Hi All, I wonder if anyone could clarify this for me, please?

We have a FWSM with interfaces Inside (sec level = 100), Outside (sec level = 0) and numerous DMZs (various sec levels between 30 and 90). nat-control is disabled. The FWSM is version 4.0(8).

We have recently noticed that packets from private IP addresses (192.168.x.x) are getting from the Inside and the DMZs through to the Outside and on to our perimeter router, i.e. the chassis MSFC, where they are being dropped by an outgoing ACL. But this is despite the fact that the FWSM has an outgoing access-list on the Outside interface which should block this traffic and indeed does have a hitcount:

access-list UNNToOutside line 1 extended deny icmp 192.168.0.0 255.255.0.0 any (hitcnt=2348)
access-list UNNToOutside line 2 extended deny ip 192.168.0.0 255.255.0.0 any (hitcnt=270899)

My question is: if nat-control is disabled, does that mean that outgoing access-lists are ignored for traffic from a higher to a lower rated interface? The documentation is a bit vague on this point.

Thanks for your time.
Chris.