
FWSM w/ Multiple CXT understanding..

Not applicable

I am trying to get my config working with 6500 and Virtual FWs with an FWSM.

My first issue is that I cannot even ping from my VLAN5 outside interface, which was created in the MSFC and has been allocated to the FWSM admin cxt 'outside' interface. I'm not sure if I need to set up static(inside,outside) mappings on the admin context? VLANs 10 & 20 have also been allocated to the FWSM module but I'm stuck. Can someone please advise on how I can get IP connectivity through VLAN 5 (admin cxt) down to VLAN 10 inside (customer-a) cxt?

Display vlan-groups created by both ACE module and FWSM
Group    Created by      vlans
-----    ----------      -----
    1          FWSM      5,10,20
    5          FWSM      <empty>
   10          FWSM      <empty>
   20          FWSM      <empty>

6504-B#show firewall mod
Module Vlan-groups
------ -----------
  04   1,5,10,20
6504-B#

===========================

FWSM config below

FWSM-B# sho context
Context Name      Class      Interfaces       Mode      URL
*admin            default    Vlan5            Routed    disk:/admin.cfg
 customer-a       default    Vlan10,Vlan5     Routed    disk:/cust-a.cfg

Total active Security Contexts: 2
FWSM-B#

+++++++++++++++++++++++++++++++++++++++

Admin context

FWSM-B/admin# sho run
: Saved
:
FWSM Version 3.2(2) <context>
!
hostname FWSM-B
enable password xxx
names
!
interface Vlan5
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
passwd xxx
access-list 101 extended permit icmp any any
pager lines 24
mtu outside 1500
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
aaa authentication http console LOCAL
http server enable
http 10.0.0.0 255.255.255.255 outside
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
class-map default
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:xxx
: end
FWSM-B/admin#

thanks,

Al

1 Reply 1

yongl
Level 1

Hi,

Please add 'icmp permit any outside' in FWSM configuration.
