Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

FWSM and security levels

I'm hoping someone can clarify a difference that I'm seeing between the PIX 6.x and FWSM 3.x.

Assume a 3 interface firewall (outside,inside,dmz) with no address translation going on at all. The inside has the highest security level, the dmz is lower, and the outside is 0. With 6.x, to allow connections from lower to higher interfaces I would configure a static and use an access list to permit the desired traffic (along with a nat 0 statement for the inside and dmz).

Now assume a FWSM running 3.1.3 (routed context) using the same configuration as above. I understand that NAT statements in this case are no longer needed. It would also appear that I no longer need a static either, and connections between security levels (even lower to higher) seem to be solely controlled by access lists. I'm attaching the config of a FWSM context that I used for testing.

In this test config I purposely set the security level of the Inside to be lower then the DMZ, unless I modify the inside_in access-list to prevent it, the FWSM happily allows connections from lower to higher.

I'm confused that the security levels don't seem to be preventing traffic by default. If someone could confirm if this is proper behavior for the FWSM that would be great.


New Member

Re: FWSM and security levels

fwsm 3.1(3) and 7.x is behaved this way by

default. By default, "no nat-control" is

enabled, unless you decide to disable it with


Remember, the FWSM is operating in "routed"

in your configuration. Because you are NOT

doing any static NAT, traffics are controlled

by your ACL which they are.


CCIE Security

New Member

Re: FWSM and security levels


Thanks for the reply. So, if I'm not using address translation and follow these steps with the FWSM I will be Ok ?

- no nat-control

- no nat0 statements

- no static statements

- control packet flow with access lists

New Member

Re: FWSM and security levels

that's correct.