<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic FWSM security levels concept in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/fwsm-security-levels-concept/m-p/850602#M955974</link>
    <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have 5 different VLANs created on the FWSM, each one with a different security level. I have version 3.7 in single context mode and NAT disabled.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For traffic flowing from one interface with a security level of 100 (called inside) to another with a security level of 20 (called WEB), I need to create an access-list and apply it inbound on the inside interface to permit traffic to the WEB interface, but I don't need to create an access-list on the WEB interface in order to permit the return traffic. Is this correct?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If I want some host on the WEB interface to have access to the inside host, do I need to create an access-list and apply it inbound on the WEB interface, and do I need to create an access-list on the inside interface in order to permit the return traffic? I am confused with the concept of security levels because I cannot see any advantage in defining different security levels.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&lt;/P&gt;</description>
    <pubDate>Mon, 11 Mar 2019 11:56:08 GMT</pubDate>
    <dc:creator>vicente.madrigal</dc:creator>
    <dc:date>2019-03-11T11:56:08Z</dc:date>
    <item>
      <title>FWSM security levels concept</title>
      <link>https://community.cisco.com/t5/network-security/fwsm-security-levels-concept/m-p/850602#M955974</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have 5 different VLANs created on the FWSM, each one with a different security level. I have version 3.7 in single context mode and NAT disabled.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For traffic flowing from one interface with a security level of 100 (called inside) to another with a security level of 20 (called WEB), I need to create an access-list and apply it inbound on the inside interface to permit traffic to the WEB interface, but I don't need to create an access-list on the WEB interface in order to permit the return traffic. Is this correct?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If I want some host on the WEB interface to have access to the inside host, do I need to create an access-list and apply it inbound on the WEB interface, and do I need to create an access-list on the inside interface in order to permit the return traffic? I am confused with the concept of security levels because I cannot see any advantage in defining different security levels.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 11:56:08 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/fwsm-security-levels-concept/m-p/850602#M955974</guid>
      <dc:creator>vicente.madrigal</dc:creator>
      <dc:date>2019-03-11T11:56:08Z</dc:date>
    </item>
    <item>
      <title>Re: FWSM security levels concept</title>
      <link>https://community.cisco.com/t5/network-security/fwsm-security-levels-concept/m-p/850603#M955975</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Vicente&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;With a stateful firewall you do not need access-lists to allow the return traffic, as that is what stateful firewalls do. So in your case:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Inside -&amp;gt; Web - you only need an access-list on the inside interface&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Web -&amp;gt; Inside - you only need an access-list on the WEB interface.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Note that in the above 2 examples we are talking about where the connection is initiated from and not referring to return traffic.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;On standalone PIX/ASA devices traffic is allowed from a higher to a lower security interface without an access-list. Only the FWSM requires an access-list no matter what the security level. I admit this can be a bit confusing.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Jon&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 31 Jan 2008 07:38:30 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/fwsm-security-levels-concept/m-p/850603#M955975</guid>
      <dc:creator>Jon Marshall</dc:creator>
      <dc:date>2008-01-31T07:38:30Z</dc:date>
    </item>
    <item>
      <title>Re: FWSM security levels concept</title>
      <link>https://community.cisco.com/t5/network-security/fwsm-security-levels-concept/m-p/850604#M955976</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thanks Jon,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I was confused because on a regular ASA you don't need to configure the access-list from a higher to a lower security interface, and on the FWSM you do need to apply an inbound access-list on the interface no matter the security level.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It looks to me that the concept of security level for the FWSM is not useful at all.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 01 Feb 2008 16:11:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/fwsm-security-levels-concept/m-p/850604#M955976</guid>
      <dc:creator>vicente.madrigal</dc:creator>
      <dc:date>2008-02-01T16:11:31Z</dc:date>
    </item>
  </channel>
</rss>