Admin Context Configuration; How the FWSM Classifies Packets; Valid Classifier Criteria - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
Chapter 4
Configuring Security Contexts

Admin Context Configuration

The admin context is just like any other context, except that a user who logs in to the admin context has system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. However, because logging in to the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users. The admin context must reside on flash memory, and not remotely.

If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as a file on the internal flash memory called admin.cfg. This context is named "admin." If you do not want to use admin.cfg as the admin context, you can change the admin context.

How the FWSM Classifies Packets

Each packet that enters the FWSM must be classified, so that the FWSM can determine to which context to send the packet. The FWSM uses only one global MAC address across all interfaces. A single MAC address is usually not a problem unless multiple contexts want to share an interface. A router cannot direct packets to IP addresses on the same network if all IP addresses resolve to the same MAC address. Moreover, the bridging table of the switch would constantly change as the MAC address moves from one interface to another. The purpose of the security context classifier is to resolve this situation.
This section includes the following topics:

Valid Classifier Criteria, page 4-3
Invalid Classifier Criteria, page 4-4
Classification Examples, page 4-5

Valid Classifier Criteria

If only one context is associated with the ingress interface, the FWSM classifies the packet into that context. In transparent firewall mode, unique interfaces for contexts are required, so this method is used to classify packets at all times. The only exception in transparent mode is for a shared management VLAN; for management traffic destined for an interface, the interface IP address is used for classification.

If multiple contexts share an interface, then the classifier intercepts the packet and performs a destination IP address lookup. All other fields are ignored; only the destination IP address is used. To use the destination address for classification, the classifier must have knowledge about the subnets located behind each security context. The classifier relies on active NAT sessions to determine the subnets in each context. Active NAT sessions are created either by static commands, which create a permanent session, or by active dynamic NAT sessions.

For example, the classifier gains knowledge about subnets 10.10.10.0, 10.20.10.0 and 10.30.10.0 when the context administrators configure static commands in each context:

Context A:
static (inside,shared) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

Context B:
static (inside,shared) 10.20.10.0 10.20.10.0 netmask 255.255.255.0

Context C:

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
Security Context Overview
4-3
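The classification rule described above (unique ingress interface wins outright; on a shared interface only the destination IP address is consulted, against subnets learned from static commands) can be modelled in a few lines. The following Python is an added illustration, not FWSM code and not from the guide: it parses static commands in the form shown on this page, builds the per-context subnet table the classifier would learn, and classifies constructed sample packets. The interface "dmz_d", context "D", the sample packets, and the decision to treat a destination that matches more than one context as a misconfiguration are all assumptions of this example.

```python
import ipaddress
import re

# Constructed sample configuration (not the guide's own): contexts A, B and C
# share the "shared" interface; context D (assumed) owns a dedicated interface.
SAMPLE_CONFIG = {
    "A": ["static (inside,shared) 10.10.10.0 10.10.10.0 netmask 255.255.255.0"],
    "B": ["static (inside,shared) 10.20.10.0 10.20.10.0 netmask 255.255.255.0"],
    "C": ["static (inside,shared) 10.30.10.0 10.30.10.0 netmask 255.255.255.0"],
}
# Interface -> contexts that have that interface allocated (assumed layout).
INTERFACE_MEMBERS = {"shared": ["A", "B", "C"], "dmz_d": ["D"]}

# Matches the static form used on this page: static (real_if,mapped_if) real mapped netmask mask
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)$")


def learn_subnets(config):
    """Build {context: [(mapped_interface, network)]} from static commands.

    Only the mapped (global) side is recorded here: that is the address a packet
    arriving on the mapped interface is destined to, which is what the classifier
    looks up on a shared interface.
    """
    table = {}
    for ctx, lines in config.items():
        for line in lines:
            m = STATIC_RE.match(line.strip())
            if not m:
                raise ValueError(f"unrecognised static command: {line!r}")
            _real_if, mapped_if, _real_addr, mapped_addr, mask = m.groups()
            net = ipaddress.ip_network(f"{mapped_addr}/{mask}", strict=False)
            table.setdefault(ctx, []).append((mapped_if, net))
    return table


def classify(ingress_if, dst_ip, subnets, interface_members):
    """Return the context a packet is classified into, or None if it cannot be."""
    members = interface_members.get(ingress_if, [])
    if not members:
        return None  # interface belongs to no context: nothing to deliver to
    if len(members) == 1:
        return members[0]  # unique ingress interface: no lookup needed
    # Shared interface: destination IP lookup only; every other field is ignored.
    dst = ipaddress.ip_address(dst_ip)
    matches = [
        ctx
        for ctx in members
        for iface, net in subnets.get(ctx, [])
        if iface == ingress_if and dst in net
    ]
    if len(matches) > 1:
        # The destination address alone cannot decide; this example treats
        # overlapping subnets on a shared interface as a configuration error.
        raise ValueError(f"{dst_ip} on {ingress_if} matches contexts {matches}")
    return matches[0] if matches else None  # None: unknown destination, undeliverable


if __name__ == "__main__":
    subnets = learn_subnets(SAMPLE_CONFIG)
    for iface, dst in [("shared", "10.20.10.5"), ("shared", "192.0.2.1"), ("dmz_d", "192.0.2.1")]:
        print(iface, dst, "->", classify(iface, dst, subnets, INTERFACE_MEMBERS))
```

The lookup is deliberately blind to source address, port and protocol, which mirrors the statement that all other fields are ignored; a packet arriving on the shared interface for a destination no context has advertised through a static command has nowhere to go.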
