Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

FWSM rules - are they statefull?

I have two segments in 6500 FWSM module in routed mode, Vlan A and Vlan B with same security level of 70. I want to allow IP traffic from A to B and Vice versa.

a. I have "same-security-traffic permit inter-interface" in config. DO I still have to use ACL to permit traffic between these VLANs? Does it not allow traffic to pass between interfaces with same security level ?

b. In case if I have to use ACL,and If I have an ACL which permits traffic from VLAN A to VLAN B, Do I have to have a reverse ACL rules as well ? ( If it is a statefull firewall, this should not be the case I guess.)


  • Firewalling

Re: FWSM rules - are they statefull?

interesting question

with FWSM the traffic come blocked by defauld regardless the configured level of security on the interface

so from inside to out side you have to put and ACL such as prmit ip any any and aplly it to the inside interface on the inbound direction

the same with your case

if you make ACL from one direction the returing traffic will be permited automaticly

please Rate if helpful

Re: FWSM rules - are they statefull?


"same-security-traffic permit inter-interface"

You do not need to use ACL.

In fact 2 interfaces at same security level, with 'same-security permit

inter-interface' don't even require any NAT in order to communicate

If you enable NAT on one of the 2 interfaces, then the traffic has to match the NAT rule you have inserted. All other traffic won't go



Re: FWSM rules - are they statefull?

hi syed

but as i know with FWSM the traffic denied by default and should be enabled by an ACL ??

do u have idea about that ?

New Member

Re: FWSM rules - are they statefull?

The FWSM is definately a statefull firewall. If a packet is allowed out, a hole or way back is opened back through which leads me to believe you may need an ACL to allow the traffic.

The return traffic is taken care of by the statefull firewall.

A) Not sure specifically, if something isn't working, try making the ACL. The FWSM is different from the other firewalls as by default traffic is NOT allowed from higher security level interfaces to lower interfaces, you must make an ACL.

B) The return traffic is taken care of by the statefull firewall. Depending on your test and version of software, you may need to use a fixup protocol or inspect rule to get various traffic through the FWSM.


Re: FWSM rules - are they statefull?

then i was right when i said there must be an ACL to pemrmit traffic in FWSM because by defaul it is not permited..

Re: FWSM rules - are they statefull?

You are right.

ACL is needed for same security level interface.

Re: FWSM rules - are they statefull?

This is where the FWSM is different from the ASA/PIX. You need to have an ACL applied in the incoming direction on the inteface to make traffic flow. On PIX/ASA higher>>lower and inter-interface communication does not require an ACL by default.

I dont know now, but these two products used to be developed by two different business units within Cisco. So they have some differences because of this and other design issues.



Re: FWSM rules - are they statefull?

then i was helpful to NALAKA

regarding my first post which answered the questions accuratly

please, rate if helful

and thank you guys for this nice discussion

New Member

Re: FWSM rules - are they statefull?

I had a chance to ptractically test the scenario. I have found out that you need ACL to pass the traffic. I cannot find what "same-security-traffic permit inter-interface" command does in the FWSM config.

Thanks for all for helpfull ideas !

This widget could not be displayed.