一个FWSM路由模式配置实例

　　应用情况为，两个接口outside应用在广域网，inside端口位于局域网，跑OSPF路由协议，将局域网能够被广域网访问的服务器和端口打开，否则不允许访问。这个应用的情况比较简单，日后可以继续扩展，如服务器区等等。

　　sh run

　　: Saved

　　:

　　FWSM Version 3.2(2)

　　!

　　hostname SDDL-Internal-FW

　　domain-name sddl.com

　　enable password Z1UFjQZdKfrZkYLf encrypted

　　names

　　!

　　interface Vlan254

　　nameif outside

　　security-level 0

　　ip address X.Y.254.254 255.255.255.252

　　ospf hello-interval 1

　　ospf dead-interval 3

　　!

　　interface Vlan2254

　　nameif Internal

　　security-level 99

　　ip address X.Y.254.1 255.255.255.252

　　ospf hello-interval 1

　　ospf dead-interval 3

　　!

　　passwd Z1UFjQZdKfrZkYLf encrypted

　　ftp mode passive

　　<--- More --->

　　access-list acl-in extended permit ip any any

　　access-list SHJT_to_SDDL extended permit tcp any any eq telnet

　　access-list SHJT_to_SDDL extended permit icmp any any

　　access-list SHJT_to_SDDL extended permit ospf any any

　　access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.32 eq www

　　access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq 3389

　　access-list SHJT_to_SDDL extended permit tcp any host X.Y.1.13 eq lotusnotes

　　access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.60 eq www

　　access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.60 eq 8080

　　access-list SHJT_to_SDDL extended permit tcp 10.36.0.0 255.255.0.0 host X.Y.128.60 range 1976 1982

　　access-list SHJT_to_SDDL extended permit tcp 10.229.160.0 255.255.255.0 host X.Y.128.60 range 1976 1982

　　access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq pop3

　　access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq smtp

　　access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq www

　　access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq imap4

　　access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq 63148

　　access-list SHJT_to_SDDL extended permit udp any X.Y.128.0 255.255.255.0 eq 63148

　　access-list SHJT_to_SDDL extended permit udp any X.Y.128.0 255.255.255.0 eq 143

　　access-list SHJT_to_SDDL extended permit udp any X.Y.128.0 255.255.255.0 eq 389

　　access-list SHJT_to_SDDL extended permit tcp any X.Y.128.0 255.255.255.0 eq https

　　access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.37 eq 8000

　　access-list SHJT_to_SDDL extended permit udp any host X.Y.128.37 eq 8000

　　access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.37 eq 7000

　　access-list SHJT_to_SDDL extended permit udp any host X.Y.128.37 eq 7000

　　<--- More --->

　　access-list SHJT_to_SDDL extended permit udp any host X.Y.128.38 eq 7000

　　access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.38 eq 7000

　　access-list SHJT_to_SDDL extended permit tcp any host X.Y.128.50 eq 8080

　　access-list SHJT_to_SDDL extended permit udp any host X.Y.128.32 eq domain

　　access-list SHJT_to_SDDL extended permit ip any host X.Y.128.45

　　access-list SHJT_to_SDDL extended permit ip any host X.Y.128.39

　　access-list SHJT_to_SDDL extended permit ip any host X.Y.1.12

　　access-list SHJT_to_SDDL extended permit ip any host X.Y.128.42

　　access-list SHJT_to_SDDL extended permit ip any host X.Y.128.37

　　access-list SHJT_to_SDDL extended permit ip any host X.Y.128.46

　　access-list SHJT_to_SDDL extended permit ip any host X.Y.128.44

　　access-list SHJT_to_SDDL extended permit ip any host X.Y.128.32

　　access-list SHJT_to_SDDL extended permit tcp 10.228.0.0 255.255.0.0 host X.Y.128.60 range 1976 1982

　　access-list SHJT_to_SDDL extended permit tcp 10.227.160.0 255.255.255.0 host X.Y.128.60 range 1976 1982

　　pager lines 24

　　logging enable

　　logging asdm informational

　　mtu outside 1500

　　mtu Internal 1500

　　ip verify reverse-path interface outside

　　ip verify reverse-path interface Internal

　　no failover

　　failover lan unit secondary

　　icmp permit any outside

　　<--- More --->

　　icmp permit any Internal

　　no asdm history enable

　　arp timeout 14400

　　access-group SHJT_to_SDDL in interface outside

　　access-group acl-in in interface Internal

　　!

　　router ospf 100

　　network X.Y.254.1 255.255.255.255 area 0

　　network X.Y.254.254 255.255.255.255 area 0

　　router-id X.Y.254.254

　　log-adj-changes

　　!

　　timeout xlate 3:00:00

　　timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

　　timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

　　timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

　　timeout sip-invite 0:03:00 sip-disconnect 0:02:00

　　timeout uauth 0:05:00 absolute

　　aaa-server TACACS+ protocol tacacs+

　　aaa-server RADIUS protocol radius

　　username sddl password QZbkfU0FC8LZLZ6k encrypted

　　http server enable

　　http 0.0.0.0 0.0.0.0 outside

　　http X.Y.160.0 255.255.255.0 Internal

　　<--- More --->

　　http X.Y.128.0 255.255.255.0 Internal

　　no snmp-server location

　　no snmp-server contact

　　snmp-server community public

　　snmp-server enable traps snmp authentication linkup linkdown coldstart

　　sysopt nodnsalias inbound

　　sysopt nodnsalias outbound

　　sysopt noproxyarp outside

　　sysopt noproxyarp Internal

　　telnet 0.0.0.0 0.0.0.0 outside

　　telnet 0.0.0.0 0.0.0.0 Internal

　　telnet timeout 5

　　ssh timeout 5

　　console timeout 0

　　!

　　class-map class_sip_tcp

　　match port tcp eq sip

　　class-map inspection_default

　　match default-inspection-traffic

　　!

　　!

　　policy-map global_policy

　　class inspection_default

　　inspect dns maximum-length 512

　　<--- More --->

　　inspect ftp

　　inspect h323 h225

　　inspect h323 ras

　　inspect netbios

　　inspect rsh

　　inspect skinny

　　inspect esmtp

　　inspect sqlnet

　　inspect sunrpc

　　inspect tftp

　　inspect xdmcp

　　inspect ctiqbe

　　inspect dcerpc

　　inspect http

　　inspect icmp

　　inspect ils

　　inspect mgcp

　　inspect rtsp

　　inspect sip

　　inspect snmp

　　class class_sip_tcp

　　inspect sip

　　!

　　service-policy global_policy global

　　<--- More --->

　　prompt hostname context

　　Cryptochecksum:3224aa347a06e32ac4f006510f5606f0

　　: end

　　SDDL-Internal-FW# exit