Cisco OL-12172-01 User Manual

Firewall Mode Overview
This chapter describes how the firewall works in each firewall mode. To set the firewall mode, see the
Note In multiple context mode, you cannot set the firewall mode separately for each context; you can only set the firewall mode for the entire security appliance.
This chapter includes the following sections:
Routed Mode Overview, page 15-1
Transparent Mode Overview, page 15-7

Routed Mode Overview

In routed mode, the security appliance is considered to be a router hop in the network. It can use OSPF or RIP (in single context mode). Routed mode supports many interfaces. Each interface is on a different subnet. You can share interfaces between contexts.
This section includes the following topics:
IP Routing Support, page 15-1
How Data Moves Through the Security Appliance in Routed Firewall Mode, page 15-1

IP Routing Support

The security appliance acts as a router between connected networks, and each interface requires an IP address on a different subnet. In single context mode, the routed firewall supports OSPF and RIP. Multiple context mode supports static routes only. We recommend using the advanced routing capabilities of the upstream and downstream routers instead of relying on the security appliance for extensive routing needs.

How Data Moves Through the Security Appliance in Routed Firewall Mode

This section describes how data moves through the security appliance in routed firewall mode, and includes the following topics:
OL-12172-01
Cisco Security Appliance Command Line Configuration Guide
15-1
An Inside User Visits a Web Server, page 15-2
An Outside User Visits a Web Server on the DMZ, page 15-3
An Inside User Visits a Web Server on the DMZ, page 15-4
An Outside User Attempts to Access an Inside Host, page 15-5
A DMZ User Attempts to Access an Inside Host, page 15-6

An Inside User Visits a Web Server

Figure 15-1 shows an inside user accessing an outside web server.
Figure 15-1 Inside to Outside
Chapter 15 Firewall Mode Overview
[Figure 15-1 diagram: inside user 10.1.2.27 behind the inside interface (10.1.2.1), DMZ web server 10.1.1.3 behind the DMZ interface (10.1.1.1), outside interface 209.165.201.2 toward www.example.com; source address translation 10.1.2.27 to 209.165.201.10.]
The following steps describe how data moves through the security appliance (see Figure 15-1):
1. The user on the inside network requests a web page from www.example.com.
2. The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
For multiple context mode, the security appliance first classifies the packet according to either a unique interface or a unique destination address associated with a context; the destination address is associated by matching an address translation in a context. In this case, the interface would be unique; the www.example.com IP address does not have a current address translation in a context.
3. The security appliance translates the local source address (10.1.2.27) to the global address 209.165.201.10, which is on the outside interface subnet.
The global address could be on any subnet, but routing is simplified when it is on the outside interface subnet.
4. The security appliance then records that a session is established and forwards the packet from the outside interface.
5. When www.example.com responds to the request, the packet goes through the security appliance, and because the session is already established, the packet bypasses the many lookups associated with a new connection. The security appliance performs NAT by translating the global destination address to the local user address, 10.1.2.27.
6. The security appliance forwards the packet to the inside user.

An Outside User Visits a Web Server on the DMZ

Figure 15-2 shows an outside user accessing the DMZ web server.
Figure 15-2 Outside to DMZ
[Figure 15-2 diagram: outside user reaching the DMZ web server through the outside interface 209.165.201.2; inside interface 10.1.2.1, DMZ interface 10.1.1.1, DMZ web server 10.1.1.3; destination address translation 209.165.201.3 to 10.1.1.3.]
The following steps describe how data moves through the security appliance (see Figure 15-2):
1. A user on the outside network requests a web page from the DMZ web server using the global destination address of 209.165.201.3, which is on the outside interface subnet.
2. The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
For multiple context mode, the security appliance first classifies the packet according to either a unique interface or a unique destination address associated with a context; the destination address is associated by matching an address translation in a context. In this case, the classifier “knows” that the DMZ web server address belongs to a certain context because of the server address translation.
3. The security appliance translates the destination address to the local address 10.1.1.3.
4. The security appliance then adds a session entry to the fast path and forwards the packet from the DMZ interface.
5. When the DMZ web server responds to the request, the packet goes through the security appliance and because the session is already established, the packet bypasses the many lookups associated with a new connection. The security appliance performs NAT by translating the local source address to 209.165.201.3.
6. The security appliance forwards the packet to the outside user.

An Inside User Visits a Web Server on the DMZ

Figure 15-3 shows an inside user accessing the DMZ web server.
Figure 15-3 Inside to DMZ
[Figure 15-3 diagram: inside user 10.1.2.27 reaching the DMZ web server 10.1.1.3; outside interface 209.165.201.2, inside interface 10.1.2.1, DMZ interface 10.1.1.1.]
The following steps describe how data moves through the security appliance (see Figure 15-3):
1. A user on the inside network requests a web page from the DMZ web server using the destination address of 10.1.1.3.
2. The security appliance receives the packet and because it is a new session, the security appliance verifies that the packet is allowed according to the terms of the security policy (access lists, filters, AAA).
For multiple context mode, the security appliance first classifies the packet according to either a unique interface or a unique destination address associated with a context; the destination address is associated by matching an address translation in a context. In this case, the interface is unique; the web server IP address does not have a current address translation.
3. The security appliance then records that a session is established and forwards the packet out of the DMZ interface.
4. When the DMZ web server responds to the request, the packet goes through the fast path, which lets the packet bypass the many lookups associated with a new connection.
5. The security appliance forwards the packet to the inside user.
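The three step lists above (Figures 15-1 to 15-3), plus the outside-to-inside attempt of Figure 15-4, as an added Python model that is not part of the Cisco guide: a new session is classified, checked against the policy, translated and recorded; a reply that matches a recorded session takes the fast path and has its original addresses restored. The interface and host addresses are the chapter's; the outside host addresses, the /24 subnet boundaries and the set of permitted interface pairs are assumptions of the example.

```python
# Added example (not the Cisco guide's code): model of the routed-mode flow in this chapter.
# Addresses are the chapter's; outside hosts, /24 subnets and the policy are constructed.
# Static translation for the DMZ web server (Figure 15-2): global -> local.
STATIC_NAT = {"209.165.201.3": "10.1.1.3"}
# Dynamic source translation for the inside user (Figure 15-1): local -> global.
DYNAMIC_NAT = {"10.1.2.27": "209.165.201.10"}
# Constructed policy: (ingress, egress) pairs allowed to open a new session;
# (outside, inside) is not listed, so the Figure 15-4 attempt is dropped.
POLICY = {("inside", "outside"), ("inside", "dmz"), ("outside", "dmz")}
# Session table: (translated src, translated dst) -> (orig src, orig dst, ingress).
SESSIONS = {}

def iface_for(ip):
    """Classify an address by interface subnet (assumed /24s from the figures)."""
    if ip.startswith("10.1.2."):
        return "inside"
    if ip.startswith("10.1.1."):
        return "dmz"
    return "outside"

def forward(src, dst):
    """Handle one packet; return (action, egress interface, src, dst) as sent on."""
    # Fast path: a reply carries the translated addresses swapped, so look up
    # (dst, src); if found, the new-session checks are skipped (steps 5-6).
    entry = SESSIONS.get((dst, src))
    if entry:
        orig_src, orig_dst, ingress = entry
        return ("established", ingress, orig_dst, orig_src)
    # New session: classify the ingress, apply destination NAT, then check policy.
    ingress = iface_for(src)
    dst_out = STATIC_NAT.get(dst, dst) if ingress == "outside" else dst
    egress = iface_for(dst_out)
    if (ingress, egress) not in POLICY:
        return ("dropped", None, src, dst)
    # Source NAT only when the packet leaves toward the outside (Figure 15-1, step 3).
    src_out = DYNAMIC_NAT.get(src, src) if egress == "outside" else src
    SESSIONS[(src_out, dst_out)] = (src, dst, ingress)
    return ("new-session", egress, src_out, dst_out)

def round_trip(src, dst):
    """Request then reply, as in each of the chapter's step lists."""
    req = forward(src, dst)
    if req[0] == "dropped":
        return req, None
    return req, forward(req[3], req[2])  # the server answers the addresses it saw
```

Calling `round_trip("10.1.2.27", "203.0.113.10")` (constructed address standing in for www.example.com) returns the translated request and the reply with 10.1.2.27 restored; `round_trip("198.51.100.7", "10.1.2.27")` is dropped because no policy entry permits outside to inside.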

An Outside User Attempts to Access an Inside Host

Figure 15-4 shows an outside user attempting to access the inside network.
Figure 15-4 Outside to Inside
[Figure 15-4 diagram: outside host www.example.com, through the outside interface 209.165.201.2, attempting to reach the inside user 10.1.2.27; inside interface 10.1.2.1, DMZ interface 10.1.1.1.]