https://community.cisco.com/t5/network-security/fwsm-and-security-levels/m-p/709252#M1025797 <HTML><HEAD></HEAD><BODY><P>that's correct.</P></BODY></HTML> Sat, 17 Feb 2007 04:40:07 GMT daviddtran 2007-02-17T04:40:07Z https://community.cisco.com/t5/network-security/fwsm-and-security-levels/m-p/709249#M1025794 <P>I'm hoping someone can clarify a difference that I'm seeing between the PIX 6.x and FWSM 3.x.</P><P></P><P>Assume a 3 interface firewall (outside,inside,dmz) with no address translation going on at all. The inside has the highest security level, the dmz is lower, and the outside is 0. With 6.x, to allow connections from lower to higher interfaces I would configure a static and use an access list to permit the desired traffic (along with a nat 0 statement for the inside and dmz).</P><P></P><P>Now assume a FWSM running 3.1.3 (routed context) using the same configuration as above. I understand that NAT statements in this case are no longer needed. It would also appear that I no longer need a static either, and connections between security levels (even lower to higher) seem to be solely controlled by access lists. I'm attaching the config of a FWSM context that I used for testing.</P><P></P><P>In this test config I purposely set the security level of the Inside to be lower then the DMZ, unless I modify the inside_in access-list to prevent it, the FWSM happily allows connections from lower to higher.</P><P></P><P>I'm confused that the security levels don't seem to be preventing traffic by default. If someone could confirm if this is proper behavior for the FWSM that would be great.</P><P></P><P>Thanks </P><P></P><P> </P><P></P> Mon, 11 Mar 2019 09:34:43 GMT https://community.cisco.com/t5/network-security/fwsm-and-security-levels/m-p/709249#M1025794 KENT EITZMANN 2019-03-11T09:34:43Z https://community.cisco.com/t5/network-security/fwsm-and-security-levels/m-p/709250#M1025795 <HTML><HEAD></HEAD><BODY><P>fwsm 3.1(3) and 7.x is behaved this way by </P><P>default. By default, "no nat-control" is </P><P>enabled, unless you decide to disable it with</P><P>"nat-control".</P><P></P><P>Remember, the FWSM is operating in "routed" </P><P>in your configuration. Because you are NOT</P><P>doing any static NAT, traffics are controlled</P><P>by your ACL which they are.</P><P></P><P>David</P><P>CCIE Security</P></BODY></HTML> Sat, 17 Feb 2007 00:57:05 GMT https://community.cisco.com/t5/network-security/fwsm-and-security-levels/m-p/709250#M1025795 daviddtran 2007-02-17T00:57:05Z https://community.cisco.com/t5/network-security/fwsm-and-security-levels/m-p/709251#M1025796 <HTML><HEAD></HEAD><BODY><P>David,</P><P></P><P>Thanks for the reply. So, if I'm not using address translation and follow these steps with the FWSM I will be Ok ? </P><P></P><P>- no nat-control</P><P>- no nat0 statements</P><P>- no static statements</P><P>- control packet flow with access lists</P><P></P><P></P></BODY></HTML> Sat, 17 Feb 2007 03:48:14 GMT https://community.cisco.com/t5/network-security/fwsm-and-security-levels/m-p/709251#M1025796 KENT EITZMANN 2007-02-17T03:48:14Z https://community.cisco.com/t5/network-security/fwsm-and-security-levels/m-p/709252#M1025797 <HTML><HEAD></HEAD><BODY><P>that's correct.</P></BODY></HTML> Sat, 17 Feb 2007 04:40:07 GMT https://community.cisco.com/t5/network-security/fwsm-and-security-levels/m-p/709252#M1025797 daviddtran 2007-02-17T04:40:07Z