Boway: cloud architecture decides cloud computing

Original poster: network

Cisco Catalyst 6509 switch FWSM firewall module configuration materials: complete collection

Original poster | Posted on 2007-12-24 10:46:01
Not bad. It should be fairly complete. Quite a lot of it is reposted.
Original poster | Posted on 2007-12-27 10:42:10
A good guide to using the FWSM module and the load-balancing module (in Chinese)
Original poster | Posted on 2008-1-12 06:39:17
FWSM 3.2

FWSM

1. Supports NAT log output, including Xlate address-translation information and session start/end records (Info L6)!

2. Syslog output on the FWSM reaches 34K/s; performance is the best in the industry, with 100,000 new sessions per second!

3. FWSM Xlate 256K; supports Xlate bypass (ver 3.2), so new sessions do not consume Xlate table entries!

Egress NAT!!!!

Q&A:

http://www.cisco.com/en/US/produ ... 86a00801e9e26.shtml

New in v3.2

http://www.cisco.com/en/US/produ ... 00aecd805c34ca.html
Original poster | Posted on 2008-1-16 08:13:50
An FWSM routed-mode configuration example

The scenario: there are two interfaces, outside faces the WAN and the inside interface sits on the LAN, OSPF is the routing protocol, and only the LAN servers and ports that must be reachable from the WAN are opened; everything else is denied. This is a simple scenario that can be extended later, for example with a server zone.

sh run
: Saved
:
FWSM Version 3.2(2)
!
hostname SDDL-Internal-FW
domain-name sddl.com
enable password Z1UFjQZdKfrZkYLf encrypted
names
!
interface Vlan254
nameif outside
security-level 0
ip address X.Y.254.254 255.255.255.252
ospf hello-interval 1
ospf dead-interval 3
!
interface Vlan2254
nameif Internal
security-level 99
ip address X.Y.254.1 255.255.255.252
ospf hello-interval 1
ospf dead-interval 3
!
passwd Z1UFjQZdKfrZkYLf encrypted
ftp mode passive
access-list acl-in extended permit ip any any
access-list SHJT_to_SDDL extended permit tcp any any eq telnet
access-list SHJT_to_SDDL extended permit icmp any any
access-list SHJT_to_SDDL extended permit ospf any any
access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.32 eq www
access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq 3389
access-list SHJT_to_SDDL extended permit tcp any host X.Y.1.13 eq lotusnotes
access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.60 eq www
access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.60 eq 8080
access-list SHJT_to_SDDL extended permit tcp 10.36.0.0 255.255.0.0 host X.Y.128.60 range 1976 1982
access-list SHJT_to_SDDL extended permit tcp 10.229.160.0 255.255.255.0 host X.Y.128.60 range 1976 1982
access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq pop3
access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq smtp
access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq www
access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq imap4
access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq 63148
access-list SHJT_to_SDDL extended permit udp any X.Y.128.0 255.255.255.0 eq 63148
access-list SHJT_to_SDDL extended permit udp any X.Y.128.0 255.255.255.0 eq 143
access-list SHJT_to_SDDL extended permit udp any X.Y.128.0 255.255.255.0 eq 389
access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq https
access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.37 eq 8000
access-list SHJT_to_SDDL extended permit udp any host X.Y.128.37 eq 8000
access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.37 eq 7000
access-list SHJT_to_SDDL extended permit udp any host X.Y.128.37 eq 7000
access-list SHJT_to_SDDL extended permit udp any host X.Y.128.38 eq 7000
access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.38 eq 7000
access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.50 eq 8080
access-list SHJT_to_SDDL extended permit udp any host X.Y.128.32 eq domain
access-list SHJT_to_SDDL extended permit ip any host X.Y.128.45
access-list SHJT_to_SDDL extended permit ip any host X.Y.128.39
access-list SHJT_to_SDDL extended permit ip any host X.Y.1.12
access-list SHJT_to_SDDL extended permit ip any host X.Y.128.42
access-list SHJT_to_SDDL extended permit ip any host X.Y.128.37
access-list SHJT_to_SDDL extended permit ip any host X.Y.128.46
access-list SHJT_to_SDDL extended permit ip any host X.Y.128.44
access-list SHJT_to_SDDL extended permit ip any host X.Y.128.32
access-list SHJT_to_SDDL extended permit tcp 10.228.0.0 255.255.0.0 host X.Y.128.60 range 1976 1982
access-list SHJT_to_SDDL extended permit tcp 10.227.160.0 255.255.255.0 host X.Y.128.60 range 1976 1982
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu Internal 1500
ip verify reverse-path interface outside
ip verify reverse-path interface Internal
no failover
failover lan unit secondary
icmp permit any outside
icmp permit any Internal
no asdm history enable
arp timeout 14400
access-group SHJT_to_SDDL in interface outside
access-group acl-in in interface Internal
!
router ospf 100
network X.Y.254.1 255.255.255.255 area 0
network X.Y.254.254 255.255.255.255 area 0
router-id X.Y.254.254
log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
username sddl password QZbkfU0FC8LZLZ6k encrypted
http server enable
http 0.0.0.0 0.0.0.0 outside
http X.Y.160.0 255.255.255.0 Internal
http X.Y.128.0 255.255.255.0 Internal
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt nodnsalias inbound
sysopt nodnsalias outbound
sysopt noproxyarp outside
sysopt noproxyarp Internal
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 Internal
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map class_sip_tcp
match port tcp eq sip
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
  inspect ctiqbe
  inspect dcerpc
  inspect http
  inspect icmp
  inspect ils
  inspect mgcp
  inspect rtsp
  inspect sip
  inspect snmp
class class_sip_tcp
  inspect sip
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3224aa347a06e32ac4f006510f5606f0
: end

SDDL-Internal-FW# exit
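The running-config above opens telnet and HTTP management from any source on both interfaces, permits telnet inbound through the outside ACL, and keeps the default SNMP community. The following audit script is an added example for this thread (not Cisco code and not the original poster's): it walks a config excerpt taken from the post, maps nameif to security-level, and reports the management-plane exposures a reviewer would flag; HARDENED is a constructed counterpart that should produce no findings.

```python
"""Audit an ASA/FWSM running-config excerpt for management-plane exposure.
Added example for this thread, not Cisco code. CONFIG is excerpted from the
routed-mode config posted above; HARDENED is a constructed counterpart."""
import re

CONFIG = """\
nameif outside
security-level 0
nameif Internal
security-level 99
access-list SHJT_to_SDDL extended permit tcp any any eq telnet
access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.32 eq www
access-group SHJT_to_SDDL in interface outside
http 0.0.0.0 0.0.0.0 outside
http X.Y.128.0 255.255.255.0 Internal
snmp-server community public
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 Internal
"""

# Constructed: management only from one inside subnet, SSH instead of telnet,
# placeholder (non-default) SNMP community, no telnet permitted through the ACL.
HARDENED = """\
access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.32 eq www
access-group SHJT_to_SDDL in interface outside
http X.Y.160.0 255.255.255.0 Internal
snmp-server community CHANGE-ME-PLACEHOLDER
ssh X.Y.160.0 255.255.255.0 Internal
"""

ANY_SOURCE = ("0.0.0.0", "0.0.0.0")
# Exactly four tokens, so 'telnet timeout 5' and 'http server enable' never match.
MGMT_RE = re.compile(r"^(telnet|ssh|http) (\S+) (\S+) (\S+)$")
TELNET_ACE_RE = re.compile(r"^access-list (\S+) extended permit (tcp|ip) any .*eq (telnet|23)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def interface_levels(lines):
    """Map nameif -> security-level by walking interface stanzas in order."""
    levels, current = {}, None
    for ln in lines:
        if ln.startswith("nameif "):
            current = ln.split()[1]
        elif ln.startswith("security-level ") and current:
            levels[current] = int(ln.split()[1])
    return levels


def audit(config_text):
    """Return (rule_id, offending line) findings for the given config text."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    levels = interface_levels(lines)
    findings, mgmt_protos, telnet_acls = [], set(), set()
    for ln in lines:
        m = MGMT_RE.match(ln)
        if m:
            proto, net, mask, ifname = m.groups()
            mgmt_protos.add(proto)
            if (net, mask) == ANY_SOURCE:
                findings.append(("MGMT_ANY_SOURCE", ln))
            elif levels.get(ifname) == 0:
                findings.append(("MGMT_ON_LOWEST_SECURITY_IF", ln))
        elif TELNET_ACE_RE.match(ln):
            telnet_acls.add(TELNET_ACE_RE.match(ln).group(1))
        elif ln in ("snmp-server community public", "snmp-server community private"):
            findings.append(("SNMP_DEFAULT_COMMUNITY", ln))
    for ln in lines:  # an ACL that permits telnet from any, applied inbound on a level-0 interface
        m = GROUP_RE.match(ln)
        if m and m.group(1) in telnet_acls and levels.get(m.group(2)) == 0:
            findings.append(("TELNET_PERMITTED_INBOUND_FROM_ANY", ln))
    if "telnet" in mgmt_protos and "ssh" not in mgmt_protos:
        findings.append(("TELNET_WITHOUT_SSH", "telnet access lines present, no ssh access line"))
    return findings
```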
Original poster | Posted on 2008-1-20 07:21:17
Current security-zone partitioning, the corresponding Cisco product solution, and an analysis of its design philosophy

FWSM, the product tailor-made for security-zone partitioning:

Strategic concept: the five-layer method of partitioning a security-zone isolation system:
1. Physical isolation: support enough types and quantities of physical ports to separate zones (SFP, GE, FE, GBIC); Sup Engine
2. Logical isolation: support the Virtual Firewall feature, so zones can be separated logically on the same physical port; FWSM
3. Policy isolation: support enough policies between different security zones, separating service zones at the policy level; FWSM
4. Application isolation: support DPI of applications, able to distinguish traffic content and control the business between zones; IDSM
5. Admission isolation: support network admission control, so the system can admit endpoints to zones of different levels according to the endpoint's security posture; NAC

Implementation strategies:

  Strategy 1: security-zone core isolation system (Cat6K + FWSM + IDSM + NAC), the first recommendation for a customer's core isolation, with centralized control
  Strategy 2: security-zone transparent isolation system (ASA5500 + AIP-SSM + MARS), L2 plug-and-play with no configuration changes needed

Pre-sales analysis: Cisco firewall module architecture and advantages!!!
FWSM competitive analysis:

Strategic positioning: leading the development trend of high-end firewalls
1. The trend toward collaborative security, slot-based and modular designs
Five years ago, the network's security boundary was the firewall. When a security requirement came up, you put a firewall there. But today network security no longer has a boundary. There are security threats from outside and from inside. You cannot define the boundary; the approach is a collaborative security solution at different layers. That is, one that integrates switching, firewall, VPN, anti-DDoS, IPS/IDS and anti-virus technologies into one, using multi-layered collaborative protection to secure the network. Based on this design idea, Cisco long ago introduced the 6500 high-end firewall product, which not only supports powerful firewall functions but can also integrate VPN, anti-DDoS and IDS through modular technology, truly embodying the development trend of high-end security products.
Other vendors also saw this trend, but they lack Cisco's end-to-end network products and strong product innovation capability, cannot bring out products that satisfy users, and have not been embraced by the market. For example, Netscreen has no Layer-2 switching technology, while wherever there is demand for a high-end firewall there is necessarily a high-end switch, so high-end firewalls exhibit high throughput, high port density and tight integration with the core switching network, and should have sufficient scalability and flexibility. This means Netscreen has never been able to blend security and networking perfectly, so it can only be positioned in the pure firewall market. Another vendor, Crossbeam, followed this trend and learned from Cisco's design approach, launching a modular, collaborative security product. It is built on blade-server modules running software from different vendors, such as Checkpoint firewall software, Enterasys IDS software and TrendMicro anti-virus software, but each of its modules is a computer server and it has no core technology of its own, which poses great risks for the product's continued development and technical support.
So only Cisco can integrate its own strengths, use its leading technology in every area and innovate continuously to provide users with professional high-end firewall products that fuse various technologies, leading the development trend of network security.

2. Multi-NP processing architecture
There are three main hardware implementation technologies for firewalls: Intel x86 industrial PCs, ASIC hardware acceleration, and NP acceleration.
Intel x86
Because firewalls based on the x86 architecture are constrained by CPU processing power and PCI bus speed, it is hard for them to meet the high-throughput, low-latency requirements of a gigabit firewall. In practice, especially with small packets, a gigabit firewall of this architecture cannot reach gigabit forwarding rates and struggles to meet the requirements of gigabit backbone networks.
ASIC
Using ASIC technology, a dedicated packet-processing pipeline can be designed for the firewall application, optimizing the use of memory and other resources, a technical solution that meets backbone-grade gigabit requirements. But ASIC development is expensive, the development cycle is long and difficult, and implementing new features takes a long time, with a typical design cycle of 18 months; it is very inflexible. A pure-hardware ASIC firewall lacks programmability, which makes it inflexible and unable to keep up with the rapid development of firewall features today. Netscreen is the representative vendor using this technology. ASIC application-level inspection capability is very limited: the standard functions cannot perform deep inspection and cannot recognize attack variants. Deep inspection has too great an impact on performance; for example, the Netscreen 5400's rated firewall throughput is 12G, but its deep-inspection performance is 375M.
NP
An NP (network processor) is programmed in microcode and developed specifically for network packet processing, with an optimized architecture and instruction set, so it offers higher processing performance than an x86 CPU or an ASIC. Moreover, an NP has a dedicated instruction set and a matching software development system, with strong programmability; it can conveniently develop various applications and support extensible services, so it is also more flexible than an ASIC and is the development trend for future high-end firewalls.
Compared with firewalls based on a general-purpose CPU, a firewall based on an NP architecture can achieve a large performance improvement. The network processor makes up for the performance shortfall of a general-purpose CPU architecture while not requiring the large capital and technical accumulation needed to develop an ASIC-based firewall; vendors at home and abroad, to keep their product development and update costs under control, are increasingly considering the NP architecture, which has become the best choice for implementing high-end gigabit firewalls. Cisco's 6500 high-end gigabit firewall uses NP acceleration technology, with single-board performance up to 5.5G, expandable to 4 boards at 20G.

Advantages of the Cisco 6500 high-end firewall
1. Cisco's 6500 high-end firewall can be called the highest-performance firewall product in the industry; all of its modules connect directly to the switch fabric, completely breaking through the bandwidth bottleneck of traditional firewalls that must interconnect over GE/FE links. Each security module can reach 5GB of throughput. A single chassis can hold up to four security modules, for a total processing bandwidth of up to 20GB.
2. Another advantage of Cisco's 6500 high-end firewall is its ample number and variety of physical interfaces, which physically isolate different kinds of traffic and assign different security levels to ports, truly meeting user needs.
3. The multi-NP processing architecture ensures high performance while keeping the cycle for supporting and improving new features very short, for example support for a variety of voice and video services, fully in line with market demand, making your network a secure multi-service network.
4. A firewall can usually hold connection state by adding memory, and so obtain a high maximum connection count. But what matters more in practice is the number of new connections per second; the higher this parameter, the stronger the device's overall processing capability. High-end products sit in the network core, and under a DDoS attack a large number of new connections appear in a short time, so a device with a high value for this parameter withstands attacks better. Cisco's 6500 high-end firewall supports up to 100,000 new connections per second.
5. An important function of a firewall is enforcing security policy; Cisco's 6500 high-end firewall supports up to 80,000 security policies.
6. Cisco's 6500 high-end firewall can use virtual-firewall and transparent-firewall technology to support users' security needs more effectively.

Therefore, as soon as Cisco's 6500 high-end firewall appeared it won users' trust, rose rapidly in the high-end firewall market and took a large share of the market held by ASIC-based firewalls, and its trend keeps improving.
Original poster | Posted on 2008-1-22 06:24:34
Original poster | Posted on 2008-1-27 18:03:05
Introduction to and configuration of the Static Route Tracking feature on the ASA/PIX

Static Route Tracking effectively solves the dual-ISP uplink problem
Problem
A static route has no built-in mechanism to decide whether it is usable: even if the next hop is unreachable, the static route stays in the routing table; only when the ASA's own interface associated with that route goes down is it removed from the routing table.

Solution
The Static Route Tracking feature provides a way to track a static route and install a backup route into the routing table when the primary fails. For example, with two default routes pointing to different ISPs, when the primary ISP goes down the backup ISP link can be activated immediately. It uses ICMP for tracking; if no reply is received within the configured holdtime, the link is considered down, the static route is deleted immediately, and the pre-configured backup route enters the routing table.
Note!!! When configuring, allow ICMP replies on the outside interface (if ICMP restrictions are enabled).

sla monitor sla_id
hostname(config-sla-monitor)# type echo protocol ipIcmpEcho target_ip interface if_name
This must be an address that can be pinged; when this address becomes unavailable, the route tracked by track is removed and the backup route enters the routing table.

sla monitor schedule sla_id [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]
The schedule must be configured, otherwise the tracked route cannot enter the routing table.

hostname(config)# track track_id rtr sla_id reachability

route if_name dest_ip mask gateway_ip [admin_distance] track track_id



sla monitor 1
type echo protocol ipIcmpEcho 202.1.1.2 interface dx

sla monitor schedule 1 start-time now (must be configured, otherwise the tracked route cannot enter the routing table)

track 2 rtr 1 reachability

route dx 0.0.0.0 0.0.0.0 202.1.1.2 1 track 2 (China Telecom)
route wt 0.0.0.0 0.0.0.0 101.1.1.2 2 (China Netcom)

When the configured 202.1.1.2 cannot be pinged, dx 0 0 is removed from the routing table and replaced by wt 0 0; when 202.1.1.2 recovers, it switches back to dx 0 0.

I think everyone runs into this feature in many projects; the ASA solves it effectively.
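The failover behaviour described in this post, and the pitfall it warns about twice (an SLA without a schedule never installs the tracked route), modelled as an added example for this thread (not Cisco code, not the poster's). The parser covers only the subset of syntax used in the post; the set `reachable` stands in for which SLA targets currently answer ICMP.

```python
"""Model of ASA static route tracking: sla monitor -> track -> route ... track.
Added example for this thread, not Cisco code. Reproduces the post's behaviour
and the pitfall that an unscheduled SLA never installs the tracked route."""
from collections import namedtuple
from dataclasses import dataclass, field

# The post's two-ISP example, re-typed as constructed input
# (dx = China Telecom uplink, wt = China Netcom uplink).
CONFIG = """\
sla monitor 1
 type echo protocol ipIcmpEcho 202.1.1.2 interface dx
sla monitor schedule 1 start-time now
track 2 rtr 1 reachability
route dx 0.0.0.0 0.0.0.0 202.1.1.2 1 track 2
route wt 0.0.0.0 0.0.0.0 101.1.1.2 2
"""

# distance = administrative distance (default 1); track = track_id or None
Route = namedtuple("Route", "ifname prefix mask gateway distance track")


@dataclass
class Firewall:
    sla_targets: dict = field(default_factory=dict)  # sla_id -> probed IP
    scheduled: set = field(default_factory=set)      # sla_ids that have a schedule
    tracks: dict = field(default_factory=dict)       # track_id -> sla_id
    routes: list = field(default_factory=list)

    def load(self, text):
        """Parse the subset of ASA syntax used by the post."""
        sla = None
        for raw in text.splitlines():
            t = raw.split()
            if not t:
                continue
            if t[:3] == ["sla", "monitor", "schedule"]:
                self.scheduled.add(int(t[3]))
            elif t[:2] == ["sla", "monitor"]:
                sla = int(t[2])
            elif t[:4] == ["type", "echo", "protocol", "ipIcmpEcho"] and sla is not None:
                self.sla_targets[sla] = t[4]
            elif t[0] == "track" and t[2] == "rtr":
                self.tracks[int(t[1])] = int(t[3])
            elif t[0] == "route":
                rest = t[5:]  # optional [admin_distance] [track track_id]
                dist = int(rest.pop(0)) if rest and rest[0].isdigit() else 1
                track = int(rest[1]) if rest[:1] == ["track"] else None
                self.routes.append(Route(t[1], t[2], t[3], t[4], dist, track))
        return self

    def track_up(self, track_id, reachable):
        """Up only if the SLA is scheduled (so it actually runs) and its target answers."""
        sla = self.tracks.get(track_id)
        return sla in self.scheduled and self.sla_targets.get(sla) in reachable

    def rib(self, reachable):
        """Installed routes: a tracked route needs its track up; lowest AD wins per prefix."""
        best = {}
        for r in self.routes:
            if r.track is not None and not self.track_up(r.track, reachable):
                continue  # withdrawn on failure, or never installed without a schedule
            key = (r.prefix, r.mask)
            if key not in best or r.distance < best[key].distance:
                best[key] = r
        return list(best.values())

    def default_gateway(self, reachable):
        """(interface, next hop) of the active default route, or None if there is none."""
        for r in self.rib(reachable):
            if (r.prefix, r.mask) == ("0.0.0.0", "0.0.0.0"):
                return r.ifname, r.gateway
        return None
```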
Original poster | Posted on 2008-2-4 07:02:41
FWSM(config)# show run
: Saved
:
FWSM Version 2.2(1)
nameif vlan10 outside security0
nameif vlan20 bangong8 security100
nameif vlan2 jsjzx1 security50
nameif vlan7 jsjzx2 security100
nameif vlan3 dmtjs security50
nameif vlan4 jfang1 security100
nameif vlan5 jfang2 security100
nameif vlan6 jfang3 security100
nameif vlan11 bangong security100
nameif vlan12 bangong2 security100
nameif vlan15 bangong3 security100
nameif vlan16 bangong4 security100
nameif vlan17 bangong5 security100
nameif vlan18 bangong6 security100
nameif vlan19 bangong7 security100
nameif vlan21 bangong9 security100
nameif vlan22 xuegongchu security50
nameif vlan23 bangong10 security100
nameif vlan24 bangong11 security100
nameif vlan31 bangong12 security100
nameif vlan32 bangong13 security100
nameif vlan14 tushuguan security50
nameif vlan33 yuelanshi security100
nameif vlan40 qgjifang security100
nameif vlan26 xssushe1 security100
nameif vlan27 xssushe2 security100
nameif vlan28 xssushe3 security100
nameif vlan29 xssushe4 security100
nameif vlan30 xssushe5 security100
nameif vlan34 xssushe6 security100
nameif vlan35 xssushe7 security100
nameif vlan36 xssushe8 security100
nameif vlan13 jiaowuchu security50
enable password lUapVUSIyLfj4k.B encrypted
passwd lUapVUSIyLfj4k.B encrypted
hostname FWSM
ftp mode passive
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
access-list 100 extended permit icmp any any
pager lines 24
mtu outside 1500
mtu bangong8 1500
mtu jsjzx1 1500
mtu jsjzx2 1500
mtu dmtjs 1500
mtu jfang1 1500
mtu jfang2 1500
mtu jfang3 1500
mtu bangong 1500
mtu bangong2 1500
mtu bangong3 1500
mtu bangong4 1500
mtu bangong5 1500
mtu bangong6 1500
mtu bangong7 1500
mtu bangong9 1500
mtu xuegongchu 1500
mtu bangong10 1500
mtu bangong11 1500
mtu bangong12 1500
mtu bangong13 1500
mtu tushuguan 1500
mtu yuelanshi 1500
mtu qgjifang 1500
mtu xssushe1 1500
mtu xssushe2 1500
mtu xssushe3 1500
mtu xssushe4 1500
mtu xssushe5 1500
mtu xssushe6 1500
mtu xssushe7 1500
mtu xssushe8 1500
mtu jiaowuchu 1500
ip address outside 172.16.1.201 255.255.255.0
ip address bangong8 202.206.148.129 255.255.255.224
ip address jsjzx1 202.206.144.33 255.255.255.224
ip address jsjzx2 202.206.144.65 255.255.255.192
ip address dmtjs 202.206.144.129 255.255.255.128
ip address jfang1 202.206.145.1 255.255.255.0
ip address jfang2 202.206.146.1 255.255.255.0
ip address jfang3 202.206.147.1 255.255.255.0
ip address bangong 202.206.148.1 255.255.255.192
ip address bangong2 202.206.148.193 255.255.255.224
ip address bangong3 202.206.148.65 255.255.255.224
ip address bangong4 202.206.149.1 255.255.255.192
ip address bangong5 202.206.149.65 255.255.255.192
ip address bangong6 202.206.149.97 255.255.255.224
ip address bangong7 202.206.149.129 255.255.255.192
ip address bangong9 202.206.148.161 255.255.255.224
ip address xuegongchu 202.206.149.193 255.255.255.192
ip address bangong10 202.206.150.1 255.255.255.192
ip address bangong11 202.206.150.65 255.255.255.192
ip address bangong12 202.206.150.129 255.255.255.192
ip address bangong13 202.206.151.129 255.255.255.128
ip address tushuguan 202.206.152.1 255.255.255.128
ip address yuelanshi 202.206.152.129 255.255.255.128
ip address qgjifang 202.206.159.1 255.255.255.0
ip address xssushe1 202.206.155.65 255.255.255.192
ip address xssushe2 202.206.154.1 255.255.255.128
ip address xssushe3 202.206.154.129 255.255.255.128
ip address xssushe4 202.206.155.1 255.255.255.192
ip address xssushe5 202.206.155.129 255.255.255.128
ip address xssushe6 202.206.156.1 255.255.255.128
ip address xssushe7 202.206.156.129 255.255.255.128
ip address xssushe8 202.206.157.1 255.255.255.128
ip address jiaowuchu 202.206.151.1 255.255.255.192
no failover
failover lan unit secondary
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
no pdm history enable
arp timeout 14400
global (outside) 1 interface
access-group 100 in interface outside
!
interface outside

  shutdown
!
!
interface bangong8

!
!
interface jsjzx1

!
!
interface jsjzx2
!
!
interface dmtjs

!
!
interface jfang1

!
!
interface jfang2

!
!
interface jfang3

!
!
interface bangong

!
!
interface bangong2
!
!
interface bangong3

!
!
interface bangong4

!
!
interface bangong5

!
!
interface bangong6

!
!
interface bangong7

!
!
interface bangong9
!
!
interface xuegongchu


!
!
interface bangong10

!
!
interface bangong11

!
!
interface bangong12

!
!
interface bangong13

!
!
interface tushuguan
!
!
interface yuelanshi

!
!
interface qgjifang

!
!
interface xssushe1

!
!
interface xssushe2

!
!
interface xssushe3

!
!
interface xssushe4
!
!
interface xssushe5

!
!
interface xssushe6

!
!
interface xssushe7

!
!
interface xssushe8

!
!
interface jiaowuchu

!


!            

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
floodguard enable
fragment size 200 outside
fragment chain 24 outside
fragment size 200 bangong8
fragment chain 24 bangong8
fragment size 200 jsjzx1
fragment chain 24 jsjzx1
fragment size 200 jsjzx2
fragment chain 24 jsjzx2
fragment size 200 dmtjs
fragment chain 24 dmtjs
fragment size 200 jfang1
fragment chain 24 jfang1
fragment size 200 jfang2
fragment chain 24 jfang2
fragment size 200 jfang3
fragment chain 24 jfang3
fragment size 200 bangong
fragment chain 24 bangong
fragment size 200 bangong2
fragment chain 24 bangong2
fragment size 200 bangong3
fragment chain 24 bangong3
fragment size 200 bangong4
fragment chain 24 bangong4
fragment size 200 bangong5
fragment chain 24 bangong5
fragment size 200 bangong6
fragment chain 24 bangong6
fragment size 200 bangong7
fragment chain 24 bangong7
fragment size 200 bangong9
fragment chain 24 bangong9
fragment size 200 xuegongchu
fragment chain 24 xuegongchu
fragment size 200 bangong10
fragment chain 24 bangong10
fragment size 200 bangong11
fragment chain 24 bangong11
fragment size 200 bangong12
fragment chain 24 bangong12
fragment size 200 bangong13
fragment chain 24 bangong13
fragment size 200 tushuguan
fragment chain 24 tushuguan
fragment size 200 yuelanshi
fragment chain 24 yuelanshi
fragment size 200 qgjifang
fragment chain 24 qgjifang
fragment size 200 xssushe1
fragment chain 24 xssushe1
fragment size 200 xssushe2
fragment chain 24 xssushe2
fragment size 200 xssushe3
fragment chain 24 xssushe3
fragment size 200 xssushe4
fragment chain 24 xssushe4
fragment size 200 xssushe5
fragment chain 24 xssushe5
fragment size 200 xssushe6
fragment chain 24 xssushe6
fragment size 200 xssushe7
fragment chain 24 xssushe7
fragment size 200 xssushe8
fragment chain 24 xssushe8
fragment size 200 jiaowuchu
fragment chain 24 jiaowuchu
telnet timeout 5
ssh timeout 5
terminal width 80
no gdb enable
Cryptochecksum:422e1b774c1f4b88a921009363cb5863
: end
Posted on 2008-3-15 03:20:54
Such a strong thread, I really don't want to reply and interrupt it!!
Original poster | Posted on 2008-3-29 20:08:18
FWSM configuration notes and lessons learned

1. Unlike the PIX and ASA, by default the FWSM does not allow pinging any interface of a virtual firewall; if you want ping to work, you must enable it on the interface (icmp permit any inside/outside);
PS: I learned this the hard way. When upgrading the OS I could not ping the FTP server no matter what, and it took a long time to discover that the FWSM has this characteristic. Phew!!!

2. Another difference between the FWSM and the PIX/ASA: by default the FWSM does not allow access from a higher-security-level interface to a lower-security-level network unless an ACL explicitly permits it (access from a high security level to a low one also requires an ACL written and applied to the high-security-level interface that explicitly permits it); whereas the PIX and ASA by default allow access from a higher-security-level interface to a lower-security-level network, and no ACL has to be applied to the high-security-level interface to permit it explicitly;
Note!!! With same-security permit enabled, the ASA by default allows access between interfaces of the same security level without an ACL.

3. In 7.0 and on the FWSM, ACLs can be written in the OUT direction; 6.3 cannot.

4. 7.0 and the FWSM allow interfaces of the same security level to access each other, which can be enabled with same-security-traffic permit inter-interface; 6.3 cannot.

5. By default the FWSM supports only two security contexts (not counting the admin context). This is the same as the ASA.

6. When converting from single to multiple mode, sometimes after entering mode multiple and letting the firewall module restart automatically, show mode still reports single mode; mode multiple has to be entered several times before it switches to multiple context mode (as shown by show mode). This is rather odd; the version was 2.3(3).
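Points 2 to 4 above are the cases that trip people up when moving a PIX/ASA policy onto an FWSM. The decision model below is an added example for this thread (not Cisco code, not the poster's): ACLs are reduced to (action, protocol, port) entries with "ip"/"any" wildcards, and `allowed` answers whether a flow entering one interface and leaving another passes on each platform, so the difference with no ACL applied becomes explicit. The interface names and levels in the test come from the routed-mode config earlier in the thread.

```python
"""Decision model for FWSM vs PIX/ASA inter-interface policy.
Added example for this thread, not Cisco code. ACE = (action, proto, port),
with 'ip' matching any protocol and 'any' matching any port."""
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    level: int                                    # security-level
    inbound: list = field(default_factory=list)   # ACEs applied 'in' on this interface
    outbound: list = field(default_factory=list)  # ACEs applied 'out' (7.0 and FWSM only)


def match_acl(aces, proto, port):
    """First matching ACE decides; an applied ACL ends in an implicit deny."""
    for action, a_proto, a_port in aces:
        if a_proto in (proto, "ip") and a_port in (port, "any"):
            return action == "permit", f"{action} {a_proto} {a_port}"
    return False, "implicit deny"


def allowed(platform, same_security, src, dst, proto, port):
    """Return (permitted, reason) for a flow that enters src and leaves dst.

    platform is 'FWSM' or 'ASA' (PIX 7.0 behaves like ASA here); same_security
    is whether 'same-security-traffic permit inter-interface' is configured.
    """
    if src.level == dst.level and not same_security:
        return False, "same security level without same-security-traffic permit inter-interface"
    if src.inbound:
        ok, why = match_acl(src.inbound, proto, port)
        if not ok:
            return False, f"inbound ACL on {src.name}: {why}"
    elif platform == "FWSM":
        # Point 2: the FWSM passes nothing without an ACL, even from high to low.
        return False, f"FWSM: no ACL applied in on {src.name}"
    elif src.level < dst.level:
        return False, f"{platform}: low -> high needs an ACL"
    # ASA with no ACL: high -> low, or same level with the permit, passes by default.
    if dst.outbound:  # point 3: an out-direction ACL on the egress interface also applies
        ok, why = match_acl(dst.outbound, proto, port)
        if not ok:
            return False, f"outbound ACL on {dst.name}: {why}"
    return True, "permitted"
```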