topic Re: FWSM Explicit deny strange behavior in Network Security

FWSM Explicit deny strange behavior

phmazzoni — Mon, 11 Mar 2019 19:33:49 GMT

Hello,

I am having problems with a FWSM with multiple contexts implementation.

One of the contexts has a inside interface that must have a EXPLICIT deny ip any any.

The problem is:

When I put the ACE with the explicit deny at the end of the ACL all the traffic EXPLICIT permitted before it stops working.

If I remove the explicit deny, letting the IMPLICIT deny work, everything runs fine.

I am running the 4.0(4) code.

Any ideas?

Thanks in advance,

Pedro Mazzoni

Panos Kampanakis — Tue, 11 Jan 2011 18:20:04 GMT

Pedro,

Are you using ACL optimization?

phmazzoni — Tue, 11 Jan 2011 18:34:01 GMT

No PK, I am not using ACL optimization.

Thanks,
Pedro

phmazzoni — Tue, 11 Jan 2011 18:41:41 GMT

Sorry for the wrong answer PK, but I am using it.
I didn't know that this is enable by default.

Panos Kampanakis — Tue, 11 Jan 2011 19:16:21 GMT

No worries.

Let us know if this is answered.

phmazzoni — Tue, 11 Jan 2011 19:19:40 GMT

PK, do you think that this might be the problem?

If yes, how can ACL optimization cause it?

Thanks

Kureli Sankar — Tue, 11 Jan 2011 21:02:04 GMT

Fix is in 4.0.9 or above.

Or disable acl optimization.

http://www.cisco.com/cgi-bin/tablebuild.pl/cat6000-fwsm

Click on the All new releases will be available "here"

The latest in the 4.0 train is 4.0.13
ASDM is asdm-62(1)f.bin

-KS