6500 FWSM security level problem

Sonugnair_2
Level 1

Hi,

I am facing an issue with a new 6500 router (IOS version 12.2) with an FWSM module (FWSM version 2.3(3)), which is as follows:

I have three VLANs, INSIDE, OUTSIDE and DMZ, with security levels 100, 0 and 50 respectively. I have created appropriate access control lists for pinging between VLANs (INSIDE to DMZ), but the hosts cannot ping.

However, when I give the SAME security level to ALL VLANs (INSIDE, OUTSIDE and DMZ) and give the command "same-security-traffic permit inter-interface", it works fine.

I am totally at a loss to understand this. This might be a workaround, but I guess the ideal situation is to give different security levels to the VLANs and then control access.

Could someone please advise on this issue.

Thanks & regards

Sonu


Jon Marshall
Hall of Fame

Hi Sonu

A couple of things to check.

1) Did you set up NAT from inside to DMZ?

2) Did you create an access-list for both the DMZ interface and the inside interface?

Ping is not stateful so you need to let it back in from the DMZ.

BUT, unlike a standalone PIX, where traffic is allowed to flow by default from a higher to a lower security level interface (i.e. inside to DMZ in your case), this rule does not apply on the FWSM. You will still need an access-list on the inside interface.

HTH

Jon
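As an added illustration of the three points in the reply above (not configuration from the original thread), here is a PIX 6.x-style FWSM fragment covering the NAT, the inside ACL and the return ACL on the DMZ. The VLAN ids, addresses and ACL names are assumed, and the exact keyword syntax varies between FWSM releases, so check it against the command reference for your version.

```cisco
! Interfaces and security levels (VLAN ids and addresses are assumed values)
nameif vlan10 inside security100
nameif vlan20 dmz security50
nameif vlan30 outside security0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0

! 1) NAT from inside to DMZ: an identity static so 10.1.1.0/24 can reach
!    the DMZ without being translated
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! 2) Unlike a PIX, the FWSM does not pass high-to-low traffic by default,
!    so the inside interface needs an ACL that lets the echo requests out
!    (scoped to the DMZ subnet and to echo only, not "icmp any any")
access-list INSIDE_IN permit icmp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 echo
access-group INSIDE_IN in interface inside

! 3) Ping is not stateful here, so the reply must be explicitly allowed back
!    in on the DMZ interface; permitting only echo-reply keeps the DMZ->inside
!    exposure to the minimum the test needs
access-list DMZ_IN permit icmp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 echo-reply
access-group DMZ_IN in interface dmz
```

With the interfaces at different security levels, this keeps the intended model from the question: access is controlled per interface by ACL rather than by flattening every VLAN to the same level.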
