to the end of each of
the subsequent objects. The cfwHardwareInformation field is blank, the cfwHardwareStatusValue is 0,
and the cfwHardwareStatusDetail contains Failover Off, which indicates the failover status.
When failover is enabled, a sample MIB query displays the following information:
cfwHardwareInformation.6 :
cfwHardwareInformation.7 :
cfwHardwareStatusValue.6 : active
cfwHardwareStatusValue.7 : standby
cfwHardwareStatusDetail.6 :
cfwHardwareStatusDetail.7 :

In this list, only the cfwHardwareStatusValue contains either active or standby values to indicate the
status of each module.
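The decoding described above, as an added example that is not part of this note: a small Python poller that turns the two rows of cfwHardwareStatusTable into a failover state and flags the conditions worth an alarm (no active module, two active modules, or a change of the active module between two polls). Only the values Table 4-1 documents (0, 9, 10 and the active/standby labels) are interpreted; the row dictionaries are constructed to mirror the two sample queries, and how a failed module reports its own row is an assumption.

```python
# Added example (not from the Cisco note): decode a walk of cfwHardwareStatusTable
# into the failover state of the pair and flag the cases a poller should alarm on.
# Only the values Table 4-1 documents (0, 9, 10) are interpreted; the row
# dictionaries below are constructed to mirror the two sample queries.

NOT_USED, ACTIVE, STANDBY = 0, 9, 10      # cfwHardwareStatusValue values from Table 4-1
PRIMARY, SECONDARY = 6, 7                 # cfwHardwareType index: 6 primary, 7 secondary
ROLE = {PRIMARY: "primary", SECONDARY: "secondary"}
LABEL = {"active": ACTIVE, "standby": STANDBY}   # MIB browsers show the label, not the integer


def _status(value):
    """Normalize a cfwHardwareStatusValue cell: accept the enumeration label or the integer."""
    if isinstance(value, str):
        return LABEL.get(value.strip().lower(), NOT_USED)
    return int(value)


def failover_state(rows):
    """rows maps (object name, cfwHardwareType index) to the value returned for that cell.

    Returns whether failover is enabled, which module is active, which is standby and
    whether the pair is healthy: exactly one active and one standby module."""
    if rows.get(("cfwHardwareStatusDetail", PRIMARY), "") == "Failover Off":
        return {"enabled": False, "active": None, "standby": None, "healthy": True}
    status = {idx: _status(rows.get(("cfwHardwareStatusValue", idx), NOT_USED))
              for idx in (PRIMARY, SECONDARY)}
    active = [ROLE[i] for i, s in status.items() if s == ACTIVE]
    standby = [ROLE[i] for i, s in status.items() if s == STANDBY]
    # Two active modules means both believe they own the addresses (split brain); no
    # active module means the standby never took over after the active unit was lost.
    return {
        "enabled": True,
        "active": active[0] if len(active) == 1 else None,
        "standby": standby[0] if len(standby) == 1 else None,
        "healthy": len(active) == 1 and len(standby) == 1,
    }


def failover_event(previous, current):
    """Compare two consecutive polls; describe a takeover or a loss of health, else None."""
    if previous["active"] != current["active"]:
        return "active module changed from %s to %s" % (previous["active"], current["active"])
    if previous["healthy"] and not current["healthy"]:
        return "failover pair no longer healthy: %s" % current
    return None


# Constructed rows mirroring the two HP OpenView queries shown above.
FAILOVER_OFF = {
    ("cfwHardwareInformation", PRIMARY): "", ("cfwHardwareInformation", SECONDARY): "",
    ("cfwHardwareStatusValue", PRIMARY): 0, ("cfwHardwareStatusValue", SECONDARY): 0,
    ("cfwHardwareStatusDetail", PRIMARY): "Failover Off",
    ("cfwHardwareStatusDetail", SECONDARY): "Failover Off",
}
FAILOVER_ON = {
    ("cfwHardwareInformation", PRIMARY): "", ("cfwHardwareInformation", SECONDARY): "",
    ("cfwHardwareStatusValue", PRIMARY): "active", ("cfwHardwareStatusValue", SECONDARY): "standby",
    ("cfwHardwareStatusDetail", PRIMARY): "", ("cfwHardwareStatusDetail", SECONDARY): "",
}
# Assumed picture of the same pair after the primary failed and the secondary took over:
# the primary row no longer reports standby, so the pair is not healthy until it returns.
AFTER_TAKEOVER = {**FAILOVER_ON,
                  ("cfwHardwareStatusValue", PRIMARY): NOT_USED,
                  ("cfwHardwareStatusValue", SECONDARY): ACTIVE}

if __name__ == "__main__":
    for name, rows in ("off", FAILOVER_OFF), ("on", FAILOVER_ON), ("takeover", AFTER_TAKEOVER):
        print(name, failover_state(rows))
    print(failover_event(failover_state(FAILOVER_ON), failover_state(AFTER_TAKEOVER)))
```

Polling both rows rather than only the primary row is what makes the split-brain and no-active cases detectable; a poller that reads cfwHardwareStatusValue.6 alone cannot tell a clean takeover from a lost pair.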

Verifying Memory Usage
You can determine how much free memory is available with the Cisco Memory Pool MIB. From the
Firewall Services Module command line, use the show memory command to view the memory usage.
The following is sample output from the show memory command:
FWSM(config)# show memory
16777216 bytes total, 5595136 bytes free

You can access the MIB objects from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoMemoryPoolMIB.
ciscoMemoryPoolObjects.ciscoMemoryPoolTable

Table 4-2 lists which objects provide memory usage information.

Table 4-2 Memory Usage Objects

Object                       Object Type            Returned Value
ciscoMemoryPoolType          CiscoMemoryPoolTypes   1 (processor memory)
(table index)
ciscoMemoryPoolName          DisplayString          Firewall Services Module system memory
ciscoMemoryPoolAlternate     Integer32              0 (no alternate memory pool)
ciscoMemoryPoolValid         TruthValue             true (the values of the remaining objects are valid)
ciscoMemoryPoolUsed          Gauge32                integer (number of bytes currently in use: the total bytes
                                                    minus the free bytes)
ciscoMemoryPoolFree          Gauge32                integer (number of bytes currently free)
ciscoMemoryPoolLargestFree   Gauge32                0 (information not available)

In the HP OpenView Browse MIB application’s MIB values window, a sample MIB query displays the
following information:
ciscoMemoryPoolName.1 :FWSM system memory
ciscoMemoryPoolAlternate.1 :0
ciscoMemoryPoolValid.1 :true
ciscoMemoryPoolUsed.1 :12312576
ciscoMemoryPoolFree.1 :54796288
ciscoMemoryPoolLargestFree.1 :0

In this list, the table index, ciscoMemoryPoolType, appears as the .1 value at the end of each object
name. The ciscoMemoryPoolUsed object lists the number of bytes currently in use (12312576) and the
ciscoMemoryPoolFree object lists the number of bytes currently free (54796288). The other objects
always list the values described in Table 4-2.

Viewing the Connection Count
You can view the number of connections in use from the cfwConnectionStatTable in the Cisco Firewall
MIB. From the Firewall Services Module command line, enter the show conn count command to view
the connection count. The following is sample output from the show conn count command:
FWSM(config)# show conn count
15 in use

The cfwConnectionStatTable object table can be accessed from the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.
ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwConnectionStatTable

Table 4-3 lists which objects provide connection count information.

Table 4-3 Connection Count Objects

Object                         Object Type       Row 1: Returned Value              Row 2: Returned Value
cfwConnectionStatService       Service           40 (IP protocol)                   40 (IP protocol)
(table index)
cfwConnectionStatType          ConnectionStat    6 (current connections in use)     7 (high)
(table index)
cfwConnectionStatDescription   SnmpAdminString   number of connections currently    highest number of connections in
                                                 in use by the entire firewall      use at any one time since system
                                                                                    startup
cfwConnectionStatCount         Counter32         0 (not used)                       0 (not used)
cfwConnectionStatValue         Gauge32           integer (in use number)            0 (not used)

In the HP OpenView Browse MIB application’s MIB values window, a sample MIB query displays the
following information:
cfwConnectionStatDescription.40.6 :number of connections currently in use by the entire
firewall
cfwConnectionStatDescription.40.7 :highest number of connections in use at any one time
since system startup
cfwConnectionStatCount.40.6 :0
cfwConnectionStatCount.40.7 :0
cfwConnectionStatValue.40.6 :15
cfwConnectionStatValue.40.7 :15

In this list, the table index, cfwConnectionStatService, appears as the .40 appended to each object
name. The second table index, cfwConnectionStatType, appears as either .6, the number of
connections currently in use, or .7, the highest number of connections in use at any one time since
startup. The cfwConnectionStatValue object lists the connection count. The cfwConnectionStatCount
object always returns 0 (zero).

Viewing System Buffer Usage
You can view the system buffer usage from the Cisco Firewall MIB in multiple rows of the
cfwBufferStatsTable. The system buffer usage provides an early warning that the Firewall Services
Module is reaching its capacity limit. On the command line, enter the show blocks command to view
this information. The following is sample output from the show blocks command, which shows how
cfwBufferStatsTable is populated:
show blocks
SIZE MAX LOW CNT
4 1600 1600 1600
80 100 97 97
256 80 79 79
1550 780 402 404
65536 8 8 8

You can view cfwBufferStatsTable at the following path:
.iso.org.dod.internet.private.enterprises.cisco.ciscoMgmt.ciscoFirewallMIB.
ciscoFirewallMIBObjects.cfwSystem.cfwStatistics.cfwBufferStatsTable

Table 4-4 lists the objects required to view the system block usage.

Table 4-4 System Block Usage Objects

Object                     Object Type          First Row: Returned Value       Next Row: Returned Value        Next Row: Returned Value
cfwBufferStatSize          Unsigned32           integer (SIZE value; for        integer (SIZE value; for        integer (SIZE value; for
(table index)                                   example, 4 for a 4-byte block)  example, 4 for a 4-byte block)  example, 4 for a 4-byte block)
cfwBufferStatType          ResourceStatistics   3 (MAX)                         5 (LOW)                         8 (CNT)
(table index)
cfwBufferStatInformation   SnmpAdminString      maximum number of allocated     fewest integer byte blocks      current number of available
                                                integer byte blocks (integer    available since system startup  integer byte blocks (integer
                                                is the number of bytes in a     (integer is the number of       is the number of bytes in a
                                                block)                          bytes in a block)               block)
cfwBufferStatValue         Gauge32              integer (MAX number)            integer (LOW number)            integer (CNT number)

Note The three rows repeat for every block size listed in the output of the show blocks command.

In the HP OpenView Browse MIB application’s MIB values window a sample MIB query displays the
following information:
cfwBufferStatInformation.4.3 :maximum number of allocated 4 byte blocks
cfwBufferStatInformation.4.5 :fewest 4 byte blocks available since system startup
cfwBufferStatInformation.4.8 :current number of available 4 byte blocks
cfwBufferStatInformation.80.3 :maximum number of allocated 80 byte blocks
cfwBufferStatInformation.80.5 :fewest 80 byte blocks available since system startup
cfwBufferStatInformation.80.8 :current number of available 80 byte blocks
cfwBufferStatInformation.256.3 :maximum number of allocated 256 byte blocks
cfwBufferStatInformation.256.5 :fewest 256 byte blocks available since system startup
cfwBufferStatInformation.256.8 :current number of available 256 byte blocks
cfwBufferStatInformation.1550.3 :maximum number of allocated 1550 byte blocks
cfwBufferStatInformation.1550.5 :fewest 1550 byte blocks available since system startup
cfwBufferStatInformation.1550.8 :current number of available 1550 byte blocks
cfwBufferStatValue.4.3: 1600
cfwBufferStatValue.4.5: 1600
cfwBufferStatValue.4.8: 1600
cfwBufferStatValue.80.3: 400
cfwBufferStatValue.80.5: 396
cfwBufferStatValue.80.8: 400
cfwBufferStatValue.256.3: 1000
cfwBufferStatValue.256.5: 997
cfwBufferStatValue.256.8: 999
cfwBufferStatValue.1550.3: 1444
cfwBufferStatValue.1550.5: 928
cfwBufferStatValue.1550.8: 932

In this list, the first table index, cfwBufferStatSize, appears as the first number appended to the end of
each object name, such as .4 or .256. The other table index, cfwBufferStatType, appears as .3, .5, or .8
after the first index. For each block size, the cfwBufferStatInformation object describes the value and
the cfwBufferStatValue object gives the number of blocks of that size for each value (MAX, LOW,
and CNT); the values are block counts, not bytes.
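Added example, not Cisco code: the show blocks output above parsed into the (cfwBufferStatSize, cfwBufferStatType) rows that populate cfwBufferStatsTable, plus the early-warning check the section promises. The LOW column is the fewest blocks ever free since startup, so a small LOW-to-MAX ratio means a pool was nearly drained at some point even when CNT looks healthy now. The thresholds are assumptions to tune for your traffic.

```python
# Added example (not Cisco code): turn show blocks output into the (size, type) rows of
# cfwBufferStatsTable and apply an early-warning check. The input is the show blocks
# sample from this section; the thresholds are assumptions to tune for your traffic.

STAT_TYPE = {"MAX": 3, "LOW": 5, "CNT": 8}        # cfwBufferStatType values from Table 4-4

SHOW_BLOCKS = """\
SIZE MAX LOW CNT
4 1600 1600 1600
80 100 97 97
256 80 79 79
1550 780 402 404
65536 8 8 8
"""


def parse_show_blocks(text):
    """Return {(cfwBufferStatSize, cfwBufferStatType): cfwBufferStatValue} for each block size.

    Three rows per size, exactly as the MIB table is populated: .size.3 (MAX),
    .size.5 (LOW) and .size.8 (CNT)."""
    rows = {}
    lines = [line.split() for line in text.strip().splitlines() if line.strip()]
    if lines[0][:4] != ["SIZE", "MAX", "LOW", "CNT"]:
        raise ValueError("unexpected show blocks header: %r" % lines[0])
    for fields in lines[1:]:
        size, maximum, low, cnt = (int(f) for f in fields[:4])
        rows[(size, STAT_TYPE["MAX"])] = maximum
        rows[(size, STAT_TYPE["LOW"])] = low
        rows[(size, STAT_TYPE["CNT"])] = cnt
    return rows


def buffer_warnings(rows, low_ratio=0.25, cnt_ratio=0.25):
    """Flag block pools approaching exhaustion.

    LOW is the fewest blocks ever free since startup: a small LOW/MAX ratio means the pool
    was nearly drained at some point, even if CNT looks fine now. CNT/MAX below cnt_ratio
    means the pool is under pressure at poll time. Returns (size, stat, value, max) tuples."""
    warnings = []
    for size in sorted({s for s, _ in rows}):
        maximum = rows[(size, STAT_TYPE["MAX"])]
        if maximum == 0:
            continue
        for stat, ratio in (("LOW", low_ratio), ("CNT", cnt_ratio)):
            value = rows[(size, STAT_TYPE[stat])]
            if value / maximum < ratio:
                warnings.append((size, stat, value, maximum))
    return warnings


def oid_suffixes(rows):
    """Render the rows as the instance suffixes a walk of cfwBufferStatValue shows (.size.type)."""
    return {".%d.%d" % key: value for key, value in sorted(rows.items())}


if __name__ == "__main__":
    rows = parse_show_blocks(SHOW_BLOCKS)
    for suffix, value in oid_suffixes(rows).items():
        print("cfwBufferStatValue%s: %d" % (suffix, value))
    print("warnings at 60%%: %s" % buffer_warnings(rows, low_ratio=0.6, cnt_ratio=0.6))
```

Because LOW only ever goes down between reloads, a LOW warning tells you the pool has already been close to empty once; poll CNT at the same time to see whether the pressure is still present.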

Using the ipAddrTable
When you use the SNMP ipAddrTable entry, all interfaces must have unique addresses. If interfaces have
not been assigned IP addresses, their IP addresses are all set to 127.0.0.1 by default. Duplicate IP
addresses cause the SNMP management station to loop indefinitely. If this situation occurs, assign each
interface a different address. For example, you can set one address to 127.0.0.1, another to 127.0.0.2,
and so on.
SNMP uses a sequence of GetNext operations to traverse the MIB tree. Each GetNext request is based
on the result of the previous request. If two consecutive interfaces have the same IP 127.0.0.1 (table
index), the GetNext function returns 127.0.0.1, which is correct. However, when SNMP generates the
next GetNext request using the same result (127.0.0.1), the request is identical to the previous one, which
causes the management station to loop infinitely. For example:
GetNext(ip.ipAddrTable.ipAddrEntry.ipAdEntAddr.127.0.0.1)

With SNMP, the MIB table index must be unique for the agent to identify a row from the MIB table. The
table index for ip.ipAddrTable is the module interface IP address, which requires that the IP address is
unique. The SNMP agent might become confused and may return information of another interface (row),
which has the same IP (index).
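Added example, not Cisco code: a simulation of the GetNext loop described above and the check a walker needs to escape it. The agent class models the behaviour the text describes (a GetNext on a duplicated index answers with that same index again); it is not a capture from a module, and the interface names and addresses are constructed.

```python
# Added example (not Cisco code): a model of the ipAddrTable GetNext loop described
# above, with the check a walker needs to escape it. The agent below is a simulation
# of the behaviour the text describes, not a capture from a module; interface names
# and addresses are constructed.

IP_AD_ENT_ADDR = (1, 3, 6, 1, 2, 1, 4, 20, 1, 1)   # ip.ipAddrTable.ipAddrEntry.ipAdEntAddr
IP_ROUTE_TABLE = (1, 3, 6, 1, 2, 1, 4, 21)         # what a GetNext past the last row returns


def ip_index(addr):
    """The ipAddrTable index is the interface address itself, as four sub-identifiers."""
    return tuple(int(octet) for octet in addr.split("."))


def instance(oid):
    return ".".join(str(s) for s in oid[len(IP_AD_ENT_ADDR):])


class AddrTableAgent:
    """Simulated agent (assumption for this model): a GetNext finds the first row whose
    index equals the requested one and answers with the row after it. With two rows
    indexed 127.0.0.1 the answer to GetNext(...127.0.0.1) is again ...127.0.0.1."""

    def __init__(self, interfaces):
        self.rows = sorted((IP_AD_ENT_ADDR + ip_index(addr), name) for name, addr in interfaces)

    def get_next(self, oid):
        if oid <= IP_AD_ENT_ADDR:                      # asking for the column: first row
            return self.rows[0] if self.rows else (IP_ROUTE_TABLE, None)
        for i, (row_oid, _) in enumerate(self.rows):
            if row_oid == oid:
                return self.rows[i + 1] if i + 1 < len(self.rows) else (IP_ROUTE_TABLE, None)
        return (IP_ROUTE_TABLE, None)


def naive_walk(agent, max_requests=20):
    """Walk the column with no sanity check; returns (rows, still_looping)."""
    oid, found = IP_AD_ENT_ADDR, []
    for _ in range(max_requests):
        oid, name = agent.get_next(oid)
        if oid[:len(IP_AD_ENT_ADDR)] != IP_AD_ENT_ADDR:
            return found, False                        # left the column: finished
        found.append((instance(oid), name))
    return found, True                                 # still inside after the cap


def safe_walk(agent, max_requests=20):
    """Same walk, but stop when the agent returns an OID that is not lexicographically
    greater than the one requested (the "OID not increasing" error net-snmp snmpwalk
    reports). Returns (rows, error) with error None on a clean end of table."""
    oid, found = IP_AD_ENT_ADDR, []
    for _ in range(max_requests):
        next_oid, name = agent.get_next(oid)
        if next_oid[:len(IP_AD_ENT_ADDR)] != IP_AD_ENT_ADDR:
            return found, None
        if next_oid <= oid:
            return found, "OID not increasing: %s -> %s" % (instance(oid), instance(next_oid))
        found.append((instance(next_oid), name))
        oid = next_oid
    return found, "request limit reached"


# Two interfaces left without an address both sit at the 127.0.0.1 default.
DUPLICATE = [("inside", "10.2.1.1"), ("outside", "10.11.1.2"),
             ("dmz", "127.0.0.1"), ("spare", "127.0.0.1")]
# The remedy from the text: give every unassigned interface its own loopback address.
UNIQUE = [("inside", "10.2.1.1"), ("outside", "10.11.1.2"),
          ("dmz", "127.0.0.1"), ("spare", "127.0.0.2")]

if __name__ == "__main__":
    print(naive_walk(AddrTableAgent(DUPLICATE)))
    print(safe_walk(AddrTableAgent(DUPLICATE)))
    print(safe_walk(AddrTableAgent(UNIQUE)))
```

net-snmp's snmpwalk applies the same check and aborts with "Error: OID not increasing"; a home-grown poller that only compares against the column prefix is the one that spins forever, and the duplicate row is never reported either way until the addresses are made unique.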

SNMP Usage Notes
The following notes apply:
• The MIB-II ifEntry.ifAdminStatus object returns 1 if the interface is accessible. The object returns
2 if you administratively shut down the interface using the shutdown option of the interface
command.
• The SNMP ifOutUcastPkts object now correctly returns the outbound packet count.
• Syslog messages generated by the SNMP module specify the interface name instead of an interface
number.
• The ifSpeed option is not supported and will always return a zero.

Configuring OSPF Routing Support
The Firewall Services Module can run two Open Shortest Path First (OSPF) processes simultaneously.
Each OSPF process runs on a different set of interfaces. RIP cannot be enabled on an interface on
which OSPF is enabled.
Redistribution between the two OSPF processes is supported. Redistribution between RIP and OSPF is
not supported in the current release. Static and connected routes configured on OSPF-enabled interfaces
on the Firewall Services Module can also be redistributed into the OSPF process. For further information
on how to configure OSPF redistribution on the Firewall Services Module, refer to the “Configuring IP
Routing Protocol-Independent Features” section in the Cisco IOS IP and IP Routing Configuration
Guide.
OSPF is not supported in topologies where the same router or networks are connected to two different
interfaces of the Firewall Services Module. OSPF does not handle the address translations configured
between interfaces. Care should be taken in the network design to not advertise private addresses into
the global networks. Use separate OSPF processes or use filtering mechanisms.

OSPF allows the module to maintain its own routing table. The OSPF protocol provides the following
features for the module:
• Support of intra-area, interarea, and external (type I and Type II) routes.
• Support of a virtual link being configured on or through the module.
• OSPF link-state advertisement (LSA) flooding.
• Authentication of OSPF packets (both simple password and MD5 authentication).
• Support for configuring the module as a designated router or a backup designated router. The
module also can be set up as an area border router, however, the ability to configure the module as
an autonomous system boundary router is limited to default information only (for example, injecting
a default route).
• Support for stub areas and not-so-stubby-area (NSSA).
• Area boundary router type-3 LSA filtering.
• Advertisement of static and global address translations.
This section describes how to use OSPF on the Firewall Services Module:
• Enabling OSPF, page 4-17
• Configuring OSPF Interface Parameters, page 4-17
• Configuring OSPF Area Parameters, page 4-18
• Configuring OSPF NSSA, page 4-19
• Configuring Route Summarization Between OSPF Areas, page 4-20
• Configuring Route Summarization when Redistributing Routes into OSPF, page 4-20
• Creating Virtual Links, page 4-21
• Generating a Default Route, page 4-21
• Changing the OSPF Administrative Distances, page 4-22
• Configuring Route Calculation Timers, page 4-22
• Logging Neighbors Going Up or Down, page 4-22
• Changing the LSA Group Pacing, page 4-23
• Blocking OSPF LSA Flooding, page 4-24
• Ignoring MOSPF LSA Packets, page 4-25
• Displaying OSPF Update Packet Pacing, page 4-26
• Area Border Router Type 3 LSA Filtering, page 4-26
• Monitoring and Maintaining OSPF, page 4-27

Enabling OSPF
As with other routing protocols, to enable OSPF you need to create an OSPF routing process, specify
the range of IP addresses to be associated with the routing process, and assign area IDs to be associated
with that range of IP addresses. To enable OSPF, perform this task, beginning in global configuration
mode:

        Command                                          Purpose
Step 1  FWSM(config)# router ospf process-id             Enables OSPF routing, which places you in router
                                                         configuration mode.
Step 2  FWSM(config-router)# network ip-address mask     Defines an interface on which OSPF runs and defines
        area area-id                                     the area ID for that interface.

This example shows how to enable OSPF:
FWSM(config)# router ospf 2
FWSM(config-router)# network 2.0.0.0 255.0.0.0 area 0

Configuring OSPF Interface Parameters
The Cisco OSPF implementation allows you to alter some interface-specific OSPF parameters as
necessary. You are not required to alter any of these parameters, but some interface parameters must be
consistent across all routers in an attached network. You configure the parameters by using the ospf
hello-interval, ospf dead-interval, and ospf authentication-key interface configuration commands. If you
do configure any of these parameters, be sure that the configurations for all routers on your network have
compatible values.
The ospf authentication-key command configures simple password authentication, in which the
password travels in cleartext in every OSPF packet on the segment. Where you need to keep a rogue
device from forming an adjacency with the module, use MD5 authentication (ospf message-digest-key
together with ospf authentication message-digest) and change the key on all routers on the segment
together.
To specify interface parameters for your network, perform this task in interface configuration mode:

         Command                                                   Purpose
Step 1   FWSM(config)# interface interface_name                    Specifies the OSPF interface.
Step 2   FWSM(config-interface)# ospf cost cost                    Explicitly specifies the cost of sending a packet on an
                                                                   OSPF interface.
Step 3   FWSM(config-interface)# ospf retransmit-interval          Specifies the number of seconds between link-state
         seconds                                                   advertisement (LSA) retransmissions for adjacencies
                                                                   belonging to an OSPF interface.
Step 4   FWSM(config-interface)# ospf transmit-delay seconds       Sets the estimated number of seconds required to send a
                                                                   link-state update packet on an OSPF interface.
Step 5   FWSM(config-interface)# ospf priority number-value        Sets the priority used to elect the OSPF designated
                                                                   router for a network.
Step 6   FWSM(config-interface)# ospf hello-interval seconds       Specifies the length of time between the hello packets
                                                                   that the module sends on an OSPF interface.
Step 7   FWSM(config-interface)# ospf dead-interval seconds        Sets the number of seconds that the module waits before
                                                                   it declares a neighbor OSPF router down because it has
                                                                   not received a hello packet.
Step 8   FWSM(config-interface)# ospf authentication-key key       Assigns the password used by neighboring OSPF routers on
                                                                   a network segment that uses OSPF simple password
                                                                   authentication. The password is carried in cleartext in
                                                                   every OSPF packet.
Step 9   FWSM(config-interface)# ospf message-digest-key key-id    Enables OSPF MD5 authentication. The key-id and key
         md5 key                                                   values must match the values configured on the other
                                                                   neighbors on the network segment.
Step 10  FWSM(config-interface)# ospf authentication               Specifies the authentication type for an interface.
         [message-digest | null]
Step 11  FWSM(config-interface)# show ip ospf                      Displays the OSPF configuration.

This example shows how to configure the OSPF interfaces:
FWSM(config)# router ospf 2
FWSM(config-router)# network 2.0.0.0 255.0.0.0 area 0
FWSM(config-router)# interface inside
FWSM(config-interface)# ospf cost 20
FWSM(config-interface)# ospf retransmit-interval 15
FWSM(config-interface)# ospf transmit-delay 10
FWSM(config-interface)# ospf priority 20
FWSM(config-interface)# ospf hello-interval 10
FWSM(config-interface)# ospf dead-interval 40
FWSM(config-interface)# ospf authentication-key cisco
FWSM(config-interface)# ospf message-digest-key 1 md5 cisco
FWSM(config-interface)# ospf authentication message-digest
FWSM(config-interface)# exit
FWSM(config)# show ip ospf
Routing Process "ospf 2" with ID 20.1.89.2 and Domain ID 0.0.0.2
Supports only single TOS(TOS0) routes
Supports opaque LSA
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 5. Checksum Sum 0x 26da6
Number of opaque AS LSA 0. Checksum Sum 0x 0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
Area BACKBONE(0)
Number of interfaces in this area is 1
Area has no authentication
SPF algorithm executed 2 times
Area ranges are
Number of LSA 5. Checksum Sum 0x 209a3
Number of opaque link LSA 0. Checksum Sum 0x 0
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
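Added example, not Cisco code: what the two authentication types configured in the example above put on the wire, built from RFC 2328 appendix D. The simple password of ospf authentication-key sits in the 64-bit authentication field of the OSPF header in cleartext; with ospf message-digest-key the authentication field carries the key ID, the digest length and a cryptographic sequence number, and a 16-byte MD5 digest of the packet followed by the key is appended after the packet. The router ID (20.1.89.2), key ID 1 and key "cisco" are taken from the example above; the hello contents are constructed, and the zero padding of keys shorter than 16 bytes is the usual implementation behaviour, assumed here for the module.

```python
# Added example (not Cisco code): how the two authentication types configured above
# look on the wire, per RFC 2328 appendix D. Simple password puts the key itself in the
# header; MD5 appends a digest of packet plus key, so a neighbour with a different
# key-id or key can neither produce nor verify it. Packet contents are constructed.
import hashlib
import hmac
import struct

OSPF_VERSION, OSPF_HELLO = 2, 1
AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def _pad_key(key):
    """Keys shorter than 16 bytes are zero padded before being appended to the packet
    (assumed here; this is what common implementations do)."""
    return key.encode()[:16].ljust(16, b"\0")


def hello_body(mask, hello_interval=10, dead_interval=40, priority=1, options=0x02):
    """Hello with no neighbours listed: mask, hello, options, priority, dead, DR, BDR."""
    return struct.pack("!4sHBBI4s4s", _ip(mask), hello_interval, options, priority,
                       dead_interval, b"\0" * 4, b"\0" * 4)


def _header(ptype, router_id, area_id, autype, auth_field, body_len, checksum=0):
    """24-byte OSPF header; the length field counts header and body, never the MD5 digest."""
    return struct.pack("!BBH4s4sHH8s", OSPF_VERSION, ptype, 24 + body_len, _ip(router_id),
                       _ip(area_id), checksum, autype, auth_field)


def _ip_checksum(data):
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def simple_auth_packet(router_id, area_id, body, password):
    """AuType 1: up to eight password bytes sit in the authentication field in cleartext
    (ospf authentication-key). The checksum excludes the 64-bit authentication field."""
    auth = password.encode()[:8].ljust(8, b"\0")
    pkt = _header(OSPF_HELLO, router_id, area_id, AUTH_SIMPLE, auth, len(body)) + body
    csum = _ip_checksum(pkt[:16] + pkt[24:])
    return _header(OSPF_HELLO, router_id, area_id, AUTH_SIMPLE, auth, len(body), csum) + body


def md5_auth_packet(router_id, area_id, body, key_id, key, seq):
    """AuType 2: the authentication field carries key id, digest length (16) and a
    cryptographic sequence number; the checksum is zero; MD5(packet || padded key) follows."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = _header(OSPF_HELLO, router_id, area_id, AUTH_MD5, auth, len(body)) + body
    return pkt + hashlib.md5(pkt + _pad_key(key)).digest()


def verify_md5_auth(frame, keys):
    """Receiver check. keys maps key-id to key, as configured with
    ospf message-digest-key <key-id> md5 <key>; any mismatch in id or key fails."""
    if len(frame) < 24 + 16:
        return False
    (length,), (autype,) = struct.unpack("!H", frame[2:4]), struct.unpack("!H", frame[14:16])
    key_id, digest_len = frame[18], frame[19]
    if autype != AUTH_MD5 or digest_len != 16 or len(frame) != length + 16:
        return False
    key = keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(frame[:length] + _pad_key(key)).digest()
    return hmac.compare_digest(expected, frame[length:])


if __name__ == "__main__":
    body = hello_body("255.255.255.0")
    plain = simple_auth_packet("20.1.89.2", "0.0.0.0", body, "cisco")
    signed = md5_auth_packet("20.1.89.2", "0.0.0.0", body, 1, "cisco", 1)
    print("password visible in simple-auth hello:", b"cisco" in plain)
    print("md5 hello verifies with key 1/cisco:", verify_md5_auth(signed, {1: "cisco"}))
    print("md5 hello verifies with key 1/other:", verify_md5_auth(signed, {1: "other"}))
```

The receiver looks the key up by the key ID carried in the packet, which is why key-id and key must match on every router on the segment; the cryptographic sequence number is what protects an MD5-authenticated segment against replay of captured packets, so a receiver should also reject a packet whose sequence number is lower than the last one accepted from that neighbour.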

Configuring OSPF Area Parameters
You can configure several area parameters using Cisco OSPF software. These area parameters (shown
in the following task table) include authentication, defining stub areas, and assigning specific costs to
the default summary route. Authentication provides password-based protection against unauthorized
access to an area.
Stub areas are areas into which information on external routes is not sent. Instead, the area border
router generates a default external route into the stub area for destinations outside the autonomous
system. To take advantage of the OSPF stub area support, default routing must be used in the stub area.
To further reduce the number of LSAs sent into a stub area, you can configure the no-summary keyword
of the area stub router configuration command on the area border router to prevent it from sending
summary link advertisements (type 3 LSAs) into the stub area.
To specify an area parameter for your network, perform this task in router configuration mode:

        Command                                              Purpose
Step 1  FWSM(config-router)# area area-id authentication     Enables authentication for an OSPF area.
Step 2  FWSM(config-router)# area area-id authentication     Enables MD5 authentication for an OSPF area.
        message-digest
Step 3  FWSM(config-router)# area area-id stub [no-summary]  Defines an area to be a stub area.
Step 4  FWSM(config-router)# area area-id default-cost cost  Assigns a specific cost to the default summary route used
                                                             for the stub area.

This example shows how to configure the OSPF area parameters:
FWSM(config)# router ospf 2
FWSM(config-router)# area 0 authentication
FWSM(config-router)# area 0 authentication message-digest
FWSM(config-router)# area 17 stub
FWSM(config-router)# area 17 default-cost 20

Configuring OSPF NSSA
The OSPF implementation of NSSA is similar to an OSPF stub area. An NSSA does not flood type 5
external LSAs from the core into the area, but it can import autonomous system external routes into the
area in a limited way.
NSSA imports type 7 autonomous system external routes within an NSSA area by redistribution. These
type 7 LSAs are translated into type 5 LSAs by NSSA area border routers and flooded throughout the
whole routing domain. Summarization and filtering are supported during the translation.
NSSA simplifies administration for an Internet service provider (ISP) or a network administrator who
must connect a central site using OSPF to a remote site that is using a different routing protocol.
Before the implementation of NSSA, the connection between the corporate site border router and the
remote router could not be run as an OSPF stub area because routes for the remote site could not be
redistributed into a stub area, so two routing protocols had to be maintained. A simple protocol such
as RIP was usually run and handled the redistribution. With NSSA, you can extend OSPF to cover the
remote connection by defining the area between the corporate router and the remote router as an NSSA.
To specify area parameters as needed to configure OSPF NSSA, perform this task in router configuration
mode:

Command                                                 Purpose
FWSM(config-router)# area area-id nssa                  Defines an NSSA area.
[no-redistribution] [default-information-originate]

This example shows how to define an NSSA area:
FWSM(config-router)# area 17 nssa

To control summarization and filtering of type 7 LSAs into type 5 LSAs, perform this task in router
configuration mode on the area border router:

Command                                               Purpose
FWSM(config-router)# summary-address prefix mask      Controls the summarization and filtering during the
[not-advertise] [tag tag]                             translation.

This example shows how to control summarization and filtering:
FWSM(config-router)# summary-address 12.1.0.0 255.255.0.0

Before you use this feature, consider these guidelines:
• You can set a type 7 default route that can be used to reach external destinations. When configured
with the default-information-originate keyword, a type 7 default route is generated into the NSSA
(by the module or by the NSSA area border router).
• Every router within the same area must agree that the area is an NSSA; otherwise, the routers will
not be able to communicate.

Configuring Route Summarization Between OSPF Areas
Route summarization is the consolidation of advertised addresses. This feature causes a single summary
route to be advertised to other areas by an area border router. In OSPF, an area border router will
advertise networks in one area into another area. If the network numbers in an area are assigned in a way
such that they are contiguous, you can configure the area border router to advertise a summary route
that covers all the individual networks within the area that fall into the specified range.
To specify an address range, perform this task in router configuration mode:

Command: FWSM(config-router)# area area-id range ip-address mask [advertise | not-advertise]
Purpose: Specifies an address range for which a single route will be advertised.

This example shows how to configure route summarization between OSPF areas:
FWSM(config-router)# area 17 range 12.1.0.0 255.255.0.0

Configuring Route Summarization when Redistributing Routes into OSPF


When routes from other protocols are redistributed into OSPF, each route is advertised individually in
an external LSA. However, you can configure the Cisco IOS software to advertise a single route for all
the redistributed routes that are covered by a specified network address and mask. This configuration
decreases the size of the OSPF link-state database.
To configure the software to advertise one summary route for all redistributed routes covered by a
network address and mask, perform this task in router configuration mode:

Command: FWSM(config-router)# summary-address {{ip-address mask} | {prefix mask}} [not-advertise] [tag tag]
Purpose: Specifies an address and mask that covers redistributed routes, so that only one summary route is
advertised. Use the optional not-advertise keyword to filter out a set of routes.


This example shows how to configure route summarization when redistributing routes into OSPF:
FWSM(config-router)# summary-address 12.1.0.0 255.255.0.0

Creating Virtual Links


With OSPF all areas must be connected to a backbone area. If there is a break in backbone continuity,
or the backbone is purposefully partitioned, you can establish a virtual link. The two end points of a
virtual link are area border routers. The virtual link must be configured in both routers. The configuration
information in each router consists of the other virtual end point (the other area border router) and the
nonbackbone area that the two routers have in common (called the transit area). Virtual links cannot be
configured through stub areas.
To establish a virtual link, perform this task in router configuration mode:

Command: FWSM(config-router)# area area-id virtual-link router-id [authentication [message-digest | null]]
[hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds]
[[authentication-key key] | [message-digest-key key-id md5 key]]
Purpose: Establishes a virtual link.

This example shows how to create virtual links:


FWSM(config-router)# area 16 virtual-link 1.1.1.1

To display information about virtual links, use the show ip ospf virtual-links EXEC command.
To display the router ID of an OSPF router, use the show ip ospf EXEC command.

Generating a Default Route


You can force an autonomous system boundary router to generate a default route into an OSPF routing
domain. Whenever you specifically configure redistribution of routes into an OSPF routing domain, the
router automatically becomes an autonomous system boundary router. However, an autonomous system
boundary router does not by default generate a default route into the OSPF routing domain.
To force the autonomous system boundary router to generate a default route, perform this task in router
configuration mode:

Command: FWSM(config-router)# default-information originate [always] [metric metric-value]
[metric-type type-value] [route-map map-name]
Purpose: Forces the autonomous system boundary router to generate a default route into the OSPF routing
domain.

This example shows how to generate a default route:


FWSM(config-router)# default-information originate always


Changing the OSPF Administrative Distances


An administrative distance is a rating of the trustworthiness of a routing information source, such as an
individual router or a group of routers. Numerically, an administrative distance is an integer from 0 to
255. In general, the higher the value, the lower the trust rating. An administrative distance of 255 means
the routing information source cannot be trusted and should be ignored.
OSPF uses three different administrative distances: intra-area, interarea, and external. Routes within an
area are intra-area; routes to another area are interarea; and routes from another routing domain learned
through redistribution are external. The default distance for each type of route is 110.
To change any of the OSPF distance values, perform this task in router configuration mode:

Command: FWSM(config-router)# distance ospf {[intra-area dist1] [inter-area dist2] [external dist3]}
Purpose: Changes the OSPF distance values.

This example shows how to change the OSPF administrative distance:


FWSM(config-router)# distance ospf intra-area 90 inter-area 95 external 100

Configuring Route Calculation Timers


You can configure the delay time between when OSPF receives a topology change and when it starts a
shortest path first (SPF) calculation. You also can configure the hold time between two consecutive SPF
calculations. To configure the route calculation time, perform this task in router configuration mode:

Command: FWSM(config-router)# timers spf spf-delay spf-holdtime
Purpose: Configures route calculation timers.

This example shows how to configure route calculation timers:


FWSM(config-router)# timers spf 10 120

Logging Neighbors Going Up or Down


By default, the system sends a syslog message when an OSPF neighbor goes up or down.
Configure this command if you want to know about OSPF neighbors going up or down without turning
on the debug ip ospf adjacency EXEC command. The log-adj-changes router configuration command
provides a higher level view of the peer relationship with less output. Configure log-adj-changes detail
if you want to see messages for each state change.
If you turned off this feature and want to restore it, perform this task in router configuration mode:

Command: FWSM(config-router)# log-adj-changes [detail]
Purpose: Sends a syslog message when an OSPF neighbor goes up or down.


This example shows how to log neighbors:


FWSM(config-router)# log-adj-changes detail

Changing the LSA Group Pacing


The OSPF LSA group pacing feature allows the router to group OSPF LSAs and pace the refreshing,
checksumming, and aging functions. Group pacing results in more efficient use of the router.
The router groups OSPF LSAs and paces these functions so that sudden increases in CPU usage and
network resources are avoided. This feature is most beneficial to large OSPF networks.
OSPF LSA group pacing is enabled by default. The default group pacing interval for refreshing,
checksumming, and aging usually is appropriate, and you need not configure this feature.

Original LSA Behavior


Each OSPF LSA has an age, which indicates whether the LSA is still valid. When the LSA reaches the
maximum age (1 hour), it is discarded. During the aging process, the originating router sends a refresh
packet every 30 minutes to refresh the LSA. Refresh packets are sent to keep the LSA from expiring,
whether or not there has been a change in the network topology. Checksumming is performed on all
LSAs every 10 minutes. The router keeps track of LSAs it generates and LSAs it receives from other
routers. The router refreshes LSAs it generated; it ages the LSAs it received from other routers.
Before the LSA group pacing feature was introduced, the Cisco IOS software would perform refreshing
on a single timer, and check summing and aging on another timer. In the case of refreshing, for example,
the software would scan the whole database every 30 minutes, refreshing every LSA the router
generated, regardless of how old it was.
Figure 4-3 shows all the LSAs being refreshed at the same time. This process wasted CPU resources
because only a small portion of the database needed to be refreshed. A large OSPF database (several
thousand LSAs) might have thousands of LSAs with different ages. Refreshing on a single timer resulted
in the age of all LSAs becoming synchronized, which resulted in increased CPU processing at once. A
large number of LSAs might cause a sudden increase of network traffic, consuming a large amount of
network resources in a short period of time.

Figure 4-3 OSPF LSAs on a Single Timer Without Group Pacing

[Figure: prior to pacing, all LSAs are refreshed at once on a single 30-minute timer; 120 external LSAs on
Ethernet need three packets.]

LSA Group Pacing with Multiple Timers


This problem is solved by configuring each LSA to have its own timer. Each LSA gets refreshed when
it is 30 minutes old, independent of other LSAs, so the CPU is used only when necessary. However, LSAs
being refreshed at frequent, random intervals would require many packets for the few refreshed LSAs
the router must send out, which would be inefficient use of bandwidth.


Therefore, the router delays the LSA refresh function for an interval of time instead of performing it
when the individual timers are reached. The accumulated LSAs constitute a group, which is then
refreshed and sent out in one or more packets. The refresh packets are paced, as are the checksumming
and aging. The pacing interval is configurable; it defaults to 4 minutes, which is randomized to further
avoid synchronization.
Figure 4-4 shows refresh packets. The first timeline shows individual LSA timers; the second timeline
shows individual LSA timers with group pacing.

Figure 4-4 OSPF LSAs on Individual Timers with Group Pacing

[Figure: the first timeline (individual LSA timers) shows that without group pacing LSAs are refreshed
frequently and at random intervals, so many refresh packets are needed, each containing few LSAs. The
second timeline (individual LSA timers with group pacing) shows refreshes batched every 4 minutes, for
example 20 LSAs, 37 LSAs and 15 LSAs sent in one packet each.]

The group pacing interval is inversely proportional to the number of LSAs the router is refreshing,
checksumming, and aging. For example, if you have approximately 10,000 LSAs, decreasing the pacing
interval would benefit you. If you have a very small database (40 to 100 LSAs), increasing the pacing
interval to 10 to 20 minutes might benefit you slightly.
The default value of pacing between LSA groups is 240 seconds (4 minutes). The range is from 10
seconds to 1800 seconds (30 minutes). To change the LSA group pacing interval, perform this task in
router configuration mode:

Command: FWSM(config-router)# timers lsa-group-pacing seconds
Purpose: Changes the group pacing of LSAs.

The following example changes the OSPF pacing between LSA groups to 280 seconds:
FWSM(config-router)# timers lsa-group-pacing 280
FWSM(config-router)# interface inside

Blocking OSPF LSA Flooding


By default, OSPF floods new LSAs over all interfaces in the same area, except the interface on which
the LSA arrives. Some redundancy is desirable, because it ensures substantial flooding. However, too
much redundancy can waste bandwidth and might destabilize the network due to excessive link and CPU
usage in certain topologies, such as a fully meshed topology.


You can block OSPF flooding of LSAs two ways, depending on the type of networks:
• On broadcast, nonbroadcast, and point-to-point networks, you can block flooding over specified
OSPF interfaces.
• On point-to-multipoint networks, you can block flooding to a specified neighbor.
On broadcast, nonbroadcast, and point-to-point networks, to prevent flooding of OSPF LSAs, perform
this task in interface configuration mode:

Command: FWSM(config-if)# ospf database-filter all out
Purpose: Blocks the flooding of OSPF LSA packets to the interface.

On point-to-multipoint networks, to prevent flooding of OSPF LSAs, perform this task in router
configuration mode:

Command: FWSM(config-router)# neighbor ip-address database-filter all out
Purpose: Blocks the flooding of OSPF LSA packets to the specified neighbor.

Ignoring MOSPF LSA Packets


Cisco routers do not support LSA type 6 Multicast OSPF (MOSPF). If the routers receive these packets,
they generate syslog messages. If the router is receiving many MOSPF packets, you might want to
configure the router to ignore the packets, which prevents a large number of syslog messages. To
configure the router to ignore these packets, perform this task in router configuration mode:

Command: FWSM(config-router)# ignore lsa mospf
Purpose: Prevents the router from generating syslog messages when it receives MOSPF LSA packets.

The following example shows how to prevent flooding of OSPF LSAs to broadcast, nonbroadcast, or
point-to-point networks reachable through Ethernet interface 0:
FWSM(config)# router ospf 2
FWSM(config-router)# ignore lsa mospf
FWSM(config-router)# interface inside
FWSM(config-if)# ospf database-filter all out
FWSM(config-if)# exit
FWSM(config)# exit
FWSM# show ip ospf flood-list inside

Interface inside, Queue length 0

The following example shows how to prevent flooding of OSPF LSAs to point-to-multipoint networks
to the neighbor at IP address 1.2.3.4:
FWSM(config)# router ospf 109
FWSM(config-router)# neighbor 1.2.3.4 database-filter all out


Displaying OSPF Update Packet Pacing


The former OSPF implementation for sending update packets was not efficient. Some update packets
were getting lost in situations where the link was slow, a neighbor could not receive the updates quickly
enough, or the router was out of buffer space. For example, packets might be dropped if either of the
following topologies existed:
• A fast router was connected to a slower router over a point-to-point link.
• During flooding, several neighbors sent updates to a single router at the same time.
OSPF update packets are now automatically paced so they are not sent less than 33 milliseconds apart.
Pacing is also added between resends to increase efficiency and minimize lost retransmissions. You also
can display the LSAs waiting to be sent out an interface. The benefit of the pacing is that OSPF update
and retransmission packets are sent more efficiently.
There are no configuration tasks for this feature; it occurs automatically. To observe OSPF packet pacing
by displaying a list of LSAs waiting to be flooded over a specified interface, perform this task in EXEC
mode:

Command: Router# show ip ospf flood-list interface-type interface-number
Purpose: Displays a list of LSAs waiting to be flooded over an interface.

Area Border Router Type 3 LSA Filtering


The area border router Type 3 LSA filtering feature extends the capability of an area border router that
is running the OSPF protocol to filter type 3 LSAs between different OSPF areas. This feature allows
only specified prefixes to be sent from one area to another area and restricts all other prefixes. This type
of area filtering can be applied out of a specific OSPF area, into a specific OSPF area, or into and out of
the same OSPF areas at the same time. This feature is supported by the addition of the area filter-list
command.
The OSPF ABR Type 3 LSA filtering feature provides improved control of route distribution between
OSPF areas.
Only Type 3 LSAs that originate from an area border router are filtered.

Configuring ABR Type 3 LSA Filtering


To filter interarea routes into a specified area, perform this task beginning in router configuration mode:

Step 1  FWSM(config)# router ospf process-id
        Enables OSPF routing, which places you in router configuration mode.
Step 2  FWSM(config-router)# area area-id filter-list prefix name in
        Configures the router to filter interarea routes into the specified area.
Step 3  FWSM(config-router)# ip prefix-list list-name [seq seq-value] deny | permit network/len
        [ge ge-value] [le le-value]
        Creates a prefix list with the name specified for the list-name argument.


To filter interarea routes out of a specified area, perform the following task beginning in router
configuration mode:

Step 1  FWSM(config)# router ospf process-id
        Enables OSPF routing, which places you in router configuration mode.
Step 2  FWSM(config-router)# area area-id filter-list prefix name out
        Configures the router to filter interarea routes out of the specified area.
Step 3  FWSM(config-router)# ip prefix-list name [seq seq-value] deny | permit network/len
        [ge ge-value] [le le-value]
        Creates a prefix list with the name specified for the list-name argument.
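The two tasks above (filtering into an area, then out of it) combined into one configuration, as an added example that is not from the Cisco document. It assumes OSPF process 1 on a module that is the area border router between area 0 and area 1, area 1 addressed from 10.1.0.0/16 with a management subnet 10.1.99.0/24 that must stay inside area 1, and the prefix-list names AREA1_IN and AREA1_OUT; lines beginning with ! are commentary, not commands.

```cisco
! Added example; process number, areas, prefixes and list names are assumed.
FWSM(config)# router ospf 1
! Step 2 (in): type 3 LSAs entering area 1 are checked against AREA1_IN.
FWSM(config-router)# area 1 filter-list prefix AREA1_IN in
! Step 2 (out): type 3 LSAs this ABR originates from area 1 into other areas
! are checked against AREA1_OUT.
FWSM(config-router)# area 1 filter-list prefix AREA1_OUT out
! Step 3: AREA1_IN admits only corporate 10.0.0.0/8 summaries no longer than
! /24 into area 1. A prefix list ends in an implicit deny; the explicit
! deny 0.0.0.0/0 le 32 only makes that behaviour visible in the configuration.
FWSM(config-router)# ip prefix-list AREA1_IN seq 10 permit 10.0.0.0/8 le 24
FWSM(config-router)# ip prefix-list AREA1_IN seq 20 deny 0.0.0.0/0 le 32
! Step 3: AREA1_OUT keeps the management subnet from being advertised out of
! area 1. Entries are evaluated in sequence order, so the specific deny must
! precede the broader permit.
FWSM(config-router)# ip prefix-list AREA1_OUT seq 10 deny 10.1.99.0/24
FWSM(config-router)# ip prefix-list AREA1_OUT seq 20 permit 10.1.0.0/16 le 24
FWSM(config-router)# exit
! Verify: 10.1.99.0/24 must not appear among the summary (type 3) LSAs in the
! area 0 database (show command syntax from the monitoring table below).
FWSM# show ip ospf 1 0 database summary
```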

Monitoring and Maintaining OSPF


You can display specific statistics such as the contents of IP routing tables, caches, and databases.
Information provided can be used to determine resource utilization and solve network problems. You can
also display information about node reachability and discover the routing path that your device packets
are taking through the network.
To display various routing statistics, perform one of these tasks in EXEC mode, as needed:

Command: FWSM# show ip ospf [process-id]
Purpose: Displays general information about OSPF routing processes.

Command: FWSM# show ip ospf border-routers
Purpose: Displays the internal OSPF routing table entries to the area border router and autonomous system
border router.

Command: FWSM# show ip ospf [process-id [area-id]] database
FWSM# show ip ospf [process-id [area-id]] database [database-summary]
FWSM# show ip ospf [process-id [area-id]] database [router] [self-originate]
FWSM# show ip ospf [process-id [area-id]] database [router] [adv-router [ip-address]]
FWSM# show ip ospf [process-id [area-id]] database [router] [link-state-id]
FWSM# show ip ospf [process-id [area-id]] database [network] [link-state-id]
FWSM# show ip ospf [process-id [area-id]] database [summary] [link-state-id]
FWSM# show ip ospf [process-id [area-id]] database [asbr-summary] [link-state-id]
FWSM# show ip ospf [process-id [area-id]] database [external] [link-state-id]
FWSM# show ip ospf [process-id [area-id]] database [nssa-external] [link-state-id]
FWSM# show ip ospf [process-id [area-id]] database [opaque-link] [link-state-id]
FWSM# show ip ospf [process-id [area-id]] database [opaque-area] [link-state-id]
FWSM# show ip ospf [process-id [area-id]] database [opaque-as] [link-state-id]
Purpose: Displays lists of information related to the OSPF database.

Command: FWSM# show ip ospf flood-list interface interface-type
Purpose: Displays a list of LSAs waiting to be flooded over an interface (to observe OSPF packet pacing).

Command: FWSM# show ip ospf interface [interface-type interface-number]
Purpose: Displays OSPF-related interface information.

Command: FWSM# show ip ospf neighbor [interface-name] [neighbor-id] detail
Purpose: Displays OSPF neighbor information on a per-interface basis.

Command: FWSM# show ip ospf request-list [neighbor] [interface] [interface-neighbor]
Purpose: Displays a list of all LSAs requested by a router.

Command: FWSM# show ip ospf retransmission-list [neighbor] [interface] [interface-neighbor]
Purpose: Displays a list of all LSAs waiting to be resent.

Command: FWSM# show ip ospf [process-id] summary-address
Purpose: Displays a list of all summary address redistribution information configured under an OSPF
process.

Command: FWSM# show ip ospf virtual-links
Purpose: Displays OSPF-related virtual links information.

To restart an OSPF process, perform this task in configuration mode:

Command: FWSM(config)# clear ip ospf pid {process | redistribution | counters [neighbor
[neighbor-interface] [neighbor-id]]}
Purpose: Clears redistribution based on the OSPF routing process ID.

Configuring IPSec for Management


Internet Protocol Security (IPSec) provides security for transmission of sensitive information over
unprotected networks such as the Internet. IPSec operates at the network layer, protecting and
authenticating IP packets between participating IPSec devices (peers), such as Firewall Services
Modules.
IPSec provides the following optional network security services. A local security policy determines the
use of one or more of these services:
• Data Confidentiality—The IPSec sender can encrypt packets before transmitting them across a
network.
• Data Integrity—The IPSec receiver can authenticate packets sent by the IPSec sender to ensure that
the data has not been altered during transmission.
• Data Origin Authentication—The IPSec receiver can authenticate the source of the IPSec packets
sent. This service is dependent upon the data integrity service.
• Anti-Replay—The IPSec receiver can detect and reject replayed packets.

Note The term data authentication indicates data-integrity and data-origin authentication. Within this
document, the term also includes antireplay services, unless otherwise specified.

IPSec provides controlled tunnels between two peers, such as two Firewall Services Modules. These
tunnels are sets of security associations that are established between two remote IPSec peers (modules).
You define which packets are considered sensitive and should be sent through these controlled tunnels,
and you define the parameters that should be used to protect these sensitive packets by specifying the
characteristics of these tunnels. When the IPSec peer sees a sensitive packet, it sets up the appropriate
controlled tunnel and sends the packet through the tunnel to the remote peer.
For detailed information about IPSec, refer to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/ipsec/index.htm
The following steps describe a minimal IPSec configuration where the IPSec security associations are
established through Internet Key Exchange (IKE).
To configure IPSec with IKE for the module, perform this task:

Step 1  FWSM(config)# access-list access-list-module {deny | permit} ip source source-netmask
        destination destination-netmask
        Creates an access list to define the traffic to protect.
Step 2  FWSM(config)# crypto ipsec transform-set transform-set-module transform1 [transform2, transform3]
        Configures a transform set that defines how the traffic will be protected. You can configure
        multiple transform sets, and then specify one or more of these transform sets in a crypto map
        entry in Step 6.
Step 3  FWSM(config)# crypto map map-module seq-num ipsec-isakmp
        Creates a crypto map entry in IPSec ISAKMP mode.
Step 4  FWSM(config)# crypto map map-module seq-num match address access-list-module
        Assigns an access list to a crypto map entry.
Step 5  FWSM(config)# crypto map map-module seq-num set peer ip-address
        Specifies the peer to which the IPSec-protected traffic can be forwarded. The security
        association is set up with the peer having an IP address of 192.168.1.100. Specify multiple
        peers by repeating this command.
Step 6  FWSM(config)# crypto map map-module seq-num set transform-set transform-set-module1
        [transform-set-module2, transform-set-module6]
        Specifies which transform sets are allowed for this crypto map entry. Lists multiple transform
        sets in order of priority (highest priority first). You can specify up to six transform sets.
Step 7  FWSM(config)# crypto map map-module seq-num set security-association lifetime
        {seconds seconds | kilobytes kilobytes}
        (Optional) Specifies a security association lifetime for the crypto map entry, if you want the
        security associations for this entry to be negotiated using IPSec security association
        lifetimes other than the global lifetimes.
Step 8  FWSM(config)# crypto map map-module seq-num set pfs [group1 | group2]
        (Optional) Specifies that IPSec should require perfect forward secrecy (PFS) when requesting
        new security associations for this crypto map entry, or should require PFS in requests received
        from the peer.
Step 9  FWSM(config)# crypto dynamic-map dynamic-map-module dynamic-seq-num match address
        access-list-module
        (Optional) Assigns an access list to a dynamic crypto map entry, which determines which traffic
        should be protected and which traffic should not be protected.
Step 10 FWSM(config)# crypto dynamic-map dynamic-map-module dynamic-seq-num set peer ip-address
        (Optional) Specifies the peer to which the IPSec-protected traffic can be forwarded. This is
        rarely configured in dynamic crypto map entries because dynamic crypto map entries are often
        used for unknown peers.
Step 11 FWSM(config)# crypto dynamic-map dynamic-map-module dynamic-seq-num set transform-set
        transform-set-module1, [transform-set-module2, transform-set-module9]
        Specifies which transform sets are allowed for this dynamic crypto map entry. Lists multiple
        transform sets in order of priority (highest priority first).
Step 12 FWSM(config)# crypto dynamic-map dynamic-map-module dynamic-seq-num set
        security-association lifetime {seconds seconds | kilobytes kilobytes}
        (Optional) Specifies a security association lifetime for the dynamic crypto map entry, if you
        want the security associations for this entry to be negotiated using IPSec security association
        lifetimes other than the global lifetimes.
Step 13 FWSM(config)# crypto dynamic-map dynamic-map-module dynamic-seq-num set pfs [group1 | group2]
        (Optional) Specifies that IPSec should request PFS when requesting new security associations
        for this dynamic crypto map entry, or should demand PFS in requests received from the peer.
Step 14 FWSM(config)# crypto map map-module seq-num ipsec-isakmp dynamic dynamic-map-module
        Adds the dynamic crypto map set into a static crypto map set. Be sure to set the crypto map
        entries referencing dynamic maps to be the lowest-priority entries (highest sequence numbers)
        in a crypto map set.
Step 15 FWSM(config)# crypto map map-module interface interface-module
        Applies a crypto map set to an interface on which the IPSec traffic will be evaluated.
Step 16 FWSM(config)# sysopt connection permit-ipsec
        Specifies that IPSec traffic be implicitly trusted (permitted).

In the Firewall Services Module, VPN and IPSec are available only for management purposes. You
cannot establish IPSec tunnels across the firewall; any tunnel initiated by a VPN client on another switch
should terminate at the Firewall Services Module. The CLI commands you use to configure IPSec for
management have not changed from PIX except for those listed in Table A-6 on page A-5. Refer to the
PIX documentation for details about configuring IPSec.
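Steps 1 through 16 combined into one static crypto map that protects management traffic between the module and a single management station, as an added example that is not from the Cisco document. It assumes the module's outside interface address is 10.10.10.1, the management station and IPSec peer is 192.168.1.100, the names mgmt_acl, mgmt_ts and mgmt_map, and that the IKE phase-1 settings it opens with (isakmp commands, which the table above does not list) follow the PIX syntax the section refers to; lines beginning with ! are commentary, not commands.

```cisco
! Added example; addresses, names and the preshared-key placeholder are assumed.
! IKE phase 1, not part of the table above: preshared-key authentication with
! the single peer, 3DES encryption, SHA-1 hash, Diffie-Hellman group 2.
FWSM(config)# isakmp enable outside
FWSM(config)# isakmp key <PRESHARED-KEY-PLACEHOLDER> address 192.168.1.100 netmask 255.255.255.255
FWSM(config)# isakmp policy 10 authentication pre-share
FWSM(config)# isakmp policy 10 encryption 3des
FWSM(config)# isakmp policy 10 hash sha
FWSM(config)# isakmp policy 10 group 2
! Step 1: only traffic between the module and the management station is
! protected. Keep this list narrow: Step 16 lets traffic that arrives inside
! the tunnel bypass the interface access lists.
FWSM(config)# access-list mgmt_acl permit ip host 10.10.10.1 host 192.168.1.100
! Step 2: ESP with 3DES for confidentiality and SHA-1 HMAC for data integrity
! and origin authentication (the services listed at the start of this section).
FWSM(config)# crypto ipsec transform-set mgmt_ts esp-3des esp-sha-hmac
! Steps 3 to 6: one static crypto map entry, sequence number 10.
FWSM(config)# crypto map mgmt_map 10 ipsec-isakmp
FWSM(config)# crypto map mgmt_map 10 match address mgmt_acl
FWSM(config)# crypto map mgmt_map 10 set peer 192.168.1.100
FWSM(config)# crypto map mgmt_map 10 set transform-set mgmt_ts
! Step 7 (optional): rekey this entry every 30 minutes instead of using the
! global lifetime.
FWSM(config)# crypto map mgmt_map 10 set security-association lifetime seconds 1800
! Step 8 (optional): require a fresh Diffie-Hellman exchange on every rekey.
FWSM(config)# crypto map mgmt_map 10 set pfs group2
! Steps 9 to 14 (dynamic crypto map) are omitted: the peer is known, so no
! dynamic entry is needed.
! Step 15: evaluate IPSec on the interface that faces the management station.
FWSM(config)# crypto map mgmt_map interface outside
! Step 16: permit the IPSec-protected management traffic.
FWSM(config)# sysopt connection permit-ipsec
```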

Chapter 5
Administering the Firewall Services Module

This chapter describes how to administer the Firewall Services Module and contains these sections:
• Administering the Software Images, page 5-1
• Changing and Recovering Passwords, page 5-11
• Resetting the Firewall Services Module, page 5-14
• Troubleshooting the Firewall Services Module, page 5-16

Administering the Software Images


Five partitions on the compact Flash contain the following information:
• Maintenance partition (MP) (cf:1) contains the maintenance image. You use the maintenance
partition to upgrade or install all application images, reset the application image password, and
display the crash dump information.
• Network configuration partition (cf:2) contains the network configuration of the maintenance
image.
• Crash dump partition (cf:3) is used to store the crash dump information.
• Application partitions (APs) (cf:4 and cf:5) store the firewall image and configuration.
You can have two application images stored in Flash: one in partition 4 and one in partition 5.
Depending on which partition you want to boot, you can use cf:4 or cf:5 in the boot device
module module_number partition_number command. For example:
Router(config)# boot device module 3 cf:5
Router(config)# boot device module 4 cf:4

The configuration related to that image is stored in the same partition as the image.
If the module’s application partition gets corrupted, the maintenance partition can be used to recover
the application configuration. The network configuration partition stores the network parameters for
the maintenance partition.
When the application image fails, a log is created in the crash dump partition, which contains all
failure-related information. You can use this log later for debugging using the show crashdump CLI
command from both the maintenance partition and the application partition, if the application
partition recovers without a problem on restart.
You can also upgrade the application from the maintenance partition. You can clear the enable
password for the module from the maintenance partition CLI.


This section contains the various administrative tasks you can perform using the software images:
• Quick Software Upgrade, page 5-2
• Logging into the Application Software, page 5-3
• Logging into the Maintenance Software, page 5-3
• Upgrading Software Images, page 5-5

Quick Software Upgrade

Caution Upgrading the software image is a disaster recovery process. The procedure erases the flash or nvram of
the firewall services module. Ensure that your configuration has been backed up so that you can restore
it after the software upgrade.

To quickly upgrade the Firewall Services Module software image, follow these steps:

Step 1 Make the new software image available on a TFTP server, or make the MSFC a TFTP server by using
this command:
msfc(config)# tftp-server bootflash:image name

Step 2 If the MSFC is the TFTP server, make sure you have a VLAN interface on the MSFC reachable from the
module. For example:
a. On the MSFC, enter these commands:
router(config)# interface Vlan30
router(config-if)# description to_fwsm_vlan_30
router(config-if)# ip address 10.20.30.2 255.255.255.0
router(config-if)# no ip redirects

b. On the module, enter these commands:


nameif vlan30 inside security100
...
ip address inside 10.20.30.5 255.255.255.0

c. From the module make sure that you can ping the MSFC, by entering this command:
FWSM# ping 10.20.30.2
10.20.30.2 response received -- 0ms
10.20.30.2 response received -- 0ms
10.20.30.2 response received -- 0ms

Step 3 From the module enter the copy tftp flash command:
FWSM# copy tftp flash
Address or name of remote host [127.0.0.1]? 10.20.30.2
Source file name [cdisk]? c6svc-fwm-k9.1-1-0-207.bin
copying tftp://10.20.30.2/c6svc-fwm-k9.1-1-0-207.bin to flash:image
[yes|no|again]?yes

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

The output shows the MSFC as the TFTP server.


Step 4 Reload the module by entering this command:
FWSM# reload


Proceed with reload? [confirm]

Logging into the Application Software


The application software has one user level. Use the enable command in the EXEC mode to log into the
application partition.
Refer to the “Changing and Recovering Passwords” section on page 5-11 if you need to change or
recover passwords.
To log into the Firewall Services Module, follow these steps:

Step 1 Log into the Catalyst 6500 series switch using the Telnet connection or the console port connection.
Step 2 At the CLI prompt, establish a console session with the module using the session slot slot_number
processor 1 command:
Cisco IOS:
Router# session slot 8 processor 1
The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote
prompt to end the session Trying 127.0.0.81 ... Open
Cisco Maintenance image

Catalyst Operating System:


Console> session 8
The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote
prompt to end the session Trying 127.0.0.81 ... Open
Cisco Maintenance image

Step 3 If the module does not boot into the application partition, reset the module with the following command:
Cisco IOS:
Router# hw-module module slot_number reset cf:4

Catalyst Operating System:


Console(enable)> reset module-number [boot device:partition]
Console(enable)> reboot

Logging into the Maintenance Software


The maintenance software has two user levels with different access privileges:
• root—Allows you to configure the network partition parameters, upgrade the software images on
the application partitions, change the guest account password, and enable or disable the guest
account.
The default password is cisco.
• guest— Allows you to configure the network partition parameters and show crash dump
information.

The default password is cisco.


Refer to the “Changing and Recovering Passwords” section on page 5-11 if you need to change or
recover passwords.


To log into the Firewall Services Module maintenance partition, follow these steps:

Step 1 Log into the Catalyst 6500 series switch using the Telnet connection or the console port connection.
Step 2 At the CLI prompt, establish a console session with the module using the Cisco IOS session slot
slot_number processor 1 command or the Catalyst operating system session mod command.
Cisco IOS:
Router# session slot 8 processor 1
The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote
prompt to end the session Trying 127.0.0.81 ... Open
Cisco Maintenance image

Catalyst Operating System:


Console> session 8
The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote
prompt to end the session Trying 127.0.0.81 ... Open
Cisco Maintenance image

Step 3 At the Maintenance software login prompt, enter root to log in as the root user or guest to log in as a
guest user.
login: root

Step 4 At the password prompt, enter the password for the account. The default password for both accounts is
cisco.
Password:

After a successful login, the command line prompt appears as follows:


Maintenance image version: 1.1(0.3)
root@localhost#

Step 5 If the module does not boot into the maintenance partition, reset the module with the following
commands:
Cisco IOS:
Router# hw-module module slot_number reset cf:1

Catalyst Operating System:


Console(enable)> reset module-number [boot device:partition]
Console(enable)> reboot

Upgrading Software Images


You can upgrade both the application software and the maintenance software. To upgrade the application
software, see the “Upgrading the Application Software” section on page 5-6. To upgrade the
maintenance software, see the “Upgrading the Maintenance Software” section on page 5-9.
The entire application and maintenance partitions are stored on the FTP or TFTP server. The images are
downloaded and extracted to the application or maintenance partition depending on which image is being
upgraded.


To upgrade the application partition, change the boot sequence to boot the module from the maintenance
partition. The maintenance partition downloads and installs the application image. The supervisor
engine must be executing the run-time image to provide network access to the maintenance partition.
Set the boot sequence for the module using the supervisor engine CLI commands. As the maintenance
partition boots, it determines the application type. If the network parameters are already configured, you
can directly download the new image. If network parameters are not set, you need to manually configure
them.
When you specify the target device and partition number for upgrading the application partition,
software recognition checks are made to ensure that you do not upgrade the maintenance partition.
Before starting the upgrade process, you will need these software images:
• The application image for the module.
• The maintenance partition image for the module.
A TFTP and FTP server are required to copy the images. The TFTP server should be connected to the
switch and the port connecting to the TFTP server should be included in VLAN 1 on the switch.
Another TFTP server is required in the network. This TFTP server must be reachable from the module
when the module image is booted up.

Upgrading the Application Software


To upgrade the application software image you must first copy the firewall software image to a directory
accessible to FTP, and then log in to the switch through the console port or through a Telnet session.
To upgrade the application partition software, perform these tasks:

Step 1 Reboot the module into the maintenance partition.
Cisco IOS:
Router# hw-module module slot_number reset cf:1

Catalyst Operating System:
Console>(enable) reset module-number boot cf:1

Step 2 Establish a console session with the module.
Cisco IOS:
Router# session slot slot_number processor 1

Catalyst Operating System:
Console>(enable) session module

Step 3 At the login prompt, log into the root account of the module:
login: root

Step 4 Assign an IP address and a default gateway to the maintenance partition:
root@localhost# ip address ip_address netmask
root@localhost# ip gateway ip_address
Because the module maintenance partition can only use VLAN 1 on the switch, use the IP addresses and
gateway for VLAN 1. The FTP server is reachable after the IP parameters are specified.

Step 5 Display the current settings:
root@localhost# show ip
If the parameters are not correct, use the commands described in Step 4. The module image should be
available on the FTP server reachable through VLAN 1.

Step 6 Ping the FTP server to verify that the configuration is correct:
root@localhost# ping ip_address

Step 7 Upgrade the application image from the appropriate directory on the FTP server that is reachable
from the module:
root@localhost# upgrade ftp_url cf:x
The ftp_url value contains the following:
• The username to log in to the FTP server. The command prompts for the password. Enter the
password for the username you are using to log in to the FTP server.
• The IP address of the FTP server and the complete path of the file on the FTP server.

Note If the FTP server does not allow anonymous users, use the following syntax for the ftp_url value:
ftp://user@host/absolute-path/filename. Enter your password when prompted.

cf:x is the partition where the image must be copied on the compact Flash. Use partition cf:4 or cf:5
for this step.

Step 8 Follow the screen prompts during the upgrade. The image is copied from the FTP server to the
compact Flash. The upgrade command also ensures that the configuration on the corresponding
application partition is backed up and restored at the end of the upgrade operation.

Step 9 Log out of the maintenance software:
root@localhost# logout

Step 10 Reset the module into the application partition.
Cisco IOS:
Router# hw-module module slot_number reset cf:4

Catalyst Operating System:
Console>(enable) reset module-number boot cf:4

This example shows how to upgrade the Firewall Services Module application software:
Router# hw-module module 9 reset cf:1

Device BOOT variable for reset = cf:1


Warning:Device list is not verified.

Proceed with reload of module? [confirm] y


% reset issued for module 9

Router#
00:16:06:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
00:16:06:SP:The PC in slot 9 is shutting down. Please wait ...
00:16:21:SP:PC shutdown completed for module 9

00:16:21:%C6KPWR-SP-4-DISABLED:power to module in slot 9 set off (admin request)
00:16:24:SP:Resetting module 9 ...
00:16:24:%C6KPWR-SP-4-ENABLED:power to module in slot 9 set on
00:18:21:%SNMP-5-MODULETRAP:Module 9 [Up] Trap
00:18:21:%DIAG-SP-6-BYPASS:Module 9:Online Diagnostics is Bypassed
00:18:21:%OIR-SP-6-INSCARD:Card inserted in slot 9, interfaces are now online

Router# session slot 9 proc 1

The default escape character is Ctrl-^, then x.


You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.91 ... Open

Cisco Maintenance image

login:root

Password:

Maintenance image version: 1.1(0.3)

root@localhost.cisco.com# upgrade ftp://user:password@address/tftpboot/user/c6svc-fwm-k9.1-1-0-170.bin cf:4

Downloading the image. This may take several minutes...


ftp://user:password@address/tftpboot/c6svc-fwm-k9.1-1-0-170.bin (5919K)
/tmp/upgrade.gz [########################] 5919K | 821.24K/s
6061947 bytes transferred in 7.38 sec (821.23k/sec)

Upgrade file ftp://ftp://user:password@address/tftpboot/user/c6svc-fwm-k9.1-1-0-170.bin.gz is downloaded.
Upgrading will wipe out the contents on the hard disk.
Do you want to proceed installing it [y|N]:y

Proceeding with upgrade. Please do not interrupt.


If the upgrade is interrupted or fails, boot into
Maintenance image again and restart upgrade.

Proceeding with image upgrade.

Backing up FWSM configuration.

Restoring FWSM configuration.

Application image upgrade complete. You can boot the image now.

Partition upgraded successfully.

root@hostname.cisco.com# logout

[Connection to 127.0.0.91 closed by foreign host]

Router# hw-module module 9 reset

Device BOOT variable for reset =


Warning:Device list is not verified.

Proceed with reload of module? [confirm] y


% reset issued for module 9

Router#
00:24:04:%SNMP-5-MODULETRAP:Module 9 [Down] Trap


00:24:04:SP:The PC in slot 9 is shutting down. Please wait ...


00:24:18:SP:PC shutdown completed for module 9
00:24:18:%C6KPWR-SP-4-DISABLED:power to module in slot 9 set off (admin request)
00:24:21:SP:Resetting module 9 ...
00:24:21:%C6KPWR-SP-4-ENABLED:power to module in slot 9 set on
00:26:19:%SNMP-5-MODULETRAP:Module 9 [Up] Trap
00:26:19:%DIAG-SP-6-BYPASS:Module 9:Online Diagnostics is Bypassed
00:26:19:%OIR-SP-6-INSCARD:Card inserted in slot 9, interfaces are now online

The module is now upgraded and ready for further firewall configuration. You can do further application
partition upgrades from the module console, by entering the command:
copy tftp://tftp_ip/file_name flash:
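The supervisor engine messages shown in the example above are the only record that a reset or upgrade cycle actually completed, so they are worth checking mechanically rather than by eye. The following Python script is an added example and not part of the Cisco document: it parses the %SNMP-5-MODULETRAP, %C6KPWR-SP-4 and %DIAG-SP-6-BYPASS lines in the format the manual shows, measures how long each module was down, and flags modules that never came back, lost power without being powered on again, or booted with online diagnostics bypassed. The log lines it reads are constructed samples in that format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of supervisor engine console output, in the format the manual
# shows for a reset cycle. Module 9 completes its cycle; module 3 goes down and stays down.
SAMPLE_LOG = """\
00:16:06:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
00:16:06:SP:The PC in slot 9 is shutting down. Please wait ...
00:16:21:SP:PC shutdown completed for module 9
00:16:21:%C6KPWR-SP-4-DISABLED:power to module in slot 9 set off (admin request)
00:16:24:SP:Resetting module 9 ...
00:16:24:%C6KPWR-SP-4-ENABLED:power to module in slot 9 set on
00:18:21:%SNMP-5-MODULETRAP:Module 9 [Up] Trap
00:18:21:%DIAG-SP-6-BYPASS:Module 9:Online Diagnostics is Bypassed
00:18:21:%OIR-SP-6-INSCARD:Card inserted in slot 9, interfaces are now online
00:40:10:%SNMP-5-MODULETRAP:Module 3 [Down] Trap
00:40:10:%C6KPWR-SP-4-DISABLED:power to module in slot 3 set off (admin request)
"""

# Every tracked line starts with an uptime timestamp HH:MM:SS followed by a colon.
TS = r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):"
TRAP_RE = re.compile(TS + r"%SNMP-5-MODULETRAP:Module (?P<mod>\d+) \[(?P<state>Down|Up)\] Trap$")
POWER_RE = re.compile(TS + r"%C6KPWR-SP-4-(?:DISABLED|ENABLED):power to module in slot (?P<mod>\d+) set (?P<power>off|on)")
DIAG_RE = re.compile(TS + r"%DIAG-SP-6-BYPASS:Module (?P<mod>\d+):Online Diagnostics is Bypassed$")


def _seconds(m) -> int:
    """Convert the HH:MM:SS groups of a matched line into seconds."""
    return int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])


@dataclass
class ModuleState:
    module: int
    down_at: Optional[int] = None
    up_at: Optional[int] = None
    power_off_at: Optional[int] = None
    power_on_at: Optional[int] = None
    diagnostics_bypassed: bool = False

    def reboot_seconds(self) -> Optional[int]:
        """Seconds between the [Down] and [Up] traps, or None if the cycle is incomplete."""
        if self.down_at is None or self.up_at is None:
            return None
        delta = self.up_at - self.down_at
        return delta if delta >= 0 else delta + 86400  # uptime clock wrapped past 24h


def parse_module_events(text: str) -> Dict[int, ModuleState]:
    """Build the latest known state of every module mentioned in the log text."""
    states: Dict[int, ModuleState] = {}
    for raw in text.splitlines():
        line = raw.strip()
        for regex in (TRAP_RE, POWER_RE, DIAG_RE):
            m = regex.match(line)
            if m:
                break
        else:
            continue  # SP: progress text, OIR messages and the like are not tracked
        mod = int(m["mod"])
        st = states.setdefault(mod, ModuleState(mod))
        t = _seconds(m)
        if regex is TRAP_RE:
            if m["state"] == "Down":
                st.down_at, st.up_at = t, None  # a new cycle starts; forget the old Up
            else:
                st.up_at = t
        elif regex is POWER_RE:
            if m["power"] == "off":
                st.power_off_at, st.power_on_at = t, None
            else:
                st.power_on_at = t
        else:
            st.diagnostics_bypassed = True
    return states


def find_anomalies(states: Dict[int, ModuleState], max_reboot_seconds: int = 300) -> List[str]:
    """Report modules whose reset cycle looks incomplete or unusual."""
    findings: List[str] = []
    for mod, st in sorted(states.items()):
        secs = st.reboot_seconds()
        if st.down_at is not None and st.up_at is None:
            findings.append(f"module {mod}: went down and has not come back up")
        elif secs is not None and secs > max_reboot_seconds:
            findings.append(f"module {mod}: reboot took {secs}s, above {max_reboot_seconds}s")
        if st.power_off_at is not None and st.power_on_at is None:
            findings.append(f"module {mod}: power set off and never set on")
        if st.diagnostics_bypassed:
            findings.append(f"module {mod}: online diagnostics were bypassed at boot")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_module_events(SAMPLE_LOG)):
        print(finding)
```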

Upgrading the Maintenance Software


To upgrade the maintenance software image, you must first copy the module maintenance software
image to a directory accessible to TFTP, and then log into the switch through the console port or through
a Telnet session.

Note If you have changed the passwords for the root and guest accounts of the maintenance partition, they will
be retained across upgrades.

To upgrade the maintenance partition software, perform these tasks:

Step 1 Reboot the module into the application partition.
Cisco IOS:
Router# hw-module module slot_number reset cf:4

Catalyst Operating System:
Console>(enable) reset module-number cf:4

Step 2 Establish a console session with the module. Enter cisco at the password prompt.
Cisco IOS:
Router# session slot slot_number processor 1

Catalyst Operating System:
Console>(enable) session module

Step 3 Upgrade the maintenance partition from the appropriate directory on the TFTP server that is
reachable from the module:
FWSM# upgrade-mp ftp_url tftp-path
The tftp_url value contains the following:
• The username to log in to the TFTP server. The command prompts for the password. Enter the
password for the username you are using to log in to the TFTP server.
• The IP address of the TFTP server and the complete path of the file on the TFTP server.

Note If the TFTP server does not allow anonymous users, use the following syntax for the ftp_url value:
tftp://absolute-path/filename. Enter your password when prompted.

Follow the screen prompts during the upgrade. The image is copied from the TFTP server to the compact
Flash. The upgrade command also ensures that the configuration on the corresponding maintenance
partition is backed up and restored at the end of the upgrade operation.

Step 4 Log out of the application software:
FWSM# logout

Step 5 Reset the module in the maintenance partition.
Cisco IOS:
Router# hw-module module slot_number reset cf:1

Catalyst Operating System:
Console>(enable) reset module-number boot cf:1

Step 6 (Optional) Verify the initial configuration after the maintenance software comes back online
after the module is reset and you log into the maintenance software’s root account:
root@localhost# show ip

Step 7 (Optional) Reset the module in the application partition. You can reset the module in either
cf:4 or cf:5.
Cisco IOS:
Router# hw-module module slot_number reset cf:x

Catalyst Operating System:
Console>(enable) reset module-number boot cf:x

This example shows how to upgrade the module maintenance software:


Router# hw-module module 9 reset cf:4

Device BOOT variable for reset = cf:4


Warning:Device list is not verified.

Proceed with reload of module? [confirm] y


% reset issued for module 9


Router#
00:31:11:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
00:31:11:SP:The PC in slot 9 is shutting down. Please wait ...
00:31:25:SP:PC shutdown completed for module 9
00:31:25:%C6KPWR-SP-4-DISABLED:power to module in slot 9 set off (admin request)
00:31:28:SP:Resetting module 9 ...
00:31:28:%C6KPWR-SP-4-ENABLED:power to module in slot 9 set on
00:33:26:%SNMP-5-MODULETRAP:Module 9 [Up] Trap
00:33:26:%DIAG-SP-6-BYPASS:Module 9:Online Diagnostics is Bypassed
00:33:26:%OIR-SP-6-INSCARD:Card inserted in slot 9, interfaces are now online

Router# session slot 9 proc 1

The default escape character is Ctrl-^, then x.


You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.91 ... Open

fwsm# upgrade-mp
Address or name of remote host [160.251.101.128]? 192.168.253.79
Source file name []? mp-1.0.1-bin.gz
copying upgrade-mp tftp://10.1.1.1/tftpboot/mp.1-1-0-3.bin.gz to flash
[yes|no|again]? y
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Received 7700916 bytes.
Maintenance partition upgraded.

Router# hw-module module 9 reset cf:1

Device BOOT variable for reset = cf:1


Warning:Device list is not verified.

Proceed with reload of module? [confirm] y


% reset issued for module 9
Router#
02:27:19:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
02:27:19:SP:The PC in slot 9 is shutting down. Please wait ...
02:27:36:SP:PC shutdown completed for module 9
02:27:36:%C6KPWR-SP-4-DISABLED:power to module in slot 9 set off (admin request)
02:27:39:SP:Resetting module 9 ...
02:27:39:%C6KPWR-SP-4-ENABLED:power to module in slot 9 set on
02:29:37:%SNMP-5-MODULETRAP:Module 9 [Up] Trap
02:29:37:%DIAG-SP-6-BYPASS:Module 9:Online Diagnostics is Bypassed
02:29:37:%OIR-SP-6-INSCARD:Card inserted in slot 9, interfaces are now online
Router#

Changing and Recovering Passwords


You can change and recover passwords using a Telnet connection to the module and CLI.
To change the password, use a Telnet connection to the module, and then use the passwd or
passwd-guest commands to change the password.


Note New passwords must be at least six characters in length, and may include uppercase and lowercase
letters, numbers, and punctuation marks.

Note If the Firewall Services Module application image password is lost, you can clear the password by
booting into the maintenance image. If the module maintenance image passwords are lost for the root or
guest account, you can clear both passwords by booting into the application image.

This section describes how to change passwords on the module:


• Changing the Application Partition Passwords, page 5-12
• Changing the Maintenance Partition Passwords, page 5-12
• Recovering the Application Partition Passwords, page 5-13
• Recovering the Maintenance Partition Passwords, page 5-14

Changing the Application Partition Passwords


To change the application partition password, follow these steps while you are logged in to the
application account. Enter the passwd command with a password, for example:
FWSM# passwd freedom

If you do not enter a password, you receive the following result:


FWSM# passwd
Not enough arguments.
Usage: passwd <password> encrypted

Changing the Maintenance Partition Passwords


To change the password, follow these steps while you are logged in to the root account on the
maintenance software partition. The passwd command is available for the maintenance partition’s root
and guest account.

Step 1 Enter this command:


root@localhost# passwd

Step 2 Enter the new password:


Changing password for user root
New password:

Step 3 Enter the new password again:


Retype new password:
passwd: all authentication tokens updated successfully


This example shows how to set the password for the root account:
root@localhost# passwd
Changing password for user root
New password:
Retype new password:
passwd: all authentication tokens updated successfully

To change the password for the guest account, enter the passwd-guest command. This command is
available from the maintenance partition root account only.

Step 1 Enter this command:


root@localhost# passwd-guest

Step 2 Enter the new password:


Changing password for user guest
New password:

Step 3 Enter the new password again:


Retype new password:
passwd: all authentication tokens updated successfully

This example shows how to set the password for the guest account:
root@localhost# passwd-guest
Changing password for user guest
New password:
Retype new password:
passwd: all authentication tokens updated successfully

Recovering the Application Partition Passwords


If you have forgotten or lost the passwords for either the module application or maintenance software,
they can be reset to the default values. Clearing the password resets the Telnet password to cisco and
clears the enable password. To reset an application image password, follow these steps:

Step 1 Enter this command:


root@localhost# clear passwd cf:partition_number

partition_number refers to the number of the application or maintenance partition where you are
resetting the password.

Note If you are resetting the application password, you must be logged into the maintenance partition. If you
are changing the maintenance partition password, you must be logged into the application partition.

Step 2 Follow the screen prompts during the operation.


Do you wish to erase the passwords? [yn] y
The following lines will be removed from the configuration:
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
Do you want to remove the commands listed above from the configuration? [yn] y
Passwords and aaa commands have been erased.

This example shows how to clear the password for the module application software on partition 4 of the
compact flash:
root@localhost# clear passwd cf:4
Do you wish to erase the passwords? [yn] y
The following lines will be removed from the configuration:
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
Do you want to remove the commands listed above from the configuration? [yn] y
Passwords and aaa commands have been erased.
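After clear passwd the module accepts the default Telnet password and has no enable password, so the credentials must be re-set before the module goes back into service. The following Python audit is an added example, not from the Cisco document: it scans an application-partition configuration dump for the enable password, passwd and aaa lines that the recovery removes and reports what still needs attention. The three sample configurations are constructed from the lines shown in the example above; the re-keyed hashes in the last one are placeholders.

```python
import re
from typing import List, Optional

# Encrypted Telnet password value that the manual's "clear passwd" example shows being
# removed; it is the well-known encrypted form of the factory default password "cisco".
DEFAULT_PASSWD_HASH = "2KFQnbNIdI.2KYOU"

ENABLE_RE = re.compile(r"^enable password (\S+)(?: encrypted)?$")
PASSWD_RE = re.compile(r"^passwd (\S+)(?: encrypted)?$")
AAA_RE = re.compile(r"^aaa(?:-server)?\s")

# Constructed configuration fragments. "Before" matches the lines the manual shows being
# removed, "after" is the state clear passwd leaves behind, "rekeyed" is what an operator
# should see once new credentials are set (hash values are placeholders, not real hashes).
CONFIG_BEFORE_CLEAR = """\
: Saved
nameif vlan30 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname FWSM
aaa-server TACACS+ protocol tacacs+
"""

CONFIG_AFTER_CLEAR = """\
: Saved
nameif vlan30 inside security100
hostname FWSM
"""

CONFIG_REKEYED = """\
: Saved
nameif vlan30 inside security100
enable password PLACEHOLDERENAB1 encrypted
passwd PLACEHOLDERPASS1 encrypted
hostname FWSM
aaa-server TACACS+ protocol tacacs+
"""


def audit_credentials(config: str) -> List[str]:
    """Return findings about the login credentials; an empty list means they look re-set."""
    enable_hash: Optional[str] = None
    passwd_hash: Optional[str] = None
    aaa_lines = 0
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):  # comments and the ": Saved" banner
            continue
        m = ENABLE_RE.match(line)
        if m:
            enable_hash = m.group(1)
            continue
        m = PASSWD_RE.match(line)
        if m:
            passwd_hash = m.group(1)
            continue
        if AAA_RE.match(line):
            aaa_lines += 1

    findings: List[str] = []
    if enable_hash is None:
        findings.append("enable password: not set (cleared by password recovery)")
    if passwd_hash is None:
        findings.append("passwd: not set, Telnet login uses the factory default")
    elif passwd_hash == DEFAULT_PASSWD_HASH:
        findings.append("passwd: still the factory default hash")
    if aaa_lines == 0:
        findings.append("aaa: no aaa commands present; re-add them if AAA was in use")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE_CLEAR), ("after", CONFIG_AFTER_CLEAR),
                      ("rekeyed", CONFIG_REKEYED)):
        print(name, audit_credentials(cfg) or ["ok"])
```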

Recovering the Maintenance Partition Passwords


If you have forgotten or lost the passwords for either the module application or maintenance software,
they can be reset to the default values. Clearing the password resets the Telnet password to cisco and
clears the enable password.

Note If you are resetting the maintenance partition password, you must be logged into the application
partition.

To reset a maintenance image password, enter this command:


fwsm# clear mp-passwd

This example shows how to clear the password for the module maintenance software on partition cf:1 of
the compact Flash:
FWSM# clear mp-passwd
Passwords for 'root' and 'guest' accounts cleared successfully.

Resetting the Firewall Services Module


If you cannot reach the module through the CLI or an external Telnet session, enter the reset command
to reset and reboot the module. The reset process requires several minutes.
When the module initially boots, by default it runs a partial memory test. To perform a full memory test,
use the mem-test-full keyword in the hw-module module module_number reset device:partition
mem-test-full command.

Note This command is specific to Cisco IOS software and is not available in Catalyst operating system
software.

A full memory test takes more time to complete than a partial memory test depending on the memory
size. Table 2-2 on page 2-12 lists the memory and approximate boot time for a long memory test.


This section describes how to reset the module:


• Resetting the Module with Cisco IOS Software, page 5-15
• Resetting the Module with Catalyst Operating System Software, page 5-15

Resetting the Module with Cisco IOS Software


To reset the module from the CLI, perform this task in privileged mode:

Command: hw-module module mod_num reset [device:partition] [mem-test-full]
Purpose: Resets the module. The device:partition variable is the string for the boot device, for
example, cf: designates the compact Flash and x is the number for the partition on each device.

Note For the boot device, you can specify cf:4 or cf:5 for the application image or cf:1 for the maintenance
image.

This example shows how to reset the module, installed in slot 9, from the CLI:
Router# hw-mod mod 9 reset

Proceed with reload of module? [confirm] y


% reset issued for module 9

Router#
00:26:55:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
00:26:55:SP:The PC in slot 8 is shutting down. Please wait ...

To reboot the module from the application software, perform this task while you are sessioned into the
root account on the module in the privileged mode:

Command: reboot or reload
Purpose: Reboots the module.

This example shows how to reboot the module:


FWSM# reload

Resetting the Module with Catalyst Operating System Software


To reset the module from the CLI, perform this task in privileged mode:

Command: reset module_number [boot device:partition]
Purpose: Resets the module. The device:partition variable is the string for the boot device, for
example, cf: designates the compact Flash and x is the number for the partition on each device.


Note For the boot device, you can specify cf:4 or cf:5 for the application image or cf:1 for the maintenance
image. The default boot partition for the module is cf:4.

This example shows how to reset the module, installed in slot 9, from the application partition:
Router# reset mod 9

Proceed with reload of module? [confirm] y


% reset issued for module 9

Router#
00:26:55:%SNMP-5-MODULETRAP:Module 9 [Down] Trap
00:26:55:SP:The PC in slot 8 is shutting down. Please wait ...

To reboot the module from the application software, perform this task while you are sessioned into the
root account on the module in the privileged mode:

Command: reboot
Purpose: Reboots the module.

This example shows how to reboot the module:


FWSM# reboot

Troubleshooting the Firewall Services Module


This section provides troubleshooting information for the Firewall Services Module.

Symptom You cannot connect to the module.

Possible Cause The initial configuration is incorrect or not configured.

Recommended Action Perform a show module command and check that the status is OK.

Symptom When a reset command is entered from the supervisor engine CLI, the system always boots
into the maintenance image.

Possible Cause If the boot device is configured in the supervisor engine as cf:1, when you enter a
reset module command the system always boots to the maintenance image.

Recommended Action Override the configured boot device in the supervisor engine by entering the
boot string during reset. In Cisco IOS software, to boot to the application image, enter the
hw-module mod 9 reset cf:4 (or cf:5) command.


Symptom You are unable to log into the maintenance image with the same password for the module
application image.

Possible Cause The module application image and the maintenance image have different password
databases. Any password change performed in the module application image does not change the
maintenance image passwords and vice versa.

Recommended Action Use the maintenance image password.

Symptom You lost your password for the maintenance image and want to recover it.

Possible Cause The maintenance image does not support resetting passwords from the switch.
Upgrading the maintenance image retains the password for root and guest across the upgrades.

Recommended Action Refer to “Changing and Recovering Passwords” section on page 5-11.

Appendix A
Firewall Services Module and PIX Commands

This appendix describes additions, changes, and differences between the Firewall Services Module and
the PIX application commands.
The tables in this appendix describe the following commands:
• Commands that support the maintenance software (Table A-1 on page A-1).
• Cisco IOS commands that support the Firewall Services Module (Table A-2 on page A-3).
• Catalyst operating system commands that support the Firewall Services Module (Table A-3 on page A-3).
• New commands specific to the module (Table A-4 on page A-3).
These commands are described in Appendix B, “Command Reference.”
• PIX commands that were changed for the module (Table A-5 on page A-5).
• PIX commands that are not used by the module (Table A-6 on page A-5).
• PIX commands used by the module and their PIX version (Table A-7 on page A-7).
For detailed information about the PIX software commands, refer to the PIX documentation listed
in the “Related Documentation” section on page xvii.
The module also supports CLI commands for the supervisor engine, which are described in more detail
in the Catalyst 6500 Series Command Reference.

Table A-1 Administrative Commands Supporting the Maintenance Software

clear ip
    Clears the network configuration for the interface.
clear log upgrade
    Clears the application image upgrade log file. This command is available only in the maintenance
    image.
clear password
    Clears and resets the password.
disable-guest
    Disables the guest account from the maintenance image. This command is available only for the root
    account. The guest account is enabled by default.
enable-guest
    Enables the guest account from the maintenance image root account. This command is available only
    for the root account. The guest account is enabled by default.
?
    Displays a list of top-level commands or additional information for an individual command.
ip
    Sets the IP parameters. This command is available from the application and maintenance image and
    the guest account in the maintenance image.
ip address ip-address netmask
    Specifies the IP address and subnet for a node on the network.
ip broadcast broadcast-address
    Specifies the IP broadcast address for a node on the network.
ip domain domain-name
    Specifies the domain name.
ip gateway gateway-address
    Specifies the default IP gateway.
ip host hostname
    Specifies an IP host name.
ip nameserver [name-server1] [name-server2] [name-server3]
    Specifies the IP name server used to resolve network names into network addresses.
logout
    Logs you out of the shell from the maintenance image and the guest account from the maintenance
    image.
passwd
    Sets the password for the current user from the root account.
passwd-guest
    Sets the password for the guest account from the maintenance image. This command is available only
    for the root account.
ping hostname | IP address
    Sends five ICMP echo-request packets to another node on the network. To configure ping, you can
    also use the command without arguments.
show
    Displays the system parameters from the maintenance and guest account from the maintenance image.
show images
    Lists the images that are installed in the module application partitions.
show ip
    Displays current IP configuration.
show log upgrade
    Displays the application image upgrade log.
show version
    Displays the module maintenance image version, daughter card information, and module application
    image version.
show crashdump
    Displays the contents of the crashdump partition. The partition is populated when the module
    application software crashes.
upgrade [ftp-url] [device:partition-num]
    Upgrades the maintenance image from the specified location, when the module is booted into the
    application image. This command is also available from the guest account in the maintenance image.

Table A-2 Cisco IOS Commands for the Firewall Services Module

firewall module module_number vlan-group firewall_group: Attaches the VLAN and firewall group to the slot where the module is located.
firewall vlan-group firewall_group vlan_range: Creates a firewall group of controlled VLANs.
interface vlan vlan_number: Defines a controlled VLAN (SVI) on the MSFC (route processor). Note: You must configure a controlled VLAN (SVI) on the MSFC or you will be unable to configure VLANs on the module.
show firewall module: Displays the module configuration.
show firewall vlan-group: Displays the firewall VLAN group.
show interface vlan vlan_number: Displays the interface configuration.
vlan vlan_number: Creates VLANs on the switch.

Table A-3 Catalyst Operating System Commands for the Firewall Services Module

set vlan vlan-range firewall-vlan module: Sets the specified VLAN range as secure VLANs on the firewall module.
clear vlan vlan-range firewall-vlan module: Clears the specified VLANs from the secure VLANs for a given firewall module.
show vlan firewall-vlan module: Displays the current secure VLANs for a given firewall module.

Table A-4 New Firewall Services Module Commands

access-list id deny | permit {any | ip mask}
area area id authentication
area area id authentication message-digest
area area id default-cost cost
area area id cost
area area id filter-list prefix name [in | out]
area area id nssa [no-redistribution] [default-information-originate]
area area id range prefix mask [advertise | not-advertise]
area area id stub [no-summary]
area area id virtual-link router id [authentication [message-digest | null]] [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds] [[authentication-key key] | [message-digest-key key id md5 key]]
console-output (clear and show)
default-information originate [metric value | metric-type {1 | 2} | route-map map]
distance [intra-area d1] [inter-area d2] [external d3]

ip prefix-list list-name [seq seq-value] {deny | permit network/length} [ge ge-value] [le le-value]
ip prefix-list sequence-number
logging rate-limit num [interval] message syslog_id
logging rate-limit num [interval] level syslog_level
show logging rate-limit
clear logging rate-limit
match [interface | route-type | metric | ip address | ip next-hop | ip route-source]
nameif vlan_id [if_name] [security_level]
network prefix mask area area id
ospf cost cost
ospf retransmit-interval seconds
ospf transmit-delay seconds
ospf priority number
ospf hello-interval seconds
ospf dead-interval seconds
ospf authentication-key key
ospf message-digest-key key id md5 key
ospf authentication [message-digest | null]
redistribute {ospf id | static | connect} [{match {internal | external extern-type} metric metric-value | metric-type metric-type [internal | external] tag tag-value | subnets}] route-map map value
route-map map-tag [permit | deny] [seq-num]
router ospf asystem id
set metric [+ | -] metric-value
set metric-type type-1 | type-2 | internal | external
set ip next-hop ip-address [ip-address...]
show ip ospf
show ip ospf border-routers
show ip ospf database [router] [network] [external]
show ip ospf interface
show ip ospf neighbor
show ip ospf request-list
show ip ospf retransmission-list
show ip ospf summary-address
show ip ospf virtual-link
summary-address addr mask [not-advertise] [tag tag]
timers lsa-group-pacing value
timers spf
upgrade-mp

Table A-5 PIX Commands Changed for the Firewall Services Module

aaa authentication [supervisor | enable | telnet | ssh | http] console group_tag
fragment size database-limit [interface]
The default fragment size was changed from 200 for PIX to 1 for the FWSM. By default, fragmentation is disabled on the FWSM.
icmp permit | deny [host] src_addr [src_mask] [type] int_name
By default, ICMP is set to off in the FWSM.
interface hardware_id [hardware_speed] [shutdown]
show interface
nameif hardware_id ifname security_level
The new syntax is nameif vlan_id if_name security_level. Refer to nameif vlan_number if_name security_level in Appendix B, "Command Reference".
route if_name ip_address netmask gateway_ip [metric]

Table A-6 PIX Commands Not Used by the Firewall Services Module

apply [(if_name)] list_ID outgoing_src | outgoing_dest
clear apply
show apply [(if_name)] [list_ID outgoing_src | outgoing_dest]
failover rsa key
clock set hh:mm:ss month day year
clock set hh:mm:ss day month year
show clock
conduit permit | deny protocol global_ip global_mask [operator port [port]] foreign_ip foreign_mask [operator port [port]]
configure floppy
dhcpd auto_config [client_ifx_name]
dhcpd option {150 | 66}
eeprom update
show eeprom
flashfs downgrade {4.x | 5.0 | 5.1}
filter activex port local_ip mask foreign_ip mask
filter java port [-port] local_ip mask foreign_ip mask
ip address if_name dhcp [setroute]

ip audit attack [action [alarm] [drop] [reset]]
show ip audit attack
ip audit info [action [alarm] [drop] [reset]]
show ip audit info
ip audit interface if_name audit_name
show ip audit interface
ip audit name audit_name attack [action [alarm] [drop] [reset]]
show ip audit name [name [info | attack]]
ip audit name audit_name info [action [alarm] [drop] [reset]]
show ip audit name
ip audit signature signature_number disable
show ip audit signature [signature_number]
clear ip audit [name | signature | interface | attack | info]
outbound list_ID permit | deny ip_address [netmask [port[-port]] [protocol]
outbound list_ID except ip_address [netmask [port[-port]] [protocol]
clear outbound
show outbound
session enable
show session
sysopt uauth allow-http-cache
sysopt connection permit-pptp
sysopt connection permit-l2tp
vpdn enable if_name
vpdn group group_name accept dialin pptp | l2tp
vpdn group group_name l2tp tunnel hello hello_timeout
vpdn group group_name ppp authentication pap | chap | mschap
vpdn group group_name ppp encryption mppe 40 | 128 | auto [required]
vpdn group group_name client configuration address local address_pool_name
vpdn group group_name client configuration dns dns_server_ip1 [dns_server_ip2]
vpdn group group_name client configuration wins wins_server_ip1 [wins_server_ip2]
vpdn group group_name client authentication aaa aaa_server_group
vpdn group group_name client authentication local
vpdn group group_name client accounting aaa_server_group
vpdn username username password password
vpdn group group_name pptp echo echo_timeout
show vpdn tunnel [l2tp | pptp] [id tunnel_id | packets | state | summary | transport]
show vpdn username [username]
show vpdn session [l2tp | pptp] [id session_id | packets | state | window]
show vpdn pppinterface [id intf_id]
clear vpdn [group | username | tunnel [all | [id tunnel_id]]]
write floppy

Table A-7 lists the PIX commands used by the module and their PIX version. Commands that were
changed from PIX for the module are described in Appendix B, “Command Reference.” For detailed
information about the PIX software commands, refer to the PIX documentation located at these URLs:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/

Table A-7 PIX Commands and Versions

Command    PIX Version
aaa 6.0
aaa proxy-limit 6.2
aaa-server 6.0
access-group 6.0
arp 6.0
auth-prompt 6.0
ca-authorization 6.2
ca generate rsa key 6.0
clear console-output, page B-12 6.0
clear logging rate-limit, page B-13 6.0
default-information originate, page B-14 6.0
clear pager, page B-15 6.0
configure 6.0
console-output 6.0
copy tftp flash 6.0
nameif, page B-23 6.0
debug 6.0
dhcpd 6.0
disable 6.0
distance, page B-15 6.0
enable 6.0
enable password 6.0
established 6.0
exit 6.0
failover 6.2
failover lan interface 6.0
failover unit 6.0
filter 6.0
firewall module, page B-16 6.0
firewall vlan-group, page B-17 6.0
fixup protocol 6.2

floodguard 6.0
fragment 6.0
global 6.0
help 6.0
hostname 6.0
http 6.0
icmp 6.0
interface, page B-18 6.0
ip address 6.0
ip local pool 6.0
isakmp policy 6.0
kill 6.0
local-host (clear and show) 6.0
logging 6.0
logging rate-limit, page B-20 6.0
mtu 6.0
nameif, page B-23 6.0
name/ names 6.0
nat 6.0
object-group 6.2
pager 6.0
passwd 6.0
pdm 6.0
perfmon 6.0
ping 6.0
quit 6.0
reload 6.0
rip 6.0
route, page B-28 6.0
service 6.0
show 6.0
show apply 6.0
show blocks/ clear blocks 6.0
show checksum 6.0
show conn 6.0
show console-output, page B-35 6.0

show crashdump, page B-36 6.0
show firewall module, page B-37 6.0
show firewall vlan-group, page B-38 6.0
show history 6.0
show interface, page B-39 6.0
show logging rate-limit, page B-42 6.0
show memory 6.0
show pager 6.0
show processes 6.0
show sprom 6.0
show tech-support 6.0
show uauth 6.0
show version 6.0
show xlate 6.0
shun 6.0
snmp-server 6.0
ssh 6.0
static 6.0
syslog 6.0
sysopt 6.0
telnet 6.0
terminal 6.0
tftp-server 6.0
timeout 6.0
uauth (clear and show) 6.0
url-cache 6.2
url-server 6.0
virtual 6.0
who 6.0
write 6.0
xlate (clear and show) 6.0

Appendix B
Command Reference

This appendix describes the Firewall Services Module commands that are unique to this module and the
commands that have been changed from the PIX command implementation for use with the Firewall
Services Module.
For detailed information about the PIX software commands, refer to the PIX documentation located at
these URLs:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/

access-list, page B-2
access-list (ospf), page B-7
area, page B-8
clear console-output, page B-11
clear logging rate-limit, page B-12
default-information originate, page B-13
distance, page B-14
firewall module, page B-15
firewall vlan-group, page B-16
interface, page B-17
ip prefix-list, page B-18
logging rate-limit, page B-19
match, page B-21
nameif, page B-22
network, page B-23
ospf, page B-24
redistribute, page B-26
route, page B-28
router ospf, page B-29
route-map, page B-30
set metric, page B-32
set metric-type, page B-33
show console-output, page B-34
show crashdump, page B-35
show firewall module, page B-36
show firewall vlan-group, page B-37
show interface, page B-38
show ip ospf, page B-39
show logging rate-limit, page B-41
show vlan, page B-42
summary-address, page B-43
timers lsa-group-pacing, page B-44
timers spf, page B-45
upgrade-mp, page B-46


access-list
To configure access rules, use the access-list command. Use the no form of this command to remove
access rules from the configuration.

Note The configuration options for access lists on the module are the same as those supported in PIX 6.0.
The module also supports access rule configuration using the object-group command as supported in
PIX 6.2.

Note Every interface on the module requires you to explicitly define access lists. By default access lists are
defined as deny any any.

access-list acl_ID deny | permit {protocol | object-group protocol_obj_grp_id}
{host source_addr | local_addr | source_addr | local_addr source_mask | local_mask |
object-group network_obj_grp_id} {[operator port [port] | object-group service_obj_grp_id]}
{host destination_addr | remote_addr | destination_addr | remote_addr destination_mask |
remote_mask | object-group network_obj_grp_id} {[operator port [port] | object-group
service_obj_grp_id]}

no access-list acl_ID deny | permit {protocol | object-group protocol_obj_grp_id}
{host source_addr | local_addr | source_addr | local_addr source_mask | local_mask |
object-group network_obj_grp_id} {[operator port [port] | object-group service_obj_grp_id]}
{host destination_addr | remote_addr | destination_addr | remote_addr destination_mask |
remote_mask | object-group network_obj_grp_id} {[operator port [port] | object-group
service_obj_grp_id]}

access-list acl_ID deny | permit icmp {host source_addr | local_addr | source_addr | local_addr
source_mask | local_mask | object-group network_obj_grp_id} {host destination_addr |
remote_addr | destination_addr | remote_addr destination_mask | remote_mask | object-group
network_obj_grp_id} {[icmp_type | object-group icmp_type_obj_grp_id]}

no access-list acl_ID deny | permit icmp {host source_addr | local_addr | source_addr |
local_addr source_mask | local_mask | object-group network_obj_grp_id} {host
destination_addr | remote_addr | destination_addr | remote_addr destination_mask | remote_mask
| object-group network_obj_grp_id} {[icmp_type | object-group icmp_type_obj_grp_id]}

clear access-list [acl_ID]

show access-list [acl_ID]


Syntax Description
acl_ID: Name of an access list. You can use either a name or a number.
deny: (Optional) Used with the access-list command to not allow a packet to traverse the PIX firewall.
By default, the PIX firewall denies all inbound or outbound packets unless you specifically permit
access. When used with a crypto map command statement, deny does not select a packet for IPSec
protection. The deny option prevents traffic from being protected by IPSec in the context of that
particular crypto map entry. In other words, it does not allow the policy as specified in the crypto map
command statements to be applied to this traffic.
permit: Used with the access-list command to select a packet to traverse the PIX firewall. By default,
the PIX firewall denies all inbound or outbound packets unless you specifically permit access. When
used with a crypto map command statement, permit selects a packet for IPSec protection. The permit
option causes all IP traffic that matches the specified conditions to be protected by IPSec using the
policy described by the corresponding crypto map command statements.
permit icmp: Used with the access-list command to allow an ICMP packet to traverse the PIX firewall.
By default, the PIX firewall denies all inbound or outbound packets unless you specifically permit
access. When used with a crypto map command statement, permit selects a packet for IPSec protection.
The permit option causes all IP traffic that matches the specified conditions to be protected by IPSec
using the policy described by the corresponding crypto map command statements.
protocol: Name or number of an IP protocol. This value can be one of the keywords icmp, ip, tcp, or
udp, or an integer in the range 1 to 254 representing an IP protocol number. To match any Internet
protocol, including ICMP, TCP, and UDP, use the keyword ip.
object-group: Identifies the object group.
protocol_obj_grp_id: Identification of the object group.
host: Identifies the host.
source_addr: Address of the network or host from which the packet is being sent. Use this field when
an access-list command statement is used in conjunction with an access-group command statement, or
with the aaa match access-list command and the aaa authorization command.
local_addr: Address of the network or host local to the PIX firewall. Specify a local_addr when the
access-list command statement is used in conjunction with a crypto access-list command statement, a
nat 0 access-list command statement, or a vpngroup split-tunnel command statement. The local_addr is
the address after NAT has been performed.
source_mask: Netmask bits (mask) to be applied to source_addr, if the source address is for a network
mask.
local_mask: Netmask bits (mask) to be applied to local_addr, if the local address is a network mask.
network_obj_grp_id: Name of the network object group containing a group of hosts and networks.


operator: A comparison operand that allows you to specify a port or a port range. Use without an
operator and port to indicate all ports; for example:
access-list acl_out permit tcp any host 209.165.201.1
Use eq and a port to permit or deny access to only that port. For example, use eq ftp to permit or deny
access only to FTP:
access-list acl_out deny tcp any host 209.165.201.1 eq ftp
Use lt and a port to permit or deny access to all ports less than the port you specify. For example, use
lt 1025 to permit or deny access to the well known ports (1 to 1024):
access-list acl_dmz1 permit tcp any host 192.168.1.1 lt 1025
Use gt and a port to permit or deny access to all ports greater than the port you specify. For example,
use gt 42 to permit or deny ports 43 to 65535:
access-list acl_dmz1 deny udp any host 192.168.1.2 gt 42
Use neq and a port to permit or deny access to every port except the port that you specify. For example,
use neq 10 to permit or deny ports 1 to 9 and 11 to 65535:
access-list acl_dmz1 deny tcp any host 192.168.1.3 neq 10
Use range and a port range to permit or deny access to only those ports named in the range. For
example, use range 10 to 1024 to permit or deny access only to ports 10 through 1024. All other ports
are unaffected. The use of port ranges can dramatically increase the number of IPSec tunnels. For
example, if a port range of 5000 to 65535 is specified for a highly dynamic protocol, up to 60,535
tunnels can be created.
access-list acl_dmz1 deny tcp any host 192.168.1.4 range 21 1024
port: Service you permit or deny access to. Specify services by the port that handles them, such as
smtp for port 25, www for port 80, and so on. You can specify ports by either a literal name or a number
in the range of 1 to 65535. You can view valid port numbers online at
http://www.isi.edu/in-notes/iana/assignments/port-numbers.
service_obj_grp_id: Name of the port object group containing a group of services.
destination_addr: IP address of the network or host to which the packet is being sent. Specify a
destination_addr when the access-list command statement is used in conjunction with an access-group
command statement, or with the aaa match access-list command and the aaa authorization command.
For inbound connections, destination_addr is the address after NAT has been performed. For outbound
connections, destination_addr is the address before NAT has been performed.
destination_mask: Netmask bits (mask) to be applied to destination_addr, if the destination address is
a network mask.
remote_addr: IP address of the network or host remote to the firewall. Specify a remote_addr when the
access-list command statement is used in conjunction with a crypto access-list command statement, a
nat 0 access-list command statement, or a vpngroup split-tunnel command statement.


remote_mask: Netmask bits (mask) to be applied to remote_addr, if the remote address is a network
mask.
icmp_type: (Non-IPSec use only) Permit or deny access to ICMP message types. Omit this option to
mean all ICMP types. ICMP message types are not supported for use with IPSec when the access-list
command is used in conjunction with the crypto map command; in that case the icmp_type is ignored.
icmp_type_obj_grp_id: Name of the port object group containing a group of ICMP message types.

Defaults This command has no default settings.

Command Modes Privileged mode.

Command History Release Modification
1.1(1) This command is the same as the PIX 6.0 command with the addition of object grouping support
from the PIX 6.2 command and other implementation-related changes as noted in the usage guidelines.

Usage Guidelines The access list behavior on the module differs from that on PIX 6.0 as follows:
• By default, all traffic through the module is denied. Explicit access rules need to be configured using
the access-list command and attached to the appropriate interface using the access-group command to
allow traffic to pass through that interface.
• The module does not support the outbound, conduit, and apply configuration commands that are
supported in PIX.
• The access lists used in the module are compiled by the software and loaded into the supervisor
engine for subsequent lookup. Each time an access rule is added using any of the following commands,
a short delay occurs before a new compilation begins, so that any additional configuration entered in
the meantime is included: filter, fixup, icmp, telnet, ssh, access-list, established, aaa
authentication, aaa authorization, and aaa accounting.
After the compilation begins, it may take some time for the new rule set to be downloaded to the
hardware. In the interim, the old access rule set is applied to the incoming traffic. After a successful
download, the new set is used to determine access permissions.
• If the compilation process runs out of resources, an error message is printed on the console, and the
access lists configured on the module then differ from those currently being used in the hardware. To
synchronize the configuration, remove the newly added rules that began the compilation and add fewer
rules.
• Access rules with port ranges have a negative impact on the total number of access rules that the
module can support. You should avoid configuring access rules with large port ranges.


Examples This example shows how to define an access list allowing any host to access server 121.23.65.12 using
Telnet:
FWSM(config)# access-list in_acl permit tcp any host 121.23.65.12 eq 23

For further examples, refer to the Configuration Guide for the Cisco Secure PIX Firewall Version 6.
For examples on using access-lists with the object group command, refer to the Cisco PIX Firewall and
VPN Configuration Guide Version 6.2.
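The matching rules above (the eq, lt, gt, neq and range operators, host and any addresses, first match wins, and the implicit deny for anything not explicitly permitted) can be exercised offline with a small evaluator. The following is an added example written for this note, not code from the Cisco documentation or the FWSM software; the ACL entries are the page's own examples, the flows and port keyword table are constructed, and icmp_type and object-group matching are not modelled.

```python
"""Evaluator for the access-list semantics described in this section: entries
are checked in order, the first match decides, and a flow matching nothing is
denied (the page's "deny any any" default). Added example; entries are taken
from the page, flows are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords used in the page's examples with their IANA numbers (constructed table).
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "www": 80}
OPERATORS = ("eq", "lt", "gt", "neq", "range")


@dataclass
class Rule:
    acl: str
    action: str                 # "permit" or "deny"
    protocol: str               # "ip", "tcp" or "udp"; icmp_type matching is not modelled
    src: ipaddress.IPv4Network
    sport: Optional[tuple]      # None = all ports, else (operator, [port, ...])
    dst: ipaddress.IPv4Network
    dport: Optional[tuple]


def _port_number(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def _take_address(tokens: list) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def _take_port_spec(tokens: list) -> Optional[tuple]:
    """Consume an optional 'operator port [port]' clause."""
    if tokens and tokens[0] in OPERATORS:
        op = tokens.pop(0)
        count = 2 if op == "range" else 1
        return op, [_port_number(tokens.pop(0)) for _ in range(count)]
    return None


def _port_matches(spec: Optional[tuple], port: int) -> bool:
    """Apply one operator exactly as the operator table on the page defines it."""
    if spec is None:
        return True                          # no operator: every port
    op, vals = spec
    if op == "eq":
        return port == vals[0]
    if op == "lt":
        return port < vals[0]
    if op == "gt":
        return port > vals[0]
    if op == "neq":
        return port != vals[0]
    return vals[0] <= port <= vals[1]        # range is inclusive at both ends


def parse_rule(line: str) -> Rule:
    """Parse 'access-list ID permit|deny PROTO SRC [op ports] DST [op ports]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line}")
    acl, action, proto, rest = tokens[1], tokens[2], tokens[3], tokens[4:]
    src, sport = _take_address(rest), _take_port_spec(rest)
    dst, dport = _take_address(rest), _take_port_spec(rest)
    return Rule(acl, action, proto, src, sport, dst, dport)


def evaluate(rules, acl_id, proto, src, sport, dst, dport):
    """Return (action, matched_rule); matched_rule is None on the implicit deny,
    which lets an operator tell an explicit deny entry from a missing permit."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.acl != acl_id or rule.protocol not in ("ip", proto):
            continue
        if src_ip not in rule.src or dst_ip not in rule.dst:
            continue
        if _port_matches(rule.sport, sport) and _port_matches(rule.dport, dport):
            return rule.action, rule         # first match wins
    return "deny", None                      # implicit deny any any


# Constructed ACL made of the page's own example entries.
SAMPLE_ACL = [
    "access-list acl_dmz1 deny tcp any host 192.168.1.3 neq 10",
    "access-list acl_dmz1 permit tcp any host 192.168.1.1 lt 1025",
    "access-list acl_dmz1 deny udp any host 192.168.1.2 gt 42",
    "access-list in_acl permit tcp any host 121.23.65.12 eq 23",
]
RULES = [parse_rule(line) for line in SAMPLE_ACL]

if __name__ == "__main__":
    for flow in [("in_acl", "tcp", "10.1.1.5", 40000, "121.23.65.12", 23),
                 ("in_acl", "tcp", "10.1.1.5", 40001, "121.23.65.12", 22),
                 ("acl_dmz1", "tcp", "10.1.1.5", 40002, "192.168.1.1", 1025),
                 ("acl_dmz1", "tcp", "10.1.1.5", 40003, "192.168.1.3", 11)]:
        action, rule = evaluate(RULES, *flow)
        why = SAMPLE_ACL[RULES.index(rule)] if rule else "implicit deny"
        print(f"{flow[1]} {flow[2]}:{flow[3]} -> {flow[4]}:{flow[5]}  {action}  ({why})")
```

Running the block shows the Telnet flow permitted by in_acl, port 22 to the same server dropped by the implicit deny, port 1025 falling just outside lt 1025, and port 11 hit by the explicit neq 10 deny; the returned rule (or None) is the piece of information that tells the two kinds of drop apart.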

Related Commands access-list (PIX 6.0)
object-group


access-list (ospf)
To configure access rules, use the access list (ospf) command. Use the no form of this command to
remove access rules from the configuration.

access-list id deny | permit {any | ip mask}

[no] access-list id deny | permit {any | ip mask}

Syntax Description
id: Sets the access list identification.
deny: Denies access if the conditions are matched.
permit: Permits access if the conditions are matched.
any: Used as an abbreviation for an IP address of 0.0.0.0 and a mask of 255.255.255.0.
ip mask: Sets the IP address and mask for the network.

Defaults This command has no default settings.

Command Modes Privileged mode.

Command History Release Modification
1.1(1) This command was introduced.

Usage Guidelines This access list syntax is used only in the context of OSPF. Access lists created with this syntax are then
used for defining route maps to be applied to redistributed routes. An access list containing any access
elements defined using this command syntax cannot be applied to an interface using the access-group
command.

Examples This example shows how to create an access list:
FWSM(config)# access-list ospf1 permit 10.2.0.0 255.255.255.0
FWSM(config)# show access-list
access-list ospf1; 1 elements
access-list ospf1 permit 10.2.0.0 255.255.255.0 (hitcnt=0)

Related Commands match
route-map


area
To specify an area name in the router configuration submode, use the area command.

area area id authentication

area area id authentication message-digest

area area id default-cost cost

area area id filter-list prefix name [in | out]

area area id nssa [no-redistribution] [default-information-originate]

area area id range prefix mask [advertise | not-advertise]

area area id stub [no-summary]

area area id virtual-link router id [authentication [message-digest | null]] [hello-interval
seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds]
[[authentication-key key] | [message-digest-key key id md5 key]]

Syntax Description
area id: Specifies the ID of an area.
authentication: Enables cleartext authentication for this area.
message-digest: Specifies MD5 authentication.
default-cost cost: Assigns a default cost to the default summary route used for the stub area.
filter-list prefix name: Specifies a filter list and assigns a filter list name.
in | out: (Optional) Specifies that a list is enabled or disabled.
nssa: Specifies the area is for NSSA.
no-redistribution: (Optional) Specifies there is no area redistribution.
default-information-originate: (Optional) Specifies the default information generated from this area.
range prefix mask: Specifies an address range for which a single summary LSA is generated from this
area.
advertise: (Optional) Specifies that an LSA is advertised.
not-advertise: (Optional) Specifies that an LSA is not advertised.
stub: Defines the area as a stub.
no-summary: (Optional) Specifies that summary (type 3) LSAs are not generated into this area.
virtual-link: Creates a virtual link.
router id: Specifies the router ID for the virtual link.
null: Specifies no authentication.
hello-interval seconds: (Optional) Specifies the time between hello messages.
retransmit-interval seconds: (Optional) Specifies the time between hello message retransmissions.
transmit-delay seconds: (Optional) Specifies the delay between hello message retransmissions.


dead-interval seconds: (Optional) Sets the time to wait for hello messages before declaring a neighbor
down.
authentication-key key: Assigns a password used by neighbors on a network segment using simple
(cleartext) password authentication.
key: Used between the client and server for encrypting data between them; the key must be the same on
both the client and server systems. You can use up to 127 alphanumeric characters, which are
case-sensitive. This key has the same value as on a TACACS+ server. Any characters entered past 127
are ignored. You cannot use spaces in the key, but you can use other special characters. If you do not
specify a key, encryption does not occur.
message-digest-key key id md5 key: Specifies a key ID and value for an interface using MD5
authentication.

Defaults This command has no default settings.

Command Modes Router configuration submode.

Command History Release Modification
1.1(1) This command was introduced.

Examples The following example mandates authentication for areas 0 and 36.0.0.0 of OSPF routing process 201.
Authentication keys are also provided.
Router(config)# interface ethernet 0
ip address 131.119.251.201 255.255.255.0
ip ospf authentication-key adcdefgh
!
Router(config)# interface ethernet 1
ip address 36.56.0.201 255.255.0.0
ip ospf authentication-key ijklmnop
!
Router(config)# router ospf 201
network 36.0.0.0 0.255.255.255 area 36.0.0.0
network 131.119.0.0 0.0.255.255 area 0
area 36.0.0.0 authentication
area 0 authentication

The following example assigns a default cost of 20 to stub network 36.0.0.0:
Router(config)# interface ethernet 0
ip address 36.56.0.201 255.255.0.0
!
Router(config)# router ospf 201
network 36.0.0.0 0.255.255.255 area 36.0.0.0
area 36.0.0.0 stub
area 36.0.0.0 default-cost 20

The following example filters prefixes that are sent from all other areas to area 1:
Router(config)# area 1 filter-list prefix AREA_1 in


The following example specifies one summary route to be advertised by the ABR to other areas for all
subnets on network 36.0.0.0 and for all hosts on network 192.42.110.0:
Router(config)# interface ethernet 0
ip address 192.42.110.201 255.255.255.0
!
Router(config)# interface ethernet 1
ip address 192.42.120.201 255.255.255.0
!
Router(config)# router ospf 201
network 192.42.110.0 0.0.0.255 area 0
area 36.0.0.0 range 36.0.0.0 255.0.0.0
area 0 range 192.42.110.0 255.255.0.0

The following example establishes a virtual link with default values for all optional parameters:
Router(config)# router ospf 201
network 36.0.0.0 0.255.255.255 area 36.0.0.0
area 36.0.0.0 virtual-link 36.3.4.5

The following example establishes a virtual link with MD5 authentication:
Router(config)# router ospf 201
network 36.0.0.0 0.255.255.255 area 36.0.0.0
area 36.0.0.0 virtual-link 36.3.4.5 message-digest-key 3 md5 sa5721bk47

For further examples refer to the Cisco IOS Configuration Guides and Command References.
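The difference between the cleartext authentication and message-digest forms above is what actually goes on the wire: with authentication-key the password itself sits in the 8-byte Authentication field of every OSPF packet, while with message-digest-key only a 16-byte MD5 digest of the packet and the key is appended, so a neighbor can detect a modified packet or a wrong key without the key ever being transmitted. The following added example (written for this note, not Cisco code) models that exchange after RFC 2328 Appendix D: the header layout, the zeroed checksum, the key-ID/sequence-number Authentication field, and the 16-byte zero-padded key are assumptions taken from that RFC, the Hello body is constructed, and the key ID 3 with key sa5721bk47 and the cleartext key adcdefgh are reused from the page's own examples.

```python
"""OSPFv2 cryptographic authentication (area ... authentication message-digest
with message-digest-key KEYID md5 KEY) modelled after RFC 2328 Appendix D.
Added example; the packet contents below are constructed."""
import hashlib
import hmac
import struct

AUTYPE_SIMPLE, AUTYPE_CRYPTO = 1, 2
HEADER_LEN = 24          # OSPFv2 header including the 8-byte Authentication field
DIGEST_LEN = 16


def _ip(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def _key16(key: str) -> bytes:
    """The MD5 key is used as 16 bytes; shorter keys are zero-padded (RFC 2328 D.4.3)."""
    raw = key.encode()
    if len(raw) > DIGEST_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return raw.ljust(DIGEST_LEN, b"\x00")


def build_hello(router_id, area_id, key_id, key, seq, body):
    """Return header + Hello body + MD5 trailer; the trailer is outside the length field."""
    length = HEADER_LEN + len(body)
    # AuType 2 Authentication field: zero, key ID, digest length, cryptographic sequence number
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    header = struct.pack("!BBH4s4sHH", 2, 1, length, _ip(router_id), _ip(area_id),
                         0, AUTYPE_CRYPTO) + auth     # checksum is 0 with MD5 auth
    packet = header + body
    return packet + hashlib.md5(packet + _key16(key)).digest()


def build_hello_cleartext(router_id, area_id, key, body):
    """AuType 1 for comparison: the password itself occupies the 8-byte field."""
    auth = key.encode()[:8].ljust(8, b"\x00")
    return struct.pack("!BBH4s4sHH", 2, 1, HEADER_LEN + len(body), _ip(router_id),
                       _ip(area_id), 0, AUTYPE_SIMPLE) + auth + body


def verify(packet, keys):
    """Receiver side: select the key by the key ID in the header and recompute the digest.
    keys maps key ID -> key string, like a router's message-digest-key list."""
    if len(packet) < HEADER_LEN + DIGEST_LEN:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    autype = struct.unpack("!H", packet[14:16])[0]
    key_id, auth_len = packet[18], packet[19]
    if autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN or key_id not in keys:
        return False
    if len(packet) != length + DIGEST_LEN:
        return False
    expected = hashlib.md5(packet[:length] + _key16(keys[key_id])).digest()
    return hmac.compare_digest(expected, packet[length:])


def demo():
    """Mirror the page's 'message-digest-key 3 md5 sa5721bk47' example and report
    what verification accepts and rejects."""
    keys = {3: "sa5721bk47"}
    # Constructed Hello body: mask, hello interval, options, priority, dead interval, DR, BDR
    body = struct.pack("!4sHBBI4s4s", _ip("255.255.0.0"), 10, 0x02, 1, 40,
                       b"\x00" * 4, b"\x00" * 4)
    pkt = build_hello("36.56.0.201", "36.0.0.0", 3, keys[3], 1, body)
    altered = pkt[:4] + _ip("10.0.0.1") + pkt[8:]     # router ID changed in transit
    clear = build_hello_cleartext("36.56.0.201", "36.0.0.0", "adcdefgh", body)
    return {
        "valid": verify(pkt, keys),
        "altered": verify(altered, keys),
        "wrong_key": verify(pkt, {3: "otherkey"}),
        "unknown_key_id": verify(pkt, {4: keys[3]}),
        "cleartext_key_visible": b"adcdefgh" in clear,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>22}: {result}")
```

The digest covers the whole packet, so changing any header or body field, using a different key, or referencing a key ID the receiver does not hold all fail verification, while the cleartext variant exposes the configured password in every packet captured on the segment. The sequence number in the Authentication field is what a receiver uses to reject replayed packets; this model leaves that state tracking to the reader.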


clear console-output
To clear the contents of the message buffer, use the clear console-output command.

clear console-output

Defaults This command has no default settings.

Command Modes Privileged mode.

Command History Release Modification


1.1(1) This command was introduced.

Examples This example shows how to clear the message buffer.


Router(config)# clear console-output

Related Commands show console-output


clear logging rate-limit


To clear all configured logging rate limits, use the clear logging rate-limit command.

clear logging rate-limit

Defaults This command has no default settings.

Command Modes Privileged mode.

Command History Release Modification


1.1(1) This command was introduced.

Examples This example shows how to clear the logging rate limits:


Router(config)# clear logging rate-limit

Related Commands logging rate-limit


show logging rate-limit


default-information originate
To control the generation of a default route into the OSPF domain, use the default-information originate
command.

default-information originate [always] [metric value] [metric-type {1 | 2}] [route-map map]

Syntax Description always (Optional) Advertises a default route even if no default route is
present in the routing table. Use this with care: neighbors send their
default-bound traffic to this device whether or not it can actually
forward it.
metric value (Optional) Specifies the OSPF metric (cost) assigned to the generated
default route.
metric-type (Optional) Specifies the external metric type of the generated default
route.
1 Specifies metric type 1.
2 Specifies metric type 2.
route-map (Optional) Specifies a route map that controls when the default route
is generated.
map Route map name.

Defaults This command has no default settings.

Command Modes Router configuration submode.

Command History Release Modification


1.1(1) This command was introduced.

Examples This example shows how to control the redistribution of a default route:
Router(config)# default-information originate


distance
To define OSPF administrative distances based on route type, use the distance command. To restore the
default value, use the no form of this command.

distance [intra-area dist1] [inter-area dist2] [external dist3]

no distance

Syntax Description intra-area dist1 (Optional) Sets the distance for all routes within an area.
inter-area dist2 (Optional) Sets the distance for all routes from one area to another
area.
external dist3 (Optional) Sets the distance for routes from other routing domains
learned by redistribution.

Defaults dist1, dist2, and dist3 values are 110.

Command Modes Router configuration submode.

Command History Release Modification


1.1(1) This command was introduced.

Examples The following example changes the external distance to 200, making redistributed external routes
less preferred than routes that keep the default distance of 110:
Router A Configuration
Router(config)# router ospf 1
Router(config-router)# redistribute ospf 2 subnets
Router(config-router)# distance external 200

Router B Configuration
Router(config)# router ospf 2
Router(config-router)# redistribute ospf 1 subnets
Router(config-router)# distance external 200

Related Commands area


firewall module
To attach a group of controlled VLANs to a module, use the firewall module command.

firewall module module_number vlan-group firewall_group

Syntax Description module_number Specifies the module to attach the VLAN group.
vlan-group Specifies a VLAN group
firewall_group Names the VLAN group.

Defaults This command has no default settings.

Command Modes Privileged mode.

Command History Release Modification


1.1(1) This command was introduced.

Examples This example shows how to attach a VLAN group to a module:


Router(config)# firewall module 6 vlan-group 20

Related Commands firewall vlan-group


firewall vlan-group
To configure a group of controlled VLANs, use the firewall vlan-group command.

firewall vlan-group firewall_group vlan_range

Syntax Description firewall_group Names the VLAN group.


vlan_range Lists the VLANs in the group.

Defaults This command has no default settings.

Command Modes Privileged mode.

Command History Release Modification


1.1(1) This command was introduced.

Examples This example shows how to configure a group of controlled VLANs (VLANs 8 and 10 through 15):
Router(config)# firewall vlan-group 20 8,10-15

Only VLANs that belong to a group attached to the module with the firewall module command pass
through the firewall; a VLAN left out of every group is switched by the supervisor without inspection,
so verify group membership with show firewall vlan-group whenever you add a VLAN.

Related Commands firewall module


interface
To enter the interface configuration submode, in which you enter the ospf interface commands or the
shutdown command, use the interface command.

interface interface-name

Syntax Description interface-name Specifies a perimeter interface on the firewall.

Defaults This command has no default settings.

Command Modes Privileged mode.

Command History Release Modification


1.1(1) This command was modified from the PIX version command.

Examples This example shows how to enter the interface configuration submode:
Router(config)# interface sweden

Related Commands show interface


ip prefix-list
To configure a prefix list, use the ip prefix-list command. To remove an entry, use the no form of this
command. Prefix lists filter routes (for example, with the area filter-list command), not packets: entries
are evaluated in order of sequence number, the first matching entry decides, and a route that matches no
entry is denied.

ip prefix-list list-name [seq seq-value] {deny | permit} network/length [ge ge-value] [le le-value]

no ip prefix-list list-name [seq seq-value] {deny | permit} network/length [ge ge-value]
[le le-value]

Syntax Description list-name Specifies the prefix list.
seq seq-value (Optional) Specifies the sequence number of the entry, which sets its
position in the list. Entries entered without a sequence number are
numbered in increments of 5.
deny Filters out routes that match this entry.
permit Accepts routes that match this entry.
network/length Specifies the prefix to match, as a network address and prefix length
(for example, 35.0.0.0/8). Without ge or le, only a route with exactly
this prefix length matches.
ge ge-value (Optional) Also matches more specific routes whose prefix length is
greater than or equal to ge-value.
le le-value (Optional) Also matches more specific routes whose prefix length is
less than or equal to le-value.

Defaults This command has no default settings.

Command Modes Privileged mode.

Command History Release Modification


1.1(1) This command was introduced.

Examples This example shows how to deny the default route 0.0.0.0/0:
Router(config)# ip prefix-list abc deny 0.0.0.0/0

This example shows how to permit the prefix 35.0.0.0/8:


Router(config)# ip prefix-list abc permit 35.0.0.0/8

For further examples refer to the Cisco IOS Configuration Guides and Command References.
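The following Python model, added here as an example and not code from the original page or from Cisco, shows how the matching rules above play out: exact-length matching unless ge or le widen the range, evaluation in sequence-number order, first match wins, and the implicit deny at the end. It parses the two entries from the page plus one constructed entry that uses le, and evaluates constructed routes against them. The sample entries and routes are constructed for the example; the range validation follows the IOS rule that ge must exceed the prefix length and ge <= le <= 32.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PrefixListEntry:
    seq: int
    action: str                   # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None      # lowest route prefix length matched, inclusive
    le: Optional[int] = None      # highest route prefix length matched, inclusive

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # The route's leading bits must agree with the entry's prefix ...
        if not route.subnet_of(self.prefix):
            return False
        # ... and its length must fall in the window: exactly the entry's
        # length unless ge/le widen it (ge alone runs up to /32).
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = 32 if self.ge is not None else self.prefix.prefixlen
        return lo <= route.prefixlen <= hi


def parse_prefix_list(name: str, config_lines: List[str]) -> List[PrefixListEntry]:
    """Collect the entries of prefix list `name` from 'ip prefix-list ...' lines.

    Entries entered without 'seq' take the next number in steps of 5, as IOS
    does; the result is sorted by sequence number, which is the evaluation order.
    """
    entries: List[PrefixListEntry] = []
    for line in config_lines:
        tok = line.split()
        if tok[:3] != ["ip", "prefix-list", name]:
            continue                       # another list, or not a prefix-list line
        i, seq = 3, None
        if tok[i] == "seq":
            seq, i = int(tok[i + 1]), i + 2
        action, i = tok[i], i + 1
        if action not in ("permit", "deny"):
            raise ValueError(f"expected permit/deny in {line!r}")
        prefix, i = ipaddress.IPv4Network(tok[i], strict=False), i + 1
        ge = le = None
        while i < len(tok):
            key, val = tok[i], int(tok[i + 1])
            if key == "ge":
                ge = val
            elif key == "le":
                le = val
            else:
                raise ValueError(f"unexpected token {key!r} in {line!r}")
            i += 2
        # Reject the ranges IOS rejects: ge must exceed the prefix length,
        # and the window must satisfy lo <= hi <= 32.
        lo = ge if ge is not None else prefix.prefixlen
        hi = le if le is not None else 32
        if (ge is not None and ge <= prefix.prefixlen) or lo > hi or hi > 32:
            raise ValueError(f"invalid prefix range in {line!r}")
        if seq is None:
            seq = max(e.seq for e in entries) + 5 if entries else 5
        entries.append(PrefixListEntry(seq, action, prefix, ge, le))
    return sorted(entries, key=lambda e: e.seq)


def first_match(entries: List[PrefixListEntry], route: str) -> Optional[PrefixListEntry]:
    """Return the first entry (lowest sequence number) that matches the route."""
    net = ipaddress.IPv4Network(route, strict=False)
    for entry in entries:
        if entry.matches(net):
            return entry
    return None


def evaluate(entries: List[PrefixListEntry], route: str) -> str:
    """Verdict for a route: the action of the first match, or the implicit deny."""
    entry = first_match(entries, route)
    return entry.action if entry is not None else "deny"


# Constructed sample: the two entries from the page plus one that uses `le`.
SAMPLE_CONFIG = [
    "ip prefix-list abc deny 0.0.0.0/0",          # page example: drop the default route
    "ip prefix-list abc permit 35.0.0.0/8",        # page example: exactly 35.0.0.0/8
    "ip prefix-list abc permit 10.0.0.0/8 le 24",  # constructed: 10/8 and its subnets down to /24
]

if __name__ == "__main__":
    entries = parse_prefix_list("abc", SAMPLE_CONFIG)
    for route in ["0.0.0.0/0", "35.0.0.0/8", "35.1.0.0/16", "10.1.0.0/16", "10.1.1.0/25"]:
        hit = first_match(entries, route)
        where = f"seq {hit.seq}" if hit else "implicit deny"
        print(f"{route:13} -> {evaluate(entries, route):6} ({where})")
```

Note that 35.1.0.0/16 is denied even though it lies inside 35.0.0.0/8: without le, the page's permit entry accepts only the /8 itself, which is the usual surprise when a prefix list is first used with area filter-list.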


logging rate-limit
To rate limit the number of syslog messages generated by the module, use the logging rate-limit
command. To remove a rate limit, use the no form of this command.

logging rate-limit num [interval] message syslog_id

no logging rate-limit num [interval] message syslog_id

logging rate-limit num [interval] level syslog_level

no logging rate-limit num [interval] level syslog_level

Syntax Description num Specifies the maximum number of messages generated in each interval;
messages over the limit are dropped, not queued.
interval (Optional) Specifies the time interval in seconds over which the
syslogs are limited to num instances. The default is 1 second.
message syslog_id Rate limits the single syslog message with this ID.
level syslog_level Rate limits every syslog message at this severity level that has no
message-specific limit of its own.

Defaults This command has no default settings.

Command Modes Privileged mode.

Command History Release Modification


1.1(1) This command was introduced.

Examples These examples show how to set up logging rate limits:

• If you want to see only 10 messages per second for syslog ID 106023, use the following command:
logging rate-limit 10 1 message 106023

Because the [interval] is optional and defaults to 1 second, you can also specify:
logging rate-limit 10 message 106023

• If you want to limit all the syslogs in level 3 to 5 per second, use the following command:
logging rate-limit 5 level 3


• Precedence between the message and level forms determines the result as follows:
– The logging rate-limit message command forms an exception to the logging rate-limit level
command when a limit for that level is defined. For example:
logging rate-limit 10 message 106023
logging rate-limit 5 level 1

All level 1 syslogs other than 106023 are generated at most 5 times per second, sharing that
budget; 106023 is generated up to 10 times per second on its own.
– If you set up a configuration in this order:
logging rate-limit 10 message 106023
logging rate-limit 5 level 1
no logging rate-limit 10 message 106023

the configuration is equivalent to only the following:
logging rate-limit 5 level 1

If you set up a configuration in this order:
logging rate-limit 10 message 106023
logging rate-limit 5 level 1
no logging rate-limit 5 level 1

the configuration is equivalent to the following:
logging rate-limit 10 message 106023

– To rate limit syslogs from more than one level, use the level form of the command once per
level:
logging rate-limit 5 level 1
logging rate-limit 6 level 3
logging rate-limit 5 2 level 4

The last line limits all syslogs in level 4 to 5 in each 2-second interval.

Messages over a limit are discarded, so a limit on a message ID or level that records attacks (for
example, access list denies) also hides every instance beyond the limit from the syslog server. Set
limits high enough that a burst you need to investigate is still visible, and give a message that
matters more than its level a message-specific limit above the level limit.
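The precedence rules above are easy to get wrong in a long configuration, so here is a small Python model of them, added as an example and not code from the original page or from Cisco. It applies logging rate-limit and no logging rate-limit lines in order, resolves which rule governs a given syslog (message rule first, then level rule, otherwise unlimited), and replays a constructed burst of syslog events through a fixed window of num messages per interval seconds per rule. The syslog stream, its timestamps and its severity levels are constructed for the example; the model treats a no line as removing the rule for its message ID or level without checking its num and interval.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Target = Tuple[str, int]   # ("message", syslog_id) or ("level", severity)


@dataclass(frozen=True)
class RateRule:
    num: int        # messages allowed per window
    interval: int   # window length in seconds (1 when omitted)
    target: Target


def parse_rate_limits(config_lines: List[str]) -> Dict[Target, RateRule]:
    """Apply 'logging rate-limit' lines in order and return the rules in force.

    A later line for the same message ID or level replaces the earlier one;
    a 'no' line removes the rule for that target (its num/interval are not
    checked here, a simplification of this model).
    """
    rules: Dict[Target, RateRule] = {}
    for line in config_lines:
        tok = line.split()
        negate = tok[0] == "no"
        if negate:
            tok = tok[1:]
        if tok[:2] != ["logging", "rate-limit"]:
            raise ValueError(f"not a rate-limit line: {line!r}")
        num = int(tok[2])
        if tok[3].isdigit():                  # optional interval present
            interval, rest = int(tok[3]), tok[4:]
        else:
            interval, rest = 1, tok[3:]
        if len(rest) != 2 or rest[0] not in ("message", "level"):
            raise ValueError(f"bad target in {line!r}")
        target: Target = (rest[0], int(rest[1]))
        if negate:
            rules.pop(target, None)
        else:
            rules[target] = RateRule(num, interval, target)
    return rules


def effective_rule(rules: Dict[Target, RateRule], level: int, syslog_id: int) -> Optional[RateRule]:
    """The message-specific rule wins over the level rule; no rule means unlimited."""
    return rules.get(("message", syslog_id)) or rules.get(("level", level))


@dataclass(frozen=True)
class SyslogEvent:
    t: float        # seconds since the start of the capture
    level: int      # severity
    syslog_id: int


def replay(rules: Dict[Target, RateRule], events: List[SyslogEvent]) -> Dict[int, Tuple[int, int]]:
    """Replay events in time order and return {syslog_id: (emitted, dropped)}.

    Every rule keeps one counter per fixed window of `interval` seconds, so a
    level rule's budget is shared by all messages at that level that have no
    rule of their own, while a message rule has a budget of its own.
    """
    windows: Dict[Target, Tuple[int, int]] = {}     # target -> (window index, count)
    stats: Dict[int, Tuple[int, int]] = {}
    for ev in sorted(events, key=lambda e: e.t):
        emitted, dropped = stats.get(ev.syslog_id, (0, 0))
        rule = effective_rule(rules, ev.level, ev.syslog_id)
        allowed = True
        if rule is not None:
            win = math.floor(ev.t / rule.interval)
            cur_win, count = windows.get(rule.target, (win, 0))
            if cur_win != win:                       # new window: budget resets
                cur_win, count = win, 0
            if count < rule.num:
                count += 1
            else:
                allowed = False                      # over budget: dropped, never queued
            windows[rule.target] = (cur_win, count)
        stats[ev.syslog_id] = (emitted + int(allowed), dropped + int(not allowed))
    return stats


SAMPLE_CONFIG = [
    "logging rate-limit 10 message 106023",   # page example: 10 per second for this ID
    "logging rate-limit 5 level 4",           # constructed: other level-4 messages, 5 per second
    "logging rate-limit 2 2 level 6",         # constructed: level 6, 2 per 2-second window
    "logging rate-limit 5 level 2",
    "no logging rate-limit 5 level 2",        # constructed: removed again, so level 2 is unlimited
]


def sample_events() -> List[SyslogEvent]:
    """Constructed syslog burst (not captured from a device); the severity
    levels are assumed for this sample, not taken from the message catalog."""
    events: List[SyslogEvent] = []
    events += [SyslogEvent(0.00 + k * 0.01, 4, 106023) for k in range(30)]  # 30 denies in 0.3 s
    events += [SyslogEvent(1.20 + k * 0.05, 4, 106023) for k in range(3)]   # next 1-second window
    events += [SyslogEvent(0.50 + k * 0.01, 4, 106100) for k in range(8)]   # shares the level-4 budget
    events += [SyslogEvent(0.40 * k, 6, 302013) for k in range(5)]          # 0, 0.4, ..., 1.6 s
    events += [SyslogEvent(0.10 + k * 0.01, 2, 106001) for k in range(4)]   # no rule applies
    return events


if __name__ == "__main__":
    rules = parse_rate_limits(SAMPLE_CONFIG)
    for syslog_id, (emitted, dropped) in sorted(replay(rules, sample_events()).items()):
        print(f"{syslog_id}: emitted {emitted:2}, dropped {dropped:2}")
```

Running it shows the cost of the limit: of 30 instances of 106023 in the first second, 20 are gone for good, while the level-4 budget shared by the other messages drops 3 of 8. If the dropped instances were the ones that mattered, the limit, not the attacker, erased the evidence.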


match
To define route matching criteria for a route map, use the match command. To remove a match
criterion, use the no form of this command.

match [interface | route-type | metric | ip address | ip next-hop | ip route-source]

[no] match [interface | route-type | metric | ip address | ip next-hop | ip route-source]

Syntax Description interface (Optional) Matches routes whose next hop is out the specified interface.
route-type (Optional) Matches routes of the specified OSPF route type, for
example internal.
metric (Optional) Matches routes with the specified metric.
ip address (Optional) Matches the route destination address.
ip next-hop (Optional) Matches the route next-hop address.
ip route-source (Optional) Matches the address of the router that advertised the route.

Defaults This command has no default settings.

Command Modes Route-map configuration submode.

Command History Release Modification


1.1(1) The no form of this command was introduced.

Examples This example shows how to create a route map that can be used to redistribute internal routes:
Router(config)# route-map name
Router(config-route-map)# match route-type internal

Related Commands set


route-map


nameif
To assign a name to an interface, use the nameif command. To remove the interface name, use the no
form of this command.

nameif vlan_number if_name security_level

no nameif vlan_number [if_name] [security_level]

Syntax Description vlan_number Specifies a VLAN.


if_name Specifies the perimeter interface name.
security_level Indicates the security level for the perimeter interface. Range is from
0 to 100; 100 is the most trusted (inside) and 0 the least trusted (outside).

Defaults This command has no default settings.

Command Modes Privileged mode.

Command History Release Modification


1.1(1) This command was modified from the PIX version command.

Usage Guidelines Specifies the perimeter interface VLAN, name, and security level on an interface.

Examples This example shows how to assign a name to an interface:


Router(config)# nameif vlan 10 inside security 100


network
To define the interfaces on which OSPF runs and to define the area ID for those interfaces, use the
network command. To disable OSPF routing for interfaces defined with the address
wildcard-mask pair, use the no form of this command.

network ip-address wildcard-mask area area-id

no network ip-address wildcard-mask area area-id

Syntax Description ip-address Specifies the IP address.
wildcard-mask Specifies the IP address type mask that includes “don’t care” bits.
area area-id Specifies the area that is to be associated with the OSPF address
range. It can be specified as either a decimal value or as an IP
address. If you intend to associate areas with IP subnets, you can
specify a subnet address as the area ID.

Defaults This command has no default settings.

Command Modes Router configuration submode.

Command History Release Modification


1.1(1) This command was introduced.

Examples This example shows how to initialize OSPF routing process 109 and define four OSPF areas:
10.9.50.0, 2, 3, and 0. Areas 10.9.50.0, 2, and 3 match specific address ranges, while area 0 enables OSPF
on every remaining interface; check which interfaces that catch-all statement picks up before you use it.
Router(config)# interface ethernet 0
Router(config)# ip address 131.108.20.1 255.255.255.0
Router(config)# router ospf 109
Router(config-router)# network 131.108.20.0 0.0.0.255 area 10.9.50.0
Router(config-router)# network 131.108.0.0 0.0.255.255 area 2
Router(config-router)# network 131.109.10.0 0.0.0.255 area 3
Router(config-router)# network 0.0.0.0 255.255.255.255 area 0
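To see which interfaces a set of network statements actually puts into OSPF, and in which area, the following Python script, added here as an example and not code from the original page or from Cisco, models the matching rule: an interface address matches a statement when it agrees with ip-address on every bit where the wildcard mask has a 0, statements are consulted most specific first (fewest don't-care bits, the order IOS keeps them in), and the first match assigns the area. It uses the four statements from the example above and a constructed set of interface addresses (only the first address appears on the page); the check for a catch-all statement flags the case where the last network line enables OSPF on interfaces, such as an outside interface, that were never meant to run it.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Statement = Tuple[str, str, str]   # (ip-address, wildcard-mask, area-id)


def wildcard_match(address: str, ip_address: str, wildcard_mask: str) -> bool:
    """True when `address` agrees with `ip_address` on every bit where the
    wildcard mask bit is 0 (a 1 bit in the mask means "don't care")."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(ip_address))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard_mask))
    return (a & care) == (n & care)


def parse_network_statements(config_lines: List[str]) -> List[Statement]:
    """Pull 'network A W area X' statements out of router-ospf config lines and
    order them most specific first (fewest don't-care bits), which is the
    order in which they are consulted."""
    stmts: List[Statement] = []
    for line in config_lines:
        tok = line.split()
        if len(tok) == 5 and tok[0] == "network" and tok[3] == "area":
            stmts.append((tok[1], tok[2], tok[4]))
    return sorted(stmts, key=lambda s: bin(int(ipaddress.IPv4Address(s[1]))).count("1"))


def assign_areas(interfaces: Dict[str, str], stmts: List[Statement]) -> Dict[str, Optional[str]]:
    """Map each interface to the area of its first matching statement, or
    None when no statement enables OSPF on it."""
    areas: Dict[str, Optional[str]] = {}
    for name, address in interfaces.items():
        areas[name] = next((area for net, wc, area in stmts
                            if wildcard_match(address, net, wc)), None)
    return areas


def catch_all_statements(stmts: List[Statement]) -> List[Statement]:
    """Statements whose mask is all don't-care bits: they enable OSPF on every
    interface not claimed by a more specific statement."""
    return [s for s in stmts if s[1] == "255.255.255.255"]


# The four statements from the page's example, in configuration order.
PAGE_STATEMENTS = [
    "network 131.108.20.0 0.0.0.255 area 10.9.50.0",
    "network 131.108.0.0 0.0.255.255 area 2",
    "network 131.109.10.0 0.0.0.255 area 3",
    "network 0.0.0.0 255.255.255.255 area 0",
]

# Constructed interface addresses; the page configures only the first one.
SAMPLE_INTERFACES = {
    "inside": "131.108.20.1",
    "dmz": "131.108.30.1",
    "lab": "131.109.10.5",
    "outside": "10.0.0.1",
}

if __name__ == "__main__":
    stmts = parse_network_statements(PAGE_STATEMENTS)
    for name, area in assign_areas(SAMPLE_INTERFACES, stmts).items():
        state = f"area {area}" if area is not None else "OSPF not enabled"
        print(f"{name:8} {SAMPLE_INTERFACES[name]:14} -> {state}")
    for net, wc, area in catch_all_statements(stmts):
        print(f"warning: 'network {net} {wc} area {area}' enables OSPF on every remaining interface")
```

With the catch-all present, the constructed outside interface lands in area 0 and starts sending hellos toward whatever is on that segment; drop the last statement and the script reports it as not running OSPF. If a catch-all is intended, pair it with OSPF authentication on every interface it reaches.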


ospf
To configure OSPF parameters on an interface, use the ospf interface commands.

ospf authentication-key key

ospf authentication [message-digest | null]

ospf cost cost

ospf dead-interval seconds

ospf hello-interval seconds

ospf message-digest-key key-id md5 key

ospf priority number

ospf retransmit-interval seconds

ospf transmit-delay seconds

Syntax Description authentication-key Assigns a password used by neighbors on a network segment using
simple (cleartext) password authentication.
key The password shared by the neighbors on the segment. It is carried
unencrypted in the 8-byte authentication field of every OSPF packet
header, so anyone who can capture traffic on the segment can read it;
it prevents accidental adjacencies, not deliberate ones. Use
message-digest-key instead wherever the neighbors support MD5.
authentication Enables authentication on the interface. With no keyword, the simple
password set with authentication-key is used.
[message-digest | null] (Optional) Selects MD5 message-digest authentication or no
authentication for the interface.
cost cost Specifies the cost of sending a packet on an OSPF interface.
dead-interval seconds Sets the time to wait for hello messages before declaring a neighbor
down.
hello-interval seconds Sets the interval in seconds between hello messages.
message-digest-key key-id Specifies a key ID and key for an interface using MD5
md5 key authentication. The key ID and key must be the same on every router
on the segment.
priority number Sets the priority of the OSPF router for DR (designated router) or
BDR (backup designated router) election.
retransmit-interval seconds Specifies a delay between LSA retransmissions.
transmit-delay seconds Specifies the estimated time taken to transmit an LSA on an OSPF
interface.

Defaults This command has no default settings.


Command Modes Interface configuration submode.

Command History Release Modification


1.1(1) This command was introduced.

Examples The following example sets the interface cost value to 65:
Router(config)# ospf cost 65

The following example sets the interval between hello packets to 15 seconds:
Router(config)# ospf hello-interval 15

The following example sets a new key 19 with the password 8ry4222 for MD5 authentication; every router on
the segment needs the same key ID and key, and message-digest authentication must also be enabled on the
interface (ospf authentication message-digest) or for the area:
Router(config)# ospf message-digest-key 19 md5 8ry4222

For further examples, refer to the corresponding ip ospf commands in Cisco IOS Configuration Guides
and Command References.

Related Commands router ospf


redistribute
To enable redistribution of static or connected routes or routes from another OSPF process, use the
redistribute command. To remove redistribution from the configuration, use the no form of this
command.

redistribute {ospf id | static | connect} [match {internal | external extern-type}] [metric
metric-value] [metric-type {1 | 2}] [tag tag-value] [subnets] [route-map map-tag]

[no] redistribute {ospf id | static | connect} [match {internal | external extern-type}] [metric
metric-value] [metric-type {1 | 2}] [tag tag-value] [subnets] [route-map map-tag]

Syntax Description ospf id Specifies the OSPF routing process from which routes are to be
distributed.
static Redistributes static routes.
connect Redistributes connected routes.
match (Optional) Specifies the criteria by which OSPF routes are
redistributed into other routing domains.
internal (Optional) Specifies routes that are internal to a specific autonomous
system.
external 1 Specifies routes that are external to the autonomous system, but are
imported into OSPF as Type 1 external route.
external 2 Specifies routes that are external to the autonomous system, but are
imported into OSPF as Type 2 external route.
metric metric-value (Optional) Specifies the metric for the redistributed route. If a value
is not specified for this option, and no value is specified using the
default-metric command, the default metric value is 0. In the case of
OSPF, the default metric is 20. Use a value consistent with the
destination protocol.
metric-type metric-type (Optional) Specifies the external link type associated with the
redistributed routes advertised into the OSPF routing domain. It can be
one of two values:
• Type 1 external route
• Type 2 external route
tag tag-value (Optional) Specifies the 32-bit decimal value attached to each
external route. This is values is not used by OSPF itself. It may be
used to communicate information between Autonomous System
Boundary Routers (ASBRs). If none is specified, then the remote
autonomous system number is used for routes from Border Gateway
Protocol (BGP) and Exterior Gateway Protocol (EGP); for other
protocols, zero (0) is used.


subnets (Optional) Also redistributes subnets of classful networks. Without this
keyword only classful network routes are redistributed into OSPF, so
most deployments need it.
route-map map-tag (Optional) Specifies a route map that should be interrogated to filter
the importation of routes from this source routing protocol to the
current routing protocol. If not specified, all routes are redistributed.
If this keyword is specified but the named route map does not exist, no
routes are imported.

Defaults Metric value is 0 or 20 depending upon the destination protocol.

Command Modes Router configuration submode.

Command History Release Modification


1.1(1) The no form of this command was introduced.

Examples This example shows how to make network 172.16.0.0 appear as an external link-state
advertisement (LSA) in OSPF 1 with a cost of 100 (the cost is preserved):
Router(config)# ip address inside 172.16.0.1 255.0.0.0
Router(config)# interface inside
Router(config-if)# ospf cost 100
Router(config)# ip address outside 10.0.0.1 255.0.0.0
Router(config)# router ospf 1
Router(config-router)# network 10.0.0.0 0.255.255.255 area 0
Router(config-router)# redistribute ospf 2 subnets
Router(config)# router ospf 2
Router(config-router)# network 172.16.0.0 0.255.255.255 area 0


route
To define a static or default route for an interface, use the route command.

route if_name ip_address netmask gateway_ip [metric]

[no] route [if_name ip_address [mask gateway]]

Syntax Description if_name Specifies the perimeter interface name.


ip_address Specifies the network IP address. Use 0.0.0.0 to specify a default
route. The 0.0.0.0 IP address can be abbreviated as 0.
netmask Specifies a network mask to apply to the ip_address. Use 0.0.0.0 to
specify a default route. The 0.0.0.0 netmask can be abbreviated as 0.
gateway_ip Specifies the IP address of the gateway router (the next hop address
for this route).
metric (Optional) Specifies the number of hops to the gateway_ip. If you are
not sure, enter 1. Your network administrator can supply this
information or you can use a traceroute command to obtain the
number of hops.

Defaults Netmask value is 255.255.255.0.


Metric value is 1.

Command Modes Privileged mode.

Command History Release Modification


1.1(1) This command was modified from the PIX version command.

Examples This example shows how to configure a route on the interface “inside” for the network 10.2.2.0/24 with
next hop 10.2.1.5:
FWSM(config)# route inside 10.2.2.0 255.255.255.0 10.2.1.5
FWSM(config)# show route
S 0.0.0.0 0.0.0.0 [0/0] via 10.6.13.1, dmz
C 10.2.1.0 255.255.255.0 is directly connected, inside
S 10.2.2.0 255.255.255.0 [1/0] via 10.2.1.5, inside
C 10.3.1.0 255.255.255.0 is directly connected, outside
C 10.6.13.0 255.255.255.0 is directly connected, dmz
C 127.0.0.0 255.255.255.0 is directly connected, eobc

Related Commands show route


router ospf
To create or configure an OSPF routing process, use the router ospf command. To remove the routing
process from the configuration, use the no form of this command.

router ospf autonomous-system-id

no router ospf autonomous-system-id

Syntax Description autonomous-system-id Specifies the OSPF process ID. It is locally significant and does
not have to match the process ID on neighboring routers.

Defaults This command has no default settings.

Command Modes Privileged mode.

Command History Release Modification


1.1(1) This command was introduced.

Examples This example shows how to create an OSPF routing process:
Router(config)# router ospf 12345

Related Commands ospf


network


route-map
To create a route map, use the route-map command. To remove a route map from the configuration, use
the no form of this command.

route-map map-tag [permit | deny] [seq-num]

[no] route-map map-tag [permit | deny] [seq-num]

Syntax Description map-tag Defines a meaningful name for the route map. The redistribute
router configuration command uses this name to reference this
route map. Multiple route maps may share the same map tag name.
permit (Optional) Specifies the match criteria are met for this route map.
When this keyword is specified, the route is redistributed as
controlled by the set actions. In the case of policy routing, the packet
is policy routed. If the match criteria are not met, and this keyword is
specified, the next route map with the same map tag is tested. If a
route passes none of the match criteria for the set of route maps
sharing the same name, it is not redistributed by that set.
deny (Optional) Specifies the match criteria are met for the route map.
When the deny keyword is specified, the route is not redistributed. In
the case of policy routing, the packet is not policy routed, and no
further route maps sharing the same map tag name will be examined.
If the packet is not policy routed, the normal forwarding algorithm is
used.
seq-num (Optional) The number that indicates the position a new route map
occupies in the list of route maps already configured with the same
name. If the no form of this command is used, the position of the
route map should be deleted.

Defaults Permit is the default.

Command Modes Privileged mode.

Command History Release Modification


1.1(1) The no form of this command was introduced.

Examples This example shows how to create a route map:


FWSM# route-map disco permit
FWSM# show route-map
route-map disco permit 10


Related Commands match


set


set metric
To set the metric of routes that match the criteria defined for a route map, use the set metric
command. To remove the metric setting, use the no form of this command.

set metric [+ | -] metric-value

[no] set metric [+ | -] metric-value

Syntax Description +|- (Optional) Adds metric-value to, or subtracts it from, the existing
metric instead of replacing it.


metric-value Specifies a metric value.

Defaults This command has no default settings.

Command Modes Route-map configuration submode.

Command History Release Modification


1.1(1) This command was introduced.

Examples This example shows how to set the metric value for the routing protocol to 100:
Router(config)# route-map set-metric
Router(config-route-map)# set metric 100

Note We recommend that you consult your Cisco technical support representative before changing the default
value. For further information, refer to the Cisco IOS Configuration Guide and Command Reference.

Related Commands set metric-type


set metric-type
To specify a metric type for a route map, use the set metric-type command.

set metric-type {type-1 | type-2}

[no] set metric-type {type-1 | type-2}

Syntax Description type-1 Specifies the Open Shortest Path First (OSPF) external Type 1 metric.
type-2 Specifies the OSPF external Type 2 metric.

Defaults This command has no default settings.

Command Modes Route-map configuration submode.

Command History Release Modification


1.1(1) This command was introduced.

Examples This example shows how to set the metric type of the destination protocol to OSPF external Type 1:
Router(config)# route-map map-type
Router(config-route-map)# set metric-type type-1

Related Commands set metric


show console-output
To view the contents of the message buffer, use the show console-output command.

show console-output [start_message_number-end_message_number]

Syntax Description start_message_number Specifies the starting serial number of the message to be displayed.
end_message_number Specifies the end serial number of the message to be displayed.

Defaults This command has no default settings.

Command Modes Privileged mode.

Command History Release Modification


1.1(1) This command was introduced.

Usage Guidelines Messages appearing on the console are redirected to all active Telnet sessions. When no Telnet session
is available, the output is saved to a buffer. The buffer output can be subsequently examined when you
Telnet to the module application software partition. Individual messages are numbered.

Examples This example shows how to display the buffer output:


FWSM# show console-output
Message #1 :Initializing debugger......:
Message #2 :Found PCI card in slot:1 bus:2 dev:9 (vendor:0x8086 deviceid:0x1001)
Message #3 :Found PCI card in slot:2 bus:2 dev:8 (vendor:0x8086 deviceid:0x1001)
Message #4 :Found PCI card in slot:3 bus:1 dev:6 (vendor:0x1014 deviceid:0x1e8)
Message #5 :Ignoring PCI card in slot:3 (vendor:0x1014 deviceid:0x1e8)
Message #6 :Found PCI card in slot:4 bus:1 dev:5 (vendor:0x1014 deviceid:0x1e8)
Message #7 :Ignoring PCI card in slot:4 (vendor:0x1014 deviceid:0x1e8)
Message #8 :Found PCI card in slot:5 bus:1 dev:4 (vendor:0x1014 deviceid:0x1e8)
Message #9 :Ignoring PCI card in slot:5 (vendor:0x1014 deviceid:0x1e8)
Message #10 :Found PCI card in slot:7 bus:0 dev:2 (vendor:0x1011 deviceid:0x22)

Related Commands clear console-output


show crashdump
To display the contents of the crashdump partition, use the show crashdump command.

show crashdump

Defaults This command has no default settings.

Command Modes Privileged mode.

Command History Release Modification


1.1(1) This command was modified from the PIX version command.

Examples This example shows how to display the contents of the crashdump partition:
Router(config)# show crashdump


show firewall module


To display the module configuration, use the show firewall module command.

show firewall module

Defaults This command has no default settings.

Command Modes Privileged mode.

Command History Release Modification


1.1(1) This command was introduced.

Examples This example shows how to display the module configuration:


Router(config)# show firewall module


show firewall vlan-group


To display the configured firewall VLAN groups, use the show firewall vlan-group command.

show firewall vlan-group [firewall_group]

Defaults This command has no default settings.

Command Modes Privileged mode.

Command History Release Modification


1.1(1) This command was introduced.

Examples This example shows how to display the VLANs in firewall VLAN group 20:
Router(config)# show firewall vlan-group 20


show interface
To display the configured VLAN interfaces, use the show interface command.

show interface [interface_name] [stats]

Syntax Description interface_name (Optional) Specifies the perimeter interface name. Without it, all
interfaces are displayed.
stats (Optional) Displays the interface state and counters.

Defaults This command has no default settings.

Command Modes Privileged mode.

Command History Release Modification


1.1(1) This command was modified from the PIX version command.

Usage Guidelines If VLANs are not configured on the MSFC, you will not be able to define any new VLAN interfaces on
the Firewall Services Module.

Examples This example shows how to display the interface named domino:
Router(config)# show interface domino

Related Commands interface


show ip ospf
To show the OSPF configuration, use the show ip ospf command.

show ip ospf border-routers

show ip ospf database [router][network][external]

show ip ospf interface

show ip ospf neighbor

show ip ospf request-list

show ip ospf retransmission-list

show ip ospf summary-address

show ip ospf virtual-link

Syntax Description border-routers Displays the internal OSPF routing table entries to an area border router and autonomous system boundary router.
database [router][network][external] Displays lists of information related to the OSPF database, for a specific router, for network LSAs, or for external LSAs.
interface Displays the information on the interfaces for which OSPF is enabled.
neighbor Displays the OSPF-neighbor information on a per-interface basis.
request-list Displays a list of all LSAs requested by a router.
retransmission-list Displays a list of all LSAs waiting to be resent.
summary-address Displays a list of all summary address redistribution information configured under an OSPF process.
virtual-link Displays parameters and the current state of OSPF virtual links.

Defaults This command has no default settings.

Command Modes Privileged mode.

Command History Release Modification


1.1(1) This command was introduced.


Examples This example shows how to show the IP OSPF configuration:


Router(config)# show ip ospf border-routers
Routing Process "ospf 201" with ID 192.42.110.200
Supports only single TOS(TOS0) route
It is an area border and autonomous system boundary router
Redistributing External Routes from,
  igrp 200 with metric mapped to 2, includes subnets in redistribution
  ip with metric mapped to 2
  igrp 2 with metric mapped to 100
  igrp 32 with metric mapped to 1
Number of areas in this router is 3
Area 192.42.110.0
  Number of interfaces in this area is 1
  Area has simple password authentication
  SPF algorithm executed 6 times

For further examples, refer to the Cisco IOS Configuration Guides and Command References.

Related Commands ospf


show logging rate-limit


To display the logging rate, use the show logging rate-limit command.

show logging rate-limit

Defaults This command has no default settings.

Command Modes Privileged mode.

Command History Release Modification


1.1(1) This command was introduced.

Examples This example shows how to display the logging rate:


Router(config)# show logging rate-limit

Related Commands clear logging rate-limit


logging rate-limit


show vlan
To display the list of VLANs assigned to the module through the configuration on the supervisor engine
route processor (MSFC), use the show vlan command.

show vlan

Defaults This command has no default settings.

Command Modes Privileged mode.

Command History Release Modification


1.1(1) This command was modified from the PIX version command.

Examples This example shows how to display the VLANs assigned to the module:
Router(config)# show vlan
10, 33, 100,


summary-address
To create aggregate addresses for external routes, use the summary-address command. To disable
aggregate addressing for external routes, use the no form of this command.

summary-address addr mask [not-advertise] [tag tag]

[no] summary-address addr mask [not-advertise] [tag tag]

Syntax Description addr The summary address designated for a range of addresses.
mask The IP subnet mask used for the summary route.
not-advertise (Optional) Suppresses routes that match the specified address/mask
pair.
tag tag (Optional) Specifies a tag value that can be used as a match value for
controlling redistribution through route maps.

Defaults This command has no default settings.

Command Modes Router configuration submode.

Command History Release Modification


1.1(1) This command was introduced.

Examples This example shows that the summary address 10.1.0.0 includes the addresses 10.1.1.0, 10.1.2.0, 10.1.3.0, and so
on. Only the address 10.1.0.0 is advertised in an external link-state advertisement.
Router(config)# summary-address 10.1.0.0 255.255.0.0


timers lsa-group-pacing
To change the interval at which OSPF link-state advertisements (LSAs) are collected into a group and
refreshed, checksummed, or aged, use the timers lsa-group-pacing configuration command. To restore
the default value, use the no form of this command.

timers lsa-group-pacing seconds

no timers lsa-group-pacing

Syntax Description seconds Specifies the number of seconds in the interval at which LSAs are
grouped and refreshed, checksummed, or aged. The range is from 10
to 1800 seconds.

Defaults 240 seconds

Command Modes Router configuration submode.

Command History Release Modification


1.1(1) This command was introduced.

Usage Guidelines

Examples This example shows how to change the OSPF pacing between LSA groups to 60 seconds:
Router(config)# router ospf 1
Router(config-router)# timers lsa-group-pacing 60


timers spf
To configure the delay time between when OSPF receives a topology change and when it starts a shortest
path first (SPF) calculation, and the hold time between two consecutive SPF calculations, use the
timers spf router configuration command. To return to the default timer values, use the no form of this
command.

timers spf spf-delay spf-holdtime

no timers spf spf-delay spf-holdtime

Syntax Description spf-delay Specifies the delay time (in seconds) between when OSPF receives a
topology change and when it starts an SPF calculation. It can be an
integer from 0 to 65535. A value of 0 means that there is no delay;
that is, the SPF calculation is started immediately.
spf-holdtime Specifies the minimum time (in seconds) between two consecutive
SPF calculations. It can be an integer from 0 to 65535 seconds. A
value of 0 means that there is no delay; that is, two SPF calculations
can be done, one immediately after the other.

Defaults Delay time is 5 seconds.


Minimum time is 10 seconds.

Command Modes Router configuration submode.

Command History Release Modification


1.1(1) This command was introduced.

Examples This example shows how to change the delay to 10 seconds and the hold time to 20 seconds:
Router(config-router)# timers spf 10 20


upgrade-mp
To upgrade the maintenance software image, use the upgrade-mp command.

upgrade-mp tftp[:[[//location] [/tftp_pathname]]]

Syntax Description tftp Specifies a download of the maintenance software image through TFTP and installs the image to the maintenance partition.
//location Specifies the location of the TFTP server.
/tftp_pathname Specifies the path to the image file on the TFTP server. The TFTP server must be reachable from the module when the module image is booted up. The pathname can include any directory names in addition to the actual last component of the path to the file on the server.

Usage Guidelines The upgrade-mp command lets you download a maintenance software image through TFTP. The image
is downloaded, installed to the compact Flash, and available on the next module reload (reboot).
If the command is used without the optional location or pathname parameters, the location and
filename are obtained from the user interactively through a series of questions similar to those presented
by Cisco IOS software. If you enter only a colon (:), the parameters are taken from the tftp-server command
settings. If other optional parameters are supplied, these values are used in place of the
corresponding tftp-server command settings. Supplying any of the optional parameters (a colon
and anything after it) causes the command to run without prompting for user input.
The location is an IP address that the firewall can reach. The pathname can include any directory names
in addition to the actual last component of the path to the file on the server. The pathname cannot contain
spaces. If a directory name has spaces, set the directory in the TFTP server instead of in the upgrade-mp
command.
If your TFTP server has been configured to point to a directory on the system from which you are
downloading the image, you need only use the IP address of the system and the image filename.
For example, with the following command the TFTP server determines the actual file location
relative to its root directory:
Router(config)# upgrade-mp tftp://10.1.1.5/mp.1-1-0-3.bin.gz

The server then downloads the image to the module through TFTP.

Examples This example causes the module to prompt you for the filename and location before you start the TFTP
download:
Router(config)# upgrade-mp
Address or name of remote host [127.0.0.1]? 10.1.1.5
Source file name [cdisk]? mp.1-1-0-3.bin.gz
copying tftp://10.1.1.5/mp.1-1-0-3.bin.gz to flash
[yes|no|again]? yes
!!!!!!!!!!!!!!!!!!!!!!!
Received 1695744 bytes.
Maintenance partition upgraded.


To set the filename and location with the tftp-server command, save the configuration with write memory,
and then download the image to Flash memory, use these commands:
Router(config)# tftp-server outside 10.1.1.5 mp.1-1-0-3.bin.gz
Warning: 'outside' interface has a low security level (0).
write memory
Building configuration...
Cryptochecksum: 017c452b d54be501 8620ba48 490f7e99
[OK]
Router(config)# upgrade-mp tftp:
copying tftp://10.1.1.5/mp.1-1-0-3.bin.gz to flash
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

To override the information in the tftp-server command and specify alternate information about the
filename and location, use this command:
Router(config)# upgrade-mp tftp://10.0.0.1/mp.1-1-0-3.bin.gz

To specify all information, if you have not set the tftp-server command, use this command:
Router(config)# upgrade-mp tftp://10.0.0.1/mp.1-1-0-3.bin.gz

Appendix C
System Messages

This appendix provides the list of system log messages supported in the Firewall Services Module. The
module functions similarly to the PIX firewall application software. Refer to the System Log Messages
for the Cisco Secure PIX Firewall Version 6.0 documentation for information about the system message
logs. The messages are listed by type and by message code within each type.
This appendix includes the following sections:
• System Log Messages, page C-2
• System Message Log Differences, page C-4
• Failover Messages, page C-5
• Connection Messages, page C-10
• SSH, page C-28
• Telnet, page C-30
• AAA and ACL, page C-30
• User Management, page C-34
• Configuration, page C-35
• FWSM Management, page C-36
• PDM, page C-38
• Stateful Failover, page C-39
• Memory and Resource Allocation, page C-41
• SNMP, page C-42
• DHCP, page C-43
• VPN, page C-43
• Internet Protocol Routing, page C-45
• OSPF, page C-46
• Shun, page C-51

Note The messages shown in this appendix apply to Firewall Services Module version 1.1(1) and higher.
When a number is skipped from a sequence, for example, 106019, the message is no longer in the
firewall code.


You can configure the module system software to send these messages to the output location of your
choice. For example, you can specify that log messages be sent to the console, to any Telnet session
actively connected to the module console, or to a logging server elsewhere on the network.
The module provides three output locations for sending syslog messages: the console, a host running a
syslog server, and an SNMP management station. If you send messages to a host, they are sent using
either UDP or TCP. The host must have a program (known as a server) called syslogd.
The syslog server runs a Windows NT-based system that accepts TCP and UDP system log messages.
The syslog server provides time-stamped syslog messages, accepts messages on alternate ports, and in
TCP mode stops the firewall traffic if the server log disk is full or the server goes down.

System Log Messages


System log messages received at a syslog server begin with a percent sign (%) and are structured as
follows:
%FWSM-Level-Message_number: Message_text
• FWSM identifies the message facility code for messages generated by the Firewall Services Module.
• Level reflects the severity of the condition described by the message. The lower the number, the
more severe the condition. Table C-1 lists the severity levels. Logging is set to level 3 (error) by
default.

Table C-1 Log Message Security Levels

Level Number Level Keyword Description


0 emergency System unusable
1 alert Immediate action needed
2 critical Critical condition
3 error Error condition
4 warning Warning condition
5 notification Normal but significant condition
6 informational Informational message only
7 debugging Appears during debugging only

• Message_number is the numeric code that uniquely identifies the message.


• Message_text is a text string describing the condition. This portion of the message sometimes
includes IP addresses, port numbers, or usernames. Table C-2 lists the variable fields and the type
of information in them.

Table C-2 Variable Fields in Syslog Messages

Variable Type of Information


chars Text string (for example, a username).
dec Decimal number.
dest_addr Destination address.


faddr Foreign IP address, an address of a host typically on a lower security level interface in a network beyond the outside router.
fport Foreign port number.
gaddr Global IP address, an address on a lower security level interface.
hex Hexadecimal number.
interface_name, int_name Interface name.
interface_number Use the show nameif command to determine which interface is being described in a message containing this variable. For example:
show nameif
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif token0 outside security20
nameif ethernet2 inside security30
In this example, ethernet0 would appear in a syslog message as interface 0, ethernet1 would be interface 1, token0 would be interface 2, and ethernet2 would be interface 3.
laddr Local IP address, an address on a higher security level interface.
lport Local port number.
octal Octal number.
ip_addr/ip_address IP address (for example, 192.168.1.2).
ip_mask IP mask (for example, 255.255.255.0).
port Port number.
reason Message string.
return_code Return code.
src_addr Source address.
time Duration, in the format hh:mm:ss.
TCP_flags TCP flag values.

Note Syslog messages received at the module serial console contain only the code portion of the message.
When you view the message description the severity level is provided.
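The message format and severity table above, worked as an added example that is not code from the Cisco document: a small parser for %FWSM-Level-Message_number lines that maps the level to its Table C-1 keyword, picks out the (Primary)/(Secondary) unit on failover messages, and flags lines whose level differs from the level this appendix documents for that message number. The sample log lines, their message text, and the optional timestamp prefix are constructed for the example.

```python
"""Parse FWSM syslog lines of the form %FWSM-Level-Message_number: Message_text."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Table C-1 on the page: severity number -> keyword.
SEVERITY: Dict[int, str] = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "informational", 7: "debugging",
}

# Levels the page documents for some message numbers (from the
# %FWSM-Level-Number headers in Appendix C).
DOCUMENTED_LEVEL: Dict[int, int] = {
    103001: 1, 103002: 1, 103003: 1, 103004: 1, 103005: 1,
    104001: 1, 104002: 1, 104003: 1, 104004: 1,
    105001: 1, 105002: 1, 105010: 3, 105011: 1,
    106002: 2, 106010: 4, 106011: 7, 106016: 2,
}
# Messages the page says the FWSM emits at Debug(7) where PIX used Info(6)
# ("System Message Log Differences").
for _n in (305001, 305002, 305003, 305004, 302003, 302004, 302012,
           607001, 608001, 314001):
    DOCUMENTED_LEVEL[_n] = 7

# A syslog server may prefix its own timestamp, so the message is searched
# for, not anchored at the start of the line.
_MSG_RE = re.compile(
    r"%(?P<facility>[A-Z]+)-(?P<level>[0-7])-(?P<number>\d+): (?P<text>.*)$")
_UNIT_RE = re.compile(r"^\((Primary|Secondary)\)")


@dataclass
class FwsmMessage:
    facility: str
    level: int
    number: int
    text: str
    unit: Optional[str]  # "Primary"/"Secondary" on failover messages, else None

    @property
    def severity(self) -> str:
        return SEVERITY[self.level]


def parse_line(line: str) -> Optional[FwsmMessage]:
    """Return the parsed message, or None if the line is not an FWSM syslog line."""
    m = _MSG_RE.search(line)
    if m is None:
        return None
    text = m.group("text").strip()
    unit = _UNIT_RE.match(text)
    return FwsmMessage(m.group("facility"), int(m.group("level")),
                       int(m.group("number")), text,
                       unit.group(1) if unit else None)


def level_mismatch(msg: FwsmMessage) -> Optional[str]:
    """Describe a level that differs from the documented one, or None."""
    expected = DOCUMENTED_LEVEL.get(msg.number)
    if expected is None or expected == msg.level:
        return None
    return (f"{msg.number} seen at {msg.severity}({msg.level}), "
            f"documented as {SEVERITY[expected]}({expected})")


def triage(lines: List[str]) -> dict:
    """Count messages by severity keyword, collect failover events and level mismatches."""
    counts: Counter = Counter()
    failover, mismatches, unparsed = [], [], 0
    for line in lines:
        msg = parse_line(line)
        if msg is None:
            if line.strip():
                unparsed += 1
            continue
        counts[msg.severity] += 1
        if msg.unit:
            failover.append((msg.unit, msg.number))
        note = level_mismatch(msg)
        if note:
            mismatches.append(note)
    return {"by_severity": dict(counts), "failover": failover,
            "mismatches": mismatches, "unparsed": unparsed}


# Constructed sample lines; message text is illustrative, not captured output.
SAMPLE_LOG = """\
%FWSM-1-103001: (Primary) No response from other firewall (reason code = 3).
%FWSM-1-104001: (Secondary) Switching to ACTIVE (cause: Interface check, mate is healthier).
%FWSM-2-106016: Deny IP spoof from (127.0.0.1) to 10.1.1.5 on interface outside.
%FWSM-4-106010: Deny inbound tcp src outside:192.0.2.7/4432 dst inside:10.1.1.5/23
%FWSM-7-106011: Deny inbound (No xlate) tcp src outside:192.0.2.7/4433 dst outside:10.1.1.9/80
%FWSM-6-305002: Translation built for sample host (constructed)
Jan 01 2003 12:00:00: %FWSM-3-105010: (Primary) Failover message block alloc failed
this line is not a syslog message
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```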


System Message Log Differences


The system message logging of the module differs from that of the PIX firewall software as
follows:
• Syslog level changes for the module to reduce the number of syslog entries per connection from 4
to 2 at Info(6) level:
– Portmapped translation built (305001) changed from Info (6) to Debug(7)
– Translation built (305002) changed from Info (6) to Debug(7)
– Teardown translation (305003) changed from Info (6) to Debug(7)
– Teardown portmap translation (305004) changed from Info (6) to Debug(7)
• Syslog level changes for consistency purposes:
– PreAllocate H323 UDP Connection (302004) changed from Info(6) to Debug(7)
– Built H245 Connection (302003) changed from Info (6) to Debug(7)
– PreAllocate H225 Connection (302012) changed from Info(6) to Debug(7)
– PreAllocate SIP Secondary Channel (607001) changed from Info(6) to Debug(7)
– PreAllocate Skinny Secondary Channel (608001) changed from Info(6) to Debug(7)
– PreAllocate RTSP UDP Connection (314001) changed from Info(6) to Debug(7)
• Syslog changes for Deny By Access Group (106023) Warning(4):
– After a threshold has been reached, you can configure the module to generate a syslog message only if the connection is dropped
for a specific access control rule n times (n is a global configurable item).
– After a threshold has been reached, you can configure the module to generate a syslog message once every t seconds with the ACL
rule parameter that is being hit (t is a global configurable item).
– Deny Inbound (106010) changed from Error (3) to Warning (4).
• Syslog messages generated by network processes are based on the interface. You can configure the
module to either drop a new connection when the threshold is reached through that interface or allow
the new connection without generating a syslog message.


Failover Messages
This section contains the messages generated by a failover configuration.

Error Message %FWSM-1-103001: (Primary) No response from other firewall (reason code = code).

Explanation This message indicates that the primary module is unable to communicate with the
secondary module over the failover cable. (Primary) can also be listed as (Secondary) for the
secondary module.

Recommended Action Verify that the secondary module has the exact same hardware, software version
level, and configuration as the primary module.

Error Message %FWSM-1-103002: (Primary) Other firewall network interface interface_name OK.

Explanation This message indicates that the primary module detected that the network interface on
the secondary module is acceptable. (Primary) can also be listed as (Secondary) for the secondary
module.

Recommended Action None required.

Error Message %FWSM-1-103003: (Primary) Other firewall network interface interface_name failed.

Explanation This message indicates that the primary module detects a bad network interface on the
secondary module. (Primary) can also be listed as (Secondary) for the secondary module.

Recommended Action Check the network connections on the secondary module, and check the
network hub connection. If necessary, replace the failed network interface.

Error Message %FWSM-1-103004: (Primary) Other firewall reports this firewall failed.

Explanation This message indicates that the primary module receives a message from the secondary
module indicating that the primary has failed. (Primary) can also be listed as (Secondary) for the
secondary module.

Recommended Action Verify the status of the primary module.

Error Message %FWSM-1-103005: (Primary) Other firewall reporting failure.

Explanation This message indicates that the secondary module reports a failure to the primary
module. (Primary) can also be listed as (Secondary) for the secondary module.

Recommended Action Verify the status of the secondary module.


Error Message %FWSM-1-104001: (Primary) Switching to ACTIVE (cause: reason).


%FWSM-1-104002: (Primary) Switching to STNDBY (cause: reason).

Explanation Both instances are failover messages. These messages are logged when you force the
failover module pair to switch roles. You can force the failover module pair to switch roles by either
entering the failover active command on the secondary module or the no failover active command
on the primary module. (Primary) can also be listed as (Secondary) for the secondary module.
Possible values for the reason variable are as follows:
– State check
– Bad or incomplete configuration
– Interface check, mate is healthier
– The other module wants to be standby
– In failed state, cannot be active
– Switch to failed state

Recommended Action If the message occurs because of manual intervention, no action is required.
Otherwise, use the cause reported by the secondary module to verify the status of both modules of
the pair.

Error Message %FWSM-1-104003: (Primary) Switching to FAILED.

Explanation This message indicates that the primary module fails.

Recommended Action Check the system log messages for the primary module for an indication of the
nature of the problem (see message %FWSM-1-104001:). (Primary) can also be listed as (Secondary)
for the secondary module.

Error Message %FWSM-1-104004: (Primary) Switching to OK.

Explanation This message indicates that a previously failed module now reports that it is operating
again. (Primary) can also be listed as (Secondary) for the secondary module.

Recommended Action None required.

Error Message %FWSM-1-105001: (Primary) Disabling failover.

Explanation This message indicates that you entered the no failover command on the console.
(Primary) can also be listed as (Secondary) for the secondary module.

Recommended Action None required.

Error Message %FWSM-1-105002: (Primary) Enabling failover.

Explanation This message indicates that you entered the failover command with no arguments on the
console, after having previously disabled failover. (Primary) can also be listed as (Secondary) for the
secondary module.

Recommended Action None required.


Error Message %FWSM-1-105003: (Primary) Monitoring on interface int_name waiting

Explanation The firewall is testing the specified network interface with the other module of the
failover pair.

Recommended Action None required. The firewall monitors its network interfaces frequently during
normal operations.

Error Message %FWSM-1-105004: (Primary) Monitoring on interface int_name normal

Explanation The test of the specified network interface was successful. (Primary) can also be listed
as (Secondary) for the secondary module.

Recommended Action None required.

Error Message %FWSM-1-105005: (Primary) Lost Failover communications with mate on interface int_name.

Explanation This message indicates that this module of the failover pair can no longer communicate
with the other module of the pair. (Primary) can also be listed as (Secondary) for the secondary
module.

Recommended Action Verify that the network connected to the specified interface is functioning
correctly.

Error Message %FWSM-1-105006: (Primary) Link status 'Up' on interface int_name.


%FWSM-1-105007: (Primary) Link status 'Down' on interface int_name.

Explanation Both instances are failover messages. These messages report the results of monitoring
the link status of the specified interface. (Primary) can also be listed as (Secondary) for the secondary
module.

Recommended Action If the link status is down, verify that the network connected to the specified
interface is operating correctly.

Error Message %FWSM-1-105008: (Primary) Testing interface int_name.

Explanation This message indicates that the firewall tested a specified network interface. This testing
is performed only if the firewall fails to receive a message from the standby module on that interface
after the expected interval. (Primary) can also be listed as (Secondary) for the secondary module.

Recommended Action None required.

Error Message %FWSM-1-105009: (Primary) Testing on interface int_name result.

Explanation This message reports the result (either Passed or Failed) of the interface test. (Primary)
can also be listed as (Secondary) for the secondary module.

Recommended Action None required if the result is Passed. If the result is Failed, check that the network
cable is properly connected to both failover modules and that the network itself is functioning
correctly, and verify the status of the standby module.


Error Message %FWSM-3-105010: (Primary) Failover message block alloc failed

Explanation Block memory has been depleted. This is a transient message and the firewall should
recover. (Primary) can also be listed as (Secondary) for the secondary module.

Recommended Action Use the show blocks command to monitor the current block memory.

Error Message %FWSM-1-105011: (Primary) Failover cable communication failure

Explanation The failover cable is not permitting communication between the primary and secondary
modules. (Primary) can also be listed as (Secondary) for the secondary module.

Recommended Action Ensure that the cable is properly connected.

Error Message %FWSM-1-105020: (Primary) Incomplete/slow config replication

Explanation When a failover occurs, the active firewall detects a partial configuration in memory.
This situation is caused by an interruption in the replication service. (Primary) can also be listed as
(Secondary) for the secondary module.

Recommended Action Once the failover is detected by the firewall, the firewall automatically reloads
itself and loads the configuration from Flash and resynchronizes with another firewall. If failovers
happen continuously, check the failover configuration and make sure both firewalls can communicate
with each other.

Error Message %FWSM-1-105038: (Primary) Interface count mismatch

Explanation Failover initially verifies that the number of interfaces configured on the primary and
secondary modules is the same. This message indicates that the verification found that the numbers
are not the same. Failover cannot be enabled until both primary and secondary modules have the same
number of interfaces. (Primary) can also be listed as (Secondary) for the secondary module.

Recommended Action Check the VLAN configuration on the primary and secondary modules. Check
for any nameif command failure on the primary module. (Primary) can also be listed as (Secondary)
for the secondary module. Once these configurations are verified and corrected, type failover on the
primary module to enable failover again.

Error Message %FWSM-1-105039: (Primary) Unable to verify the Interface count with
mate. Failover may be disabled in mate.

Explanation Failover initially verifies that the number of interfaces configured on the primary and
secondary modules is the same. This message indicates that the primary module is not able to verify
the number of interfaces configured on the secondary module, which means that the primary module
is not able to communicate with the secondary module over the failover interface. (Primary) can also
be listed as (Secondary) for the secondary module.

Recommended Action Verify the failover VLAN, interface configuration and status on the primary and
secondary modules. Make sure the secondary module is running the firewall application and failover
is enabled. (Primary) can also be listed as (Secondary) for the secondary module.


Error Message %FWSM-1-105040: (Primary) Mate failover version is not compatible.

Explanation The primary and secondary modules should run the same failover software version to act
as a failover pair. This message indicates that the secondary module's failover software version is not
compatible with that of the primary module. Failover is disabled on the primary module. (Primary)
can also be listed as (Secondary) for the secondary module.

Recommended Action Maintain consistent software versions between the primary and secondary
modules to enable failover.

Error Message %FWSM-1-105041: (Primary) nameif command failed. Number of interfaces is not consistent with mate.

Explanation This message indicates that during a configuration sync from the secondary to the
primary module, the nameif command failed on the primary module. The nameif command
defines the firewall interfaces in the Firewall Services Module. If this command fails during
synchronization, the interfaces are inconsistent across the failover modules. To avoid
this situation, failover is disabled. (Primary) can also be listed as (Secondary) for the secondary
module.

Recommended Action Correct the reason why nameif failed, and then enable failover.

Error Message %FWSM-1-105042: (Primary) Failover interface OK

Explanation Interface used to send failover messages to the secondary module is functioning.
(Primary) can also be listed as (Secondary) for the secondary module.

Recommended Action None required.

Error Message %FWSM-1-105043: (Primary) Failover interface failed

Explanation Interface used to send failover messages to the secondary module failed. The active
module remains as active and the standby module remains as standby. There will not be any failure
detection or switchover activity until the failover interface becomes normal. (Primary) can also be
listed as (Secondary) for the secondary module.

Recommended Action Verify the VLAN and interface configuration of the failover interface on the primary
and secondary modules.


Connection Messages
This section contains connection messages and the messages specific to the following message types:
• FTP and URL
• Routing Messages
• ICMP
• RSH
• SMTP

Error Message %FWSM-2-106002: protocol Connection denied by outbound list list_ID src laddr dest faddr

Explanation This message indicates that the specified connection failed because of an outbound deny
command statement. The protocol variable can be ICMP, TCP, or UDP.

Recommended Action Use the show outbound command to check outbound lists.

Error Message %FWSM-4-106010: Deny inbound protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port

Explanation This is a connection-related message. This message is logged if an inbound connection
is denied by your security policy.

Recommended Action Modify the security policy if traffic should be permitted. If the message occurs at regular
intervals, contact the remote peer administrator.

Error Message %FWSM-7-106011: Deny inbound (No xlate) chars

Explanation This message indicates that a packet was sent to the same interface that it arrived on. This
usually indicates that a security breach is occurring. When the module receives a packet, it tries to
establish a translation slot based on the security policy you set with the access-list commands, and
your routing policy set with the route command.
When the module polls both policies, the module allows the packet to flow from the higher priority
network to a lower priority network, if it is consistent with the security policy. If a packet comes from
a lower priority network and the security policy does not allow it, the module routes the packet back
to the same interface.
To provide access from an interface with a higher security level to a lower security level, use the nat
and global commands. For example, use the nat command to allow internal users access to external
servers, to allow internal users access to perimeter servers, and to allow perimeter users access to
external servers.

To provide access from an interface with a lower security level to a higher security level, use the
static and access-list commands. For example, use the static and access-list commands to let
external users access internal servers, external users access perimeter servers, or perimeter
servers access internal servers.

Recommended Action Fix your configuration to reflect your security policy for handling these attack
events.

Error Message %FWSM-2-106016: Deny IP spoof from (IP_addr) to IP_addr on interface int_name.

Explanation This message indicates that the module discards a packet with an invalid source address.
Invalid source addresses are those that belong to the following:
– Loopback network (127.0.0.0)
– Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)
– The destination host (land.c)
If sysopt connection enforce subnet is enabled, the module discards packets with an invalid
source subnet, preventing them from traversing the firewall, and then logs this message.
To further improve spoof-packet detection, use the access-list command to configure the firewall to
discard packets with source addresses belonging to the internal network.

Recommended Action Determine if an external user is trying to compromise the protected network.
Check for incorrectly configured clients.

Error Message %FWSM-2-106017: Deny IP due to Land Attack from IP_addr to IP_addr

Explanation This message indicates that the module received a packet with the IP source address
equal to the IP destination and the destination port equal to the source port. This indicates a spoofed
packet that is designed to attack systems. This attack is referred to as a land attack. If this message
persists, an attack may be in progress. The packet does not provide enough information to determine
where the attack originates.

Recommended Action None.

Error Message %FWSM-2-106020: Deny IP teardrop fragment (size = num, offset = num)
from IP_addr to IP_addr

Explanation The firewall discarded an IP packet with a teardrop signature containing either a small
offset or fragment overlapping. This is a hostile event to circumvent the module or an intrusion
detection system.

Recommended Action Contact the remote peer administrator or escalate this issue according to your
security policy.

Error Message %FWSM-1-106021: Deny protocol reverse path check from src_addr to dest_addr on
interface int_name

Explanation Someone is attempting to spoof an IP address on an inbound connection. Unicast Reverse
Path Forwarding, also known as reverse route lookup, detected a packet that does not have a source
address represented by a route and assumes it to be part of an attack on your module.
This message indicates that you have enabled Unicast Reverse Path Forwarding with the ip verify
reverse-path command. This feature works on packets sent to an interface; if it is configured on the
outside, then the module checks packets arriving from the outside. The following conditions apply:
– The module looks up a route based on the src_addr. If an entry is not found and a route is not
defined, then this syslog message appears and the connection is dropped.
– If there is a route, the module checks which interface it corresponds to. If the packet arrived on
another interface, then it is a spoof or there is an asymmetric routing environment. The firewall
does not support asymmetric routing (where there is more than one path to a destination).
– If configured on an internal interface, the module checks static route command statements or
RIP and if the source address is not found, then an internal user is spoofing their address.

Recommended Action An attack is in progress. With this feature enabled, no user action is required.
The module repels the attack.

Error Message %FWSM-3-201002: Too many connections on static|xlate gaddr! econns nconns

Explanation This message indicates that the maximum number of connections to the specified static
address has been exceeded. The econns variable is the maximum number of embryonic connections
and nconns is the maximum number of connections permitted for the static or translate (xlate).

Recommended Action Use the show static command to check the limit imposed on connections to a
static address. The limit is configurable.

Error Message %FWSM-2-201003: Embryonic limit exceeded neconns/elimit for faddr/fport (gaddr)
laddr/lport on interface int_name

Explanation This message indicates that the maximum number of embryonic connections from the
specified foreign address through the specified static global address to the specified local address has
been exceeded. When the limit on embryonic connections is reached, the module attempts to accept
them anyway, but puts a time limit on the connections. This allows some connections to succeed even
if the module is very busy. The neconns variable lists the number of embryonic connections received
and the elimit variable lists the maximum number of embryonic connections specified in the static or
nat command. This message indicates a more serious overload than indicated in message 201002.
The overload could be caused by SYN attacks, or by a very heavy load of legitimate traffic.

Recommended Action Use the show static command to check the limit imposed on embryonic
connections to a static address.

Error Message %FWSM-3-407002: Embryonic limit neconns/elimit for through connections

Explanation This message provides information about connections through the firewall. This message
indicates that the number of connections from a specified foreign address over a specified global
address to the specified local address exceeds the maximum embryonic limit for that static. The
module attempts to accept the connection if it can allocate memory for that connection. It proxies on
behalf of local host and sends a SYN_ACK packet to the foreign host. The module retains pertinent
state information, drops the packet, and waits for the client’s acknowledgment.

Recommended Action The traffic may be legitimate, or this message might indicate that a denial of
service (DoS) attack is in progress. Check the source address to determine where the packets are
coming from and whether it is a valid host.

Error Message %FWSM-3-202001: Out of address translation slots!

Explanation This message indicates that the module has no more address translation slots available.

Recommended Action Check the size of the global pool compared to the number of inside network
clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of translates and
connections. This message may also be caused by insufficient memory; reduce the amount of
memory usage, or purchase additional memory.

Error Message %FWSM-3-202005: Non-embryonic in embryonic list faddr/fport laddr/lport

Explanation This message indicates that a connection object (xlate) is in the wrong list.

Recommended Action Contact your customer support representative.

Error Message %FWSM-3-208005: (function:line_num) FWSM clear command return return_code

Explanation The module received a non-zero value (an internal error) when attempting to clear the
configuration in Flash memory. The message includes the reporting subroutine’s filename and line
number.

Recommended Action For performance reasons, the end host should be configured to not inject IP
fragments. This message probably occurred because of NFS. Set the read and write size to be the
interface MTU for NFS.

Error Message %FWSM-6-305001: Portmapped translation built for gaddr IP_addr/port laddr IP_addr/port

Explanation This message indicates that a translate (xlate) is created for outbound traffic using a PAT
global address. This message applies to UDP, TCP, and ICMP packets.

Recommended Action None required.

Error Message %FWSM-6-305002: Translation built for gaddr IP_addr to laddr IP_addr

Explanation This message indicates that a translate (xlate) is created for outbound traffic using a
global address, or for either outbound or inbound traffic using a static address.

Recommended Action None required.

Error Message %FWSM-6-305003: Teardown translation for global IP_addr local IP_addr

Explanation This message indicates that the firewall clears a dynamically allocated translation after
the translate timeout expires.

Recommended Action None required.

Error Message %FWSM-6-305004: Teardown portmap translation for global IP_addr/port local IP_addr/port

Explanation This message indicates that a port-mapped translation (PAT xlate) no longer in use has
been reclaimed.

Recommended Action None required.

Error Message %FWSM-3-305005: No translation group found for protocol.

Explanation This message indicates that a NAT and global command cannot be found for a protocol.
The protocol can be TCP, UDP, or ICMP.

Recommended Action This message can be either an internal error or an error in the configuration.

Error Message %FWSM-3-305006: Regular translation creation failed for protocol src
int_name:IP_addr/port dst int_name:IP_addr/port

Explanation A protocol (UDP, TCP, or ICMP) failed to create a translation through the module. This
message appears as a fix to caveat CSCdr0063, which requested that the module not allow packets
destined to network or broadcast addresses. The module provides this checking for addresses that are
explicitly identified with static command statements. With the change, for inbound traffic, the
module denies translations for a destination IP address identified as a network or broadcast address.
The module uses the global IP address and mask from configured static command statements to
distinguish regular IP addresses from network or broadcast IP addresses. If the global IP address is a
valid network address with a matching network mask, then the module does not create a translate
(xlate) for network or broadcast IP addresses with inbound packets.

Recommended Action This message can be either an internal error or an error in the configuration.

Error Message %FWSM-6-305007: Orphan IP IP_addr on interface interface_name

Explanation This message indicates that after the module attempts to translate an address that it
cannot find in any of its global pools it assumes that the address has been deleted and drops the
request.

Recommended Action None required.

Error Message %FWSM-6-609001: Built local-host int_name:ip_addr

Explanation A network state container is reserved for the host IP address connected to the interface
name. This is an informational message.

Recommended Action None required.

Error Message %FWSM-6-609002: Teardown local-host int_name:ip_addr duration hh:mm:ss

Explanation A network state container for the host IP address connected to interface name is removed.
This is an informational message.

Recommended Action None required.

Error Message %FWSM-3-305008: Free unallocated global IP address.

Explanation This message indicates an inconsistency condition when trying to free an unallocated
global IP address back to the address pool. This abnormal condition may occur if the module is
running a stateful failover setup and some of the internal states are momentarily out of sync between
the active and standby module. This condition is not catastrophic and the module will recover
automatically.

Recommended Action Report this condition to Cisco technical support if you continue to see this
message.

Error Message %FWSM-4-307004: Telnet session limit exceeded. Connection request from
IP_addr on interface int_name.

Explanation This message indicates that the maximum number of Telnet connections to the module
is exceeded. The module denies an attempt to connect to its Telnet port from the specified IP address
on the specified network.

Recommended Action None required.

Error Message %FWSM-4-308002: static gaddr1 laddr1 netmask mask1 overlapped with
gaddr2 laddr2

Explanation This message indicates that the IP addresses in one or more static command statements
overlap. gaddr is the global address, which is the address on the lower security interface and laddr is
the local address, which is the address on the higher security level interface.

Recommended Action Use the show static command to view the static command statements in your
configuration and fix the commands that overlap. The most common overlap occurs if you specify a
network address, such as 10.1.1.0, and in another static command statement specify a host within that
range such as 10.1.1.5.

Error Message %FWSM-4-500004: Invalid transport field for protocol=protocol, from src_addr/src_port
to dest_addr/dest_port

Explanation This message indicates there is an invalid transport number, in which the source or
destination port number for a protocol is zero. The protocol field is 6 for TCP and 17 for UDP.

Recommended Action If these messages persist, contact the peer’s administrator.

FTP and URL

Error Message %FWSM-3-201005: FTP data connection failed for IP_addr

Explanation This message indicates that the module is unable to allocate a structure to track the data
connection for FTP because of insufficient memory.

Recommended Action Reduce the amount of memory usage, or purchase additional memory.

Error Message %FWSM-6-303002: src_addr Stored|Retrieved dest_addr: nat_addrs

Explanation This message indicates that the specified host successfully stores or retrieves data from
the specified FTP site. This message is used by the module manager to generate reports.

Recommended Action None required.

Error Message %FWSM-5-304001: user src_addr Accessed JAVA URL|URL dest_addr: url.

Explanation This message indicates that the specified host successfully accesses the specified URL.
This message is used by the module manager to generate reports.

Recommended Action None required.

Error Message %FWSM-5-304002: Access denied URL chars SRC IP_addr DEST IP_addr: chars

Explanation This message indicates that access from the source address failed.

Recommended Action None required.

Error Message %FWSM-3-304003: URL Server IP_addr timed out URL string

Explanation This message indicates that access from the URL server failed.

Recommended Action None required.

Error Message %FWSM-6-304004: URL Server IP_addr request failed URL chars

Explanation This message indicates that a Websense server request fails.

Recommended Action None required.

Error Message %FWSM-7-304005: URL Server IP_addr request pending URL chars

Explanation This message indicates that a Websense server request is pending.

Recommended Action None required.

Error Message %FWSM-3-304006: URL Server IP_addr not responding

Explanation The Websense server is unavailable for access, and the module attempts to either try to
access the same server if it is the only server installed or another server if there is more than one.

Recommended Action None required.

Error Message %FWSM-2-304007: URL Server IP_addr not responding, ENTERING ALLOW
mode.

Explanation This message indicates that when you use the allow option of the filter command the
Websense servers are not responding. The module allows all Web requests to continue without
filtering while the servers are not available.

Recommended Action None required.

Error Message %FWSM-2-304008: LEAVING ALLOW mode, URL Server is up.

Explanation This message indicates that when you use the allow option of the filter command that
the module received a response message from a Websense server that previously was not responding.
With this response message, the module exits the allow mode and enables the URL filtering feature
again.

Recommended Action None required.

Error Message %FWSM-4-406001: FTP port command low port: laddr, port to gaddr on
interface int_number

Explanation This message indicates the port is not responding.

Recommended Action None required.

Error Message %FWSM-4-406002: FTP port command different address: laddr to gaddr on
interface int_number

Explanation This message indicates the interface address is incorrect.

Recommended Action None required.

HTTP

Error Message %FWSM-6-605001: HTTP daemon interface int_name: Connection denied from
IP_addr

Explanation This message indicates that an HTTP connection to the module was denied.

Recommended Action None required.

Error Message %FWSM-6-605002: HTTP daemon connection limit exceeded

Explanation This message indicates that the number of HTTP connections to the module for Cisco
Secure PDM was exceeded.

Recommended Action None required.

Error Message %FWSM-6-605003: HTTP daemon: Login failed from IP_addr for user
"user_id"

Explanation This message indicates that Cisco Secure PDM login to the module failed.

Recommended Action None required.

ICMP

Error Message %FWSM-6-106010: Deny inbound icmp src outside: IP_addr dst inside:
IP_addr (type dec, code dec)

Explanation This message indicates that an inbound connection is denied by your security policy.

Recommended Action None required.

Explanation This message indicates that the module discards an inbound ICMP Echo Request packet
with a destination address that corresponds to a PAT global address. It is discarded because the
inbound packet cannot specify which PAT host should receive the packet.

Recommended Action None required.

Error Message %FWSM-3-106014: Deny inbound icmp src interface name: IP_addr dst
interface name: IP_addr (type dec, code dec)

Explanation This message indicates that the module denies any inbound ICMP packet access. By
default, all ICMP packets are denied access unless specifically permitted using the icmp permit
icmp command.

Recommended Action None required.

Error Message %FWSM-2-106018: ICMP packet type ICMP_type denied by outbound list
list_ID src laddr dest faddr

Explanation This message indicates that an outgoing ICMP packet with the specified ICMP type from
a local host to a foreign host is denied by the outbound list.

Recommended Action None required.

Error Message %FWSM-3-313001: Denied ICMP type=icmp_type, code=type_code from IP_addr on interface
int_name

Explanation When using the icmp command with an access list, if the first matched entry is a permit
entry, ICMP packet continues to be processed. If the first matched entry is a deny entry or an entry
is not matched, the module discards the ICMP packet and generates this syslog message. The icmp
command enables or disables pinging to an interface. With pinging disabled, the module cannot be
detected on the network. This feature is also referred to as configurable proxy pinging.

Recommended Action Contact the peer’s administrator.

Error Message %FWSM-3-313003: Invalid destination, ICMP-packet-description, on interface-name
interface. Original IP payload, packet-description

Explanation The destination for the ICMP error message is different from the source of the IP packet
that generated the ICMP error message.

Recommended Action If the message occurs frequently, this could be an active network probe, an
attempt to use the ICMP error message as a covert channel, or an IP host that is not operating
properly. Contact the administrator of the host that originated the ICMP error message.

Error Message %FWSM-6-602101: PMTU-D packet packet_length bytes greater than effective mtu mtu_value
dest_addr=dest_ip, src_addr=source_ip, prot=protocol

Explanation This message occurs when the module sends an ICMP destination unreachable message
and when fragmentation is needed, but the don’t-fragment bit is set.

Recommended Action Ensure that the data is sent correctly.

Routing Messages
This section contains the messages generated by the router configuration.

Error Message %FWSM-1-107001: RIP auth failed from IP_addr: version=vers, type=type,
mode=mode, sequence=seq on interface int_name

Explanation This is an alert log message. The module received a RIP reply message with bad
authentication. This could be due to an incorrectly configured router or module, or it could be an
unsuccessful attempt to attack the module’s routing table.

Recommended Action This may be an attack and should be monitored. If you are not familiar with the
source IP address listed in this message, change your RIP authentication keys between trusted
entities. An attacker may be trying to deduce the existing keys.

Error Message %FWSM-1-107002: RIP pkt failed from IP_addr: version=vers on interface
int_name

Explanation This is an alert message. This message indicates a router bug, a packet with non-RFC
values inside, or malformed entries. This situation should not happen and may be an attempt to
exploit the firewall module’s routing table.

Recommended Action This may be an attack and should be monitored. The packet has passed
authentication, if enabled, and bad data is in the packet. The situation should be monitored and the
keys should be changed if there are any doubts as to the originator of the packets.

Error Message %FWSM-6-110001: No route to dest_addr from src_addr

Explanation This message indicates a route lookup failure. A packet is looking for a destination IP
address, which is not in the routing table.

Recommended Action Check the routing table and make sure there is a route to the destination.

Error Message %FWSM-3-110002: No ARP for host IP_addr

Explanation This is a routing message. This message indicates that the module cannot resolve the
address of a host on one of its immediately connected networks. This usually occurs if the specified
host does not exist or is not reachable on the network that the module expects it to be on, for
example, if the host’s address is incorrectly subnetted.

Recommended Action Check the ARP table and ensure the host is available. If necessary, add a static
ARP statement with the arp command or set the arp timeout value lower so that the ARP table will
refresh sooner.
Check that the host’s IP address is appropriate to the network topology and your subnet scheme.
Verify that the host is reachable by pinging it from another host. Use the show arp command to
display the module’s ARP table. The module minimally must be able to resolve the addresses of its
SNMP server, routers, and syslog host.

Error Message %FWSM-6-312001: RIP hdr failed from IP_addr: cmd=cmd, version=vers
domain=name on interface int_name

Explanation The module received a RIP message with an operation code other than reply, the message
has a version number different than what is expected on this interface, and the routing domain entry
was non-zero.

Recommended Action This message is informational, but may also indicate that another RIP device is
not configured correctly to communicate with the module.

H.225

Error Message %FWSM-4-405101: Unable to Pre-allocate H225 Call Signalling Connection for faddr
faddr[/fport] to laddr laddr[/lport]

Explanation The module failed to allocate RAM system memory while starting a connection or has
no memory available.

Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently,
contact customer support. Also, check the size of the global pool compared to the number of inside
network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval of
translates and connections. This message might be caused by insufficient memory; reduce the amount
of memory usage, or purchase additional memory.

Error Message %FWSM-4-405104: H225 message received from faddr/fport to laddr/lport before SETUP

Explanation This message indicates that an H.225 message is received out of order. The H.225
message was received before the initial SETUP message, which is not allowed. The module has to
receive an initial SETUP message for that H.225 call-signaling channel before accepting any other
H.225 messages.

Recommended Action None required.

Error Message %FWSM-4-405103: H225 message from faddr/fport to laddr/lport contains bad protocol
discriminator

Explanation This message indicates that the message has incorrect protocol information.

Recommended Action None required.

H.245

Error Message %FWSM-7-302003: Built H245 connection for faddr faddr/fport laddr
laddr/lport

Explanation This message indicates that an H.245 connection is started from a foreign address to a
local address. This message only occurs if the module detects the use of an Intel Internet phone. The
foreign port (fport) only displays on connections from outside the module. The local port value
(lport) only appears on connections started on an internal port.

Recommended Action None required.

Error Message %FWSM-4-405102: Unable to Pre-allocate H245 Connection for faddr faddr[/fport] to laddr
laddr[/lport]

Explanation The module failed to allocate RAM system memory while starting a connection or has
no memory available.

Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently,
contact customer technical support. Also, check the size of the global pool compared to the number
of inside network clients. A PAT address may be necessary. Alternatively, shorten the timeout interval
of translates and connections. This message may also be caused by insufficient memory; reduce the
amount of memory usage, or purchase additional memory.

H.323

Error Message %FWSM-7-302004: Pre-allocate H323 UDP backconnection for faddr faddr/fport to laddr
laddr/lport

Explanation This message indicates that an H.323 UDP back-connection is preallocated to a foreign
address from a local address. This message is only generated if the module detects the use of an Intel
Internet phone. The foreign port (fport) only displays on connections from outside the module. The
local port value (lport) only appears on connections started on an internal interface.

Recommended Action None required.

Error Message %FWSM-4-405103: H323 RAS message AdmissionConfirm received from %I/%d
to %I/%d without an AdmissionRequest

Recommended Action None required.

IP Fragmentation

Error Message %FWSM-4-209003: Fragment database limit of bytes exceeded: src = IP_addr, dest =
IP_addr, proto = protocol, id = ID

Explanation Too many IP fragments are currently awaiting reassembly. By default, the maximum
number of fragments is 1 (refer to the fragment command in the Cisco PIX Firewall Command
Reference for more information). The firewall limits the number of IP fragments that can be
concurrently reassembled. This restriction prevents memory depletion at the firewall under abnormal
network conditions. In general, fragmented traffic should be a small percentage of the total traffic
mix. A noticeable exception is in a network environment with NFS over UDP; if this type of traffic
is relayed through the firewall, consider using NFS over TCP instead.
Refer to sysopt connection tcpmss bytes command in the Cisco PIX Firewall Command Reference
for more information.
Refer to the sysopt connection tcpmss bytes command page in Chapter 5 of the Configuration Guide
for the Cisco Secure Firewall Version 5.3 for more information.

Recommended Action If this message persists, a DoS (denial of service) attack might be in progress.
Contact the remote peer’s administrator or upstream provider.

Error Message %FWSM-4-209004: Invalid IP fragment, size = bytes exceeds maximum size
= bytes: An IP fragment is malformed.

Explanation The total size of the reassembled IP packet exceeds the maximum possible size of 65,535
bytes.

Recommended Action A possible intrusion event may be in progress. If this message persists, contact
the remote peer’s administrator or upstream provider.

Error Message %FWSM-4-209005: Discard IP fragment set with more than number elements:
src = Too many elements are in a fragment set.

Explanation The module disallows any IP packet that is fragmented into more than 24 fragments.

Recommended Action A possible intrusion event may be in progress. If the message persists, contact
the remote peer’s administrator or upstream provider. You can change the number of fragments per
packet by using the fragment chain xxx int_name command.

SIP

Error Message %FWSM-7-607001: Pre-allocate SIP conn_type secondary channel for
outside-interface:address/port to inside-interface:address from sip_message message

Explanation This message indicates that the fixup SIP preallocated a SIP connection after inspecting
a SIP message.

Recommended Action None required.

Skinny

Error Message %FWSM-7-608001: Pre-allocate Skinny conn_type secondary channel for
outside-interface:address to inside-interface:address/port from skinny_message message

Explanation This message indicates that the fixup skinny preallocated a Skinny connection after
inspecting a Skinny message.

Recommended Action None required.

RSH

Error Message %FWSM-3-201005: FTP data connection failed for IP_addr

Explanation This message indicates that the module cannot allocate a structure to track the data
connection for FTP because of insufficient memory.

Recommended Action Reduce the amount of memory usage, or purchase additional memory.

RTSP

Error Message %FWSM-7-314001: Pre-allocate RTSP UDP back connection for faddr
faddr/fport to laddr laddr/lport

Explanation This message indicates that the module is unable to allocate an RTSP connection.

Recommended Action None required.

SMTP

Error Message %FWSM-2-108002: SMTP replaced chars: out src_addr in laddr data: chars

Explanation This is generated by the fixup protocol smtp command. This message indicates that the
module replaces an invalid character in an e-mail address with a space.

Recommended Action None required.

TCP

Error Message %FWSM-2-106001: Inbound TCP connection denied from IP_addr/port to
IP_addr/port flags TCP_flags on interface int_name

Explanation This message indicates that an attempt to connect to an inside address is denied by your
security policy. Possible TCP_flags values correspond to the flags in the TCP header that were
present when the connection was denied. For example, a TCP packet arrived for which no connection
state exists in the module, and it was dropped. The TCP_flags in this packet are FIN,ACK.
The TCP_flags are as follows:
• ACK—The acknowledgment number was received.
• FIN—Data was sent.
• PSH—The receiver passed data to the application.
• RST—The connection was reset.
• SYN—Sequence numbers were synchronized to start a connection.
• URG—The urgent pointer was declared valid.

Recommended Action None required.

Error Message %FWSM-6-106015: Deny TCP (no connection) from IP_addr/port to
IP_addr/port flags flags on interface int_name.

Explanation This message indicates that the module discards a TCP packet that has no associated
connection in the module’s connection table. The module looks for a SYN flag in the packet, which
indicates a request to establish a new connection. If the SYN flag is not set, and there is not an
existing connection, the module discards the packet.

Recommended Action No action is required unless the module receives a large volume of these invalid
TCP packets. If this is the case, trace the packets to the source and determine the reason these packets
were sent.

Error Message %FWSM-3-201009: TCP connection limit of limit-count for host
host-address on interface exceeded

Explanation This message indicates that the maximum number of connections to the specified static
address was exceeded. The limit-count variable is the maximum number of connections permitted for
the host specified by the host-address variable.

Recommended Action Use the show static and show nat commands to check the limit imposed on
connections to an address. The limit is configurable.

Error Message %FWSM-6-302001: Built inbound|outbound TCP connection id for faddr
faddr/fport gaddr gaddr/gport laddr laddr/lport (username)

Explanation This is a connection-related message. This message reports that an authenticated
inbound or outbound TCP connection was started to foreign address faddr using the global address
gaddr from local address laddr. If the connection required authentication, the username is reported
in the last field of the message.

Recommended Action None required.

Error Message %FWSM-6-302002: Teardown TCP connection id for
interface:real-address/real-port to interface:real-address/real-port duration
hh:mm:ss bytes bytes [reason] [(user)]

Explanation A TCP connection between two hosts was deleted.

connection id is a unique identifier.
interface, real-address, real-port identify the actual sockets.
duration is the lifetime of the connection.
bytes bytes is the data transfer of the connection.
user is the AAA name of the user.
The reason variable presents the action that caused the connection to terminate. It is one of the
TCP termination reasons listed in Table 0-3.

Table 0-3 TCP Termination Reasons

Reason Description
Reset-I Reset was from the inside.
Reset-O Reset was from the outside.
TCP FINs Normal close down sequence.
FIN Timeout Force termination after 15 seconds awaiting last ACK.
SYN Timeout Force termination after two minutes awaiting three-way handshake completion.
Xlate Clear Command-line removal.
Deny Terminate by application inspection.
SYN Control Back channel initiation from wrong side.
Uauth Deny Deny by URL filter.
Unknown Catch-all error.

Recommended Action None required.

Error Message %FWSM-6-302009: Rebuilt TCP connection id for faddr faddr/fport gaddr
gaddr/gport laddr laddr/lport

Explanation This message appears after a TCP connection is rebuilt after a failover. A sync packet is
not sent to the other module. The faddr IP address is the foreign host, the gaddr IP address is a global
address on the lower security level interface, and the laddr IP address is the local IP address behind
the module on the higher security level interface.

Recommended Action None required.

Error Message %FWSM-6-302010: conns in use, conns most used

Explanation This message appears after a TCP connection restarts. conns is the number of
connections.

Recommended Action None required.

Error Message %FWSM-7-302013: Built {inbound|outbound} TCP connection id for
interface:real-address/real-port (mapped-address/mapped-port) to
interface:real-address/real-port (mapped-address/mapped-port) [(user)]

Explanation A TCP connection slot between two hosts was created. If inbound is specified, then the
original control connection was initiated from the outside.

Recommended Action None required.

Error Message %FWSM-5-500003: Bad TCP hdr length (hdrlen=bytes, pktlen=bytes) from
src_addr/sport to dest_addr/dport, flags: tcp_flags, on interface int_name

Explanation This message indicates that a header length in TCP is incorrect. Some operating systems
do not handle TCP RSTs (resets) correctly when responding to a connection request to a disabled
socket. If a client tries to connect to an FTP server outside the module and FTP is not listening, then
the server sends an RST. Some operating systems send incorrect TCP header lengths, which causes
this problem. UDP uses ICMP port unreachable messages.
The TCP header length may indicate that it is larger than the packet length resulting in a negative
number of bytes being transferred. A negative number is displayed by syslog as an unsigned number
making it appear far larger than would be normal; for example, showing 4 GB transferred in 1 second.

Recommended Action None required. This message should occur infrequently.

UDP

Error Message %FWSM-2-106006: Deny inbound UDP from faddr/fport to laddr/lport on
interface int_name.

Explanation This message indicates that an inbound UDP packet is denied by your security policy.

Recommended Action None required.

Error Message %FWSM-2-106007: Deny inbound UDP from faddr/fport to laddr/lport due
to DNS flag.

Explanation This message indicates that a UDP packet containing a DNS query or response is denied.
The flag variable is either Response or Query.

Recommended Action If the inside port number is 53, the inside host probably is set up as a caching
name server. Add an access-list command statement to permit traffic on UDP port 53. If the outside
port number is 53, a DNS server was probably too slow to respond, and the query was answered by
another server.

Error Message %FWSM-7-302015: Built {inbound|outbound} UDP connection id for
interface:real-address/real-port (mapped-address/mapped-port) to
interface:real-address/real-port (mapped-address/mapped-port) [(user)]

Explanation A UDP connection slot between two hosts was created. If inbound is specified, then the
original control connection is initiated from the outside.

Recommended Action None required.

Error Message %FWSM-7-302016: Teardown UDP connection id for
interface:real-address/real-port to interface:real-address/real-port duration
hh:mm:ss bytes bytes [(user)]

Explanation A UDP connection slot between two hosts was deleted.

Recommended Action None required.

SSH

Error Message %FWSM-3-315001: Denied SSH session from IP_addr on interface int_name

Explanation This message indicates that the module denies an attempt to connect to the SSH port
from the specified IP address on the specified network interface.

Recommended Action From the console, enter the show ssh command to verify that the module is
configured to permit SSH access from the host or network.

Error Message %FWSM-6-315002: Permitted SSH session from IP_addr on interface
int_name for user "user_id"

Explanation This message indicates that an SSH session starts. The ip_addr is the address of the host
with the SSH client. The int_name is the interface through which the SSH session is started. The
user_ID is the username that the client is accessing. Use the show ssh sessions command to view
the status of SSH sessions.

Recommended Action None required.

Error Message %FWSM-6-315003: SSH login session failed from IP_addr on (num attempts)
on interface int_name by user "user_id"

Explanation This message appears after an incorrect user ID or password was entered a certain
number of times for the same connection. Up to three attempts are allowed to log into an SSH console
session. The ip_addr is the address of the host with the SSH client. The int_name is the interface
through which the SSH session is started. The user_ID is the username that the client is attempting
to access.

Recommended Action If this message appears infrequently, no action is required. If this message
appears frequently, it can indicate an attack. Inform the user to verify their username and password.

Error Message %FWSM-3-315004: Fail to establish SSH session because FWSM RSA host
key retrieval failed.

Explanation This message indicates that the module cannot find the module’s RSA host key, which is
required for establishing an SSH session. The firewall host key may be absent because no module
host key has been generated or because the license for this module does not allow DES or 3DES.

Recommended Action From the console, enter the show ca mypubkey rsa command to verify that the
module’s RSA host key is present. If not, also enter the show version command to check whether the
module’s license allows DES or 3DES.

Error Message %FWSM-4-315005: SSH session limit exceeded. Connection request from
IP_addr on interface int_name

Explanation This message indicates that the maximum number of SSH connections to the module is
exceeded. The module denies any attempt to connect to its SSH port from the specified IP address on
the specified network.

Recommended Action None required.

Error Message %FWSM-6-315011: SSH session from IP_addr on interface int_name for user
"user_id" terminated normally
%FWSM-6-315011: SSH session from IP_addr on interface int_name for user "user_id"
disconnected by SSH server, reason: "text"

Explanation This message appears after an SSH session completes. If you enter quit or exit, this
message displays terminated normally. If the session disconnected for another reason, the text
describes the reason.

Recommended Action None required.

Telnet

Error Message %FWSM-6-307001: Denied Telnet login session from IP_addr on interface
int_name.

Explanation This message indicates that the module denies an attempt to connect to the Telnet port
from the specified IP address on the inside network.

Recommended Action From the console, enter the show telnet command to verify that the module is
configured to permit Telnet access from that host or network.

Error Message %FWSM-6-307002: Permitted Telnet login session from IP_addr

Explanation This message logs a successful Telnet connection to the module.

Recommended Action None required.

Error Message %FWSM-6-307003: telnet login session failed from IP_addr (num
attempts) on interface int_name.

Explanation This message indicates that an incorrect Telnet password was entered a number of times
for the same connection. Up to three attempts are allowed to log into a console Telnet session.

Recommended Action Verify the password and try again.

AAA and ACL

Error Message %FWSM-4-106019: IP packet from src_addr to dest_addr, protocol
protocol received from interface int_name deny by access-group acl_ID

Explanation This message indicates that an IP packet is denied by the parameters you specified.

Recommended Action None required.

Error Message %FWSM-6-109001: Auth start for user `username' from laddr/lport to
faddr/fport

Explanation This message indicates that the module is configured for AAA and detects an
authentication request by the specified user.

Recommended Action None required.

Error Message %FWSM-6-109002: Auth from laddr/lport to faddr/fport failed (server
IP_addr failed) on interface int_name.

Explanation This message indicates that an authentication request fails because the specified
authentication server cannot be contacted by the module.

Recommended Action Check to be sure the authentication daemon is running on the specified
authentication server.

Error Message %FWSM-6-109003: Auth from laddr to faddr/fport failed (all servers
failed) on interface int_name.

Explanation This message indicates that no authentication server can be found.

Recommended Action Ping the authentication servers from the module. Make sure the daemons are
running.

Error Message %FWSM-6-109005: Authentication succeeded for user `user' from
laddr/lport to faddr/fport on interface int_name.

Explanation This message indicates that the specified authentication request succeeds.

Recommended Action None required.

Error Message %FWSM-6-109006: Authentication failed for user `user' from laddr/lport
to faddr/fport on interface int_name.

Explanation This message indicates that the specified authentication request fails, possibly because
of a wrong password.

Recommended Action None required.

Error Message %FWSM-6-109007: Authorization permitted for user `user' from
laddr/lport to faddr/fport on interface int_name.

Explanation This message indicates that the specified authorization request succeeds.

Recommended Action None required.

Error Message %FWSM-6-109008: Authorization denied for user `user' from faddr/fport
to laddr/lport on interface int_name.

Explanation This message indicates that you are not authorized to access the specified address,
possibly because of a wrong password.

Recommended Action None required.

Error Message %FWSM-3-109010: Auth from laddr/lport to faddr/fport failed (too many
pending auths) on interface int_name.

Explanation This message indicates that an authentication request cannot be processed because the
server has too many requests pending.

Recommended Action Check to see if the authentication server is too slow to respond to authentication
requests. Enable floodguard with the floodguard enable command.

Error Message %FWSM-2-109011: Authen Session Start: user 'user', sid session_num

Explanation An authentication session started between the host and the module and has not yet
completed.

Recommended Action None required.

Error Message %FWSM-5-109012: Authen Session End: user 'user', sid session_num,
elapsed num seconds

Explanation The authentication cache has timed out. Users will need to reauthenticate on their next
connection. You can change the duration of this timer with the timeout uauth command.

Recommended Action None required.

Error Message %FWSM-3-109013: User must authenticate before using this service

Explanation The user must be authenticated before using the service.

Recommended Action Authenticate using FTP, Telnet, or HTTP before using the service.

Error Message %FWSM-6-109015: Authorization denied (acl=acl_ID) for user 'username'
from src_addr/src_port to dest_addr/dest_port on interface int_name

Explanation The access list check failed; either it matched a deny, or it matched nothing, such as an
implicit deny. The connection was denied by the user access list, which was defined per the AAA
authorization policy on Cisco Secure ACS.

Recommended Action None required.

Error Message %FWSM-3-109016: Downloaded authorization access-list acl_ID not found
for user 'username'

Explanation The AAA authorization access-list command statement ID defined on the remote AAA
server has not been configured on the module. This error can occur if you configure the AAA server
before configuring the module.

Recommended Action Use the same access-list command statement ID on the module as you specified
on the AAA server.

Error Message %FWSM-3-302302: ACL = deny; no sa created

Explanation Proxy mismatches. Proxy hosts for the negotiated SA correspond to a deny access-list
command policy.

Recommended Action Check the access-list command statement in the configuration. Contact the
administrator for the peer.

Error Message %FWSM-7-701001: alloc_user() out of Tcp_user objects

Explanation This message indicates that the user authentication rate is too high for the module to
handle new AAA requests.

Recommended Action Enable floodguard with the floodguard enable command.

Error Message %FWSM-4-106023: Deny protocol src [inbound-interface]:[src_address /
src_port] dst outbound-interface:dst_address / dst_port [type {type}, code {code}]
by access_group access-list-name

Explanation An IP packet was denied by the access list.

Recommended Action Change permission of access list if a permit policy is desired. If messages
persist from the same source address, messages could indicate a foot-printing or port-scanning
attempt. Contact the remote host administrator.
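As an added example (not code from this note or from Cisco), the following Python parses FWSM syslog lines in the formats given above and applies the checks the Recommended Actions suggest: it counts 315003 SSH login failures per source (frequent failures can indicate an attack), counts the distinct destination address/port pairs denied by 106023 per source (persistent denies from one source may be foot-printing or port scanning), and tallies 302002 teardown reasons against Table 0-3. The sample log lines are constructed with RFC 5737 documentation addresses; the interface and access-list names in them are assumptions, and the thresholds are parameters you choose.

```python
"""Parse FWSM syslog lines and surface the patterns this appendix flags:
repeated SSH login failures (315003), ACL denies from one source touching many
ports (106023), and TCP teardown reasons from Table 0-3 (302002).
Sample lines at the bottom are constructed, not captured from a real module."""
import re
from collections import Counter, defaultdict

# Every FWSM message starts: %FWSM-<severity>-<message id>: <text>
HEADER_RE = re.compile(r"%FWSM-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)")

# Body patterns per message id, following the formats in the appendix.
BODY_RE = {
    # 315003: SSH login session failed from IP_addr on (num attempts) on interface int_name by user "user_id"
    "315003": re.compile(
        r'SSH login session failed from (?P<src>[\d.]+) on \((?P<attempts>\d+) attempts\)'
        r' on interface (?P<ifc>\S+) by user "(?P<user>[^"]*)"'),
    # 106023: Deny proto src ifc:addr/port dst ifc:addr/port [type n, code n] by access_group name
    "106023": re.compile(
        r'Deny (?P<proto>\w+) src (?P<in_ifc>[\w-]+):(?P<src>[\d.]+)(?:\s*/\s*(?P<sport>\d+))?'
        r' dst (?P<out_ifc>[\w-]+):(?P<dst>[\d.]+)(?:\s*/\s*(?P<dport>\d+))?'
        r'(?: type \d+, code \d+)? by access_group (?P<acl>\S+)'),
    # 302002: Teardown TCP connection id for a to b duration hh:mm:ss bytes n [reason] [(user)]
    "302002": re.compile(
        r'Teardown TCP connection (?P<id>\d+) for (?P<a>\S+) to (?P<b>\S+)'
        r' duration (?P<dur>\d+:\d\d:\d\d) bytes (?P<bytes>\d+)(?P<rest>.*)$'),
}
# Termination reasons from Table 0-3; anything else is normalised to "Unknown".
TCP_TERMINATION_REASONS = {"Reset-I", "Reset-O", "TCP FINs", "FIN Timeout", "SYN Timeout",
                           "Xlate Clear", "Deny", "SYN Control", "Uauth Deny", "Unknown"}

def _split_reason_user(rest):
    """Split the optional trailing '[reason] [(user)]' of a 302002 message."""
    rest = rest.strip()
    user = None
    if rest.endswith(")") and "(" in rest:
        rest, _, user = rest.rpartition("(")
        user = user[:-1]  # drop the closing parenthesis
    return rest.strip() or None, user

def parse_line(line):
    """Return a dict for one FWSM syslog line, or None if the header is missing."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = {"severity": int(m.group("sev")), "msgid": m.group("msgid"), "text": m.group("text")}
    body = BODY_RE.get(rec["msgid"])
    if body and (f := body.search(rec["text"])):
        rec.update(f.groupdict())
    if rec["msgid"] == "302002" and "rest" in rec:
        rec["reason"], rec["user"] = _split_reason_user(rec.pop("rest"))
    return rec

def parse_log(text):
    """Parse every line; lines without an FWSM header are skipped."""
    return [r for r in map(parse_line, text.splitlines()) if r]

def ssh_failure_sources(records, threshold):
    """Sources with at least `threshold` 315003 messages (frequent failures can indicate an attack)."""
    c = Counter(r["src"] for r in records if r["msgid"] == "315003" and "src" in r)
    return {src: n for src, n in c.items() if n >= threshold}

def scanning_sources(records, min_targets):
    """Sources whose 106023 denies hit at least `min_targets` distinct destination
    address/port pairs (persistent denies from one source may be foot-printing or port scanning)."""
    targets = defaultdict(set)
    for r in records:
        if r["msgid"] == "106023" and "src" in r:
            targets[r["src"]].add((r["dst"], r["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

def teardown_reason_counts(records):
    """Count 302002 teardown reasons using the Table 0-3 vocabulary."""
    c = Counter()
    for r in records:
        if r["msgid"] == "302002":
            reason = r.get("reason") or "Unknown"
            c[reason if reason in TCP_TERMINATION_REASONS else "Unknown"] += 1
    return dict(c)

# Constructed sample log (RFC 5737 documentation addresses), not real module output.
SAMPLE_LOG = """\
%FWSM-6-315003: SSH login session failed from 192.0.2.10 on (3 attempts) on interface outside by user "admin"
%FWSM-6-315003: SSH login session failed from 192.0.2.10 on (3 attempts) on interface outside by user "root"
%FWSM-6-315003: SSH login session failed from 192.0.2.10 on (3 attempts) on interface outside by user "cisco"
%FWSM-4-106023: Deny tcp src outside:192.0.2.10/40001 dst inside:10.0.0.5/22 by access_group outside_in
%FWSM-4-106023: Deny tcp src outside:192.0.2.10/40002 dst inside:10.0.0.5/23 by access_group outside_in
%FWSM-4-106023: Deny tcp src outside:192.0.2.10/40003 dst inside:10.0.0.5/80 by access_group outside_in
%FWSM-4-106023: Deny icmp src outside:203.0.113.9 dst inside:10.0.0.5 type 8, code 0 by access_group outside_in
%FWSM-6-302002: Teardown TCP connection 1001 for outside:192.0.2.44/1234 to inside:10.0.0.5/80 duration 00:00:05 bytes 2048 TCP FINs
%FWSM-6-302002: Teardown TCP connection 1002 for outside:192.0.2.45/1235 to inside:10.0.0.5/80 duration 00:02:00 bytes 0 SYN Timeout
%FWSM-6-302002: Teardown TCP connection 1003 for outside:192.0.2.46/1236 to inside:10.0.0.5/80 duration 00:00:01 bytes 120 Reset-O (jdoe)
%FWSM-6-302002: Teardown TCP connection 1004 for outside:192.0.2.47/1237 to inside:10.0.0.5/80 duration 00:00:01 bytes 5 Weird
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("SSH failure sources:", ssh_failure_sources(recs, 3))
    print("possible scanners:", scanning_sources(recs, 3))
    print("teardown reasons:", teardown_reason_counts(recs))
```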

Error Message %FWSM-6-610101: Authorization failed: Cmd: cmd_string Cmdtype:
command_modifier

Explanation Command authorization failed for the specified command.

Recommended Action None required.

Error Message %FWSM-6-611101: User authentication succeeded: Uname: username

Explanation User authentication when accessing the module succeeded.

Recommended Action None required.

Error Message %FWSM-6-611102: User authentication failed: Uname: username

Explanation User authentication failed when attempting to access the module.

Recommended Action None required.

Error Message %FWSM-5-611103: User logged out: Uname: username

Explanation The specified user logged out.

Recommended Action None required.

User Management

Error Message %FWSM-5-111008: User 'user' executed the 'cmd' command.

Explanation This message indicates that a command change to the configuration has been made.

Recommended Action None required.

Error Message %FWSM-5-501101: User transitioning priv level

Explanation The privilege level of a command was changed.

Recommended Action None required.

Error Message %FWSM-5-502101: New user added to local dbase: Uname: username Priv:
priv_lvl Encpass: encrypted_paswd

Explanation A new user was added to the local database.

Recommended Action None required.

Error Message %FWSM-5-502102: User deleted from local dbase: Uname: username Priv:
priv_lvl Encpass: encrypted_paswd

Explanation A user was deleted from the local database.

Recommended Action None required.

Error Message %FWSM-5-502103: User priv level changed: Uname: username From:
old_priv_lvl To: new_priv_lvl

Explanation The privilege level of the specified user was changed.

Recommended Action None required.

Configuration

Error Message %FWSM-5-111001: Begin configuration: IP_addr writing to device

Explanation This message indicates that you entered the write command to store your configuration
on a device (either floppy, Flash memory, TFTP, the failover standby module, or the console
terminal). The IP address indicates whether the login was made at the console port or through a
Telnet connection.

Recommended Action None required.

Error Message %FWSM-6-199005: FWSM Startup begin

Explanation This message indicates that the module starts up.

Recommended Action None required.

Error Message %FWSM-1-709003: (Primary) Beginning configuration replication:
Receiving from mate.

Explanation This message indicates that the active module starts replicating its configuration to the
standby module. (Primary) can also be listed as (Secondary) for the secondary module.

Recommended Action None required.

Error Message %FWSM-1-709004: (Primary) End Configuration Replication (ACT)

Explanation This message indicates that the active module completes replicating its configuration on
the standby module. (Primary) can also be listed as (Secondary) for the secondary module.

Recommended Action None required.

Error Message %FWSM-1-709005: (Primary) Beginning configuration replication:
Receiving from mate.

Explanation This message indicates that the standby module received the first part of the
configuration replication from the active module. (Primary) can also be listed as (Secondary) for the
secondary module.

Recommended Action None required.

Error Message %FWSM-1-709006: (Primary) End Configuration Replication (STB)

Explanation This message indicates that the standby module completes replicating a configuration
sent by the active module. (Primary) can also be listed as (Secondary) for the secondary module.

Recommended Action None required.

Error Message %FWSM-2-709007: Configuration replication failed for command
command_name

Explanation This message indicates that the standby module cannot complete replicating a
configuration sent by the active module. The command that caused the failure displays at the end of
the message.

Recommended Action Write down the command name and contact customer technical support.

FWSM Management

Error Message %FWSM-5-111003: IP_addr Erase configuration

Explanation This message indicates that you erased the contents of Flash memory, either by entering
the write erase command at the console, or by clicking OK to clear Flash memory. The IP address
indicates whether the login was made at the console port or through a Telnet connection.

Recommended Action After erasing the configuration, you must reconfigure the module and save the
new configuration. Alternatively, you can restore information from a configuration that was
previously saved, either on floppy or on a TFTP server elsewhere on the network.

Error Message %FWSM-5-111004: IP_addr end configuration: [FAILED]|[OK]

Explanation This message indicates that you entered the config floppy/memory/network command
or the write floppy/memory/network/standby command. The IP_addr indicates whether the login
was made at the console port or through a Telnet connection.

Recommended Action No action is required if the message ends with OK. If the message indicates a
failure, try to fix the problem. For example, if writing to a floppy, ensure that the floppy is not write
protected; if writing to a TFTP server, ensure that the server is up.

Error Message %FWSM-5-111005: IP_addr end configuration: OK

Explanation This message indicates that you exited configuration mode. The IP address indicates
whether the login was made at the console port or through a Telnet connection.

Recommended Action None required.

Error Message %FWSM-5-111006: Console Login from user at IP_addr

Explanation This message indicates that you connected to the module. If authentication is enabled,
the username is reported; otherwise, the string nobody appears. The IP address indicates whether the
login was made at the console port or through a Telnet connection.

Recommended Action None required.

Error Message %FWSM-5-111007: Begin configuration: IP_addr reading from device.

Explanation This message indicates that you entered the reload or configure command to read in a
configuration. The device text can be floppy, memory, net, standby, or terminal. The IP address
indicates whether the login was made at the console port or through a Telnet connection.

Recommended Action None required.

Error Message %FWSM-7-111009:User user_name executed cmd:command

Explanation This syslog message is for accounting purposes. You entered a command that does not
modify the configuration.

Recommended Action None required.

Error Message %FWSM-2-112001:FWSM clear finished.

Explanation This message indicates that a request to clear the module configuration has finished. The
source file and line number are identified.

Recommended Action None required.

Error Message %FWSM-5-199001: FWSM reload command executed from IP_addr.

Explanation This message indicates the address of the host initiating a module reboot with the reload
command.

Recommended Action None required.

Error Message %FWSM-6-199002: FWSM startup completed. Beginning operation.

Explanation This message indicates that the module has finished its initial boot and Flash memory
reading sequence and is ready to begin operating normally.

Recommended Action None required.

Error Message %FWSM-6-307002: Permitted Telnet login session from IP_addr

Explanation This message indicates a successful Telnet connection to the module.

Recommended Action None required.

Error Message %FWSM-6-307003: telnet login session failed from IP_addr (num
attempts) on interface int_name.

Explanation This message indicates that an incorrect Telnet password was entered a number of times
for the same connection. Up to three attempts are allowed to log into a console Telnet session.

Recommended Action Verify the password and try again.

Error Message %FWSM-6-308001: FWSM console enable password incorrect for num tries
(from IP_addr).

Explanation This message indicates the number of times you incorrectly typed the password to enter
privileged mode. The maximum is three attempts.

Recommended Action The privileged mode password is not necessarily the same as the password for
Telnet access to the module. Verify the password and try again.

Error Message %FWSM-3-309001: Denied manager connection from IP_addr.

Explanation This message indicates that the Firewall Manager denies an attempt to connect to its
Telnet port from the specified IP address on the inside network.

Recommended Action None required.

Error Message %FWSM-6-309002: Permitted manager connection from IP_addr.

Explanation This message indicates a successful connection.

Recommended Action None required.

Error Message %FWSM-4-309004: Manager session limit exceeded. Connection request
from IP_addr on interface int_name

Explanation This message indicates that the maximum number of module management connections
has been exceeded. The module denies an attempt to connect to its management port from the
specified IP address on the specified network.

Recommended Action None required.

PDM

Error Message %FWSM-6-606001: PDM session number num from IP_addr started

Explanation This message indicates that a PDM session has been started.

Recommended Action None required.

Error Message %FWSM-6-606002: PDM session number num from IP_addr ended

Explanation This message indicates that a PDM session has ended.

Recommended Action None required.

Stateful Failover

Error Message %FWSM-3-210001: LU SW_Module_Name error = error_code

Explanation This message indicates that a stateful failover error occurred.

Recommended Action If this error persists after traffic lessens through the module, report this error to
customer support.

Error Message %FWSM-3-210002: LU allocate block (size) failed.

Explanation Stateful failover could not allocate a block of memory to transmit stateful information to
the standby module.

Recommended Action Check the failover interface to make sure its transmit is normal using the show
interface command. Also, check the current block of memory using the show block command. If
current available count is 0 within any of the blocks of memory, then reload the module software to
recover the lost blocks of memory.

Error Message %FWSM-3-210003: Unknown LU Object ID

Explanation Stateful failover received an unsupported Logical Update object and was unable to
process it. This situation could be caused by corrupted memory, LAN transmissions, and other
events.

Recommended Action If you see this error infrequently, then no action is required. If this error occurs
frequently, check the stateful failover link LAN connection. If the error was not caused by a faulty
failover link LAN connection, determine if an external user is trying to compromise the protected
network. Check for incorrectly configured clients.

Error Message %FWSM-3-210005: LU allocate connection failed

Explanation Stateful failover cannot allocate a new connection on the standby module. This may be
caused by little or no RAM memory available within the module.

Recommended Action Check the available memory using the show mem command to make sure the
module has free memory in the system. If there is no available memory, add more physical memory
to the module.

Error Message %FWSM-3-210006: LU look NAT for IP_addr failed

Explanation Stateful failover was unable to locate a NAT group for the IP address on the standby
module. The active and standby modules are probably out of synchronization.

Recommended Action Enter the write standby command on the active module to synchronize system
memory with the standby module.

Error Message %FWSM-3-210007: LU allocate xlate failed

Explanation Stateful failover failed to allocate a translation slot (xlate) record.

Recommended Action Check the available memory using the show mem command to make sure that
the module has free memory in the system. If the memory has been used up, you may need to add
more physical memory.

Error Message %FWSM-3-210008: LU no xlate for laddr/l_port faddr/f_port

Explanation Stateful failover was unable to find a translation slot (xlate) record for a connection and
therefore could not process the connection information.

Recommended Action Enter the write standby command on the active module to synchronize system
memory between the active and standby modules.

Error Message %FWSM-3-210010: LU make UDP connection for faddr:f_port laddr:l_port failed

Explanation Stateful failover was unable to allocate a new record for a UDP connection.

Recommended Action Check the available memory with the show memory command to make sure
that the module has free memory in the system. If the memory has been used up, you may need to
add more physical memory.

Error Message %FWSM-3-210020: LU PAT port port_number reserve failed

Explanation Stateful failover is unable to allocate a specific PAT address because it is already in use.

Recommended Action If this error reappears frequently, enter the write standby command on the
active module to synchronize system memory between the active and standby modules.

Error Message %FWSM-3-210021: LU create static xlate global_IP ifc int_name failed

Explanation Stateful failover is unable to create a translation slot (xlate).

Recommended Action If this error reappears frequently, use the write standby command on the active
module to synchronize system memory between the active and standby modules.

Error Message %FWSM-6-210022: LU missed number updates

Explanation Stateful failover assigns a sequence number for each record sent to the standby module.
When a received record sequence number is out of sequence with the last updated record, the
information in between is assumed lost and this error message is sent.

Recommended Action Unless there are LAN interruptions, check the available memory on both
modules to ensure there is enough memory to process the stateful information. Use the show failover
command to monitor the quality of stateful information updates.

Error Message %FWSM-6-311001: LU loading standby start

Explanation This message indicates that stateful failover update information was sent to the standby
module.

Recommended Action None required.

Error Message %FWSM-6-311002: LU loading standby end

Explanation This message indicates that the stateful failover update information has finished being
sent to the standby module.

Recommended Action None required.

Error Message %FWSM-6-311003: LU recv thread up

Explanation This message indicates that an update acknowledgment has been received from the
standby module.

Recommended Action None required.

Error Message %FWSM-6-311004: LU xmit thread up

Explanation This message indicates that a stateful failover update is transmitted to the standby
module.

Recommended Action None required.

Memory and Resource Allocation

This section contains the messages generated by memory and resource allocation.

Error Message %FWSM-3-211001: Memory allocation Error

Explanation Failed to allocate RAM system memory.

Recommended Action If this message occurs periodically, it can be ignored. If it repeats frequently,
contact customer technical support.

Error Message %FWSM-2-211003: CPU Utilization for number_seconds seconds = cpu_utilization

Explanation CPU utilization exceeds 100 percent. The message reports the measurement interval in
seconds (number_seconds) and the percentage of CPU usage (cpu_utilization), which is a value
greater than 100 percent.

Recommended Action Report this error to customer technical support.

SNMP
This section contains the messages generated by SNMP.

Error Message %FWSM-3-212001: Unable to open SNMP channel (UDP port udp_port) on
interface interface_name, error code = code

Explanation This message indicates that the module cannot receive SNMP requests destined for the
module from SNMP management stations located on this interface. This does not affect the SNMP
traffic passing through the module through any interface.

Recommended Action An error code of -1 indicates that the module could not open the SNMP
transport for the interface. After the module reclaims some of its resources when traffic is lighter,
enter the snmp-server host command for that interface again.

Error Message %FWSM-3-212002: Unable to open SNMP trap channel (UDP port udp_port)
on interface interface_name, error code = code

Explanation This message indicates that the module will not be able to send its SNMP traps from the
module to SNMP management stations located on this interface. This does not affect the SNMP
traffic passing through the module through any interface.
An error code of -1 indicates that the module could not open the SNMP trap transport for the interface.
An error code of -2 indicates that the module could not bind the SNMP trap transport for the interface.

Recommended Action After the module reclaims some of its resources when traffic is lighter, enter the
snmp-server host command for that interface again.

Error Message %FWSM-3-212003: Unable to receive an SNMP request on interface interface_name, error code = code, will try again.

Explanation This message indicates that an internal error occurred while receiving an SNMP request on an interface.

Recommended Action None required. The module SNMP agent will wait for the next SNMP request.

Error Message %FWSM-3-212004: Unable to send an SNMP response to IP Address IP_addr Port port interface interface_name, error code = code

Explanation This message indicates that an internal error occurred while sending an SNMP response
from the module to the specified host on the specified interface.

Recommended Action None required.

Error Message %FWSM-3-212005: incoming SNMP request (number bytes) on interface int_name exceeds data buffer size, discarding this SNMP request.

Explanation This message indicates that the length of the incoming SNMP request, which is destined
for the module, exceeds the size of the internal data buffer (512 bytes) used for storing the request
during internal processing; therefore, the module cannot process this request. This does not affect the
SNMP traffic passing through the module through any interface.

Recommended Action Configure the SNMP management station to resend the request with a shorter
length, for example, instead of querying multiple MIB variables in one request, try querying only one
MIB variable in a request. You may need to modify the configuration of the SNMP manager software.

DHCP
Error Message %FWSM-6-604103: DHCP daemon interface int_name: address granted
MAC_addr (IP_addr)

Explanation The module DHCP server granted an IP address to an external client.

Recommended Action None required.

Error Message %FWSM-6-604104: DHCP daemon interface int_name: address released

Explanation An external client released an IP address back to the module DHCP server.

Recommended Action None required.

VPN
Error Message %FWSM-4-402101: decaps: rec'd IPSEC packet has invalid spi for
destaddr=IP_addr, prot=protocol, spi=spi

Explanation Received an IPSec packet whose SPI does not exist in the security association (SA)
database. This situation may be a temporary condition due to slight differences in the aging of SAs
between the IPSec peers, or it may be because the local SAs have been cleared. It may also be
because of incorrect packets sent by the IPSec peer. This message might also indicate an attack.

Recommended Action The peer may not acknowledge that the local SAs have been cleared. If a new
connection is established from the local router, the two peers may then reestablish successfully.
Otherwise, if the problem occurs for more than a brief period, either attempt to establish a new
connection or contact the peer’s administrator.

Error Message %FWSM-4-402102: decapsulate: packet missing packet_type, destadr=dest_addr, actual prot=protocol

Explanation Received IPSec packet is missing an expected AH or ESP header. The peer is sending
packets that do not match the negotiated security policy. This may be an attack. The packet type is
either AH or ESP.

Recommended Action Contact the peer’s administrator.

Error Message %FWSM-4-402103: identity doesn't match negotiated identity (ip) dest_addr= IP_addr, src_addr= IP_addr, prot= protocol, (ident) local=IP_addr,
remote=IP_addr, local_proxy=IP_addr/IP_addr/port/port,
remote_proxy=IP_addr/IP_addr/port/port

Explanation An unencapsulated IPSec packet does not match the negotiated identity. The peer is
sending other traffic through this security association. This situation may be due to a security
association selection error by the peer. This situation may be a hostile event.

Recommended Action Contact the peer’s administrator to compare policy settings.

Error Message %FWSM-4-402106: Rec'd packet not an IPSEC packet (ip) dest_addr=
IP_addr, src_addr= IP_addr, prot= protocol

Explanation The received packet matched the crypto map ACL, but it is not IPSec-encapsulated. The
IPSec peer is sending unencapsulated packets. This situation may occur because of a policy setup
error on the peer. This may also be a hostile event.

Recommended Action Contact the peer’s administrator to compare policy settings.

Error Message %FWSM-4-404101: ISAKMP: Failed to allocate address for client from pool
pool_id

Explanation The Internet Security Association and Key Management Protocol (ISAKMP) failed to
allocate an IP address for the VPN client from the pool you specified with the ip local pool command.

Recommended Action Enter the ip local pool command to specify additional IP addresses for the pool.

Error Message %FWSM-6-602102: Adjusting IPSec tunnel mtu

Explanation The MTU for an IPSec tunnel is adjusted from path MTU discovery.

Recommended Action Check the MTU of the IPSec tunnels. If an affected MTU is smaller than
normal, check intermediate links.

Error Message %FWSM-6-602301: sa created

Explanation A new security association was created.

Recommended Action Informational message only.

Error Message %FWSM-6-602302: deleting sa

Explanation A security association was deleted.

Recommended Action Informational message only.

Error Message %FWSM-7-702301: lifetime expiring

Explanation A security association lifetime has expired.

Recommended Action Debugging message only.

Error Message %FWSM-7-702303: sa_request

Explanation IPSec has requested Internet Key Exchange (IKE) for new security associations.

Recommended Action Debugging message only.

Internet Protocol Routing

Error Message %FWSM-1-106012: Deny IP from IP_address to IP_address, IP options hex.

Explanation This is a packet integrity check message. An IP packet was seen with IP options. Because
IP options are considered a security risk, the packet was discarded.

Recommended Action Contact the remote host system administrator to determine the problem. Check the
local site for loose source routing or strict source routing.
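The message above reports the offending options only as a hex string, so an operator checking for loose or strict source routing has to decode that string by hand. The following added example (not code from the Cisco document) parses an IPv4 header, extracts the option bytes as the same kind of hex string, and names each option using the standard RFC 791 type codes; the LSRR/SSRR codes and the sample headers are constructed here and are not taken from the page.

```python
import socket
import struct

# IPv4 option type codes from RFC 791 (standard values, not from the FWSM page).
IP_OPTION_NAMES = {0: "EOL", 1: "NOP", 7: "RR", 68: "TS", 131: "LSRR", 137: "SSRR"}
SOURCE_ROUTING = {131, 137}  # loose and strict source routing


def ipv4_options(header: bytes) -> bytes:
    """Return the raw option bytes of an IPv4 header (empty when IHL == 5)."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("invalid IHL")
    return header[20:ihl]


def decode_options(opts: bytes) -> list:
    """Walk the option list; returns [(type_code, name, payload_bytes), ...]."""
    out = []
    i = 0
    while i < len(opts):
        t = opts[i]
        if t in (0, 1):  # EOL and NOP are single-byte options
            out.append((t, IP_OPTION_NAMES[t], b""))
            if t == 0:
                break
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option length byte missing")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((t, IP_OPTION_NAMES.get(t, "type-%d" % t), opts[i + 2:i + length]))
        i += length
    return out


def classify(header: bytes) -> dict:
    """Summarise the options of one header the way an analyst would want to see them."""
    opts = ipv4_options(header)
    decoded = decode_options(opts) if opts else []
    return {
        "options_hex": opts.hex(),           # same form as the 'IP options hex' field
        "names": [name for _, name, _ in decoded],
        "source_routed": any(t in SOURCE_ROUTING for t, _, _ in decoded),
    }


def build_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header (constructed sample input, checksum left as 0)."""
    options += b"\x00" * ((-len(options)) % 4)  # pad with EOL to a 4-byte boundary
    ihl = 5 + len(options) // 4
    ver_ihl = (4 << 4) | ihl
    fixed = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options


if __name__ == "__main__":
    # Constructed sample: an LSRR option (type 131, length 7) carrying one hop address.
    lsrr = b"\x83\x07\x04" + socket.inet_aton("10.0.0.1")
    print(classify(build_header("10.0.0.2", "192.168.1.1", lsrr)))
    print(classify(build_header("10.0.0.2", "192.168.1.1")))
```

Run against a capture, the `options_hex` value can be compared directly with the hex shown in a logged 106012 message, and `source_routed` tells you whether the local-site check the Recommended Action asks for is the relevant one.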

Error Message %FWSM-3-317001: No memory available for limit_slow

Explanation The requested operation failed because of a low memory condition.

Recommended Action Reduce other system activity to ease memory demands. If conditions warrant,
upgrade to a larger memory configuration.

Error Message %FWSM-3-317003: IP routing table creation failure - reason

Explanation An internal software error occurred, which prevented the creation of a new IP routing
table.

Recommended Action Copy the message exactly as it appears, and report it to your technical support
representative.

Error Message %FWSM-3-317004: IP routing table limit warning

Explanation The number of routes in the named IP routing table has reached the configured warning
limit.

Recommended Action Reduce the number of routes in the table.

Error Message %FWSM-3-317005: IP routing table limit exceeded - reason, ip_address ip_mask

Explanation Further routes will be added to the table.

Recommended Action Reduce the number of routes in the table, or reconfigure the limit.

Error Message %FWSM-4-408001: IP route counter negative - reason, ip_address Attempt: number

Explanation An attempt to decrement the IP route counter to a negative value failed.

Recommended Action Enter the clear ip route * command to reset the route counter. If the message
continues to appear consistently, copy the messages exactly as they appear, and report it to your
technical support representative.

OSPF
Error Message %FWSM-3-318002: Flagged as being an ABR without a backbone area

Explanation The router was flagged as an area border router without a backbone area configured in
the router.

Recommended Action Restart the OSPF process.

Error Message %FWSM-6-613001: Checksum Failure in database in area ospf_complain Link State Id ip_address Old Checksum old_checksum New Checksum new_checksum

Explanation OSPF has detected a checksum error in the database due to memory corruption.

Recommended Action Restart the OSPF process.

Error Message %FWSM-4-409001: Database scanner: external LSA ip_address ip_mask is lost, reinstalls

Explanation The software detected an unexpected condition. The router will take corrective action
and continue.

Recommended Action None required.

Error Message %FWSM-4-409002: db_free: external LSA ip_address ip_mask

Explanation An internal software error occurred.

Recommended Action None required.

Error Message %FWSM-4-409003: Received invalid packet: reason from ip_address, int_name

Explanation An invalid OSPF packet was received. Details are included in the error message. The
cause might be an incorrect OSPF configuration or an internal error in the sender.

Recommended Action Check the OSPF configuration of the receiver and the sender configuration for
inconsistency.

Error Message %FWSM-3-318003: Reached unknown state in neighbor state machine

Explanation An internal software error occurred.

Recommended Action None required.

Error Message %FWSM-4-409004: Received reason from unknown neighbor ip_address

Explanation The OSPF hello, database description, or database request packet was received, but the
router could not identify the sender.

Recommended Action This situation should correct itself.

Error Message %FWSM-4-409005: Invalid length number in OSPF packet from ip_address
(ID ip_address), int_name

Explanation The system received an OSPF packet with a field length of less than the normal header
size or inconsistent with the size of the IP packet in which it arrived. This indicates a configuration
error in the sender of the packet.

Recommended Action From a neighboring address, locate the problem router and reboot it.

Error Message %FWSM-4-409006: Invalid lsa: reason Type number, LSID ip_address from
ip_address, ip_address, int_name

Explanation The router received an LSA with an invalid LSA type. The cause is either memory
corruption or unexpected behavior on a router.

Recommended Action From a neighboring address, locate the problem router and reboot it. To
determine what is causing this problem, contact your Cisco technical support representative for
assistance.

Error Message %FWSM-4-409007: Found LSA with the same host bit set but using
different mask LSA ID ip_address ip_mask New: Destination ip_address ip_mask

Explanation An internal software error occurred.

Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.

Error Message %FWSM-4-409008: Found generating default LSA with non-zero mask LSA
type : number Mask : ip_address metric : number area : name

Explanation The router tried to generate a default LSA with the wrong mask and possibly the wrong
metric due to an internal software error.

Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.

Error Message %FWSM-4-409009: OSPF process number cannot start. There must be at
least one "up" IP interface, for OSPF to use as router ID

Explanation OSPF failed while attempting to allocate a router ID from the IP address of one of its
interfaces.

Recommended Action Make sure that there is at least one interface that is up and has a valid IP address.
If there are multiple OSPF processes running on the router, each requires a unique router ID. You
must have enough interfaces up so that each of them can obtain a router ID.

Error Message %FWSM-4-409010: Virtual link information found in non-backbone area: area_name

Explanation An internal error occurred.

Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.

Error Message %FWSM-3-318004: area area_name lsid ip_address mask ip_address adv
ip_address type number

Explanation OSPF has a problem locating the LSA, which could lead to a memory leak.

Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.

Error Message %FWSM-3-318005: lsid ip_address adv ip_address type number gateway
ip_address metric number network ip_address mask ip_address protocol number attr
number net-metric number

Explanation OSPF has a problem locating the LSA.

Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.

Error Message OSPF found inconsistency between its database and IP routing table

Explanation An internal error occurred.

Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.

Error Message %FWSM-6-613002: interface interface_name has zero bandwidth

Explanation The interface reports its bandwidth as zero.

Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.

Error Message %FWSM-3-318006: if string if_state number

Explanation An internal error occurred.

Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.

Error Message %FWSM-5-503001: Process number, Nbr ip_address on int_name from name
to name, reason

Explanation An OSPF neighbor has changed its state. The message describes the change and the
reason for it. This message appears only if the log-adjacency-changes command is configured for
the OSPF process.

Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.

Error Message %FWSM-6-613003: ip_address ip_mask changed from area areaname to area
areaname

Explanation An OSPF configuration change has caused a network range to change areas.

Recommended Action Reconfigure OSPF with the correct network range.

Error Message %FWSM-3-318007: OSPF is enabled on string during idb initialization

Explanation An internal error occurred.

Recommended Action To determine what is causing this problem, contact your Cisco technical support
representative for assistance.

Error Message %FWSM-4-409011: OSPF detected duplicate router-id ip_address from ip_address on interface interface_name

Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing
process. A full adjacency cannot be established.

Recommended Action The OSPF router ID should be unique. Change the neighbor's router ID.

Error Message %FWSM-4-409012: Detected router with duplicate router ID ip_address in area area_name

Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing
process. A full adjacency cannot be established.

Recommended Action The OSPF router ID should be unique. Change the neighbor's router ID.

Error Message %FWSM-4-409013: Detected router with duplicate router ID ip_address in Type-4 LSA advertised by ip_address

Explanation OSPF received a hello packet from a neighbor that has the same router ID as this routing
process. A full adjacency cannot be established.

Recommended Action The OSPF router ID should be unique. Change the neighbor's router ID.

Error Message %FWSM-3-318008: OSPF process number is changing router-id. Reconfigure virtual link neighbors with our new router-id

Explanation The OSPF process is being reset, and it is going to select a new router ID, which will bring
down all virtual links. To make the links work again, the virtual link configuration needs to be
changed on all virtual link neighbors.

Recommended Action Change virtual link configuration on all the virtual link neighbors, to reflect our
new router ID.

Error Message %FWSM-3-319001: Acknowledge for arp update for IP address dest_addr
not received (number).

Explanation The ARP process in the Firewall Services Module lost internal synchronization because
the system was overloaded.

Recommended Action No immediate action is required. The failure is only temporary. Check the
average load of the system and make sure it is not used beyond its capabilities.

Error Message %FWSM-3-319002: Acknowledge for route update for IP address dest_addr
not received (number).

Explanation The routing module in the Firewall Services Module lost internal synchronization
because the system was overloaded.

Recommended Action No immediate action required. The failure is only temporary. Check the average
load of the system and make sure it is not used beyond its capabilities.

Error Message %FWSM-3-319003: Arp update for IP address dest_addr failed (number).

Explanation The ARP module in the Firewall Services Module lost internal synchronization because
the system was overloaded.

Recommended Action No immediate action required. The failure is only temporary. Check the average
load of the system and make sure it is not used beyond its capabilities.

Error Message %FWSM-3-319004: Route update for IP address dest_addr failed (number).

Explanation The routing module in the Firewall Services Module lost internal synchronization
because the system was overloaded.

Recommended Action No immediate action required. The failure is only temporary. Check the average
load of the system and make sure it is not used beyond its capabilities.

Shun
Error Message %FWSM-4-401001: Shuns cleared

Explanation The clear shun command was entered to remove existing shuns from memory.

Recommended Action None required. This message provides a record of shunning activity.

Error Message %FWSM-4-401002: Shun added: IP_addr IP_addr port port

Explanation A shun command was entered, where the first IP address is the shunned host. The other
addresses and ports are optional and are used to terminate the connection if available.

Recommended Action None required. This message provides a record of shunning activity.

Error Message %FWSM-4-401003: Shun deleted: IP_addr

Explanation A single shunned host was removed from the shun database.

Recommended Action None required. This message provides a record of shunning activity.

Error Message %FWSM-4-401004: Shunned packet: IP_addr ==> IP_addr on interface int_name

Explanation A packet was dropped because the host defined by IP source is a host in the shun
database. A shunned host cannot pass traffic on the interface on which it is shunned. For example, an
external host on the Internet can be shunned on the outside interface.

Recommended Action None required. This message provides a record of the shunned host's activity.
This message and the next message (%FWSM-4-401005) can be used for further risk assessment
concerning this host.

Error Message %FWSM-4-401005: Shun add failed: unable to allocate resources for
IP_addr IP_addr port port

Explanation The module is out of memory; a shun could not be applied.

Recommended Action The Cisco Secure Intrusion Detection System should continue to attempt to
apply this rule. Attempt to reclaim memory and reapply shun manually, or wait for the Cisco Secure
Intrusion Detection System to do this process.
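The VPN section notes that 402101, 402102, 402103 and 402106 "may be an attack" or a "hostile event", 106012 records a discarded packet with IP options, and the Shun section says that 401004 and 401005 can be used for risk assessment of a host. The following added example (not code from the Cisco document) shows one way a log-collection side could act on that guidance: it parses the %FWSM-severity-id message format used throughout this appendix, tallies 401004 shunned packets per source host and interface, and collects the attack-indicator messages and the failover out-of-sync messages (210006, 210008, 210020, 210021, 210022) for review. The grouping of IDs into categories and the sample log lines are this example's own construction.

```python
import re
from collections import Counter

# Message IDs are the ones listed in this appendix; the grouping is this example's own.
ATTACK_INDICATORS = {
    "106012": "IP packet with IP options discarded",
    "402101": "IPSec packet with unknown SPI",
    "402102": "IPSec packet missing AH/ESP header",
    "402103": "IPSec traffic does not match negotiated identity",
    "402106": "non-IPSec packet matched the crypto map ACL",
}
FAILOVER_SYNC_IDS = {"210006", "210008", "210020", "210021", "210022"}

# %FWSM-<severity 0-7>-<six-digit id>: <text>; search() tolerates a syslog timestamp prefix.
MSG_RE = re.compile(r"%FWSM-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)")
SHUNNED_PKT_RE = re.compile(
    r"Shunned packet:\s*(?P<src>\S+)\s*==>\s*(?P<dst>\S+)\s+on interface\s+(?P<ifc>\S+)")


def parse_line(line: str):
    """Split one syslog line into severity, message id and text; None if not an FWSM message."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return {"severity": int(m.group("sev")), "id": m.group("id"),
            "text": m.group("text").strip()}


def triage(lines):
    """Summarise a batch of FWSM syslog lines by security-relevant category."""
    summary = {
        "attack_indicators": [],      # (id, meaning, text) for messages the appendix flags
        "shunned_packets": Counter(),  # (source host, interface) -> number of 401004 hits
        "shun_add_failed": 0,          # 401005: shun could not be applied (out of memory)
        "failover_sync": Counter(),    # id -> count of active/standby out-of-sync messages
        "unparsed": 0,
    }
    for line in lines:
        msg = parse_line(line)
        if msg is None:
            summary["unparsed"] += 1
            continue
        mid = msg["id"]
        if mid in ATTACK_INDICATORS:
            summary["attack_indicators"].append((mid, ATTACK_INDICATORS[mid], msg["text"]))
        elif mid == "401004":
            pm = SHUNNED_PKT_RE.search(msg["text"])
            if pm:
                summary["shunned_packets"][(pm.group("src"), pm.group("ifc"))] += 1
        elif mid == "401005":
            summary["shun_add_failed"] += 1
        elif mid in FAILOVER_SYNC_IDS:
            summary["failover_sync"][mid] += 1
    return summary


def noisiest_shunned(summary, n=3):
    """Shunned hosts that keep sending traffic, most active first."""
    return summary["shunned_packets"].most_common(n)


# Constructed sample log (documentation addresses, not real hosts).
SAMPLE_LOG = """\
Mar 12 2003 10:02:31: %FWSM-4-401004: Shunned packet: 203.0.113.7 ==> 192.0.2.10 on interface outside
%FWSM-4-401004: Shunned packet: 203.0.113.7 ==> 192.0.2.11 on interface outside
%FWSM-4-401004: Shunned packet: 198.51.100.4 ==> 192.0.2.10 on interface outside
%FWSM-4-402106: Rec'd packet not an IPSEC packet (ip) dest_addr= 192.0.2.1, src_addr= 198.51.100.9, prot= 50
%FWSM-1-106012: Deny IP from 198.51.100.9 to 192.0.2.10, IP options 8307040a00000100.
%FWSM-6-210022: LU missed 12 updates
%FWSM-6-311001: LU loading standby start
not an FWSM line
"""


def run_sample():
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    s = run_sample()
    print("shunned hosts:", noisiest_shunned(s))
    print("attack indicators:", s["attack_indicators"])
    print("failover sync messages:", dict(s["failover_sync"]))
```

A repeated 210022 or other failover-sync count is the trigger for the `write standby` check the failover entries recommend, while a growing 401004 count for one host is the kind of record the Shun section says to use for risk assessment.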
