[c-nsp] FWSM & same-security-traffic questions

Andrew Yourtchenko ayourtch at cisco.com
Thu Jul 13 08:25:07 EDT 2006


As a "generic version-independent approach", based on my experience I'd 
opt for different security levels and "nat 0 access-list" to bypass the NAT, and use the 
normal interface ACLs for policy enforcement.

If you do not do any NAT on the box at all - then this kind of config is 
not a big burden - just a single ACL and one line of "nat (foo) 0 
access-list blah" per interface.

thanks,
andrew



On Thu, 13 Jul 2006, Patrick Vanderstocken wrote:

> Sure, you can use ACLs to police your inter-interface traffic.
> I suppose that by enabling same-security you won't need static
> statements since you don't need to override the level.
>
> It is not mandatory to use NAT statements between same security level
> interfaces, up to you if you want to use it or not...
>
> Pat
>
> Concerning NAT you can choose whether to enable it or not using nat-control.
>
> On 7/13/06, matthew zeier <mrz at velvet.org> wrote:
>>
>> Deploying a new FWSM with one outside interface and 10 or so inside
>> interfaces.  All are "inside" and separated as different purposed inside
>> networks but generally all the same security-wise (none is higher or lower
>> than the other in practical terms).
>>
>> My requirements are that inter-interface traffic talk non-NAT'd and are
>> policed by ACLs (build can't talk to qa machines but can talk to the
>> interface with the cvs server, for example).
>>
>> Is it best to use "same-security-interface permit inter-interface" ?  What are
>> the drawbacks?  Can I use ACLs?
>>
>> Or is it better to use different security-level interfaces along with "nat
>> (qa) 0 ..." and access-lists applied to interfaces?
>>
>> Thanks - mz.
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>

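An added configuration sketch of the design Andrew describes (distinct security levels, "nat (x) 0 access-list" identity NAT, policy in the interface ACLs), using mz's build/qa/cvs example. This is not a config from the thread; FWSM 3.x syntax is assumed, and all VLAN numbers, names and addresses are constructed.

```cisco
! Constructed example: three inside interfaces at different security levels.
! nat-control makes the NAT requirement explicit; the nat 0 access-list
! entries below exempt inter-interface traffic from translation.
nat-control
interface Vlan10
 nameif build
 security-level 60
 ip address 10.10.0.1 255.255.255.0
interface Vlan20
 nameif qa
 security-level 50
 ip address 10.20.0.1 255.255.255.0
interface Vlan30
 nameif cvs
 security-level 40
 ip address 10.30.0.1 255.255.255.0
!
! Identity NAT: one ACL and one "nat (x) 0 access-list" line per interface.
! Traffic matching the ACL crosses the box with addresses unchanged.
access-list NONAT-BUILD extended permit ip 10.10.0.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (build) 0 access-list NONAT-BUILD
access-list NONAT-QA extended permit ip 10.20.0.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (qa) 0 access-list NONAT-QA
access-list NONAT-CVS extended permit ip 10.30.0.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (cvs) 0 access-list NONAT-CVS
!
! Policy lives in the interface ACL, independent of the security levels:
! build may reach the cvs server on SSH, may not reach qa at all, and is
! otherwise limited to non-internal destinations. The implicit deny at the
! end of the ACL catches anything not listed.
access-list BUILD-IN extended deny ip any 10.20.0.0 255.255.255.0
access-list BUILD-IN extended permit tcp 10.10.0.0 255.255.255.0 host 10.30.0.5 eq 22
access-list BUILD-IN extended deny ip any 10.0.0.0 255.0.0.0
access-list BUILD-IN extended permit ip 10.10.0.0 255.255.255.0 any
access-group BUILD-IN in interface build
```

The qa and cvs interfaces need their own access-group in the same way; on the FWSM there is no implicit permit from a higher to a lower security level, so an interface without an inbound ACL passes nothing.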
