01-30-2008 10:12 AM - edited 03-11-2019 04:56 AM
Hi all,
I have 5 different VLANs created on the FWSM each one with different security levels. I have version 3.7 in single context mode and NAT disabled.
For traffic flowing from one interface with a security level of 100 (called inside) to another with a security level of 20 (called WEB), I need to create an access-list and apply it inbound on the inside interface to permit traffic to the WEB interface, but I don't need to create an access-list on the WEB interface in order to permit the return traffic. Is this correct?
If I want some hosts on the WEB interface to have access to the inside hosts, do I need to create an access-list and apply it inbound on the WEB interface, and also create an access-list on the inside interface in order to permit the return traffic? I am confused with the concept of security levels because I cannot see any advantage in defining different security levels.
Regards
01-30-2008 11:38 PM
Vicente
With a stateful firewall you do not need access-lists to allow the return traffic as that is what stateful firewalls do. So in your case
Inside -> Web - you only need access-list on inside interface
Web -> Inside - you only need access-list on WEB interface.
Note in the above 2 examples we are talking about where the connection is initiated from and not referring to return traffic.
On standalone PIX/ASA devices traffic is allowed from a higher to a lower security interface without an access-list. Only the FWSM requires an access-list no matter what the security level. I admit this can be a bit confusing.
HTH
Jon
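As an added example (not from Jon's reply or anywhere else in this thread), here is what the two rules above look like as FWSM configuration in single-context mode with NAT disabled. The interface names "inside" and "WEB" are the ones from the question; the subnets, host addresses and ports are assumptions made for the example.

```cisco
! Added example, not the original poster's configuration.
! Assumed addressing: inside = 10.1.100.0/24, WEB = 10.1.20.0/24.
!
! Inside -> WEB: on the FWSM an access-list is required even from the
! higher-security interface. It is applied inbound on the interface where
! the connection is initiated, i.e. "inside".
access-list inside_access_in extended permit tcp 10.1.100.0 255.255.255.0 10.1.20.0 255.255.255.0 eq www
access-list inside_access_in extended permit tcp 10.1.100.0 255.255.255.0 10.1.20.0 255.255.255.0 eq https
access-group inside_access_in in interface inside
!
! WEB -> inside: only what the web tier must initiate, here one assumed
! web host reaching one assumed database host on a single port. No
! access-list entry on "inside" is needed for the replies to either
! direction; the stateful connection table takes care of return traffic.
access-list WEB_access_in extended permit tcp host 10.1.20.10 host 10.1.100.50 eq 1433
! Every access-list ends in an implicit deny; an explicit logged deny
! makes attempts from the less trusted WEB segment visible in syslog.
access-list WEB_access_in extended deny ip any any log
access-group WEB_access_in in interface WEB
```

To confirm the behaviour Jon describes, initiate a connection from the inside subnet to a WEB host and look at `show conn`: the session appears once, and `show access-list` shows hit counts only on `inside_access_in`, with nothing required on `WEB_access_in` for the replies. The same test from WEB towards inside on a port not permitted above is dropped and, with the logged deny, reported in syslog.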
02-01-2008 08:11 AM
Thanks Jon,
I was confused because in a regular ASA you don't need to configure the access-list from a higher to a lower security interface, and in the FWSM you do need to apply an inbound access-list on the interface no matter the security level.
It looks to me that the concept of security level for the FWSM is not useful at all.
Regards!