I'm hoping someone can clarify a difference that I'm seeing between the PIX 6.x and FWSM 3.x.
Assume a 3 interface firewall (outside,inside,dmz) with no address translation going on at all. The inside has the highest security level, the dmz is lower, and the outside is 0. With 6.x, to allow connections from lower to higher interfaces I would configure a static and use an access list to permit the desired traffic (along with a nat 0 statement for the inside and dmz).
Now assume a FWSM running 3.1.3 (routed context) using the same configuration as above. I understand that NAT statements in this case are no longer needed. It would also appear that I no longer need a static either, and connections between security levels (even lower to higher) seem to be solely controlled by access lists. I'm attaching the config of a FWSM context that I used for testing.
In this test config I purposely set the security level of the Inside to be lower then the DMZ, unless I modify the inside_in access-list to prevent it, the FWSM happily allows connections from lower to higher.
I'm confused that the security levels don't seem to be preventing traffic by default. If someone could confirm if this is proper behavior for the FWSM that would be great.