Cisco Catalyst 6500 Series Configuration Manual page 73

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01, page 4-15
Chapter 4: Configuring the Firewall Mode
Firewall Mode Overview

4. If the destination MAC address is in its table, the FWSM forwards the packet out of the inside interface on VLAN 200.
   If the destination MAC address is not in the FWSM table, the FWSM attempts to discover the MAC address by sending an ARP request and a ping. The first packet is dropped.
5. When the website responds to the request, the packet goes through the FWSM, and because the session is already established, the packet bypasses the many lookups associated with a new connection.
6. The FWSM forwards the packet to the outside user.

An Outside User Attempts to Access an Inside Host

Figure 4-5 shows an outside user attempting to access a host on the inside network.

Figure 4-11 Outside to Inside
[Diagram labels: Host, Internet, Switch, FWSM, Host, VLAN 100, VLAN 200, 209.165.201.2, 209.165.201.6, 209.165.201.3]

The steps below describe how data moves through the FWSM (see Figure 4-5):

1. A user on the outside network attempts to reach an inside host.
2. The FWSM receives the packet and, because it is a new session, it verifies if the packet is allowed according to the terms of the security policy (ACLs, filters, AAA).
3. The packet is denied, and the FWSM drops the packet.
4. If the outside user is attempting to attack the inside network, the FWSM employs many technologies to determine if a packet is valid for an already established session. See the "Other Protection Features" section on page 1-6 for more information.
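The two flows in the steps above can be modelled in a few lines of Python. This is an added illustration, not Cisco code or behaviour taken from the guide: the class and verdict names, the inside-only policy, the address-pair session key and the point at which a session is recorded are assumptions, and all addresses and MAC labels are constructed.

```python
"""Toy model of the packet flow in the steps above (added example, not Cisco code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrives on: "inside" or "outside"
    src: str
    dst: str
    dst_mac: str


@dataclass
class FirewallModel:
    permit_new_from: set                          # assumed policy: interfaces allowed to open sessions
    mac_table: set = field(default_factory=set)   # known destination MAC addresses
    sessions: set = field(default_factory=set)    # established flows, keyed by address pair

    def handle(self, pkt: Packet) -> str:
        flow = frozenset((pkt.src, pkt.dst))      # simplification: real session keys include ports
        established = flow in self.sessions
        if not established:
            # New session: the only point where policy (ACLs, filters, AAA) is consulted.
            if pkt.ingress not in self.permit_new_from:
                return "DROP_POLICY"
            self.sessions.add(flow)               # assumption: recorded as soon as policy permits
        if pkt.dst_mac not in self.mac_table:
            # Stands in for the ARP request and ping; the triggering packet is dropped.
            self.mac_table.add(pkt.dst_mac)
            return "DROP_MAC_DISCOVERY"
        return "FORWARD_ESTABLISHED" if established else "FORWARD_NEW"


def run_demo() -> list:
    # Constructed sample traffic using documentation addresses (RFC 5737) and made-up MAC labels.
    fw = FirewallModel(permit_new_from={"inside"},
                       mac_table={"mac-inside-host", "mac-server-a"})
    packets = [
        Packet("inside", "192.0.2.10", "198.51.100.1", "mac-server-a"),      # new, permitted
        Packet("inside", "192.0.2.10", "198.51.100.2", "mac-server-b"),      # MAC unknown
        Packet("outside", "198.51.100.1", "192.0.2.10", "mac-inside-host"),  # reply to first
        Packet("outside", "203.0.113.7", "192.0.2.10", "mac-inside-host"),   # unsolicited
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The reply from the first server is forwarded without a policy lookup because its flow is already in the session table, while the unsolicited outside packet never gets past the policy check.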
