FWSM w/ Multiple CXT understanding..

Unanswered Question
Mar 10th, 2008

I am trying to get my config working with 6500 and Virtual FWs with an FWSM.

My first issue is that I cannot even ping from my VLAN5 outside interface which was created in the MSFC and has been allocated to the FWSM admin cxt 'outside' interface. I'm not sure if I need to set up static(inside,outside) mappings on the admin context. VLANs 10 & 20 have also been allocated to the FWSM module but I'm stuck. Can someone please advise on how I can get IP connectivity through VLAN 5 (admin cxt) down to VLAN 10 inside (customer-a) cxt?

Display vlan-groups created by both ACE module and FWSM

Group  Created by  vlans
-----  ----------  -----
1      FWSM        5,10,20
5      FWSM        <empty>
10     FWSM        <empty>
20     FWSM        <empty>

6504-B#show firewall mod

Module  Vlan-groups
------  -----------
04      1,5,10,20



FWSM config below

FWSM-B# sho context

Context Name  Class    Interfaces    Mode    URL
*admin        default  Vlan5         Routed  disk:/admin.cfg
customer-a    default  Vlan10,Vlan5  Routed  disk:/cust-a.cfg

Total active Security Contexts: 2



Admin context

FWSM-B/admin# sho run
: Saved

FWSM Version 3.2(2) <context>

hostname FWSM-B
enable password xxx

interface Vlan5
 nameif outside
 security-level 0
 ip address

passwd xxx
access-list 101 extended permit icmp any any
pager lines 24
mtu outside 1500
no asdm history enable
arp timeout 14400
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
aaa authentication http console LOCAL
http server enable
http outside
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5

class-map inspection_default
 match default-inspection-traffic
class-map default

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp

service-policy global_policy global

: end




yongl Tue, 03/11/2008 - 01:55


Please add 'icmp permit any outside' in FWSM configuration.
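
An added example, not part of the thread: a small audit of a context's running-config for the gap the reply points at. It assumes, as the reply implies, that an interface with no `icmp permit` rule does not answer pings, and it also flags ACLs that are defined but never bound with `access-group` (the posted `access-list 101` is one). The function name, messages and the 192.0.2.0 subnet in the test are constructed for illustration.

```python
import re

# Trimmed copy of the admin-context config posted above (addresses were
# already blanked on the page, so the address line is left out here).
ADMIN_CFG = """\
interface Vlan5
 nameif outside
 security-level 0
access-list 101 extended permit icmp any any
http server enable
"""

def audit_icmp(cfg):
    """Per named interface, report whether pings to the firewall itself can be
    answered; also list ACLs that are defined but not applied to an interface."""
    nameifs, icmp_rules, acls, bound = [], {}, set(), set()
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)$", line):
            nameifs.append(m.group(1))
        elif m := re.match(r"icmp (permit|deny) (.+) (\S+)$", line):
            # Last token is the interface name; the middle part is source/type.
            icmp_rules.setdefault(m.group(3), []).append((m.group(1), m.group(2)))
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)$", line):
            bound.add(m.group(1))
    findings = []
    for name in nameifs:
        rules = icmp_rules.get(name, [])
        if not rules:
            findings.append(f"{name}: no 'icmp' rule, interface will not answer ping")
        elif any(act == "permit" and src.split()[0] == "any" for act, src in rules):
            findings.append(f"{name}: 'icmp permit any' answers every source; "
                            "narrow it once testing is done")
    for acl in sorted(acls - bound):
        findings.append(f"access-list {acl}: defined but not applied with access-group")
    return findings

if __name__ == "__main__":
    for finding in audit_icmp(ADMIN_CFG):
        print(finding)
```

The `icmp` rules cover traffic addressed to the firewall interface itself, while an access-list only filters traffic passing through the firewall and only after it is bound to an interface.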

