FWSM 2.3

anasubra_2
Level 1

Hi,

We are trying to deploy an FWSM in one of the 6500 switches in the lab. To start with, we are using this FWSM in routed mode. The inside VLAN is 100 and the outside VLAN is 200. The MSFC has layer 2 VLANs configured for these 2 VLANs. We are able to ping from the FWSM to the other side of VLAN 100 and VLAN 200, but not from the far end of VLAN 100 to the far end of VLAN 200. In order to verify that the routing is proper in the FWSM, we made the security levels of VLAN 100 and VLAN 200 equal; after that we are able to ping from one end of VLAN 100 to VLAN 200 passing through the FWSM. We are not sure what we are missing in the access-list when the security levels are different. I am hereby pasting the relevant part of the config for your kind reference.

FWSM Version 2.3(2)
nameif vlan200 outside security0
nameif vlan100 inside security100
fixup protocol icmp
access-list inside extended permit ip any any
access-list outside extended permit ip any any
pager lines 24
ip address outside 141.198.50.22 255.255.255.252
ip address inside 168.39.50.33 255.255.255.252
icmp permit any outside
icmp permit any inside
access-group outside in interface outside
access-group outside out interface outside
access-group inside in interface inside
access-group inside out interface inside
route outside 0.0.0.0 0.0.0.0 141.198.50.21 1

Kindly let me know if we have missed something in the configuration.

Thanking You

Regards

Anantha Subramanian Natarajan

Accepted Solution

Fernando_Meza
Level 7

Hi. You probably need to add the command below to allow ICMP error messages to traverse the device:

fixup protocol icmp error

Also, when you have security 0 and 100 for the outside and inside interfaces, then if you are initiating a ping from the outside segment, by default you would not be able to reach internally; that is the way it works. So, for example, if you are trying to reach the internal devices using their real internal IP addresses, then you need something like this:

static (inside,outside) 168.39.50.33 168.39.50.33 netmask 255.255.255.252

The above line will solve access initiated from outside. Access initiated from inside is likely to be solved by the fixup command I mentioned at the beginning plus the static command I mentioned above. Of course this is not the way it would be configured in a real scenario (private IP being advertised as private), but this is just a lab scenario, as you mentioned!!

I hope it helps. Please rate it if it does!!!
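The reply's two points (ICMP error inspection, and a translation entry plus an inbound ACL before a lower-security interface can reach a higher-security one) put together as one complete lab configuration. This is an added example, not the configuration of the original poster or of the replier. It keeps the interface addresses and default route from the post and assumes the inside host being pinged is 168.39.50.34 (the other usable address in 168.39.50.32/30); the ACL names outside_in and inside_in are choices made for this example.

```cisco
! FWSM 2.3 routed-mode lab, added example (addresses from the post; host 168.39.50.34 assumed)
nameif vlan200 outside security0
nameif vlan100 inside security100

! "fixup protocol icmp" tracks echo request/reply as a connection so the reply
! is allowed back; "fixup protocol icmp error" additionally lets ICMP error
! messages from intermediate hops (TTL exceeded, unreachable) pass through.
fixup protocol icmp
fixup protocol icmp error

ip address outside 141.198.50.22 255.255.255.252
ip address inside 168.39.50.33 255.255.255.252

! On this version a translation entry is required for traffic to cross the
! firewall. An identity static keeps the inside address unchanged and, because
! a static is bidirectional, it also covers inside-initiated traffic, so no
! nat/global pair is needed for the lab. Assumption: the inside host is .34.
static (inside,outside) 168.39.50.34 168.39.50.34 netmask 255.255.255.255

! Traffic from the lower-security (outside) interface also needs an ACL applied
! inbound on that interface. Keep the rules narrow rather than "permit ip any any":
! only echo to the one inside host from outside, and anything from that host outbound.
access-list outside_in extended permit icmp any host 168.39.50.34 echo
access-list inside_in extended permit ip host 168.39.50.34 any
access-group outside_in in interface outside
access-group inside_in in interface inside

! "icmp permit" only governs ICMP addressed to the FWSM's own interface
! addresses, not pings that pass through it; kept so the FWSM itself stays pingable.
icmp permit any outside
icmp permit any inside

route outside 0.0.0.0 0.0.0.0 141.198.50.21 1
```

To check that the pieces are being hit rather than just configured: ping from the outside host, then look at `show xlate` for the identity translation of 168.39.50.34, at `show access-list` for non-zero hit counts on outside_in and inside_in, and at `debug icmp trace` (turn it off again with `no debug icmp trace`) to watch the echo request arrive on outside and the reply leave inside. If the xlate never appears, the static is not matching the host being pinged; if the ACL counters stay at zero, the packet is not reaching the FWSM on the expected VLAN.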

Hi,

Thank you very much

Regards

Anantha Subramanian Natarajan
