Yes, you can.
The FWSM is a stateful firewall and I would say it's way more flexible than CBAC.
Its whole purpose is to be stateful, so you should go for it.
For Networking Posts check my blog at http://laguiadelnetworking.com/
Julio Carvajal Segura
Thanks for the answer.
But, for example, I don't know how to configure a thing like this in the FWSM:
Router(config)# ip access-list extended EXTERNAL-ACL
Router(config-ext-nacl)# deny tcp any any log
Router(config-ext-nacl)# deny udp any any log
Router(config-ext-nacl)# deny icmp any any log
Router(config-ext-nacl)# deny ip any any
Router(config)# ip inspect name CBAC-EXAMPLE tcp
Router(config)# ip inspect name CBAC-EXAMPLE udp
Router(config)# ip inspect name CBAC-EXAMPLE icmp
Router(config)# interface ethernet0
Router(config-if)# ip access-group EXTERNAL-ACL in
Router(config-if)# ip inspect CBAC-EXAMPLE out
By default on a FWSM, traffic from the inside to the router will be allowed and statefully inspected,
and traffic from lower to higher will be blocked. No need to configure it.
The ASA, as Julio has mentioned, is a stateful firewall, meaning it keeps track of the connections that originate on interfaces that are configured to allow such connections.
Initially this is enabled through the use of security-levels. Interfaces configured with higher security-levels are allowed to initiate traffic to interfaces with lower security-levels. These connections are then placed in a state table, which is then inspected when the return traffic reaches the ASA. If the ASA finds a match in the state table for the return traffic, the traffic is permitted; otherwise it is dropped.
Once you configure an ACL on the interface, the security-level no longer has any meaning (until you remove all ACLs on the interface). Then traffic is permitted based on the configured ACL. All traffic that is permitted by the ACL is placed in the state table, which is again checked and permitted for the return traffic.
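The CBAC snippet from the question, carried over to the FWSM/ASA model described in the replies, as an added example that is not from any poster in this thread. Interface names, VLAN numbers, addresses, the ACL name and the syslog host are assumed.

```text
! Assumed layout: "inside" (security-level 100) and "outside" (security-level 0).
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
! With no ACL on "inside", the security levels alone let inside hosts start
! TCP/UDP connections outbound; the replies are matched against the state table.
! The outside interface already has an implicit deny, but that deny does not
! log. The explicit entries below reproduce the "deny ... log" lines of the
! CBAC ACL so that blocked inbound attempts show up in syslog (message 106100).
access-list OUTSIDE-IN extended deny tcp any any log
access-list OUTSIDE-IN extended deny udp any any log
access-list OUTSIDE-IN extended deny icmp any any log
access-list OUTSIDE-IN extended deny ip any any
access-group OUTSIDE-IN in interface outside
!
! ICMP is not tracked in the state table unless ICMP inspection is enabled,
! so echo replies to inside-originated pings would otherwise be dropped by
! the outside ACL. This adds ICMP to the default global inspection policy.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Send the ACL log messages to a collector on the inside (assumed address).
logging enable
logging trap informational
logging host inside 10.1.1.50
```

Once OUTSIDE-IN is applied, the ACL, not the security level, decides what may enter on "outside"; the inside interface, still without an ACL, keeps the security-level behaviour.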