11-25-2015 06:20 AM - edited 03-11-2019 11:56 PM
Hi guys!
I have a question here: I have a Cisco FWSM and I would like to activate the parameter described below:
"Enable traffic between two or more hosts connected to the same interface"
The reason to enable this is that I have many static rules that are not necessary, like this one:
static (BASE-ADV,NET-INT) 10.37.0.0 10.37.0.0 netmask 255.255.255.0
My FWSM is in production at this time; I can't stop the service and I can't lose any rule there.
What will happen when I activate this parameter?
What will happen to the static rules after I activate the parameter?
What's the risk?
Thank you very much!
Regards,
Anderson.
11-25-2015 08:12 AM
It's not clear how enabling traffic between hosts connected to the same interface is related to your static NAT statement.
The static NAT is for traffic between two different interfaces, so how will enabling traffic between hosts on the same interface replace that static NAT?
Can you clarify exactly what you are trying to do?
Jon
11-25-2015 09:24 AM
Jon,
In this case it is different, look:
static (BASE-ADV,NET-INT) 10.37.0.0 10.37.0.0 netmask 255.255.255.0
Interface BASE-ADV
Interface NET-INT
Thank you!
11-25-2015 10:06 AM
Yes, they are different interfaces, that was my point.
How does enabling traffic between hosts on the same interface have anything to do with traffic between different interfaces?
Jon
11-25-2015 11:30 AM
For example, if I need to create a rule where the IP 10.10.10.10 (interface ADV-X) connects to 20.20.20.20 (interface ADV-Y), I need to do this:
access-list ADV-X extended permit ip host 10.10.10.10 host 20.20.20.20
static (ADV-Y,ADV-X) 20.20.20.20 20.20.20.20 netmask 255.255.255.255
What I want to do is not use the static line any more, only the "access-list".
For this I enable the parameter "Enable traffic between two or more hosts connected to the same interface"
Do you agree?
Thanks!
11-25-2015 11:36 AM
No I don't agree because the example you gave is using two different interfaces.
Jon
11-25-2015 12:20 PM
Ok, sorry. I understood what I said.
How would you do it using only the ACL in this case?
Thank you.
11-25-2015 01:35 PM
What code version are you running on the FWSM ?
What exactly is the problem with the static statements? Do you just want to tidy up the configuration?
Jon
11-26-2015 02:41 AM
FWSM Firewall Version 4.1(11)
The problem is that I would not like to use static rules when the rule is for the same IP. I want to use only an access-list in this case.
I saw in the documentation about "Static Identity NAT"
For example, I have the IP 10.10.10.10 on interface LAN_X and I need to permit this IP to connect to the IP 20.20.20.20 on interface DMZ on any port. How can I create this rule?
Option 1:
access-list LAN_X permit ip host 10.10.10.10 host 20.20.20.20
static (DMZ,LAN_X) 20.20.20.20 20.20.20.20 netmask 255.255.255.255
Option 2 (what I want to configure):
access-list LAN_X permit ip host 10.10.10.10 host 20.20.20.20
What do I need to configure to not use a static rule in cases where I have the same destination IP?
Thank you.
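As an added example (not part of the thread, and not Cisco's own tooling): a small Python script that parses FWSM-style `static` statements out of a saved configuration and reports the identity entries, i.e. those whose mapped and real address (and port, for port statics) are equal. Those are exactly the lines the original poster wants to get rid of, and an inventory of them is the first thing to have before touching a production box. The sample configuration embedded in the script is constructed from the statements quoted above plus two extra lines (a real translation and a tcp port static) so that the non-identity case is exercised; the function and class names are the example's own.

```python
"""Inventory identity static NAT entries in an FWSM (or pre-8.3 ASA) config.

Added example, not from the thread. It assumes the classic syntax
    static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
    static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port [netmask mask]
and ignores any line it cannot parse that way.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample config: the statements quoted in the thread, plus one real
# translation (not identity) and one tcp port static (identity) for contrast.
SAMPLE_CONFIG = """\
static (BASE-ADV,NET-INT) 10.37.0.0 10.37.0.0 netmask 255.255.255.0
static (DMZ,LAN_X) 20.20.20.20 20.20.20.20 netmask 255.255.255.255
static (DMZ,OUTSIDE) 203.0.113.10 20.20.20.20 netmask 255.255.255.255
static (ADV-Y,ADV-X) tcp 20.20.20.20 80 20.20.20.20 80 netmask 255.255.255.255
access-list LAN_X permit ip host 10.10.10.10 host 20.20.20.20
access-list ADV-X extended permit ip host 10.10.10.10 host 20.20.20.20
"""

HEADER = re.compile(r"^static \((?P<real>[^,]+),(?P<mapped>[^)]+)\)\s*(?P<rest>.*)$")


@dataclass
class StaticEntry:
    line: str
    real_ifc: str
    mapped_ifc: str
    proto: Optional[str]
    mapped_ip: str
    real_ip: str
    mapped_port: Optional[str]
    real_port: Optional[str]
    netmask: Optional[str]

    @property
    def is_identity(self) -> bool:
        # Identity NAT: mapped address (and port) equal the real ones, so the
        # entry translates nothing; it only exists to satisfy NAT control.
        return self.mapped_ip == self.real_ip and self.mapped_port == self.real_port


def parse_static(line: str) -> Optional[StaticEntry]:
    """Return a StaticEntry for a well-formed static line, else None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    tokens = m.group("rest").split()
    proto = mapped_port = real_port = None
    try:
        if tokens and tokens[0] in ("tcp", "udp"):
            proto, mapped_ip, mapped_port, real_ip, real_port = tokens[:5]
            tail = tokens[5:]
        else:
            mapped_ip, real_ip = tokens[:2]
            tail = tokens[2:]
    except ValueError:
        return None  # truncated or malformed static statement
    netmask = None
    if "netmask" in tail and tail.index("netmask") + 1 < len(tail):
        netmask = tail[tail.index("netmask") + 1]
    return StaticEntry(line.strip(), m.group("real"), m.group("mapped"), proto,
                       mapped_ip, real_ip, mapped_port, real_port, netmask)


def find_identity_statics(config: str) -> List[StaticEntry]:
    """All identity static entries in the config, in file order."""
    entries = (parse_static(l) for l in config.splitlines())
    return [e for e in entries if e is not None and e.is_identity]


def audit(config: str) -> List[str]:
    """One report line per identity static: interface pair, protocol/port,
    host vs subnet scope, and whether any access-list mentions the real IP
    (a rough hint that the entry is actually in use)."""
    acl_lines = [l for l in config.splitlines() if l.strip().startswith("access-list ")]
    report = []
    for e in find_identity_statics(config):
        scope = "host" if e.netmask in (None, "255.255.255.255") else f"subnet/{e.netmask}"
        kind = f"{e.proto}/{e.real_port}" if e.proto else "ip"
        referenced = any(e.real_ip in l.split() for l in acl_lines)
        report.append(f"identity static: real {e.real_ifc} / mapped {e.mapped_ifc} "
                      f"{kind} {e.real_ip} ({scope}); referenced in ACL: "
                      f"{'yes' if referenced else 'no'}")
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG):
        print(row)
```

The report is only an inventory. On the FWSM an identity static translates nothing; it exists to satisfy NAT control, so while `nat-control` is enabled the traffic a line covers is dropped the moment that line is removed. Removing the entries is therefore a two-step change on a production firewall (disable NAT control first, then clear the identity statics), and the non-identity statics in the list, like the `203.0.113.10` one in the sample, must stay regardless. The access-lists still decide what is permitted either way.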