
4/24/13

Cisco ASA FWSM Intresting Features Configuration Examples


Cisco FWSM Intresting Configuration Examples

Table of Contents
1.1. Cisco FWSM console cable installation.
1.2. Cisco FWSM network processor
1.3. FWSM "show np blocks" explained
1.4. Credits

Cisco FWSM console cable installation.

There are a few reasons why a console cable may be required for accessing the FWSM: in case you have locked yourself out of the FWSM and need to do a password recovery, in case there is an operating system failure and you need to intervene, etc. In any case it is sometimes useful to access the device via the console. Usually the FWSM is accessed from the Cisco CAT 6500 switch by issuing the command session slot 1 processor 1, where slot 1 is the slot holding the FWSM.

Instructions on how to achieve that:
- Shut down the FWSM from the Cisco CAT 6500 switch.
- Open the blade and insert the cable as shown below.
- Insert the blade back and leave the console cable protruding so you can plug it into the back of your PC.


    access-list wccp-traffic extended permit ip 192.168.1.0 255.255.255.0 any
    !
    access-list wccp-destination extended permit ip host 192.168.1.10 any
    !
    ! the group-list must name an ACL that exists; the cache-server ACL defined above is wccp-destination
    wccp web-cache redirect-list wccp-traffic group-list wccp-servers
    wccp interface inside web-cache redirect in

Cisco FWSM network processor

What is the Cisco FWSM network processor? Very little has been written about the FWSM network processor; the information below is what I have found on Wikipedia. The FWSM has four processors: one central CPU (a 1 GHz Pentium III) and three network processors (IBM 4GS3 PowerNP). The central CPU is responsible for fixups and for traffic sourced from and destined to the FWSM itself (mainly management traffic). The central CPU is also responsible for rule-base compilation: the rule base is converted (compiled) into configuration for the network processors, so the majority of the traffic is handled in dedicated hardware. The three network processors in the FWSM handle the majority of the traffic. Fast Path NP1 and NP2 handle the main traffic and each have three 1 Gigabit connections to the backplane. The third NP sits above NP1 and NP2 and is the session manager. As the rule base is compiled into hardware, the FWSM has clear restrictions on the maximum number of Access Control Entries (ACEs). The limitation is only reached with large and inefficient rule bases. The limit cannot be extended by a memory upgrade as on the PIX and ASA platforms.


NP1 and NP2 are the front-line processors that are responsible for reading and analyzing all traffic initially. NP1 and NP2 are responsible for receiving packets from the switch across the backplane connection. NP1 and NP2 each have three 1 Gigabit connections which connect the FWSM to the backplane of the switch. Adding these all together gives you the 6 Gigabit link identified in the FWSM datasheets.

NP1 and NP2 are responsible for the following functions:
- Perform per-packet session lookup
- Maintain the connection table
- Perform NAT/PAT
- TCP checks
- Handle reassembled IP packets (NP2 only)
- TCP sequence number shift for "randomization"
- SYN cookies

NP3 sits above NP1 and NP2. NP3 is also known as the session manager and performs the following functions:
- Processes the first packet in a flow
- ACL checks
- Translation creation
- Embryonic/established connection counts
- TCP/UDP checksums
- Per-flow offset calculation for TCP sequence number "randomization"
- TCP intercept
- IP reassembly

NP3 talks to NP1 and NP2 as well as the CP. All packets that reach NP3 must first be processed by NP1 and NP2. The Control Point sits above NP3 and similarly only sees traffic that is forwarded via NP3. The Control Point is primarily responsible for performing Layer 7 fixups, for example for traffic that requires embedded NAT or command inspection. The CP is also responsible for handling traffic sourced from or destined to the FWSM itself:
- Syslogs
- AAA (RADIUS/TACACS+)
- URL filtering (Websense/N2H2)
- Management traffic (telnet/SSH/HTTPS/SNMP)
- Failover communications
- Routing protocols
- Most Layer 7 fixups/inspections


FWSM "show np blocks" explained

The "show np blocks" output measures the state of the three network processors against three different threshold values. We increment the appropriate threshold counter each time one of the 0/1/2 thresholds has been crossed for the number of free blocks.

    FWSM/pri/act# sho np blocks
                   MAX     FREE    THRESH_0  THRESH_1  THRESH_2
    NP1 (ingress)  32768   32768   0         0         0
        (egress)   521206  521206  0         0         0
    NP2 (ingress)  32768   32768   0         0         0
        (egress)   521206  521206  0         0         0
    NP3 (ingress)  32768   32768   0         0         0
        (egress)   521206  521206  0         0         0

If the threshold 2 count increases, packets will still be processed; this is only a warning indicating that we are close to reaching the maximum threshold.

If the threshold 1 count increases, then data packets will be dropped. This includes packets flowing across the firewall and even those sent to the firewall (IP packets).

If the threshold 0 count increases, then control packets are dropped. These control packets are internal packets that are passed across multiple processors in the system - this is very serious.
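As an added example (not code from the original page), a small Python monitor that parses the "show np blocks" table and reports every THRESH counter that has increased since the previous poll, graded by the meaning the text gives each threshold. The sample output and the non-zero counter in the second poll are constructed.

```python
import re

# Constructed "show np blocks" snapshots modelled on the table on this page.
# MAX/FREE values are the page's own; the non-zero THRESH_2 counter on the
# NP2 egress row of the second snapshot is constructed to trigger an alert.
BASELINE = """\
FWSM/pri/act# sho np blocks
               MAX     FREE    THRESH_0  THRESH_1  THRESH_2
NP1 (ingress)  32768   32768   0         0         0
    (egress)   521206  521206  0         0         0
NP2 (ingress)  32768   32768   0         0         0
    (egress)   521206  521206  0         0         0
NP3 (ingress)  32768   32768   0         0         0
    (egress)   521206  521206  0         0         0
"""
# Second poll: NP2 egress has fewer free blocks and THRESH_2 has ticked up.
LATER = BASELINE.replace("521206  521206  0         0         0\nNP3",
                         "521206  518900  0         0         3\nNP3")

ROW_RE = re.compile(r"^(NP\d)?\s*\((ingress|egress)\)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
COUNTERS = ("THRESH_0", "THRESH_1", "THRESH_2")
# Meaning of each counter increasing, as explained on this page.
SEVERITY = {
    "THRESH_2": "warning: close to the maximum threshold, packets still processed",
    "THRESH_1": "critical: data packets are being dropped",
    "THRESH_0": "severe: internal control packets between processors are dropped",
}

def parse_np_blocks(text):
    """Map (np, direction) -> {MAX, FREE, THRESH_0, THRESH_1, THRESH_2}."""
    rows, np_name = {}, None
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                          # prompt and header lines
        np_name = m.group(1) or np_name       # egress rows inherit the NP label
        values = [int(v) for v in m.groups()[2:]]
        rows[(np_name, m.group(2))] = dict(zip(("MAX", "FREE") + COUNTERS, values))
    return rows

def np_block_alerts(previous, current):
    """List every threshold counter that rose between two polls."""
    prev, curr = parse_np_blocks(previous), parse_np_blocks(current)
    alerts = []
    for key, stats in curr.items():
        for counter in COUNTERS:
            delta = stats[counter] - prev.get(key, {}).get(counter, 0)
            if delta > 0:
                alerts.append((key[0], key[1], counter, delta, SEVERITY[counter]))
    return alerts
```

Polling the command on a schedule and feeding consecutive outputs to np_block_alerts turns the page's three rules into an alert per NP and direction, with THRESH_0 increments being the ones to page on.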

Credits

https://supportforums.cisco.com
www.wikipedia.com

Recommended Reading
1. Cisco ACS Best Practices document
2. Cisco ASA Best Practices and Security Hardening Document
3. Cisco-vpn-ipsec-configuration-examples
4. Cisco-ids-ips-aip-idsm-configuration-examples
5. Detailed Cisco ACS 5.2 installation and configuration example with print screens


Copyright Security Solutions - All rights reserved.
