Query - FWSM Security Levels

Unanswered Question
Dec 24th, 2009


Hi,

I have two VLANs defined on the FWSM, APP and DB. For the APP VLAN, the security level is 60;
for DB it is 100.

I wanted to allow multicast from APP to DB and vice versa. The necessary NAT statement
and ACLs are updated and connectivity is working from DB to APP VLAN.

However, though ACL and NAT statements are in place for APP -> DB communication, I had to lower
the security level of the DB VLAN to 60 to make it work. As soon as I lowered the security level
it started working.

Is there a way to make it work without lowering the security level?

Thanks,
Kris

krishnadas.R_2 Thu, 12/24/2009 - 02:58

er-db-zone = DB VLAN
er-dmz-int = APP VLAN

static (er-db-zone,er-dmz-int) 10.1.149.0 10.1.149.0 netmask 255.255.255.0
static (er-dmz-int,er-db-zone) 10.1.151.0 10.1.151.0 netmask 255.255.255.0

Jon Marshall Thu, 12/24/2009 - 03:36

krishnadas.R wrote:

er-db-zone = DB VLAN
er-dmz-int = APP VLAN

static (er-db-zone,er-dmz-int) 10.1.149.0 10.1.149.0 netmask 255.255.255.0
static (er-dmz-int,er-db-zone) 10.1.151.0 10.1.151.0 netmask 255.255.255.0

Kris

They look fine to me. I was wanting to check in case you had tried to use dynamic NAT each way in which case it would work DB -> APP but not APP -> DB.

If you have got these and you have allowed the traffic with an ACL then there is no reason why it should not work. I have not come across the issue you are facing, and certainly PIX/ASA firewalls follow the rule that from a lower to higher security interface traffic is allowed with an ACL and NAT.

Perhaps there is something else in the config?

Jon

krishnadas.R_2 Thu, 12/24/2009 - 04:41

Hi Jon,

I was getting this error continuously in the FWSM logs:

Dec 23 2009 12:41:18: %FWSM-3-106010: Deny inbound udp src er-dmz-int:10.1.151.5/60812 dst er-db-zone:228.10.10.10/45566
Dec 23 2009 12:41:18: %FWSM-3-106010: Deny inbound udp src er-dmz-int:10.1.151.5/60812 dst er-db-zone:228.10.10.10/45566
Dec 23 2009 12:41:18: %FWSM-3-106010: Deny inbound udp src er-dmz-int:10.1.151.5/60812 dst er-db-zone:228.10.10.10/45566
Dec 23 2009 12:41:18: %FWSM-3-106010: Deny inbound udp src er-dmz-int:10.1.151.5/60812 dst er-db-zone:228.10.10.10/45566

As per the Cisco doc, http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/system/message/fsmemsgs.html

%FWSM-3-106010 --> "This is a connection-related message. This message is logged if an inbound connection is denied by your security policy"

There is a specific permit line in the ACL that allows traffic to 228.10.10.10 from 10.1.151.0 and I saw hits as well on those lines. I cleared the xlate for source and destination, removed and re-applied the ACL lines with no luck until I lowered the security level.

But the fact is that there are many other VLANs working in similar fashion in this FWSM; only this couple of interfaces had issues. The traffic is multicast, but does that make a difference when connectivity is working one-way?

Thanks

Kris
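The %FWSM-3-106010 lines above are the evidence to keep an eye on while troubleshooting. The following is an added example (not from the thread or from Cisco) that parses those deny messages, flags multicast destinations, and marks denies that cross from a lower to a higher security level, using the interface names and levels given in the thread (er-dmz-int = 60, er-db-zone = 100). The log lines are constructed from the format quoted above; the extra TCP line and the host 10.1.149.20 are made up.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample log, modelled on the FWSM syslog lines quoted in the thread.
SAMPLE_LOG = """\
Dec 23 2009 12:41:18: %FWSM-3-106010: Deny inbound udp src er-dmz-int:10.1.151.5/60812 dst er-db-zone:228.10.10.10/45566
Dec 23 2009 12:41:18: %FWSM-3-106010: Deny inbound udp src er-dmz-int:10.1.151.5/60812 dst er-db-zone:228.10.10.10/45566
Dec 23 2009 12:41:19: %FWSM-3-106010: Deny inbound tcp src er-dmz-int:10.1.151.7/4321 dst er-db-zone:10.1.149.20/1521
"""

# Security levels as stated in the question (APP = er-dmz-int = 60, DB = er-db-zone = 100).
SECURITY_LEVELS = {"er-dmz-int": 60, "er-db-zone": 100}

LINE_RE = re.compile(
    r"%FWSM-3-106010: Deny inbound (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_deny(line, levels=SECURITY_LEVELS):
    """Parse one %FWSM-3-106010 line; return a dict or None if it is another message."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Multicast groups (224.0.0.0/4) need a NAT exemption/identity plus an ACL, as the
    # thread discusses; flag them so they stand out from ordinary unicast denies.
    rec["multicast"] = ipaddress.ip_address(rec["dst_ip"]).is_multicast
    # A deny from a lower- to a higher-security interface means the ACL/NAT pair for
    # that direction is missing or not matching; None if an interface level is unknown.
    src_lvl, dst_lvl = levels.get(rec["src_if"]), levels.get(rec["dst_if"])
    rec["low_to_high"] = None if None in (src_lvl, dst_lvl) else src_lvl < dst_lvl
    return rec


def summarize(log_text, levels=SECURITY_LEVELS):
    """Count denies per (src_if, dst_if, dst_ip, multicast, low_to_high)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_deny(line, levels)
        if rec:
            counts[(rec["src_if"], rec["dst_if"], rec["dst_ip"],
                    rec["multicast"], rec["low_to_high"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key)
```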

Jon Marshall Thu, 12/24/2009 - 05:32

Kris

What version of FWSM software are you running?

Have you set up multicast routing on the FWSM?

Jon

Kureli Sankar Thu, 12/24/2009 - 10:06

You need the following.

nat (er-db-zone) 0 access-list blah

access-l blah permit ip host 228.10.10.10 any

or

access-l blah permit ip host 228.10.10.10 host 10.1.1.51

Let us know how it goes.

-KS

krishnadas.R_2 Sat, 12/26/2009 - 21:52

Ks,

I am waiting for the client to be available to do the test; I shall let you know the results.

Thanks

Kris
