FWSM access-lists
06-25-2012 07:22 AM - edited 03-11-2019 04:22 PM
On the ASA, an inbound access-list controls traffic coming into an interface, aka ingress traffic.
So if I have an Internet-facing interface (outside) with security level 0, and I wanted to control inbound traffic through this interface to internal hosts (on a DMZ, perhaps), I would apply the access-list like so:
access-group TEST in interface outside
But I am looking at an FWSM config that seems to be doing the opposite. It has a VLAN interface defined like this:
interface Vlan58
description Network Management VLAN
nameif NetworkMgt
security-level 50
ip address 172.100.100.1 255.255.255.0
and an access-list that reads like this:
access-list NETWORKMGT-IN remark THESE ACL STATEMENT PERMIT TRAFFIC FROM INSIDE THE SUBNET TO OUTSIDE HOSTS
access-list NETWORKMGT-IN extended permit tcp object-group CITRIX-SERVERS object-group DATABASE-SERVERS eq sqlnet
with CITRIX-SERVERS being hosts on Vlan58 (172.100.100.0/24),
and the access-list is applied like so:
access-group NETWORKMGT-IN in interface NetworkMgt
So what do we mean by "in"? This is obviously egress traffic out of the interface, not traffic coming into the interface from the outside. On the FWSM, do we control traffic into a VLAN with an outbound access-list?
This just seems strange to me. Any advice would help.
Labels: NGFW Firewalls

06-25-2012 08:32 PM
On the FWSM, you need to apply an ACL on all interfaces to allow traffic through the FWSM.
So on the NetworkMgt interface, you would need to apply an ACL for traffic initiated from behind this interface towards other interfaces. Similarly, on the Outside interface, you would need to apply an ACL for traffic initiated from behind the Outside interface (aka the Internet).
"in" means inbound towards the interface (traffic entering the firewall on that interface).
"out" means outbound off that interface (traffic leaving the firewall on that interface).
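To make the "in"/"out" semantics from the thread concrete, here is an added toy model (not code from the original post or from Cisco) of how an interface access-group is evaluated. A flow entering the firewall on interface X is checked against the ACL bound "in" on X, then, if one is bound, against the ACL bound "out" on the egress interface. The model also encodes the difference the reply describes: on the FWSM an interface with no ACL passes nothing, whereas on the ASA an interface with no ACL implicitly permits flows from a higher security level to a lower one (same-security-level traffic is not modelled). The NetworkMgt interface and the NETWORKMGT-IN entry come from the post; the Database and outside subnets, the CITRIX-SERVERS and DATABASE-SERVERS address ranges, and the sample flows are assumptions made up for the example. sqlnet is TCP 1521.

```python
"""Toy model of interface access-groups on an FWSM versus an ASA (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Interface:
    nameif: str
    security_level: int
    network: ipaddress.IPv4Network      # directly connected subnet


@dataclass
class Ace:
    action: str                         # "permit" or "deny"
    proto: str                          # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None         # None matches any destination port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto) and src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


@dataclass
class Firewall:
    platform: str                       # "fwsm" or "asa"
    interfaces: list
    default_nameif: str                 # interface the default route points at
    access_groups: dict = field(default_factory=dict)   # (nameif, "in"/"out") -> [Ace]

    def access_group(self, nameif, direction, aces):
        """Equivalent of: access-group <acl> <in|out> interface <nameif>"""
        self.access_groups[(nameif, direction)] = list(aces)

    def interface_for(self, ip):
        """Connected-route lookup, falling back to the default route."""
        for itf in self.interfaces:
            if ip in itf.network:
                return itf
        return next(i for i in self.interfaces if i.nameif == self.default_nameif)

    def _acl_verdict(self, key, proto, src, dst, dport):
        aces = self.access_groups.get(key)
        if aces is None:
            return None                 # no ACL bound in this direction
        for ace in aces:
            if ace.matches(proto, src, dst, dport):
                return ace.action == "permit"
        return False                    # implicit deny at the end of every ACL

    def permits(self, proto, src, dst, dport=None):
        """Is a new flow src -> dst:dport allowed through the firewall?"""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        ingress, egress = self.interface_for(src), self.interface_for(dst)
        if ingress is egress:
            return False                # not a through-the-firewall flow
        # "in" ACL: the interface the flow ENTERS the firewall on (its source side)
        inbound = self._acl_verdict((ingress.nameif, "in"), proto, src, dst, dport)
        if inbound is None:
            if self.platform == "fwsm":
                return False            # FWSM: no ACL bound means nothing passes
            if ingress.security_level <= egress.security_level:
                return False            # ASA: implicit permit only high -> low
        elif not inbound:
            return False
        # "out" ACL on the egress interface is only consulted if one is bound
        outbound = self._acl_verdict((egress.nameif, "out"), proto, src, dst, dport)
        return outbound is not False


def net(s):
    return ipaddress.ip_network(s)


SQLNET = 1521                                   # Cisco port name "sqlnet"
CITRIX_SERVERS = net("172.100.100.16/28")       # assumed hosts on Vlan58
DATABASE_SERVERS = net("10.10.20.0/28")         # assumed; not in the post


def build(platform):
    """The thread's NetworkMgt interface plus two assumed interfaces."""
    fw = Firewall(platform, [
        Interface("outside", 0, net("203.0.113.0/24")),        # assumed
        Interface("NetworkMgt", 50, net("172.100.100.0/24")),  # Vlan58 from the post
        Interface("Database", 40, net("10.10.20.0/24")),       # assumed
    ], default_nameif="outside")
    # access-list NETWORKMGT-IN extended permit tcp CITRIX-SERVERS DATABASE-SERVERS eq sqlnet
    # access-group NETWORKMGT-IN in interface NetworkMgt
    fw.access_group("NetworkMgt", "in",
                    [Ace("permit", "tcp", CITRIX_SERVERS, DATABASE_SERVERS, SQLNET)])
    return fw


if __name__ == "__main__":
    for platform in ("fwsm", "asa"):
        fw = build(platform)
        print(platform, "citrix->db sqlnet :", fw.permits("tcp", "172.100.100.20", "10.10.20.5", SQLNET))
        print(platform, "db->citrix sqlnet :", fw.permits("tcp", "10.10.20.5", "172.100.100.20", SQLNET))
        print(platform, "db->internet https:", fw.permits("tcp", "10.10.20.5", "198.51.100.7", 443))
```

Running it shows the point of the reply: the Citrix-to-database flow is permitted because it enters on NetworkMgt, where NETWORKMGT-IN is bound "in". The Database interface has no ACL, so a flow from a database server out to the Internet is dropped on the FWSM but implicitly permitted on the ASA (security 40 to 0). A flow initiated from the database side towards Vlan58 is denied on both, on the FWSM because no ACL is bound and on the ASA because it goes from a lower to a higher security level.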
