Urgent: need help FWSM-3.2(x) icmp (ping) to the remote side interface

Jan 13th, 2009

Hi,


I have the problem that I need to ping the remote side interface in a multiple-context configured FWSM and cannot achieve it. I need this urgently, and help is welcome.


Client 1.1.1.20 - 1.1.1.1 (MSFC) 2.2.2.1 - 2.2.2.2 (FWSM) 3.3.3.1


Ping from 1.1.1.20 to 3.3.3.1:


1.1.1.20 is an RS6000 NIM server, and it tries to ping the FWSM interface 3.3.3.1, which is the default gateway for other RS6000 machines in the secured area.


We use multiple SVI interfaces, and the FWSM has a 2.2.2.2 interface with security level 100 and the 3.3.3.1 interface with security level 0.


I cannot manage to get a ping from the client to the FWSM interface.


I set ICMP inspection and have a permit any icmp on both interfaces.


???


Regards,

Patrick

pweichmann Tue, 01/13/2009 - 13:23

Hi Jon,


Thank you very much. I am looking at the command reference and will try to configure management access on the 3.3.3.1 interface.


Is this behaviour described anywhere? We need this because of the Network Installation Manager for IBM RS machines.



Jon Marshall Tue, 01/13/2009 - 13:25
Patrick


"Is this behaviour described anywhere?"


If you mean the bit about not being able to enter one interface to ping another on the FWSM, it is described under the "Usage" section in the link I sent.


Jon

pweichmann Tue, 01/13/2009 - 14:09

Hi Jon,


I set the management-access fwsm-saptm-vlan, i.e. 3.3.3.1.


No success, still no answer.


No entries in the debug real-time view either, neither for 3.3.3.1 nor the standby 3.3.3.2.


Could something be missing?


I tried to configure telnet and ssh access but could not access 3.3.3.1.


?


Regards,

Patrick


pweichmann Tue, 01/13/2009 - 14:19

Hi Jon,


I just saw that in the usage it says from outside to inside only through IPSEC VPN????


I need the access from sec level 100 to sec level 0, which is the other way around.


What if I switch the sec levels?


<...

The management-access command is supported for the following through an IPSec VPN tunnel only:


• SNMP polls to the management interface
• HTTPS requests to the management interface
• ASDM access to the management interface
• Telnet access to the management interface
• SSH access to the management interface
• Ping to the management interface
• Syslog polls to the management interface


...>

Jon Marshall Tue, 01/13/2009 - 14:30

Patrick


Good spot, I didn't notice the bit about through a VPN.


Do you actually need to ping the FWSM interface, or can you not ping some device in the 3.3.3.x VLAN? What you are trying to do is not really allowed due to security issues.


Jon
