1347 Views | 0 Helpful | 8 Replies

Query - FWSM Security Levels..

krishnadas.R_2
Level 1

Hi,

I have two vlans defined on the FWSM, APP and DB. For the APP vlan, the sec level is 60; for DB it is 100.

I wanted to allow multicast from APP to DB and vice versa. The necessary NAT statement and ACLs are updated and connectivity is working from DB to APP vlan.

However, though ACL and NAT statements are in place for APP -> DB communication, I had to lower the security level of the DB vlan to 60 to make it work. As soon as I lowered the security level it started working.

Is there a way to make it work without lowering the security level?

Thanks,
Kris

8 Replies

Jon Marshall
Hall of Fame

Can you post the NAT statements used?

Jon

er-db-zone = DB vlan

er-dmz-int = APP vlan

static (er-db-zone,er-dmz-int) 10.1.149.0 10.1.149.0 netmask 255.255.255.0
static (er-dmz-int,er-db-zone) 10.1.151.0 10.1.151.0 netmask 255.255.255.0

krishnadas.R wrote:

er-db-zone = DB vlan

er-dmz-int = APP vlan

static (er-db-zone,er-dmz-int) 10.1.149.0 10.1.149.0 netmask 255.255.255.0
static (er-dmz-int,er-db-zone) 10.1.151.0 10.1.151.0 netmask 255.255.255.0

Kris

They look fine to me. I was wanting to check in case you had tried to use dynamic NAT each way in which case it would work DB -> APP but not APP -> DB.

If you have got these and you have allowed the traffic with an acl then there is no reason why it should not work. I have not come across the issue you are facing and certainly pix/asa firewalls follow the rule that from a lower to higher security interface traffic is allowed with an acl and NAT.

Perhaps there is something else in the config?

Jon

Hi Jon,

I was getting this error continuously in the FWSM logs:

Dec 23 2009 12:41:18: %FWSM-3-106010: Deny inbound udp src er-dmz-int:10.1.151.5/60812 dst er-db-zone:228.10.10.10/45566
Dec 23 2009 12:41:18: %FWSM-3-106010: Deny inbound udp src er-dmz-int:10.1.151.5/60812 dst er-db-zone:228.10.10.10/45566
Dec 23 2009 12:41:18: %FWSM-3-106010: Deny inbound udp src er-dmz-int:10.1.151.5/60812 dst er-db-zone:228.10.10.10/45566
Dec 23 2009 12:41:18: %FWSM-3-106010: Deny inbound udp src er-dmz-int:10.1.151.5/60812 dst er-db-zone:228.10.10.10/45566

As per the Cisco doc, http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/system/message/fsmemsgs.html

%FWSM-3-106010 --> "This is a connection-related message. This message is logged if an inbound connection is denied by your security policy"

There is a specific permit line in the ACL that allows traffic to 228.10.10.10 from 10.1.151.0 and I saw hits as well on those lines. I cleared the xlate for source and destination, removed and re-applied the ACL lines with no luck until I lowered the security level.

But the fact is that there are many other vlans working in similar fashion in this FWSM, only this couple of interfaces had issues. The traffic is multicast, but does that make a difference when connectivity is working one-way?

Thanks

Kris
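As an added example (not from the thread, from Cisco, or from the poster), here is a small Python parser for the %FWSM-3-106010 lines Kris quoted above. It pulls out the interfaces, addresses and protocol from each deny line and flags destinations in the 224.0.0.0/4 multicast range, so repeated denies of multicast traffic between two named interfaces stand out from ordinary unicast ACL misses when reviewing a log. The first two sample lines are the ones quoted in the thread; the third is constructed for contrast.

```python
import ipaddress
import re
from collections import Counter

# Sample input: lines 1-2 are the FWSM entries quoted in the thread above,
# line 3 is a constructed unicast deny so the two kinds can be told apart.
SAMPLE_LOG = """\
Dec 23 2009 12:41:18: %FWSM-3-106010: Deny inbound udp src er-dmz-int:10.1.151.5/60812 dst er-db-zone:228.10.10.10/45566
Dec 23 2009 12:41:18: %FWSM-3-106010: Deny inbound udp src er-dmz-int:10.1.151.5/60812 dst er-db-zone:228.10.10.10/45566
Dec 23 2009 12:41:19: %FWSM-3-106010: Deny inbound tcp src er-dmz-int:10.1.151.7/40000 dst er-db-zone:10.1.149.20/1521
"""

# Matches the "%FWSM-3-106010: Deny inbound <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>"
# layout shown in the thread.
DENY_RE = re.compile(
    r"%FWSM-3-106010: Deny inbound (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_deny(line):
    """Return the fields of a 106010 deny line as a dict, or None if the line is not one."""
    m = DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # 224.0.0.0/4 is the IPv4 multicast range. A deny with a multicast destination
    # points at the multicast forwarding / NAT path rather than a plain unicast ACL miss.
    rec["multicast"] = ipaddress.ip_address(rec["dst_ip"]).is_multicast
    return rec


def summarize_denies(log_text):
    """Count deny lines per (src interface, dst interface, dst ip, proto, is_multicast)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_deny(line)
        if rec:
            counts[(rec["src_if"], rec["dst_if"], rec["dst_ip"], rec["proto"], rec["multicast"])] += 1
    return counts


if __name__ == "__main__":
    for (src_if, dst_if, dst_ip, proto, mcast), n in summarize_denies(SAMPLE_LOG).most_common():
        kind = "multicast" if mcast else "unicast"
        print(f"{n:3d} x {proto} {src_if} -> {dst_if} {dst_ip} ({kind})")
```

Feed it the real syslog export instead of SAMPLE_LOG to see which interface pairs and groups are being denied and how often.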

Kris

What version of FWSM software are you running?

Have you set up multicast routing on the FWSM?

Jon

You need the following.

nat (er-db-zone) 0 access-list blah

access-l blah permit ip host 228.10.10.10 any

or

access-l blah permit ip host 228.10.10.10 host 10.1.1.51

Let us know how it goes.

-KS

Ks,

I am waiting for the client to be available to do the test, shall let you know the results.

Thanks

Kris

Jon,

FWSM is running code 3.1(4).

Multicast routing is setup on the FWSM.

kris
