
New Member

6500 FWSM security level problem

Hi,

I am facing an issue with a new 6500 router (IOS version 12.2) having a FWSM module (FWSM version 2.3(3)), which is like this:

I have three VLANs INSIDE, OUTSIDE and DMZ with security levels 100, 0 and 50 respectively. I have created appropriate access control lists for pinging between VLANs (INSIDE to DMZ). But the hosts cannot ping.

However, when I give the SAME security level to ALL VLANs (INSIDE, OUTSIDE and DMZ) and give the command "same-security-traffic permit inter-interface", it works fine.

I am totally at a loss to understand this. This might be a workaround but, I guess, the ideal situation is to give different sec levels to VLANs and then control access.

Could someone please advise on this issue.

Thanks & regards

Sonu

1 REPLY
Hall of Fame Super Blue

Re: 6500 FWSM security level problem

Hi Sonu

Couple of things to check.

1) Did you set up NAT from inside to DMZ?

2) Did you create an access-list for both the DMZ interface and the inside interface?

Ping is not stateful so you need to let it back in from the DMZ.

BUT, unlike a standalone PIX where traffic is allowed to flow by default from a higher to lower level security interface, i.e. inside to DMZ in your case, this rule does not apply on the FWSM. You will still need an access-list on the inside interface.

HTH

Jon
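A worked FWSM 2.x configuration, added here as an illustration and not part of Jon's reply or the original thread, showing the three pieces the reply names: an identity static NAT from inside to DMZ, an ACL on the inside interface permitting ICMP echo toward the DMZ, and an ACL on the DMZ interface permitting only the echo-reply back, while keeping the distinct 100/50/0 security levels. The VLAN IDs (100, 200, 300), the 10.1.x.0/24 addressing and the ACL names are assumptions.

```cisco
! Added illustration, not from the thread. FWSM 2.x CLI syntax.
! Assumed: VLAN 100 = inside 10.1.1.0/24, VLAN 300 = dmz 10.1.3.0/24, VLAN 200 = outside.
nameif vlan100 inside security100
nameif vlan200 outside security0
nameif vlan300 dmz security50
ip address inside 10.1.1.1 255.255.255.0
ip address outside 192.0.2.1 255.255.255.0
ip address dmz 10.1.3.1 255.255.255.0

! 1) NAT: FWSM 2.x requires a translation for every flow through the module.
!    An identity static keeps inside addresses unchanged toward the DMZ.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! 2) ACL on the inside interface: the FWSM does not pass high-to-low
!    traffic by default, so echo requests must be permitted explicitly.
!    Only echo (not "icmp any any"), with an explicit logged deny at the end.
access-list inside_acl permit icmp 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0 echo
access-list inside_acl deny ip any any log

! 3) ACL on the DMZ interface: as the reply notes, ping is not handled
!    statefully here, so the replies need their own permit. Echo-reply only,
!    so DMZ hosts cannot initiate pings toward the inside.
access-list dmz_acl permit icmp 10.1.3.0 255.255.255.0 10.1.1.0 255.255.255.0 echo-reply
access-list dmz_acl deny ip any any log

access-group inside_acl in interface inside
access-group dmz_acl in interface dmz

! Verification while an inside host pings a DMZ host:
!   show xlate        -> an entry for the 10.1.1.0 identity static
!   show access-list  -> both permit lines present and being matched
```

If the replies still fail, check the DMZ ACL first: the deny-log line on dmz_acl will show the echo-reply being dropped when it is the missing piece.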
