12-09-2012 12:39 PM - edited 03-11-2019 05:35 PM
Hi,
I have a few questions about FWSM configuration and best practices.
1. I have internal and external networks on both sides of FWSM. All the VLANs/IP/Ports that need to be filtered on both inside and outside are remote for FWSM and are only learned via layer 3 routing. Is it OK to configure only two interfaces on FWSM, INSIDE and OUTSIDE and route traffic accordingly?
2. Internal VLANs each have different security ACL policies. How do I differentiate between them when creating ACL rules when using only the INSIDE interface for all networks? I guess one way to do it is to create multiple object groups for each VLAN and define ACLs accordingly??
3. Is it OK if you mix and match multiple permit and deny statements in this case? For example, for one object group there will be some deny and some permit statements and then for next object group there will be some deny and permit statements. Does it work? Is it scalable?
4. When a packet arrives on the interface, is the entire ACL checked, or does it exit as soon as it matches a permit or deny?
5. Do you need to specify an explicit deny at the end or is it there by default?
Thanks
12-09-2012 01:48 PM
Hi,
- Jouni
12-09-2012 07:22 PM
Thanks for your reply, Jouni.
1. Internal networks are a mix of user VLANs, server farms etc. External network is all internet. This FWSM is going to be on Internet Perimeter router.
2. I cannot bring internal VLANs to FWSM and make it L3 gateway. Traffic between all internal vlan is through routers. It is only when they need to go to internet they will pass through FWSM.
3. I am guessing for each object group there will be "deny" statements at the top and then "permit" statements.
Can it be multiple permit statements and then "deny all" for the object group? It is not a very large network.
12-09-2012 11:27 PM
Hi,
There is really no limitation on how many permit or deny statements to have other than the device's resources (which probably won't be the case) and that there can't be 2 identical statements (an exception to this is configuring an ACL line and there also being that identical rule in an ACL rule which uses an object-group).
A normal case where you might have permit and deny ACL rules after each other is for example first allowing SMTP connections to some servers, then blocking all the rest of the SMTP connections in the next ACL rule.
- Jouni
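The thread's questions 3 to 5 (mixing permit and deny per object group, first-match evaluation, the implicit deny at the end) and Jouni's SMTP ordering example can all be seen in one place with a small simulator. The following is an added example, not code from this thread or from Cisco: it parses a handful of FWSM/ASA-style "access-list ... extended" lines with object-group references and evaluates a flow against them the way the firewall does, stopping at the first matching entry and falling back to an implicit deny. The object-group names, addresses and the ACL itself are constructed for illustration, and the parser deliberately covers only the address forms any, host, object-group and network/netmask plus a single "eq" port; real FWSM syntax (port ranges, service object groups, remarks, and so on) is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed object groups (hypothetical names and addresses, not from the thread).
# On the FWSM these would be "object-group network <NAME>" blocks, one per internal VLAN.
OBJECT_GROUPS: Dict[str, List[str]] = {
    "MAIL_SERVERS": ["10.1.10.25/32", "10.1.10.26/32"],
    "USER_VLAN_20": ["10.1.20.0/24"],
    "SERVER_VLAN_30": ["10.1.30.0/24"],
}

# Constructed ACL applied inbound on the single INSIDE interface.
# Lines 1-2 are the ordering Jouni describes: permit SMTP from the mail servers,
# then deny SMTP from everyone else; the remaining lines are the per-VLAN permits.
INSIDE_IN = [
    "access-list INSIDE_IN extended permit tcp object-group MAIL_SERVERS any eq smtp",
    "access-list INSIDE_IN extended deny tcp any any eq smtp",
    "access-list INSIDE_IN extended permit tcp object-group USER_VLAN_20 any eq www",
    "access-list INSIDE_IN extended permit tcp object-group USER_VLAN_20 any eq https",
    "access-list INSIDE_IN extended permit ip object-group SERVER_VLAN_30 any",
]

# Minimal port-name table so the ACL can use the usual keyword names.
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}


@dataclass
class Ace:
    """One access control entry after parsing."""
    action: str
    proto: str
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    dport: Optional[int]
    text: str


def _parse_addr(tok: List[str], i: int) -> Tuple[List[ipaddress.IPv4Network], int]:
    """Read one address specifier starting at tok[i]; return its networks and the next index."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1] + "/32")], i + 2
    if tok[i] == "object-group":
        return [ipaddress.ip_network(n) for n in OBJECT_GROUPS[tok[i + 1]]], i + 2
    # "network netmask" form, e.g. 10.1.20.0 255.255.255.0
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)], i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]'."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError("unsupported ACL syntax: " + line)
    action, proto = tok[3], tok[4]
    if action not in ("permit", "deny"):
        raise ValueError("unknown action in: " + line)
    src, i = _parse_addr(tok, 5)
    dst, i = _parse_addr(tok, i)
    dport: Optional[int] = None
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Ace(action, proto, src, dst, dport, line)


def ace_matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    """True when the flow falls inside this entry ('ip' matches every protocol)."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not any(s in net for net in ace.src) or not any(d in net for net in ace.dst):
        return False
    return ace.dport is None or ace.dport == dport


def evaluate(acl: List[str], proto: str, src: str, dst: str,
             dport: int) -> Tuple[str, Optional[int], int]:
    """First-match evaluation. Returns (action, index of matching line or None, entries examined)."""
    for idx, line in enumerate(acl):
        ace = parse_ace(line)
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action, idx, idx + 1      # evaluation stops at the first match
    # Nothing matched: the implicit deny at the end of every ACL applies.
    return "deny", None, len(acl)


if __name__ == "__main__":
    flows = [
        ("tcp", "10.1.10.25", "203.0.113.10", 25),   # mail server -> permitted by line 1
        ("tcp", "10.1.20.5", "203.0.113.10", 25),    # user VLAN SMTP -> denied by line 2
        ("tcp", "10.1.20.5", "203.0.113.10", 80),    # user VLAN web -> permitted by line 3
        ("tcp", "10.1.20.5", "203.0.113.10", 22),    # user VLAN ssh -> implicit deny
        ("udp", "10.1.30.7", "203.0.113.53", 53),    # server VLAN -> permitted by 'ip' line
    ]
    for flow in flows:
        print(flow, "->", evaluate(INSIDE_IN, *flow))
```

The "entries examined" count in the result makes the first-match behaviour visible: the mail-server flow is decided after one entry, while the SSH flow walks the whole list before the implicit deny catches it. Because later entries are never consulted once a match is found, the permit-then-deny pair for SMTP only works in that order; swapping the two lines would deny the mail servers as well.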