FWSM security-level question

demslie (Level 1)

Hi

I would like to create  'logical Zones' by 'grouping' a number of vlans on a FWSM  version 4.0(4).

Can this be done by setting the same security-level for each 'zone' i.e. all DMZ vlans with security-level 50

and all Safezone vlans with security-level 70 and using the same-security-traffic permit inter-interface command?

Each interface would still have ACLs to define traffic between Safezone and DMZ.

I guess the main question is on the FWSM.  Does the traffic for interfaces set at the same security-level 'bypass' the ACLs

(which would effectively allow the above set up).

Or is it the case that once an ACL is applied to an interface, all traffic is permitted only if defined in the ACL

and the security level is effectively ignored.

Thanks

Don

Accepted Solution

Jennifer Halim (Cisco Employee)

You are right. Even though the interfaces have same security level, once you applied an access-list, you would need to explicitly configure ACL to allow traffic between the same security level interface.


6 Replies


Thanks for the clarification on security levels.  Is there another way it may be possible to create 'logical' DMZ and Safezones on the FWSM?

regards

Don

Actually, with FWSM, even though they are same security level interfaces, you still need to configure an access-list to allow the traffic. Unfortunately, with FWSM, it is a must to configure an inbound access-list on every single VLAN interface whether they are same security level or not.

With ASA/PIX firewall, if they are in same security level interface, you don't need to configure ACL, however, once you apply an ACL on the interface, you would need to explicitly allow traffic between same security interfaces.
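The two behaviours described above (FWSM: an inbound ACL is required on every VLAN interface regardless of security level; ASA/PIX: same-security interfaces pass traffic without an ACL only with same-security-traffic permit inter-interface, and once an ACL is applied only its permit lines count) can be modelled as a small policy evaluator. This is an added example, not FWSM or ASA code and not from anyone in this thread; the platform names, the result tags, the 192.168.x.0/24 DMZ subnets from the thread and the 10.0.0.0/24 Safezone subnet are all constructed for illustration, and intra-interface (same ingress and egress interface) traffic is deliberately not modelled.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Ace:
    """One access-list entry: first match wins, as on the firewall."""
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network

    def matches(self, s: IPv4Address, d: IPv4Address) -> bool:
        return s in self.src and d in self.dst


@dataclass
class Interface:
    name: str
    security_level: int
    network: IPv4Network
    # None = no ACL applied to the interface; [] = an ACL is applied but
    # has no lines, so only the implicit deny at its end remains.
    inbound_acl: Optional[List[Ace]] = None


class Firewall:
    """Hypothetical model of the ACL / security-level semantics in the thread."""

    def __init__(self, platform: str, same_security_inter: bool = False):
        if platform not in ("fwsm", "asa"):
            raise ValueError("platform must be 'fwsm' or 'asa'")
        self.platform = platform
        # models 'same-security-traffic permit inter-interface' (ASA/PIX only)
        self.same_security_inter = same_security_inter
        self.interfaces = {}

    def add_interface(self, iface: Interface) -> None:
        self.interfaces[iface.name] = iface

    def _interface_for(self, addr: IPv4Address) -> Interface:
        for iface in self.interfaces.values():
            if addr in iface.network:
                return iface
        raise ValueError(f"no interface owns {addr}")

    def evaluate(self, src_ip: str, dst_ip: str) -> Tuple[bool, str]:
        """Return (permitted?, reason) for a flow entering on the source's interface."""
        s, d = ip_address(src_ip), ip_address(dst_ip)
        ingress, egress = self._interface_for(s), self._interface_for(d)
        if ingress is egress:
            raise ValueError("intra-interface traffic is not modelled here")
        acl = ingress.inbound_acl
        if acl is not None:
            # Once an ACL is applied, security levels grant nothing on either
            # platform: first matching line decides, otherwise implicit deny.
            for ace in acl:
                if ace.matches(s, d):
                    return ace.action == "permit", "acl"
            return False, "acl-implicit-deny"
        if self.platform == "fwsm":
            # Per the thread: FWSM needs an inbound ACL on every VLAN interface.
            return False, "fwsm-no-acl"
        # ASA/PIX defaults with no ACL on the ingress interface.
        if ingress.security_level > egress.security_level:
            return True, "higher-to-lower"
        if ingress.security_level == egress.security_level and self.same_security_inter:
            return True, "same-security"
        return False, "default-deny"


def build(platform: str, dmz1_acl: Optional[List[Ace]],
          same_security_inter: bool = False) -> Firewall:
    """Two DMZ VLANs at level 50 and a Safezone VLAN at level 70 (constructed)."""
    fw = Firewall(platform, same_security_inter)
    fw.add_interface(Interface("dmz1", 50, ip_network("192.168.0.0/24"), dmz1_acl))
    fw.add_interface(Interface("dmz2", 50, ip_network("192.168.1.0/24")))
    fw.add_interface(Interface("safezone", 70, ip_network("10.0.0.0/24")))
    return fw


DMZ_TO_DMZ = [Ace("permit", ip_network("192.168.0.0/24"), ip_network("192.168.1.0/24"))]

if __name__ == "__main__":
    for label, fw in [("FWSM, no ACL", build("fwsm", None)),
                      ("FWSM, DMZ permit", build("fwsm", DMZ_TO_DMZ)),
                      ("ASA, no ACL, inter-interface", build("asa", None, True)),
                      ("ASA, empty ACL", build("asa", []))]:
        print(label, fw.evaluate("192.168.0.10", "192.168.1.10"))
```

The evaluator makes the consequence for the original question explicit: once any ACL is on the interface the same-security setting is irrelevant, so on the FWSM the "zone" grouping has to be expressed as permit lines in each VLAN's inbound ACL.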

Hi, re-posting as I'm not sure if you picked up this further question? (this is the first time I've used this forum)

Thanks for the clarification on security levels.  Is there another way it may be possible to create 'logical' DMZ and Safezones on the FWSM?

regards

Don

No, there is no other way except the way you have mentioned on your original post.

Alternatively, instead of having 3 DMZ subnets, you can configure 1 bigger range of DMZ subnet as your goal is for all the subnets to be communicating freely with each other anyway.

So, instead of 3 DMZ VLAN, with subnet of for example: 192.168.0.0/24, 192.168.1.0/24 and 192.168.2.0/24, why don't you just have 1 big DMZ subnet of 192.168.0.0/22, then all hosts within the DMZ can communicate freely.

Then configure the same for Safezones, and only segregate communication between DMZ and Safezones through the FWSM.

OK thanks.  ACLs are the way to do it then.   (Re-numbering is out of the question as it's a live datacentre)

regards

Don
