Example 2: Switch Configuration - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services

Hide thumbs Also See for Catalyst 6500 Series:

Software configuration manual (570 pages)

Configuration note (212 pages)

Installation manual (194 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

Table of Contents

Appendix B

Sample Configurations

global (outside) 1 209.165.201.9 netmask 255.255.255.255 [ The dept1 and dept2 networks use

PAT when accessing the outside ]

static (dmz,outside) 209.165.201.5 192.168.2.2 netmask 255.255.255.255 [ The syslog server

needs a static translation so the outside management host can access the server ]

access-list DEPTS extended permit ip any any

access-group DEPTS in interface dept1

access-group DEPTS in interface dept2 [ Allows all dept1 and dept2 hosts to access the

outside for any IP traffic ]

access-list MANAGE extended permit tcp host 209.165.200.225 host 209.165.201.5 eq telnet

access-group MANAGE in interface outside [ This ACL allows the management host to access

the syslog server ]

rip dept2 default version 2 authentication md5 scorpius 1 [ Advertises the FWSM IP address

as the default gateway for the downstream router. The FWSM does not advertise a default

route to the MSFC. ]

rip dept2 passive version 2 authentication md5 scorpius 1 [ Listens for RIP updates from

the downstream router. The FWSM does not listen for RIP updates from the MSFC because a

default route to the MSFC is all that is required. ]

isakmp policy 1 authentication pre-share [ The client uses a pre-shared key to connect to

the FWSM over IPSec. The key is the password in the username command below. ]

isakmp policy 1 encryption 3des

isakmp policy 1 group 2

isakmp policy 1 hash sha

isakmp enable outside

crypto ipsec transform-set vpn_client esp-3des esp-sha-hmac

username admin password passw0rd

crypto ipsec transform-set vpn esp-3des esp-sha-hmac

crypto dynamic-map vpn_client 1 set transform-set vpn

crypto map telnet_tunnel 1 ipsec-isakmp dynamic vpn_client

crypto map telnet_tunnel interface outside

crypto map telnet_tunnel client authentication LOCAL

ip local pool client_pool 10.1.1.2

access-list VPN_SPLIT extended permit ip host 209.165.201.3 host 10.1.1.2

vpngroup admin address-pool client_pool

vpngroup admin split-tunnel VPN_SPLIT

vpngroup admin password $ecure23

telnet 10.1.1.2 255.255.255.255 outside

telnet timeout 30

logging trap 5

logging host dmz 192.168.2.2 [ System messages are sent to the syslog server on the DMZ

network ]

logging on