07-16-2013 08:35 AM - edited 03-11-2019 07:12 PM
Hi,
With CBAC I can inspect traffic, with FWSM can I configure the same process?
thanks
07-16-2013 10:01 AM
Hello,
Yes, you can,
The FWSM is a stateful firewall and I would say it's way more flexible than CBAC,
Its whole purpose is to be stateful, so you should go for it.
For Networking Posts check my blog at http://laguiadelnetworking.com/
Cheers,
Julio Carvajal Segura
09-02-2013 07:58 AM
Hi Julio,
thanks for the answer.
But for example, I don't know how to configure a thing like this in the fwsm
Router(config)# ip access-list extended EXTERNAL-ACL
Router(config-ext-nacl)# deny tcp any any log
Router(config-ext-nacl)# deny udp any any log
Router(config-ext-nacl)# deny icmp any any log
Router(config-ext-nacl)# deny ip any any
Router(config)# ip inspect name CBAC-EXAMPLE tcp
Router(config)# ip inspect name CBAC-EXAMPLE udp
Router(config)# ip inspect name CBAC-EXAMPLE icmp
Router(config)# interface ethernet0
Router(config-if)# ip access-group EXTERNAL-ACL in
Router(config-if)# ip inspect CBAC-EXAMPLE out
thanks
Regards
Fred
09-02-2013 10:35 AM
Hello Frederico,
By default on a FWSM traffic from the inside to the router will be allowed and statefully inspected.
And traffic from lower to higher will be blocked. No need to configure it
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
09-03-2013 03:18 AM
The ASA, as Julio has mentioned, is a stateful firewall. Meaning it keeps track of the connections that originate on interfaces that are configured to allow such connections.
Initially this is enabled through the use of security-levels. Interfaces configured with higher security-levels are allowed to initiate traffic to interfaces with lower security-levels. These connections are then placed in a state table which is then inspected when the return traffic reaches the ASA. If the ASA finds a match in the state table for the return traffic, the traffic is permitted; otherwise it is dropped.
Once you configure an ACL on the interface, then the security-level no longer has any meaning (until you remove all ACLs on the interface). Then traffic is permitted based on the configured ACL. All traffic that is permitted by the ACL is placed in the state table, which is again checked and permitted for the return traffic.
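As an added example (not posted by Fred, Julio or the third reply), here is an FWSM configuration that does what Fred's CBAC snippet does: outbound connections from the higher security-level interface are tracked in the state table, return traffic is matched against that table before the outside ACL is consulted, and unsolicited inbound tcp/udp/icmp is denied with logging. Interface names, VLAN numbers, ACL and policy-map names and the addresses are assumptions chosen for the example; the default class-map inspection_default and policy-map global_policy exist on a fresh FWSM 3.x configuration.

```cisco
! Added example config (assumed VLANs/addresses), not from the thread.
! Vlan10 = inside (security-level 100), Vlan20 = outside (security-level 0).
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan20
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! No ACL on the inside interface: traffic from security-level 100 to 0 is
! permitted by the security levels and each connection is entered in the
! state table. That replaces "ip inspect CBAC-EXAMPLE out" in the CBAC snippet.
!
! Inbound ACL on the outside interface, equivalent to EXTERNAL-ACL: explicit,
! logged denies for tcp/udp/icmp, then a silent deny for everything else.
! Replies to existing connections hit the state table first, so they pass.
access-list OUTSIDE-IN extended deny tcp any any log
access-list OUTSIDE-IN extended deny udp any any log
access-list OUTSIDE-IN extended deny icmp any any log
access-list OUTSIDE-IN extended deny ip any any
access-group OUTSIDE-IN in interface outside
!
! tcp and udp are tracked statefully with no further configuration. ICMP is
! only tracked when icmp inspection is enabled; without the "inspect icmp"
! line an outbound ping's echo-reply would be dropped by OUTSIDE-IN.
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
```

If you later put an access-group on the inside interface (for example to restrict outbound traffic to tcp, udp and icmp as the CBAC inspect list implicitly did), the security levels stop mattering for that interface, as the reply above notes, and only what that ACL permits is accepted and added to the state table.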