Cisco FWSM 双context的配置
在6509的模式下,用session slot *** pro 1进入防火墙模块。
将在6509上配置的用于防火墙模块的接口用nameif命令设为防火墙模块的接口,其余的和配置pix差不多。
如果要建立虚拟防火墙,用命令mode mult。
pix只支持2个虚拟防火墙。命令一样。
FWSM# sh run
: Saved
:
FWSM Version 3.1(3)
!
resource acl-partition 12
hostname FWSM
enable password 8Ry2YjIyt7RRXU24 encrypted
!
interface Vlan3
!
interface Vlan4
!
interface Vlan5
!
passwd 2KFQnbNIdI.2KYOU encrypted
class default
limit-resource All 0
limit-resource IPSec 5
limit-resource Mac-addresses 65535
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0
admin-context admin
context admin
allocate-interface Vlan3
allocate-interface Vlan4
config-url disk:/admin.cfg
!
context hello
allocate-interface Vlan3
allocate-interface Vlan5
config-url disk:/hello.cfg
!
prompt hostname context
Cryptochecksum:348705fbf2827de8f695d6cd4aeb51db
: end
FWSM/admin# sh run
: Saved
:
FWSM Version 3.1(3)
!
hostname FWSM
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan4
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan3
nameif outside
security-level 0
ip address 209.165.201.2 255.255.255.224
!
passwd 2KFQnbNIdI.2KYOU encrypted
access-list INTERNET remark -Allows inside hosts to access the outside for any IP traffic
access-list INTERNET extended permit ip any any
access-list INTERNET extended permit tcp any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 209.165.201.10-209.165.201.29
static (inside,outside) 209.165.201.30 10.1.1.75 netmask 255.255.255.255
access-group INTERNET in interface outside
access-group INTERNET out interface outside
access-group INTERNET in interface inside
access-group INTERNET out interface inside
route outside 0.0.0.0 0.0.0.0 209.165.201.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.1.1.75 255.255.255.255 inside
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
class-map default
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect smtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:f3afdfc70c6e3eee30bf86a083439ba9
: end
在路由下配:
interface Vlan3
ip address 209.165.201.1 255.255.255.224
!
文章转载至