FWSM security levels concept

Hi all,

I have 5 different VLANs created on the FWSM, each one with a different security level. I have version 3.7 in single context mode and NAT disabled.

For traffic flowing from one interface with a security level of 100 (called inside) to another with a security level of 20 (called WEB), I need to create an access-list and apply it inbound on the inside interface to permit traffic to the WEB interface, but I don't need to create an access-list on the WEB interface in order to permit the return traffic. Is this correct?

If I want some host on the WEB interface to have access to the inside host, do I need to create an access-list and apply it inbound on the WEB interface, and do I also need to create an access-list on the inside interface in order to permit the return traffic? I am confused by the concept of security levels because I cannot see any advantage in defining different security levels.

Regards

Accepted Solution

Jon Marshall
Hall of Fame

Vicente

With a stateful firewall you do not need access-lists to allow the return traffic as that is what stateful firewalls do. So in your case

Inside -> Web - you only need access-list on inside interface

Web -> Inside - you only need access-list on WEB interface.

Note in the above 2 examples we are talking about where the connection is initiated from and not referring to return traffic.

On standalone PIX/ASA devices traffic is allowed from a higher to a lower security interface without an access-list. Only the FWSM requires an access-list no matter what the security level. I admit this can be a bit confusing.

HTH

Jon

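A concrete FWSM configuration for the two cases Jon describes, as an added example that is not part of the thread (VLAN numbers, addresses and ports are constructed; only two of the five interfaces are shown):

```cisco
! Constructed example: two of the FWSM's VLAN interfaces
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface Vlan20
 nameif WEB
 security-level 20
 ip address 10.20.0.1 255.255.255.0
!
! Case 1: connections initiated from inside towards WEB.
! On the FWSM an inbound ACL on "inside" is required even though 100 > 20
! (a standalone PIX/ASA would permit this by default). Nothing is applied
! on WEB for the reply packets: the stateful connection table allows them.
access-list INSIDE_IN extended permit tcp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 eq www
access-list INSIDE_IN extended permit tcp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 eq https
access-group INSIDE_IN in interface inside
!
! Case 2: connections initiated from a WEB host towards an inside host,
! e.g. a web server reaching a database (constructed addresses and port).
! The ACL goes inbound on WEB only; the inside interface needs no extra
! entry for the returning traffic.
access-list WEB_IN extended permit tcp host 10.20.0.10 host 10.10.0.50 eq 1433
access-group WEB_IN in interface WEB
```

To confirm the behaviour, `show conn` lists the connections the FWSM is tracking (including the ones whose return traffic is passing without an ACL), and `show access-list INSIDE_IN` / `show access-list WEB_IN` show the hit counts per entry.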

2 Replies


Thanks Jon,

I was confused because in a regular ASA you don't need to configure the access-list from a higher to a lower security interface, and in the FWSM you do need to apply an inbound access-list on the interface no matter the security level.

It looks to me that the concept of security level for the FWSM is not useful at all.

Regards!
