Firewall Services Module blocking traffic when it should be allowed

Unanswered Question
Oct 2nd, 2007

Hi all, I'm trying to set up a 6509 with a FWSM and am having some trouble. I have most of the config set up and working; I can ping from inside of the 6509 to a Cisco 3750 that is connected on the outside with a L3 SVI with IP 192.168.113.10 (represents real IPs).

The outside interface on the FWSM is 192.168.113.8, the inside interface is 10.1.0.10, and the Sup720 L3 SVI is 10.1.0.11. Both 10.x.x.x IPs are on VLAN 10; the 192.168.x.x IPs are on VLAN 113.

The problem is that the 3750 with IP 192.168.113.10 cannot ping anything past 192.168.113.8. It is my understanding that my access lists should allow everything through for testing purposes, and I will lock it down more once I have it figured out. I have posted the FWSM config to help with any questions.

======FWSM config=======

FWSM# sh run
: Saved
:
FWSM Version 2.3(4)
nameif vlan113 outside security0
nameif vlan10 inside security100
enable password xxx
passwd xxx
hostname FWSM
ftp mode passive
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol icmp
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
access-list in_out extended permit ip any any
access-list in_out extended permit icmp any any
access-list out_in extended permit icmp any any
access-list out_in extended permit ip any any
access-list test extended permit icmp any any
access-list test extended permit ip any any
pager lines 22
logging buffer-size 4096
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.113.8 255.255.255.0
ip address inside 10.1.0.10 255.255.255.0
no failover
failover lan unit secondary
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
icmp permit any outside
icmp permit any inside
no pdm history enable
arp timeout 14400
global (outside) 1 192.168.113.57
global (outside) 1 192.168.113.58
global (outside) 1 192.168.113.59
nat (outside) 0 192.168.113.0 255.255.255.0
nat (inside) 0 192.168.113.0 255.255.255.0
nat (inside) 1 10.1.0.0 255.255.0.0
access-group test in interface outside
access-group test out interface outside
access-group test in interface inside
access-group test out interface inside
!
interface outside
!
!
interface inside
!
!
route outside 0.0.0.0 0.0.0.0 192.168.113.10 1
route inside 10.1.0.0 255.255.0.0 10.1.0.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
floodguard enable
fragment size 200 outside
fragment chain 24 outside
fragment size 200 inside
fragment chain 24 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum: xxxx
: end

===Relevant Sup720 configs====

firewall module 2 vlan-group 2
firewall vlan-group 2 10,113
interface GigabitEthernet1/1
 switchport
 switchport access vlan 113
 no ip address
!
interface GigabitEthernet1/2
 switchport
 switchport access vlan 10
 no ip address
!
!
interface Vlan10
 ip address 10.1.0.11 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.0.10

Jon Marshall Tue, 10/02/2007 - 12:57

Hi

What are you trying to ping on the inside network? You will need to set up static translations for the machines on the inside of the FWSM, e.g.

if you want to ping 10.1.0.20 from the 3750:

static (inside,outside) 10.1.0.20 10.1.0.20 netmask 255.255.255.255

You need to do this for all servers on the inside, or for testing you can just present the entire network:

static (inside,outside) 10.1.0.0 10.1.0.0 netmask 255.255.255.0

Of course this will now conflict with:

global (outside) 1 192.168.113.59

nat (inside) 1 10.1.0.0 255.255.0.0

But if you need to initiate connections from outside to inside then you cannot use dynamic PAT like this.

HTH

Jon

amadeusri Tue, 10/02/2007 - 13:29

I have a workstation sitting on the inside network with ip address 10.1.0.50.

Is there a way to have NAT setup so that the internal computers can access outside networks but also be reachable from the outside?

What I'm saying is I don't want to have static routes set up for all the computers, and I don't want the 'global' static route for ALL computers with the IP 10.1.x.x since it will not NAT if I do that.

Jon Marshall Tue, 10/02/2007 - 22:32

Hi

"Is there a way to have NAT setup so that the internal computers can access outside networks but also be reachable from the outside?"

If you want to initiate connections from the outside to your internal machines you have 2 options:

1) Setup static translations for them

2) Turn off NAT, but then the inside addresses must be routable from the outside.

The problem you face is that you dynamically NAT all your 10.1.0.x addresses to one outside address. This is fine for connections initiated from the inside, but if you wanted to initiate a connection to 10.1.0.50 from outside, in your current setup you would have to connect to the 192.168.113.59 address. But how would the firewall know which 10.1.0.x address this was meant to be going to?

If your inside machines are routable from outside then, as I say, either turn off NAT or

static (inside,outside) 10.1.0.0 10.1.0.0 netmask 255.255.255.0

Jon
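The point Jon makes in both replies above (dynamic nat/global PAT only serves inside-initiated connections; an outside host can reach an inside address only once a static translation, or a nat 0 entry covering that real subnet, exists) can be checked with a small model. The following is an added example, not code from the thread or from Cisco: a hypothetical Fwsm class whose nat/global_/static methods mirror the CLI lines quoted above, with a simplified lookup order (statics before nat/global) that decides whether the firewall holds a translation for a packet. The addresses are the ones posted in the thread; the class, method names and thread_scenario function are the example's own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass
class Fwsm:
    """Toy model of three FWSM translation rule types (hypothetical class,
    not Cisco's implementation): nat/global, nat 0, and static."""
    nat_rules: List[Tuple[str, int, Net]] = field(default_factory=list)
    global_pool: List[Tuple[str, int, Addr]] = field(default_factory=list)
    statics: List[Tuple[Net, Net]] = field(default_factory=list)  # (real, mapped)

    # --- configuration verbs, mirroring the CLI lines quoted in the thread ---
    def nat(self, iface: str, nat_id: int, net: str, mask: str) -> None:
        """nat (iface) id net mask"""
        self.nat_rules.append((iface, nat_id, Net(f"{net}/{mask}")))

    def global_(self, iface: str, nat_id: int, ip: str) -> None:
        """global (iface) id ip"""
        self.global_pool.append((iface, nat_id, Addr(ip)))

    def static(self, real: str, mapped: str, mask: str) -> None:
        """static (inside,outside) real mapped netmask mask"""
        self.statics.append((Net(f"{real}/{mask}"), Net(f"{mapped}/{mask}")))

    # --- lookups ---
    @staticmethod
    def _map(addr: Addr, src_net: Net, dst_net: Net) -> Addr:
        # Same offset inside the mapped block; an identity static maps to itself.
        return dst_net[int(addr) - int(src_net.network_address)]

    def outbound(self, src: str) -> Optional[str]:
        """Inside-initiated packet from src: the source address seen on the
        outside, or None if no translation exists (the FWSM drops the packet)."""
        a = Addr(src)
        for real_net, mapped_net in self.statics:       # statics take precedence
            if a in real_net:
                return str(self._map(a, real_net, mapped_net))
        for iface, nat_id, net in self.nat_rules:
            if iface != "inside" or a not in net:
                continue
            if nat_id == 0:                             # nat 0: identity, no NAT
                return src
            for g_iface, g_id, g_ip in self.global_pool:
                if g_iface == "outside" and g_id == nat_id:
                    return str(g_ip)                    # dynamic PAT, built on demand
        return None

    def inbound(self, dst: str) -> Optional[str]:
        """Outside-initiated packet to dst: the real inside host it reaches,
        or None. A PAT global address hides many hosts, so a fresh connection
        to it cannot be matched to any one of them."""
        a = Addr(dst)
        for real_net, mapped_net in self.statics:
            if a in mapped_net:
                return str(self._map(a, mapped_net, real_net))
        for iface, nat_id, net in self.nat_rules:
            if iface == "inside" and nat_id == 0 and a in net:
                return dst
        return None


def thread_scenario() -> Tuple[Optional[str], Optional[str], Optional[str], Optional[str]]:
    """The poster's NAT lines, then Jon's identity static for the whole /24."""
    fw = Fwsm()
    for ip in ("192.168.113.57", "192.168.113.58", "192.168.113.59"):
        fw.global_("outside", 1, ip)
    fw.nat("outside", 0, "192.168.113.0", "255.255.255.0")
    fw.nat("inside", 0, "192.168.113.0", "255.255.255.0")   # does not cover 10.1.0.x
    fw.nat("inside", 1, "10.1.0.0", "255.255.0.0")
    ping_in_before = fw.inbound("10.1.0.50")   # None: the failure reported above
    ping_out = fw.outbound("10.1.0.50")        # PAT to the first global address
    fw.static("10.1.0.0", "10.1.0.0", "255.255.255.0")
    ping_in_after = fw.inbound("10.1.0.50")    # reachable once the static exists
    ping_out_after = fw.outbound("10.1.0.50")  # static now wins over nat 1: no PAT
    return ping_in_before, ping_out, ping_in_after, ping_out_after


if __name__ == "__main__":
    print(thread_scenario())
```

Running it shows the two halves of Jon's answer side by side: before the static, outbound traffic from 10.1.0.50 is translated to 192.168.113.57 but an inbound ping to 10.1.0.50 has no translation and is dropped; after the identity static, the host is reachable from outside and, because the static is consulted before nat 1, it is no longer PATed on the way out, which is the conflict Jon points out.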

amadeusri Wed, 10/03/2007 - 05:39

Thank you, that's what I thought was going to be the problem. The 192.x.x.x addresses actually represent public addresses on the network where I work; we are trying to do a network migration to private addresses (10.1.x.x) but would need to still be reachable for about a week. I'm thinking the only way to do this is to move all physical connections to the 6509 in one day and then start changing addresses; since everything will be behind the firewall there would be no problems with connectivity, I'm assuming.

Thanks again for the help, it's truly appreciated.
