FWSM strange acl behavior

wildker-vit
Level 1

Hi!

I have FWSM running 4.1(6) with two security contexts.

The context test config is:

FWSM/test# sh run
: Saved
:
FWSM Version 4.1(6) <context>
!
hostname test
domain-name fwsm.spbstu.ru
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Vlan556
nameif inside
security-level 100
ip address 192.168.100.254 255.255.255.0
!
interface Vlan557
nameif dmz
security-level 50
ip address 172.16.2.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list permit_any extended permit tcp any any
access-list permit_any extended permit udp any any
access-list permit_any extended permit ip any any
access-list dmz_in extended permit icmp any any
access-list dmz_in extended permit udp any any
access-list dmz_in remark dmz_in
access-list dmz_in extended permit tcp any any
access-list dmz_out extended permit icmp any any
access-list dmz_out extended permit udp any any
access-list dmz_out extended permit tcp any any
access-list inside_in extended permit tcp any eq 3389 any
access-list inside_in extended permit tcp any any
access-list inside_in extended deny ip any any
access-list inside_out extended permit icmp any any
access-list inside_out extended permit udp any any
access-list inside_out extended permit tcp any any
pager lines 24
logging enable
logging console debugging
logging buffered debugging
logging asdm debugging
mtu inside 1500
mtu dmz 1500
no asdm history enable
arp timeout 14400
nat-control
access-group permit_any in interface inside
access-group permit_any out interface inside
access-group permit_any in interface dmz
access-group permit_any out interface dmz
route dmz 0.0.0.0 0.0.0.0 172.16.2.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout pptp-gre 0:02:00
timeout uauth 0:05:00 absolute
username cisco password ZBZ8GNEdrJsjFvsR encrypted
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
no snmp-server location
no snmp-server contact
telnet timeout 60
ssh timeout 60
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns
  inspect ftp
  inspect netbios
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect http
!
service-policy global_policy global
Cryptochecksum:632fecb27da8e4b662d4197c60f1b22a
: end

Routing and VLAN config is fine for sure, but access is denied while the ACL counters are 0.

Does anybody have any ideas where I should look more carefully?

The system context config is:

FWSM# sh run
: Saved
:
FWSM Version 4.1(6) <system>
!
resource acl-partition 12
hostname FWSM
enable password 8Ry2YjIyt7RRXU24 encrypted
!
interface Vlan555
!
interface Vlan556
!
interface Vlan557
!
interface Vlan1216
!
passwd 2KFQnbNIdI.2KYOU encrypted
class default
  limit-resource IPSec 5
  limit-resource Mac-addresses 65535
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
  limit-resource All 0
!

ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
console timeout 0

admin-context admin
context admin
  description default_context
  member default
  allocate-interface Vlan1216
  allocate-interface Vlan555
  allocate-acl-partition 0
  config-url disk:/admin.cfg
!

context test
  description test
  member default
  allocate-interface Vlan556
  allocate-interface Vlan557
  allocate-acl-partition 1
  config-url disk:/CON_test.cfg
!

prompt hostname context
Cryptochecksum:ae682011fefdab9a0e4eeda02ca49c6e
: end

3 Replies

mirober2
Cisco Employee

Hello,

First, since you're sharing VLANs across multiple contexts, you'll need to be aware of the FWSM's packet classifier and the requirement for sharing VLANs (i.e. you'll need to configure 'static' statements for the destination addresses behind each context):

How the FWSM Classifies Packets:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/contxt_f.html#wp1124172

Sharing Interfaces Between Contexts:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/contxt_f.html#wp1124236

If that still doesn't help, please get level 6 (informational) syslogs from both contexts when you try to send traffic.

-Mike

access-list permit_any extended permit tcp any any
access-list permit_any extended permit udp any any
access-list permit_any extended permit ip any any
access-list permit_any extended permit icmp any any
access-group permit_any in interface inside
access-group permit_any out interface inside
access-group permit_any in interface dmz
access-group permit_any out interface dmz

I don't understand why the FWSM denies ICMP.

(I am pinging from the Cat6509 SUP 172.16.2.254, which is on the dmz interface, to the host 192.168.100.250 on the inside interface):

%FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
%FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
%FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
%FWSM-7-111009: User 'enable_15' executed cmd: show logging
%FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
%FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)

Any ideas?

Hello Wilder,

Can you try the following under context TEST?

static (inside,dmz)   192.168.100.0 192.168.100.0 netmask 255.255.255.0

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
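The two pieces of evidence in this thread are the context config (security-level 100 on inside, 50 on dmz, `nat-control` enabled, no `static`) and the `%FWSM-3-106010` deny lines for dmz-to-inside ICMP. The following script is an added diagnostic example, not code from the thread or from Cisco: it parses a constructed excerpt of the quoted config and a constructed sample of the quoted syslog, and flags each distinct low-to-high flow that is denied while `nat-control` is on and no `static (high,low)` covers the destination, which is exactly the condition Julio's suggested `static (inside,dmz)` line removes. The helper names (`parse_interfaces`, `parse_statics`, `parse_denies`, `diagnose`) are this example's own.

```python
import ipaddress
import re

# Constructed excerpt of the "test" context config quoted in the thread; only
# the lines this check reads are reproduced.
CONTEXT_CONFIG = """\
interface Vlan556
nameif inside
security-level 100
ip address 192.168.100.254 255.255.255.0
!
interface Vlan557
nameif dmz
security-level 50
ip address 172.16.2.1 255.255.255.0
!
nat-control
access-group permit_any in interface inside
access-group permit_any in interface dmz
"""

# Constructed syslog sample in the format quoted in the thread.
SYSLOG = """\
%FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
%FWSM-7-111009: User 'enable_15' executed cmd: show logging
%FWSM-3-106010: Deny inbound icmp src dmz:172.16.2.254 dst inside:192.168.100.250 (type 8, code 0)
"""

# 106010 carries "src ifc:addr[/port] dst ifc:addr[/port]"; ports are optional (ICMP has none).
DENY_RE = re.compile(
    r"%FWSM-3-106010: Deny inbound (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)"
)
# static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    r"static \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+(?P<mapped>\S+)\s+(?P<real>\S+)"
    r"(?:\s+netmask\s+(?P<mask>\S+))?"
)


def parse_interfaces(config):
    """Map each nameif to its security level, read from the interface blocks."""
    levels, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name is not None:
            levels[name] = int(line.split()[1])
    return levels


def parse_statics(config):
    """Return (real_if, mapped_if, real_network) for every static statement."""
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            mask = m.group("mask") or "255.255.255.255"
            net = ipaddress.ip_network(f"{m.group('real')}/{mask}", strict=False)
            statics.append((m.group("real_if"), m.group("mapped_if"), net))
    return statics


def parse_denies(syslog):
    """Extract the 106010 deny events; other message IDs are ignored."""
    return [m.groupdict() for m in map(DENY_RE.search, syslog.splitlines()) if m]


def diagnose(config, syslog):
    """One finding per distinct flow that is denied from a lower- to a
    higher-security interface while nat-control is on and no static covers
    the destination; that is the gap the thread's suggested static fills."""
    levels = parse_interfaces(config)
    statics = parse_statics(config)
    nat_control = any(l.strip() == "nat-control" for l in config.splitlines())
    findings, seen = [], set()
    for d in parse_denies(syslog):
        key = (d["src_if"], d["dst_if"], d["proto"], d["dst"])
        if key in seen:
            continue
        seen.add(key)
        sif, dif = d["src_if"], d["dst_if"]
        if sif not in levels or dif not in levels:
            findings.append(f"{sif}->{dif}: interface name not in config")
            continue
        if levels[dif] <= levels[sif]:
            continue  # high-to-low or same level: a missing static is not the question
        dst = ipaddress.ip_address(d["dst"])
        covered = any(r == dif and m == sif and dst in net for r, m, net in statics)
        if nat_control and not covered:
            findings.append(
                f"{sif}->{dif} {d['proto']} to {d['dst']}: nat-control is on and no "
                f"'static ({dif},{sif})' covers {d['dst']}"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(CONTEXT_CONFIG, SYSLOG):
        print(finding)
```

Appending the thread's `static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0` to the config excerpt and re-running `diagnose` yields no findings, which is the check to run before and after the change. ACL hit counts staying at 0 is consistent with this reading: the flow is dropped for lack of a translation, not by an ACL entry.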