Example 1: Switch Configuration; Example 2: Single Mode Using Same Security Level - Cisco Catalyst 6500 Series Configuration Manual

Appendix B
Sample Configurations
filter url http 10.1.4.0 255.255.255.0 0 0
  [ When inside users access an HTTP server, the FWSM consults with a Websense server to determine if the traffic is allowed ]
nat (inside) 1 10.1.4.0 255.255.255.0
global (outside) 1 209.165.201.9 netmask 255.255.255.255
  [ This context uses dynamic NAT for inside users that access the outside ]
static (dmz,outside) 209.165.201.6 192.168.2.2 netmask 255.255.255.255
  [ A host on the admin context requires access to the Websense server for management using pcAnywhere, so the Websense server requires a static translation ]
access-list INTERNET extended permit ip any any
access-group INTERNET in interface inside
  [ Allows all inside hosts to access the outside for any IP traffic. Because there is no NAT from inside to dmz, you do not have to deny traffic from accessing the dmz. ]
access-list MANAGE extended permit tcp host 209.165.201.30 host 209.165.201.6 eq pcanywhere-data
access-list MANAGE extended permit udp host 209.165.201.30 host 209.165.201.6 eq pcanywhere-status
access-group MANAGE in interface outside
  [ This ACL allows the management host to use pcAnywhere on the Websense server ]
access-list WEBSENSE extended permit tcp host 192.168.2.2 any eq http
  [ The Websense server needs to access the Websense updater server on the outside ]
access-group WEBSENSE in interface dmz
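The following script is an added example, not part of the Cisco guide, that models what the context above actually lets through: each ingress ACL with its implicit deny, the static translation that exposes the Websense server to the management host, and the nat-control rule that blocks inside-to-dmz traffic because no translation exists for it. The interface subnets (209.165.201.0/27, 10.1.4.0/24, 192.168.2.0/24) are assumptions inferred from the addresses in the sample, and the port numbers are the values the FWSM name table uses for http, pcanywhere-data and pcanywhere-status.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not Cisco's code): a small model of the sample context above.
# Interface subnets are assumptions inferred from the addresses in the sample;
# the management host 209.165.201.30 and Websense server 192.168.2.2 come from it.
INTERFACES = {
    "outside": ipaddress.ip_network("209.165.201.0/27"),
    "inside": ipaddress.ip_network("10.1.4.0/24"),
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
}


@dataclass(frozen=True)
class Ace:
    proto: str            # "ip", "tcp" or "udp"
    src: str              # "any" or a host address
    dst: str              # "any" or a host address
    dport: Optional[int]  # None matches any destination port


# The access-list / access-group lines from the sample, keyed by the interface the
# group is applied to. Port names resolved as the FWSM does: http 80,
# pcanywhere-data 5631, pcanywhere-status 5632.
ACLS = {
    "inside": [Ace("ip", "any", "any", None)],                          # INTERNET
    "outside": [Ace("tcp", "209.165.201.30", "209.165.201.6", 5631),    # MANAGE
                Ace("udp", "209.165.201.30", "209.165.201.6", 5632)],
    "dmz": [Ace("tcp", "192.168.2.2", "any", 80)],                      # WEBSENSE
}

# static (dmz,outside) 209.165.201.6 192.168.2.2  ->  (real_if, mapped_if, mapped, real)
STATICS = [("dmz", "outside", "209.165.201.6", "192.168.2.2")]
# nat (inside) 1 10.1.4.0/24 with global (outside) 1  ->  (real_if, real_net, mapped_if)
DYNAMIC_NAT = [("inside", ipaddress.ip_network("10.1.4.0/24"), "outside")]


def ace_matches(ace, src, dst, proto, dport):
    """Single ACE test; the ACL as a whole ends in an implicit deny."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.src != "any" and ace.src != src:
        return False
    if ace.dst != "any" and ace.dst != dst:
        return False
    return ace.dport is None or ace.dport == dport


def egress_for(dst):
    """Connected-route lookup; anything else follows the default route out the outside."""
    for name, net in INTERFACES.items():
        if ipaddress.ip_address(dst) in net:
            return name
    return "outside"


def forward(ingress, src, dst, proto, dport=None):
    """Return (verdict, reason, real_dst) for a packet arriving on `ingress`."""
    # 1. Unlike a PIX, the FWSM forwards nothing the ingress ACL does not permit,
    #    even from a higher to a lower security level.
    if not any(ace_matches(a, src, dst, proto, dport) for a in ACLS.get(ingress, [])):
        return ("deny", f"no ACE on {ingress} permits it", dst)

    # 2. Inbound packets to a mapped address are untranslated through the static,
    #    which also fixes the egress interface and supplies the translation.
    real_dst, egress, xlate = dst, egress_for(dst), False
    for real_if, mapped_if, mapped, real in STATICS:
        if ingress == mapped_if and dst == mapped:
            real_dst, egress, xlate = real, real_if, True

    # 3. NAT control: outbound traffic needs a static or dynamic translation for
    #    the source between these two interfaces; none exists from inside to dmz.
    xlate = xlate or any(rif == ingress and mif == egress and src == real
                         for rif, mif, _, real in STATICS)
    xlate = xlate or any(rif == ingress and mif == egress and ipaddress.ip_address(src) in net
                         for rif, net, mif in DYNAMIC_NAT)
    if not xlate:
        return ("deny", f"no translation from {ingress} to {egress} (nat control)", real_dst)
    return ("permit", f"{ingress} -> {egress}", real_dst)


if __name__ == "__main__":
    # Constructed packets: 209.165.200.225 stands in for a host on the Internet.
    for pkt in [("outside", "209.165.201.30", "209.165.201.6", "tcp", 5631),
                ("outside", "209.165.201.31", "209.165.201.6", "tcp", 5631),
                ("inside", "10.1.4.10", "192.168.2.2", "tcp", 80),
                ("inside", "10.1.4.10", "209.165.200.225", "tcp", 80),
                ("dmz", "192.168.2.2", "209.165.200.225", "tcp", 80)]:
        print(pkt, "->", forward(*pkt))
```

Running it shows the two properties the callouts describe: only the management host, and only on the two pcAnywhere ports, reaches the Websense server through the static, and inside hosts cannot reach the dmz even though INTERNET permits any traffic, because nat control finds no inside-to-dmz translation.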

Example 1: Switch Configuration

The following lines in the Cisco IOS switch configuration relate to the FWSM:
...
firewall module 8 vlan-group 1
firewall vlan-group 1 3-8
interface vlan 3
  ip address 209.165.201.1 255.255.255.224
  no shut
...

Example 2: Single Mode Using Same Security Level

This configuration creates three internal interfaces. Two of the interfaces connect to departments that are on the same security level, which allows all hosts to communicate without using NAT. The DMZ interface hosts a Syslog server. The management host on the outside needs access to the Syslog server and the FWSM. To connect to the FWSM, the host uses a VPN connection. The FWSM uses RIP on the inside interfaces to learn routes. Because the FWSM does not advertise routes with RIP, the MSFC needs to use static routes for FWSM traffic (see Figure B-2). The Department networks are allowed to access the Internet, and use PAT.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01
Routed Mode Examples, page B-5
