04-28-2010 03:52 AM - edited 03-11-2019 10:38 AM
Hi
I would like to create 'logical Zones' by 'grouping' a number of vlans on a FWSM version 4.0(4).
Can this be done by setting the same security-level for each 'zone' i.e. all DMZ vlans with security-level 50
and all Safezone vlans with security-level 70 and using the same-security-traffic permit inter-interface command?
Each interface would still have ACLs to define traffic between Safezone and DMZ.
I guess the main question is on the FWSM. Does the traffic for interfaces set at the same security-level 'bypass' the ACLs
(which would effectively allow the above set up)?
Or is it the case that once an ACL is applied to an interface, all traffic is permitted only if defined in the ACL
and the security level is effectively ignored?
Thanks
Don
04-28-2010 04:11 AM
You are right. Even though the interfaces have same security level, once you applied an access-list, you would need to explicitly configure ACL to allow traffic between the same security level interface.
04-28-2010 05:11 AM
Thanks for the clarification on security levels. Is there another way it may be possible to create 'logical' DMZ and Safezones on the FWSM?
regards
Don
04-28-2010 05:17 AM
Actually, with FWSM, even though they are same security level interfaces, you still need to configure an access-list to allow the traffic. Unfortunately, with FWSM, you must configure an inbound access-list on every single VLAN interface, whether they are the same security level or not.
With ASA/PIX firewall, if they are in same security level interface, you don't need to configure ACL, however, once you apply an ACL on the interface, you would need to explicitly allow traffic between same security interfaces.
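To make the point above concrete, here is an added example (not code from the thread or from Cisco) that audits a small FWSM-style configuration for the zoning scheme Don describes: VLAN interfaces grouped into "logical zones" by shared security-level, `same-security-traffic permit inter-interface` enabled, and an inbound ACL bound to every interface. The sample configuration is constructed for the example, and the function names (`parse_config`, `zones_by_level`, `audit`) are my own. One Safezone interface is deliberately left without an `access-group` so the audit has something to flag.

```python
"""Audit an FWSM-style config for the 'zones by security-level' design.

Added example, not from the thread. Parses interface/nameif/security-level,
same-security-traffic, access-list and access-group lines, groups interfaces
into zones by security-level, and flags any interface with no inbound ACL
(the thread's point: on FWSM every VLAN interface needs one, same level or not).
"""
import re
from collections import defaultdict

# Constructed sample config (hypothetical, not from the thread). Two DMZ VLANs
# at level 50, two Safezone VLANs at level 70. 'safe2' has no access-group on
# purpose so the audit reports it.
SAMPLE_CONFIG = """\
interface Vlan10
 nameif dmz1
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan11
 nameif dmz2
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan20
 nameif safe1
 security-level 70
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan21
 nameif safe2
 security-level 70
 ip address 10.10.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
access-list dmz1_in extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list dmz1_in extended permit tcp 192.168.0.0 255.255.255.0 10.10.0.0 255.255.254.0 eq 443
access-list dmz2_in extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list safe1_in extended permit ip 10.10.0.0 255.255.255.0 10.10.0.0 255.255.254.0
access-group dmz1_in in interface dmz1
access-group dmz2_in in interface dmz2
access-group safe1_in in interface safe1
"""


def parse_config(text):
    """Return interfaces (by nameif), inbound ACL bindings, ACL bodies and the
    same-security-traffic flag from an FWSM/ASA-style running config."""
    interfaces = {}            # nameif -> {"vlan", "nameif", "level"}
    inbound = {}               # nameif -> ACL name bound with 'access-group ... in'
    acls = defaultdict(list)   # ACL name -> list of entry strings
    same_security = False
    current = None             # interface block being parsed, if any

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current = {"vlan": m.group(1), "nameif": None, "level": None}
            continue
        if line.startswith(" ") and current is not None:
            sub = line.strip()
            m = re.match(r"nameif (\S+)", sub)
            if m:
                current["nameif"] = m.group(1)
                interfaces[m.group(1)] = current   # same dict, later lines fill it
            m = re.match(r"security-level (\d+)", sub)
            if m:
                current["level"] = int(m.group(1))
            continue
        current = None                             # left the interface block
        if line == "same-security-traffic permit inter-interface":
            same_security = True
        m = re.match(r"access-list (\S+) (.*)", line)
        if m:
            acls[m.group(1)].append(m.group(2))
        m = re.match(r"access-group (\S+) in interface (\S+)", line)
        if m:
            inbound[m.group(2)] = m.group(1)

    return {"interfaces": interfaces, "inbound": inbound,
            "acls": dict(acls), "same_security": same_security}


def zones_by_level(cfg):
    """Group nameifs by security-level: the 'logical zones' of the thread."""
    zones = defaultdict(list)
    for name, intf in cfg["interfaces"].items():
        zones[intf["level"]].append(name)
    return {level: sorted(names) for level, names in zones.items()}


def audit(cfg):
    """List interfaces that break the design: no inbound ACL, or an ACL bound
    but never defined. Also note if same-security-traffic is missing."""
    findings = []
    if not cfg["same_security"]:
        findings.append("global: same-security-traffic permit inter-interface not set")
    for name in sorted(cfg["interfaces"]):
        acl = cfg["inbound"].get(name)
        if acl is None:
            findings.append(f"{name}: no inbound access-group (FWSM needs one on every interface)")
        elif acl not in cfg["acls"]:
            findings.append(f"{name}: access-group references undefined ACL {acl}")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for level, names in sorted(zones_by_level(cfg).items()):
        print(f"security-level {level}: {', '.join(names)}")
    for finding in audit(cfg):
        print("FINDING:", finding)
```

Run against the sample, the script groups `dmz1`/`dmz2` under level 50 and `safe1`/`safe2` under level 70, and reports only `safe2` as lacking an inbound ACL; because the audit keys off `access-group` bindings rather than security-level equality, it would flag the same gap even if every interface sat at one level.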
04-28-2010 06:16 AM
Hi, re-posting as I'm not sure if you picked up this further question? (this is the first time I've used this forum)
Thanks for the clarification on security levels. Is there another way it may be possible to create 'logical' DMZ and Safezones on the FWSM?
regards
Don
04-28-2010 06:21 AM
No, there is no other way except the way you have mentioned on your original post.
Alternatively, instead of having 3 DMZ subnets, you can configure 1 bigger range of DMZ subnet as your goal is for all the subnets to be communicating freely with each other anyway.
So, instead of 3 DMZ VLAN, with subnet of for example: 192.168.0.0/24, 192.168.1.0/24 and 192.168.2.0/24, why don't you just have 1 big DMZ subnet of 192.168.0.0/22, then all hosts within the DMZ can communicate freely.
Then configure the same for Safezones, and only segregate communication between DMZ and Safezones through the FWSM.
04-28-2010 06:47 AM
OK thanks. ACLs are the way to do it, then. (Re-numbering is out of the question as it's a live datacentre.)
regards
Don