https://community.cisco.com/t5/network-security/fwsm-access-lists/m-p/1977053#M440503 <P>On the ASA, an inbound access-list controls traffic coming into an interface, aka ingress traffic.</P><P></P><P>So if I have an Internet-facing interface (outside) with security 0, and I wanted to control inbound traffic through this interface to internal hosts (on a dmz perhaps), I would apply the access-list as so</P><P></P><P>access-group TEST in interface outside</P><P></P><P>but I am looking at a FWSM config that seems to be doing the opposite. It has a vlan interface defined like this</P><P></P><P>interface Vlan58</P><P> description Network Management VLAN </P><P> nameif NetworkMgt</P><P> security-level 50</P><P> ip address 172.100.100.1 255.255.255.0 </P><P></P><P>and an access-list that reads like this</P><P></P><P></P><P>access-list NETWORKMGT-IN remark THESE ACL STATEMENT PERMIT TRAFFIC FROM INSIDE THE SUBNET TO OUTSIDE HOSTS</P><P>access-list NETWORKMGT-IN extended permit tcp object-group CITRIX-SERVERS object-group DATABASE-SERVERS eq sqlnet</P><P></P><P>with the CITRIX-SERVERS as hosts on Vlan58 (172.100.100.0 /24)</P><P></P><P>and the access-list is applied as so:</P><P></P><P>access-group NETWORKMGT-IN in interface NetworkMgt</P><P></P><P>So what do we mean by "in" --this is obviously egress traffic out of the interface, not traffic coming into the interface from the outside. On the FWSM do we control traffic into a vlan by a outbound access-list?</P><P></P><P>This just seems strange to me. Any advice would help.</P> Mon, 11 Mar 2019 23:22:39 GMT Colin Higgins 2019-03-11T23:22:39Z https://community.cisco.com/t5/network-security/fwsm-access-lists/m-p/1977053#M440503 <P>On the ASA, an inbound access-list controls traffic coming into an interface, aka ingress traffic.</P><P></P><P>So if I have an Internet-facing interface (outside) with security 0, and I wanted to control inbound traffic through this interface to internal hosts (on a dmz perhaps), I would apply the access-list as so</P><P></P><P>access-group TEST in interface outside</P><P></P><P>but I am looking at a FWSM config that seems to be doing the opposite. It has a vlan interface defined like this</P><P></P><P>interface Vlan58</P><P> description Network Management VLAN </P><P> nameif NetworkMgt</P><P> security-level 50</P><P> ip address 172.100.100.1 255.255.255.0 </P><P></P><P>and an access-list that reads like this</P><P></P><P></P><P>access-list NETWORKMGT-IN remark THESE ACL STATEMENT PERMIT TRAFFIC FROM INSIDE THE SUBNET TO OUTSIDE HOSTS</P><P>access-list NETWORKMGT-IN extended permit tcp object-group CITRIX-SERVERS object-group DATABASE-SERVERS eq sqlnet</P><P></P><P>with the CITRIX-SERVERS as hosts on Vlan58 (172.100.100.0 /24)</P><P></P><P>and the access-list is applied as so:</P><P></P><P>access-group NETWORKMGT-IN in interface NetworkMgt</P><P></P><P>So what do we mean by "in" --this is obviously egress traffic out of the interface, not traffic coming into the interface from the outside. On the FWSM do we control traffic into a vlan by a outbound access-list?</P><P></P><P>This just seems strange to me. Any advice would help.</P> Mon, 11 Mar 2019 23:22:39 GMT https://community.cisco.com/t5/network-security/fwsm-access-lists/m-p/1977053#M440503 Colin Higgins 2019-03-11T23:22:39Z https://community.cisco.com/t5/network-security/fwsm-access-lists/m-p/1977054#M440504 <HTML><HEAD></HEAD><BODY><P>On FWSM, you need to apply ACL on all interfaces to allow the traffic through the FWSM. </P><P></P><P>So on NetworkMgt interface, you would need to apply ACL for traffic initiated from behind this interface towards other interfaces. Similarly to the Outside interface, you would need to apply ACL for traffic initiated behind the Outside interface (aka Internet).</P><P></P><P>"in" means inbound towards the interface</P><P>"out" means outbound off that interface</P></BODY></HTML> Tue, 26 Jun 2012 03:32:16 GMT https://community.cisco.com/t5/network-security/fwsm-access-lists/m-p/1977054#M440504 Jennifer Halim 2012-06-26T03:32:16Z