I have added a new FWSM in a 6509 distribution box. Here is how it is connected:
Access switch -> 6509 FWSM -> MSFC -> Core -> My PC network
config on the FWSM:
ip address 10.50.100.1 255.255.255.0
ip address 10.50.200.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.50.200.1
access-list acl_allow_all extended permit ip any any
access-list acl_allow_all extended permit icmp any any
access-group acl_allow_all in interface outside
access-group acl_allow_all out interface outside
access-group acl_allow_all in interface inside
access-group acl_allow_all out interface inside
icmp permit any outside
icmp permit any inside
telnet 10.27.9.52 255.255.255.255 outside
Config on MSFC:
firewall module 7 vlan-group 50
firewall vlan-group 50 850,860
ip address 10.50.200.1 255.255.255.0
ip route 10.50.100.0 255.255.255.0 10.50.200.2
I can ping the outside interface (10.50.200.2) of the FWSM from my PC but cannot ping the inside interface 10.50.100.1. I tried Telnet to the outside interface but I am getting the following error:
May 22 2008 14:03:54: %FWSM-6-302013: Built inbound TCP connection 0 for outside:10.27.9.52/1122 (10.27.9.52/1122) to outside:10.50.200.2/23 (10.50.200.2/23)
May 22 2008 14:03:54: %FWSM-4-402117: IPSEC: Received a non-IPSec packet (protocol= tcp) from 10.27.9.52 to 10.50.200.2.
I can ping my PC 10.27.9.52 from the FWSM:
FWSM# ping 10.27.9.52
Sending 5, 100-byte ICMP Echos to 10.27.9.52, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
I do not have any crypto ACL and so do not know what the actual problem is.
I am running 3.1(6) code on FWSM and 12.2(18)SXF8 on the sup720.
I am puzzled. Any ideas?
We cannot use Telnet to the lowest security interface unless you use Telnet inside an IPSec tunnel. This is the reason you are getting the %FWSM-4-402117 syslog. Please refer to the following link:
I'd rather recommend configuring SSH access on the outside interface; please refer to the following link for the same:
Hope that helps.
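The SSH alternative recommended in the answer above, shown next to the Telnet line it replaces. This is an added example, not part of the original thread or of Cisco's documentation; the username `fwadmin`, the `<strong-password>` placeholder, the 1024-bit modulus and the 10-minute timeout are assumptions, and 10.27.9.52 is the admin PC from the question.

```cisco
! Added example, not from the thread. Constructed values: username "fwadmin",
! the <strong-password> placeholder, 1024-bit modulus, 10-minute timeout.

! Before (from the question): Telnet on the outside interface. Per the
! answer, Telnet to the lowest-security interface is refused unless it
! arrives inside an IPSec tunnel, which is what syslog 402117 reports.
no telnet 10.27.9.52 255.255.255.255 outside

! After: generate the RSA host key that SSH needs, then permit SSH
! from the same single management host on the outside interface.
crypto key generate rsa modulus 1024
ssh 10.27.9.52 255.255.255.255 outside
ssh timeout 10

! Authenticate SSH sessions against a local user account.
username fwadmin password <strong-password>
aaa authentication ssh console LOCAL

! Save the configuration so the key and the SSH rule survive a reload.
write memory
```

Keeping the `/32` host mask on the `ssh` line preserves the same source restriction the original `telnet` line had.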