FWSM More > Less secure ACL's

Unanswered Question
Apr 13th, 2010

Hi,

I'm running some testing on a FWSM at the moment using transparent contexts.

I have one server sat behind an ACL at the moment with the following setup.

interface Vlan20
nameif public
bridge-group 10
security-level 0
!
interface Vlan21
nameif private
bridge-group 10
security-level 100
!
interface BVI10
description MANAGEMENT
ip address 1.1.1.1 255.255.255.192 standby 1.1.1.2
!

access-list INBOUND extended permit tcp  any host 1.1.1.3 eq 3389
access-list INBOUND extended permit tcp any host 1.1.1.3 eq www
access-list INBOUND extended permit icmp any any echo
access-list INBOUND extended permit icmp any any source-quench
access-list INBOUND extended permit icmp any any unreachable
access-list INBOUND extended permit icmp any any time-exceeded
access-list INBOUND extended permit icmp any any echo-reply
!

access-group INBOUND in interface public

What I'm seeing, is that you can access the server, via RDP, but the server can't initiate connections to the internet. I.E. Browsing and so on, doesn't work.

I see in the logs, denies from an invisible access-list.

For example, the DNS requests going out are to googles dns server on 8.8.8.8

FWSM-4-106023: Deny udp src private:1.1.1.3/44124 dst public:8.8.8.8/53 by access-group "" [0x0, 0x0]
%FWSM-4-106023: Deny udp src private:1.1.1.3/44124 dst public:8.8.8.8/53 by access-group "" [0x0, 0x0]

If I make the following

access-list OUTBOUND extended permit ip any any

!

access-group OUTBOUND in interface inside

Then everything works as expected.

I thought if you were going from more secure to a less secure interface, no ACL was required. I have pix's running V7 in a similar transparent setup and I haven't needed to make an OUTBOUND ACL.

What am I missing?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
webfusion-networks Tue, 04/13/2010 - 08:58

I've just answered my own question :-)

• Outbound access—The firewall only builds  outbound connections that meet security policy requirements configured  as an access list. (ASA and PIX platforms allow outbound connections to  be initiated without an access list, by default. The FWSM requires an  access list to permit outbound connections.)

Panos Kampanakis Tue, 04/13/2010 - 15:39

FWSM needs ACLs on interfaces to allow traffic.

It is not like ASA/PIX where if no ACL is define high to low security is allowed by default.

It is a difference in design.

PK

Actions

This Discussion