High to low security level, implicit deny on FWSM

Apr 11th, 2010

Hi all,

I am new to using the FWSM and I have found a problem that I did not have with the ASA. As I have read, ASAs permit traffic for outbound connections (from high to low security level interfaces), but in the FWSM that is not allowed and everything is denied.

My problem is how to make the FWSM do the same as the ASA for the outside (Internet) interface.

I do not do any NAT in the FWSM and I have only applied inbound ACLs to permit/deny traffic in the FWSM. As I am using ASDM to configure it, I thought that when I applied permit ip any any on an interface it only applied to lower security interfaces (ASDM made me think so), but I was wrong and it is applied to both higher and lower security interfaces. What do I have to do? Do I have to apply an outgoing ACL on the outside interface?

I will try to make it more clear with an example:

     - inside, sec level 100
     - DMZ1, sec level 90
     - DMZ2, sec level 70
     - DMZ3, sec level 70
     - outside, sec level 0

I have a default route to outside, no NAT, and I permit traffic between interfaces with the same sec level.

I just want to permit all traffic from inside, DMZ1, DMZ2 and DMZ3 to outside, but not, for example, from DMZ3 to DMZ1. Will this be solved by applying an outbound ACL on the outside interface? If so, how does the FWSM work with an incoming and an outgoing ACL?

Thank you very much

Jennifer Halim Sun, 04/11/2010 - 04:31

By default, the FWSM does not pass traffic if you do not configure an access-list to allow traffic to pass between interfaces. Every single interface needs to have an access-list to allow that traffic. This is completely different from the ASA, where only inbound connections (from low to high security level) require an access-list.

I would suggest that you configure a deny first between the interfaces that you do not want traffic to pass between, then a permit to any from that subnet.

Unfortunately you can't just configure an outbound access-list on the outside interface, because to permit traffic inbound to an interface you need to configure an inbound access-list. An outbound access-list is normally used to provide further restriction.

Here is the command reference for the FWSM that will provide you with more explanation:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/a1.html#wp1590368

Hope that helps.

lcuchisanmillan Sun, 04/11/2010 - 09:00

Thank you for your response halijenn,

I have also thought about first denying access to the interfaces I do not want to be reachable and then having a permit any any at the end. The problem is that I have more than 50 VLAN interfaces defined in the FWSM (almost all of them will need access to the Internet), and doing what you propose will make the configuration very complex, with a lot of deny statements on each VLAN interface. Does anyone know another method?

Thank you.

Kureli Sankar Sun, 04/11/2010 - 13:01

If there are going to be more denies than permits, then just permit the few and let the implicit deny any any kick in at the bottom.

There is no other way. With the FWSM you need to allow traffic via an ACL on all interfaces irrespective of the security level.

-KS
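Added example, not configuration from any of the posts above: the script below generates the per-interface inbound access-lists for the topology in the question using both suggestions from this thread, the deny-first-then-permit-any pattern (Jennifer Halim's reply) for interfaces that need the Internet, and permit-the-few-and-rely-on-the-implicit-deny (Kureli Sankar's reply) for interfaces that do not. It then checks the result with a small first-match evaluator that models the FWSM's top-down ACE lookup and its implicit deny. The subnets, the ACL names (`<ifname>_in`) and the allow matrix are constructed assumptions; the command forms `access-list NAME extended permit|deny ip SRC MASK DST MASK|any` and `access-group NAME in interface IFNAME` are the standard FWSM/ASA syntax. Generating the lines this way is also one answer to the 50-VLAN concern: the repetition is mechanical, so it is better produced from a table than typed by hand.

```python
"""Per-interface FWSM access-lists generated from an allow matrix, plus a
first-match evaluator to confirm the ACE ordering does what the thread expects.

Constructed for this thread: the subnets, the ACL names (<ifname>_in) and the
POLICY table are assumptions, not configuration from the original posts.
"""
import ipaddress

# Constructed topology with the security levels from the question; the outside
# interface is reached via the default route, so it can only be matched by "any".
INTERFACES = {
    "inside": "10.100.0.0 255.255.255.0",
    "DMZ1":   "10.90.0.0 255.255.255.0",
    "DMZ2":   "10.70.0.0 255.255.255.0",
    "DMZ3":   "10.71.0.0 255.255.255.0",
}

# For each interface: (internal interfaces it may reach, may it reach the Internet).
POLICY = {
    "inside": ({"DMZ1", "DMZ2", "DMZ3"}, True),
    "DMZ1":   (set(), True),
    "DMZ2":   ({"DMZ3"}, True),
    "DMZ3":   ({"DMZ2"}, True),
}


def build_acl(ifname, policy=POLICY, ifaces=INTERFACES):
    """Return the FWSM commands for the inbound ACL on one interface."""
    src = ifaces[ifname]
    allowed, internet = policy[ifname]
    acl = f"{ifname}_in"
    others = [n for n in ifaces if n != ifname]
    lines = []
    if internet:
        # Internet access needs "permit ... any", and "any" also matches every
        # internal subnet, so the denies for unwanted peers must come first
        # (the FWSM evaluates ACEs top-down and the first match wins).
        for n in others:
            if n not in allowed:
                lines.append(f"access-list {acl} extended deny ip {src} {ifaces[n]}")
        lines.append(f"access-list {acl} extended permit ip {src} any")
    else:
        # No Internet access: permit the few peers and let the implicit
        # "deny any any" at the end of the ACL drop everything else.
        for n in others:
            if n in allowed:
                lines.append(f"access-list {acl} extended permit ip {src} {ifaces[n]}")
    lines.append(f"access-group {acl} in interface {ifname}")
    return lines


def _net(addr, mask):
    """'10.0.0.0', '255.255.255.0' -> ip_network; 'any' -> 0.0.0.0/0."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def evaluate(lines, src_ip, dst_ip):
    """First-match evaluation of the generated ACEs, then the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list":
            continue                        # skip the access-group binding
        action, tok = tok[3], tok[5:]       # tok is now: SRC MASK DST [MASK]
        src_net = _net(tok[0], tok[1])
        dst_net = _net(tok[2], tok[3] if len(tok) > 3 else None)
        if s in src_net and d in dst_net:
            return action == "permit"
    return False                            # implicit deny any any


def build_all(policy=POLICY, ifaces=INTERFACES):
    """Generate the inbound ACL for every interface in the table."""
    return {name: build_acl(name, policy, ifaces) for name in ifaces}


if __name__ == "__main__":
    for cmds in build_all().values():
        print("\n".join(cmds))
    dmz3 = build_acl("DMZ3")
    print("DMZ3 -> DMZ1:", evaluate(dmz3, "10.71.0.5", "10.90.0.7"))        # False
    print("DMZ3 -> Internet:", evaluate(dmz3, "10.71.0.5", "198.51.100.9"))  # True
```

The evaluator makes the ordering point concrete: if the `permit ip SRC any` line is moved above the denies, the denies are shadowed and never match, so DMZ3 to DMZ1 would be permitted. On the module itself the same check is `show access-list`, whose per-ACE hit counts show which line a flow is actually matching.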
