Chapter 1
Introduction to the Firewall Services Module
For multiple context mode, if you place the MSFC behind the FWSM, you should only connect it to a
single context. If you connect the MSFC to multiple contexts, the MSFC will route between the contexts,
which might not be your intention. The typical scenario for multiple contexts is to use the MSFC in front
of all the contexts to route between the Internet and the switched networks (see Figure 1-2).
Firewall Mode Overview
The FWSM runs in two different firewall modes:
• Routed
• Transparent
In routed mode, the FWSM is considered to be a router hop in the network.
In transparent mode, the FWSM acts like a "bump in the wire," or a "stealth firewall," and is not
considered a router hop. The FWSM connects to the same network on its inside and outside interfaces.
You can configure up to eight pairs of interfaces (called bridge groups) to connect to eight different
networks, per context.
You might use a transparent firewall to simplify your network configuration. Transparent mode is also
useful if you want the firewall to be invisible to attackers. You can also use a transparent firewall for
traffic that would otherwise be blocked in routed mode. For example, a transparent firewall can allow
unsupported routing protocols.
In multiple context mode, you can choose the mode for each context independently, so some contexts
can run in transparent mode while others can run in routed mode.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
Figure 1-2 MSFC Placement with Multiple Contexts
[Figure labels: Internet, MSFC, Admin Context, Context A, Context B, Context C; VLAN 100, VLAN 200, VLAN 201, VLAN 202, VLAN 203, VLAN 204; Admin Network; Inside Customer A, Inside Customer B, Inside Customer C.]