Cisco Catalyst 6500 Series Configuration Manual page 64

Chapter 4 Configuring the Firewall Mode
Firewall Mode Overview
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01, page 4-6

The steps below describe how data moves through the FWSM (see Figure 4-4):

1. A user on the inside network requests a web page from the DMZ website using the destination address of 10.1.1.3. Because the DMZ is a lower security interface, the inside user can use the untranslated local address of the web server.
2. The FWSM receives the packet, and because it is a new session, the FWSM verifies that the packet is allowed according to the terms of the security policy (ACLs, filters, AAA). For multiple context mode, the FWSM first classifies the packet according to either a unique VLAN or a unique destination address. In this case, the VLAN would be unique because the destination is on a different interface in the same context.
3. The FWSM translates the local source address to the global address 10.1.1.15, which is on the DMZ subnet.
4. The FWSM then records that a session is established and forwards the packet out of the DMZ interface.
5. When the DMZ web server responds to the request, the packet goes through the fast path, which allows the packet to bypass the many lookups associated with a new connection. The fast path performs NAT by translating the global destination address to the local address of the user, 10.1.2.27.
6. The FWSM forwards the packet to the inside user.

An Outside User Attempts to Access an Inside Host

Figure 4-5 shows an outside user attempting to access the inside network.
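The six-step walk above, as an added example that is not Cisco code and not part of the guide: a toy Python model of a stateful firewall with a session table, where a new flow takes the slow path (route lookup, policy check, source NAT, session recording) and the server's reply takes the fast path (session hit, reverse NAT, no policy lookups). The hosts 10.1.2.27, 10.1.1.3 and 10.1.1.15 are the guide's; the interface subnets, the outside placeholder network 203.0.113.0/24, the ports, and the simplified ACL shape (ingress interface, destination network, destination port) are constructed assumptions, and multiple-context classification, filters and AAA are not modelled.

```python
"""Toy model of the FWSM packet walk in steps 1-6 (added example, not Cisco code).
Addresses 10.1.2.27, 10.1.1.3 and 10.1.1.15 come from the guide; the subnets,
ports and ACL shape are constructed assumptions."""
import ipaddress
from dataclasses import dataclass

# Connected subnet per interface (assumed; only the three hosts are from the page).
ROUTES = {
    "inside": ipaddress.ip_network("10.1.2.0/24"),
    "dmz": ipaddress.ip_network("10.1.1.0/24"),
    "outside": ipaddress.ip_network("203.0.113.0/24"),  # placeholder outside net
}

# Source translation: inside hosts leaving through the DMZ use this global address.
NAT_GLOBAL = {("inside", "dmz"): "10.1.1.15"}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    src_port: int
    dst_port: int


class MiniFwsm:
    """Stateful inspection with a session table: new flows take the slow path,
    return traffic for a recorded session takes the fast path."""

    def __init__(self, permits):
        # Simplified ACL: (ingress interface, destination network, destination port).
        self.permits = [(i, ipaddress.ip_network(n), p) for i, n, p in permits]
        # Session table keyed by (ingress iface, src, sport, dst, dport) as seen on
        # the wire; value is (egress iface, translated src, translated dst).
        self.sessions = {}

    def _egress(self, dst):
        addr = ipaddress.ip_address(dst)
        for iface, net in ROUTES.items():
            if addr in net:
                return iface
        return None

    def _permitted(self, pkt):
        addr = ipaddress.ip_address(pkt.dst)
        return any(i == pkt.in_iface and addr in net and p == pkt.dst_port
                   for i, net, p in self.permits)

    def forward(self, pkt):
        """Return the forwarding decision, or None when the packet is dropped."""
        key = (pkt.in_iface, pkt.src, pkt.src_port, pkt.dst, pkt.dst_port)
        hit = self.sessions.get(key)
        if hit is not None:
            # Step 5: fast path, no policy lookups, just apply the recorded NAT.
            out_iface, new_src, new_dst = hit
            return {"path": "fast", "out_iface": out_iface, "src": new_src, "dst": new_dst}

        # Step 2: new session, so route it and check the security policy.
        out_iface = self._egress(pkt.dst)
        if out_iface is None or out_iface == pkt.in_iface or not self._permitted(pkt):
            return None

        # Step 3: translate the source if a global address applies to this pair.
        new_src = NAT_GLOBAL.get((pkt.in_iface, out_iface), pkt.src)

        # Step 4: record the session in both directions, then forward.
        self.sessions[key] = (out_iface, new_src, pkt.dst)
        reverse = (out_iface, pkt.dst, pkt.dst_port, new_src, pkt.src_port)
        self.sessions[reverse] = (pkt.in_iface, pkt.dst, pkt.src)
        return {"path": "slow", "out_iface": out_iface, "src": new_src, "dst": pkt.dst}


def walk_through():
    """Replay the page's scenario, plus an unsolicited outside probe with no permit."""
    fw = MiniFwsm(permits=[("inside", "10.1.1.0/24", 80)])  # constructed ACL
    request = Packet("inside", "10.1.2.27", "10.1.1.3", 49152, 80)    # step 1
    outbound = fw.forward(request)                                    # steps 2-4
    reply = Packet("dmz", "10.1.1.3", "10.1.1.15", 80, 49152)         # step 5
    inbound = fw.forward(reply)                                       # step 6
    probe = Packet("outside", "203.0.113.5", "10.1.2.27", 40000, 22)  # no session, no permit
    blocked = fw.forward(probe)
    return outbound, inbound, blocked


if __name__ == "__main__":
    for label, result in zip(("request", "reply", "probe"), walk_through()):
        print(label, result)
```

The request leaves the DMZ interface with its source rewritten to 10.1.1.15, the reply is matched purely on the session key and has its destination rewritten back to 10.1.2.27 without touching the ACL, and a packet from outside that matches no session and no permit is dropped on the slow path. Keying the session table on the ingress interface as well as the five-tuple is deliberate: a return packet is only recognised on the interface the session was forwarded out of.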