Original poster: network

Cisco Catalyst 6509 Switch FWSM Firewall Module Configuration Reference Collection

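Posted on 2008-6-27 11:12:04
Heh, I haven't been here for a long time, just dropping by to chat...
Original poster | Posted on 2008-10-19 06:48:27
FWSM transparent mode: PC cannot communicate with the MSFC gateway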


MSFC
   |     vlan 5
   |
FWSM
   |     vlan 6
   |
PC

The MSFC gateway address on int vlan5 is 1.1.1.1/24, the FWSM transparent-mode management address is 1.1.1.2/24, and the PC address is 1.1.1.10/24.


FWSM/contexta# sho run
: Saved
:
FWSM Version 3.2(2) <context>
!
firewall transparent
hostname contexta
domain-name cisco.com
enable password 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan5
nameif outside
security-level 0
bridge-group 1
!
interface Vlan6
nameif inside
security-level 100
bridge-group 1
!
passwd 2KFQnbNIdI.2KYOU encrypted
interface bvi 1
ip address 1.1.1.2 255.255.255.0
access-list out-to-in extended permit ip any any
access-list out-to-in extended permit icmp any any
access-list in-to-out extended permit ip any any
access-list in-to-out extended permit icmp any any
pager lines 24
logging enable
logging timestamp
logging standby
logging trap informational
logging history notifications
mtu outside 1500
mtu inside 1500
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
static (inside,outside) 10.19.81.0 10.19.81.0 netmask 255.255.255.0
access-group out-to-in in interface outside
access-group in-to-out in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
!            
class-map inspection_default
match default-inspection-traffic
!            
!            
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:7d7fcf8bfa1ab8a99e23281c571105f4
: end
FWSM/contexta#

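From the FWSM I can ping 1.1.1.1 on the MSFC, and I can ping the PC at 1.1.1.10.
From the PC I cannot ping 1.1.1.1; arp -a correctly resolves the MAC of the gateway 1.1.1.1.
On the MSFC I can also see the correct ARP entry for the PC.

I ran a capture on the firewall and pinged 1.1.1.10 from the MSFC with count=1000.
The output is as follows: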
FWSM/contexta# sho capture 2 detail
220 packets seen, 220 captured
   1: 03:15:45.75507590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 75)
   2: 03:15:45.75507590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 75)
   3: 03:15:47.75509590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 76)
   4: 03:15:47.75509590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 76)
   5: 03:15:49.75511590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 77)
   6: 03:15:49.75511590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 77)
   7: 03:15:51.75513590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 78)
   8: 03:15:51.75513590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 78)
   9: 03:15:53.75515590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 79)
  10: 03:15:53.75515590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 79)
  11: 03:15:55.75517590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 80)
  12: 03:15:55.75517590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 80)
  13: 03:15:57.75519590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 81)
  14: 03:15:57.75519590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 81)
  15: 03:15:59.75521590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 82)
  16: 03:15:59.75521590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 82)
  17: 03:16:01.75523590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 83)
  18: 03:16:01.75523590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 83)
  19: 03:16:03.75525590 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#5
P0 1.1.1.1 > 1.1.1.10: icmp: echo request (ttl 255, id 84)
  20: 03:16:03.75525600 001e.4947.cc00 0016.4114.d4e6 0x8100 118: 802.1Q vlan#6

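But when I ping the MSFC at 1.1.1.1 from the PC, the capture shows no data at all.
When bridging between two VLANs, how are the tags on the trunk between the MSFC and the FWSM told apart?

Does transparent mode need any additional command enabled?
Original poster | Posted on 2008-10-19 06:51:05
After I removed interface vlan 6 on the MSFC, the inside hosts could communicate normally.

In my opinion, because the MSFC had an interface in vlan 6, hosts in vlan 6 looked for the gateway on the MSFC first, so traffic could not get out. After removing the interface, the FWSM bridge group works normally and communication is normal.
Original poster | Posted on 2008-10-19 06:52:43
A strange FWSM problem... (pending) The problem has been solved.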


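Environment: FWSM active/active deployment, transparent mode.

Problem: outside users cannot reach hosts behind the firewall. Only after the host itself sends a packet out (for example, pinging the gateway or a host in another VLAN) can outside users reach that host (including ICMP ping).

Once it works it keeps working, but after a long period without traffic it fails again, and the host inside the firewall has to ping outward once more before it works.

Transparent mode does not support NAT, and when I ran show xlate I found that translation entries already existed, but ping still fails (as do other applications such as HTTP and FTP).

What is the problem here?

The configuration files are as follows:

1. FWSM configuration: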
IDC-FWSM-01# show run
: Saved
:
FWSM Version 3.1(4) <system>

!
interface Vlan8
description LAN Failover Interface
!
interface Vlan9
description STATE Failover Interface
!
interface Vlan10
!
interface Vlan11
!
interface Vlan20
!
interface Vlan21
!            
interface Vlan30
!
interface Vlan31
!
interface Vlan40
!
interface Vlan41
!
interface Vlan50
!
interface Vlan51
!
interface Vlan60
!
interface Vlan61
!
passwd 2KFQnbNIdI.2KYOU encrypted
class default
  limit-resource IPSec 5
  limit-resource Mac-addresses 65535
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
  limit-resource All 0
!
ftp mode passive
pager lines 24
failover
failover lan unit secondary
failover lan interface faillink Vlan8
failover link statelink Vlan9
failover interface ip faillink 172.16.250.49 255.255.255.252 standby 172.16.250.50
failover interface ip statelink 172.16.250.53 255.255.255.252 standby 172.16.250.54
failover group 1
  preempt
  replication http
failover group 2
  secondary
  preempt
  replication http
no asdm history enable
arp timeout 14400
username cisco password 3USUcOPFUiMCO4Jk encrypted
console timeout 0
admin-context admin
context admin
  config-url disk:/admin.cfg
!
context contexta
  allocate-interface Vlan10
  allocate-interface Vlan11
  allocate-interface Vlan20
  allocate-interface Vlan21
  allocate-interface Vlan30
  allocate-interface Vlan31
  config-url disk:/contexta.cfg
  join-failover-group 1
!
context contextb
  allocate-interface Vlan40
  allocate-interface Vlan41
  allocate-interface Vlan50
  allocate-interface Vlan51
  allocate-interface Vlan60
  allocate-interface Vlan61
  config-url disk:/contextb.cfg
  join-failover-group 2
!            


2. CONTEXTA configuration:

IDC-FWSM-01/admin# changeto context a?
  WORD  
IDC-FWSM-01/admin# changeto context contexta
IDC-FWSM-01/contexta# show run
: Saved
:
FWSM Version 3.1(4) <context>
!
firewall transparent
hostname contexta
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan10
nameif inside10
bridge-group 10
security-level 100
asr-group 1
!
interface Vlan11
nameif outside11
bridge-group 10
security-level 0
asr-group 1
!
interface Vlan20
nameif inside20
bridge-group 20
security-level 100
asr-group 1  
!
interface Vlan21
nameif outside21
bridge-group 20
security-level 0
asr-group 1
!
interface Vlan30
nameif inside30
bridge-group 30
security-level 100
asr-group 1
!
interface Vlan31
nameif outside31
bridge-group 30
security-level 0
asr-group 1
!
interface BVI10
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
same-security-traffic permit inter-interface
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any
access-list inside10_ether_in ethertype permit any
access-list inside10_ether_out ethertype permit any
access-list inside20_ether_in ethertype permit any
access-list inside20_ether_out ethertype permit any
access-list inside30_ether_in ethertype permit any
access-list inside30_ether_out ethertype permit any
access-list outside11_ether_in ethertype permit any
access-list outside11_ether_out ethertype permit any
access-list outside21_ether_in ethertype permit any
access-list outside21_ether_out ethertype permit any
access-list outside31_ether_in ethertype permit any
access-list outside31_ether_out ethertype permit any
pager lines 24
logging enable
logging asdm informational
mtu inside10 1500
mtu outside11 1500
mtu inside20 1500
mtu outside21 1500
mtu inside30 1500
mtu outside31 1500
monitor-interface inside10
monitor-interface outside11
monitor-interface inside20
monitor-interface outside21
monitor-interface inside30
monitor-interface outside31
icmp permit any inside10
icmp permit any outside11
icmp permit any inside20
icmp permit any outside21
icmp permit any inside30
icmp permit any outside31
no asdm history enable
arp timeout 14400
access-group inside10_ether_in in interface inside10
access-group inside10_ether_out out interface inside10
access-group 100 in interface inside10
access-group outside11_ether_in in interface outside11
access-group outside11_ether_out out interface outside11
access-group 100 in interface outside11
access-group inside20_ether_in in interface inside20
access-group inside20_ether_out out interface inside20
access-group 100 in interface inside20
access-group outside21_ether_in in interface outside21
access-group outside21_ether_out out interface outside21
access-group 100 in interface outside21
access-group inside30_ether_in in interface inside30
access-group inside30_ether_out out interface inside30
access-group 100 in interface inside30
access-group outside31_ether_in in interface outside31
access-group outside31_ether_out out interface outside31
access-group 100 in interface outside31
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside10
http 0.0.0.0 0.0.0.0 inside20
http 0.0.0.0 0.0.0.0 inside30
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside10
telnet 0.0.0.0 0.0.0.0 outside11
telnet 0.0.0.0 0.0.0.0 inside20
telnet 0.0.0.0 0.0.0.0 outside21
telnet 0.0.0.0 0.0.0.0 inside30
telnet 0.0.0.0 0.0.0.0 outside31
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!            
: Saved
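Original poster | Posted on 2008-10-19 06:53:08
The strange problems have been solved.

First problem:

Outside users cannot reach hosts behind the firewall. Only after the host itself sends a packet out (for example, pinging the gateway or a host in another VLAN) can outside users reach that host (including ICMP ping).

Once it works it keeps working, but after a long period without traffic it fails again, and the host inside the firewall has to ping outward once more before it works.

One more point: the PC could ping the gateway IP (the interface vlan IP) of only one of the two 6509s, and only the interface IP on the unit where HSRP was in standby; it could also ping the HSRP floating IP.

In the end it turned out to be a configuration problem on the 6509 RS engine.

On the 6509 I had configured: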
interface vlan 10
no shutdown

interface vlan 11
ip add xxx.xxx.xxx.xxx
standby 11 ip xxx.xxx.xxx
standby xxxxxxxxxxx
no shutdown
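and added vlan 10 and 11 to the firewall group,
and finally bridged vlan 10 and vlan 11 inside the context.

The cause of the ping problem was that I had created interface vlan 10 on the 6509 and set it to no shutdown.

The fix is to shut down or delete that interface vlan. (VLAN 10 is just one of the VLANs; every other VLAN that needs bridging must be changed the same way.)

Second problem: the FWSM would not boot and the status LED was off. show module showed PWRdown. We eventually did an RMA; after the replacement part arrived and we swapped it in and tested, we found that the image file in the flash (CF) was bad.


Third problem: another reseller deployed two PC servers in our customer's environment, OS: Windows 2003, with the Network Load Balancing protocol enabled.
Symptom: a PC in the same VLAN could ping the load-balanced virtual IP, but the 6509 could not ping it no matter what; neither show arp nor show mac-address dy address showed a MAC address for this virtual IP (since the PC could ping it, the 6509's MAC table should in principle have had the virtual IP's MAC address).

Packet capture analysis: in the ARP packets, the MAC address answered for the virtual IP was a multicast MAC address (the source MAC of the reply was the real NIC MAC of the two WIN2003 servers), and the Cisco switch cannot record this multicast MAC address. As a temporary workaround I did an ARP binding, binding the virtual IP to the MAC address. That made it work... but load balancing was no longer possible.

Looking up material on Windows 2003 Network Load Balancing, I found that the protocol has two deployment modes, unicast and multicast. Changing the WIN2003 load balancing mode to unicast fixed it. (This problem took the most time.)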
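
The first problem in this post, like the earlier vlan 5 / vlan 6 case, came from an active SVI on the MSFC for both VLANs of one FWSM bridge group. The following Python script is an added example, not part of the original post and not Cisco tooling, that cross-checks the two configurations for that condition. It assumes at most one VLAN per bridge group should have an active SVI; the MSFC excerpt, its addresses and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
IFACE = re.compile(r"^interface\s+vlan\s*(\d+)$", re.I)

def vlan_stanzas(config):
    """Yield (vlan, [sub-commands]) for each 'interface VlanN' stanza."""
    # Ends at '!', a blank line or the next 'interface': pasted output loses indentation.
    vlan, body = None, []
    for raw in config.splitlines():
        line = raw.strip()
        m = IFACE.match(line)
        if m or line in ("", "!") or line.lower().startswith("interface "):
            if vlan is not None:
                yield vlan, body
            vlan, body = (int(m.group(1)) if m else None), []
        elif vlan is not None:
            body.append(line.lower())
    if vlan is not None:
        yield vlan, body

def bridge_groups(fwsm_context_cfg):
    """bridge-group number -> set of member VLANs (transparent-mode context)."""
    groups = defaultdict(set)
    for vlan, body in vlan_stanzas(fwsm_context_cfg):
        for m in filter(None, (re.match(r"bridge-group\s+(\d+)$", c) for c in body)):
            groups[int(m.group(1))].add(vlan)
    return groups

def active_svis(msfc_cfg):
    """VLAN -> has_ip, for every SVI on the MSFC that is not shut down."""
    return {vlan: any(re.match(r"ip add\w*\s", c) for c in body)
            for vlan, body in vlan_stanzas(msfc_cfg) if "shutdown" not in body}

def find_conflicts(msfc_cfg, fwsm_context_cfg):
    """(group, VLANs with an active SVI, those of them without an IP) for each
    bridge group in which more than one member VLAN has an active SVI."""
    svis = active_svis(msfc_cfg)
    findings = []
    for group, vlans in sorted(bridge_groups(fwsm_context_cfg).items()):
        up = sorted(v for v in vlans if v in svis)
        if len(up) > 1:
            findings.append((group, up, [v for v in up if not svis[v]]))
    return findings

# Constructed MSFC excerpt; addresses are documentation ranges, not from the thread.
MSFC_CFG = """
interface Vlan10
 no ip address
interface Vlan11
 ip address 192.0.2.2 255.255.255.0
interface Vlan20
 shutdown
interface Vlan21
 ip address 198.51.100.2 255.255.255.0
"""
# VLAN-to-bridge-group pairs as in the contexta configuration quoted in the thread.
FWSM_CFG = "\n!\n".join(f"interface Vlan{v}\nbridge-group {g}"
                        for v, g in [(10, 10), (11, 10), (20, 20), (21, 20)])
print(find_conflicts(MSFC_CFG, FWSM_CFG))
```

Bridge group 10 is reported because VLAN 10 and VLAN 11 both have an active SVI, and VLAN 10 (no IP address) is listed as the one to shut down or remove; bridge group 20 passes because the VLAN 20 SVI is shut down.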
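Original poster | Posted on 2008-11-5 05:31:59
Sharing FWSM experience


Previously we used a neteye firewall, which also had some small bugs, for example UDP port 123 not working well, and so on.

After switching to the FWSM we also found some problems, which I am sharing here:

1 Mail did not work well. Fix: deleting the firewall's default inspect esmtp made it OK. It is related to the mail application-layer settings; we use a SUN mail system, and supposedly its mail fields are non-standard... Experts can read RFC82

2 After deployment, even with permit icmp any any enabled, a trace from inside the firewall still showed all ***. Fix: keep the inspect icmp command and do not delete it.

3 After the FWSM was configured, applications related to sqlnet did not work properly.
Fix: no inspect sqlnet

4 cute ftp could not log in via web (the command line could).

no ftp mode passive (Note: if virtual firewalls are enabled, this command does not exist there. It has to be entered under the management firewall to work.)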

class-map ftp-port
match port tcp eq ftp

policy-map sample_policy
class ftp-port
  inspect ftp
!
service-policy sample_policy interface outside


Another solution: switching the FTP server mode to passive mode also works.
Original poster | Posted on 2008-11-5 05:32:58
FWSM 3.2 new feature index (reference)


FWSM 3.2 is a feature rich release that focuses in the areas of flexible management options, scalability improvements, expanded inspection support, network collaboration, and network integration.

A summary of the features are as follows:

Flexible Management Options
SNMP enhancements
AAA in system context
Command authorization enhancements

Scalability Improvements
Knob for dynamic reallocation of limits
URL Filtering feature performance

Expanded Inspection Support
MS-RPC Inspection feature
Support for H.323 GUP
RTSP PAT support
SIP enhancements

Network Collaboration
Interoperability with WAAS

Enhanced Network Integration
Transparent Firewall NAT/PAT
TCP state bypass
(non TCP) timeout on per flow basis
GGSN load-balancing
IOS auto state
DHCP replay - per interface

Routing Support
BGP stub
Miscellaneous features/fixes


Please refer to the following collateral for more information on FWSM 3.2:

Documentation: http://www.cisco.com/en/US/produ ... 186a0080697fb0.html

What's new in v3.2: http://www.cisco.com/en/US/produ ... 00aecd805c34ca.html

ASDM for 3.2: http://www.cisco.com/en/US/produ ... 00aecd803ded77.html

FWSM 3.2 At a Glance: http://www.cisco.com/application ... 900aecd805c34d3.pdf

3.2 Data sheet: http://wwwin.cisco.com/marketing ... 6500_7600_ds_ex.pdf

FWSM EAL4 Certification: http://wwwin.cisco.com/data-shar ... M/eal4_asa_fwsm.ppt

Internal FAQ for 3.2: http://wwwin.cisco.com/data-shar ... .2_internal_faq.pdf

Technical Overview on BGP feature in 3.2: http://bock-bock.cisco.com/~cpag ... Pstub_FWSM_V0.2.pdf

Technical Overview of support for MS-RPC in 3.2: http://bock-bock.cisco.com/~cpag ... /MSRPC-app-note.doc

Understanding ACL memory utilization in 3.2: http://bock-bock.cisco.com/~cpag ... SM-ACL_part_mgr.doc

WP on Deploying FWSM 3.2 with WAAS: http://wwwin.cisco.com/data-shar ... ntegration_v2.0.doc

Technical overview of SNMP MIB enhancements in 3.2: http://bock-bock.cisco.com/~cpag ... .2/SNMP_Summary.pdf

Internal training Material for 3.2:
http://bock-bock.cisco.com/~cpag ... 3.2/FWSM3.2_NPI.ppt
http://wwwin.cisco.com/data-shar ... l_training_v3.2.ppt

Scaling FWSM to 20 Gbps (Flash): http://cisco.partnerelearning.co ... 0&ledefid=20748

VoD on 3.2 features: http://wwwin-tools.cisco.com/cmn/jsp/index.jsp?id=58107 (Chris Paggen)

VoD on 4.0 futures  (LAN Campus):  http://vsearch.cisco.com/?cid=2095  (Mun Hossain)

External site: http://www.cisco.com/en/US/produ ... 6/ps4452/index.html
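Original poster | Posted on 2008-11-6 16:03:59
Notice on strengthening FWSM/ASA stable operation and performance tuning!

[Reposted]

With thanks!

Three key points:
1. Configure a Syslog Server in day-to-day operation (to record running state and alarms)
2. Follow the Action Plan when troubleshooting (Show and Capture)
3. Emergency fallback design (SW clear ARP and Bypass Firewall)

Policy key point: speak up early, and speak up properly!

The full text follows: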

FWSM/ASA setup best practise -- 2 mandatory design & 4 Actions you must know

2 Mandatory design :

1. For critical firewall application, besides the Firewall failover pair.
It is always a must to design a standby L3 switch (policy routing or cold standby) for emergency failure.

2. Make sure in critical firewall environment you have following logging config enabled.
Cause log message of cisco firewall is key for troubleshooting.

logging enable
logging timestamp
logging standby
logging buffer-size 1048576
logging monitor info
logging buffered informational
logging trap informational
logging host outside 172.16.200.2 <--the syslog server's IP  (syslog server is a must for firewall system)


4 FWSM/ASA troubleshooting action plan that all the field engineer need to know :
   1. collect  "show conn long 5"  "show tech " "show local-host" "show xlate" while problem happen

   2.capture the traffic at Vlan61 & Vlan100 as below:

     access-list 101 extended permit ip host 1.1.1.1 host 2.2.2.2
<---1.1.1.1 & 2.2.2.2 is vpn client , telnet server's IP.
     access-list 101 extended permit ip host 2.2.2.2 host 1.1.1.1

capture CAPOUTSIDE access-list 101 buffer 1024000 interface outside
capture CAPDMZ access-list 101 buffer 1024000 interface dmz
*use circular-buffer if needed
capture cc circular-buffer buffer 512000 interface outside

show capture CAPOUTSIDE to view the captured packet.
show capture CAPDMZ

copy /pcap capture:CAPOUTSIDE  tftp:1.1.1.1/CAPOUTSIDE.pcap to collect the captured packet. View it via ethereal (www.ethereal.com).


3. follow procedure below while problem happening:
-------------------------
"clear service-policy global"
"clear asp drop "

If problem still happen , pls collect following info:


"show local-host detail" while the connection fail.
"show service-policy" two times at 60 seconds while connection fail
"show asp drop" two times at 60 seconds while connection fail

4. For Internet FWSM , consider following config to prevent FWSM from overload by a single host:

nat (inside) 1 access-list nwu tcp 50 10 udp 50
* nwu is an access-list matching traffic which need to be restricted.

after config done,
make sure you have done clear local-host to make config work
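
The logging baseline in the post above can be checked against a saved running-config before an incident rather than during one. The following Python script is an added example, not part of the reposted notice and not a Cisco tool; its function names are hypothetical, and treating "informational or more verbose" as the required level for monitor, buffered and trap is an assumption taken from the values the post lists.

```python
LEVELS = ["emergencies", "alerts", "critical", "errors", "warnings",
          "notifications", "informational", "debugging"]
WANTED = LEVELS.index("informational")  # severity used by the post's baseline

def level_of(word):
    """Resolve a severity keyword, unique abbreviation ('info') or digit to 0-7."""
    if word.isdigit():
        return int(word) if int(word) < len(LEVELS) else None
    hits = [i for i, name in enumerate(LEVELS) if name.startswith(word.lower())]
    return hits[0] if len(hits) == 1 else None

def audit_logging(config):
    """Return {directive: problem} for each baseline logging item not satisfied."""
    seen, levels = set(), {}
    for raw in config.splitlines():
        words = raw.split()
        if len(words) < 2 or words[0] != "logging":
            continue  # also skips negated 'no logging ...' lines
        key, args = words[1], words[2:]
        if key in ("enable", "timestamp", "standby"):
            seen.add(key)
        elif key in ("monitor", "buffered", "trap") and args:
            levels[key] = level_of(args[0])
        elif key == "buffer-size" and args and args[0].isdigit():
            seen.add(key)
        elif key == "host" and len(args) >= 2:  # logging host <interface> <ip>
            seen.add(key)
    required = ("enable", "timestamp", "standby", "buffer-size", "host")
    findings = {k: "missing" for k in required if k not in seen}
    for key in ("monitor", "buffered", "trap"):
        lvl = levels.get(key)
        if lvl is None:
            findings[key] = "missing or unrecognised level"
        elif lvl < WANTED:
            findings[key] = f"{LEVELS[lvl]} is less verbose than informational"
    return findings

# The logging baseline as listed in the post above.
BASELINE = """
logging enable
logging timestamp
logging standby
logging buffer-size 1048576
logging monitor info
logging buffered informational
logging trap informational
logging host outside 172.16.200.2
"""
# The logging lines from the first contexta 'sho run' earlier in this thread.
THREAD_CONTEXTA = """
logging enable
logging timestamp
logging standby
logging trap informational
logging history notifications
"""

for name, cfg in (("baseline", BASELINE), ("contexta", THREAD_CONTEXTA)):
    print(name, audit_logging(cfg))
```

Run against the contexta configuration from the first question in this thread, it reports that no syslog host, buffer size, buffered level or monitor level is configured.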
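Posted on 2009-3-20 15:46:01

What you wrote is really good~~ bump~~~~`````~ bump

You are my reason for living, do you know
You are the pillar of my life, do you know
I posted in the wrong place, do you know. What you wrote is really good~~~~~~ bump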
Posted on 2009-4-18 00:02:57
Learning, learning!!!!!!!!!!!!