04-13-2010 08:57 AM - edited 03-11-2019 10:32 AM
Hi,
I'm running some testing on a FWSM at the moment using transparent contexts.
I have one server sitting behind an ACL at the moment with the following setup.
interface Vlan20
nameif public
bridge-group 10
security-level 0
!
interface Vlan21
nameif private
bridge-group 10
security-level 100
!
interface BVI10
description MANAGEMENT
ip address 1.1.1.1 255.255.255.192 standby 1.1.1.2
!
access-list INBOUND extended permit tcp any host 1.1.1.3 eq 3389
access-list INBOUND extended permit tcp any host 1.1.1.3 eq www
access-list INBOUND extended permit icmp any any echo
access-list INBOUND extended permit icmp any any source-quench
access-list INBOUND extended permit icmp any any unreachable
access-list INBOUND extended permit icmp any any time-exceeded
access-list INBOUND extended permit icmp any any echo-reply
!
access-group INBOUND in interface public
What I'm seeing is that you can access the server via RDP, but the server can't initiate connections to the internet, i.e. browsing and so on doesn't work.
I see denies in the logs from an invisible access-list.
For example, the DNS requests going out are to Google's DNS server on 8.8.8.8:
%FWSM-4-106023: Deny udp src private:1.1.1.3/44124 dst public:8.8.8.8/53 by access-group "" [0x0, 0x0]
If I add the following:
access-list OUTBOUND extended permit ip any any
!
access-group OUTBOUND in interface private
Then everything works as expected.
I thought if you were going from a more secure to a less secure interface, no ACL was required. I have PIXes running v7 in a similar transparent setup and I haven't needed to make an OUTBOUND ACL.
What am I missing?
04-13-2010 08:58 AM
I've just answered my own question :-)
• Outbound access—The firewall only builds outbound connections that meet security policy requirements configured as an access list. (ASA and PIX platforms allow outbound connections to be initiated without an access list, by default. The FWSM requires an access list to permit outbound connections.)
04-13-2010 03:39 PM
FWSM needs ACLs on interfaces to allow traffic.
It is not like ASA/PIX where, if no ACL is defined, high-to-low security traffic is allowed by default.
It is a difference in design.
PK
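Since the FWSM requires an outbound ACL anyway, the "permit ip any any" used in the original post is worth replacing with a least-privilege list that permits only what the server is known to need and logs everything else. The following is an added example, not configuration from the thread or from Cisco documentation; it reuses the thread's own server address (1.1.1.3), resolver (8.8.8.8) and interface name (private), while the assumption that the server only needs DNS, HTTP/HTTPS and outbound ping is illustrative.

```cisco
! Added example: least-privilege outbound ACL for the "private" interface.
! Assumes the server at 1.1.1.3 only needs DNS to 8.8.8.8, web browsing and ping.
access-list OUTBOUND extended permit udp host 1.1.1.3 host 8.8.8.8 eq domain
access-list OUTBOUND extended permit tcp host 1.1.1.3 any eq www
access-list OUTBOUND extended permit tcp host 1.1.1.3 any eq https
access-list OUTBOUND extended permit icmp host 1.1.1.3 any echo
! Explicit final deny with logging so unexpected outbound traffic is visible
! in syslog instead of being dropped by the unnamed implicit deny.
access-list OUTBOUND extended deny ip any any log
!
access-group OUTBOUND in interface private
```

With a named ACL applied, the %FWSM-4-106023 messages carry the list name in the access-group field rather than "", and `show access-list OUTBOUND` gives per-line hit counts, which makes it straightforward to confirm which entries the server actually uses before tightening further.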