We have a few FWSMs in the core of our network, one of which sits in front of all our servers, the other between all our users.
There are various interfaces on all of them for different types of servers (DMZ, normal stuff, students, etc.). We're using CSM to deploy rules to them.
I've had a lot of 'fun', let's say, with rules. Most rules are configured with a direction of In, but there are a few rules with an Out direction on interfaces too. The firewalls only went in last year, and we had to be finished quickly, so quite a few ANY ANY IP type rules went in, again some with In and Out directions. Some are a bit more specific, however.
I've had some really odd, seemingly inexplicable results with these rules, and I feel the Out rules may be to blame. Having read through the FWSM documentation, I found this paragraph:
Traffic flowing across an interface in the FWSM can be controlled in two ways. Traffic that enters the FWSM can be controlled by attaching an inbound access list to the source interface. Traffic that exits the FWSM can be controlled by attaching an outbound access list to the destination interface. To allow any traffic to enter the FWSM, you must attach an inbound access list to an interface; otherwise, the FWSM automatically drops all traffic that enters that interface. By default, traffic can exit the FWSM on any interface unless you restrict it using an outbound access list, which adds restrictions to those already configured in the inbound access list.
The bold is my own highlighting.
It's that last sentence that concerns me. By default the firewall lets nothing in unless you let it in, but if you DO let something in, it assumes that, as you let it in, you want it let out on another port. That sentence suggests to me that if I add a single 'Allow' as an Out on an interface, let's say, it denies everything else. Or does it? I'm a little confused!
We did some training on the firewalls, but it was all done at rather breakneck speed, and the trainer mentioned something about In and Out rules, but I forgot what he said.
What I'd like is to use In rules only, as these Out rules are getting a bit confusing and they're making things unpredictable. I know they do have their uses, but I need to know if there are any gotchas or caveats of using them.
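To make the quoted documentation paragraph concrete, here is an added example (not from the original post, not Cisco code) that models how an inbound access list on the source interface and an outbound access list on the destination interface combine for one flow. It assumes the standard Cisco access-list evaluation (first matching entry wins, and every access list ends with an implicit deny), which is exactly what makes a single Out permit deny everything else leaving that interface. The interface names, addresses and rules are constructed sample data; the `Firewall`, `Rule` and `Flow` classes are hypothetical helpers written for this illustration.

```python
"""Toy model of FWSM-style access-list evaluation for a flow crossing two interfaces.

Assumed semantics (from the quoted FWSM documentation plus standard Cisco ACL rules):
  * an interface with no inbound ACL drops all traffic that enters it;
  * the inbound ACL on the source interface must permit the flow;
  * an outbound ACL on the destination interface, when present, must also permit it;
  * ACLs are evaluated first-match and end with an implicit deny.
All names, addresses and rules below are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src_if: str   # interface the packet enters on
    dst_if: str   # interface the packet would leave on
    src: str
    dst: str
    proto: str    # "tcp", "udp", "icmp"
    dport: int


@dataclass
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches any protocol
    src: str                  # CIDR, "0.0.0.0/0" plays the role of 'any'
    dst: str
    dport: Optional[int] = None   # None = any destination port

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if ip_address(f.src) not in ip_network(self.src):
            return False
        if ip_address(f.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == f.dport


def evaluate_acl(acl: List[Rule], f: Flow) -> bool:
    """First matching entry decides; no match means the implicit deny applies."""
    for r in acl:
        if r.matches(f):
            return r.action == "permit"
    return False


@dataclass
class Firewall:
    inbound: Dict[str, List[Rule]] = field(default_factory=dict)   # interface -> ACL applied 'in'
    outbound: Dict[str, List[Rule]] = field(default_factory=dict)  # interface -> ACL applied 'out'

    def forwards(self, f: Flow) -> bool:
        # No inbound ACL on the source interface: everything entering it is dropped.
        if f.src_if not in self.inbound:
            return False
        if not evaluate_acl(self.inbound[f.src_if], f):
            return False
        # The outbound ACL only adds restrictions; absent means no extra filtering.
        if f.dst_if in self.outbound:
            return evaluate_acl(self.outbound[f.dst_if], f)
        return True


def demo():
    """Show the effect of attaching a single-permit Out ACL on top of an ANY ANY In rule."""
    fw = Firewall()
    # Broad 'ANY ANY IP' style rule applied inbound on the users interface.
    fw.inbound["users"] = [Rule("permit", "ip", "10.1.0.0/16", "0.0.0.0/0")]

    web = Flow("users", "dmz", "10.1.5.20", "192.0.2.10", "tcp", 443)
    ssh = Flow("users", "dmz", "10.1.5.20", "192.0.2.10", "tcp", 22)
    reply = Flow("dmz", "users", "192.0.2.10", "10.1.5.20", "tcp", 443)  # dmz has no In ACL

    before = (fw.forwards(web), fw.forwards(ssh), fw.forwards(reply))

    # Attach one 'Allow' outbound on dmz: only HTTPS to the DMZ subnet is listed.
    fw.outbound["dmz"] = [Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.0/24", 443)]
    after = (fw.forwards(web), fw.forwards(ssh), fw.forwards(reply))
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before Out ACL (web, ssh, dmz->users):", b)   # (True, True, False)
    print("after  Out ACL (web, ssh, dmz->users):", a)   # (True, False, False)
```

The third flow is denied in both runs because the dmz interface has no inbound access list at all, matching the documentation's "otherwise, the FWSM automatically drops all traffic that enters that interface". The ssh flow flips from permitted to denied once the outbound list exists, even though the inbound ANY ANY rule still permits it: that is the implicit deny at the end of the new Out list doing the work.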