FWSM 6500- pinging VLAN interface

Answered Question
Jul 27th, 2008
I have an FWSM module installed in a Catalyst 6509E switch. I have configured 2 VLANs as follows:

HR: VLAN ID 16, gateway X.X.16.1

Management: VLAN ID 18, gateway X.X.18.1

I am trying to ping from a host in VLAN 16 to a host in VLAN 18, which is successful, but I can't ping the VLAN 18 gateway, which is X.X.18.1. Why is that?

Please reply.


Marwan ALshawi Fri, 08/01/2008 - 18:01
Check the following:

1. ACLs in both directions, because the FWSM, unlike the ASA, regardless of the security level you have, needs an ACL to permit traffic to flow; by default everything is denied.

2. Enable ICMP and ICMP error inspection.

3. Also make sure you have the right VLANs assigned to the FWSM, ports and client.

4. Finally, make sure the client has the right default gateway.

Good luck.

Please rate if helpful.

Farrukh Haroon Sat, 08/02/2008 - 12:17

Ahmad, are you trying to ping from a host in the VLAN 16 subnet to the FWSM's VLAN 18 SVI (gateway interface)?

If so, I'm afraid this will not work. The FWSM/ASA/PIX do not allow pinging any of their interfaces UNLESS you are part of the same interface subnet/zone. For example, VLAN 16 users can only ping X.X.16.1 and NOT X.X.18.1, and similarly VLAN 18 users can only ping X.X.18.1.


Regards


Farrukh

ahmad-sajjad Mon, 08/04/2008 - 21:42

Gentlemen!

Thanks a lot for your replies. I am going to enable ICMP error inspection on the FWSM to make sure about the ping.

Farrukh,

someone told me that the FWSM will not allow pinging from one VLAN to the other VLAN's gateway. In my case,

a host in the X.X.16.X VLAN can ping its own gateway, which is X.X.16.1, and can also ping a host in the X.X.18.X VLAN, but can't ping X.X.18.1, which is the gateway for VLAN 18. What is the logic? Why can't it ping?


Thanks

Farrukh Haroon Mon, 08/04/2008 - 21:55

As I told you, this is one of the 'rules' of the FWSM/ASA/PIX. Perhaps they did this to prevent 'mapping' of zones or something; personally I find it very annoying.

You will 'not' be able to ping X.X.18.1 from ANY machine in the X.X.16.X zone. Please check my previous post also, I said the same thing.


Regards


Farrukh
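Added example (not part of the thread, and not Cisco's code): a small Python model of the rule Farrukh describes in both of his replies, namely that a firewall interface address only answers ICMP that arrives on that same interface, plus the per-interface `icmp permit` rules Marwan's checklist touches on. The config is constructed; 10.0.16.0/24 and 10.0.18.0/24 stand in for the X.X.16.x and X.X.18.x subnets, and the "no icmp rules on an interface means accept" behaviour is an assumption of the model.

```python
import ipaddress
import re

# Constructed FWSM/ASA-style config: two VLAN interfaces, one icmp rule each.
FWSM_CONFIG = """\
interface Vlan16
 nameif HR
 ip address 10.0.16.1 255.255.255.0
interface Vlan18
 nameif Management
 ip address 10.0.18.1 255.255.255.0
icmp permit 10.0.16.0 255.255.255.0 HR
icmp permit 10.0.18.0 255.255.255.0 Management
"""

def parse_config(text):
    """Return ({nameif: ip_interface}, [(action, network, nameif)])."""
    ifaces, icmp_rules, name = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, ip, mask = line.split()
            ifaces[name] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif m := re.match(r"icmp (permit|deny) (\S+) (\S+) (\S+)$", line):
            action, net, mask, nameif = m.groups()
            icmp_rules.append((action, ipaddress.ip_network(f"{net}/{mask}"), nameif))
    return ifaces, icmp_rules

def ping_to_interface_allowed(cfg_text, src, dst):
    """Is an ICMP echo from host `src` to firewall address `dst` answered?"""
    ifaces, rules = parse_config(cfg_text)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress = next((n for n, i in ifaces.items() if src in i.network), None)
    target = next((n for n, i in ifaces.items() if i.ip == dst), None)
    if ingress is None or target is None:
        return False, "src not directly attached or dst is not a firewall interface"
    # The rule from the thread: an interface address answers only traffic that
    # arrived on that interface, so a far-side interface IP is never reachable.
    if ingress != target:
        return False, f"arrived on {ingress}, but {dst} belongs to {target}"
    # icmp rules are first-match per interface; with no rule on the ingress
    # interface the firewall accepts ICMP to itself (assumption of this model).
    for action, net, nameif in rules:
        if nameif == ingress and src in net:
            return action == "permit", f"matched 'icmp {action}' on {ingress}"
    return not any(r[2] == ingress for r in rules), "no matching icmp rule"
```

Swapping the HR permit for a narrower mask shows the implicit deny once any rule exists on the ingress interface.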

Marwan ALshawi Sat, 08/02/2008 - 18:58

In addition:

if you try to ping any Cisco firewall interface from another interface, you will not be able to,

but you can ping the clients behind that interface,

so your configuration is fine

and there is nothing to worry about.

Good luck.

Please rate if helpful.

ahmad-sajjad Thu, 08/07/2008 - 14:00

Thanks everyone! I think it was quite helpful.


Regards


Sajjad

Marwan ALshawi Thu, 08/07/2008 - 16:22

You're welcome.

Please rate the helpful post.

Correct Answer
Farrukh Haroon Thu, 08/07/2008 - 23:30

OK, that's great; please rate if helpful.


Regards


Farrukh
