I'm attempting to provide access from one FWSM to another, using VLANs and ACLs. The purpose is to allow a set of servers behind one firewall to use DNS appliances behind another firewall. Here is some basic config info:
FIREWALL A = VLAN 1 - Host VLAN
FIREWALL B = VLAN 2 - DNS Appliance VLAN
FIREWALL A & B = VLAN 3 - Transit VLAN between the 2 FWSMs
ACL is open to VLAN 1, allowing port 53 TCP/UDP connections from all hosts in the subnet.
ACL is open to VLAN 3, allowing the traffic through the interface at FW-B.
I am able to observe the traffic (through captures) up through VLAN 3. Once I start capturing on FW-B VLAN 2, I see nothing. No traffic at all...
Yes, 2 contexts... I'm sorry. FW-B (DNS appliances) uses the default context and FW-A (servers) uses a configured context (not the default).
The same-security-traffic config you refer to is not set up on FW-B. However,
there is another group of servers that reside on FW-B, in VLAN 4, that ARE able to access the DNS appliances in VLAN 2... AND the VLAN 4 interface has a lower security level than VLAN 2... That is what is confusing me about this issue...
The only ACL applied to VLAN 2's interface allows return traffic from the DNS appliances to any "querying" server, defined below:
access-list VLAN2 extended permit udp any eq domain any
access-list VLAN2 extended permit tcp any eq domain any
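As an added illustration (not part of the original thread, and not Cisco code), the following Python model applies the rules the thread turns on: an ACL bound with `access-group NAME in interface X` is evaluated only for packets that enter the FWSM on X; an interface with no inbound ACL falls back to security levels (higher to lower is allowed, equal needs `same-security-traffic permit inter-interface`); and a packet with no route to its destination is dropped. The config it parses is constructed to resemble the FW-B context described above; the interface names (dns, transit, servers), security levels, addresses and the VLAN 4 ACL are assumptions, not something the thread states.

```python
"""Toy model of how an FWSM judges the first packet of a connection from its
access-groups, security levels and routes.  Added example, not from the thread
and not Cisco code; the config below is constructed (names, levels, addresses
and the VLAN 4 ACL are assumptions)."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "ingress proto src sport dst dport")   # ingress = nameif
Ace = namedtuple("Ace", "action proto src sport dst dport")          # src/dst = ip_network

def ace_matches(a, p):
    return (a.proto in (p.proto, "ip") and ip_address(p.src) in a.src
            and ip_address(p.dst) in a.dst
            and a.sport in (None, p.sport) and a.dport in (None, p.dport))

def parse_ace(line):
    """access-list NAME extended ACTION PROTO SRC [eq PORT] DST [eq PORT]"""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(line)
    pos, fields = 5, []
    for _ in range(2):                                   # source, then destination
        tok = t[pos]
        pos += 1 if tok == "any" else 2                  # any | host A | A MASK
        fields.append(ip_network("0.0.0.0/0" if tok == "any" else t[pos - 1] + "/32"
                                 if tok == "host" else f"{tok}/{t[pos - 1]}", strict=False))
        if pos < len(t) and t[pos] == "eq":              # optional `eq PORT`
            pos += 2
            fields.append({"domain": 53}.get(t[pos - 1]) or int(t[pos - 1]))
        else:
            fields.append(None)
    return t[1], Ace(t[3], t[4], *fields)

class Fwsm:
    def __init__(self, config):
        self.ifaces, self.acls, self.bound, self.routes = {}, {}, {}, {}
        self.same_security, cur = False, None
        for line in (l.strip() for l in config.splitlines()):
            t = line.split()
            if not t or t[0].startswith("!"):
                continue
            if t[0] == "nameif":                         # interface submode: nameif first
                cur = self.ifaces.setdefault(t[1], {"level": 0, "net": None})
            elif t[0] == "security-level":
                cur["level"] = int(t[1])
            elif t[:2] == ["ip", "address"]:
                cur["net"] = ip_network(f"{t[2]}/{t[3]}", strict=False)
            elif t[0] == "access-list":
                name, ace = parse_ace(line)
                self.acls.setdefault(name, []).append(ace)
            elif t[0] == "access-group":                 # access-group NAME in interface IF
                self.bound[t[4]] = t[1]
            elif t[0] == "route":                        # route IF NET MASK GATEWAY
                self.routes[ip_network(f"{t[2]}/{t[3]}", strict=False)] = t[1]
            elif line == "same-security-traffic permit inter-interface":
                self.same_security = True

    def egress(self, dst):                               # longest prefix: connected + static
        d = ip_address(dst)
        cands = [(n, i) for n, i in self.routes.items() if d in n]
        cands += [(v["net"], i) for i, v in self.ifaces.items() if v["net"] and d in v["net"]]
        return max(cands, key=lambda c: c[0].prefixlen)[1] if cands else None

    def forward(self, p):
        """(verdict, egress nameif, reason) for the first packet of a connection."""
        out = self.egress(p.dst)
        if out is None:
            return "drop", None, "no route to destination"
        acl = self.bound.get(p.ingress)                  # only the INGRESS ACL is consulted
        if acl is not None:
            for ace in self.acls.get(acl, []):
                if ace_matches(ace, p):
                    return ("permit" if ace.action == "permit" else "drop"), out, f"matched ACE in {acl}"
            return "drop", out, f"implicit deny at end of {acl}"
        lin, lout = self.ifaces[p.ingress]["level"], self.ifaces[out]["level"]
        if lin > lout:
            return "permit", out, "higher to lower security level, no ACL required"
        if lin == lout and self.same_security:
            return "permit", out, "same-security-traffic permit inter-interface"
        return "drop", out, "lower or equal security level and no ACL on ingress"

FWB_CONFIG = """
! Constructed stand-in for the FW-B context (assumed names, levels, addresses).
interface Vlan2
 nameif dns
 security-level 80
 ip address 10.2.0.1 255.255.255.0
interface Vlan3
 nameif transit
 security-level 40
 ip address 10.3.0.2 255.255.255.0
interface Vlan4
 nameif servers
 security-level 50
 ip address 10.4.0.1 255.255.255.0
access-list VLAN2 extended permit udp any eq domain any
access-list VLAN3 extended permit udp 10.1.0.0 255.255.255.0 any eq domain
access-list VLAN4 extended permit udp 10.4.0.0 255.255.255.0 any eq domain
access-group VLAN2 in interface dns
access-group VLAN3 in interface transit
access-group VLAN4 in interface servers
route transit 10.1.0.0 255.255.255.0 10.3.0.1
"""

QUERY_VIA_TRANSIT = Packet("transit", "udp", "10.1.0.10", 34567, "10.2.0.53", 53)
QUERY_FROM_VLAN4 = Packet("servers", "udp", "10.4.0.7", 40000, "10.2.0.53", 53)
```

`Fwsm(FWB_CONFIG).forward(QUERY_VIA_TRANSIT)` is decided by the ACL on the transit interface, and `forward(QUERY_FROM_VLAN4)` by the ACL on the servers interface; in neither case is the VLAN2 ACL consulted, which is why the only ACL on the DNS VLAN can be a return-traffic rule and VLAN 4 can still reach the appliances. Remove the `access-group VLAN4` line and the VLAN 4 query is dropped on security levels alone (50 < 80). The model deliberately ignores NAT and the connection table: the FWSM is stateful, so replies from the appliances are matched to the existing connection rather than to the VLAN2 ACE. For the capture problem above, the model points at the two things to verify in FW-B's context: the inbound ACL on the VLAN 3 interface (`show access-list` hit counts will show whether the query is being denied there) and a route for the VLAN 1 subnet pointing back across VLAN 3.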