Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

FWSM CBAC

Hi,

With CBAC I can inspect traffic, with FWSM can I configure the same process?

thanks

Everyone's tags (5)
4 REPLIES

FWSM CBAC

Hello,

Yes, you can,

The FWSM is an stateful firewall and I would say its way more flexible than CBAC,

It´s whole purpose is to be stateful so you should go for it

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

FWSM CBAC

Hi Julio,

thanks for the answer.

But for example, I don't know how to configure a thing like this in the fwsm

Router(config)# ip access-list extended EXTERNAL-ACL

Router(config-ext-nacl)# deny tcp any any log

Router(config-ext-nacl)# deny udp any any log

Router(config-ext-nacl)# deny icmp any any log

Router(config-ext-nacl)# deny ip any any

Router(config)# ip inspect name CBAC-EXAMPLE tcp

Router(config)# ip inspect name CBAC-EXAMPLE udp

Router(config)# ip inspect name CBAC-EXAMPLE icmp

Router(config)# interface ethernet0

Router(config-if)# ip access-group EXTERNAL-ACL in

Router(config-if)# ip inspect CBAC-EXAMPLE out

thanks

Regards

Fred

FWSM CBAC

Hello Frederico,

By default on a FWSM traffic from the inside to the router will be allowed and statefully inspected.

And traffic from lower to higher will be blocked. No need to configure it

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
VIP Green

FWSM CBAC

The ASA, as Julio has mentioned, is a stateful firewall.  Meaning it keeps track of the connection that originate on interfaces that are configured to allow such connections.

initially this is enabled through the use of security-levels. Interfaces configured with higher security-levels are allowed to initiate traffic to interfaces with lower security levels.  These connection are then placed in a state table which is then inspected when the return traffic reaches the ASA.  If the ASA finds a match in the state table for the return traffic the traffic is permited, otherwise it is dropped.

Once you configure an ACL on the interface then the security-level no longer has any meaning (until you remove all ACLs on the interface).  Then traffic is permitted based on the configured ACL.  All traffic that is permitted by the ACL is placed in the state table which is agian checked and permitted for the return traffic.

--

Please remember to rate and select a correct answer
319
Views
0
Helpful
4
Replies
CreatePlease to create content