FWSM issue

Answered Question
Aug 30th, 2008

Dear All,

I have a very basic scenario of one 6500 with an FWSM.

I have created 4 VLANs: one inside, outside, dmz1 and dmz2.

The outside interface is connected to the MSFC using an SVI, and the rest of the VLANs are part of the FWSM vlan group, i.e. VLAN 10, 20, 30, 40. I have also tested adding the outside VLAN 101 to the vlan group.

The problem is that I cannot ping from my internal host placed in the inside VLAN to the IP configured on the inside VLAN of the FWSM, i.e. 10.1.10.1. The scenario is attached along with the configuration.

All my VLANs are up but still I cannot ping. What can be the problem?

Marwan ALshawi Sat, 08/30/2008 - 07:49

First of all, there are two important points you need to consider.

First, FWSM is not like ASA, because by default all traffic is denied, even from a higher security level to a lower one, so you need to make an ACL on each interface to let it pass traffic.

For example, on each inside interface you could make an ACL with permit any any to let it pass traffic.

So make sure to put a permit ACL.

Remember, anything not explicitly permitted by an ACL will be denied.

So you need to allow IP and ICMP for ping echo.

If you want the firewall itself to make a ping, you need to permit echo-reply as well.

**By the way, you need to add VLAN 101, assigned to the outside interface and used as an SVI, to the firewall vlan-group.**

Good luck.

Please rate if helpful.

Tahir Ali Sat, 08/30/2008 - 09:53

Thanks Marwan, but the problem is that I can't ping from a host in the inside network to the FW interface VLAN in the same inside network, i.e. 10.1.10.10 can't ping 10.1.10.1 (inside interface IP). We haven't even tried to reach outside.

We have also checked with the ACLs as mentioned previously by you. Is there any other command which can connect the switch MSFC to the firewall, or something like that? Or can you suggest the configuration based on my scenario attached previously?

Marwan ALshawi Sat, 08/30/2008 - 18:30

To ping the inside interface from the inside hosts, do something like this:

"Beginning with FWSM 3.1(1) and ASA 7.0(1), an ICMP inspection engine is available. Rather than explicitly configuring access list rules to permit inbound ICMP traffic, the firewall can selectively (and automatically) permit return traffic based on the original outbound requests."

So make sure that under

policy-map global_policy
 class inspection_default

you have

  inspect icmp
  inspect icmp error

and follow the instructions in the following nice config example:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00808b4d9f.shtml

And let me know.

Good luck.

Tahir Ali Sat, 08/30/2008 - 22:34

Well, I have tried everything you mentioned, the inspect commands, the ACLs, but still I can't ping from my host in the 10.1.10.0 network to the inside interface for this network. I have read many config guides, but nothing is missing in our config, and we are doing a very basic config scenario, but still it's not working. Any new suggestions? By the way, my FWSM is in slot 2 of a 6509, version 3.2, and the SUP is a 720 Advanced IP Services.

Besides this, we can ping the outside too.

Correct Answer
Marwan ALshawi Sat, 08/30/2008 - 22:58

Can you ping 172.16.1.2?

If yes, then don't worry about it too much.

By the way, for your information, in Cisco firewalls you can't ping any interface from another interface; this is in ASA, not sure if in FWSM too.

First try this:

icmp permit any echo inside
icmp permit any echo-reply inside

If that didn't work, try the following ACL and apply it on your inside interface:

access-list allow-in extended permit icmp 10.1.10.0 255.255.255.0 host 10.1.10.1
access-list allow-in extended permit ip any any
access-group allow-in in interface inside

Good luck.

Rate if helpful.

Tahir Ali Sun, 08/31/2008 - 00:50

Yes, the icmp permit any echo inside and echo-reply inside worked. Thanks very much for your support.

shahzad.arif Sat, 08/30/2008 - 08:05

Along with using an ACL with appropriate entries to allow traffic and assigning VLAN 101 to the firewall vlan-group, you can also add "firewall multiple-vlan-interfaces".

Regards
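The pieces from the thread, pulled together into one MSFC-plus-FWSM configuration as an added example (not the poster's attached config and not Cisco's own example). It assumes vlan-group number 1, a single-context routed-mode FWSM, and made-up outside addresses (192.0.2.x); it also narrows the "any" entries from the thread to the 10.1.10.0/24 subnet, which is the defender's version of the same fix. The point it illustrates: a ping aimed at the FWSM's own inside address is to-the-box traffic governed by `icmp permit`, so an interface ACL alone will never make it work.

```cisco
! --- MSFC (Supervisor 720) side: hand the VLANs to the FWSM in slot 2 ---
! VLAN 101 (the outside SVI) is included in the group, as noted above.
! 'multiple-vlan-interfaces' lets the MSFC keep SVIs on more than one FWSM VLAN.
firewall multiple-vlan-interfaces
firewall vlan-group 1 10,20,30,40,101
firewall module 2 vlan-group 1
interface Vlan101
 description outside SVI toward the FWSM (address assumed for this example)
 ip address 192.0.2.1 255.255.255.0
!
! --- FWSM 3.2 side ---
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.1.10.1 255.255.255.0
interface Vlan101
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
! 1. To-the-box ICMP: echo requests addressed to 10.1.10.1 itself are matched
!    here, not by the interface ACL. Limited to the inside subnet instead of 'any'.
icmp permit 10.1.10.0 255.255.255.0 echo inside
icmp permit 10.1.10.0 255.255.255.0 echo-reply inside
!
! 2. Through-the-box traffic: the FWSM denies everything, including high-to-low
!    security-level flows, until an inbound ACL on the interface permits it.
access-list allow-in extended permit ip 10.1.10.0 255.255.255.0 any
access-group allow-in in interface inside
!
! 3. ICMP inspection so echo-replies to host-originated pings return statefully
!    without a separate inbound ACL entry on the outside interface.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global
```

To verify which rule a failing ping hits, `show icmp` (to-the-box) and `show access-list allow-in` hit counts (through-the-box) separate the two cases.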
