6500 FWSM security level problem

Sonugnair_2
Level 3

Hi,

I am facing an issue with a new 6500 router (IOS version 12.2) having a FWSM module (FWSM Version 2.3(3)), which is like this:

I have three VLANs, INSIDE, OUTSIDE and DMZ, with security levels 100, 0 and 50 respectively. I have created appropriate access control lists for pinging between VLANs (INSIDE to DMZ). But the hosts cannot ping.

However, when I give the SAME security level to ALL VLANs (INSIDE, OUTSIDE and DMZ) and give the command "same-security-traffic permit inter-interface", it works fine.

I am totally at a loss to understand this. This might be a workaround, but I guess the ideal situation is to give different security levels to the VLANs and then control access.

Could someone please advise on this issue.

Thanks & regards

Sonu

1 Reply

Jon Marshall
Hall of Fame

Hi Sonu

Couple of things to check.

1) Did you set up NAT from inside to DMZ?

2) Did you create an access-list for both the DMZ interface and the inside interface?

Ping is not stateful so you need to let it back in from the DMZ.

BUT, unlike a standalone PIX, where traffic is allowed to flow by default from a higher to a lower security level interface (i.e. inside to DMZ in your case), this rule does not apply on the FWSM. You will still need an access-list on the inside interface.

HTH

Jon
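A configuration fragment that puts the two points in the reply above into FWSM commands, added here as an example and not taken from Jon's reply or from Cisco documentation; the VLAN numbers, interface names and 10.x / 192.0.2.x addresses are constructed placeholders, and it assumes the FWSM 2.x (PIX 6.x-style) command syntax matching the poster's version.

```cisco
! Three VLANs with distinct security levels (constructed VLAN ids and addresses)
nameif vlan100 inside security100
nameif vlan200 dmz security50
nameif vlan300 outside security0
ip address inside 10.1.1.1 255.255.255.0
ip address dmz 10.2.2.1 255.255.255.0
ip address outside 192.0.2.1 255.255.255.0
!
! Point 1: a NAT rule from inside to DMZ. An identity static keeps the inside
! addresses unchanged but still creates the translation the FWSM requires.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
!
! Point 2a: ACL on the INSIDE interface. The FWSM does not pass higher-to-lower
! security traffic by default, so the echo request must be permitted outbound.
! Only ICMP echo to the DMZ subnet is opened, not all ICMP.
access-list INSIDE_IN permit icmp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 echo
access-group INSIDE_IN in interface inside
!
! Point 2b: ACL on the DMZ interface. Ping is not stateful on this platform, so
! the echo-reply must be let back in explicitly; again only that ICMP type.
access-list DMZ_IN permit icmp 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 echo-reply
access-group DMZ_IN in interface dmz
```

With the ACLs scoped to the echo and echo-reply types, the DMZ side cannot open new connections toward INSIDE, which is the reason for keeping distinct security levels rather than the same-security workaround.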
