https://community.cisco.com/t5/network-security/fwsm-security-level-question/m-p/1449566#M836544 <HTML><HEAD></HEAD><BODY><P>OK thanks.&nbsp; ACL's is the way to do it then.&nbsp;&nbsp; (Re-numbering is out of the question as it's a live datacentre)</P><P></P><P>regards</P><P>Don</P></BODY></HTML> Wed, 28 Apr 2010 13:47:22 GMT demslie 2010-04-28T13:47:22Z https://community.cisco.com/t5/network-security/fwsm-security-level-question/m-p/1449560#M836538 <P>Hi</P><P></P><P>I would like to create&nbsp; 'logical Zones' by 'grouping' a number of vlans on a FWSM&nbsp; version 4.0(4).</P><P>Can this be done by setting the same security-level for each 'zone' i.e. all DMZ vlans with security-level 50 </P><P>and all Safezone vlans with security-level 70 and using the same-security-traffic permit inter-interface command?</P><P>Each interface would still have ACL's to define traffic between Safezone and DMZ.</P><P></P><P>I guess the main question is on the FWSM.&nbsp; Does the traffic for interfaces set at the same security-level 'bypass' the ACL's</P><P>(which would effectively allow the above set up).</P><P></P><P>Or is it the case that once an ACL is applied to an interface, all traffic is permited only if defined in the ACL</P><P>and the security level is effectively ignored.</P><P></P><P>Thanks</P><P>Don</P> Mon, 11 Mar 2019 17:38:13 GMT https://community.cisco.com/t5/network-security/fwsm-security-level-question/m-p/1449560#M836538 demslie 2019-03-11T17:38:13Z https://community.cisco.com/t5/network-security/fwsm-security-level-question/m-p/1449561#M836539 <HTML><HEAD></HEAD><BODY><P>You are right. Even though the interfaces have same security level, once you applied an access-list, you would need to explicitly configure ACL to allow traffic between the same security level interface.</P></BODY></HTML> Wed, 28 Apr 2010 11:11:40 GMT https://community.cisco.com/t5/network-security/fwsm-security-level-question/m-p/1449561#M836539 Jennifer Halim 2010-04-28T11:11:40Z https://community.cisco.com/t5/network-security/fwsm-security-level-question/m-p/1449562#M836540 <HTML><HEAD></HEAD><BODY><P>Thanks for the clarification on security levels.&nbsp; Is there another way it may be possible to create 'logical' DMZ and Safezones on the FWSM?</P><P></P><P>regards</P><P>Don</P></BODY></HTML> Wed, 28 Apr 2010 12:11:11 GMT https://community.cisco.com/t5/network-security/fwsm-security-level-question/m-p/1449562#M836540 demslie 2010-04-28T12:11:11Z https://community.cisco.com/t5/network-security/fwsm-security-level-question/m-p/1449563#M836541 <HTML><HEAD></HEAD><BODY><P>Actually, with FWSM, eventhough they are same security level interface, you still need to configure access-list to allow the traffic. Unfortunately, with FWSM, there is a must to configure inbound access-list on every single VLAN interface whether they are same security level, or not.</P><P></P><P>With ASA/PIX firewall, if they are in same security level interface, you don't need to configure ACL, however, once you apply an ACL on the interface, you would need to explicitly allow traffic between same security interfaces.</P></BODY></HTML> Wed, 28 Apr 2010 12:17:46 GMT https://community.cisco.com/t5/network-security/fwsm-security-level-question/m-p/1449563#M836541 Jennifer Halim 2010-04-28T12:17:46Z https://community.cisco.com/t5/network-security/fwsm-security-level-question/m-p/1449564#M836542 <HTML><HEAD></HEAD><BODY><P>Hi, re-posting as I'm not sure if you picked up this further question? (this is the first time I've used this forum)</P><P>Thanks for the clarification on security levels.&nbsp; Is there another way it may be possible to create 'logical' DMZ and Safezones on the FWSM?</P><P></P><P>regards</P><P>Don</P></BODY></HTML> Wed, 28 Apr 2010 13:16:09 GMT https://community.cisco.com/t5/network-security/fwsm-security-level-question/m-p/1449564#M836542 demslie 2010-04-28T13:16:09Z https://community.cisco.com/t5/network-security/fwsm-security-level-question/m-p/1449565#M836543 <HTML><HEAD></HEAD><BODY><P>No, there is no other way except the way you have mentioned on your original post.</P><P></P><P>Alternatively, instead of having 3 DMZ subnets, you can configure 1 bigger range of DMZ subnet as your goal is for all the subnets to be communicating freely with each other anyway.</P><P></P><P>So, instead of 3 DMZ VLAN, with subnet of for example: 192.168.0.0/24, 192.168.1.0/24 and 192.168.2.0/24, why don't you just have 1 big DMZ subnet of 192.168.0.0/22, then all hosts within the DMZ can communicate freely.</P><P></P><P>Then configure the same for Safezones, and only segregate communication between DMZ and Safezones through the FWSM.</P></BODY></HTML> Wed, 28 Apr 2010 13:21:15 GMT https://community.cisco.com/t5/network-security/fwsm-security-level-question/m-p/1449565#M836543 Jennifer Halim 2010-04-28T13:21:15Z https://community.cisco.com/t5/network-security/fwsm-security-level-question/m-p/1449566#M836544 <HTML><HEAD></HEAD><BODY><P>OK thanks.&nbsp; ACL's is the way to do it then.&nbsp;&nbsp; (Re-numbering is out of the question as it's a live datacentre)</P><P></P><P>regards</P><P>Don</P></BODY></HTML> Wed, 28 Apr 2010 13:47:22 GMT https://community.cisco.com/t5/network-security/fwsm-security-level-question/m-p/1449566#M836544 demslie 2010-04-28T13:47:22Z