Cisco Firewall Service Module (FWSM)

At Bluemile we have two different types of firewall for our bCloud. One is Cisco FWSM, and the other is Vyatta.

This page is meant for those using the Cisco FWSM.

For security reasons, the firewall can only be accessed from a VM in your cloud. Please make sure you have a VM deployed, and if it is a Windows VM, please download PuTTY.

Your firewall IP address is usually the .1 address of your internal subnet within a VLAN, so if your internal subnet is 192.168.1.0/24, your firewall would be at 192.168.1.1.

Make sure that the VM you are trying to access the firewall from has its network configured.

Your firewall username and password are given to you by Bluemile in the initial welcome email; the username should be something like BIDXXYYZZ.

Logging into your firewall

Start up PuTTY and initiate a connection to your firewall IP, or if on a Linux machine, type ssh BIDXXYYZZ@<yourFirewallIP> (example: ssh BIDXXYYZZ@192.168.1.1).

When asked for the password, type it in. You are now logged into your firewall.

Before doing any firewall config (such as creating a Static NAT as explained below), you must run the enable command, specifying no password (or your default password):

enable

Things to know before diving into the firewall config

There are some entities we deal with when configuring the firewall that one should be aware of. They are:

Private IP Address: the internal IP address of your VM (one subnet per VLAN, example: 192.168.1.10)
Public IP Address: from the range of public IPs assigned to you (provided by Bluemile, example: XXX.YYY.ZZZ.123)
Name of Internal Interface: usually BID followed by your BID #, and i (for in), example: BIDXXYYZZi
Name of External Interface: usually BID followed by your BID #, and o (for out), example: BIDXXYYZZo
Access Lists (Allowed Ports): 80 or 443 for example (web traffic), 22 (ssh), etc.
Interfaces to assign ACLs to: Internal: Vlan9XX / External: Vlan29XX, where 9XX is a VLAN # assigned to you

Note that you can have multiple internal VLANs (9XX), however, only one external VLAN will usually be present (as in 29XX).

You can determine the names of your inside and outside interfaces by running this command in the firewall:

show run

The output will be similar to this:

interface Vlan29XX
 nameif **BIDXXYYZZo** ## Outside interface
 security-level 0
 ip address XXX.YYY.ZZZ.116 255.255.255.240 standby XXX.YYY.ZZZ.117
!
interface Vlan9XX
 nameif **BIDXXYYZZi** ## Inside interface
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

Creating a Static NAT from a Public IP to a Private (VM) IP

When you want to access a VM in your cloud from the Internet, you need to create a Static NAT in your firewall config. This would create a translation from one of the public IPs assigned to you, to one of the internal IPs (which would be your VM).

Here's an example of creating a Static NAT:

From: public IP XXX.YYY.ZZZ.123 (assigned to you by Bluemile)
To: a VM running on 192.168.1.100
Ports: allowing Web Traffic (ports 80 and 443)
Inside interface: BIDXXYYZZi
Outside interface: BIDXXYYZZo

Now that we have all the info, this would be the list of commands to type in order to create a Static NAT.

# Create Access-List (note: OUTSIDE_ACCESS_IN is how we named this access list)
access-list OUTSIDE_ACCESS_IN extended permit tcp any host XXX.YYY.ZZZ.123 eq www <- Port 80
access-list OUTSIDE_ACCESS_IN extended permit tcp any host XXX.YYY.ZZZ.123 eq https <- Port 443

# Create Static NAT Statement
static (BIDXXYYZZi,BIDXXYYZZo) XXX.YYY.ZZZ.123 192.168.1.100 netmask 255.255.255.255

# Apply Access Lists to interface
access-group OUTSIDE_ACCESS_IN in interface **BIDXXYYZZo**

# Save changes
wr
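As an added example (not Bluemile's or Cisco's code), the script below ties the two procedures above together: it parses a show run excerpt in the shape shown earlier to find the inside (security-level 100) and outside (security-level 0) nameif values, then emits the same access-list / static / access-group / wr sequence, refusing to publish a private IP that is not on the inside interface's subnet. The VLAN numbers and public addresses are constructed documentation values, not ones assigned by Bluemile.

```python
import ipaddress
import re

# Constructed "show run" excerpt in the shape this page shows (documentation addresses).
SHOW_RUN = """\
interface Vlan2901
 nameif BIDXXYYZZo
 security-level 0
 ip address 203.0.113.116 255.255.255.240 standby 203.0.113.117
!
interface Vlan901
 nameif BIDXXYYZZi
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
"""

def parse_interfaces(show_run):
    """Map each nameif to its VLAN, security-level and connected subnet."""
    ifaces, cur = {}, {}
    for line in show_run.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            cur = {"vlan": m.group(1)}
            continue
        m = re.match(r"\s+nameif\s+(\S+)", line)
        if m:
            cur["nameif"] = m.group(1)
            ifaces[m.group(1)] = cur
        m = re.match(r"\s+security-level\s+(\d+)", line)
        if m:
            cur["level"] = int(m.group(1))
        m = re.match(r"\s+ip address\s+(\S+)\s+(\S+)", line)
        if m:
            cur["network"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return ifaces

def static_nat_commands(show_run, public_ip, private_ip, ports, acl="OUTSIDE_ACCESS_IN"):
    """Build the page's static NAT command set; inside = highest security-level, outside = lowest."""
    ifaces = parse_interfaces(show_run)
    inside = max(ifaces.values(), key=lambda i: i["level"])
    outside = min(ifaces.values(), key=lambda i: i["level"])
    # Refuse to publish a host that is not on the inside interface's subnet.
    if ipaddress.ip_address(private_ip) not in inside["network"]:
        raise ValueError(f"{private_ip} is not in inside subnet {inside['network']}")
    cmds = [f"access-list {acl} extended permit tcp any host {public_ip} eq {p}" for p in ports]
    cmds.append(f"static ({inside['nameif']},{outside['nameif']}) {public_ip} {private_ip} netmask 255.255.255.255")
    cmds.append(f"access-group {acl} in interface {outside['nameif']}")
    cmds.append("wr")
    return cmds
```

Paste the returned lines into the firewall after `enable`; the numeric ports are accepted where the page uses the `www` and `https` keywords.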

Working with Access-Lists

Access-lists can be implemented to allow or deny traffic originating from an interface. The scope of access can be controlled by protocol (IP, TCP, UDP, and ICMP), network range (subnet), individual IP addresses, and port number.

Things to remember:

  • Access-lists can have many entries, collectively known as an access-group
  • Only one access-group can be applied to an interface direction (each interface has both an inbound and outbound direction)
  • Rules apply to the side that is initiating traffic
  • Syntax: access-list name_of_access-list extended permit protocol (TCP/UDP/IP/ICMP) source destination eq port# (optional)

# Create Access-List that allows all traffic Public -> Private
access-list INSIDE_ACCESS_OUT extended permit ip any any

# Create Access-List entries that allow any outside address to access TCP ports 80, 443, and 3389 at 192.168.1.100
access-list OUTSIDE_ACCESS_IN extended permit tcp any host 192.168.1.100 eq 80
access-list OUTSIDE_ACCESS_IN extended permit tcp any host 192.168.1.100 eq 443
access-list OUTSIDE_ACCESS_IN extended permit tcp any host 192.168.1.100 eq 3389

# Allow ICMP (ping) to the firewall interface itself (the argument is the interface nameif from show run)
icmp permit any BIDXXYYZZo <- turns on pings for the public interface
icmp permit any BIDXXYYZZi <- turns on pings for the private interface

# Create Access-List to allow pings
access-list OUTSIDE_ACCESS_IN extended permit icmp any any
access-list INSIDE_ACCESS_OUT extended permit icmp any any

# Save changes
wr
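To check what a set of access-list entries will actually let through before applying them with access-group, here is an added example (not part of this page or of the FWSM) that parses entries in the syntax above and evaluates a new connection against them the way the firewall does: first matching entry wins, and anything matching no entry is dropped by the implicit deny at the end of every access-list. The sample entries and addresses are constructed.

```python
import ipaddress

# Constructed sample entries in the syntax this page uses (first match wins,
# anything that matches no entry is dropped by the implicit deny at the end).
ACL_LINES = [
    "access-list OUTSIDE_ACCESS_IN extended permit tcp any host 203.0.113.123 eq 80",
    "access-list OUTSIDE_ACCESS_IN extended permit tcp any host 203.0.113.123 eq https",
    "access-list OUTSIDE_ACCESS_IN extended permit icmp any any",
]

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}

def _addr_spec(tokens):
    """Consume one source/destination spec (any | host A | A MASK) and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(lines, name):
    """Return the ordered (action, proto, src, dst, port) entries of the named access-list."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name or t[2] != "extended":
            continue
        action, proto, rest = t[3], t[4], t[5:]
        src, rest = _addr_spec(rest)
        dst, rest = _addr_spec(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = int(PORT_NAMES.get(rest[1], rest[1]))
        rules.append((action, proto, src, dst, port))
    return rules

def acl_decision(rules, proto, src_ip, dst_ip, dport=None):
    """Return 'permit' or 'deny' for a new connection; the first matching entry decides."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in (proto, "ip"):
            continue
        if s not in r_src or d not in r_dst:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every access-list
```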
fwsm.txt · Last modified: 2011/09/09 15:33 by jmorton
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported