topic Re: 6500 FWSM security level problem in Network Security https://community.cisco.com/t5/network-security/6500-fwsm-security-level-problem/m-p/680872#M1024481 <HTML><HEAD></HEAD><BODY><P>Hi Sonu </P><P></P><P>Couple of things to check. </P><P></P><P>1) Did you setup NAT from inside to DMZ ? </P><P></P><P>2) Did you create an access-list for both the DMZ interface and the inside interface. </P><P>Ping is not stateful so you need to let it back in from the DMZ. </P><P>BUT, unlike a standalone pix where traffic is allowed to flow by default from a higher to lower level security interface ie inside to DMZ in your case, this rule does not apply on the FWSM. You will still need an access-list on the inside interface. </P><P></P><P>HTH </P><P></P><P>Jon </P></BODY></HTML> Thu, 01 Mar 2007 18:05:48 GMT Jon Marshall 2007-03-01T18:05:48Z 6500 FWSM security level problem https://community.cisco.com/t5/network-security/6500-fwsm-security-level-problem/m-p/680871#M1024479 <P>Hi,</P><P></P><P>I am facing an issue with a new 6500 router (IOS version 12.2 ) having a FWSM module. (FWSM Version 2.3(3)) which is like this:-</P><P></P><P>I have three Vlans INSIDE, OUTSIDE and DMZ with security levels 100, 0 and 50 respectively.I have created appropriate access control lists for pinging between Vlans ( INSIDE to DMZ ). But the hosts cannot ping.</P><P></P><P>However when i give the SAME security level to ALL VLANs ( INSIDE, OUTSIDE and DMZ) and give the command " </P><P>same-security-traffic permit inter-interface " , it works fine. </P><P></P><P>I am totally at a loss to understand this. This might be a workaround but , i guess the ideal situation is to give different sec levels to vlans and then control access.</P><P></P><P>Could some please advice on this issue.</P><P></P><P>Thanks &amp; regards</P><P></P><P>Sonu</P> Mon, 11 Mar 2019 09:40:24 GMT https://community.cisco.com/t5/network-security/6500-fwsm-security-level-problem/m-p/680871#M1024479 Sonugnair_2 2019-03-11T09:40:24Z Re: 6500 FWSM security level problem https://community.cisco.com/t5/network-security/6500-fwsm-security-level-problem/m-p/680872#M1024481 <HTML><HEAD></HEAD><BODY><P>Hi Sonu </P><P></P><P>Couple of things to check. </P><P></P><P>1) Did you setup NAT from inside to DMZ ? </P><P></P><P>2) Did you create an access-list for both the DMZ interface and the inside interface. </P><P>Ping is not stateful so you need to let it back in from the DMZ. </P><P>BUT, unlike a standalone pix where traffic is allowed to flow by default from a higher to lower level security interface ie inside to DMZ in your case, this rule does not apply on the FWSM. You will still need an access-list on the inside interface. </P><P></P><P>HTH </P><P></P><P>Jon </P></BODY></HTML> Thu, 01 Mar 2007 18:05:48 GMT https://community.cisco.com/t5/network-security/6500-fwsm-security-level-problem/m-p/680872#M1024481 Jon Marshall 2007-03-01T18:05:48Z