FWSM Transparent routing

Unanswered Question
Feb 8th, 2008

I have an FWSM in a 6509 running the latest firmware. It is inside of my network, so when I refer to "outside" I do not mean the Internet; I mean outside of the FWSM but still on my internal network. I have a different Internet firewall.

I can ping the management interface from outside addresses and I can also manage the firewall from "outside". I can ping it from the inside workstation and manage it.

My issue is that inside workstations cannot go further than the FWSM, and "outside" systems cannot access the workstation even though I have opened up the firewall as I have been troubleshooting. (Keep in mind again that it isn't open to the Internet, just my internal network.)

<Outside - VLAN30- IP Address>

I thought with transparent I used the Outside VLAN IP of as the gateway for my inside clients? I have also tried the MGMT IP and neither work.

Switch config

interface Vlan30
 ip address
 no ip unreachables
 no ip proxy-arp


VLAN 31 is a VLAN but not set as an interface

Firewall config

interface Vlan30
 nameif outside
 bridge-group 2
 security-level 0

interface Vlan31
 nameif inside
 bridge-group 2
 security-level 100

interface BVI2
 ip address

route outside
access-list outside extended permit tcp any any
access-list outside extended permit udp any any
access-group outside in interface outside

(I do realize that I have opened it up; not a risk at the moment.)

tmcls Mon, 02/11/2008 - 08:18

I got it working once I looked at the syslogs. (Duh)

I got it to work by NAT, but I guess I didn't think that with transparent you needed to define a NAT rule. I thought it just didn't need it. I was also getting ACL denies on the inside interface, so once I opened up the inside it worked, which I didn't think I needed to do.

lowen Mon, 02/11/2008 - 12:35

You *don't* need to define NAT w/transparent mode. However, on the FWSM (unlike PIX and ASA) you *do* need an ACL on the inside interface before you can pass traffic.
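To make the two points in this reply concrete, here is a minimal FWSM transparent-mode bridge group written as an added example (it is not the original poster's configuration and not from Cisco documentation). It reuses the thread's VLAN numbers (30 outside, 31 inside) and bridge group 2; the addresses in 192.0.2.0/24 are placeholders from documentation space, and the upstream router address 192.0.2.1 is an assumption. No nat or global statements appear, and the inside interface gets its own ACL, which is what the FWSM requires before it will forward traffic from inside to outside:

```cisco
! Added example configuration (not the poster's): FWSM transparent mode,
! one bridge group joining VLAN 31 (inside) and VLAN 30 (outside).
! 192.0.2.0/24 is a placeholder range; 192.0.2.1 is an assumed upstream router.
firewall transparent
!
interface Vlan30
 nameif outside
 bridge-group 2
 security-level 0
!
interface Vlan31
 nameif inside
 bridge-group 2
 security-level 100
!
! The BVI address is only used for management of the FWSM itself (SSH,
! syslog, ping to the firewall). It is not a gateway: inside hosts keep the
! router on the outside side (the MSFC's VLAN 30 SVI) as their default
! gateway, and the FWSM bridges their frames between VLAN 31 and VLAN 30.
interface BVI2
 ip address 192.0.2.10 255.255.255.0
!
! Default route for traffic the FWSM originates (syslog, AAA), not for
! transit traffic. Assumed router address.
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! No NAT in transparent mode: nothing to translate, the FWSM is a bump in
! the wire.
!
! FWSM (unlike PIX/ASA) has no implicit higher-to-lower permit, so the
! inside interface needs an ACL of its own before inside hosts can leave.
access-list inside extended permit ip any any
access-group inside in interface inside
!
! Outside ACL, as in the thread but with icmp added so replies to pings from
! inside hosts are allowed back through (FWSM does not track ICMP state
! unless ICMP inspection is enabled).
access-list outside extended permit tcp any any
access-list outside extended permit udp any any
access-list outside extended permit icmp any any
access-group outside in interface outside
```

Two things to check after applying this: the syslog denies mentioned earlier in the thread disappear once the inside access-group is in place, and the outside ACL should be narrowed from permit any to the specific hosts and ports the internal "outside" systems need once connectivity is confirmed. Note also that the icmp permit commands govern only ICMP addressed to the FWSM's own interfaces; ICMP passing through the bridge group is controlled by the interface ACLs above.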

zlabovic Tue, 04/08/2008 - 23:54

I have the same problem. I have put an ACL with permit icmp any any and permit ip any any on both the inside and outside, and I still cannot ping or pass through the FWSM.

I have put the icmp permit any outside command and the icmp permit inside command in as well.

I am interested to know whether you have resolved the problem, and how?
