ACL issue

Unanswered Question
Mar 25th, 2009

I'm attempting to provide access from one FWSM to another, using VLANs and ACLs. The purpose is to allow a set of servers behind one firewall to use DNS appliances behind another firewall. Here is some basic config info:



FIREWALL A&B VLAN 3 - Transit VLAN between 2 FWSM

ACL is open to VLAN 1, allowing port 53 TCP/UDP connections from all hosts in the subnet.

ACL is open to VLAN 3, allowing the traffic through the interface at FW-B.

I am able to observe the traffic (through captures) up through VLAN 3. Once I start capturing on FW-B VLAN 2, I see nothing. No traffic at all...

Any thoughts off hand? something I've missed?

Jon Marshall Wed, 03/25/2009 - 14:14


Could be a number of things. Also, regarding the transit VLAN: are you using contexts on the FWSMs? If not, a quick schematic of the layout would be useful.

You haven't mentioned what the acl for vlan 2 is and also you haven't mentioned anything about NAT.


Bruce Summers Wed, 03/25/2009 - 14:20

Hi Jon,

We are using static statements for advertising the networks, and we are using contexts on the FWSMs.

The interface at the transit VLAN 3 and the interface on VLAN 2 are the same security level, and I'm thinking I don't need an ACL at that point. Is that thinking correct?


Jon Marshall Wed, 03/25/2009 - 14:29


Yes, traffic will flow between interfaces with the same security level as long as you have added this to the config:

same-security-traffic permit inter-interface

However this is only relevant per context. I'm still not clear whether this setup is utilising one or more contexts ?

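As an added illustration of the per-context command Jon describes (this is example configuration written for this page, not config from the original posters), here is what the FW-B context that owns the transit VLAN 3 and the DNS VLAN 2 could look like, with both interfaces at the same security level. All interface names, addresses and ACL names are assumptions, including the DNS appliance at 10.2.0.10 and the server subnet 10.1.0.0/24 behind FW-A; the FWSM has no implicit permit, so an access-group is still applied on the ingress (transit) interface even though the security levels are equal.

```text
! FW-B, inside the context that owns VLAN 2 and VLAN 3 (names/addresses assumed)
! VLAN 3 = transit VLAN towards FW-A, VLAN 2 = DNS appliances; both at security-level 50
interface Vlan3
 nameif transit
 security-level 50
 ip address 10.3.0.2 255.255.255.0
!
interface Vlan2
 nameif dns
 security-level 50
 ip address 10.2.0.1 255.255.255.0
!
! Without this line the FWSM drops traffic between two same-security interfaces,
! regardless of what the ACLs permit. It is configured per context.
same-security-traffic permit inter-interface
!
! Route back towards the servers behind FW-A via the transit VLAN
! (FW-A's transit-side address 10.3.0.1 is assumed)
route transit 10.1.0.0 255.255.255.0 10.3.0.1 1
!
! The FWSM has no implicit permit: the ingress interface needs an access-group
! for the DNS queries even though the security levels are equal.
access-list TRANSIT_IN extended permit udp 10.1.0.0 255.255.255.0 host 10.2.0.10 eq domain
access-list TRANSIT_IN extended permit tcp 10.1.0.0 255.255.255.0 host 10.2.0.10 eq domain
access-group TRANSIT_IN in interface transit
!
! Identity static so the appliance is reachable from the transit side under its real address
static (dns,transit) 10.2.0.10 10.2.0.10 netmask 255.255.255.255
!
! Verification: ACL hit counts, the connection table, and a capture on the DNS side
show access-list TRANSIT_IN
show conn | include 10.2.0.10
access-list CAP_DNS extended permit udp any host 10.2.0.10 eq domain
capture DNSCAP access-list CAP_DNS interface dns
show capture DNSCAP
```

Because the FWSM is stateful, the DNS replies for a permitted query are matched by the connection table rather than by an ACL on the dns interface; an access-group there only governs connections that the appliances themselves originate. The hit counts from `show access-list` tell you whether the queries are reaching the transit-side ACL at all before you look for them in the capture on the dns interface.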

Bruce Summers Wed, 03/25/2009 - 15:07

Hi Jon,

Yes, 2 contexts. I'm sorry. FW-B (DNS appliances) uses a default context and FW-A (servers) uses a configured context (not default).

The same-security-traffic config you refer to is not set up on FW-B. However,

there is another group of servers that reside on FW-B, in VLAN 4, that ARE able to access the DNS appliances in VLAN 2, AND the interface VLAN 4 is a lower security level than VLAN 2. That is what is confusing me about this issue.

The only ACL applied to VLAN 2's interface allows return traffic from the DNS appliances to any "querying" server, defined below (the destination is written out so each line is complete FWSM ACL syntax):

access-list VLAN2 remark return traffic from the DNS appliances (source port 53) to any querying server
access-list VLAN2 extended permit udp any eq domain any
access-list VLAN2 extended permit tcp any eq domain any
access-list VLAN2 extended permit icmp any any

