06-22-2007 08:39 AM - edited 03-11-2019 03:34 AM
Hi,
We are trying to deploy a FWSM in one of the 6500 switches in the lab. To start with, we are using this FWSM in routed mode. The inside is vlan 100 and the outside is vlan 200. The MSFC has layer 2 vlans configured for these 2 VLANs. We are able to ping from the FWSM to the other side of vlan 100 and 200, but not from the other end of vlan 100 to the other end of vlan 200. In order to verify that the routing is proper in the FWSM, we made the security levels of vlan 100 and 200 equal; after that we are able to ping from one end of vlan 100 to vlan 200 passing through the FWSM. We are not sure what we are missing in the access-list when the security levels are different. I am hereby pasting the relevant part of the config for your kind reference.
FWSM Version 2.3(2)
nameif vlan200 outside security0
nameif vlan100 inside security100
fixup protocol icmp
access-list inside extended permit ip any any
access-list outside extended permit ip any any
pager lines 24
ip address outside 141.198.50.22 255.255.255.252
ip address inside 168.39.50.33 255.255.255.252
icmp permit any outside
icmp permit any inside
access-group outside in interface outside
access-group outside out interface outside
access-group inside in interface inside
access-group inside out interface inside
route outside 0.0.0.0 0.0.0.0 141.198.50.21 1
Kindly let me know if we are missing something in the configuration.
Thanking You
Regards
Anantha Subramanian Natarajan
06-23-2007 04:19 AM
Hi .. you probably need to add the below command for allowing icmp error messages to traverse the device
fixup protocol icmp error
Also, when you have security 0 and 100 for the outside and inside interfaces, then if you are initiating a ping from the outside segment, by default you would not be able to reach internally .. that is the way it works. So for example, if you are trying to reach the internal devices using their real internal IP addresses, then you need something like this:
static (inside,outside) 168.39.50.33 168.39.50.33 netmask 255.255.255.252
The above line will solve access initiated from outside. Access initiated from inside is likely to be solved by the fixup command I have mentioned at the beginning plus the static command I mentioned before. Of course this is not the way it would be configured in a real scenario (private IP being advertised as private), but this is just a lab scenario as you mentioned it !!
I hope it helps .. please rate it if it does !!!
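As an added illustration (not part of the thread, and not FWSM code), a small Python model of the checks the reply above describes: the inbound ACL is consulted first, equal security levels pass without a translation, and unequal levels require a translation such as the static the reply suggests. Interface names, security levels, the ACLs and the static's network come from the thread; the host address 168.39.50.34, the use of the route gateway 141.198.50.21 as the outside host, and the exact ordering of checks are assumptions, and ICMP inspection (the fixup) is not modelled.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Fwsm:
    """Teaching model (an assumption, not FWSM code) of the checks an FWSM 2.x
    applies to a new flow: inbound interface ACL, security-level comparison,
    and the translation (xlate) that FWSM requires between unequal levels."""
    levels: dict                      # interface name -> security level
    acl_permits_any: dict             # interface name -> inbound ACL is 'permit ip any any'
    statics: set = field(default_factory=set)  # (real_if, mapped_if, real_network)

    def _has_static(self, high_if, low_if, inner_ip):
        # 'static (high,low) net net' publishes hosts of net on the low-security side
        return any(real == high_if and mapped == low_if and inner_ip in net
                   for real, mapped, net in self.statics)

    def forward(self, src_if, dst_if, src_ip, dst_ip):
        # 1. Inbound ACL on the arriving interface (the poster's 'permit ip any any')
        if not self.acl_permits_any.get(src_if, False):
            return "drop: acl"
        # 2. Equal security levels: the flow needs no translation (the poster's test)
        if self.levels[src_if] == self.levels[dst_if]:
            return "pass"
        # 3. Unequal levels: the higher-security host must have an xlate
        high_if, low_if = sorted((src_if, dst_if), key=self.levels.get, reverse=True)
        inner_ip = src_ip if src_if == high_if else dst_ip
        if not self._has_static(high_if, low_if, inner_ip):
            return "drop: no translation"
        return "pass"

def lab_results():
    """The situations from the thread; host addresses are constructed for the model."""
    acls = {"inside": True, "outside": True}
    in_host, out_host = ip_address("168.39.50.34"), ip_address("141.198.50.21")
    posted = Fwsm({"inside": 100, "outside": 0}, acls)
    equal = Fwsm({"inside": 100, "outside": 100}, acls)
    # The reply's 'static (inside,outside) 168.39.50.33 ... netmask 255.255.255.252'
    fixed = Fwsm({"inside": 100, "outside": 0}, acls,
                 {("inside", "outside", ip_network("168.39.50.33/30", strict=False))})
    return {
        "posted_in_to_out": posted.forward("inside", "outside", in_host, out_host),
        "posted_out_to_in": posted.forward("outside", "inside", out_host, in_host),
        "equal_levels": equal.forward("inside", "outside", in_host, out_host),
        "static_in_to_out": fixed.forward("inside", "outside", in_host, out_host),
        "static_out_to_in": fixed.forward("outside", "inside", out_host, in_host),
    }

if __name__ == "__main__":
    for case, verdict in lab_results().items():
        print(f"{case:18} {verdict}")
```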
06-23-2007 06:14 PM
Hi,
Thank you very much
Regards
Anantha Subramanian Natarajan