[c-nsp] FWSM & same-security-traffic questions

Patrick Vanderstocken patrhak at gmail.com
Thu Jul 13 02:28:52 EDT 2006


Sure, you can use ACLs to policy your inter-interface traffic.
I suppose that by enabling same-security you won't need static
statements since you don't need to override the level.

It is not mandatory to use NAT statements between same security level
interfaces, up to you if you want to use it or not...

Pat

Concerning NAT you can choose whether to enable it or not using nat-control.

On 7/13/06, matthew zeier <mrz at velvet.org> wrote:
>
> Deploying a new FWSM with one outside interface and 10 or so inside
> interfaces.  All are "inside" and separated as different purposed inside
> networks but generally all the same security-wise (none is higher or lower
> than the other in practical terms).
>
> My requirements are that inter-interface traffic talk non-NAT'd and are
> policied by ACLs (build can't talk to qa machines but can talk to the
> interface with the cvs server, for example).
>
> Is it best to use "same-security-interface permit inter-interface" ?  What are
> the drawbacks?  Can I use ACLs?
>
> Or is it better to use different security-level interfaces along with "nat
> (qa) 0 ..." and access-lists applied to interfaces?
>
> Thanks - mz.
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

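The two designs discussed in the thread, written out as an added FWSM configuration sketch (this is not configuration from either poster). It assumes FWSM 3.x single-context syntax; the VLAN numbers, interface names (build, qa, cvs), addresses and the CVS pserver port 2401 are assumptions chosen for illustration.

```cisco
! Added example, not from the thread. Assumed FWSM 3.x syntax; all names,
! VLANs and addresses are made up for illustration.

! --- Option A: equal security levels, ACL-only policy, no NAT between them ---
! Interfaces at the same level cannot talk at all until this is enabled;
! after that the interface ACLs are the only policy between them.
same-security-traffic permit inter-interface
! Without nat-control the FWSM forwards flows that match no nat/static
! entry, so build<->qa<->cvs traffic keeps its real addresses.
no nat-control

interface Vlan10
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
interface Vlan20
 nameif build
 security-level 50
 ip address 10.1.20.1 255.255.255.0
interface Vlan30
 nameif qa
 security-level 50
 ip address 10.1.30.1 255.255.255.0
interface Vlan40
 nameif cvs
 security-level 50
 ip address 10.1.40.1 255.255.255.0

! Policy for hosts behind "build": CVS pserver to the assumed cvs host
! is allowed, qa is explicitly denied, everything else (including the
! outside) is allowed. Order matters: the deny must precede the permit any.
access-list BUILD_IN extended permit tcp 10.1.20.0 255.255.255.0 host 10.1.40.10 eq 2401
access-list BUILD_IN extended deny ip 10.1.20.0 255.255.255.0 10.1.30.0 255.255.255.0
access-list BUILD_IN extended permit ip 10.1.20.0 255.255.255.0 any
access-group BUILD_IN in interface build

! Internet-bound traffic is still translated to the outside address;
! these nat 1 entries do not touch inside-to-inside flows under Option A.
global (outside) 1 interface
nat (build) 1 10.1.20.0 255.255.255.0
nat (qa) 1 10.1.30.0 255.255.255.0
nat (cvs) 1 10.1.40.0 255.255.255.0

! --- Option B: distinct security levels plus identity NAT ---
! If build, qa and cvs instead get different security-level values,
! same-security-traffic is not required, but a "nat 0 access-list" is the
! way to exempt the inter-interface traffic from translation while the
! same interface ACLs still enforce the policy. One entry per inside
! interface that originates such traffic (only "build" shown here).
access-list NONAT extended permit ip 10.1.20.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (build) 0 access-list NONAT
```

One FWSM-specific caveat worth checking in either option: unlike a PIX/ASA, the FWSM does not implicitly permit traffic from a higher-security interface to a lower one, so every inside interface that must originate traffic (qa, cvs, and so on) needs its own ACL applied with `access-group`, not only the interfaces that receive restricted traffic. Verify the resulting policy with `show access-list` (hit counts) and `show xlate` (to confirm that inter-interface flows create no translations) before cutting production traffic over.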
