Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1810
Views
0
Helpful
2
Replies

FWSM Security Level

Go to solution
estelamathew
Level 2
Level 2

‎05-31-2011 07:38 AM - edited ‎03-11-2019 01:40 PM

Hello Friends,

What i know is in ASA Higher Security level can access lower security level without an access-list but Natting is must if NAT-CONTROL is enabled

BUT in FWSM Higher Security  when it needs to access lower security level it needs access-list and Natting ???? m i correct????   And the same applies for lower security level.

Please clear my doubt.

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mirober2
Cisco Employee
Cisco Employee

‎05-31-2011 08:32 AM

Hello,

Yes, you are correct. The FWSM differs from the ASA in that you must permit the traffic in the inbound ACL, regardless of the security level. This is documented here:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/nwacc_f.html
"To allow any traffic to enter the FWSM, you must attach an inbound access list to an interface; otherwise, the FWSM automatically drops all traffic that enters that interface."

So, even for high security to low security traffic, you still must have an ACL to permit the traffic on the FWSM. Likewise, if NAT control is enabled, the traffic must also match a NAT rule (this is the same as the ASA behavior).

Hope that helps.

-Mike

View solution in original post

0 Helpful
2 Replies 2

Go to solution
mirober2
Cisco Employee
Cisco Employee

‎05-31-2011 08:32 AM

Hello,

Yes, you are correct. The FWSM differs from the ASA in that you must permit the traffic in the inbound ACL, regardless of the security level. This is documented here:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/nwacc_f.html
"To allow any traffic to enter the FWSM, you must attach an inbound access list to an interface; otherwise, the FWSM automatically drops all traffic that enters that interface."

So, even for high security to low security traffic, you still must have an ACL to permit the traffic on the FWSM. Likewise, if NAT control is enabled, the traffic must also match a NAT rule (this is the same as the ASA behavior).

Hope that helps.

-Mike

0 Helpful

Go to solution
estelamathew
Level 2
Level 2
In response to mirober2

‎06-02-2011 03:23 PM

Thanks Dear.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card