Migrating Router ACL to FWSM

jeffchiniewicz
Level 1

I have been tasked with migrating a couple routers with ACLs to FWSMs on a 7600.

My question is - except for the interface IDs can I just copy the existing ACLs from the Router to the FWSM? Will that work? Or do I have to create a brand new rule set?

Thanks

Jeff

4 Replies

Jon Marshall
Hall of Fame

Firstly, the router ACLs will probably be using inverse masks,

eg. permit tcp 172.16.10.0 0.0.0.255 host 192.168.1.1 eq www

PIX rulesets don't use inverse masks, so it would be

permit tcp 172.16.10.0 255.255.255.0 host 192.168.1.1 eq www

Secondly, it also depends on what lines are actually in your ACL. If there are lines with the established keyword, for example, you wouldn't need these on the FWSM as you are now dealing with a fully stateful firewall.

You also need to be aware of the NAT statements you may well need, but without knowing your topology it is difficult to comment.

HTH

HTH,

Thank you. That is good advice.

So, other than those caveats, I should be able to copy them over and go?

yes you should be fine.

I would stress that you may well need NAT statements on the FWSM (if you are running it in routed mode), otherwise access will be denied.

To apply the access-list to the interface you use a slightly different command -

access-group "access-list name" in interface "interface name".

By the way HTH is shorthand for Hope this Helps :-)
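The two mechanical parts of the advice above (flip the inverse masks, drop the "established" lines, then bind the list with access-group) are exactly the kind of thing worth scripting rather than retyping by hand across a couple of routers. The converter below is an added example for this thread, not code posted by anyone in it. It assumes an IOS extended ACL named RTR_IN, an FWSM interface named "inside" and FWSM 3.x syntax (the "extended" keyword); all three are made up for illustration. It refuses discontiguous wildcards and any keyword it does not know how to translate, so nothing is silently widened or dropped.

```python
"""Convert IOS extended ACL lines to FWSM/PIX syntax.

Added example for this thread, not code from the thread itself.
Assumed for illustration: ACL name RTR_IN, FWSM interface "inside",
FWSM 3.x syntax (drop the "extended" keyword for 2.x).
"""
import ipaddress
import re

# Constructed sample input: an IOS extended ACL as "show run" prints it.
IOS_ACL = """\
ip access-list extended RTR_IN
 remark web and dns from branch, return traffic, catch-all deny
 permit tcp 172.16.10.0 0.0.0.255 host 192.168.1.1 eq www
 permit tcp any 192.168.1.0 0.0.0.255 established
 permit udp 10.0.0.0 0.255.255.255 host 192.168.1.53 eq domain
 deny ip any any log
"""

PORT_OPS = ("eq", "gt", "lt", "neq")


def wildcard_to_mask(wildcard: str) -> str:
    """Invert an IOS wildcard (0.0.0.255) into a subnet mask (255.255.255.0).

    Refuses discontiguous wildcards: the FWSM cannot express them, and
    "fixing" one silently would widen or narrow the rule.
    """
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    # A contiguous mask is 1...10...0, so OR-ing in (mask - 1) fills every
    # low bit; anything else means ones and zeroes are interleaved.
    if mask and (mask | (mask - 1)) != 0xFFFFFFFF:
        raise ValueError(f"discontiguous wildcard {wildcard} has no FWSM equivalent")
    return str(ipaddress.IPv4Address(mask))


def _parse_addr(tokens, i):
    """Read one address spec at tokens[i]; return (fwsm_text, next_index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {wildcard_to_mask(tokens[i + 1])}", i + 2


def _parse_port(tokens, i):
    """Read an optional port qualifier (eq/gt/lt/neq X, or range A B)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        return f"{tokens[i]} {tokens[i + 1]}", i + 2
    if i < len(tokens) and tokens[i] == "range":
        return f"range {tokens[i + 1]} {tokens[i + 2]}", i + 3
    return "", i


def convert_ace(ace: str):
    """Convert one IOS ACE body to FWSM form.

    Returns None for an 'established' rule: the stateful firewall's
    connection table already permits that return traffic.
    """
    tokens = ace.split()
    action, proto, i = tokens[0], tokens[1], 2
    src, i = _parse_addr(tokens, i)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    rest = tokens[i:]
    if "established" in rest:
        return None
    # Only 'log' carries over as-is; anything else (icmp types, time
    # ranges, log-input, ...) needs a human, so fail loudly.
    extra = [t for t in rest if t != "log"]
    if extra:
        raise ValueError(f"unhandled keywords {extra} in: {ace}")
    parts = [action, proto, src, sport, dst, dport] + (["log"] if "log" in rest else [])
    return " ".join(p for p in parts if p)


def convert_acl(ios_text: str):
    """Convert an 'ip access-list extended NAME' block.

    Returns (name, fwsm_lines, dropped_established_lines).
    """
    name, out, dropped = None, [], []
    for raw in ios_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        header = re.match(r"ip access-list extended (\S+)$", line)
        if header:
            name = header.group(1)
            continue
        if name is None:
            raise ValueError("ACE appears before the access-list header")
        if line.split()[0].isdigit():          # strip IOS sequence numbers
            line = line.split(None, 1)[1]
        if line.startswith("remark "):
            out.append(f"access-list {name} {line}")
            continue
        body = convert_ace(line)
        if body is None:
            dropped.append(line)
        else:
            out.append(f"access-list {name} extended {body}")
    return name, out, dropped


def access_group(name: str, interface: str) -> str:
    """The FWSM command that binds the ACL inbound on an interface."""
    return f"access-group {name} in interface {interface}"


if __name__ == "__main__":
    acl_name, lines, dropped = convert_acl(IOS_ACL)
    print("\n".join(lines))
    print(access_group(acl_name, "inside"))
    for d in dropped:
        print(f"! dropped, return traffic is handled by state: {d}")
```

Run it and paste the output into the FWSM context; the dropped lines are printed as comments so the reviewer can confirm each one really was an "established" return-traffic rule and not something that needs a policy decision. The script deliberately does nothing about NAT: as the replies above note, in routed mode the FWSM will still deny traffic that has no matching NAT statement unless that requirement is turned off, and that decision depends on the topology, not on the ACL text.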

I think 3.1(4) allows you to disable using NAT. It might even be disabled by default.
