FWSM routed and transparent mode summary, with routed and transparent mode configuration examples

Posted on 2008-6-27 19:54:19

Notes on routed mode
  • cisco7609#show module
    Shows the status of the FWSM module.
    cisco7609#session slot 3 p 1        Logs in to the FWSM in slot 3. Press Ctrl-^ then x to exit, or type exit; enable enters privileged mode.
  • License activation: the first time you enter the FWSM it must be activated. Log in at www.cisco.com/go/license
    and request an activation key with the product authorization key.

    hostname(config)#activation-key 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e        completes the activation
    FWSM#SH VER shows the activation status, including the number of security contexts that were activated.
  • The FWSM can be installed in any switching slot of a 6500 or 7600.
  • Traffic from inside to outside also needs an ACL permit.
  • Starting with FWSM 2.1, same-security-traffic communication is supported.
  • In the 6500, the FWSM has 6G of backplane bandwidth.
  • By default only one VLAN can be associated between the FWSM and the MSFC, but the command firewall multiple-vlan-interfaces lets several MSFC SVIs be associated with FWSM VLANs.
  • By default all FWSM interfaces refuse ping; open them with icmp permit inside and icmp permit outside.
  • Up to 256 contexts are supported.
  • Communication between contexts
        requires static routes pointing to the MSFC address.
  • Associating VLANs configured on the MSFC with the FWSM:
    cisco7609(config)#firewall multiple-vlan-interfaces
    cisco7609(config)#firewall module 3 vlan-group 1,2
    cisco7609(config)#firewall vlan-group 1 10,12,110,112
    cisco7609(config)#firewall vlan-group 2 80-92,182-192
    //If too many VLANs are put into one group, the switch sometimes reports that the maximum number of VLANs is exceeded.
  • FWSM flash layout: The FWSM has a 128-MB Flash memory card that stores the operating system, configurations, and other data. The Flash memory includes six partitions, called cf:n in Cisco IOS and Catalyst operating system software commands:
    • Maintenance partition (cf:1)—Contains the maintenance software. Use the maintenance software to upgrade or install application images if you cannot boot into the application partition, to reset the application image password, or to display the crash dump information.
    • Network configuration partition (cf:2)—Contains the network configuration of the maintenance software. The maintenance software requires IP settings so that the FWSM can reach the TFTP server to download application software images.
    • Crash dump partition (cf:3)—Stores the crash dump information.
    • Application partitions (cf:4 and cf:5)—Stores the application software image, system configuration, and ASDM. By default, Cisco installs the images on cf:4. You can use cf:5 as a test partition. For example, if you want to upgrade your software, you can install the new software on cf:5, but maintain the old software as a backup in case you have problems. Each partition includes its own startup configuration.
    • Security context partition (cf:6)—64 MB are dedicated to this partition, which stores security context configurations (if desired) and RSA keys in a navigable file system. Other partitions do not have file systems that allow you to perform common tasks such as listing files. This partition is called disk when using the copy command.


Original poster | Posted on 2008-6-27 19:54:34
Notes on transparent mode
1. When contexts are used, each context in transparent mode can have multiple interfaces, but only 8 bridge groups are supported.
2. NAT cannot be used.
3. By default BPDUs are not forwarded, so a loop can form; you must enter bpdu forwarding.
4. When the FWSM is configured in transparent mode, although the VLANs associated with the transparent firewall's inside and outside logical interfaces are two different VLANs (for example nameif vlan88 inside security100 and nameif vlan100 outside security0), the IP that the Catalyst 6500 uses to connect outward and the IP of the MSFC-side logical interface that connects to inside or outside (depending on where the MSFC and the FWSM sit logically) must be in the same subnet.
It is easier to understand from the diagram below:

5. Configuration:
        interface vlan 150
            nameif outside
            security-level 0
            bridge-group 1
        interface vlan 4
            nameif inside
            security-level 100
            bridge-group 1
        interface bvi 1
            ip address 10.1.1.1 255.255.255.0
        //management address
Original poster | Posted on 2008-6-27 19:55:09
Routed mode configuration examples
The FWSM can be placed in front of the MSFC or behind it.

Three configuration examples
1

Configuration procedure for OUTSIDE——MSFC—vlan10—FWSM—vlan20—CORE——HOST

  • Create the Layer 3 interface to be used as the gateway by the FWSM. This is done in global config mode.
    MSFC(config)#interface vlan 10
    MSFC(config-int)#ip address 206.10.10.1 255.255.255.0
    MSFC(config-int)#no shutdown
  • Define a vlan-group for the Firewall Module and assign the VLANs to the Firewall Module.
    MSFC(config)#firewall vlan-group 1 10,20
    MSFC(config)#firewall module 3 vlan-group 1
  • Session to the FWSM. To do this, type "session slot <module #> proc 1" in enable mode. For our example we will assume the FWSM is in slot 3 of the chassis.
    MSFC#session slot 3 proc 1
  • Create Layer 3 interfaces on the FWSM. The command to do this is "nameif <vlan #> <interface name> <security level>" in global config mode.
    FWSM(config)#nameif 10 outside 0
    FWSM(config)#ip address outside 206.10.10.2 255.255.255.0
    FWSM(config)#nameif 20 inside 100
    FWSM(config)#ip address inside 10.20.20.1 255.255.255.0
  • Add a default route to the outside security level on the FWSM.
    FWSM(config)#route outside 0.0.0.0 0.0.0.0 206.10.10.1 1
  • Configure a STATIC NAT entry for hosts A and B to be seen by outside users.
    FWSM(config)#static (inside,outside) 206.10.10.25 10.20.20.25 netmask 255.255.255.255        (Host A)
    FWSM(config)#static (inside,outside) 206.10.10.26 10.20.20.26 netmask 255.255.255.255        (Host B)
  • Configure a NAT entry for users in the inside security level that wish to initiate a connection to the outside security level.
    FWSM(config)#nat (inside) 1 0 0
    FWSM(config)#global (outside) 1 206.10.10.100
  • Configure access control lists and apply them to the interfaces to restrict access to the inside security level by hosts on the outside security level.
    FWSM(config)#access-list outside-acl permit tcp any host 206.10.10.25 eq www
    FWSM(config)#access-list outside-acl permit tcp any host 206.10.10.25 eq ftp
    FWSM(config)#access-list outside-acl permit tcp any host 206.10.10.25 eq ftp-data
    FWSM(config)#access-list outside-acl permit icmp any host 206.10.10.25        (this allows outside users to ping)
    FWSM(config)#access-list outside-acl permit tcp any host 206.10.10.26 eq www
    FWSM(config)#access-list outside-acl permit tcp any host 206.10.10.26 eq ftp
    FWSM(config)#access-list outside-acl permit tcp any host 206.10.10.26 eq ftp-data
    FWSM(config)#access-list outside-acl permit icmp any host 206.10.10.26        (this allows outside users to ping)
  • Now apply the defined access-list "outside-acl" to the outside interface as follows:
    FWSM(config)#access-group outside-acl in interface outside

2

OUTSIDE—vlan10—FWSM—vlan20—MSFC—vlan30—CORE——HOST. The differences from the example above are:
The FWSM connects to the outside through vlan10, so the 6500 port g8/1 that faces the outside must belong to vlan10:
    MSFC(config)#interface gigabit 8/1
    MSFC(config-int)#switchport
    MSFC(config-int)#switchport mode access
    MSFC(config-int)#switchport access vlan 10
    MSFC(config-int)#no shutdown
A static route on the MSFC is sufficient:
    MSFC(config)#ip route 0.0.0.0 0.0.0.0 10.20.20.1
The FWSM uses a static route so that outside traffic can reach the inside:
    FWSM(config)#route inside 10.0.0.0 255.0.0.0 10.20.20.2


3

DMZ
|
vlan50
|
Configuration procedure for OUTSIDE——MSFC—vlan10—FWSM—vlan20—CORE——HOST, adding the following on top of example 1:
|
vlan60
|
DMZ
  • Create the DMZ VLANs on the MSFC in global config mode.
    MSFC(config)#vlan 50
    MSFC(config-vlan)#no shutdown
    MSFC(config)#vlan 60
    MSFC(config-vlan)#no shutdown
  • Add VLANs 50 and 60 to the firewall vlan-group created in Configuration #1.
    MSFC(config)#firewall vlan-group 1 50,60
  • The ports that connect the DMZ hosts must be configured as switchports so that the FWSM can see them.
    MSFC(config)#interface FastEthernet 7/1
    MSFC(config-int)#switchport
    MSFC(config-int)#switchport mode access
    MSFC(config-int)#switchport access vlan 60
    MSFC(config-int)#no shutdown
  • Session to the FWSM as outlined in Configuration #1 and configure the Layer 3 interfaces for the DMZ security levels.
    FWSM(config)#nameif 60 dmz1 60
    FWSM(config)#nameif 50 dmz2 50
    FWSM(config)#ip address dmz1 10.60.60.1 255.255.255.0
    FWSM(config)#ip address dmz2 10.50.50.1 255.255.255.0
  • To enable users to connect to the servers in the DMZs, STATIC and NAT translations have to be established depending on the direction of the traffic flow.
    FWSM(config)#nat (dmz1) 2 10.60.60.0 255.255.255.0
    FWSM(config)#global (outside) 2 206.10.10.60
    FWSM(config)#global (dmz2) 2 10.50.50.200
    FWSM(config)#nat (dmz2) 3 10.50.50.0 255.255.255.0
    FWSM(config)#global (outside) 3 206.10.10.50
    FWSM(config)#static (inside,dmz1) 10.60.60.60 10.20.20.25 netmask 255.255.255.255
    FWSM(config)#static (inside,dmz2) 10.50.50.50 10.20.20.25 netmask 255.255.255.255
    FWSM(config)#static (dmz1,dmz2) 10.50.50.50 10.60.60.25 netmask 255.255.255.255
  • ACLs:
    FWSM(config)#access-list web permit tcp any host 206.10.10.125 eq www
    FWSM(config)#access-list web permit tcp any host 206.10.1
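As an added illustration, not part of the original post, the following Python script audits the NAT and ACL lines of routed-mode example 1 the way a reviewer would: every host the outside ACL opens up must have a static (inside,outside) translation, every ACL must actually be bound with access-group, and the outside interface must carry an inbound ACL at all. ROUTED_CFG is example 1 re-typed as a constant; audit_routed and the regex names are this example's own.

```python
"""Audit the routed-mode FWSM configuration of example 1 above (added example,
not from the post). It checks that every host the outside ACL opens up has a
static (inside,outside) translation, that each ACL is bound with access-group,
and that the outside interface has an inbound ACL at all."""
import re

# Example 1 from the post, re-typed as a constant (FWSM 2.x syntax).
ROUTED_CFG = """
nameif 10 outside 0
nameif 20 inside 100
static (inside,outside) 206.10.10.25 10.20.20.25 netmask 255.255.255.255
static (inside,outside) 206.10.10.26 10.20.20.26 netmask 255.255.255.255
nat (inside) 1 0 0
global (outside) 1 206.10.10.100
access-list outside-acl permit tcp any host 206.10.10.25 eq www
access-list outside-acl permit tcp any host 206.10.10.25 eq ftp
access-list outside-acl permit icmp any host 206.10.10.25
access-list outside-acl permit tcp any host 206.10.10.26 eq www
access-group outside-acl in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) \S+ host (\S+)(?: eq (\S+))?")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def audit_routed(cfg):
    statics = {}   # mapped (outside) address -> real (inside) address
    acls = {}      # ACL name -> list of (proto, mapped host, port)
    bound = {}     # interface -> ACL name applied inbound
    for line in (l.strip() for l in cfg.splitlines()):
        if m := STATIC_RE.match(line):
            statics[m.group(3)] = m.group(4)
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)
    findings = []
    if "outside" not in bound:
        findings.append("no access-group on outside: inbound traffic from outside is all dropped")
    for name, entries in acls.items():
        if name not in bound.values():
            findings.append(f"ACL {name} is defined but never applied")
        for proto, host, port in entries:
            if host not in statics:   # permit points at an address nothing translates
                findings.append(f"ACL {name} permits {proto}/{port or 'any'} to {host} "
                                "but no static maps it to an inside host")
    permitted = {h for e in acls.values() for _, h, _ in e}
    for mapped, real in statics.items():
        if mapped not in permitted:   # exposed by static but still blocked by the ACL
            findings.append(f"static {mapped}->{real} has no ACL permit from outside")
    return findings
```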
Original poster | Posted on 2008-6-27 19:55:24
Transparent mode configuration example

hostname Farscape
password passw0rd
enable password chr1cht0n
interface vlan 4
interface vlan 5
interface vlan 6
interface vlan 7
interface vlan 150
interface vlan 151
interface vlan 152
interface vlan 153
admin-context admin
context admin
allocate-interface vlan150
allocate-interface vlan4
config-url disk://admin.cfg
member default
context customerA
description This is the context for customer A
allocate-interface vlan151
allocate-interface vlan5
config-url disk://contexta.cfg
member gold
context customerB
description This is the context for customer B
allocate-interface vlan152
allocate-interface vlan6
config-url disk://contextb.cfg
member silver
context customerC
description This is the context for customer C
allocate-interface vlan153
allocate-interface vlan7
config-url disk://contextc.cfg
member bronze
changeto context admin
firewall transparent
passwd secret1969
enable password h1andl0
interface vlan 150
    nameif outside
    security-level 0
    bridge-group 1
interface vlan 4
    nameif inside
    security-level 100
    bridge-group 1
interface bvi 1
    ip address 10.1.1.1 255.255.255.0
route outside 0 0 10.1.1.2 1
ssh 10.1.1.75 255.255.255.255 inside
arp outside 10.1.1.2 0009.7cbe.2100
arp inside 10.1.1.3 0009.7cbe.1000
arp-inspection inside enable flood
arp-inspection outside enable flood
access-list INTERNET remark -Allows all inside hosts to access the outside
access-list INTERNET extended permit ip any any
access-group INTERNET in interface inside
access-list RETURN remark -Allows OSPF back
access-list RETURN extended permit 89 any any
access-list RETURN remark -Allows DHCP back
access-list RETURN extended permit udp any any eq 68
access-group RETURN in interface outside
changeto context customerA
firewall transparent
passwd hell0!
enable password enter55
interface vlan 151
    nameif outside
    security-level 0
    bridge-group 45
interface vlan 5
    nameif inside
    security-level 100
    bridge-group 45
interface bvi 45
    ip address 10.1.2.1 255.255.255.0
route outside 0 0 10.1.2.2 1
access-list INTERNET remark -Allows all inside hosts to access the outside
access-list INTERNET extended permit ip any any
access-group INTERNET in interface inside
access-list RETURN remark -Allows OSPF back
access-list RETURN extended permit 89 any any
access-list RETURN remark -Allows DHCP back
access-list RETURN extended permit udp any any eq 68
access-group RETURN in interface outside
changeto context customerB
firewall transparent
passwd tenac10us
enable password defen$e
interface vlan 152
    nameif outside
    security-level 0
    bridge-group 1
interface vlan 6
    nameif inside
    security-level 100
    bridge-group 1
interface bvi 1
    ip address 10.1.3.1 255.255.255.0
route outside 0 0 10.1.3.2 1
access-list INTERNET remark -Allows all inside hosts to access the outside
access-list INTERNET extended permit ip any any
access-group INTERNET in interface inside
access-list RETURN remark -Allows OSPF back
access-list RETURN extended permit 89 any any
access-list RETURN remark -Allows DHCP back
access-list RETURN extended permit udp any any eq 68
access-group RETURN in interface outside
changeto context customerC
firewall transparent
passwd fl0wer
enable password treeh0u$e
interface vlan 153
    nameif outside
    security-level 0
    bridge-group 100
interface vlan 7
    nameif inside
    security-level 100
    bridge-group 100
interface bvi 100
    ip address 10.1.4.1 255.255.255.0
route outside 0 0 10.1.4.2 1
access-list INTERNET remark -Allows all inside hosts to access the outside
access-list INTERNET extended permit ip any any
access-group INTERNET in interface inside
access-list RETURN remark -Allows OSPF back
access-list RETURN extended permit 89 any any
access-list RETURN remark -Allows DHCP back
access-list RETURN extended permit udp any any eq 68
access-group RETURN in interface outside
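As an added example, not the post's own configuration, this Python check encodes the transparent-mode rules from the notes earlier in the thread and from the admin context above: interfaces are paired in a bridge-group with a BVI management address, NAT is not available, and the ACL bound inbound on outside must let OSPF (protocol 89) and DHCP replies (udp 68) back through. CONTEXT_CFG is the admin context re-typed; audit_transparent is a name chosen here.

```python
"""Audit a transparent-mode FWSM context like the ones above (added example,
not from the post). Checks: each bridge-group pairs exactly two named
interfaces and has a BVI address, no NAT lines, and the ACL bound inbound on
outside lets OSPF (protocol 89) and DHCP replies (udp 68) back through."""

CONTEXT_CFG = """
interface vlan 150
    nameif outside
    security-level 0
    bridge-group 1
interface vlan 4
    nameif inside
    security-level 100
    bridge-group 1
interface bvi 1
    ip address 10.1.1.1 255.255.255.0
access-list INTERNET extended permit ip any any
access-group INTERNET in interface inside
access-list RETURN extended permit 89 any any
access-list RETURN extended permit udp any any eq 68
access-group RETURN in interface outside
"""

def audit_transparent(cfg):
    findings, ifaces, bvis, acls, bound, cur = [], {}, {}, {}, {}, None
    for t in filter(None, map(str.split, cfg.splitlines())):
        if t[0] == "interface" and t[1] == "bvi":      # BVI carries the management IP
            cur = ("bvi", t[2]); bvis.setdefault(t[2], None)
        elif t[0] == "interface":                       # VLAN interface
            cur = ("if", " ".join(t[1:])); ifaces[cur[1]] = {}
        elif t[0] == "nameif" and cur and cur[0] == "if":
            ifaces[cur[1]]["name"] = t[1]
        elif t[0] == "bridge-group" and cur and cur[0] == "if":
            ifaces[cur[1]]["bg"] = t[1]
        elif t[0] == "ip" and cur and cur[0] == "bvi":
            bvis[cur[1]] = t[2]
        elif t[0] in ("nat", "global", "static"):       # transparent mode: no NAT
            findings.append(f"'{' '.join(t)}' is not supported in transparent mode")
        elif t[0] == "access-list" and t[2] == "extended":
            acls.setdefault(t[1], []).append(t[3:])     # e.g. ['permit','89','any','any']
        elif t[0] == "access-group":
            bound[t[4]] = t[1]                          # interface -> ACL name
    groups = {}
    for i in ifaces.values():
        if "bg" in i:
            groups.setdefault(i["bg"], []).append(i.get("name"))
    for bg, members in groups.items():
        if len(members) != 2:
            findings.append(f"bridge-group {bg} has {len(members)} members, expected 2")
        if bvis.get(bg) is None:
            findings.append(f"bridge-group {bg} has no BVI management address")
    entries = acls.get(bound.get("outside"), [])
    if not any(e[1] in ("89", "ospf") for e in entries if e[0] == "permit"):
        findings.append("outside ACL does not permit OSPF (89) back in")
    if not any(e[1] == "udp" and e[-2:] == ["eq", "68"] for e in entries if e[0] == "permit"):
        findings.append("outside ACL does not permit DHCP replies (udp 68) back in")
    return findings
```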
Posted on 2008-7-3 12:11:26
I have recently been working on transparent mode:
3750  vlan301  FWSM   vlan400  MSFC 7304
OSPF routing is enabled on both the 3750 and the MSFC 7304:
The 3750 interface address is 10.5.46.2
The 6509 port that this interface connects to is placed in vlan301, and vlan301 has no address configured
vlan400: 10.5.46.1

Situation: the OSPF adjacency between the 6509 and the 3750 always stays in the init state, and I don't know
what the problem is. Please help me analyze it!


Router#sh run
Building configuration...
Current configuration : 5734 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service counters max age 10
!
hostname Router
!
boot system flash sup-bootflash:s72033-psv-mz.122-18.SXD7b.bin
!
no aaa new-model
firewall multiple-vlan-interfaces
firewall module 1 vlan-group 1,2
firewall vlan-group 1  301,400
firewall vlan-group 2  302,401
ip subnet-zero
!
!
no ip domain-lookup
!
mls ip multicast flow-stat-timer 9
no mls flow ip
no mls flow ipv6
mls cef error action freeze
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
redundancy
mode sso
main-cpu
  auto-sync running-config
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface GigabitEthernet9/1
no ip address
switchport
switchport access vlan 301
switchport mode access
!
interface GigabitEthernet9/2
no ip address
shutdown
!
interface GigabitEthernet9/3
ip address 10.5.46.17 255.255.255.240
!         
interface GigabitEthernet9/4
no ip address
shutdown
!
interface GigabitEthernet9/5
no ip address
switchport
switchport access vlan 302
switchport mode access
!
interface Vlan1
no ip address
shutdown
!
interface Vlan301
no ip address
!
interface Vlan302
no ip address
!
interface Vlan400
ip address 10.5.46.1 255.255.255.240
!
interface Vlan401
ip address 10.5.47.1 255.255.255.240
!
router ospf 1
router-id 3.3.3.3
log-adjacency-changes
network 10.5.46.0 0.0.0.15 area 0
network 10.5.46.16 0.0.0.15 area 0
network 10.5.47.0 0.0.0.15 area 0
!
ip classless
no ip http server
!
!
!
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
line vty 0 4
no login
!
!
end
Router# wr   
Building configuration...
[OK]
Router#sess
Router#session slot 1 pr
Router#session slot 1 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.11 ... Open

User Access Verification
Password:
Type help or '?' for a list of available commands.
FWSM> en
Password:
FWSM#
FWSM# sh run
: Saved
:
FWSM Version 2.3(4) <system>
firewall transparent
resource acl-partition 12
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname FWSM
ftp mode passive
pager lines 24
logging buffer-size 4096
class default
  limit-resource All 0
  limit-resource IPSec 5
  limit-resource Mac-addresses 65535
  limit-resource PDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!
no failover
failover lan unit secondary
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
arp timeout 14400

!

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
terminal width 80
admin-context admin
context admin
  allocate-interface vlan301
  allocate-interface vlan400
  config-url disk:/admin.cfg
!
context bangong
  allocate-interface vlan302
  allocate-interface vlan401
  config-url disk:/bangong.cfg
!
context server
  allocate-interface vlan303
  allocate-interface vlan402
  config-url disk:/server.cfg
!
Cryptochecksum:95a947487f9f8d7a76f8f535bdec080d
: end
FWSM# changeto context admin
FWSM/admin# sh run
: Saved
:
FWSM Version 2.3(4) <context>
firewall transparent
nameif vlan301 inside security100
nameif vlan400 outside security0
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname FWSM
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
access-list INTERNET extended permit ospf any any
access-list INTERNET extended permit ip any any
access-list INTERNET extended permit icmp any any
access-list INTERNET extended permit tcp any any
access-list INTERNET extended permit udp any any
access-list OSPF extended permit ospf any any
access-list OSPF extended permit ip any any
pager lines 24
logging buffer-size 4096
mtu inside 1500
mtu outside 1500
ip address  10.5.46.4 255.255.255.240
no pdm history enable
arp timeout 14400
access-group INTERNET in interface inside
access-group INTERNET in interface outside
!
interface inside
!
!
interface outside
!

!

route outside 0.0.0.0 0.0.0.0 10.5.46.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
floodguard enable
fragment size 200 inside
fragment chain 24 inside
fragment size 200 outside
fragment chain 24 outside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:a846f408852921aa37f5b8af3cfd6fc7
: end         
FWSM/admin# wr mem
Building configuration...
Cryptochecksum: d2a32901 c09529e8 cc165d29 55ab47d6
Reading ...
!
Writing to disk. This may take sometime..
!
2062 bytes copied in 1.210 secs (2062 bytes/sec)
FWSM/admin# changeto context bangong
FWSM/bangong# sh run
: Saved
:
FWSM Version 2.3(4) <context>
firewall transparent
nameif vlan302 inside security100
nameif vlan401 outside security0
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname bangong
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
access-list internet extended permit ip any any
access-list ospf extended permit ospf any any
access-list ospf extended permit ip any any
pager lines 24
logging buffer-size 4096
mtu inside 1500
mtu outside 1500
ip address  10.5.47.4 255.255.255.240
no pdm history enable
arp timeout 14400
access-group internet in interface inside
access-group ospf in interface outside
!
interface inside
!
!
interface outside
!

!

route outside 0.0.0.0 0.0.0.0 10.5.47.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
floodguard enable
fragment size 200 inside
fragment chain 24 inside
fragment size 200 outside
fragment chain 24 outside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:760b43387c34e0e45706dfdb95083983
: end

[ This post was last edited by miniboy on 2008-7-3 12:12 ]