Can't successfully ping the SVI address on FWSM. WHY?

Answered Question
Mar 16th, 2007

I have two C6509-E switches, each fitted with one FWSM, and use VLAN 200 as the outside VLAN between the C6509 and the FWSM. A snapshot of the configuration follows, but I can't ping the SVI of VLAN 200 from the FWSM. However, "show arp" on the C6509 indicates that the C6509 has learned the correct MAC address for the outside IP address.


SW Config

firewall multiple-vlan-interfaces
firewall module 2 vlan-group 1
firewall vlan-group 1 101,102,200,210-221

FWSM config

FWSM Version 2.3(4) <system>
resource acl-partition 3
enable password xxx
passwd xxx
hostname Primary
ftp mode passive
pager lines 24
logging buffer-size 4096
class default
  limit-resource IPSec 5
  limit-resource Mac-addresses 65535
  limit-resource PDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
  limit-resource All 0
!
class low
  limit-resource All 5.0%
!
failover
failover lan unit primary
failover lan interface faillink vlan 101
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
failover replication http
failover link statelink vlan 102
failover interface ip faillink 172.16.17.1 255.255.255.252 standby 172.16.17.2
failover interface ip statelink 172.16.17.5 255.255.255.252 standby 172.16.17.6
arp timeout 14400
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
terminal width 80
admin-context context-a
context context-a
  description used-for-backend-servers
  member default
  allocate-interface vlan200
  allocate-interface vlan210-vlan215
  allocate-acl-partition 0
  config-url disk:/context-a.cfg
!
context admin
  member low
  config-url disk:/admin.cfg
!
Cryptochecksum:xxx


FWSM Context-a Config

Primary/context-a# sho run
: Saved
:
FWSM Version 2.3(4) <context>
nameif vlan200 outside security0
nameif vlan210 inside security100
nameif vlan211 dmz1 security50
nameif vlan212 dmz2 security50
nameif vlan213 dmz3 security50
enable password xxx
passwd xxx
hostname context-a
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
access-list acl-in extended permit ip any any
pager lines 24
logging buffer-size 4096
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu dmz3 1500
ip address outside 10.0.180.253 255.255.255.0 standby 10.0.180.254
ip address inside 10.0.181.253 255.255.255.0 standby 10.0.181.254
pdm location 10.0.181.0 255.255.255.0 inside
no pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0
access-group acl-in in interface outside
access-group acl-in in interface inside
!
interface outside
!
!
interface inside
!
!
interface dmz1
!
!
interface dmz2
!
!
interface dmz3
!
!
route outside 0.0.0.0 0.0.0.0 10.0.180.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
..
..
floodguard enable
fragment size 200 outside
fragment chain 24 outside
fragment size 200 inside
fragment chain 24 inside
fragment size 200 dmz1
fragment chain 24 dmz1
fragment size 200 dmz2
fragment chain 24 dmz2
fragment size 200 dmz3
fragment chain 24 dmz3
telnet 10.0.181.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80


And I can successfully ping the failover and statelink IP addresses between the two FWSMs.

Correct Answer
Jon Marshall Fri, 03/16/2007 - 07:06

Hi


Try adding to the admin context


"icmp permit any outside"


You don't have to use "any", you can restrict it to only certain ip addresses.


HTH


Jon

kevin.john Sun, 03/18/2007 - 19:57

In my config, context-a is the admin context and I have added the "permit ip any any" ACL on both the outside and inside interfaces. So why do I still need to add an ICMP-related ACL? In addition, I changed multiple context mode back to single context mode and correctly configured the basic settings, but it still didn't work. I can successfully ping each unit from the other through the failover and stateful links.


An interesting thing is that when I execute the "show interface" command, whether in a context or in the system execution space, it shows lots of dropped packets on every interface except the edbc interface (the internal interface connected to the C6509 switch). WHY?

Correct Answer
Fernando_Meza Sun, 03/18/2007 - 20:53

Hi ..


If you want to allow ICMP traffic that terminates at the FWSM interfaces then you need to use the icmp command. The ACLs are for traffic that traverses the FWSM.


Quoted from the FWSM Command Reference Guide ..

"icmp

To configure access rules for Internet Control Message Protocol (ICMP) traffic that terminates at an interface, use the icmp command. To remove access rules, use the no form of this command."


I hope it helps .. please rate if it does !!!
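Both answers above (Jon Marshall's "icmp permit any outside" and Fernando_Meza's quote from the command reference) rest on one distinction: the ACL bound with access-group only governs traffic that passes through the FWSM, while ICMP addressed to an FWSM interface itself is governed by the separate icmp command. The script below is an added example for this thread, not code from the original post or from Cisco. It parses icmp rules out of a config, evaluates them the way the documentation describes (top-down per interface, first match wins, implicit deny once any rule exists on that interface), and runs that next to a check of the through-traffic ACL, so you can see that "permit ip any any" on the outside interface and "ICMP from the VLAN 200 SVI is accepted at the outside interface" are two unrelated questions. Assumptions, also marked in the code: the SVI address is taken to be 10.0.180.1 (the poster's default-route next hop); the config snippets are trimmed, constructed copies of the context-a config; and the behaviour when an interface has no icmp rules at all is passed in as default_permit rather than hard-coded, because it differs between platforms and versions (the outcome in this thread is consistent with deny on FWSM 2.3(4), but the script does not bake that in).

```python
"""Model the FWSM/ASA split between through-traffic ACLs and the `icmp` command.

Added example for this thread, not code from the original post or from Cisco.
Assumed semantics: `icmp` rules are evaluated top-down per interface, first
match wins, and once any rule exists for an interface unmatched ICMP to that
interface is denied. Behaviour with no rules at all is platform/version
dependent, so it is a parameter (`default_permit`), not a hard-coded fact.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed from the context-a config in the question, trimmed to the lines
# that matter here. Addresses are the poster's own.
ORIGINAL_CONFIG = """\
nameif vlan200 outside security0
nameif vlan210 inside security100
access-list acl-in extended permit ip any any
ip address outside 10.0.180.253 255.255.255.0 standby 10.0.180.254
access-group acl-in in interface outside
access-group acl-in in interface inside
route outside 0.0.0.0 0.0.0.0 10.0.180.1 1
"""

# Same config plus the fix the answers suggest, narrowed to one host instead of
# "any". ASSUMPTION: 10.0.180.1 (the default-route next hop) is the VLAN 200 SVI.
FIXED_CONFIG = ORIGINAL_CONFIG + """\
icmp permit host 10.0.180.1 outside
icmp deny any outside
"""


@dataclass
class IcmpRule:
    action: str                     # "permit" or "deny"
    source: ipaddress.IPv4Network   # any / host A / A MASK, normalised to a network
    icmp_type: Optional[str]        # e.g. "echo"; None means any ICMP type
    interface: str                  # nameif, e.g. "outside"


def parse_icmp_rules(config: str) -> List[IcmpRule]:
    """Parse `icmp {permit|deny} {any|host A|A MASK} [type] ifname` lines, in order."""
    rules: List[IcmpRule] = []
    for raw in config.splitlines():
        p = raw.split()
        if len(p) < 4 or p[0] != "icmp" or p[1] not in ("permit", "deny"):
            continue
        if p[2] == "any":
            source, idx = ipaddress.IPv4Network("0.0.0.0/0"), 3
        elif p[2] == "host":
            source, idx = ipaddress.IPv4Network(p[3] + "/32"), 4
        else:  # "address mask" form
            source, idx = ipaddress.IPv4Network(f"{p[2]}/{p[3]}", strict=False), 4
        rest = p[idx:]
        if len(rest) == 1:
            icmp_type, interface = None, rest[0]
        elif len(rest) == 2:
            icmp_type, interface = rest[0], rest[1]
        else:
            raise ValueError(f"unparseable icmp rule: {raw!r}")
        rules.append(IcmpRule(p[1], source, icmp_type, interface))
    return rules


def icmp_to_box_permitted(rules: List[IcmpRule], src_ip: str, interface: str,
                          icmp_type: str = "echo", default_permit: bool = False) -> bool:
    """Would ICMP of `icmp_type` from `src_ip` that terminates on `interface` be accepted?"""
    src = ipaddress.IPv4Address(src_ip)
    on_iface = [r for r in rules if r.interface == interface]
    if not on_iface:
        return default_permit       # no ICMP control list on this interface
    for r in on_iface:
        if src in r.source and r.icmp_type in (None, icmp_type):
            return r.action == "permit"
    return False                    # implicit deny once any rule is configured


def bound_acl_permits_ip_any(config: str, interface: str) -> bool:
    """True if the ACL applied inbound on `interface` contains 'permit ip any any'.

    Deliberately narrow: its only job is to show that a wide-open through-traffic
    ACL says nothing about ICMP addressed to the interface itself.
    """
    acl_name: Optional[str] = None
    entries: Dict[str, List[List[str]]] = {}
    for raw in config.splitlines():
        p = raw.split()
        if p[:1] == ["access-group"] and p[2:5] == ["in", "interface", interface]:
            acl_name = p[1]
        elif p[:1] == ["access-list"] and len(p) > 3 and p[2] == "extended":
            entries.setdefault(p[1], []).append(p[3:])
    return acl_name is not None and ["permit", "ip", "any", "any"] in entries.get(acl_name, [])


def audit(config: str, interface: str, peer_ip: str) -> Dict[str, bool]:
    """The two independent controls for one interface, side by side."""
    return {
        "through_traffic_acl_open": bound_acl_permits_ip_any(config, interface),
        "icmp_to_interface_from_peer": icmp_to_box_permitted(
            parse_icmp_rules(config), peer_ip, interface),
    }


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("with icmp rules", FIXED_CONFIG)):
        print(name, audit(cfg, "outside", "10.0.180.1"))
```

Running it prints that the original config is "open" for through traffic on outside yet accepts no ICMP at the outside interface, and that adding a host-scoped icmp permit (plus an explicit icmp deny any) flips only the second value. That is also the practical shape of the fix: permit the SVI (and any management hosts) rather than "any", since the icmp command is the only thing standing between the box itself and ICMP from the outside VLAN.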

