6500 FWSM security level problem

Unanswered Question
Mar 1st, 2007


I am facing an issue with a new 6500 router (IOS version 12.2 ) having a FWSM module. (FWSM Version 2.3(3)) which is like this:-

I have three Vlans INSIDE, OUTSIDE and DMZ with security levels 100, 0 and 50 respectively.I have created appropriate access control lists for pinging between Vlans ( INSIDE to DMZ ). But the hosts cannot ping.

However when i give the SAME security level to ALL VLANs ( INSIDE, OUTSIDE and DMZ) and give the command "

same-security-traffic permit inter-interface " , it works fine.

I am totally at a loss to understand this. This might be a workaround but , i guess the ideal situation is to give different sec levels to vlans and then control access.

Could some please advice on this issue.

Thanks & regards


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jon Marshall Thu, 03/01/2007 - 10:05

Hi Sonu

Couple of things to check.

1) Did you setup NAT from inside to DMZ ?

2) Did you create an access-list for both the DMZ interface and the inside interface.

Ping is not stateful so you need to let it back in from the DMZ.

BUT, unlike a standalone pix where traffic is allowed to flow by default from a higher to lower level security interface ie inside to DMZ in your case, this rule does not apply on the FWSM. You will still need an access-list on the inside interface.




This Discussion