12-24-2009 01:44 AM - edited 03-11-2019 09:51 AM
Hi,
I have two vlans defined on the FWSM, APP and DB. For the APP vlan the security level is 60;
for DB it is 100.
I wanted to allow multicast from APP to DB and vice versa. The necessary NAT statements
and ACLs are updated and connectivity is working from DB to APP vlan.
However though ACL and NAT statements are in place for APP -> DB communication, I had to lower
security level of the DB vlan to 60 to make it work. As soon as I lowered the security level
it started working.
Is there a way to make it work without lowering the security level?
Thanks,
Kris
12-24-2009 02:54 AM
Can you post the NAT statements used?
Jon
12-24-2009 02:58 AM
er-db-zone = DB vlan
er-dmz-int = APP vlan
static (er-db-zone,er-dmz-int) 10.1.149.0 10.1.149.0 netmask 255.255.255.0
static (er-dmz-int,er-db-zone) 10.1.151.0 10.1.151.0 netmask 255.255.255.0
12-24-2009 03:36 AM
krishnadas.R wrote:
er-db-zone = DB vlan
er-dmz-int = APP vlan
static (er-db-zone,er-dmz-int) 10.1.149.0 10.1.149.0 netmask 255.255.255.0
static (er-dmz-int,er-db-zone) 10.1.151.0 10.1.151.0 netmask 255.255.255.0
Kris
They look fine to me. I was wanting to check in case you had tried to use dynamic NAT each way, in which case it would work DB -> APP but not APP -> DB.
If you have got these and you have allowed the traffic with an ACL then there is no reason why it should not work. I have not come across the issue you are facing, and certainly PIX/ASA firewalls follow the rule that from a lower to higher security interface traffic is allowed with an ACL and NAT.
Perhaps there is something else in the config?
Jon
12-24-2009 04:41 AM
Hi Jon,
I was getting this error continuously in the FWSM logs:
Dec 23 2009 12:41:18: %FWSM-3-106010: Deny inbound udp src er-dmz-int:10.1.151.5/60812 dst er-db-zone:228.10.10.10/45566
Dec 23 2009 12:41:18: %FWSM-3-106010: Deny inbound udp src er-dmz-int:10.1.151.5/60812 dst er-db-zone:228.10.10.10/45566
Dec 23 2009 12:41:18: %FWSM-3-106010: Deny inbound udp src er-dmz-int:10.1.151.5/60812 dst er-db-zone:228.10.10.10/45566
Dec 23 2009 12:41:18: %FWSM-3-106010: Deny inbound udp src er-dmz-int:10.1.151.5/60812 dst er-db-zone:228.10.10.10/45566
As per cisco doc, http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/system/message/fsmemsgs.html
%FWSM-3-106010 --> "This is a connection-related message. This message is logged if an inbound connection
is denied by your security policy"
There is a specific permit line in the ACL that allows traffic to 228.10.10.10 from 10.1.151.0, and I saw hits
as well on those lines. I cleared the xlate for source and destination, removed and re-applied the ACL
lines with no luck until I lowered the security level.
But the fact is that there are many other vlans working in similar fashion in this FWSM; only this
couple of interfaces had issues. The traffic is multicast, but does that make a difference when
connectivity is working one-way?
Thanks
Kris
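Added example, not part of the thread: a small Python triage script that parses %FWSM-3-106010 deny lines like the ones quoted above, flags denies whose destination is a multicast group and whose direction is from a lower to a higher security interface (the APP -> DB case described here), and collapses repeated identical denies into counts. The interface security levels (APP 60, DB 100) are taken from the thread; the extra TCP sample line is constructed.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample, modelled on the 106010 denies quoted in the thread
# (the last line is an invented unicast deny for contrast).
SAMPLE_LOG = """\
Dec 23 2009 12:41:18: %FWSM-3-106010: Deny inbound udp src er-dmz-int:10.1.151.5/60812 dst er-db-zone:228.10.10.10/45566
Dec 23 2009 12:41:18: %FWSM-3-106010: Deny inbound udp src er-dmz-int:10.1.151.5/60812 dst er-db-zone:228.10.10.10/45566
Dec 23 2009 12:41:19: %FWSM-3-106010: Deny inbound tcp src er-dmz-int:10.1.151.7/51000 dst er-db-zone:10.1.149.20/1521
"""

# Assumed interface security levels, as stated in the thread (APP=60, DB=100).
SEC_LEVEL = {"er-dmz-int": 60, "er-db-zone": 100}

LINE_RE = re.compile(
    r"%FWSM-3-106010: Deny inbound (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_denies(text):
    """Return one record per 106010 line, tagging multicast destinations
    and denies that travel from a lower to a higher security interface."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a 106010 deny, skip
        rec = m.groupdict()
        rec["multicast"] = ipaddress.ip_address(rec["dst"]).is_multicast
        rec["low_to_high"] = (SEC_LEVEL.get(rec["src_if"], 0)
                              < SEC_LEVEL.get(rec["dst_if"], 0))
        records.append(rec)
    return records


def summarize(records):
    """Count denies per (src_if, dst_if, proto, dst, multicast) so a flow
    logged many times per second shows up as one row with a count."""
    return dict(Counter(
        (r["src_if"], r["dst_if"], r["proto"], r["dst"], r["multicast"])
        for r in records))


if __name__ == "__main__":
    for flow, n in summarize(parse_denies(SAMPLE_LOG)).items():
        print(n, "x", flow)
```

Multicast rows that are also low-to-high point at the NAT/multicast handling discussed in this thread rather than at a missing ACL permit.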
12-24-2009 05:32 AM
Kris
What version of FWSM software are you running?
Have you set up multicast routing on the FWSM?
Jon
12-24-2009 10:06 AM
You need the following.
nat (er-db-zone) 0 access-list blah
access-l blah permit ip host 228.10.10.10 any
or
access-l blah permit ip host 228.10.10.10 host 10.1.1.51
Let us know how it goes.
-KS
12-26-2009 09:52 PM
Ks,
I am waiting for the client to be available to do the test; I shall let you
know the results.
Thanks
Kris
12-26-2009 09:51 PM
Jon,
FWSM is running code 3.1(4).
Multicast routing is setup on the FWSM.
Kris