FWSM and security levels

Unanswered Question
Feb 16th, 2007

I'm hoping someone can clarify a difference that I'm seeing between the PIX 6.x and FWSM 3.x.

Assume a 3 interface firewall (outside,inside,dmz) with no address translation going on at all. The inside has the highest security level, the dmz is lower, and the outside is 0. With 6.x, to allow connections from lower to higher interfaces I would configure a static and use an access list to permit the desired traffic (along with a nat 0 statement for the inside and dmz).

Now assume a FWSM running 3.1.3 (routed context) using the same configuration as above. I understand that NAT statements in this case are no longer needed. It would also appear that I no longer need a static either, and connections between security levels (even lower to higher) seem to be solely controlled by access lists. I'm attaching the config of a FWSM context that I used for testing.

In this test config I purposely set the security level of the Inside to be lower then the DMZ, unless I modify the inside_in access-list to prevent it, the FWSM happily allows connections from lower to higher.

I'm confused that the security levels don't seem to be preventing traffic by default. If someone could confirm if this is proper behavior for the FWSM that would be great.


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
daviddtran Fri, 02/16/2007 - 16:57

fwsm 3.1(3) and 7.x is behaved this way by

default. By default, "no nat-control" is

enabled, unless you decide to disable it with


Remember, the FWSM is operating in "routed"

in your configuration. Because you are NOT

doing any static NAT, traffics are controlled

by your ACL which they are.


CCIE Security

KENT EITZMANN Fri, 02/16/2007 - 19:48


Thanks for the reply. So, if I'm not using address translation and follow these steps with the FWSM I will be Ok ?

- no nat-control

- no nat0 statements

- no static statements

- control packet flow with access lists


This Discussion