Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
422
Views
0
Helpful
2
Replies

FWSM network design

cef2lion2
Level 1
Level 1

‎06-15-2009 12:12 PM - edited ‎03-11-2019 08:43 AM

Testing a FWSM in single context mode. The MSFC is located inside. There are two interfaces. One labeled outside security level 0. Inside interface security level 100.

All PC on the inside interface should be permitted outside access. I added an incoming rule to inside interface permitting all to all. Without that inside users could not access the internet.

I added incoming rules to the outside interface for devices that should be permitted to access devices on the inside interface. That is the way it is setup on our current PIX.

What is bothering me is I don't see any hits on the incoming rules on the outside interface. Do I have the rules on the wrong interface? Should I have outgoing rules as well?

Labels:
0 Helpful
2 Replies 2

johnnylingo
Level 5
Level 5

‎06-17-2009 11:25 AM

Have you verified the ACL is applied to the interface? It should be:

access-group ACL_NAME in interface INTERFACE_NAME

One thing that has gotten me a few times is if you remove the lines from and ACL, it will remove the ACL from the applied interface and you have to re-add it.

0 Helpful

cef2lion2
Level 1
Level 1
In response to johnnylingo

‎06-17-2009 11:54 AM

I use the GUI for the ACL create. It show it is applied. I have looked at the CLI to verify. I have the ACLs as incoming rules on the outside interface. The ACL appear to be working but the hit counters are not changing. The hit counter is working on the inside interface for its incoming rules.

Still adjusting the FWSM from the PIX where I just had a outside and inside interface. I have that with the FWSM module but need to expand that with a DMZ once I get the hang of a inside and outside interface.

In the 4.0 config manual it states. 'To allow any

traffic to enter the FWSM, you must attach an inbound access list to an interface; otherwise, the FWSM

automatically drops all traffic that enters that interface. By default, traffic can exit the FWSM on any

interface unless you restrict it using an outbound access.

What confused me was the PIX had an implicit rule that permits all traffic to less secure networks for the inside interface. For the FWSM you have to add such a rule. I was tripped up for awhile when a PC on the inside interface couldn't access the Internet off the outside interface till I added such a rule.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card