1.

1 Cấu hình switch làm việc với module FWSM

Chức năng của FWSM sẽ thay thế các thiết bị PIX 525 riêng lẻ trước đây, vì vậy các
cấu hình hiện tại của các PIX 525 sẽ được chuyển sang cấu hình trên FWSM, bảo toàn
cấu hình hiện tại và tăng cường tối ưu hoá hệ thống.
Sau đây là các bước cơ bản liên quan tới việc cấu hình FWSM
o Kiểm tra các module

Router> show module

Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
1 2 Catalyst 6000 supervisor 2 (Active) WS-X6K-SUP2-2GE SAD0444099Y
2 48 48 port 10/100 mb RJ-45 ethernet WS-X6248-RJ-45 SAD03475619
3 2 Intrusion Detection System WS-X6381-IDS SAD04250KV5
4 6 Firewall Module WS-SVC-FWM-1 SAD062302U4

o Gán Vlan vào Firewall group

Router(config)# firewall vlan-group firewall_group vlan_range

The vlan_range can be one or more VLANs (1 to 1000 and from 1025 to 4094) identified in one of the following ways:
• A single number (n)
• A range (n-x)

o Gán Firewall group vào FWSM

Router(config)# firewall module module_number vlan-group firewall_group

The firewall_group is one or more group numbers:

• A single number (n)
• A range (n-x)

Ví dụ:
Router(config)# firewall vlan-group 50 55-57
Router(config)# firewall vlan-group 51 70-85
Router(config)# firewall module 5 vlan-group 50,51

Router# show firewall vlan-group

Group vlans
----- ------
50 55-57
51 70-85

Router# show firewall module

Module Vlan-groups
5 50,51

1.2 Cấu hình FWSM

o Login vào FWSM
Router# session slot number processor 1
FWSM passwd:
By default, the password is cisco
FWSM> enable
Password:
By default, the password is blank, and you can press the Enter key to continue
FWSM#
FWSM# show running-config
FWSM# configure terminal
FWSM(config)#
o Setting the Name and Security Level
FWSM(config)# nameif {vlann | context_map_name} name [security]n
FWSM# show nameif
nameif vlan100 outside security0
nameif vlan101 inside security100
nameif vlan102 dmz security50
o Configuring Connection Limits for Non-NAT Configurations
FWSMconfig)# static (inside_interface,outside_interface) local_ip_address local_ip_address
netmask mask [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

FWSM(config)# static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255

norandomseq tcp 1000 200 udp 1000

o Assigning IP Addresses to Interfaces for a Routed Firewall

FWSM(config)# ip address interface_name ip_address mask [standby ip_address]
FWSM(config)# ip address inside 192.168.1.1 255.255.255.0
o Configuring the Default Route
FWSM(config)# route gateway_interface 0 0 gateway_ip [metric]
The metric is the number of hops to gateway_ip. The default is 1 if you do not specify a metric.
FWSM(config)# route outside 0 0 10.1.1.1 1
o Configuring Static Routes
FWSM(config)# route gateway_interface dest_ip mask gateway_ip [metric]

The metric is the number of hops to gateway_ip. The default is 1 if you do not specify a metric.
The addresses you specify for the static route are the addresses that are in the packet before
entering the FWSM and performing NAT.
FWSM(config)# route inside 10.1.1.0 255.255.255.0 10.1.2.45 1

The following static routes are equal cost routes that direct traffic to three different routers on the
outside interface. The FWSM sends 1/3 of the traffic to each router.
FWSM(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1
FWSM(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.2
FWSM(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.3

o Configuring OSPF
FWSM(config)# router ospf process_id
FWSM(config-router)# network ip_address mask area area_id

FWSM(config)# router ospf 2

FWSM(config-router)# network 2.0.0.0 255.0.0.0 area 0
o Redistributing Static, Connected, or OSPF Routes to an OSPF Process
FWSM(config)# router ospf process_id
FWSM(config-router)# redistribute {ospf process_id | static | connect}
[match {internal | external 1 | external 2}] [metric metric-value]
[metric-type {type-1 | type-2}] [tag tag_value] [subnets] [route-map map_name]

FWSM(config)# router ospf 109

FWSM(config-router)# redistribute static 108 metric 100 subnets
o Configuring Route Summarization When Redistributing Routes into OSPF
FWSM(config)# router ospf process_id
FWSM(config-router)# summary-address ip_address mask [not advertise] [tag tag]
1.3 Các phương pháp cấu hình firewall điển hình

o Configuring Network Address Translation

FWSM(config)# nat (inside) 1 10.1.2.0 255.255.255.0

FWSM(config)# global (outside) 1 209.165.201.1-209.165.201.15
o Static PAT

FWSM(config)# static (inside,outside) tcp 209.165.201.3 ftp 10.1.2.27 ftp netmask

255.255.255.255
FWSM(config)# static (inside,outside) tcp 209.165.201.3 http 10.1.2.28 http
netmask 255.255.255.255
FWSM(config)# static (inside,outside) tcp 209.165.201.3 smtp 10.1.2.29 smtp
netmask 255.255.255.255
FWSM(config)# nat (inside) 1 10.1.2.27 255.255.255.255
FWSM(config)# global (outside) 1 209.165.201.3

o Policy NAT with Different Destination Addresses

FWSM(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0

255.255.255.224
FWSM(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224
255.255.255.224
FWSM(config)# nat (inside) 1 access-list NET1
FWSM(config)# global (outside) 1 209.165.202.129
FWSM(config)# nat (inside) 2 access-list NET2
FWSM(config)# global (outside) 2 209.165.202.130

o Policy NAT with Different Destination Ports

FWSM(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11
255.255.255.255 eq 80
FWSM(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11
255.255.255.255 eq 23
FWSM(config)# nat (inside) 1 access-list WEB
FWSM(config)# global (outside) 1 209.165.202.129
FWSM(config)# nat (inside) 2 access-list TELNET
FWSM(config)# global (outside) 2 209.165.202.130

o DNS Reply Modification

FWSM(config)# static (inside,outside) 209.165.201.10 10.1.3.14 netmask
255.255.255.255 dns
o DNS Reply Modification Using Outside NAT

FWSM(config)# static (outside,inside) 10.1.2.56 209.165.201.10 netmask

255.255.255.255 dns
o NAT and Global ID Matching

FWSM(config)# nat (inside) 1 10.1.2.0 255.255.255.0

FWSM(config)# global (outside) 1 209.165.201.3-209.165.201.10
o NAT Statements on Multiple Interfaces

FWSM(config)# nat (inside) 1 10.1.2.0 255.255.255.0

FWSM(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
FWSM(config)# global (outside) 1 209.165.201.3-209.165.201.10
o Global and NAT Statements on Multiple Interfaces
FWSM(config)# nat (inside) 1 10.1.2.0 255.255.255.0
FWSM(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
FWSM(config)# global (outside) 1 209.165.201.3-209.165.201.10
FWSM(config)# global (dmz) 1 10.1.1.23

o Different NAT IDs

FWSM(config)# nat (inside) 1 10.1.2.0 255.255.255.0
FWSM(config)# nat (inside) 2 192.168.1.0 255.255.255.0
FWSM(config)# global (outside) 1 209.165.201.3-209.165.201.10
FWSM(config)# global (outside) 2 209.165.201.11
o NAT and PAT Together

FWSM(config)# nat (inside) 1 10.1.2.0 255.255.255.0

FWSM(config)# global (outside) 1 209.165.201.3-209.165.201.4
FWSM(config)# global (outside) 1 209.165.201.5
o Outside NAT and Inside NAT Combined

FWSM(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 outside

FWSM(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
FWSM(config)# static (inside,dmz) 10.1.2.27 10.1.1.5 netmask 255.255.255.255
FWSM(config)# global (outside) 1 209.165.201.3-209.165.201.4
FWSM(config)# global (inside) 1 10.1.2.30-1-10.1.2.40

o Using Outside NAT with Overlapping Networks

Translate 192.168.100.0/24 on the inside to 10.1.2.0 /24 when it accesses the dmz by entering the
following command:
FWSM(config)# static (inside,dmz) 10.1.2.0 192.168.100.0 netmask 255.255.255.0

Translate the 192.168.100.0/24 network on the dmz to 10.1.3.0/24 when it accesses the inside by
entering the following command:
FWSM(config)# static (dmz,inside) 10.1.3.0 192.168.100.0 netmask 255.255.255.0

Configure the following static routes so that traffic to the dmz network can be routed correctly by
the FWSM:
FWSM(config)# route dmz 192.168.100.128 255.255.255.128 10.1.1.2 1
FWSM(config)# route dmz 192.168.100.0 255.255.255.128 10.1.1.2 1

o Port Redirection Using Static PAT

In the configuration described in this section, port redirection occurs for hosts on external
networks as follows:
 Telnet requests to IP address 209.165.201.5 are redirected to 10.1.1.6
 FTP requests to IP address 209.165.201.5 are redirected to 10.1.1.3
 HTTP request to FWSM outside IP address 209.165.201.25 are redirected to 10.1.1.5
 HTTP port 8080 requests to PAT address 209.165.201.15 are redirected to 10.1.1.7 port
80
To implement this scenario, complete the following steps:

Configure PAT for the inside network by entering the following commands:
FWSM(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
FWSM(config)# global (outside) 1 209.165.201.15

Redirect Telnet requests for 209.165.201.5 to 10.1.1.6 by entering the following command:
FWSM(config)# static (inside,outside) tcp 209.165.201.5 telnet 10.1.1.6 telnet netmask
255.255.255.255

Redirect FTP requests for IP address 209.165.201.5 to 10.1.1.3 by entering the following
command:
FWSM(config)# static (inside,outside) tcp 209.165.201.5 ftp 10.1.1.3 ftp netmask
255.255.255.255

Redirect HTTP requests for the FWSM outside interface address to 10.1.1.5 by entering the
following command:
FWSM(config)# static (inside,outside) tcp interface www 10.1.1.5 www netmask
255.255.255.255

Redirect HTTP requests on port 8080 for PAT address 209.165.201.15 to 10.1.1.7 port 80 by
entering the following command:
FWSM(config)# static (inside,outside) tcp 209.165.201.15 8080 10.1.1.7 www
netmask 255.255.255.255

o Access-list Example configuration

Configuring NAT or PAT
FWSM(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0
255.255.255.224
FWSM(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224
255.255.255.224
FWSM(config)# nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000
FWSM(config)# global (outside) 1 209.165.202.129
FWSM(config)# nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000
FWSM(config)# global (outside) 2 209.165.202.130

FWSM(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11

255.255.255.255 eq 80
FWSM(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11
255.255.255.255 eq 23
FWSM(config)# nat (inside) 1 access-list WEB
FWSM(config)# global (outside) 1 209.165.202.129
FWSM(config)# nat (inside) 2 access-list TELNET
FWSM(config)# global (outside) 2 209.165.202.130

Using Static NAT

FWSM(config)# access-list NET1 permit ip host 10.1.2.27 209.165.201.0
255.255.255.224
FWSM(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224
255.255.255.224
FWSM(config)# static (inside,outside) 209.165.202.129 access-list NET1
FWSM(config)# static (inside,outside) 209.165.202.130 access-list NET2

Using Static PAT

FWSM(config)# access-list TELNET permit tcp host 10.1.1.15 eq telnet 10.1.3.0
255.255.255.0 eq telnet
FWSM(config)# static (inside,outside) tcp 10.1.2.14 telnet access-list TELNET

o Xoá 1 tổ hợp lệnh trong cấu hình

FWSM# clear configurationcommand [subconfigurationcommand]

o Xoá 1 câu lệnh trong cấu hình

FWSM# no configurationcommand [subconfigurationcommand] qualifier

o Lưu cấu hình

FWSM# copy running-config startup-config
1.4 Ví dụ cấu hình firewall trong thực tế
o Single Mode Using Same Security Level
This configuration creates three internal interfaces. Two of the interfaces connect to departments
that are on the same security level, which allows all hosts to communicate without using NAT.
The DMZ interface hosts a Syslog server. The management host on the outside needs access to the
Syslog server and the FWSM. To connect to the FWSM, the host uses a VPN connection. The
FWSM uses RIP on the inside interfaces to learn routes. Because the FWSM does not advertise
routes with RIP, the MSFC needs to use static routes for FWSM traffic.

The Department networks are allowed to access the Internet, and use PAT.
FWSM Configuration
nameif vlan3 outside security0
nameif vlan4 dept2 security100
nameif vlan5 dept1 security100
nameif vlan10 dmz security50
passwd g00fba11
enable password gen1u$
hostname Buster
same-security-traffic permit inter-interface
ip address outside 209.165.201.3 255.255.255.224
ip address dept2 10.1.2.1 255.255.255.0
ip address dept2 10.1.1.1 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
route outside 0 0 209.165.201.1 1
nat (dept1) 1 10.1.1.0 255.255.255.0
nat (dept2) 1 10.1.2.0 255.255.255.0
global (outside) 1 209.165.201.9 netmask 255.255.255.255 [The dept1 and dept2 networks use
PAT when accessing the outside]
static (dmz,outside) 209.165.201.5 192.168.2.2 netmask 255.255.255.255 [The syslog server
needs a static translation so the outside management host can access the server]
access-list DEPTS extended permit ip any any
access-group DEPTS in interface dept1
access-group DEPTS in interface dept2 [Allows all dept1 and dept2 hosts to access the
outside for any IP traffic]
access-list MANAGE extended permit tcp host 209.165.200.225 host 209.165.201.5 eq telnet
access-group MANAGE in interface outside [This ACL allows the management host to access
the syslog server]
rip dept2 default version 2 authentication md5 scorpius 1 [Advertises the FWSM IP address
as the default gateway for the downstream router. The FWSM does not advertise a default
route to the MSFC.]
rip dept2 passive version 2 authentication md5 scorpius 1 [Listens for RIP updates from
the downstream router. The FWSM does not listen for RIP updates from the MSFC because a
default route to the MSFC is all that is required.]
isakmp policy 1 authentication pre-share [The client uses a pre-shared key to connect to
the FWSM over IPSec. The key is the password in the username command below.]
isakmp policy 1 encryption 3des
isakmp policy 1 group 2
isakmp policy 1 hash sha
isakmp enable outside
crypto ipsec transform-set vpn_client esp-3des esp-sha-hmac
username admin password passw0rd
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
crypto dynamic-map vpn_client 1 set transform-set vpn
crypto map telnet_tunnel 1 ipsec-isakmp dynamic vpn_client
crypto map telnet_tunnel interface outside
crypto map telnet_tunnel client authentication LOCAL
ip local pool client_pool 10.1.1.2
access-list VPN_SPLIT extended permit ip host 209.165.201.3 host 10.1.1.2
vpngroup admin address-pool client_pool
vpngroup admin split-tunnel VPN_SPLIT
vpngroup admin password $ecure23
telnet 10.1.1.2 255.255.255.255 outside
telnet timeout 30
logging trap 5
logging host dmz 192.168.2.2 [System messages are sent to the syslog server on the DMZ
network]
logging on

Switch Configuration on MSFC

interface vlan 3
ip address 209.165.201.1 255.255.255.224
no shut
...

o Shared Resources for Multiple Contexts

This configuration includes multiple contexts for multiple departments within a company. Each
department has its own security context so that each department can have its own security policy.
However, the syslog, mail, and AAA servers are shared across all departments. These servers are
placed on a shared VLAN.

Department 1 has a web server that outside users who are authenticated by the AAA server can
access.
See the following sections for the configurations :
• System Configuration

• Admin Context Configuration

• Department 1 Context Configuration

• Department 2 Context Configuration

• Switch Configuration

System Configuration
You must first enable multiple context mode using the mode multiple command. Then enter the
activation key to allow more than two contexts using the activation-key command. The mode and
the activation key are not stored in the configuration file, even though they do endure reboots. If
you view the configuration on the FWSM using the write terminal, show startup, or show
running commands, the mode displays after the FWSM Version (blank means single mode,
"<system>" means you are in multiple mode in the system configuration, and <context> means
you are in multiple mode in a context).

hostname Ubik
password pkd55
 enable password deckard69
admin-context admin
context admin
allocate-interface vlan200
allocate-interface vlan201
allocate-interface vlan300
config-url disk://admin.cfg
context department1
allocate-interface vlan200
allocate-interface vlan202
allocate-interface vlan300
config-url ftp://admin:passw0rd@10.1.0.16/dept1.cfg
context department2
allocate-interface vlan200
allocate-interface vlan203
allocate-interface vlan300
config-url ftp://admin:passw0rd@10.1.0.16/dept2.cfg

Admin Context Configuration

hostname Admin
nameif vlan200 outside security0
nameif vlan201 inside security100
nameif vlan300 shared security50
passwd v00d00
enable password d011
ip address outside 209.165.201.3 255.255.255.224
ip address inside 10.1.0.1 255.255.255.0
ip address shared 10.1.1.1 255.255.255.0
route outside 0 0 209.165.201.2 1
nat (inside) 1 10.1.0.0 255.255.255.0
global (outside) 1 209.165.201.6 netmask 255.255.255.255 [This context uses PAT for inside
users that access the outside]
global (shared) 1 10.1.1.30 [This context uses PAT for inside users that access the shared
network]
static (inside,outside) 209.165.201.7 10.1.0.15 netmask 255.255.255.255 [Because this host
can access the web server in the Department 1 context, it requires a static translation]
static (inside,shared) 10.1.1.78 10.1.0.15 netmask 255.255.255.255 [Because this host has
management access to the servers on the Shared interface, it requires a static translation
to be used in an ACL]
access-list INTERNET extended permit ip any any
access-group INTERNET in interface inside [Allows all inside hosts to access the outside
and shared network for any IP traffic]
access-list SHARED extended permit ip host 10.1.1.78 any
access-list SHARED extended permit tcp host 10.1.1.30 host 10.1.1.7 eq smtp
access-group SHARED out interface shared [This ACL allows only mail traffic from the
inside network to exit out the shared interface, but allows the admin host to access any
server. Note that the translated addresses are used.]
telnet 10.1.0.15 255.255.255.255 inside [Allows 10.1.0.15 to access the admin context
using Telnet. From the admin context, you can access all other contexts.]
aaa-server AAA-SERVER protocol tacacs+
aaa-server AAA-SERVER (shared) host 10.1.1.6 TheUauthKey
aaa authentication telnet console AAA-SERVER [The host at 10.1.0.15 must authenticate with
the AAA server to log in]
logging trap 6
logging host shared 10.1.1.8 [System messages are sent to the syslog server on the Shared
network]
logging on

Department 1 Context Configuration

nameif vlan200 outside security0
nameif vlan202 inside security100
nameif vlan300 shared security50
passwd cugel
enable password rhialto
ip address outside 209.165.201.4 255.255.255.224
ip address inside 10.1.2.1 255.255.255.0
ip address shared 10.1.1.2 255.255.255.0
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 209.165.201.8 netmask 255.255.255.255 [The inside network uses PAT when
accessing the outside]
global (shared) 1 10.1.1.31-10.1.1.37 [The inside network uses dynamic NAT when accessing
the shared network]
static (inside,outside) 209.165.201.9 10.1.2.3 netmask 255.255.255.255 [The web server can
be accessed from outside and requires a static translation]
access-list INTERNET extended permit ip any any
access-group INTERNET in interface inside [Allows all inside hosts to access the outside
and shared network for any IP traffic]
access-list WEBSERVER extended permit ip host 209.165.201.7 host 209.165.201.9 [This ACE
allows the management host (its translated address) on the admin context to access the web
server for management (it can use any IP protocol)]
access-list WEBSERVER extended permit tcp any eq http host 209.165.201.9 eq http [This ACE
allows any outside address to access the web server with HTTP]
access-group WEBSERVER in interface outside
access-list MAIL extended permit tcp host 10.1.1.31 eq smtp host 10.1.1.7 eq smtp
access-list MAIL extended permit tcp host 10.1.1.32 eq smtp host 10.1.1.7 eq smtp
access-list MAIL extended permit tcp host 10.1.1.33 eq smtp host 10.1.1.7 eq smtp
access-list MAIL extended permit tcp host 10.1.1.34 eq smtp host 10.1.1.7 eq smtp
access-list MAIL extended permit tcp host 10.1.1.35 eq smtp host 10.1.1.7 eq smtp
access-list MAIL extended permit tcp host 10.1.1.36 eq smtp host 10.1.1.7 eq smtp
access-list MAIL extended permit tcp host 10.1.1.37 eq smtp host 10.1.1.7 eq smtp
access-group MAIL out interface shared [This ACL allows only mail traffic from the inside
network to exit out the shared interface. Note that the translated addresses are used.]
aaa-server AAA-SERVER protocol tacacs+
aaa-server AAA-SERVER (shared) host 10.1.1.6 TheUauthKey
aaa authentication match WEBSERVER outside AAA-SERVER [All traffic matching the
WEBSERVER
ACL must authenticate with the AAA server]
logging trap 4
logging host shared 10.1.1.8 [System messages are sent to the syslog server on the Shared
network]
logging on

Department 2 Context Configuration

nameif vlan200 outside security0
nameif vlan203 inside security100
nameif vlan300 shared security50
passwd maz1r1an
enable password ly0ne$$e
ip address outside 209.165.201.5 255.255.255.224
ip address inside 10.1.3.1 255.255.255.0
ip address shared 10.1.1.3 255.255.255.0
route outside 0 0 209.165.201.2 1
nat (inside) 1 10.1.3.0 255.255.255.0
global (outside) 1 209.165.201.10 netmask 255.255.255.255 [The inside network uses PAT
when accessing the outside]
global (shared) 1 10.1.1.38 [The inside network uses PAT when accessing the shared
network]
access-list INTERNET extended permit ip any any
access-group INTERNET in interface inside [Allows all inside hosts to access the outside
and shared network for any IP traffic]
access-list MAIL extended permit tcp host 10.1.1.38 host 10.1.1.7 eq smtp
access-group MAIL out interface shared [This ACL allows only mail traffic from the inside
network to exit out the shared interface. Note that the translated PAT address is used.]
logging trap 3
logging host shared 10.1.1.8 [System messages are sent to the syslog server on the Shared
network]
logging on
Switch Configuration
...
firewall module 6 vlan-group 1
firewall vlan-group 1 200-203,300
interface vlan 200
ip address 209.165.201.2 255.255.255.224
no shut
...

o Cấu hình Failover giữa 2 thiết bị switch

This configuration shows a routed, multiple context mode FWSM in one switch, and another
FWSM in a second switch acting as a backup. Each context (A, B, and C) monitors the inside
interface, and context A, which is the admin context, also monitors the outside interface. Because
the outside interface is shared among all contexts, monitoring in one context benefits all contexts.

The secondary FWSM is also in routed, multiple context mode, and has the same software version
See the following sections for the configurations:
• Primary FWSM Configuration

• Secondary FWSM System Configuration

• Switch Configuration

Primary FWSM Configuration

The following sections include the configuration for the primary FWSM:

• System Configuration (Primary)

• Context A Configuration (Primary)

• Context B Configuration (Primary)

• Context C Configuration (Primary)

Primary FWSM Configuration

System Configuration (Primary)
You must first enable multiple context mode using the mode multiple command. Then enter the activation
key to allow more than two contexts using the activation-key command. The mode and the activation key are
not stored in the configuration file, even though they do endure reboots. If you view the configuration on the
FWSM using the write terminal, show startup, or show running commands, the mode displays after the
FWSM Version (blank means single mode, "<system>" means you are in multiple mode in the system
configuration, and <context> means you are in multiple mode in a context).
hostname primary
enable password farscape
password crichton
failover lan interface faillink vlan 10
failover link statelink vlan 11
failover lan unit primary
failover interface ip faillink 192.168.253.1 255.255.255.252 standby 192.168.253.2
failover interface ip statelink 192.168.253.5 255.255.255.252 standby 192.168.253.6
failover interface-policy 50%
failover replication http
failover
admin-context contexta
context contexta
allocate-interface vlan200
allocate-interface vlan201
config-url disk://contexta.cfg
context contextb
allocate-interface vlan200
allocate-interface vlan202
config-url ftp://admin:passw0rd@10.0.3.16/contextb.cfg
context contextc
allocate-interface vlan200
allocate-interface vlan203
config-url ftp://admin:passw0rd@10.0.3.16/contextc.cfg

Context A Configuration (Primary)

nameif vlan200 outside security0
nameif vlan201 inside security100
passwd secret1969
enable password h1andl0
ip address outside 209.165.201.2 255.255.255.224 standby 209.165.201.6
ip address inside 10.0.3.1 255.255.255.0 standby 10.0.3.2
monitor-interface inside
monitor-interface outside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 209.165.201.10 netmask 255.255.255.224 [This context uses dynamic PAT
for inside users that access the outside]
route outside 0 0 209.165.201.1 1
telnet 10.0.3.75 255.255.255.255 inside
access-list INTERNET extended permit ip any any
access-group INTERNET in interface inside [Allows all inside hosts to access the outside
for any IP traffic]

Context B Configuration (Primary)

nameif vlan200 outside security0
nameif vlan202 inside security100
passwd secret1978
enable password 7samura1
ip address outside 209.165.201.4 255.255.255.224 standby 209.165.201.8
ip address inside 10.0.2.1 255.255.255.0 standby 10.0.2.2
monitor-interface inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 209.165.201.11 netmask 255.255.255.224 [This context uses dynamic PAT
for inside users that access the outside]
route outside 0 0 209.165.201.1 1
telnet 10.0.2.14 255.255.255.255 inside
access-list INTERNET extended permit ip any any
access-group INTERNET in interface inside [Allows all inside hosts to access the outside
for any IP traffic]

Context C Configuration (Primary)

nameif vlan200 outside security0
nameif vlan203 inside security100
passwd secret0997
enable password strayd0g
ip address outside 209.165.201.3 255.255.255.224 standby 209.165.201.7
ip address inside 10.0.1.1 255.255.255.0 standby 10.0.1.2
monitor-interface inside
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 209.165.201.12 netmask 255.255.255.224 [This context uses dynamic PAT
for inside users that access the outside]
route outside 0 0 209.165.201.1 1
telnet 10.0.1.65 255.255.255.255 inside
access-list INTERNET extended permit ip any any
access-group INTERNET in interface inside [Allows all inside hosts to access the outside
for any IP traffic]
Secondary FWSM System Configuration
You do not need to configure any contexts, just the following minimal configuration for the system.
You must first enable multiple context mode using the mode multiple command. Then enter the activation
key to allow more than two contexts using the activation-key command. The mode and the activation key are
not stored in the configuration file, even though they do endure reboots. If you view the configuration on the
FWSM using the write terminal, show startup, or show running commands, the mode displays after the
FWSM Version (blank means single mode, "<system>" means you are in multiple mode in the system
configuration, and <context> means you are in multiple mode in a context).
failover lan interface faillink vlan 10
failover interface ip faillink 192.168.253.1 255.255.255.252 standby 192.168.253.2
failover lan unit secondary
failover

Switch Configuration
The following lines in the Cisco IOS switch configuration on both switches relate to the FWSM. For
information about configuring redundancy for the switch, see the switch documentation.
...
firewall module 1 vlan-group 1
firewall vlan-group 1 10,11,200-203
interface vlan 200
ip address 209.165.201.1 255.255.255.224
standby 200 ip 209.165.201.2
standby 200 priority 110
standby 200 preempt
standby 200 timers 5 15
standby 200 authentication Secret
no shut
interface range gigabitethernet 2/1-3
channel-group 2 mode on
switchport trunk encapsulation dot1q
no shut
...