Example 3: Department 1 Context Configuration - Cisco Catalyst 6500 Series Configuration Manual

Appendix B
Sample Configurations
Routed Mode Examples
telnet 10.1.0.15 255.255.255.255 inside [ Allows 10.1.0.15 to access the admin context using Telnet. From the admin context, you can access all other contexts. ]
aaa-server AAA-SERVER protocol tacacs+
aaa-server AAA-SERVER (shared) host 10.1.1.6 TheUauthKey
aaa authentication telnet console AAA-SERVER [ The host at 10.1.0.15 must authenticate with the AAA server to log in ]
logging trap 6
logging host shared 10.1.1.8 [ System messages are sent to the syslog server on the Shared network ]
logging on

Example 3: Department 1 Context Configuration

nameif vlan200 outside security0
nameif vlan202 inside security100
nameif vlan300 shared security50
passwd cugel
enable password rhialto
ip address outside 209.165.201.4 255.255.255.224
ip address inside 10.1.2.1 255.255.255.0
ip address shared 10.1.1.2 255.255.255.0
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 209.165.201.8 netmask 255.255.255.255 [ The inside network uses PAT when accessing the outside ]
global (shared) 1 10.1.1.31-10.1.1.37 [ The inside network uses dynamic NAT when accessing the shared network ]
static (inside,outside) 209.165.201.9 10.1.2.3 netmask 255.255.255.255 [ The web server can be accessed from outside and requires a static translation ]
access-list INTERNET extended permit ip any any
access-group INTERNET in interface inside [ Allows all inside hosts to access the outside and shared network for any IP traffic ]
access-list WEBSERVER extended permit ip host 209.165.201.7 host 209.165.201.9 [ This ACE allows the management host (its translated address) on the admin context to access the web server for management (it can use any IP protocol) ]
access-list WEBSERVER extended permit tcp any host 209.165.201.9 eq http [ This ACE allows any outside address to access the web server with HTTP. Only the destination port is matched: a source-port qualifier (eq http before the destination) would never match real clients, which connect from ephemeral ports. ]
access-group WEBSERVER in interface outside
access-list MAIL extended permit tcp host 10.1.1.31 host 10.1.1.7 eq smtp
access-list MAIL extended permit tcp host 10.1.1.32 host 10.1.1.7 eq smtp
access-list MAIL extended permit tcp host 10.1.1.33 host 10.1.1.7 eq smtp
access-list MAIL extended permit tcp host 10.1.1.34 host 10.1.1.7 eq smtp
access-list MAIL extended permit tcp host 10.1.1.35 host 10.1.1.7 eq smtp
access-list MAIL extended permit tcp host 10.1.1.36 host 10.1.1.7 eq smtp
access-list MAIL extended permit tcp host 10.1.1.37 host 10.1.1.7 eq smtp
access-group MAIL out interface shared [ This ACL allows only mail traffic from the inside network to exit out the shared interface. Note that the translated addresses are used. Only the destination port (smtp) is matched, because the sending mail host uses an ephemeral source port; if the dynamic NAT pool on the shared interface is changed, these ACEs must be updated to match. ]
aaa-server AAA-SERVER protocol tacacs+
aaa-server AAA-SERVER (shared) host 10.1.1.6 TheUauthKey
aaa authentication match WEBSERVER outside AAA-SERVER [ All traffic matching the WEBSERVER ACL must authenticate with the AAA server ]
logging trap 4
logging host shared 10.1.1.8 [ System messages are sent to the syslog server on the Shared network ]
logging on
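The MAIL ACL above depends on the dynamic NAT pool on the shared interface: it lists the translated addresses one by one, so the two must stay in step. The following Python script is an added example, not part of the Cisco guide, that parses the FWSM 2.x style global and access-list lines from this context, checks that the MAIL ACL covers exactly the pool 10.1.1.31-10.1.1.37, and evaluates a few constructed flows (the outside client 198.51.100.9 and its ephemeral port are made-up sample values) against the ACLs with first-match semantics and the implicit deny. The STRICT ACL is a constructed variant that also pins the source port, to show why such an ACE never matches a real client. The parser only understands the address and port forms that appear on this page, and PORT_NAMES only maps the two service names used here.

```python
"""Consistency checks for the Department 1 context (added example, not from the guide)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"http": 80, "smtp": 25}  # only the service names this example needs

# Subset of the Department 1 context, copied from the configuration above.
DEPT1_CONFIG = """\
global (outside) 1 209.165.201.8 netmask 255.255.255.255
global (shared) 1 10.1.1.31-10.1.1.37
access-list WEBSERVER extended permit ip host 209.165.201.7 host 209.165.201.9
access-list WEBSERVER extended permit tcp any host 209.165.201.9 eq http
""" + "".join(
    f"access-list MAIL extended permit tcp host 10.1.1.{i} host 10.1.1.7 eq smtp\n"
    for i in range(31, 38)
)
# Constructed ACE (not on the page) that also requires source port 80.
SRCPORT_ACE = "access-list STRICT extended permit tcp any eq http host 209.165.201.9 eq http\n"


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def _parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' from the token list."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None when absent."""
    if tokens[:1] == ["eq"]:
        p = tokens[1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), tokens[2:]
    return None, tokens


def parse_ace(line):
    """access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P] -> Ace, else None."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] != "extended":
        return None
    src, rest = _parse_addr(t[5:])
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, _ = _parse_port(rest)
    return Ace(t[1], t[3], t[4], src, sport, dst, dport)


def parse_global_pool(line):
    """global (IFACE) ID A.B.C.D[-E.F.G.H] ... -> (iface, set of addresses), else None."""
    m = re.match(r"global \((\S+)\) (\d+) (\S+)", line)
    if not m:
        return None
    spec = m.group(3)
    if "-" in spec:
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in spec.split("-"))
        return m.group(1), {ipaddress.IPv4Address(i) for i in range(lo, hi + 1)}
    return m.group(1), {ipaddress.IPv4Address(spec)}


def parse_config(text):
    """Return (list of ACEs in order, {interface: set of pool addresses})."""
    aces, pools = [], {}
    for line in text.splitlines():
        ace = parse_ace(line)
        if ace:
            aces.append(ace)
        elif (g := parse_global_pool(line)):
            pools.setdefault(g[0], set()).update(g[1])
    return aces, pools


def mail_acl_coverage(text):
    """(missing, extra): pool addresses with no MAIL ACE, and MAIL sources not in the pool."""
    aces, pools = parse_config(text)
    pool = pools.get("shared", set())
    srcs = {a.src.network_address for a in aces if a.acl == "MAIL" and a.src.prefixlen == 32}
    return [str(a) for a in sorted(pool - srcs)], [str(a) for a in sorted(srcs - pool)]


def evaluate(aces, acl, proto, src, sport, dst, dport):
    """First-match evaluation of one ACL; unmatched traffic hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for a in aces:
        if a.acl != acl or a.proto not in ("ip", proto) or s not in a.src or d not in a.dst:
            continue
        if (a.src_port is not None and a.src_port != sport) or (a.dst_port is not None and a.dst_port != dport):
            continue
        return a.action
    return "deny"


def demo():
    aces, _ = parse_config(DEPT1_CONFIG + SRCPORT_ACE)
    results = {
        "http_client": evaluate(aces, "WEBSERVER", "tcp", "198.51.100.9", 51234, "209.165.201.9", 80),
        "http_client_strict": evaluate(aces, "STRICT", "tcp", "198.51.100.9", 51234, "209.165.201.9", 80),
        "mgmt_icmp": evaluate(aces, "WEBSERVER", "icmp", "209.165.201.7", None, "209.165.201.9", None),
        "ssh_client": evaluate(aces, "WEBSERVER", "tcp", "198.51.100.9", 51234, "209.165.201.9", 22),
        "mail_out": evaluate(aces, "MAIL", "tcp", "10.1.1.33", 40000, "10.1.1.7", 25),
        "coverage": mail_acl_coverage(DEPT1_CONFIG),
        # Pool widened to .40 without touching the ACL: three translated addresses lose mail.
        "coverage_widened": mail_acl_coverage(DEPT1_CONFIG.replace("10.1.1.31-10.1.1.37", "10.1.1.31-10.1.1.40")),
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it to see that the management host reaches the web server with any protocol, an outside client on an ephemeral port is permitted only by the destination-port ACE, SSH falls to the implicit deny, and every pool address has a matching MAIL ACE; the widened-pool variant reports the three translated addresses that would silently lose mail delivery.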
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
B-10
OL-6392-01
