Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
788
Views
0
Helpful
1
Replies

FWSM access-lists

Colin Higgins
Level 2
Level 2

‎06-25-2012 07:22 AM - edited ‎03-11-2019 04:22 PM

On the ASA, an inbound access-list controls traffic coming into an interface, aka ingress traffic.

So if I have an Internet-facing interface (outside) with security 0, and I wanted to control inbound traffic through this interface to internal hosts (on a dmz perhaps), I would apply the access-list as so

access-group TEST in interface outside

but I am looking at a FWSM config that seems to be doing the opposite. It has a vlan interface defined like this

interface Vlan58

description Network Management VLAN

nameif NetworkMgt

security-level 50

ip address 172.100.100.1 255.255.255.0

and an access-list that reads like this

access-list NETWORKMGT-IN remark THESE ACL STATEMENT PERMIT TRAFFIC FROM INSIDE THE SUBNET TO OUTSIDE HOSTS

access-list NETWORKMGT-IN extended permit tcp object-group CITRIX-SERVERS object-group DATABASE-SERVERS eq sqlnet

with the CITRIX-SERVERS as hosts on Vlan58 (172.100.100.0 /24)

and the access-list is applied as so:

access-group NETWORKMGT-IN in interface NetworkMgt

So what do we mean by "in" --this is obviously egress traffic out of the interface, not traffic coming into the interface from the outside. On the FWSM do we control traffic into a vlan by a outbound access-list?

This just seems strange to me. Any advice would help.

Labels:
0 Helpful
1 Reply 1

Jennifer Halim
Cisco Employee
Cisco Employee

‎06-25-2012 08:32 PM

On FWSM, you need to apply ACL on all interfaces to allow the traffic through the FWSM.

So on NetworkMgt interface, you would need to apply ACL for traffic initiated from behind this interface towards other interfaces. Similarly to the Outside interface, you would need to apply ACL for traffic initiated behind the Outside interface (aka Internet).

"in" means inbound towards the interface

"out" means outbound off that interface

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card