Sup720 communicating with fwsm

Answered Question
Jun 27th, 2007

Hi, I have a 6509 switch with the Sup720 and a fwsm. I cannot get these two modules to communicate. When I ping the fwsm from the sup720 I get no response, and when I ping the sup720 from the fwsm I get no response. This is my first experience with the fwsm and the 6509 series switch.

I have added the vlans into the firewall so it can communicate with those and the interfaces have the correct ips.

The sup720 has IP 10.1.0.2 on vlan10.

The fwsm has IP 10.1.0.1 on vlan10.

I am just looking for some advice and any will be appreciated; this is holding up the upgrade to our network. Thank you.

Correct Answer
Jon Marshall Wed, 06/27/2007 - 22:45

Hi

Can you add the following in your config

icmp permit any "pix interface"

where pix interface is the name of the interface with the 10.1.0.1 ip address.

If this does not work can you send a copy of your config.

HTH

Jon

amadeusri Fri, 06/29/2007 - 19:17

Ok, so that last post fixed my problem but now I have one more. Traffic is bypassing the firewall module and going straight out of the switch. If anyone has any ideas on this I would appreciate the help, thank you!

Jon Marshall Sat, 06/30/2007 - 02:25

Hi

Could you send some more details as to how you have set up your FWSM etc. and how you know traffic is bypassing the FWSM?

If traffic is not going through the FWSM, it sounds like the MSFC is routing traffic around it.

Jon

glynnd Sun, 07/01/2007 - 05:52

You probably created more than one SVI, other than the one inside interface, which in your case is vlan 10. For any other vlans on your FWSM, you do NOT want to create layer 3 vlan interfaces in IOS.

jlhainy Sun, 07/01/2007 - 11:04

On my 6500 & FWSM, I configured the FWSM in routed mode. Each firewall interface is actually a vlan that sits on the 6500. To link a vlan to your FWSM, you need to use the firewall vlan-group command. So for example, if you have vlan 100 as your Inside interface and vlan 101 as the outside interface, you would use the command (config)#firewall vlan-group 1 100,101.

This will link those vlans to the FWSM. You can then go into the fwsm and link a firewall interface to one of those vlans. You need to do the same if you want to create DMZ interfaces and have them link to vlans.

Once that is done, I just created a static default route to the "inside" interface of the FWSM, thus forcing all of my traffic to go through the firewall.

Hopefully that will give you some ideas.
