FWSM access-lists

Colin Higgins · ‎06-25-2012

On the ASA, an inbound access-list controls traffic coming into an interface, aka ingress traffic.

So if I have an Internet-facing interface (outside) with security 0, and I wanted to control inbound traffic through this interface to internal hosts (on a dmz perhaps), I would apply the access-list as so

access-group TEST in interface outside

but I am looking at a FWSM config that seems to be doing the opposite. It has a vlan interface defined like this

interface Vlan58

description Network Management VLAN

nameif NetworkMgt

security-level 50

ip address 172.100.100.1 255.255.255.0

and an access-list that reads like this

access-list NETWORKMGT-IN remark THESE ACL STATEMENT PERMIT TRAFFIC FROM INSIDE THE SUBNET TO OUTSIDE HOSTS

access-list NETWORKMGT-IN extended permit tcp object-group CITRIX-SERVERS object-group DATABASE-SERVERS eq sqlnet

with the CITRIX-SERVERS as hosts on Vlan58 (172.100.100.0 /24)

and the access-list is applied as so:

access-group NETWORKMGT-IN in interface NetworkMgt

So what do we mean by "in" --this is obviously egress traffic out of the interface, not traffic coming into the interface from the outside. On the FWSM do we control traffic into a vlan by a outbound access-list?

This just seems strange to me. Any advice would help.

Jennifer Halim · ‎06-25-2012

On FWSM, you need to apply ACL on all interfaces to allow the traffic through the FWSM.

So on NetworkMgt interface, you would need to apply ACL for traffic initiated from behind this interface towards other interfaces. Similarly to the Outside interface, you would need to apply ACL for traffic initiated behind the Outside interface (aka Internet).

"in" means inbound towards the interface

"out" means outbound off that interface