B-7
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Appendix B Sample Configurations
Routed Mode Examples
global (outside) 1 209.165.201.9 netmask 255.255.255.255 [The dept1 and dept2 networks use PAT when accessing the outside.]
static (dmz,outside) 209.165.201.5 192.168.2.2 netmask 255.255.255.255 [The syslog server needs a static translation so the outside management host can access the server.]
access-list DEPTS extended permit ip any any
access-group DEPTS in interface dept1
access-group DEPTS in interface dept2 [Allows all dept1 and dept2 hosts to access the outside for any IP traffic.]
access-list MANAGE extended permit tcp host 209.165.200.225 host 209.165.201.5 eq telnet
access-group MANAGE in interface outside [This ACL allows the management host to access the syslog server.]
rip dept2 default version 2 authentication md5 scorpius 1 [Advertises the FWSM IP address as the default gateway for the downstream router. The FWSM does not advertise a default route to the MSFC.]
rip dept2 passive version 2 authentication md5 scorpius 1 [Listens for RIP updates from the downstream router. The FWSM does not listen for RIP updates from the MSFC because a default route to the MSFC is all that is required.]
isakmp policy 1 authentication pre-share [The client uses a pre-shared key to connect to the FWSM over IPSec. The key is the password in the username command below.]
isakmp policy 1 encryption 3des
isakmp policy 1 group 2
isakmp policy 1 hash sha
isakmp enable outside
crypto ipsec transform-set vpn_client esp-3des esp-sha-hmac
username admin password passw0rd
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
crypto dynamic-map vpn_client 1 set transform-set vpn
crypto map telnet_tunnel 1 ipsec-isakmp dynamic vpn_client
crypto map telnet_tunnel interface outside
crypto map telnet_tunnel client authentication LOCAL
ip local pool client_pool 10.1.1.2
access-list VPN_SPLIT extended permit ip host 209.165.201.3 host 10.1.1.2
vpngroup admin address-pool client_pool
vpngroup admin split-tunnel VPN_SPLIT
vpngroup admin password $ecure23
telnet 10.1.1.2 255.255.255.255 outside
telnet timeout 30
logging trap 5
logging host dmz 192.168.2.2 [System messages are sent to the syslog server on the DMZ network.]
logging on
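The routed-mode sample above combines NAT, interface ACLs, RIP authentication, IPsec and remote-management settings. The following Python script is an added example, not part of the Cisco guide: a small auditor that parses a PIX/FWSM-style configuration excerpt, resolves static translations, checks that an ACE applied on the outside interface names a translated (global) address that a static actually provides, and reports settings a reviewer would question (an interface ACL permitting all IP traffic, Telnet management, DES/3DES and DH group 1/2 in IKE and IPsec, RIPv2 without MD5 authentication, and missing syslog). The embedded configuration is a constructed copy of this page's sample with the callout annotations removed; the audit rules and severity labels are the editor's assumptions, not Cisco guidance.

```python
"""Added example: audit a PIX/FWSM-style configuration excerpt for weak settings.

Not Cisco code. The rules below are the editor's assumptions; the sample
configuration is a constructed copy of the routed-mode example on this page.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the routed-mode excerpt with callout annotations removed.
SAMPLE_CONFIG = """\
global (outside) 1 209.165.201.9 netmask 255.255.255.255
static (dmz,outside) 209.165.201.5 192.168.2.2 netmask 255.255.255.255
access-list DEPTS extended permit ip any any
access-group DEPTS in interface dept1
access-group DEPTS in interface dept2
access-list MANAGE extended permit tcp host 209.165.200.225 host 209.165.201.5 eq telnet
access-group MANAGE in interface outside
rip dept2 default version 2 authentication md5 scorpius 1
rip dept2 passive version 2 authentication md5 scorpius 1
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 group 2
isakmp policy 1 hash sha
isakmp enable outside
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
telnet 10.1.1.2 255.255.255.255 outside
telnet timeout 30
logging trap 5
logging host dmz 192.168.2.2
logging on
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low" (editor's labels)
    line: str       # the configuration line, or "(missing)", the finding refers to
    message: str


def parse_statics(lines):
    """Return {global_ip: (inside_ip, (inside_if, outside_if))} from 'static (a,b) G L ...' lines."""
    statics = {}
    for ln in lines:
        m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", ln)
        if m:
            statics[m.group(3)] = (m.group(4), (m.group(1), m.group(2)))
    return statics


def parse_acls(lines):
    """Return {acl_name: [ace, ...]}; each ACE is the text after the name (and 'extended')."""
    acls = {}
    for ln in lines:
        m = re.match(r"access-list (\S+) (?:extended )?(.*)", ln)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
    return acls


def parse_access_groups(lines):
    """Return {interface: acl_name} for ACLs applied inbound on an interface."""
    groups = {}
    for ln in lines:
        m = re.match(r"access-group (\S+) in interface (\S+)", ln)
        if m:
            groups[m.group(2)] = m.group(1)
    return groups


def audit(config_text):
    """Return a list of Findings for weak or noteworthy settings in config_text."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    statics = parse_statics(lines)
    acls = parse_acls(lines)
    groups = parse_access_groups(lines)
    findings = []

    for iface, acl in groups.items():
        for ace in acls.get(acl, []):
            ref = f"access-list {acl} {ace}"
            if ace == "permit ip any any":
                findings.append(Finding("medium", ref,
                    f"ACL {acl} on {iface} permits all IP traffic; restrict it to the services needed"))
            # On this platform an ACL on the outside interface names the translated (global)
            # address; a 'host X' destination with no static translation cannot reach an inside host.
            if iface == "outside":
                hosts = re.findall(r"host (\S+)", ace)
                if len(hosts) == 2 and hosts[1] not in statics:
                    findings.append(Finding("low", ref,
                        f"destination {hosts[1]} has no static translation; check the static and ACL agree"))
            if " eq telnet" in ace:
                findings.append(Finding("medium", ref, "ACE permits Telnet through the firewall; Telnet is cleartext"))

    for ln in lines:
        if re.match(r"telnet \S+ \S+ \S+$", ln):          # 'telnet <ip> <mask> <if>', not 'telnet timeout'
            findings.append(Finding("high", ln, "Telnet management access is cleartext; prefer SSH"))
        if re.match(r"isakmp policy \d+ encryption (des|3des)$", ln):
            findings.append(Finding("medium", ln, "IKE policy uses DES/3DES; prefer AES"))
        if re.match(r"isakmp policy \d+ group [12]$", ln):
            findings.append(Finding("medium", ln, "IKE DH group 1/2 is weak; prefer group 14 or higher"))
        if re.match(r"crypto ipsec transform-set \S+ esp-(des|3des)\b", ln):
            findings.append(Finding("medium", ln, "IPsec transform uses DES/3DES; prefer AES"))
        if re.match(r"rip \S+ (default|passive) version 2$", ln):   # no 'authentication md5 ...' suffix
            findings.append(Finding("medium", ln, "RIPv2 without MD5 authentication accepts spoofed updates"))

    if "logging on" not in lines:
        findings.append(Finding("low", "(missing)", "syslog is not enabled; add 'logging on' and a logging host"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.line}: {f.message}")
```

Run against the page's sample, the auditor reports the permit-any ACL on both department interfaces, the Telnet ACE and Telnet management line, and the 3DES and group 2 choices, while the MANAGE ACE passes the translation check because the static for 209.165.201.5 exists and both RIP lines pass because they carry MD5 authentication.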
Example 2: Switch Configuration
The following lines in the switch configuration relate to the FWSM:
Catalyst OS on the supervisor:
set vlan 3-5,9,10 firewall-vlan 8
Cisco IOS software on the MSFC:
interface vlan 3
ip address 209.165.201.1 255.255.255.224
no shut
...