Community Member

fwsm deny action

If I configure a deny access-list on my FWSMs, it seems that they just drop the packet without any response to the client. If a client wants to establish a denied connection, no response occurs and the client runs into a timeout.

Isn't there an option to not only drop a denied connection but also respond to it with a TCP RST?

This would mean that the client gets an immediate response instead of waiting for a timeout.

Thanks for ideas

Patrik

3 REPLIES
Cisco Employee

Re: fwsm deny action

Patrik,

What you would need is service resetoutbound, but it's not there in FWSM.

http://conft.com/en/US/docs/security/fwsm/fwsm40/command/reference/s1.html#wp2719073

You can reset inbound...

Marcin

Community Member

Re: fwsm deny action

Thank you. This option is what I looked for. It's a pity that there is no resetoutbound option.

But I found the following:

"If resetinbound is configured and if denied traffic flows from an interface to another interface with the same security, then a reset is sent."

My idea now is to set both security levels (on the inside and on the outside interface) to 50. Then the above rule applies and a reset is sent.

This should not be a security issue, because all traffic is controlled by access-lists on each interface.

What do you think about that?

Thanks

Patrik

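The layout Patrik proposes, written out as a constructed FWSM configuration fragment (added here, not posted in the thread); VLAN numbers, addresses and the access-list contents are hypothetical:

```text
! Both interfaces at the same security level, as Patrik proposes
! (VLAN numbers and addresses are hypothetical)
interface Vlan10
 nameif inside
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 50
 ip address 198.51.100.1 255.255.255.0
!
! Needed before traffic may pass between two interfaces of equal security level
same-security-traffic permit inter-interface
!
! Answer denied connections with a TCP RST instead of a silent drop;
! per the quoted documentation this applies to same-security flows
service resetinbound
!
! As Patrik notes, all traffic is controlled by an access-list on each
! interface; the explicit deny is what now yields a RST rather than a timeout
access-list inside_in extended permit tcp 192.0.2.0 255.255.255.0 any eq 443
access-list inside_in extended deny ip any any
access-group inside_in in interface inside
!
access-list outside_in extended deny ip any any
access-group outside_in in interface outside
```
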
Cisco Employee

Re: fwsm deny action

Patrik,

A good option if you REALLY REALLY want to have this feature.

I don't like overusing same security levels. Problems with connections (which is inbound, which is outbound?), xlates (do you create xlates or not, which way will xlate bypass still work?) and other considerations... most are solved by unicast RPF, but as I said, I'm not a fan.

It's just my personal opinion, but the benefits are too small - mostly because, instead of being silent, the FWSM starts generating lots of potential traffic.

Marcin
