Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2553
Views
0
Helpful
3
Replies

High to low security level, implicit deny on FWSM

lcuchisanmillan
Level 1
Level 1

‎04-11-2010 03:31 AM - edited ‎03-11-2019 10:31 AM

Hi all,

I am new using FWSM and I have find out a problem that I did not have with the ASA. As I have read, ASAs permit traffic for outbound connections (from high to low security level interfaces), but in FWSM that it is not allowed and everything is denied.

My problem is how to permit in FWSM do the same that ASAs for the outside(Internet) interface.

I do not do any NAT in the FWSM and I have only aplied inbound ACLs to premit/ deny traffic in the FWSM. As I using ASDM to configure I thought that when I was applying permit ip any any in a interface it only applied to lower security interfaces (ASDM makes me thought so), but I was wrong and it is applied to higher and lower security interfaces. What should I have to do? Do I have to apply an outgoing ACL in the outside interface.

I will try to make it more clear with an example:

     _ inside, sec level 100

     _ DMZ1, sec level 90

     _ DMZ2, sec level 70

     _ DMZ3, sec level 70

     _ outside, sec level 0

I have a default route to outside, no NAT and permit traffic between interfaces with the same sec level

I just want to permit all traffic from inside,DMZ1, DMZ2 and DMZ3 to outside, but not for example from to DMZ3 to DMZ1. Will this be solved applying an outbound ACL in outside interface? If that´s so how does the FWSM work with an ingoing and outgoing ACL?

Thank you very much

Labels:
0 Helpful
3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

‎04-11-2010 04:31 AM

By default, FWSM does not pass traffic if you do not configure access-list to allow traffic to pass between interface. Every single interfaces need to have an access-list to allow those traffic. Completely different to ASA where only inbound connection (from low to high security level) requires access-list.

I would suggest that you configure deny first between interfaces that you do not want traffic to pass, then permit to any from that subnet.

Unfortunately you can't just configure outbound access-list on the outside interface because to permit traffic inbound to an interface, you would need to configure an inbound access-list. Outbound access-list is normally used to provide further restriction.

Here is the command reference for FWSM that will provide you with more explaination:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/a1.html#wp1590368

Hope that helps.

0 Helpful

lcuchisanmillan
Level 1
Level 1
In response to Jennifer Halim

‎04-11-2010 09:00 AM

Thank you for your response halijenn,

I have also thought about of denying the access to the interfaces I do not want access first and then have a permit any any at the end, the problem is that I have more than 50 vlan interfaces defined in the FWSM (almost all of them will need access to INTERNET) and doing what you propose, will make the configuration very complex with a lot of deny access statements in each vlan interface, does anyone know another method?

Thank you.

0 Helpful

Kureli Sankar
Cisco Employee
Cisco Employee
In response to lcuchisanmillan

‎04-11-2010 01:01 PM

If the denies are going to be more, then just permit the few and let the implicit deny any any kick in the bottom.

There is no other way. With the FWSM you need to allow via ACL for all interfaces irrespective of the security level.

-KS

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card