Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide

Configuring Interfaces

By default, all interfaces are enabled. For each interface, you must provide a name and a security level.

Note: If you are using failover, do not use this procedure to name the interfaces that you are reserving for failover and stateful failover communications. See Chapter 15, "Using Failover," to configure the failover and state links.

This section includes the following topics:

• Security Level Overview, page 6-6
• Setting the Name and Security Level, page 6-7
• Allowing Communication Between Interfaces on the Same Security Level, page 6-8
• Turning Off and Turning On Interfaces, page 6-10

Security Level Overview

Each interface must have a security level from 0 (lowest) to 100 (highest). For example, assign your most secure network, such as the inside host network, level 100, and assign the outside network connected to the Internet level 0. Other networks, such as DMZs, can be anywhere in between. You can also assign several interfaces the same security level; see the "Allowing Communication Between Interfaces on the Same Security Level" section on page 6-8 for more information.

For interfaces that are on different security levels, the level controls the following behavior:

• NAT—When hosts on a higher security interface (inside) access hosts on a lower security interface (outside), you must configure Network Address Translation (NAT) for the inside hosts or specifically configure the inside hosts to bypass NAT. An inside host can communicate with the untranslated local address of the outside host without any special configuration on the outside interface. However, you can also optionally perform NAT on the outside network.

• Inspection engines—Some inspection engines depend on the security level:
  – SMTP inspection engine—Applied only for inbound connections (from a lower level to a higher level), which protects the SMTP servers on the higher security interface.
  – NetBIOS inspection engine—Applied only for outbound connections (from a higher level to a lower level).
  – XDMCP inspection engine—The XDMCP server can be configured only on the outside interface.
  – OraServ inspection engine—If a control connection for the OraServ port exists between a pair of hosts, then only an inbound data connection is permitted through the FWSM.

• Filtering—HTTP(S) and FTP filtering applies only for outbound connections (from a higher level to a lower level).

• TCP intercept—The TCP intercept feature applies only to hosts or servers on a higher security level. See the "Other Protection Features" section on page 1-6 for more information about TCP intercept. This feature is configured using the emb_limit option in the nat and static commands.
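The following configuration is an added example, not taken from this guide, that puts the level model above into a three-interface layout: inside at 100, a DMZ at 50 and outside at 0, with outbound NAT for the higher-level networks, a static translation whose emb_limit enables TCP intercept for a DMZ server, an identity-NAT bypass for inside-to-DMZ flows, and the command that permits traffic between interfaces sharing a level. The VLAN IDs, interface names, addresses (RFC 5737 documentation ranges), access list names and NAT pool are all constructed. The command syntax assumes the FWSM 2.x single-line nameif form and PIX-style nat, global and static commands; confirm the exact forms against the "Setting the Name and Security Level" section and the NAT and access list chapters for your release.

```text
! Added example (not from this guide). Names, VLANs, addresses and pool
! are constructed; the command forms are an assumption for FWSM 2.x.

! Name each interface and assign its security level (0 lowest, 100 highest).
nameif vlan100 inside security100
nameif vlan200 dmz security50
nameif vlan300 outside security0

ip address inside 10.1.1.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
ip address outside 203.0.113.2 255.255.255.0

! Outbound (higher level to lower level) traffic requires NAT, so map the
! inside and dmz networks to a global pool on the outside interface.
! The trailing "0 0" are max_conns and emb_limit (0 = unlimited), so no
! TCP intercept is applied to these outbound flows.
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (dmz) 1 192.168.10.0 255.255.255.0 0 0
global (outside) 1 203.0.113.10-203.0.113.20 netmask 255.255.255.0

! Inside-to-dmz flows that should see the real dmz addresses: identity NAT
! driven by an access list bypasses translation for those flows only.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Inbound (lower level to higher level) access to a dmz mail server.
! The static translation carries max_conns 0 (unlimited) and emb_limit 100:
! once 100 half-open (embryonic) connections to the server exist, TCP
! intercept answers new SYNs on the server's behalf, which is the protection
! the overview says applies only to hosts on the higher security level.
static (dmz,outside) 203.0.113.30 192.168.10.30 netmask 255.255.255.255 0 100
access-list OUTSIDE_IN permit tcp any host 203.0.113.30 eq smtp
access-group OUTSIDE_IN in interface outside

! Access lists on the other interfaces (assumed here; the FWSM is documented
! as passing no traffic without a permitting access list, so outbound flows
! need one as well; see the access list chapter of this guide).
access-list INSIDE_OUT permit ip 10.1.1.0 255.255.255.0 any
access-group INSIDE_OUT in interface inside
access-list DMZ_OUT permit ip 192.168.10.0 255.255.255.0 any
access-group DMZ_OUT in interface dmz

! If a second DMZ were added at security50, traffic between the two
! same-level interfaces stays blocked until explicitly permitted.
same-security-traffic permit inter-interface
```

Reading the example against the overview: the SMTP inspection engine will apply to the inbound connections to 203.0.113.30 because they travel from level 0 to level 50, HTTP(S)/FTP filtering and NetBIOS inspection would apply only to the outbound flows covered by the nat 1 entries, and TCP intercept is armed only where emb_limit is non-zero, which here is the static for the dmz server and not the outbound nat entries.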
Chapter 6, Configuring Basic Settings
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01, page 6-6