Urgent: need help FWSM-3.2(x) icmp (ping) to the remote side interface

pweichmann
Level 1

Hi,

I have the problem that I need to ping the remote side interface in a multiple-context configured FWSM and cannot achieve it. I need this urgently and help is welcome.

Client 1.1.1.20 - 1.1.1.1 (MSFC) 2.2.2.1 - 2.2.2.2 (FWSM) 3.3.3.1

Ping from 1.1.1.20 to 3.3.3.1:

1.1.1.20 is an RS6000 NIM server and it tries to ping the FWSM interface 3.3.3.1, which is the default gateway for other RS6000 machines in the secured area.

We use multiple SVI interfaces and the FWSM has a 2.2.2.2 interface with security level 100 and the 3.3.3.1 interface with security level 0.

I cannot manage to get a ping from the client to the FWSM interface.

I set ICMP inspection and have a permit any icmp on both interfaces.

???

Regards,

Patrick

6 Replies

Jon Marshall
Hall of Fame

Patrick

Ordinarily you cannot enter the FWSM on one interface to ping another interface. However, you can make the 3.3.3.1 a management interface and then try pinging -

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/m.html#wp1690187

Jon

Hi Jon,

Thank you very much. I am looking at the command reference and will try to configure management access on the 3.3.3.1 interface.

Is this behaviour described anywhere? We need this because of the Network Installation Manager for IBM RS Machines.

Patrick

"Is this behaviour described anywhere?"

If you mean the bit about not being able to enter one interface to ping another on the FWSM, it is described under the "Usage" section in the link I sent.

Jon

Hi Jon,

I set the management-access fwsm-saptm-vlan, i.e. 3.3.3.1.

No success, still no answer.

No entries in the debug real-time view either, neither for 3.3.3.1 nor the standby 3.3.3.2.

Could something be missing?

I tried to configure telnet and ssh access but could not access 3.3.3.1.

?

Regards,

Patrick

Hi Jon,

I just saw that in the usage it says from outside to inside only through IPSEC VPN????

I need the access from sec level 100 to sec level 0, which is the other way around.

What if I switch the sec levels?

<...

The management-access command is supported for the following through an IPSec VPN tunnel only:

• SNMP polls to the management interface
• HTTPS requests to the management interface
• ASDM access to the management interface
• Telnet access to the management interface
• SSH access to the management interface
• Ping to the management interface
• Syslog polls to the management interface

...>

Patrick

Good spot, I didn't notice the bit about through a VPN.

Do you actually need to ping the FWSM interface, or can you not ping some device in the 3.3.3.x VLAN? What you are trying to do is not really allowed due to security issues.

Jon
