Chapter 4
Configuring the Firewall Mode
Firewall Mode Overview

The steps below describe how data moves through the FWSM (see Figure 4-3):
1. A user on the outside network requests a web page from the DMZ website using the global destination address of 209.165.201.3, which is on the outside interface subnet.
2. The FWSM receives the packet, and because it is a new session, the FWSM verifies that the packet is allowed according to the terms of the security policy (ACLs, filters, AAA).
   For multiple context mode, the FWSM first classifies the packet according to either a unique VLAN or a unique destination address. In this case, even if the VLAN is not unique, the classifier "knows" that the DMZ web server address belongs to a certain context because of the NAT configuration.
3. The FWSM translates the destination address to the local address 10.1.1.3.
4. The FWSM then adds a session entry to the fast path and forwards the packet from the DMZ interface.
5. When the DMZ website responds to the request, the packet goes through the FWSM, and because the session is already established, the packet bypasses the many lookups associated with a new connection. The fast path performs NAT by translating the local source address to 209.165.201.3.
6. The FWSM forwards the packet to the outside user.
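The six steps above as an added Python model (not code from the Cisco guide): the first packet of a connection takes the slow path (policy check, static NAT, session entry), and the reply and every later packet of that session take the fast path. The ACL contents and the outside client address are assumptions; the two addresses 209.165.201.3 and 10.1.1.3 are the ones from the steps.

```python
from dataclasses import dataclass

# Static NAT for the DMZ web server (addresses from the steps above):
# global address on the outside subnet -> local address on the DMZ.
STATIC_NAT = {"209.165.201.3": "10.1.1.3"}
REVERSE_NAT = {local: glob for glob, local in STATIC_NAT.items()}

# Assumed security policy, not from the guide: the outside may reach the
# DMZ web server on TCP/80 only. (A real FWSM policy also covers filters and AAA.)
OUTSIDE_ACL = {("10.1.1.3", 80)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Fwsm:
    """Toy model: slow path (policy + NAT) for new sessions, fast path after."""

    def __init__(self):
        self.sessions = {}      # (src, sport, dst, dport) -> translated Packet
        self.policy_checks = 0  # counts packets that took the slow path

    def from_outside(self, pkt):
        """Outside -> DMZ. Returns the forwarded packet, or None when dropped."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:           # established: bypass the lookups
            return self.sessions[key]
        self.policy_checks += 1            # new session: full policy check
        local = STATIC_NAT.get(pkt.dst)
        if local is None or (local, pkt.dport) not in OUTSIDE_ACL:
            return None
        fwd = Packet(pkt.src, pkt.sport, local, pkt.dport)
        self.sessions[key] = fwd
        # Install the reverse entry too, so the reply rides the fast path and
        # gets its local source address translated back to the global one.
        reply_key = (local, pkt.dport, pkt.src, pkt.sport)
        self.sessions[reply_key] = Packet(REVERSE_NAT[local], pkt.dport,
                                          pkt.src, pkt.sport)
        return fwd

    def from_dmz(self, pkt):
        """DMZ -> outside. This model only covers the reply path of the steps:
        traffic with no matching session entry is not forwarded."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return self.sessions.get(key)
```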
An Inside User Visits a Website on the DMZ

Figure 4-4 shows an inside user accessing the DMZ website.

Figure 4-4 Inside to DMZ
[Figure: Catalyst switch with the FWSM; Inside User 10.1.2.27; FWSM interfaces: Inside 10.1.2.1, Outside 209.165.201.2, DMZ 10.1.1.1; DMZ Web Server 10.1.1.3; Source Addr Translation: 10.1.2.27 to 10.1.1.15]

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
4-5