06-15-2009 12:12 PM - edited 03-11-2019 08:43 AM
Testing a FWSM in single context mode. The MSFC is located inside. There are two interfaces. One labeled outside security level 0. Inside interface security level 100.
All PCs on the inside interface should be permitted outside access. I added an incoming rule to the inside interface permitting all to all. Without that, inside users could not access the internet.
I added incoming rules to the outside interface for devices that should be permitted to access devices on the inside interface. That is the way it is setup on our current PIX.
What is bothering me is I don't see any hits on the incoming rules on the outside interface. Do I have the rules on the wrong interface? Should I have outgoing rules as well?
06-17-2009 11:25 AM
Have you verified the ACL is applied to the interface? It should be:
access-group ACL_NAME in interface INTERFACE_NAME
One thing that has gotten me a few times is that if you remove the lines from an ACL, it will remove the ACL from the applied interface and you have to re-add it.
06-17-2009 11:54 AM
I use the GUI for the ACL create. It shows it is applied. I have looked at the CLI to verify. I have the ACLs as incoming rules on the outside interface. The ACLs appear to be working but the hit counters are not changing. The hit counter is working on the inside interface for its incoming rules.
Still adjusting to the FWSM from the PIX, where I just had an outside and inside interface. I have that with the FWSM module but need to expand that with a DMZ once I get the hang of an inside and outside interface.
In the 4.0 config manual it states: 'To allow any traffic to enter the FWSM, you must attach an inbound access list to an interface; otherwise, the FWSM automatically drops all traffic that enters that interface. By default, traffic can exit the FWSM on any interface unless you restrict it using an outbound access.'
What confused me was the PIX had an implicit rule that permits all traffic to less secure networks for the inside interface. For the FWSM you have to add such a rule. I was tripped up for a while when a PC on the inside interface couldn't access the Internet off the outside interface till I added such a rule.
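The two-interface layout the thread describes, written out as an added configuration example (not taken from any post here) showing the explicit inside permit, a restrictive inbound outside ACL, and the commands used to check the binding and hit counters. VLAN numbers, addresses, ACL names and the inside web server are assumed placeholders; note that with a static translation the outside ACL must match the translated (global) address, which is a common reason for an outside rule to show no hits.

```cisco
! Added example, not from the thread. Single-context FWSM, two interfaces.
! VLANs, addresses and ACL names below are assumed placeholders.
interface Vlan10
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Vlan20
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Inside: the FWSM has no implicit permit toward lower-security
! interfaces, so outbound access must be allowed explicitly.
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! Publish an inside web server (10.1.1.10) at a global address.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
!
! Outside: permit only the published service; the destination in the
! ACL is the global (translated) address, not the inside address.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
!
! Verification: confirm each ACL is still bound (an ACL whose lines
! were all deleted loses its access-group) and watch hitcnt change.
show running-config access-group
show access-list OUTSIDE_IN
show access-list INSIDE_IN
```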