I'm trying to get a FWSM working on a 6513 chassis running IOS. The FWSM is running 4.0(5). I'm using the "MSFC behind the FWSM" model. I created an SVI and presented it to the firewall as the inside interface. I created a VLAN on the 6513 and presented it to the FWSM as the outside interface. I defined its IP address on the FWSM interface. I created a default route on the FWSM pointing to the Internet address just outside the FWSM outside interface. I have route statements to the inside for all internal subnets.
I can telnet to the FWSM inside address from the 6513 LAN. No inside users can access the network/Internet on the outside of the FWSM. We are not using NAT. All internal devices can access other internal devices.
The inside interface is security level of 100. The outside interface is security level of 0.
The FWSM is replacing an external PIX 525 currently in use. During off hours I disconnect the PIX and give the PIX inside and outside addresses to the FWSM. I can't see what I might be missing. While telnetted into the FWSM I can ping the IP just outside the outside interface. I know the FWSM can see outside, but the users can't. I have an interface on the 6513 in the VLAN of the outside interface, and that is where I connect external to our network. I cleared ARP while testing.
I noticed our PIX has an implicit rule for the inside interface. It permits all traffic to a less secure network such as our outside interface. That implicit rule on the inside interface is missing in the FWSM. I think the PIX added that rule by default and it looks like the FWSM doesn't. Maybe that is where my issue is.
There are two pieces of the puzzle: interface ACLs and NAT. If you are using no nat-control, then the security level does not make a real difference. However, if you have nat-control, then the security levels can give you the same benefits as a PIX/ASA.
Coming from the PIX I didn't give the inside-to-outside ACL any thought. I had gone over my config time and time again and compared it to the documentation. When I tested and it didn't work I was at a loss as to what to try. Then after starting this post I saw the issue. I found a reference in the documentation about it, but it didn't really stand out. It would have saved me hours of testing and backing out. It's working now and I can move ahead.
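For reference, the configuration difference the thread converges on, written out as an added example rather than the poster's actual config: on a PIX the inside interface (security level 100) implicitly permits traffic toward the outside (security level 0), but the FWSM denies all transit traffic on an interface until an access list is applied to it, regardless of security level. The VLAN numbers, addresses, and the ACL name `inside_out` below are assumptions chosen for illustration.

```cisco
! --- What the PIX did implicitly: nothing needed on the inside interface ---
! (traffic from security-level 100 to security-level 0 was allowed by default)

! --- FWSM: the inside interface needs an explicit ACL or nothing passes ---
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
! No NAT is used in the thread; make that explicit so missing NAT rules
! are not the reason packets are dropped.
no nat-control
!
! The rule the PIX added for free. Tighten "any any" to the inside
! subnets once the path is confirmed working.
access-list inside_out extended permit ip any any
access-group inside_out in interface inside
!
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route inside 10.2.0.0 255.255.0.0 10.1.1.254 1
```

A quick check after applying it is `show access-list inside_out`: the hit counts on the permit line should climb as inside users send traffic, which distinguishes "ACL not applied" from a routing or ARP problem on the outside VLAN.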