FWSM 2.3

Answered Question
Jun 22nd, 2007

Hi,

We are trying to deploy an FWSM in one of the 6500 switches in the lab. To start with, we are using this FWSM in routed mode. The inside is vlan 100 and the outside is vlan 200. The MSFC has layer 2 VLANs configured for these 2 VLANs. We are able to ping from the FWSM to the other side of vlan 100 and 200, but not from the other end of vlan 100 to the other end of vlan 200. In order to verify that the routing is proper in the FWSM, we made the security levels of vlan 100 and 200 equal; after that we are able to ping from one end of vlan 100 to vlan 200 passing through the FWSM. We are not sure what we are missing in the access-list when the security levels are different. I am hereby pasting the relevant part of the config for your kind reference.

FWSM Version 2.3(2)

nameif vlan200 outside security0
nameif vlan100 inside security100
fixup protocol icmp
access-list inside extended permit ip any any
access-list outside extended permit ip any any
pager lines 24
ip address outside 141.198.50.22 255.255.255.252
ip address inside 168.39.50.33 255.255.255.252
icmp permit any outside
icmp permit any inside
access-group outside in interface outside
access-group outside out interface outside
access-group inside in interface inside
access-group inside out interface inside
route outside 0.0.0.0 0.0.0.0 141.198.50.21 1

Kindly let me know if we have missed something in the configuration.

Thanking You

Regards

Anantha Subramanian Natarajan

Correct Answer by Fernando_Meza about 9 years 5 months ago

Hi .. you probably need to add the command below to allow ICMP error messages to traverse the device:

fixup protocol icmp error

Also, when you have security 0 and 100 for the outside and inside interfaces, then if you are initiating a ping from the outside segment, by default .. you would not be able to reach internally .. that is the way it works. So, for example, if you are trying to reach the internal devices using their real internal IP addresses, then you need something like this:

static (inside,outside) 168.39.50.33 168.39.50.33 netmask 255.255.255.252

The above line will solve access initiated from outside. Access initiated from inside is likely to be solved by the fixup command I mentioned at the beginning plus the static command I mentioned before. Of course this is not the way it would be configured in a real scenario (private IP being advertised as private), but this is just a lab scenario as you mentioned it !!

I hope it helps .. please rate it if it does !!!
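As an added check, not part of this thread or of any Cisco tooling, here is a small Python linter that parses the FWSM 2.3 lines pasted in the question and reports the two gaps named in the answer (no `fixup protocol icmp error`, no `static (inside,outside)`), plus the `permit ip any any` ACL bound inbound on the lowest-security interface. It assumes only the command forms shown on this page; the sample config below is constructed from the question's posting.

```python
import re

# Constructed sample: the relevant lines of the FWSM 2.3 config pasted in the question.
FWSM_CONFIG = """\
nameif vlan200 outside security0
nameif vlan100 inside security100
fixup protocol icmp
access-list inside extended permit ip any any
access-list outside extended permit ip any any
access-group outside in interface outside
access-group inside in interface inside
route outside 0.0.0.0 0.0.0.0 141.198.50.21 1
"""

def parse_config(text):
    """Pick out interface security levels, fixups, statics and any-any ACL bindings."""
    cfg = {"ifaces": {}, "fixups": set(), "statics": set(), "acl_any": set(), "bound": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"nameif \S+ (\S+) security(\d+)$", line):
            cfg["ifaces"][m[1]] = int(m[2])
        elif m := re.match(r"fixup protocol (.+)$", line):
            cfg["fixups"].add(m[1])
        elif m := re.match(r"static \((\S+),(\S+)\)", line):
            cfg["statics"].add((m[1], m[2]))          # (higher-security, lower-security) pair
        elif m := re.match(r"access-list (\S+) extended permit ip any any$", line):
            cfg["acl_any"].add(m[1])
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            cfg["bound"][m[2]] = m[1]                  # inbound ACL bound per interface
    return cfg

def lint(cfg):
    """Return human-readable findings for the gaps discussed in the thread."""
    findings = []
    if "icmp error" not in cfg["fixups"]:
        findings.append("missing 'fixup protocol icmp error': ICMP error messages "
                        "(unreachable, TTL exceeded) will not traverse the FWSM")
    lv = cfg["ifaces"]
    for lo in lv:
        for hi in lv:
            if lv[lo] < lv[hi] and (hi, lo) not in cfg["statics"]:
                findings.append(f"no static ({hi},{lo}): connections initiated from {lo} "
                                f"cannot reach {hi} hosts even with a permit ip any any ACL")
    lowest = min(lv, key=lv.get) if lv else None   # the outside-style interface
    if lowest and cfg["bound"].get(lowest) in cfg["acl_any"]:
        findings.append(f"access-list {cfg['bound'][lowest]} (permit ip any any) is bound inbound "
                        f"on {lowest}: fine for a lab, far too permissive for production")
    return findings
```

`lint(parse_config(FWSM_CONFIG))` returns three findings for the pasted config; appending the two commands from the answer leaves only the any-any ACL finding.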

Fernando_Meza Sat, 06/23/2007 - 04:19
