We have a few FWSMs in the core of our network: one sits in front of all our servers, the other sits between all our users.
There are various interfaces on all of them for different types of servers (DMZ, normal stuff, students, etc.). We're using CSM to deploy rules to them.
I've had a lot of 'fun', let's say, with rules. Most rules are configured with a direction of In, but there are a few rules with an Out direction on interfaces too. The firewalls only went in last year, and we had to be finished quickly, so quite a few ANY ANY IP type rules went in, again some with In and Out directions. Some are a bit more specific, however.
I've had some really odd seemingly inexplicable results with these rules, and I feel the Out rules may be to blame. Having read through the FWSM documentation, I found this paragraph:
Traffic flowing across an interface in the FWSM can be controlled in two ways. Traffic that enters the FWSM can be controlled by attaching an inbound access list to the source interface. Traffic that exits the FWSM can be controlled by attaching an outbound access list to the destination interface. To allow any traffic to enter the FWSM, you must attach an inbound access list to an interface; otherwise, the FWSM automatically drops all traffic that enters that interface. By default, traffic can exit the FWSM on any interface unless you restrict it using an outbound access list, which adds restrictions to those already configured in the inbound access list.
The bold is my own highlighting.
It's that last sentence that concerns me. By default the firewall lets nothing in unless you let it in, but if you DO let something in, it assumes that, since you let it in, you want it let out on another port. That sentence suggests to me that if I add a single 'Allow' as an Out on an interface, let's say, it denies everything else. Or does it? I'm a little confused!
We did some training on the firewalls, but it was all done at rather breakneck speed, and the trainer mentioned something about in and out rules, but I forgot what he said.
What I'd like is to use In rules only, as these Out rules are getting a bit confusing and they're making things unpredictable. I know they do have their uses, but I need to know if there are any gotchas or caveats of using them.
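The following is an added illustration of the per-direction access-list model the quoted documentation describes; it is not Cisco code and not this poster's configuration. It assumes the standard Cisco ACL behaviour (entries evaluated top-down, first match wins, implicit deny at the end) and encodes the two rules from the paragraph: no inbound ACL on the source interface means the packet is dropped, and an outbound ACL on the destination interface, if present, must also permit the packet. The interface names (users, servers, dmz), addresses and ports are constructed; stateful return traffic, NAT and security levels are deliberately left out.

```python
"""
Model of how an FWSM applies per-interface access lists in each direction.
Added illustration, not Cisco code and not the poster's configuration.
Assumptions: ACLs are evaluated top-down, first match wins, implicit deny at
the end; a packet is dropped if its source interface has no inbound ACL; it is
allowed out if the destination interface has no outbound ACL, and must
otherwise also be permitted by that outbound ACL.
Stateful return traffic, NAT and security levels are deliberately not modelled.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches everything; else "tcp", "udp", "icmp"
    src: str                      # CIDR or "any"
    dst: str                      # CIDR or "any"
    dport: Optional[int] = None   # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    in_iface: str                 # interface the packet arrives on
    out_iface: str                # interface the FWSM would send it out of


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _rule_match(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)


def evaluate_acl(acl: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for rule in acl:
        if _rule_match(rule, pkt):
            return rule.action
    return "deny"


@dataclass
class Fwsm:
    inbound: Dict[str, List[Rule]] = field(default_factory=dict)   # iface -> ACL applied "in"
    outbound: Dict[str, List[Rule]] = field(default_factory=dict)  # iface -> ACL applied "out"

    def forward(self, pkt: Packet) -> Tuple[bool, str]:
        """Return (forwarded?, reason) for one packet crossing the module."""
        acl_in = self.inbound.get(pkt.in_iface)
        if acl_in is None:
            return False, f"no inbound ACL on {pkt.in_iface}: everything dropped"
        if evaluate_acl(acl_in, pkt) != "permit":
            return False, f"denied by inbound ACL on {pkt.in_iface}"
        acl_out = self.outbound.get(pkt.out_iface)
        if acl_out is None:
            return True, f"permitted in on {pkt.in_iface}; no outbound ACL on {pkt.out_iface}"
        if evaluate_acl(acl_out, pkt) != "permit":
            return False, (f"permitted in on {pkt.in_iface} but hit the implicit deny "
                           f"of the outbound ACL on {pkt.out_iface}")
        return True, "permitted by inbound and outbound ACLs"


def demo() -> Tuple[Tuple[bool, ...], Tuple[bool, ...]]:
    """Constructed scenario: an ANY ANY IP inbound rule on 'users', then a single
    outbound permit added on 'servers'. Returns the forwarding result for
    (HTTP, SSH, packet from an interface with no inbound ACL) before and after."""
    any_ip = Rule("permit", "ip", "any", "any")
    fw = Fwsm(inbound={"users": [any_ip]})   # constructed: only 'users' has an inbound ACL
    http = Packet("tcp", "10.1.1.5", "172.16.0.10", 80, "users", "servers")
    ssh = Packet("tcp", "10.1.1.5", "172.16.0.10", 22, "users", "servers")
    stray = Packet("tcp", "192.0.2.9", "172.16.0.10", 80, "dmz", "servers")
    before = tuple(fw.forward(p)[0] for p in (http, ssh, stray))
    # One 'Allow' with direction Out on the servers interface, HTTP only.
    fw.outbound["servers"] = [Rule("permit", "tcp", "any", "172.16.0.0/24", 80)]
    after = tuple(fw.forward(p)[0] for p in (http, ssh, stray))
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before outbound rule (http, ssh, stray):", b)   # (True, True, False)
    print("after  outbound rule (http, ssh, stray):", a)   # (True, False, False)
```

Running it shows the effect the question is about: with only the ANY ANY In rule, both HTTP and SSH from users reach the servers; the moment one Out permit for HTTP is attached to the servers interface, SSH is dropped by that ACL's implicit deny even though the inbound rule still allows it, and the interface with no inbound ACL never forwards anything. Keeping all restrictions in the inbound ACLs means each flow is decided at one point, which is what makes the resulting behaviour easy to predict and audit.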