03-25-2009 02:09 PM - edited 03-11-2019 08:10 AM
I'm attempting to provide access from one FWSM to another, using VLANs and ACLs. The purpose is to allow a set of servers behind one firewall to use DNS appliances behind another firewall. Here is some basic config info:
FIREWALL A = VLAN 1 - Host VLAN
FIREWALL B = VLAN 2 - DNS Appliance VLAN
FIREWALL A&B = VLAN 3 - Transit VLAN between the 2 FWSMs
ACL is open to VLAN 1, allowing port 53 TCP/UDP connections from all hosts in the subnet.
ACL is open to VLAN 3, allowing the traffic through the interface at FW-B.
I am able to observe the traffic (through captures) up through VLAN 3. Once I start capturing on FW-B VLAN 2, I see nothing. No traffic at all...
Any thoughts off hand? Something I've missed?
03-25-2009 02:14 PM
Bruce
Could be a number of things. Also the transit VLAN - are you using contexts on the FWSMs? If not, a quick schematic of the layout would be useful.
You haven't mentioned what the ACL for VLAN 2 is, and also you haven't mentioned anything about NAT.
Jon
03-25-2009 02:20 PM
Hi Jon,
We are using static statements for advertising the networks...we are using contexts on the FWSMs.
The interface at the transit VLAN 3 and the interface on VLAN 2 are the same security level, and I'm thinking I don't need an ACL at that point. Is that thinking correct?
Bruce
03-25-2009 02:29 PM
Bruce
Yes, traffic will flow between interfaces with the same security level as long as you have added this to the config -
same-security-traffic permit inter-interface
However, this is only relevant per context. I'm still not clear whether this setup is utilising one or more contexts?
Jon
03-25-2009 03:07 PM
Hi Jon,
Yes, 2 contexts...I'm sorry...FW-B (DNS Appliances) uses the default context and FW-A (servers) uses a configured context (not default).
The same-security-traffic config you refer to is not set up on FW-B. However, there is another group of servers that reside on FW-B, in VLAN 4, that ARE able to access the DNS appliances in VLAN 2...AND the interface VLAN 4 is a lower security level than VLAN 2...That is what is confusing me about this issue...
The only ACL that is applied to VLAN 2's interface allows return traffic from the DNS appliances to any "querying" server...defined below...
access-list VLAN2 extended permit udp
access-list VLAN2 extended permit tcp
access-list VLAN2 extended permit icmp
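The interface rules Jon describes, as an added illustration that is not part of any post in this thread: a small Python model of the per-context checks (same security level needs the same-security-traffic command, otherwise the inbound ACL decides), run against the FW-B interfaces Bruce lists. The numeric security levels, the ACL contents and the FWSM default-deny behaviour without an inbound ACL are assumptions made here for the example.

```python
# Added example (not from the thread): model of FWSM per-context interface checks.
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    security_level: int
    acl_applied: bool = False                      # an access-group is bound inbound here
    acl_permits: set = field(default_factory=set)  # egress interfaces its ACL permits


@dataclass
class Context:
    interfaces: dict
    same_security_inter_interface: bool = False  # "same-security-traffic permit inter-interface"


def evaluate_flow(ctx: Context, src: str, dst: str):
    """Return (allowed, reason) for a new connection entering on src and leaving on dst."""
    a, b = ctx.interfaces[src], ctx.interfaces[dst]
    if a.security_level == b.security_level and not ctx.same_security_inter_interface:
        return False, "same security level, but same-security-traffic permit inter-interface is missing"
    if a.acl_applied:
        if dst in a.acl_permits:
            return True, f"inbound ACL on {src} permits the flow"
        return False, f"inbound ACL on {src} does not permit the flow"
    if a.security_level == b.security_level:
        # Assumption: with the command enabled and no inbound ACL, same-level traffic passes.
        return True, "same-security-traffic permits the flow without an ACL"
    # Assumption (FWSM, unlike ASA): with no inbound ACL, traffic is denied in either direction.
    return False, f"no inbound ACL on {src}; FWSM denies traffic by default"


def fw_b(same_security: bool, vlan3_acl: bool) -> Context:
    """FW-B default context as described in the thread; security levels are constructed."""
    return Context(
        interfaces={
            "VLAN2": Interface("VLAN2", 50, True, {"VLAN3", "VLAN4"}),  # DNS appliances, return-traffic ACL
            "VLAN3": Interface("VLAN3", 50, vlan3_acl, {"VLAN2"}),       # transit, same level as VLAN2
            "VLAN4": Interface("VLAN4", 40, True, {"VLAN2"}),            # lower level, ACL permits DNS
        },
        same_security_inter_interface=same_security,
    )


if __name__ == "__main__":
    for label, ctx in (("as configured", fw_b(False, True)), ("with command", fw_b(True, True))):
        for src in ("VLAN3", "VLAN4"):
            print(label, src, "-> VLAN2:", evaluate_flow(ctx, src, "VLAN2"))
```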