Hi,

I'm running some testing on a FWSM at the moment using transparent contexts.

I have one server sat behind an ACL at the moment with the following setup.

interface Vlan20
nameif public
bridge-group 10
security-level 0
!
interface Vlan21
nameif private
bridge-group 10
security-level 100
!
interface BVI10
description MANAGEMENT
ip address 1.1.1.1 255.255.255.192 standby 1.1.1.2
!

access-list INBOUND extended permit tcp  any host 1.1.1.3 eq 3389
access-list INBOUND extended permit tcp any host 1.1.1.3 eq www
access-list INBOUND extended permit icmp any any echo
access-list INBOUND extended permit icmp any any source-quench
access-list INBOUND extended permit icmp any any unreachable
access-list INBOUND extended permit icmp any any time-exceeded
access-list INBOUND extended permit icmp any any echo-reply
!

access-group INBOUND in interface public

What I'm seeing, is that you can access the server, via RDP, but the server can't initiate connections to the internet. I.E. Browsing and so on, doesn't work.

I see in the logs, denies from an invisible access-list.

For example, the DNS requests going out are to googles dns server on 8.8.8.8

FWSM-4-106023: Deny udp src private:1.1.1.3/44124 dst public:8.8.8.8/53 by access-group "" [0x0, 0x0]
%FWSM-4-106023: Deny udp src private:1.1.1.3/44124 dst public:8.8.8.8/53 by access-group "" [0x0, 0x0]

If I make the following

access-list OUTBOUND extended permit ip any any

!

access-group OUTBOUND in interface inside

Then everything works as expected.

I thought if you were going from more secure to a less secure interface, no ACL was required. I have pix's running V7 in a similar transparent setup and I haven't needed to make an OUTBOUND ACL.

What am I missing?