FWSM config issue

Unanswered Question
May 31st, 2009
User Badges:

I'm trying toget a FWSM working on a 6513 chassis running IOS. The FWSM is running 4.0(5). I'm using the MSFC behind the FWSM model. I created a SVI and presented it to the firewall as the inside interface. I created a VLAN on the 6513 and presented it to the FWSM as the outside interface. I defined it IP address in the FWSM interface. I created a default route on the FWSM pointing to the Internet address on the outside of the FWSM outside interface. I have route statements to the inside for all internal subnets.


I can telnet to the FWSM inside address from the 6513 LAN. No inside users can access the network/Internet on the outside of the FWSM. We are not using NAT. All internal devices can access other internal devices.


The inside interface is security level of 100. The outside interface is security level of 0.


The FWSM is replacing an external PIX525 currently in use. During off hours I disconnect the PIX and give the PIX inside and outside addresses to the FWSM. I can't see what I might be missing? While I telnet into the FWSM I can ping the IP just outside the outside interface. I know the FWSM can see outside but the users can't. I have an interface on the 6513 in the VLAN of the outside interface and that is where I connect external to our network. I cleared arp while testing.


I noticed our PIX has an implicit rule for the inside interface. It permits all traffic to a less secure network such as our outside interface. That implicit rule on the inside interface is missing in the FWSM. I think the PIX added that rule by default and it looks like the FWSM doesn't. Maybe that is where my issue is.


Craig

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
cef2lion2 Sun, 05/31/2009 - 10:52
User Badges:

I added a rule to allow inside users to access the outside interface and things started working. I was tripped up by the PIX doing that for you.


Craig

Kureli Sankar Mon, 06/01/2009 - 03:55
User Badges:
  • Cisco Employee,

By default the PIX/ASA platform will allow traffic from the higher security to lower security interface with out an acl applied on the higher security interface.


This is diff. in case of the FWSM. Irrespective of the security level on the individual interface, you need to allow the flow via access-list.



cef2lion2 Mon, 06/01/2009 - 05:38
User Badges:

Given so. Is the security level on an interface of the FWSM of any more value then a label for the Interface?

Farrukh Haroon Mon, 06/01/2009 - 05:54
User Badges:
  • Red, 2250 points or more

There are two pieces of the puzzle. Interface ACLs and NAT. If you are using no nat-control, then using the security level does not make a real difference. However if you have nat-control, then the security levels can give you same benefits like a PIX/ASA.


Regards


Farrukh

Kureli Sankar Mon, 06/01/2009 - 06:23
User Badges:
  • Cisco Employee,

FWSM platform.

With nat-control

with inside 100 level security

with outside 0 level security


You must allow inside to outside flow via an acl applied on the inside interface. Otherwise traffic will not flow from inside to outside.



cef2lion2 Mon, 06/01/2009 - 06:33
User Badges:

Coming from the PIX I didn't give the inside to outside acl any thought. I had gone over my config time and time and compare to the documentation. When tested and it didn't work I was at a loss as to what to try. Then after starting this post I saw the issue. I found reference in the documentation about it but it didn't really stand out. It would have saved me hours of testing and backing out. Its working now and I can move ahead.

Kureli Sankar Mon, 06/01/2009 - 06:07
User Badges:
  • Cisco Employee,


It sure does in case of same-security level.


When the interfaces are created on the firewall they are assigned a PIF

value. You can determine an interfaces PIF with the command "show np 3

pif vlan vlan#"



This is the value, that the firewall uses to decide which interface is the "inside" where the xlate was built.


An xlate will be built for the interface with the lower PIF value.





Actions

This Discussion