I have two segments in a 6500 FWSM module in routed mode, VLAN A and VLAN B, with the same security level of 70. I want to allow IP traffic from A to B and vice versa.
a. I have "same-security-traffic permit inter-interface" in the config. Do I still have to use an ACL to permit traffic between these VLANs? Does it not allow traffic to pass between interfaces with the same security level?
b. If I have to use an ACL, and I have an ACL which permits traffic from VLAN A to VLAN B, do I have to have reverse ACL rules as well? (If it is a stateful firewall, this should not be the case, I guess.)
With FWSM the traffic comes blocked by default regardless of the configured security level on the interface,
so from inside to outside you have to put an ACL such as permit ip any any and apply it to the inside interface in the inbound direction.
The same with your case.
If you make an ACL for one direction, the returning traffic will be permitted automatically.
Please rate if helpful.
"same-security-traffic permit inter-interface"
You do not need to use an ACL.
In fact, 2 interfaces at the same security level, with 'same-security permit inter-interface', don't even require any NAT in order to communicate.
If you enable NAT on one of the 2 interfaces, then the traffic has to match the NAT rule you have inserted. All other traffic won't go.
The FWSM is definitely a stateful firewall. If a packet is allowed out, a hole or way back is opened back through, which leads me to believe you may need an ACL to allow the traffic.
The return traffic is taken care of by the stateful firewall.
A) Not sure specifically; if something isn't working, try making the ACL. The FWSM is different from the other firewalls, as by default traffic is NOT allowed from higher security level interfaces to lower interfaces; you must make an ACL.
B) The return traffic is taken care of by the stateful firewall. Depending on your test and version of software, you may need to use a fixup protocol or inspect rule to get various traffic through the FWSM.
This is where the FWSM is different from the ASA/PIX. You need to have an ACL applied in the incoming direction on the interface to make traffic flow. On PIX/ASA, higher>>lower and inter-interface communication does not require an ACL by default.
I don't know now, but these two products used to be developed by two different business units within Cisco. So they have some differences because of this and other design issues.
Then I was helpful to NALAKA
regarding my first post, which answered the questions accurately.
Please rate if helpful,
and thank you guys for this nice discussion.
I had a chance to practically test the scenario. I have found out that you need an ACL to pass the traffic. I cannot find what the "same-security-traffic permit inter-interface" command does in the FWSM config.
Thanks to all for the helpful ideas!
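As an added configuration example (not posted by any participant in this thread), this is what the outcome the original poster tested looks like on an FWSM in routed mode: same-security-traffic is set, and an inbound ACL is applied on each VLAN interface so that sessions can be initiated from either side, while stateful inspection takes care of the return traffic, so no reverse rules are needed. The VLAN numbers, interface names and subnets are assumed values, and FWSM 3.x ACL syntax is assumed.

```cisco
! Assumed VLAN numbers, nameifs and subnets (not from the thread)
interface Vlan10
 nameif vlanA
 security-level 70
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
 nameif vlanB
 security-level 70
 ip address 10.1.20.1 255.255.255.0
!
! Allows traffic to be routed between interfaces at the same security level;
! on the FWSM this alone does not permit traffic, an inbound ACL is still required
same-security-traffic permit inter-interface
!
! Sessions initiated from VLAN A towards VLAN B: applied inbound on vlanA
access-list VLANA_IN extended permit ip 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0
access-group VLANA_IN in interface vlanA
!
! Sessions initiated from VLAN B towards VLAN A: applied inbound on vlanB
access-list VLANB_IN extended permit ip 10.1.20.0 255.255.255.0 10.1.10.0 255.255.255.0
access-group VLANB_IN in interface vlanB
!
! Replies to connections opened through either ACL are matched against the
! connection table, so no reverse (return-traffic) entries are required.
```

If only one side needs to initiate sessions, drop the ACL on the other interface and the stateful firewall still passes the replies. If NAT is enabled on either interface, the traffic must additionally match a NAT rule (or a NAT exemption), as one of the replies above points out.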