CISCO FWSM - Enable traffic between two or more hosts connected to the same interface

Hi guys!

I have a doubt here: I have a Cisco FWSM and I would like to activate the parameter described below:

"Enable traffic between two or more hosts connected to the same interface" 

The motive to enable this is that I have many unnecessary static rules like this:

static (BASE-ADV,NET-INT) 10.37.0.0 10.37.0.0 netmask 255.255.255.0

My FWSM is in production at this time, and I can't stop the service and I can't lose any rule there.

What will happen when I activate this parameter?

What will happen with the static rules after I activate the parameter?

What's the risk?

Thank you very much!

Regards,

Anderson.

8 Replies

Jon Marshall
Hall of Fame

It's not clear how enabling traffic between hosts connected to the same interface is related to your static NAT statement.

The static NAT is for traffic between two different interfaces, so how will enabling traffic between hosts on the same interface replace that static NAT?

Can you clarify exactly what you are trying to do?

Jon

Jon,

In this case it is different, look:

static (BASE-ADV,NET-INT) 10.37.0.0 10.37.0.0 netmask 255.255.255.0

Interface BASE-ADV

Interface NET-INT

Thank you!

Yes, they are different interfaces, that was my point.

How does enabling traffic between hosts on the same interface have anything to do with traffic between different interfaces?

Jon

For example, if I need to create a rule where the IP 10.10.10.10 (interface ADV-X) connects to 20.20.20.20 (interface ADV-Y), I need to do this:

access-list ADV-X extended permit ip any host 10.10.10.10 host 20.20.20.20

static (ADV-Y,ADV-X) 20.20.20.20 20.20.20.20 netmask 255.255.255.255

What I want to do is not use the static line anymore, and use only "access-list".

For this I enable the parameter "Enable traffic between two or more hosts connected to the same interface".

Do you agree?

Thanks!

No I don't agree because the example you gave is using two different interfaces.

Jon

OK, sorry. I understood what I said.

How would you do it using only the ACL in this case?

Thank you.

What code version are you running on the FWSM?

What exactly is the problem with the static statements? Do you just want to tidy up the configuration?

Jon

FWSM Firewall Version 4.1(11)

The problem is that I would like not to use static rules when the rule is for the same IP. I want to use only an access-list in this case.

I read about "Static Identity NAT" in the documentation.

For example, I have the IP 10.10.10.10 on the interface LAN_X and I need to permit this IP to connect to the IP 20.20.20.20 on the interface DMZ on any port. How can I create this rule?

Option 1:

access-list LAN_X permit ip host 10.10.10.10 host 20.20.20.20

static (DMZ,LAN_X) 20.20.20.20 20.20.20.20 netmask 255.255.255.255

Option 2 (what I want to configure):

access-list LAN_X permit ip host 10.10.10.10 host 20.20.20.20

What do I need to configure so as not to use a static rule in cases where I have the same destination IP?

Thank you.
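As an added illustration (not part of the thread, and not an answer from any participant), here is how the two settings being discussed map to the FWSM CLI. The ASDM checkbox quoted in the original question is the `same-security-traffic permit intra-interface` command, which only governs packets that enter and leave the same interface, so it is unrelated to the cross-interface identity static in Option 1. Interface and host names are the thread's own; the `nat-control` check is an assumption about what a practitioner should verify before touching a production box.

```cisco
! Option 1 as posted in the thread: identity static NAT plus an ACL for the
! LAN_X -> DMZ flow. The static translates 20.20.20.20 to itself on LAN_X;
! the ACL then permits the single host-to-host flow.
static (DMZ,LAN_X) 20.20.20.20 20.20.20.20 netmask 255.255.255.255
access-list LAN_X extended permit ip host 10.10.10.10 host 20.20.20.20
access-group LAN_X in interface LAN_X
!
! The ASDM option "Enable traffic between two or more hosts connected to
! the same interface" is this global command. It affects only traffic that
! enters and exits the SAME interface (for example two hosts both behind
! LAN_X) and has no effect on the LAN_X -> DMZ flow above, so it does not
! replace the static.
same-security-traffic permit intra-interface
!
! Caveat (assumption to verify, not stated in the thread): whether a static
! is required at all for a cross-interface flow depends on the nat-control
! setting. Check it before changing anything in production:
!   show running-config nat-control
! With "no nat-control" an ACL alone can permit the flow; with "nat-control"
! every flow through the FWSM must match a NAT rule, which is what the
! identity static provides.
```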
