FWSM - telnet/ssh access

Answered Question
May 22nd, 2008

I have added a new FWSM in a 6509 distribution box. Here is how it is connected


Access switch -> 6509 FWSM -> MSFC -> Core -> My PC network


Config on the FWSM:


interface Vlan850
 nameif inside
 security-level 100
 ip address 10.50.100.1 255.255.255.0
!
interface Vlan860
 nameif outside
 security-level 0
 ip address 10.50.200.2 255.255.255.0

route outside 0.0.0.0 0.0.0.0 10.50.200.1

access-list acl_allow_all extended permit ip any any
access-list acl_allow_all extended permit icmp any any

access-group acl_allow_all in interface outside
access-group acl_allow_all out interface outside
access-group acl_allow_all in interface inside
access-group acl_allow_all out interface inside

icmp permit any outside
icmp permit any inside

no nat-control

telnet 10.27.9.52 255.255.255.255 outside


Config on MSFC:


firewall module 7 vlan-group 50
firewall vlan-group 50 850,860

interface Vlan860
 ip address 10.50.200.1 255.255.255.0

ip route 10.50.100.0 255.255.255.0 10.50.200.2


I can ping the outside interface (10.50.200.2) of the FWSM from my PC but cannot ping the inside interface 10.50.100.1. I tried telnet to the outside interface but I am getting the following error


May 22 2008 14:03:54: %FWSM-6-302013: Built inbound TCP connection 0 for outside:10.27.9.52/1122 (10.27.9.52/1122) to outside:10.50.200.2/23 (10.50.200.2/23)

May 22 2008 14:03:54: %FWSM-4-402117: IPSEC: Received a non-IPSec packet (protocol= tcp) from 10.27.9.52 to 10.50.200.2.


I can ping my PC 10.27.9.52 from FWSM


FWSM# ping 10.27.9.52
Sending 5, 100-byte ICMP Echos to 10.27.9.52, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


I do not have any crypto ACL and so do not know what the actual problem is.


I am running 3.1(6) code on FWSM and 12.2(18)SXF8 on the sup720.


I am puzzled. Any ideas?






Correct Answer
vitripat Thu, 05/22/2008 - 11:33
User Badges:
  • Gold, 750 points or more

Hi,


We cannot use Telnet to the lowest security interface unless you use Telnet inside an IPSec tunnel. This is the reason you are getting the %FWSM-4-402117 syslog. Please refer to the following link:


http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/mgacc_f.html#wp1054101


I'd rather recommend configuring SSH access on the outside interface; please refer to the following link for the same:


http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/mgacc_f.html#wp1042023


Hope that helps.


Regards,

Vibhor.
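As an added example (not part of the original thread, and not taken from the linked Cisco documents), here is what the answer amounts to in FWSM 3.1 configuration: the Telnet line from the question, which can never complete on the security-level 0 interface without an IPsec tunnel, beside the SSH configuration that replaces it. The management host 10.27.9.52 and the interface names come from the question; the hostname, domain name, key size, user name and the placeholder passwords in angle brackets are assumptions for illustration.

```cisco
! From the question: Telnet permitted on the lowest-security interface.
! The FWSM accepts Telnet there only inside an IPsec tunnel, so each SYN
! is dropped and logged as %FWSM-4-402117 "Received a non-IPSec packet".
! Remove it rather than leave an entry that cannot work.
no telnet 10.27.9.52 255.255.255.255 outside

! An SSH host key requires a hostname and domain name to exist first.
! (hostname, domain name and modulus are assumed values)
hostname fwsm-dist1
domain-name example.com
crypto key generate rsa modulus 1024

! Permit SSH only from the single management PC, only on outside.
! Force SSHv2 and drop idle sessions after 5 minutes.
ssh 10.27.9.52 255.255.255.255 outside
ssh version 2
ssh timeout 5

! Without AAA the SSH login is user "pix" with the Telnet/login password.
! Prefer a named local account so management access is attributable.
! (user name and passwords are placeholders)
username netadmin password <strong-password> privilege 15
aaa authentication ssh console LOCAL
enable password <enable-password>

! Save: the generated RSA key is written together with the configuration.
write memory
```

After this, `show ssh sessions` lists the client once it has connected, and the 302013/402117 pair from the question should no longer appear for port 23, because nothing is permitted there any more. If Telnet is wanted later from a host on the inside network, `telnet <host> 255.255.255.255 inside` is the form that works, since that interface is not the lowest-security one.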

mchockalingam Thu, 05/22/2008 - 11:42

SSH worked.


I do not have any PC/machine on the inside yet and so this was just temporary.


Thank you very much for your help.

mchockalingam Thu, 05/29/2008 - 06:16

Now, I have a host on the inside network with a static IP of 10.50.100.11 and the default gateway of FWSM's inside IP which is 10.50.100.1.


I cannot ping anything from that machine to outside. Tried other types of traffic like ssh or telnet and nothing works. I disabled NAT and also allowed all ICMP and IP traffic and applied it to the interfaces in all directions.


Any ideas?
