I'm hoping someone can clarify a difference that I'm seeing between the PIX 6.x and FWSM 3.x.
Assume a 3 interface firewall (outside,inside,dmz) with no address translation going on at all. The inside has the highest security level, the dmz is lower, and the outside is 0. With 6.x, to allow connections from lower to higher interfaces I would configure a static and use an access list to permit the desired traffic (along with a nat 0 statement for the inside and dmz).
Now assume a FWSM running 3.1.3 (routed context) using the same configuration as above. I understand that NAT statements in this case are no longer needed. It would also appear that I no longer need a static either, and connections between security levels (even lower to higher) seem to be solely controlled by access lists. I'm attaching the config of a FWSM context that I used for testing.
In this test config I purposely set the security level of the Inside to be lower then the DMZ, unless I modify the inside_in access-list to prevent it, the FWSM happily allows connections from lower to higher.
I'm confused that the security levels don't seem to be preventing traffic by default. If someone could confirm if this is proper behavior for the FWSM that would be great.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...