topic What code version are you in Network Security

CISCO FWSM - Enable traffic between two or more hosts connected to the same interface

Anderson Ribeiro — Tue, 12 Mar 2019 06:56:53 GMT

Hi guys!

I have a doubt here, I have a Cisco FWSM and I would like to active the parameter describe bellow:

"Enable traffic between two or more hosts connected to the same interface"

The motive to enable this is because I have many static rules without necessary like this:

static (BASE-ADV,NET-INT) 10.37.0.0 10.37.0.0 netmask 255.255.255.0

My FWSM is in production at this time and I can't stop the service and I can't lost any rule there.

What will happen when I active this parameter?

What will happen with the statics rules after I active the parameter?

Whats the risk

Thank you very much!

Regards,

Anderson.

It's not clear how enabling

Jon Marshall — Wed, 25 Nov 2015 16:12:56 GMT

It's not clear how enabling traffic between hosts connected to the same interface is related to your static NAT statement.

The static NAT is for traffic between two different interfaces so how will enabling traffic between hosts on the same interface replace that static NAT.

Can you clarify exactly what you are trying to do ?

Jon

Jon,

Anderson Ribeiro — Wed, 25 Nov 2015 17:24:17 GMT

Jon,

In this case is different, look:

static (BASE-ADV,NET-INT) 10.37.0.0 10.37.0.0 netmask 255.255.255.0

Interface BASE-ADV

Interface NET-INT

Thank you!

Yes, they are different

Jon Marshall — Wed, 25 Nov 2015 18:06:29 GMT

Yes, they are different interfaces, that was my point.

How does enabling traffic between hosts on the same interface having anything to do with traffic between different interfaces ?

Jon

For example, if I need create

Anderson Ribeiro — Wed, 25 Nov 2015 19:30:02 GMT

For example, if I need create the rule where the IP 10.10.10.10 (Interface ADV-X) connect to 20.20.20.20 (Interface ADV-Y), so I need do this:

access-list ADV-X extended permit ip any host 10.10.10.10 host 20.20.20.20

static (ADV-Y,ADV-X) 20.20.20.20 20.20.20.20 netmask 255.255.255.255

What that I want to do is not use the static line more. Use only "access-list".

For this I enable the parameter "Enable traffic between two or more hosts connected to the same interface"

Do you agree?

Tks!

No I don't agree because the

Jon Marshall — Wed, 25 Nov 2015 19:36:02 GMT

No I don't agree because the example you gave is using two different interfaces.

Jon

Ok, sorry. I understood that

Anderson Ribeiro — Wed, 25 Nov 2015 20:20:13 GMT

Ok, sorry. I understood that I said.

How you would to do use only the acl in this case?

Thank you.

What code version are you

Jon Marshall — Wed, 25 Nov 2015 21:35:10 GMT

What code version are you running on the FWSM ?

What exactly is the problem with the static statements , do you just want to tidy up the configuration ?

Jon

FWSM Firewall Version 4.1(11)

Anderson Ribeiro — Thu, 26 Nov 2015 10:41:12 GMT

FWSM Firewall Version 4.1(11)

The problem is that I would like not use static rules when the rule is to same IP. I want to use only access-list in this case.

I saw in the documentation about "Static Identity NAT"

For example, I have the IP 10.10.10.10 in the interface LAN_X and I need permit this IP to connect the IP 20.20.20.20 in the interface DMZ in any port. How can I create this rule?

Option 1:

access-list LAN_X permit ip host 10.10.10.10 host 20.20.20.20

static (DMZ,LAN_X) 20.20.20.20 20.20.20.20 netmask 255.255.255.255

Option 2 (That I want configure):

access-list LAN_X permit ip host 10.10.10.10 host 20.20.20.20

What that I need configure to not use static rule in cases that I have the same destination IP?

Thank you.