Chapter 5
Configuring the Firewall Mode
Routed Mode Overview

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01

The following steps describe how data moves through the FWSM (see Figure 5-3):

1. A user on the inside network requests a web page from the DMZ web server using the destination address of 10.1.1.3.

2. The FWSM receives the packet and, because it is a new session, verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).

   For multiple context mode, the FWSM first classifies the packet according to either a unique interface or a unique destination address associated with a context; the destination address is associated by matching an address translation in a context. In this case, the interface is unique; the web server IP address does not have a current address translation.

3. The FWSM then records that a session is established and forwards the packet out of the DMZ interface.

4. When the DMZ web server responds to the request, the packet goes through the fast path, which lets the packet bypass the many lookups associated with a new connection.

5. The FWSM forwards the packet to the inside user.

An Outside User Attempts to Access an Inside Host

Figure 5-4 shows an outside user attempting to access the inside network.

Figure 5-4 Outside to Inside
[Figure: labels shown are www.example.com, Outside, 209.165.201.2, FWSM, 10.1.2.1, 10.1.1.1, Inside, User, 10.1.2.27, DMZ]
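The five steps above and the outside-to-inside attempt in Figure 5-4, modelled as an added Python example that is not Cisco code and not part of this guide. The context table (ctxA, ctxB, the translated address 209.165.201.10), the access list, and the names classify, Fwsm and demo are all constructed for illustration; the hosts and addresses follow the figures.

```python
from dataclasses import dataclass, field

# Constructed multiple-context table: each context owns interfaces and may own
# translated (global) addresses. "dmz" is deliberately shared by two contexts.
CONTEXTS = {
    "ctxA": {"interfaces": {"outside", "inside", "dmz"}, "xlates": set()},
    "ctxB": {"interfaces": {"dmz"}, "xlates": {"209.165.201.10"}},  # constructed
}

def classify(ingress_if, dst):
    """Step 2 classifier: a uniquely owned ingress interface decides; otherwise
    the destination must match exactly one context's address translation."""
    owners = [c for c, v in CONTEXTS.items() if ingress_if in v["interfaces"]]
    if len(owners) == 1:
        return owners[0]
    owners = [c for c, v in CONTEXTS.items() if dst in v["xlates"]]
    return owners[0] if len(owners) == 1 else None

@dataclass
class Fwsm:
    acl: list                       # (src_prefix, dst, dport) permits for new sessions
    sessions: set = field(default_factory=set)
    slow_path: int = 0              # full policy evaluation (new sessions)
    fast_path: int = 0              # established-session hits (reply traffic)

    def forward(self, ingress_if, src, sport, dst, dport):
        """Return the verdict for one packet (src:sport -> dst:dport)."""
        if (dst, dport, src, sport) in self.sessions:   # step 4: reply, fast path
            self.fast_path += 1
            return "fast-path"
        self.slow_path += 1                              # step 2: new session
        if classify(ingress_if, dst) is None:
            return "drop: no context"
        if not any(src.startswith(p) and dst == d and dport == dp
                   for p, d, dp in self.acl):
            return "drop: acl"
        self.sessions.add((src, sport, dst, dport))      # step 3: record session
        return "permit"

def demo():
    """Inside user 10.1.2.27 fetches the DMZ web server 10.1.1.3, the server
    replies, then a constructed outside host tries the inside user directly."""
    fw = Fwsm(acl=[("10.1.2.", "10.1.1.3", 80)])       # constructed policy
    return [
        fw.forward("inside", "10.1.2.27", 40000, "10.1.1.3", 80),
        fw.forward("dmz", "10.1.1.3", 80, "10.1.2.27", 40000),
        fw.forward("outside", "209.165.201.2", 5555, "10.1.2.27", 80),
    ]
```

Only the first packet of each flow pays for the policy lookups; the reply is matched against the recorded session and takes the fast path, while the outside host's new session fails the constructed access list.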