FWSM security levels concept

Jan 30th, 2008

Hi all,


I have 5 different VLANs created on the FWSM each one with different security levels. I have version 3.7 in single context mode and NAT disabled.


For traffic flowing from one interface with a security level of 100 (called inside) to another with a security level of 20 (called WEB), I need to create an access-list and apply it inbound on the inside interface to permit traffic to the WEB interface, but I don't need to create an access-list on the WEB interface in order to permit the return traffic. Is this correct?


If I want some host on the WEB interface to have access to an inside host, do I need to create an access-list and apply it inbound on the WEB interface, and do I also need to create an access-list on the inside interface in order to permit the return traffic? I am confused by the concept of security levels because I cannot see any advantage in defining different security levels.


Regards


Correct Answer by Jon Marshall, Wed, 01/30/2008 - 23:38

Vicente


With a stateful firewall you do not need access-lists to allow the return traffic as that is what stateful firewalls do. So in your case


Inside -> Web - you only need access-list on inside interface


Web -> Inside - you only need access-list on WEB interface.


Note in the above 2 examples we are talking about where the connection is initiated from and not referring to return traffic.


On standalone PIX/ASA devices traffic is allowed from a higher to a lower security interface without an access-list. Only the FWSM requires an access-list no matter what the security level. I admit this can be a bit confusing.


HTH


Jon
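To make the answer concrete, here is an FWSM 3.x single-context configuration that applies exactly what Jon describes. It is an added example, not configuration from the original thread; the VLAN numbers, interface names, addresses and ports are assumptions, and `no nat-control` is used to match the "NAT disabled" setup in the question.

```text
! Added example (not from the original post). VLANs, names, addresses and
! ports below are assumed for illustration.
! NAT disabled, as in the question (assumption: this is how it was done).
no nat-control
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan20
 nameif WEB
 security-level 20
 ip address 10.2.2.1 255.255.255.0
!
! inside -> WEB. On the FWSM this ACL is required even though inside (100)
! is the higher security level; on a PIX/ASA it would be implicit.
! Only the initiating direction is listed: the replies of these TCP sessions
! are matched against the connection (state) table, not against an ACL on WEB.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 80
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 443
access-group INSIDE_IN in interface inside
!
! WEB -> inside. One WEB host may initiate to one inside host on one port.
! Again no entry is needed on the inside interface for the return traffic.
access-list WEB_IN extended permit tcp host 10.2.2.10 host 10.1.1.50 eq 1433
access-group WEB_IN in interface WEB
```

To confirm the behaviour, open a session from an inside host to a WEB host and check `show conn`: the connection appears in the state table, and `show access-list INSIDE_IN` shows the hit count rising on the matching line while `WEB_IN` stays untouched, which is the return traffic being accepted by state rather than by an ACL.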


vicente.madrigal Fri, 02/01/2008 - 08:11

Thanks Jon,


I was confused because on a regular ASA you don't need to configure the access-list from a higher to a lower security interface, and on the FWSM you do need to apply an inbound access-list on the interface no matter the security level.


It looks to me that the concept of security level for the FWSM is not useful at all.


Regards!


