FWSM rules - are they statefull?

Unanswered Question
Jul 30th, 2008

I have two segments in 6500 FWSM module in routed mode, Vlan A and Vlan B with same security level of 70. I want to allow IP traffic from A to B and Vice versa.

a. I have "same-security-traffic permit inter-interface" in config. DO I still have to use ACL to permit traffic between these VLANs? Does it not allow traffic to pass between interfaces with same security level ?

b. In case if I have to use ACL,and If I have an ACL which permits traffic from VLAN A to VLAN B, Do I have to have a reverse ACL rules as well ? ( If it is a statefull firewall, this should not be the case I guess.)


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Marwan ALshawi Wed, 07/30/2008 - 20:31

interesting question

with FWSM the traffic come blocked by defauld regardless the configured level of security on the interface

so from inside to out side you have to put and ACL such as prmit ip any any and aplly it to the inside interface on the inbound direction

the same with your case

if you make ACL from one direction the returing traffic will be permited automaticly

please Rate if helpful

Syed Iftekhar Ahmed Wed, 07/30/2008 - 20:37


"same-security-traffic permit inter-interface"

You do not need to use ACL.

In fact 2 interfaces at same security level, with 'same-security permit

inter-interface' don't even require any NAT in order to communicate

If you enable NAT on one of the 2 interfaces, then the traffic has to match the NAT rule you have inserted. All other traffic won't go



Marwan ALshawi Wed, 07/30/2008 - 20:51

hi syed

but as i know with FWSM the traffic denied by default and should be enabled by an ACL ??

do u have idea about that ?

mherald Wed, 07/30/2008 - 21:40

The FWSM is definately a statefull firewall. If a packet is allowed out, a hole or way back is opened back through which leads me to believe you may need an ACL to allow the traffic.

The return traffic is taken care of by the statefull firewall.

A) Not sure specifically, if something isn't working, try making the ACL. The FWSM is different from the other firewalls as by default traffic is NOT allowed from higher security level interfaces to lower interfaces, you must make an ACL.

B) The return traffic is taken care of by the statefull firewall. Depending on your test and version of software, you may need to use a fixup protocol or inspect rule to get various traffic through the FWSM.


Marwan ALshawi Wed, 07/30/2008 - 21:44

then i was right when i said there must be an ACL to pemrmit traffic in FWSM because by defaul it is not permited..

Farrukh Haroon Wed, 07/30/2008 - 23:42

This is where the FWSM is different from the ASA/PIX. You need to have an ACL applied in the incoming direction on the inteface to make traffic flow. On PIX/ASA higher>>lower and inter-interface communication does not require an ACL by default.

I dont know now, but these two products used to be developed by two different business units within Cisco. So they have some differences because of this and other design issues.



Marwan ALshawi Thu, 07/31/2008 - 00:30

then i was helpful to NALAKA

regarding my first post which answered the questions accuratly

please, rate if helful

and thank you guys for this nice discussion

nkariyawasam Thu, 07/31/2008 - 09:16

I had a chance to ptractically test the scenario. I have found out that you need ACL to pass the traffic. I cannot find what "same-security-traffic permit inter-interface" command does in the FWSM config.

Thanks for all for helpfull ideas !

Farrukh Haroon Thu, 07/31/2008 - 11:10

The command permits traffic between interfaces that are at the same security level.



Marwan ALshawi Thu, 07/31/2008 - 16:42

but with FWSM regardless of this command u need pemrmit ACL to allow traffic to pass!!

so no benifit like ASA

Farrukh Haroon Thu, 07/31/2008 - 18:07

Well this was a design shift from old code. Otherwise you would be stuck with only 100 vlan interfaces (there can be only 100 security levels). This was one motivation to allow same-security 'inter' interface traffic. This is particularly true for MSSP setups etc.




This Discussion