Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
856
Views
0
Helpful
4
Replies

FWSM CBAC

frede_frede
Level 1
Level 1

‎07-16-2013 08:35 AM - edited ‎03-11-2019 07:12 PM

Hi,

With CBAC I can inspect traffic, with FWSM can I configure the same process?

thanks

Labels:
0 Helpful
4 Replies 4

Julio Carvajal
VIP Alumni
VIP Alumni

‎07-16-2013 10:01 AM

Hello,

Yes, you can,

The FWSM is an stateful firewall and I would say its way more flexible than CBAC,

It´s whole purpose is to be stateful so you should go for it

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

frede_frede
Level 1
Level 1
In response to Julio Carvajal

‎09-02-2013 07:58 AM

Hi Julio,

thanks for the answer.

But for example, I don't know how to configure a thing like this in the fwsm

Router(config)# ip access-list extended EXTERNAL-ACL

Router(config-ext-nacl)# deny tcp any any log

Router(config-ext-nacl)# deny udp any any log

Router(config-ext-nacl)# deny icmp any any log

Router(config-ext-nacl)# deny ip any any

Router(config)# ip inspect name CBAC-EXAMPLE tcp

Router(config)# ip inspect name CBAC-EXAMPLE udp

Router(config)# ip inspect name CBAC-EXAMPLE icmp

Router(config)# interface ethernet0

Router(config-if)# ip access-group EXTERNAL-ACL in

Router(config-if)# ip inspect CBAC-EXAMPLE out

thanks

Regards

Fred

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to frede_frede

‎09-02-2013 10:35 AM

Hello Frederico,

By default on a FWSM traffic from the inside to the router will be allowed and statefully inspected.

And traffic from lower to higher will be blocked. No need to configure it

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Marius Gunnerud
VIP
VIP
In response to frede_frede

‎09-03-2013 03:18 AM

The ASA, as Julio has mentioned, is a stateful firewall.  Meaning it keeps track of the connection that originate on interfaces that are configured to allow such connections.

initially this is enabled through the use of security-levels. Interfaces configured with higher security-levels are allowed to initiate traffic to interfaces with lower security levels.  These connection are then placed in a state table which is then inspected when the return traffic reaches the ASA.  If the ASA finds a match in the state table for the return traffic the traffic is permited, otherwise it is dropped.

Once you configure an ACL on the interface then the security-level no longer has any meaning (until you remove all ACLs on the interface).  Then traffic is permitted based on the configured ACL.  All traffic that is permitted by the ACL is placed in the state table which is agian checked and permitted for the return traffic.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card