I'm using a FWSM with static nat. I have an outside interface connected to the internet. I have an inside interface with security level 100. I added a second interface with security level of 100.
With ACLs I'm not able to allow traffic to pass from one inside interface to another. I enabled 'same-security-traffic' between same security level interfaces.
Is there no means to allow traffic via ACLs between these interfaces? If I have to use the same-security-traffic command, then do I need to use deny ACLs to restrict unwanted traffic?
I need to add a DMZ interface. I planned to assign a security level for the DMZ somewhere between 0 and 100. Will I be able to use ACLs to allow some traffic from the inside interface to the DMZ? I hope so. If that is the case, maybe I should give the inside interface a level of 100 and all others less than 100 to avoid the same-security-traffic command.
With the Firewall Services Module, the high-to-low security behaviour we know from the PIX/ASA does not apply in the same way. You have to explicitly apply access groups to each interface to allow traffic flow. High-to-low security levels do not allow traffic to flow without them.
The same-security-traffic command has two keywords. The permit intra-interface keyword basically allows traffic to flow in and back out of the same interface without the AS Algorithm dropping it; it is typically used with VPNs etc.
The permit inter-interface keyword allows interfaces with the same security level to communicate with each other.
In your scenario, where you have same security levels on the FWSM, you would need to apply both the ACLs and the same-security-traffic permit inter-interface command.
You would not need to apply deny ACLs for unwanted traffic, as traffic would need to be allowed in your ACLs; all other traffic would be denied by default, and typically you may follow up with a deny any any log at the bottom of your list anyway.
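As an added illustration of the answer above (not configuration from the original post or from Cisco), the following FWSM fragment shows the combination described: two interfaces at security-level 100, same-security-traffic permit inter-interface enabled, and an explicit inbound access-group on each interface with only the wanted flows permitted and an explicit logged deny at the end. The DMZ interface at level 50 is included to show that on the FWSM it still needs its own access-group. VLAN numbers, interface names, addresses and the HTTPS-only policy are assumed for the example.

```cisco
! Assumed VLAN interfaces; addresses are example values
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan20
 nameif inside2
 security-level 100
 ip address 10.2.2.1 255.255.255.0
!
interface Vlan30
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! Required for any traffic between two security-level 100 interfaces
same-security-traffic permit inter-interface
!
! inside -> inside2 (HTTPS only) and inside -> dmz web servers
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 443
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 192.0.2.0 255.255.255.0 eq 443
! Implicit deny already applies; an explicit logged deny makes drops visible in syslog
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! inside2 -> inside (HTTPS only); the return traffic of established
! connections is allowed by the stateful inspection, not by this ACL
access-list INSIDE2_IN extended permit tcp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 443
access-list INSIDE2_IN extended deny ip any any log
access-group INSIDE2_IN in interface inside2
!
! The FWSM does not let the DMZ reach the inside networks just because
! 50 < 100; without an access-group on dmz, no DMZ-initiated flow passes
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
!
! Assumption: if nat-control is enabled on this module, an identity
! static is also needed for each pair of interfaces that talk to each other
! static (inside,inside2) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
! static (inside2,inside) 10.2.2.0 10.2.2.0 netmask 255.255.255.0
```

To check the result, `show running-config same-security-traffic` confirms the inter-interface permit is present, and `show access-list INSIDE_IN` shows per-line hit counts, so a flow that is being dropped shows up as hits on the final deny line (and as a syslog entry because of the log keyword) rather than as silence.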