From: Roberto Clavero Montano (Roberto.Clavero@TELINDUS.ES)
Date: Fri Mar 14 2008 - 06:33:37 ARST
Hi,
On one hand, FINESSE software below release 3 (for appliance 7) doesn't support "intrazone" routing: a packet coming in on the outside interface can never leave the FW using that same interface. That behaviour applies to the rest of the interfaces. Later, in releases like 3 (for appl. 7) or higher, you can tell it to ignore this default behaviour. Something similar to "split horizon".
Same problem with the traffic between two interfaces with the same security level.
Command lines for the appliance; not sure if they are the same on the FWSM:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface (that one is the one you need)
On the other hand, the other problem that you explain is because of the architecture of the Catalyst and CEF. If you can disable CEF, then you will see that no traffic trying to reach another host in the same VLAN crosses your FW. That problem is explained in the following document: Cisco Catalyst 6500 Switch Architecture RST-3465 (USA, 2006), Networkers 2006. If you don't find it, unicast me!
Kind regards,
Roberto
Roberto Clavero Montano
CCNP, CCSP, SCSA, CCSA and WLFES
Network Security, Telindus, S.A.U.
Parc de Negocis Mas Blau II
Avinguda de les Garrigues n: 38 - 44, planta baixa
Edifici Mar Blau
El Prat de Llobregat - 08820 Barcelona
Mailto:roberto.clavero@telindus.es
T +34 93 303 01 59
F +34 93 307 26 95
Telindus. Change things your way.
http://www.telindus.es
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On behalf of groupstudy email
Sent: Thursday, March 13, 2008 20:03
To: ccielab@groupstudy.com
Subject: Off-Topic: FWSM Question
Hello,
I am working on a strange issue with my FWSM that perhaps someone in the group can help me with.
I have two VLANs configured:
vlan 4 outside
vlan 5 inside
I noticed in my log that traffic between devices in VLAN 4 (outside) is being blocked by the FW. The FW seems to think that this traffic is destined to the inside interface. That's one issue. Another issue is the fact that it should never even hit the FW, as the devices are on the same subnet.
Here is a snippet from the log:
Mar 13 2008 04:03:38 FWSMcontext : %FWSM-4-106023: Deny tcp src outside:10.10.10.34/1155 dst inside:10.10.10.45/139 by access-group "outside-in" [0x0, 0x0]
My questions are:
1. Does all traffic flow through the FW even if it is on the same subnet?
2. If so, why does the FW believe the destination is on the inside segment?
Looks like a bug but I am not sure.
Any help would be greatly appreciated.
Thanks,
S. Rick
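As an added example, not part of either message in this thread, the script below parses the %FWSM-4-106023 deny line quoted above and flags the exact symptom under discussion: a deny whose source and destination addresses fall in the same interface subnet while the FWSM has classified the destination onto a different interface (the hairpin that the same-security-traffic / CEF discussion in the reply is about). The interface subnets and the second log line are constructed assumptions, since the thread gives neither subnet masks nor any further log lines.

```python
import ipaddress
import re

# Pattern for the %FWSM-4-106023 deny message quoted in the thread.
DENY_RE = re.compile(
    r"%FWSM-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Assumed interface addressing: the thread never states the subnet masks,
# so these networks are constructed for the example.
INTERFACE_SUBNETS = {
    "outside": ipaddress.ip_network("10.10.10.0/24"),
    "inside": ipaddress.ip_network("192.168.5.0/24"),
}

# Constructed sample log: the first line is the thread's quoted message on one
# line; the second is an ordinary outside-to-inside deny that must not be flagged.
SAMPLE_LOG = [
    'Mar 13 2008 04:03:38 FWSMcontext : %FWSM-4-106023: Deny tcp src outside:10.10.10.34/1155 '
    'dst inside:10.10.10.45/139 by access-group "outside-in" [0x0, 0x0]',
    'Mar 13 2008 04:05:12 FWSMcontext : %FWSM-4-106023: Deny tcp src outside:10.10.10.34/1201 '
    'dst inside:192.168.5.20/445 by access-group "outside-in" [0x0, 0x0]',
]


def parse_deny(line):
    """Return the fields of a 106023 deny as a dict, or None for other lines."""
    m = DENY_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["src_port"] = int(event["src_port"])
    event["dst_port"] = int(event["dst_port"])
    return event


def is_hairpin_deny(event, subnets=INTERFACE_SUBNETS):
    """True when both endpoints sit in the source interface's subnet but the FWSM
    placed the destination on a different interface: the symptom in the thread."""
    src_net = subnets.get(event["src_if"])
    if src_net is None:
        return False
    src = ipaddress.ip_address(event["src_ip"])
    dst = ipaddress.ip_address(event["dst_ip"])
    return src in src_net and dst in src_net and event["dst_if"] != event["src_if"]


def find_hairpin_denies(lines, subnets=INTERFACE_SUBNETS):
    """Filter a list of syslog lines down to the hairpin denies described above."""
    hits = []
    for line in lines:
        event = parse_deny(line)
        if event and is_hairpin_deny(event, subnets):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for ev in find_hairpin_denies(SAMPLE_LOG):
        print("hairpin deny: %s:%s -> %s:%s (classified as %s), acl %s" % (
            ev["src_if"], ev["src_ip"], ev["dst_if"], ev["dst_ip"],
            ev["dst_if"], ev["acl"]))
```

Running it on the constructed sample flags only the first line. Lines matched this way are the same-VLAN traffic that the switch handed to the FWSM, so from a monitoring point of view they are expected noise from the outside-in ACL rather than an access attempt from a different segment; the fix is in the forwarding path (the intra-interface setting in the reply, or the CEF behaviour it mentions), not in the ACL.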
This archive was generated by hypermail 2.1.4 : Tue Apr 01 2008 - 07:53:53 ART