10-09-2008 08:31 AM - edited 03-11-2019 06:55 AM
Hello,
I have just installed a pair of FWSM in two different Catalyst 6509 in HA mode.
I left every access-list completely opened for test purposes. The stations connected to any inside interface can communicate with any other inside or outside station.
The problem is that from any station located outside is not possible to ping any FWSM inside interface. Every time a ping fails, the FWSM log is appended with a message like this:
Oct 09 2008 12:26:21: %FWSM-3-305006: portmap translation creation failed for icmp src outside:10.23.212.113 dst Subnet198:10.23.212.254 (type 8, code 0)
Unlike FWSM interfaces, when the outside station pings any inside station, it works.
I think that I have all these items well defined:
- Static routing at both the FWSM and the Catalysts.
- Icmp permit any for every interface.
- The command same-security-traffic permit inter-interface is present.
- Access-lists completely opened and applied to every interface.
The documentation states that the 305006 could be related to some static translations. But I was unable to overcome the problem by modifying the translations repeatedly.
I would be very grateful to anyone that could give any clue about this.
10-09-2008 08:54 AM
I post a sample of the configuration. (Names and ip numbers are different for privacy):
FWSM-SF/FWSM-1023# show run
: Saved
:
FWSM Version 3.2(5)
!
hostname FWSM-1023
enable password xxxxxxxxxxxxxx encrypted
names
!
interface Vlan225
shutdown
nameif Subnet197
security-level 95
ip address 10.23.197.254 255.255.255.0 standby 10.23.197.253
!
interface Vlan405
nameif Subnet201
security-level 95
ip address 10.23.201.254 255.255.255.0 standby 10.23.201.253
!
interface Vlan445
nameif outside
security-level 0
ip address 10.23.212.117 255.255.255.248 standby 10.23.212.116
!
passwd xxxxxxxxxxxxxxx encrypted
same-security-traffic permit inter-interface
access-list Subnet197_in extended permit icmp any any
access-list Subnet197_in extended permit ip any any
access-list Subnet201_in extended permit icmp any any
access-list Subnet201_in extended permit ip any any
access-list outside_in extended permit icmp any any
access-list outside_in extended permit ip any any
no pager
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging history warnings
logging asdm debugging
mtu Subnet197 1500
mtu Subnet201 1500
mtu outside 1500
icmp permit any Subnet197
icmp permit any Subnet201
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
static (Subnet197,outside) 10.23.197.0 10.23.197.0 netmask 255.255.255.0
static (Subnet201,outside) 10.23.201.0 10.23.201.0 netmask 255.255.255.0
access-group Subnet197_in in interface Subnet197
access-group Subnet201_in in interface Subnet201
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.23.212.115 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
snmp-server location
snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect smtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:
: end
10-09-2008 10:32 AM
What you are trying to achieve (to ping the inside interface for an FWSM context from the outside) is not possible by design.
You can use the management-access command and ping the inside interface from the outside only if you are coming across an IPSEC tunnel.
Syed Iftekhar Ahmed
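Added triage helper for the %FWSM-3-305006 message from the first post, written for this thread and not part of any Cisco tool: it reads the interface addresses out of a "show run" excerpt and tells apart the by-design case the answer describes (the destination is one of the FWSM's own interface addresses, reached through the box) from a translation failure toward a real host. The config excerpt and the log lines below are constructed from the addresses in the thread.

```python
import re

# Constructed excerpt in the style of the posted "show run" (not the full config).
SAMPLE_CONFIG = """\
interface Vlan405
 nameif Subnet201
 security-level 95
 ip address 10.23.201.254 255.255.255.0 standby 10.23.201.253
!
interface Vlan445
 nameif outside
 security-level 0
 ip address 10.23.212.117 255.255.255.248 standby 10.23.212.116
!
"""

# Fields of the 305006 message as it appears in the FWSM log.
LOG_RE = re.compile(
    r"%FWSM-3-305006: portmap translation creation failed for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+) dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)"
)


def firewall_addresses(config):
    """Return {address: nameif} for every active and standby interface address."""
    addrs, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            parts = line.split()
            addrs[parts[2]] = nameif  # active address
            if "standby" in parts:  # failover peer address
                addrs[parts[parts.index("standby") + 1]] = nameif
        elif line == "!":  # end of the interface block
            nameif = None
    return addrs


def classify_305006(log_line, fw_addrs):
    """'interface-address' = expected by design (far-side FWSM interface);
    'nat-failure' = translation problem toward a host; None = not a 305006."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    if m.group("dst") in fw_addrs:
        return "interface-address"
    return "nat-failure"
```

Feed real log lines and the live "show run" to these two functions; only the "nat-failure" lines need the static/NAT review the documentation points to.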
10-09-2008 11:09 AM
Thank you for your reply.
I was not aware of the inability to ping from an outside station to any inside FWSM interface, even with the access-lists completely opened.
Kind regards.