
CCIE那点事-李萧明

The blog has moved to www.jdccie.com (CCIE那点事); stay tuned.

Cisco FWSM routed-mode configuration examples [FWSM in front of and behind the MSFC]

2011-03-28 23:25:00 | Category: Deployment experience

Routed-mode configuration examples
The FWSM can sit either in front of the MSFC or behind it.
Three configuration examples follow.

1
OUTSIDE——MSFC—vlan10—FWSM—vlan20—CORE——HOST: configuration steps
· Create the Layer 3 interface on the MSFC that the FWSM will use as its gateway. This is done in global config mode.
    MSFC(config)#interface vlan 10
    MSFC(config-int)#ip address 206.10.10.1 255.255.255.0
    MSFC(config-int)#no shutdown
· Define a VLAN group for the Firewall Module and assign the VLANs to the module.
    MSFC(config)#firewall vlan-group 1 10,20
    MSFC(config)#firewall module 3 vlan-group 1
· Session to the FWSM. In enable mode, type "session slot <module #> proc 1". For this example we assume the FWSM is in slot 3 of the chassis.
    MSFC#session slot 3 proc 1
· Create the Layer 3 interfaces on the FWSM. The command is "nameif <vlan #> <interface name> <security level>" in global config mode.
    FWSM(config)#nameif 10 outside 0
    FWSM(config)#ip address outside 206.10.10.2 255.255.255.0
    FWSM(config)#nameif 20 inside 100
    FWSM(config)#ip address inside 10.20.20.1 255.255.255.0
· Add a default route pointing out the outside interface on the FWSM.
    FWSM(config)#route outside 0.0.0.0 0.0.0.0 206.10.10.1 1
· Configure a STATIC NAT entry for hosts A and B so that they are reachable by outside users.
    FWSM(config)#static (inside,outside) 206.10.10.25 10.20.20.25 netmask 255.255.255.255   (Host A)
    FWSM(config)#static (inside,outside) 206.10.10.26 10.20.20.26 netmask 255.255.255.255   (Host B)
· Configure a NAT entry for inside hosts that initiate connections toward the outside.
    FWSM(config)#nat (inside) 1 0 0
    FWSM(config)#global (outside) 1 206.10.10.100
· Configure access control lists and apply them to the interfaces to restrict what hosts on the outside may reach on the inside.
    FWSM(config)#access-list outside-acl permit tcp any host 206.10.10.25 eq www
    FWSM(config)#access-list outside-acl permit tcp any host 206.10.10.25 eq ftp
    FWSM(config)#access-list outside-acl permit tcp any host 206.10.10.25 eq ftp-data
    FWSM(config)#access-list outside-acl permit icmp any host 206.10.10.25   (this allows outside users to ping)
    FWSM(config)#access-list outside-acl permit tcp any host 206.10.10.26 eq www
    FWSM(config)#access-list outside-acl permit tcp any host 206.10.10.26 eq ftp
    FWSM(config)#access-list outside-acl permit tcp any host 206.10.10.26 eq ftp-data
    FWSM(config)#access-list outside-acl permit icmp any host 206.10.10.26   (this allows outside users to ping)
· Now apply the access list "outside-acl" inbound on the outside interface:
    FWSM(config)#access-group outside-acl in interface outside
2
OUTSIDE—vlan10—FWSM—vlan20—MSFC—vlan30—CORE——HOST. The differences from the example above are:
The FWSM connects to the outside through vlan 10, so the 6500 chassis port g8/1 that faces the outside must belong to vlan 10.
    MSFC(config)#interface gigabit 8/1
    MSFC(config-int)#switchport
    MSFC(config-int)#switchport mode access
    MSFC(config-int)#switchport access vlan 10
    MSFC(config-int)#no shutdown
A static route on the MSFC is sufficient:
    MSFC(config)#ip route 0.0.0.0 0.0.0.0 10.20.20.1
The FWSM uses a static route so that traffic from the outside can reach the inside networks:
    FWSM(config)#route inside 10.0.0.0 255.0.0.0 10.20.20.2

3
                          DMZ
                           |
                         vlan50
                           |
OUTSIDE——MSFC—vlan10—FWSM—vlan20—CORE——HOST
                           |
                         vlan60
                           |
                          DMZ
Compared with example 1, the configuration adds the following:
· Create the DMZ VLANs on the MSFC in global config mode.
    MSFC(config)#vlan 50
    MSFC(config-vlan)#no shutdown
    MSFC(config)#vlan 60
    MSFC(config-vlan)#no shutdown
· Add VLANs 50 and 60 to the firewall VLAN group created in Configuration #1.
    MSFC(config)#firewall vlan-group 1 50,60
The port that the DMZ host connects to must be configured as a switchport so that the FWSM can see it:
    MSFC(config)#interface FastEthernet 7/1
    MSFC(config-int)#switchport
    MSFC(config-int)#switchport mode access
    MSFC(config-int)#switchport access vlan 60
    MSFC(config-int)#no shutdown
· Session to the FWSM as outlined in Configuration #1 and configure the Layer 3 interfaces for the DMZ security levels.
    FWSM(config)#nameif 60 dmz1 60
    FWSM(config)#nameif 50 dmz2 50
    FWSM(config)#ip address dmz1 10.60.60.1 255.255.255.0
    FWSM(config)#ip address dmz2 10.50.50.1 255.255.255.0
· To let users connect to the servers in the DMZs, STATIC and NAT translations have to be established according to the direction of the traffic flow.
    FWSM(config)#nat (dmz1) 2 10.60.60.0 255.255.255.0
    FWSM(config)#global (outside) 2 206.10.10.60
    FWSM(config)#global (dmz2) 2 10.50.50.200
    FWSM(config)#nat (dmz2) 3 10.50.50.0 255.255.255.0
    FWSM(config)#global (outside) 3 206.10.10.50
    FWSM(config)#static (inside,dmz1) 10.60.60.60 10.20.20.25 netmask 255.255.255.255
    FWSM(config)#static (inside,dmz2) 10.50.50.50 10.20.20.25 netmask 255.255.255.255
    FWSM(config)#static (dmz1,dmz2) 10.50.50.50 10.60.60.25 netmask 255.255.255.255
Regarding the ACLs:
    FWSM(config)#access-list web permit tcp any host 206.10.10.125 eq www
    FWSM(config)#access-list web permit tcp any host 206.10.1
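The following is an added example, not code from the original post. It parses the static/nat/global and access-list lines of examples 1 and 3 into a small Python model and answers the questions a reviewer asks of this design: which real host an inbound flow permitted by outside-acl actually reaches (in this syntax the ACL names the translated 206.10.10.x addresses, not the inside 10.20.20.x ones), which global address an inside or DMZ host appears as in each direction, and which permit lines carry no port qualifier at all. The configuration text inside the block is constructed from the page's own commands; the parsing rules, the first-match ACL evaluation with implicit deny, and the static-before-nat/global precedence are the example's model of the pre-8.3 syntax.

```python
"""Checker for FWSM-style (pre-8.3 syntax) static/nat/global and ACL lines.

Added example, not code from the original post. It parses constructed config
lines taken from examples 1 and 3 above and answers two reviewer questions:
inbound, does the ACL on an interface permit a flow to a global address and
which real host does the matching static deliver it to; outbound, which global
address does a real host appear as toward another interface.
"""
import ipaddress
import re
from collections import namedtuple

PORTS = {"www": 80, "ftp": 21, "ftp-data": 20}   # service names used on the page
RE_STATIC = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)")
RE_NAT = re.compile(r"nat \((\S+)\) (\d+) (\S+) (\S+)")
RE_GLOBAL = re.compile(r"global \((\S+)\) (\d+) (\S+)")
RE_ACL = re.compile(r"access-list (\S+) (permit|deny) (\S+) any host (\S+)(?: eq (\S+))?")
RE_GROUP = re.compile(r"access-group (\S+) in interface (\S+)")
# dst is the global (translated) address as written in the ACL; port None = any port
AclEntry = namedtuple("AclEntry", "action proto dst port")


def _net(net, mask):
    """'nat (inside) 1 0 0' abbreviates 0.0.0.0 0.0.0.0, i.e. every inside host."""
    net, mask = ("0.0.0.0" if v == "0" else v for v in (net, mask))
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)


class FwsmConfig:
    def __init__(self, text):
        self.statics = []   # (real_if, mapped_if, mapped_ip, real_ip)
        self.nats = []      # (real_if, nat_id, real network)
        self.globals = {}   # (mapped_if, nat_id) -> global address
        self.acls = {}      # name -> [AclEntry] in configured order
        self.groups = {}    # interface -> ACL applied inbound on it
        for raw in text.splitlines():
            line = re.sub(r"^\S*\(config\)#\s*", "", raw.strip())   # tolerate pasted prompts
            if m := RE_STATIC.match(line):
                self.statics.append((m[1], m[2], m[3], m[4]))
            elif m := RE_NAT.match(line):
                self.nats.append((m[1], int(m[2]), _net(m[3], m[4])))
            elif m := RE_GLOBAL.match(line):
                self.globals[(m[1], int(m[2]))] = m[3]
            elif m := RE_ACL.match(line):
                port = None if m[5] is None else (int(m[5]) if m[5].isdigit() else PORTS[m[5]])
                self.acls.setdefault(m[1], []).append(AclEntry(m[2], m[3], m[4], port))
            elif m := RE_GROUP.match(line):
                self.groups[m[2]] = m[1]

    def inbound(self, iface, proto, dst_ip, port=None):
        """First-match ACL decision for a flow arriving on iface for global address
        dst_ip, plus the real host the static on that interface maps it to. The FWSM,
        unlike the PIX, passes no traffic through an interface that has no ACL."""
        for e in self.acls.get(self.groups.get(iface), []):
            if e.proto == proto and e.dst == dst_ip and e.port in (None, port):
                if e.action == "deny":
                    return "deny", None
                for real_if, mapped_if, mapped_ip, real_ip in self.statics:
                    if mapped_if == iface and mapped_ip == dst_ip:
                        return "permit", real_ip
                return "permit", None   # permitted, but no static: nothing answers there
        return "deny", None             # implicit deny at the end of every ACL

    def outbound(self, src_if, src_ip, dst_if):
        """Global address src_ip appears as toward dst_if: a static for that interface
        pair wins, else the most specific nat on src_if containing src_ip is paired
        with the global on dst_if that carries the same id."""
        for real_if, mapped_if, mapped_ip, real_ip in self.statics:
            if real_if == src_if and mapped_if == dst_if and real_ip == src_ip:
                return mapped_ip
        addr = ipaddress.ip_address(src_ip)
        for real_if, nat_id, network in sorted(self.nats, key=lambda n: -n[2].prefixlen):
            if real_if == src_if and addr in network:
                return self.globals.get((dst_if, nat_id))
        return None

    def unrestricted_permits(self):
        """Permit lines with no port qualifier (such as 'permit icmp any host X'), the
        first candidates to narrow down to the icmp types actually needed."""
        return [(n, e.proto, e.dst) for n, es in self.acls.items()
                for e in es if e.action == "permit" and e.port is None]


# Constructed from examples 1 and 3 on this page; prompts left in on purpose.
SAMPLE = """
FWSM(config)#static (inside,outside) 206.10.10.25 10.20.20.25 netmask 255.255.255.255
FWSM(config)#static (inside,outside) 206.10.10.26 10.20.20.26 netmask 255.255.255.255
FWSM(config)#nat (inside) 1 0 0
FWSM(config)#global (outside) 1 206.10.10.100
FWSM(config)#access-list outside-acl permit tcp any host 206.10.10.25 eq www
FWSM(config)#access-list outside-acl permit icmp any host 206.10.10.25
FWSM(config)#access-list outside-acl permit tcp any host 206.10.10.26 eq www
FWSM(config)#access-group outside-acl in interface outside
FWSM(config)#nat (dmz1) 2 10.60.60.0 255.255.255.0
FWSM(config)#global (outside) 2 206.10.10.60
FWSM(config)#global (dmz2) 2 10.50.50.200
FWSM(config)#static (inside,dmz1) 10.60.60.60 10.20.20.25 netmask 255.255.255.255
"""
CFG = FwsmConfig(SAMPLE)
```

Calling `CFG.inbound("outside", "tcp", "206.10.10.25", 80)` returns `("permit", "10.20.20.25")`, while the same query for port 22 on 206.10.10.26 returns `("deny", None)` because nothing in outside-acl matches and the implicit deny applies. `CFG.outbound("inside", "10.20.20.25", "outside")` returns the static address 206.10.10.25 rather than the pool address 206.10.10.100, and a dmz2 host asked about the outside direction returns `None`, which is exactly how a forgotten nat/global pair shows up in review. `unrestricted_permits()` flags the icmp line, the one entry that permits every ICMP type toward the host.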

© 1997-2018 NetEase, Inc. All rights reserved.