Cisco FWSM Interesting Configuration Examples



Table of Contents


1.1. Cisco FWSM console cable installation
1.2. Cisco FWSM network processor
1.3. FWSM "show np blocks" explained
1.4. Credits


Cisco FWSM console cable installation


There are a few reasons why a console cable may be required for accessing the FWSM:
- you have locked yourself out of the FWSM and need to perform a password recovery
- there is an operating system failure and you need to intervene
In any case it is sometimes useful to access the device via the console. Usually the FWSM is accessed from the Cisco Catalyst 6500 switch by issuing the command session slot 1 processor 1, where slot 1 is the slot holding the FWSM.
Instructions on how to achieve that:
1. Shut down the FWSM from the Cisco Catalyst 6500 switch.
2. Open the blade and insert the cable as shown below.
3. Insert the blade back and have the console cable protrude so you can plug it into the back of your PC.




access-list wccp-traffic extended permit ip any
access-list wccp-destination extended permit ip host any
wccp web-cache redirect-list wccp-traffic group-list wccp-servers
wccp interface inside web-cache redirect in


Cisco FWSM network processor


What is the Cisco FWSM network processor?
Very little has been written about the FWSM network processors; below is some information that I found on Wikipedia describing them:

The FWSM has four processors: one central CPU (Pentium III 1 GHz processor) and three network processors (IBM 4GS3 PowerNP).
The central CPU is responsible for fixups and for traffic sourced from and destined to the FWSM itself (mainly management traffic). The central CPU is also responsible for rule-base compilation. The rule base is converted (compiled) into configuration for the network processors, so the majority of the traffic is handled in dedicated hardware.
The three network processors in the FWSM handle the majority of the traffic. Fast Path NP1 and NP2 handle the main traffic and each have three 1 Gigabit connections to the backplane. The third NP sits above NP1 and NP2 and is the session manager.
As the rule base is compiled into hardware, the FWSM has clear restrictions on the maximum number of Access Control Entries (ACEs). The limitation is only reached with large and inefficient rule bases. The limit cannot be extended by a memory upgrade as on the PIX and ASA platforms.




NP1 and NP2 are the front-line processors that are responsible for reading and analyzing all traffic initially. NP1 and NP2 are responsible for receiving packets from the switch across the backplane connection. NP1 and NP2 each have three 1 Gigabit connections which connect the FWSM to the backplane of the switch. Adding these together gives the 6 Gigabit link identified in the FWSM datasheets.

NP1 and NP2 are responsible for the following functions:
- Perform per packet session lookup
- Maintain connection table
- Perform NAT/PAT
- TCP checks
- Handle reassembled IP packets (NP2 only)
- TCP sequence number shift for "randomization"
- Syn Cookies

NP3 sits above NP1 and NP2. NP3 is also known as the session manager and performs the following functions:
- Processes first packet in a flow
- ACL checks
- Translation creation
- Embryonic/established connection counts
- TCP/UDP checksums
- Per-flow offset calculation for TCP sequence number "randomization"
- TCP intercept
- IP reassembly

NP3 talks to NP1 and NP2 as well as the CP. All packets that come to NP3 must first be processed by NP1 and NP2.

The Control Point (CP) sits above NP3 and similarly only sees traffic that is forwarded via NP3. The Control Point is primarily responsible for performing Layer 7 fixups, for example for traffic that requires embedded NAT or command inspection. The CP is also responsible for handling traffic sourced from or destined to the FWSM itself:
- Syslogs
- AAA (RADIUS/TACACS+)
- URL filtering (Websense/N2H2)
- Management traffic (telnet/SSH/HTTPS/SNMP)
- Failover communications
- Routing protocols
- Most Layer 7 fixups/inspections


FWSM "show np blocks" explained



The "show np blocks" output measures the state of the three network
processors against three different threshold values. The appropriate
threshold counter is incremented each time one of the 0/1/2 thresholds
for the number of free blocks has been crossed.

FWSM/pri/act# sho np blocks
                 MAX   FREE   THRESH_0   THRESH_1   THRESH_2
NP1 (ingress)  32768  32768          0          0          0
    (egress)  521206 521206          0          0          0
NP2 (ingress)  32768  32768          0          0          0
    (egress)  521206 521206          0          0          0
NP3 (ingress)  32768  32768          0          0          0
    (egress)  521206 521206          0          0          0

If the threshold 2 count increases, packets will still be processed;
this is only a warning indicating that we are close to reaching the
maximum threshold.

If the threshold 1 count increases, then data packets will be dropped.
This includes packets flowing across the firewall and even those sent to
the firewall itself (IP packets).

If the threshold 0 count increases, then control packets are dropped.
These control packets are internal packets that are passed across
multiple processors in the system, so this is very serious.
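The sensible way to use this output is to sample it periodically and alert on any threshold counter that has grown, ranking the alert by which threshold moved. The following parser and comparison is an added example (not code from the original page or from Cisco); both snapshots are constructed, with the second one invented so that a few counters have moved.

```python
import re
# Constructed sample output, modelled on the page's "show np blocks" listing.
SNAPSHOT_T0 = """\
FWSM/pri/act# sho np blocks
                 MAX   FREE   THRESH_0   THRESH_1   THRESH_2
NP1 (ingress)  32768  32768          0          0          0
    (egress)  521206 521206          0          0          0
NP2 (ingress)  32768  32768          0          0          0
    (egress)  521206 521206          0          0          0
NP3 (ingress)  32768  32768          0          0          0
    (egress)  521206 521206          0          0          0
"""
SNAPSHOT_T1 = """\
FWSM/pri/act# sho np blocks
                 MAX   FREE   THRESH_0   THRESH_1   THRESH_2
NP1 (ingress)  32768  32768          0          0          0
    (egress)  521206 498000          0          3         41
NP2 (ingress)  32768  32768          0          0          0
    (egress)  521206 521206          0          0          0
NP3 (ingress)  32768  31000          0          0          2
    (egress)  521206 521206          0          0          0
"""
ROW = re.compile(r"^(?:(NP\d)\s+)?\((ingress|egress)\)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")
THRESHOLDS = ("THRESH_0", "THRESH_1", "THRESH_2")
SEVERITY = {"THRESH_0": "control packets dropped (very serious)",   # meaning of a
            "THRESH_1": "data packets dropped",                     # rising counter,
            "THRESH_2": "warning: close to maximum"}                # per the page

def parse_np_blocks(text):
    """Map (np, direction) -> dict of MAX/FREE/THRESH_* values."""
    rows, proc = {}, None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                      # prompt, header or blank line
        proc = m.group(1) or proc         # "(egress)" rows inherit the NP above
        rows[(proc, m.group(2))] = dict(zip(("MAX", "FREE") + THRESHOLDS,
                                            map(int, m.groups()[2:])))
    return rows

def threshold_alerts(before, after):
    """(np, direction, counter, delta, meaning) for every counter that grew."""
    alerts = []
    for key, new in after.items():
        old = before.get(key, new)        # row missing earlier: treat as unchanged
        for t in THRESHOLDS:
            if new[t] > old[t]:
                alerts.append((key[0], key[1], t, new[t] - old[t], SEVERITY[t]))
    alerts.sort(key=lambda a: a[2])       # THRESH_0 (worst) first; sort is stable
    return alerts
```

Because the counters are cumulative, only the delta between two samples matters; a non-zero THRESH_1 or THRESH_0 delta is the point at which the FWSM has started dropping traffic.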


