https://community.cisco.com/t5/network-security/fwsm-cbac/m-p/2226105#M346354 <HTML><HEAD></HEAD><BODY><P>Hello Frederico,</P><P></P><P>By default on a FWSM traffic from the inside to the router will be allowed and statefully inspected.</P><P></P><P>And traffic from lower to higher will be blocked. No need to configure it </P><P></P><P><SPAN>For more information about Core and Security Networking follow my website at </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking">http://laguiadelnetworking</A><SPAN>. </SPAN><BR /> <BR /><SPAN>Any question contact me at </SPAN><A class="jive-link-email-small" href="mailto:jcarvaja@laguiadelnetworking.com">jcarvaja@laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR />Cheers, <BR /> <BR />Julio Carvajal Segura</P></BODY></HTML> Mon, 02 Sep 2013 17:35:57 GMT Julio Carvajal 2013-09-02T17:35:57Z https://community.cisco.com/t5/network-security/fwsm-cbac/m-p/2226102#M346349 <P>Hi,</P><P></P><P>With CBAC I can inspect traffic, with FWSM can I configure the same process? </P><P></P><P>thanks</P> Tue, 12 Mar 2019 02:12:42 GMT https://community.cisco.com/t5/network-security/fwsm-cbac/m-p/2226102#M346349 frede_frede 2019-03-12T02:12:42Z https://community.cisco.com/t5/network-security/fwsm-cbac/m-p/2226103#M346351 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Yes, you can,</P><P></P><P>The FWSM is an stateful firewall and I would say its way more flexible than CBAC,</P><P></P><P>It´s whole purpose is to be stateful so you should go for it <SPAN __jive_emoticon_name="grin" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/grin.gif"></SPAN></P><P></P><P></P><P><SPAN>For Networking Posts check my blog at </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking.com/">http://laguiadelnetworking.com/</A><SPAN> </SPAN><BR /> <BR />Cheers, <BR /> <BR />Julio Carvajal Segura</P></BODY></HTML> Tue, 16 Jul 2013 17:01:26 GMT https://community.cisco.com/t5/network-security/fwsm-cbac/m-p/2226103#M346351 Julio Carvajal 2013-07-16T17:01:26Z https://community.cisco.com/t5/network-security/fwsm-cbac/m-p/2226104#M346353 <HTML><HEAD></HEAD><BODY><P>Hi Julio,</P><P></P><P>thanks for the answer.</P><P></P><P>But for example, I don't know how to configure a thing like this in the fwsm</P><P></P><P>Router(config)# ip access-list extended EXTERNAL-ACL</P><P>Router(config-ext-nacl)# deny tcp any any log</P><P>Router(config-ext-nacl)# deny udp any any log</P><P>Router(config-ext-nacl)# deny icmp any any log</P><P>Router(config-ext-nacl)# deny ip any any</P><P>Router(config)# ip inspect name CBAC-EXAMPLE tcp</P><P>Router(config)# ip inspect name CBAC-EXAMPLE udp</P><P>Router(config)# ip inspect name CBAC-EXAMPLE icmp</P><P>Router(config)# interface ethernet0</P><P>Router(config-if)# ip access-group EXTERNAL-ACL in</P><P>Router(config-if)# ip inspect CBAC-EXAMPLE out</P><P></P><P>thanks</P><P></P><P>Regards</P><P></P><P>Fred</P></BODY></HTML> Mon, 02 Sep 2013 14:58:48 GMT https://community.cisco.com/t5/network-security/fwsm-cbac/m-p/2226104#M346353 frede_frede 2013-09-02T14:58:48Z https://community.cisco.com/t5/network-security/fwsm-cbac/m-p/2226105#M346354 <HTML><HEAD></HEAD><BODY><P>Hello Frederico,</P><P></P><P>By default on a FWSM traffic from the inside to the router will be allowed and statefully inspected.</P><P></P><P>And traffic from lower to higher will be blocked. No need to configure it </P><P></P><P><SPAN>For more information about Core and Security Networking follow my website at </SPAN><A class="jive-link-external-small" href="http://laguiadelnetworking">http://laguiadelnetworking</A><SPAN>. </SPAN><BR /> <BR /><SPAN>Any question contact me at </SPAN><A class="jive-link-email-small" href="mailto:jcarvaja@laguiadelnetworking.com">jcarvaja@laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR />Cheers, <BR /> <BR />Julio Carvajal Segura</P></BODY></HTML> Mon, 02 Sep 2013 17:35:57 GMT https://community.cisco.com/t5/network-security/fwsm-cbac/m-p/2226105#M346354 Julio Carvajal 2013-09-02T17:35:57Z https://community.cisco.com/t5/network-security/fwsm-cbac/m-p/2226106#M346355 <HTML><HEAD></HEAD><BODY><P>The ASA, as Julio has mentioned, is a stateful firewall.&nbsp; Meaning it keeps track of the connection that originate on interfaces that are configured to allow such connections.</P><P></P><P>initially this is enabled through the use of security-levels. Interfaces configured with higher security-levels are allowed to initiate traffic to interfaces with lower security levels.&nbsp; These connection are then placed in a state table which is then inspected when the return traffic reaches the ASA.&nbsp; If the ASA finds a match in the state table for the return traffic the traffic is permited, otherwise it is dropped.</P><P></P><P>Once you configure an ACL on the interface then the security-level no longer has any meaning (until you remove all ACLs on the interface).&nbsp; Then traffic is permitted based on the configured ACL.&nbsp; All traffic that is permitted by the ACL is placed in the state table which is agian checked and permitted for the return traffic.</P></BODY></HTML> Tue, 03 Sep 2013 10:18:19 GMT https://community.cisco.com/t5/network-security/fwsm-cbac/m-p/2226106#M346355 Marius Gunnerud 2013-09-03T10:18:19Z