Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

FWSM network design

Testing a FWSM in single context mode. The MSFC is located inside. There are two interfaces. One labeled outside security level 0. Inside interface security level 100.

All PC on the inside interface should be permitted outside access. I added an incoming rule to inside interface permitting all to all. Without that inside users could not access the internet.

I added incoming rules to the outside interface for devices that should be permitted to access devices on the inside interface. That is the way it is setup on our current PIX.

What is bothering me is I don't see any hits on the incoming rules on the outside interface. Do I have the rules on the wrong interface? Should I have outgoing rules as well?


Re: FWSM network design

Have you verified the ACL is applied to the interface? It should be:

access-group ACL_NAME in interface INTERFACE_NAME

One thing that has gotten me a few times is if you remove the lines from and ACL, it will remove the ACL from the applied interface and you have to re-add it.

New Member

Re: FWSM network design

I use the GUI for the ACL create. It show it is applied. I have looked at the CLI to verify. I have the ACLs as incoming rules on the outside interface. The ACL appear to be working but the hit counters are not changing. The hit counter is working on the inside interface for its incoming rules.

Still adjusting the FWSM from the PIX where I just had a outside and inside interface. I have that with the FWSM module but need to expand that with a DMZ once I get the hang of a inside and outside interface.

In the 4.0 config manual it states. 'To allow any

traffic to enter the FWSM, you must attach an inbound access list to an interface; otherwise, the FWSM

automatically drops all traffic that enters that interface. By default, traffic can exit the FWSM on any

interface unless you restrict it using an outbound access.

What confused me was the PIX had an implicit rule that permits all traffic to less secure networks for the inside interface. For the FWSM you have to add such a rule. I was tripped up for awhile when a PC on the inside interface couldn't access the Internet off the outside interface till I added such a rule.

CreatePlease to create content