
Cisco FWSM Multiple Virtual Firewall Deployment Summary v1 - by gridguo

Source: 华拓网


Cisco FWSM Multiple Virtual Firewalls

Practical Deployment Summary Document

V1.0

Author: gridguo

Mail: gridguo@163.com

February 2007

Contents

1 Overall Planning
  1.1 Network Topology
  1.2 Network Plan
2 Configuration Details
  2.1 FWSM Initial Configuration
    2.1.1 Show the FWSM module status
    2.1.2 Log in to the FWSM
    2.1.3 License activation
    2.1.4 Mode switching
  2.2 7609 Configuration
    2.2.1 Create VLANs
    2.2.2 Add VLANs to the FWSM
  2.3 FWSM Basic Configuration
    2.3.1 Create contexts
    2.3.2 Configure a context
  2.4 FWSM Advanced Configuration
    2.4.1 VFW configuration behind port channels
    2.4.2 Appendix: a complete context configuration
    2.4.3 FWSM resource allocation
3 Summary

1 Overall Planning

1.1 Network Topology

A large network with more than ten subordinate units; the data center is at headquarters and the total number of access users exceeds 50,000. The network core is a single Cisco 7609 router (with built-in FWSM and IDSM modules; the firewall module has 20 purchased context licenses) connecting the subordinate units. The server zone uses an H3C 8512 switch attached to the 7609 by a port channel. The Internet edge uses an NE40 router, and the NE40 and 7609 are also connected by a port channel. All three devices run OSPF in Area 0.

Requirement: deploy virtual firewalls in transparent mode between the core and the subordinate units, the server zone, and the Internet edge.

1.2 Network Plan

VFW name | outside VLAN | inside VLAN | interconnect subnet | 7609 IP      | VFW management IP | subordinate unit IP
-------- | ------------ | ----------- | ------------------- | ------------ | ----------------- | -------------------
admin    | 112          | 12          | 172.16.0.0/29       | 172.16.0.1   | 172.16.0.2        | 172.16.0.3
ne40     | 10           | 110         | 172.16.0.16/29      | 172.16.0.17  | 172.16.0.18       | 172.16.0.19
contexta | 181          | 81          | 172.16.0.32/29      | 172.16.0.33  | 172.16.0.34       | 172.16.0.35
contextb | 182          | 82          | 172.16.0.48/29      | 172.16.0.49  | 172.16.0.50       | 172.16.0.51
contextc | 183          | 83          | 172.16.0.64/29      | 172.16.0.65  | 172.16.0.66       | 172.16.0.67
contextd | 184          | 84          | 172.16.0.80/29      | 172.16.0.81  | 172.16.0.82       | 172.16.0.83
contexte | 185          | 85          | 172.16.0.96/29      | 172.16.0.97  | 172.16.0.98       | 172.16.0.99
contextf | 186          | 86          | 172.16.0.112/29     | 172.16.0.113 | 172.16.0.114      | 172.16.0.115
contextg | 187          | 87          | 172.16.0.128/29     | 172.16.0.129 | 172.16.0.116      | 172.16.0.131
contexth | 188          | 88          | 172.16.0.144/29     | 172.16.0.145 | 172.16.0.146      | 172.16.0.147
contexti | 189          | 89          | 172.16.0.160/29     | 172.16.0.161 | 172.16.0.162      | 172.16.0.163
contextj | 190          | 90          | 172.16.0.176/29     | 172.16.0.177 | 172.16.0.178      | 172.16.0.179

2 Configuration Details

2.1 FWSM Initial Configuration

2.1.1 Show the FWSM module status

cisco7609#sh module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1   24  CEF720 24 port 1000mb SFP              WS-X6724-SFP       SAL10360***
  3    6  Firewall Module                        WS-SVC-FWM-1       SAD1045***
  4    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD1036****
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3B       SAL1034****
  6    2  Supervisor Engine 720 (Hot)            WS-SUP720-3B       SAL1035****
  9   48  48-port 10/100/1000 RJ45 EtherModule   WS-X6148A-GE-TX    SAL103****

Mod MAC addresses                       Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1  0019.069d.c8f4 to 0019.069d.c90b   2.4   12.2(14r)S5  12.2(18)SXF7 Ok
  3  0019.aacc.4940 to 0019.aacc.4947   4.0   7.2(1)       3.1(3)       Ok
  4  0018.ba41.2402 to 0018.ba41.2409   6.2   7.2(1)       5.0(2)       Ok
  5  0017.9441.aec8 to 0017.9441.aecb   5.2   8.4(2)       12.2(18)SXF7 Ok
  6  0014.a982.493c to 0014.a982.493f   5.2   8.4(2)       12.2(18)SXF7 Ok
  9  0019.5610.8210 to 0019.5610.823f   1.5   8.4(1)       8.5(0.46)RFW Ok

Mod  Sub-Module                  Model              Serial       Hw     Status
---- --------------------------- ------------------ ------------ ------ -------
  1  Distributed Forwarding Card WS-F6700-DFC3B     SAL10360***  4.4    Ok
  4  IDS 2 accelerator board     WS-SVC-IDSUPG      ADBG626***   2.5    Ok
  5  Policy Feature Card 3       WS-F6K-PFC3B       SAL1035Z***  2.3    Ok
  5  MSFC3 Daughterboard         WS-SUP720          SAL1035***   2.5    Ok
  6  Policy Feature Card 3       WS-F6K-PFC3B       SAL1035ZQ*** 2.3    Ok
  6  MSFC3 Daughterboard         WS-SUP720          SAL1035ZM*** 2.5    Ok

Mod  Online Diag Status
---- -------------------
  1  Pass
  3  Pass
  4  Pass
  5  Pass
  6  Pass
  9  Pass
cisco7609#

2.1.2 Log in to the FWSM

cisco7609#session slot 3 p 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.31 ... Open

User Access Verification

Password:
Type help or '?' for a list of available commands.
FWSM> en
Password: *************
FWSM#

2.1.3 License activation

The license is in fact an activation key. To obtain one you need the Product Authorization Key (PAK); register it on the Cisco website, and the activation key is normally sent to your mailbox.

! Go to the Cisco website http://www.cisco.com/go/license
! Request the key with your Product Authorization Key
! Activate it with the activation-key command
hostname(config)# activation-key 0xe02888da 0x4ba7bed6 0xf1c123ae 0xffd8624e

! After activation, check the result with show version, for example:
FWSM# sh ver

FWSM Firewall Version 3.1(3)
Device Manager Version 5.0(1)F

Compiled on Thu 06-Jul-06 12:44 by dalecki

FWSM up 19 days 1 hour

Hardware:   WS-SVC-FWM-1, 1024 MB RAM, CPU Pentium III 1000 MHz
Flash STI Flash 7.2.0 @ 0xc321, 20MB

 0: Int: Not licensed        : irq 5
 1: Int: Not licensed        : irq 7
 2: Int: Not licensed        : irq 11

Licensed features for this platform:
Maximum Interfaces    : 1000
Inside Hosts          : Unlimited
Failover              : Active/Active
VPN-DES               : Enabled
VPN-3DES-AES          : Enabled
Cut-through Proxy     : Enabled
Guards                : Enabled
URL Filtering         : Enabled
Security Contexts     : 20
GTP/GPRS              : Disabled
VPN Peers             : Unlimited

Serial Number: SAD10*********
Running Activation Key: 0x1b45f8b5 0x0d9733b0 XXXXXXX XXXXXXXX
Configuration has not been modified since last system restart.
FWSM#

2.1.4 Mode switching

The FWSM has two context modes: single context mode, in which the FWSM is one physical firewall, and multiple context mode, in which the FWSM is virtualized into several firewalls. The current mode can be checked with the show mode command.

! Switch to multiple context mode; the FWSM prompts you to reboot
FWSM(config)# mode multiple

! Verify after the reboot:
FWSM# sh mode
Security context mode: multiple
The flash mode is the SAME as the running mode.

2.2 7609 Configuration

2.2.1 Create VLANs

cisco7609(config)#vlan 110
cisco7609(config-vlan)#name inside_ne40
cisco7609(config)#interface Port-channel1
cisco7609(config-if)#switchport access vlan 110
cisco7609(config)#vlan 12
cisco7609(config-vlan)#name inside_8512
cisco7609(config)#interface Port-channel2
cisco7609(config-if)#switchport access vlan 12
cisco7609(config)#vlan 81
cisco7609(config-vlan)#name inside_contexta
cisco7609(config)#interface gi1/10
cisco7609(config-if)#switchport
cisco7609(config-if)#switchport access vlan 81

(others omitted)

cisco7609(config)#interface vlan 10
cisco7609(config-if)#description outside_ne40
cisco7609(config-if)#ip address 172.16.0.17 255.255.255.248
cisco7609(config-if)#no shutdown

cisco7609(config)#interface vlan 112
cisco7609(config-if)#description outside_8512
cisco7609(config-if)#ip address 172.16.0.1 255.255.255.248
cisco7609(config-if)#no shutdown

cisco7609(config)#interface vlan 181
cisco7609(config-if)#description outside_contexta
cisco7609(config-if)#ip address 172.16.0.33 255.255.255.248
cisco7609(config-if)#no shutdown

(others omitted)

Check with sh vlan (note the firewall VLAN entries, shown in red in the original):

cisco7609#sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/5, Gi4/3, Gi4/4, Gi4/5
10   outside_ne40                     active
12   inside_8512                      active    Po2
80   inside_contexta                  active    Gi9/1
81   inside_contextb                  active    Gi1/13
82   inside_contextc                  active    Gi9/3
83   inside_contextd                  active    Gi1/10
84   inside_contexte                  active    Gi9/5
85   inside_contextf                  active    Gi9/6
86   inside_contextg                  active
87   inside_contexth                  active    Gi1/9
88   inside_contexti                  active    Gi1/8, Gi9/8
89   inside_contextj                  active    Gi1/12
90   inside_contextk                  active    Gi1/7

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
110  inside-Ne40                      active    Po1
112  outside_8512                     active
180  VLAN0180                         active
181  VLAN0181                         active
182  VLAN0182                         active
183  VLAN0183                         active
184  VLAN0184                         active
185  VLAN0185                         active
186  VLAN0186                         active    Gi1/11
187  VLAN0187                         active
188  VLAN0188                         active
189  VLAN0189                         active
190  VLAN0190                         active
191  VLAN0191                         active
192  VLAN0192                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

2.2.2 Add VLANs to the FWSM

cisco7609(config)#firewall multiple-vlan-interfaces
cisco7609(config)#firewall module 3 vlan-group 1,2
cisco7609(config)#firewall vlan-group 1 10,12,110,112
cisco7609(config)#firewall vlan-group 2 80-92,180-192

Here the VLANs were split into two groups: putting them all into one group produced a message that the maximum number of VLANs was exceeded, and I could not find any documentation stating how many VLANs a single group can hold.

2.3 FWSM Basic Configuration

2.3.1 Create contexts

! To configure multiple contexts, the admin context must be created first, then the others.
FWSM(config)# admin-context admin
FWSM(config)# context admin
FWSM(config-ctx)# allocate-interface vlan12
FWSM(config-ctx)# allocate-interface vlan112
FWSM(config-ctx)# config-url disk:/admin.cfg
FWSM(config-ctx)# context ne40
FWSM(config-ctx)# allocate-interface vlan10
FWSM(config-ctx)# allocate-interface vlan110
FWSM(config-ctx)# config-url disk:/ne40.cfg
FWSM(config-ctx)# context contexta
FWSM(config-ctx)# allocate-interface vlan81
FWSM(config-ctx)# allocate-interface vlan181
FWSM(config-ctx)# config-url disk:/contexta.cfg
FWSM(config-ctx)# context contextb
FWSM(config-ctx)# allocate-interface vlan82
FWSM(config-ctx)# allocate-interface vlan182
FWSM(config-ctx)# config-url disk:/contextb.cfg
......
FWSM(config-ctx)# context contextj
FWSM(config-ctx)# allocate-interface vlan90
FWSM(config-ctx)# allocate-interface vlan190
FWSM(config-ctx)# config-url disk:/contextj.cfg
FWSM(config-ctx)# write memory

2.3.2 Configure a context

! Use changeto context <name> to switch directly into a context; contexta is used as the example below
FWSM#changeto context contexta

! Set the virtual firewall to transparent mode
FWSM/contexta#conf t
FWSM/contexta(config)# firewall transparent

! Define the interfaces
FWSM/contexta(config)#int vlan 81
FWSM/contexta(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
FWSM/contexta(config-if)#int vlan 181
FWSM/contexta(config-if)#nameif outside
INFO: Security level for "outside" set to 0 by default.

! Create the bridge group and give it the (management) IP address
FWSM/contexta(config)# inter BVI 1
FWSM/contexta(config-if)# ip address 172.30.0.130 255.255.255.248
FWSM/contexta(config-if)# exit

! Add the route
FWSM/contexta(config)#route outside 0 0 172.16.0.33

! Permit ICMP. By default the FWSM does not allow ICMP packets through any interface. This is easy to overlook when debugging the FWSM for the first time, and it gave me some grief!
FWSM/contexta(config)#icmp permit any outside
FWSM/contexta(config)#icmp permit any inside

! Enable HTTP login so that ASDM can be used
FWSM/contexta(config)#http server enable
FWSM/contexta(config)#http 10.10.1.0 255.255.255.0 outside
FWSM/contexta(config)#http 10.110.1.225 255.255.255.255 inside
FWSM/contexta(config)#username admin password ******

! Allow telnet login
FWSM/contexta(config)#telnet 10.110.1.255 255.255.255.255 inside

! Allow SSH login
FWSM/contexta(config)#crypto key generate rsa modulus 1024
FWSM/contexta(config)# write mem
FWSM/contexta(config)# ssh 10.10.1.0 255.255.255.0 outside
FWSM/contexta(config)# ssh timeout 30

! Create the ACLs. By default the FWSM does not permit access from a higher-security interface to a lower-security network unless an ACL explicitly allows it; note in particular that traffic in the high-to-low security direction also needs an ACL.
access-list INTERNET remark -Allows all inside hosts to access the outside
access-list INTERNET extended permit ip any any
access-list INTERNET extended permit tcp any any
access-list INTERNET extended permit udp any any
access-list RETURN remark -Allows OSPF back
access-list RETURN extended permit ospf any any
access-list RETURN remark -Allows OSPF back
access-list RETURN extended permit ip any any
access-list RETURN extended permit tcp any any
access-list RETURN extended permit udp any any

! Then apply the ACLs to the interfaces
FWSM/contexta(config)#access-group RETURN in interface outside
FWSM/contexta(config)#access-group INTERNET in interface inside

! Finally, save the configuration
FWSM/contexta(config)#wr
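Sections 2.3.1 and 2.3.2 repeat the same context-definition and transparent-mode steps for each of the twelve contexts in the plan. The following script is an added example, not part of the original document: it takes rows of the section 1.2 plan table (constructed inline, first four rows only), checks each row against the interconnect /29 and the 7609 firewall vlan-group ranges from section 2.2.2, and emits the corresponding context definition and per-context configuration. Function and variable names are the example's own.

```python
import ipaddress

# Constructed from the plan table in section 1.2 (first four rows):
# name, outside VLAN, inside VLAN, interconnect subnet, 7609 IP, VFW management IP
PLAN = [
    ("admin",    112, 12,  "172.16.0.0/29",  "172.16.0.1",  "172.16.0.2"),
    ("ne40",     10,  110, "172.16.0.16/29", "172.16.0.17", "172.16.0.18"),
    ("contexta", 181, 81,  "172.16.0.32/29", "172.16.0.33", "172.16.0.34"),
    ("contextb", 182, 82,  "172.16.0.48/29", "172.16.0.49", "172.16.0.50"),
]

# VLANs the 7609 hands to the FWSM (section 2.2.2): 10,12,110,112 and 80-92,180-192.
FWSM_VLANS = {10, 12, 110, 112} | set(range(80, 93)) | set(range(180, 193))


def check_plan(name, out_vlan, in_vlan, subnet, gw, mgmt):
    """Return the list of problems found in one plan row (empty means consistent)."""
    net = ipaddress.ip_network(subnet)
    problems = []
    # In transparent mode the BVI address and the 7609 SVI share the interconnect /29.
    for label, ip in (("7609 IP", gw), ("VFW management IP", mgmt)):
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"{name}: {label} {ip} is outside {subnet}")
    # A VLAN missing from every firewall vlan-group never reaches the module.
    for vlan in (out_vlan, in_vlan):
        if vlan not in FWSM_VLANS:
            problems.append(f"{name}: VLAN {vlan} is not in any firewall vlan-group")
    return problems

def context_definition(name, out_vlan, in_vlan):
    """System-context block as entered in section 2.3.1."""
    return "\n".join([f"context {name}",
                      f" allocate-interface vlan{in_vlan}",
                      f" allocate-interface vlan{out_vlan}",
                      f" config-url disk:/{name}.cfg"])

def context_config(name, out_vlan, in_vlan, subnet, gw, mgmt):
    """Per-context transparent-mode configuration as in section 2.3.2 (ACLs omitted)."""
    mask = ipaddress.ip_network(subnet).netmask
    return "\n".join([
        "firewall transparent",
        f"interface Vlan{in_vlan}", " nameif inside", " bridge-group 1", " security-level 100",
        f"interface Vlan{out_vlan}", " nameif outside", " bridge-group 1", " security-level 0",
        "interface BVI1", f" ip address {mgmt} {mask}",
        f"route outside 0.0.0.0 0.0.0.0 {gw} 1",
        "icmp permit any outside", "icmp permit any inside",
    ])

if __name__ == "__main__":
    for row in PLAN:
        print("\n".join(check_plan(*row)) or f"! {row[0]}: plan row is consistent")
        print(context_definition(*row[:3]))
        print(context_config(*row), end="\n\n")
```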

2.4 FWSM Advanced Configuration

2.4.1 VFW configuration behind port channels

This covers the context configuration where the 7609 router is connected to the H3C 8512 switch and to the NE40 router by two-port port channels. At first, once everything was configured, the VLAN line protocol kept going down, so naturally the OSPF neighbors were never learned. I opened a case with TAC; TAC reproduced the setup on Cisco equipment and reported no problem, so the issue may have been with forming a channel against the H3C equipment. After repeated testing on my side it came up correctly. The configuration is attached below; the detailed process is not described.

! Cisco 7609 configuration
!
interface Port-channel1
 description connect_Ne40
 switchport
 switchport access vlan 110
 no ip address
 speed nonegotiate
!
interface Port-channel2
 description connect_8512
 switchport
 switchport access vlan 12
 no ip address
 speed nonegotiate
!
interface GigabitEthernet1/1
 description connect_to_NE40
 switchport
 switchport access vlan 110
 no ip address
 speed nonegotiate
 channel-group 1 mode on
!
interface GigabitEthernet1/2
 description connect_to_NE40
 switchport
 switchport access vlan 110
 no ip address
 speed nonegotiate
 channel-group 1 mode on
!
interface GigabitEthernet1/3
 switchport
 switchport access vlan 12
 no ip address
 speed nonegotiate
 channel-group 2 mode on
!
interface GigabitEthernet1/4
 switchport
 switchport access vlan 12
 no ip address
 speed nonegotiate
 channel-group 2 mode on
!
……
interface Vlan10
 ip address 172.16.0.17 255.255.255.248
 ip ospf priority 200
!
……
interface Vlan112
 description connect_to_s8512
 ip address 172.16.0.1 255.255.255.248
!

!! H3C 8512 configuration
interface GigabitEthernet1/1/1
 speed 1000
 duplex full
 port access vlan 11
 port link-aggregation group 1
#
interface GigabitEthernet1/1/2
 speed 1000
 duplex full
 port access vlan 11
 port link-aggregation group 1
#
....
#
interface Vlan-interface11
 ip address 172.16.0.3 255.255.255.248
 ospf dr-priority 100
#
#

!! H3C NE40 configuration
interface Eth-Trunk1
 undo shutdown
 ip address 172.16.0.19 255.255.255.248
 ospf dr-priority 0
#
....
#
interface GigabitEthernet3/0/2
 undo negotiation auto
 undo shutdown
 eth-trunk 1
 access-group router eacl 100
#
interface GigabitEthernet3/0/3
 undo negotiation auto
 undo shutdown
 eth-trunk 1
 access-group router eacl 100
#

2.4.2 Appendix: a complete context configuration

FWSM/admin# sh run
: Saved
:
FWSM Version 3.1(3)
!
firewall transparent
hostname S8512
domain-name cisco.com
enable password Y.ZJX0bOc0zkgMJ4 encrypted
names
!
interface Vlan112
 nameif outside
 bridge-group 1
 security-level 0
!
interface Vlan12
 nameif inside
 bridge-group 1
 security-level 100
!
interface BVI1
 ip address 172.16.0.2 255.255.255.248
!
passwd lMrn707tQFaztT** encrypted
access-list INTERNET remark -Allows all inside hosts to access the outside
access-list INTERNET extended permit ip any any
access-list INTERNET extended permit tcp any any
access-list INTERNET extended permit udp any any
access-list RETURN remark -Allows OSPF back
access-list RETURN extended permit ospf any any
access-list RETURN remark -Allows OSPF back
access-list RETURN extended permit ip any any
access-list RETURN extended permit tcp any any
access-list RETURN extended permit udp any any
pager lines 24
logging enable
logging emblem
logging monitor informational
logging host outside 10.10.1.247 format emblem
mtu outside 1500
mtu inside 1500
icmp permit any outside
icmp permit any inside
asdm history enable
arp timeout 14400
access-group RETURN in interface outside
access-group INTERNET in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password 1Y8WXb8aLdnf5**I encrypted
aaa authentication ssh console LOCAL
http server enable
http 10.10.1.0 255.255.255.0 outside
http 10.110.1.225 255.255.255.255 inside
snmp-server location networkcenter
no snmp-server contact
snmp-server community admin23
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.110.1.255 255.255.255.255 inside
telnet timeout 30
ssh 10.10.1.0 255.255.255.0 outside
ssh timeout 30
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect http
  inspect pptp
!
service-policy global_policy global
Cryptochecksum:5f02de4f997ff146cbcb3ca1f87a56c8
: end
FWSM/admin#

2.4.3 FWSM resource allocation

! Resource names and limits

Resource allocation: by default all contexts share the FWSM's resources, that is, each context may consume system resources without limit; allocation can be restricted through configuration. If one context under attack exhausts all system resources, the other contexts will no longer work properly. When configuring resource management, first observe the resource utilization of the whole FWSM, then define the corresponding policy. For a deployment with many contexts, an overall assessment and test is very important.

FWSM(config)# class default
FWSM(config-class)# limit-resource conns 10%
FWSM(config)# class gold
FWSM(config-class)# limit-resource all 5%
FWSM(config-class)# limit-resource fixups 10%
FWSM(config)# class silver
FWSM(config-class)# limit-resource all 3%
FWSM(config-class)# limit-resource rate syslogs 500
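The "overall assessment" the paragraph calls for can be done on paper before touching the FWSM: add up the percentage limits of every context per resource and see whether they exceed 100% of the module, or whether some resource is left unlimited for any context. The script below is an added example, not from the original document. It models the three classes above with the assumption that "all" applies to every resource a class does not set explicitly; the context-to-class assignment is constructed for illustration, and the syslogs rate limit is a separate budget left out here.

```python
# Resource classes as configured in section 2.4.3 (percentage limits only);
# assumption: "all" covers every resource the class does not set explicitly.
CLASSES = {
    "default": {"conns": 10},
    "gold":    {"all": 5, "fixups": 10},
    "silver":  {"all": 3},
}
RESOURCES = ("conns", "fixups", "hosts", "xlates")

# Constructed example assignment; any context not listed belongs to "default".
ASSIGNMENT = {"admin": "gold", "ne40": "gold", "contexta": "silver", "contextb": "silver"}
CONTEXTS = ["admin", "ne40"] + [f"context{c}" for c in "abcdefghij"]


def effective_limit(cls, resource):
    """Percentage a member of the class may use, or None when the class leaves it unlimited."""
    spec = CLASSES[cls]
    return spec[resource] if resource in spec else spec.get("all")


def oversubscription(contexts=CONTEXTS, assignment=ASSIGNMENT):
    """Sum the per-context limits per resource; None marks a resource some context may exhaust."""
    totals = {}
    for res in RESOURCES:
        total = 0
        for ctx in contexts:
            limit = effective_limit(assignment.get(ctx, "default"), res)
            if limit is None:
                total = None      # one unlimited context defeats every other limit
                break
            total += limit
        totals[res] = total
    return totals


def report(totals):
    """One line per resource saying whether the limits add up to more than the FWSM has."""
    lines = []
    for res, total in totals.items():
        if total is None:
            lines.append(f"{res}: unlimited for at least one context; one context can exhaust it")
        elif total > 100:
            lines.append(f"{res}: {total}% committed, oversubscribed by {total - 100}%")
        else:
            lines.append(f"{res}: {total}% committed, {100 - total}% headroom")
    return lines


if __name__ == "__main__":
    print("\n".join(report(oversubscription())))
    # Every context left in the default class: 12 x 10% of conns.
    print("\n".join(report(oversubscription(assignment={}))))
```

With the classes exactly as configured, only conns is bounded for the default class, so every other resource stays exhaustible by any default-class context.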

3 Summary

This was my first time configuring the FWSM; the above is a general account of a real project and the lessons I took from it. There are many shortcomings and things that urgently need improvement, and different network environments will of course call for different deployment approaches. "Among any three people walking together, one can be my teacher": technology has no borders, so everyone is welcome to exchange ideas. Feel free to e-mail me at any time so we can discuss and improve together! ☺☺☺
