1225 Views, 0 Helpful, 3 Replies

can't successfully ping the SVI address on FWSM. WHY?

kevin.john
Level 1

I have two C6509-E switches, each outfitted with one FWSM, and I use vlan 200 for the outside between the C6509 and the FWSM. The snapshot of the configuration is as follows, but I can't ping the SVI of vlan 200 from the FWSM. However, "show arp" on the C6509 indicates that the C6509 has learned the correct MAC address of the outside IP address.

SW Config

firewall multiple-vlan-interfaces
firewall module 2 vlan-group 1
firewall vlan-group 1 101,102,200,210-221

FWSM config

FWSM Version 2.3(4) <system>
resource acl-partition 3
enable password xxx
passwd xxx
hostname Primary
ftp mode passive
pager lines 24
logging buffer-size 4096
class default
limit-resource IPSec 5
limit-resource Mac-addresses 65535
limit-resource PDM 5
limit-resource SSH 5
limit-resource Telnet 5
limit-resource All 0
!
class low
limit-resource All 5.0%
!
failover
failover lan unit primary
failover lan interface faillink vlan 101
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
failover replication http
failover link statelink vlan 102
failover interface ip faillink 172.16.17.1 255.255.255.252 standby 172.16.17.2
failover interface ip statelink 172.16.17.5 255.255.255.252 standby 172.16.17.6
arp timeout 14400
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
terminal width 80
admin-context context-a
context context-a
description used-for-backend-servers
member default
allocate-interface vlan200
allocate-interface vlan210-vlan215
allocate-acl-partition 0
config-url disk:/context-a.cfg
!
context admin
member low
config-url disk:/admin.cfg
!
Cryptochecksum:xxx

FWSM Context-a Config

Primary/context-a# sho run
: Saved
:
FWSM Version 2.3(4) <context>
nameif vlan200 outside security0
nameif vlan210 inside security100
nameif vlan211 dmz1 security50
nameif vlan212 dmz2 security50
nameif vlan213 dmz3 security50
enable password xxx
passwd xxx
hostname context-a
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
access-list acl-in extended permit ip any any
pager lines 24
logging buffer-size 4096
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu dmz3 1500
ip address outside 10.0.180.253 255.255.255.0 standby 10.0.180.254
ip address inside 10.0.181.253 255.255.255.0 standby 10.0.181.254
pdm location 10.0.181.0 255.255.255.0 inside
no pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0
access-group acl-in in interface outside
access-group acl-in in interface inside
!
interface outside
!
!
interface inside
!
!
interface dmz1
!
!
interface dmz2
!
!
interface dmz3
!
!
route outside 0.0.0.0 0.0.0.0 10.0.180.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
..
..
floodguard enable
fragment size 200 outside
fragment chain 24 outside
fragment size 200 inside
fragment chain 24 inside
fragment size 200 dmz1
fragment chain 24 dmz1
fragment size 200 dmz2
fragment chain 24 dmz2
fragment size 200 dmz3
fragment chain 24 dmz3
telnet 10.0.181.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80

And I can successfully ping the failover and statelink IP addresses from each FWSM to the other.


3 Replies

Jon Marshall
Hall of Fame

Hi

Try adding to the admin context

"icmp permit any outside"

You don't have to use "any", you can restrict it to only certain ip addresses.

HTH

Jon

In my config, context-a is the admin-context and I have added the "permit ip any any" ACL on both the outside and inside interfaces. So why do I still need to add an icmp-related ACL? In addition, I restored multiple context mode to single context mode and also correctly configured the basic settings. But it still didn't work. I can successfully ping each other through the failover and stateful links.

An interesting thing is that when I execute the "show interface" command, regardless of whether in a context or in the system execution space, it shows lots of packets being dropped except under the edbc interface (the internal interface connected to the C6509 switch). WHY?

Hi ..

If you want to allow ICMP traffic that terminates at the FWSM interfaces then you need to use the icmp command. The ACLs are for traffic that traverses the FWSM.

Quoted from the FWSM Command Reference Guide:

"icmp: To configure access rules for Internet Control Message Protocol (ICMP) traffic that terminates at an interface, use the icmp command. To remove access rules, use the no form of this command."

I hope it helps .. please rate if it does !!!
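The distinction drawn in the replies above (interface ACLs for traffic that passes through the FWSM, the icmp command for ICMP that terminates on an interface) is modelled below in Python. This is an added, constructed example and not FWSM code. It parses only the command forms that appear on this page, treats the echo reply coming back to the outside interface address as ICMP terminating on that interface (as the replies do), and assumes, as the accepted answers imply, that ICMP to an interface is dropped until an icmp permit rule for that interface exists. THREAD_CONFIG, the Fwsm class, and the packet dictionaries are all constructed for the example.

```python
"""Model of two separate FWSM checks: access-group ACLs govern through-the-box
traffic, the `icmp` command governs ICMP terminating on a firewall interface.
Constructed example; not FWSM code."""
from ipaddress import ip_address, ip_network


def _net(tokens):
    """Consume one address spec ('any' | 'host A' | 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


class Fwsm:
    def __init__(self, default_to_box_icmp=False):
        # Assumption: with no `icmp` rules the FWSM drops ICMP aimed at its own
        # interface addresses, which is what the accepted answers imply.
        self.default_to_box_icmp = default_to_box_icmp
        self.if_addr = {}      # interface -> its own IP address
        self.acls = {}         # acl name -> [(action, proto, src_net, dst_net)]
        self.bound = {}        # interface -> acl name bound with access-group ... in
        self.icmp_rules = []   # [(action, src_net, icmp_type or None, interface)]

    def configure(self, text):
        """Parse the command forms used on this page (hypothetical mini-parser)."""
        for line in text.strip().splitlines():
            t = line.split()
            if not t:
                continue
            if t[:2] == ["ip", "address"]:
                self.if_addr[t[2]] = ip_address(t[3])
            elif t[0] == "access-list" and t[2] == "extended":
                src, rest = _net(t[5:])
                dst, _ = _net(rest)
                self.acls.setdefault(t[1], []).append((t[3], t[4], src, dst))
            elif t[0] == "access-group":
                self.bound[t[4]] = t[1]
            elif t[0] == "icmp":
                src, rest = _net(t[2:])
                icmp_type = rest[0] if len(rest) == 2 else None
                self.icmp_rules.append((t[1], src, icmp_type, rest[-1]))

    def _acl_permits(self, pkt):
        """Through-the-box: first matching ACE on the ingress ACL wins; implicit deny."""
        for action, proto, src, dst in self.acls.get(self.bound.get(pkt["in"]), []):
            if (proto in ("ip", pkt["proto"]) and ip_address(pkt["src"]) in src
                    and ip_address(pkt["dst"]) in dst):
                return action == "permit"
        return False

    def _icmp_to_box_permits(self, pkt):
        """To-the-box ICMP: only `icmp` rules for the ingress interface count;
        first match wins, implicit deny once any rule exists for that interface."""
        rules = [r for r in self.icmp_rules if r[3] == pkt["in"]]
        if not rules:
            return self.default_to_box_icmp
        for action, src, icmp_type, _iface in rules:
            if ip_address(pkt["src"]) in src and icmp_type in (None, pkt.get("type")):
                return action == "permit"
        return False

    def decide(self, pkt):
        """Return (path, permitted) for a packet dict with src, dst, proto, in, type."""
        if pkt["proto"] == "icmp" and ip_address(pkt["dst"]) in self.if_addr.values():
            return "to-box", self._icmp_to_box_permits(pkt)
        return "through", self._acl_permits(pkt)


# Constructed from the context-a lines quoted in the question.
THREAD_CONFIG = """
ip address outside 10.0.180.253 255.255.255.0 standby 10.0.180.254
ip address inside 10.0.181.253 255.255.255.0 standby 10.0.181.254
access-list acl-in extended permit ip any any
access-group acl-in in interface outside
access-group acl-in in interface inside
"""


def demo():
    """Decisions for the thread's config, then with the accepted answers applied."""
    reply_from_svi = {"src": "10.0.180.1", "dst": "10.0.180.253", "proto": "icmp",
                      "in": "outside", "type": "echo-reply"}
    reply_from_other = dict(reply_from_svi, src="10.0.180.99")
    ping_through = dict(reply_from_svi, dst="10.0.181.10", type="echo")

    before = Fwsm()
    before.configure(THREAD_CONFIG)
    anyone = Fwsm()
    anyone.configure(THREAD_CONFIG + "icmp permit any outside\n")
    restricted = Fwsm()  # Jon's point: the source can be narrowed instead of "any"
    restricted.configure(THREAD_CONFIG + "icmp permit host 10.0.180.1 echo-reply outside\n")
    return {
        "reply_to_outside_before": before.decide(reply_from_svi),
        "ping_through_before": before.decide(ping_through),
        "reply_to_outside_after": anyone.decide(reply_from_svi),
        "restricted_from_svi": restricted.decide(reply_from_svi),
        "restricted_from_other": restricted.decide(reply_from_other),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first two results show why "permit ip any any" alone did not help: the ACL is consulted for the through-the-box ping to 10.0.181.10, but the echo reply addressed to the outside interface itself never reaches the ACL and is decided by the icmp rules. The restricted variant also shows the implicit deny that applies once any icmp rule exists on an interface.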
