6509 FWSM Security Context. Unable to ping the interface IP

Feb 9th, 2009

Hi All,


I have created a VLAN in a 6509 switch and have attached this VLAN as an interface to the FWSM security context. I have configured NAT to access it from other VLANs, and the access-list provides ICMP access from other VLANs.


I am unable to ping the interface IP from any other VLAN interfaces attached to the FWSM.


Please let me know where I am going wrong.



MATTHEW BECK Fri, 02/13/2009 - 11:22

Hi,

Did you add the commands:

icmp permit (source add range) echo (interface name)

icmp permit (source add range) echo-reply (interface name)


to your config? The FWSM will not respond to ping without them. The ACL only applies to traffic going through the interface, not hitting the interface itself.

csaravanan-sym Wed, 02/25/2009 - 15:14

Hi Matthew,


I added these commands and it works.


Thanks a lot for explaining and taking the time to reply to this message.

Giuseppe Larosa Sat, 02/14/2009 - 04:23

Hello Chandhrasekar,

In addition to what Matthew has already noted:


>> I am unable to ping the interface IP from any other vlan interfaces attached to FWSM.


It is common for a firewall to block ICMP between its own interfaces (they have different security levels, so this is the expected behavior), and this is one of the first basic differences from a router.


So this is not necessarily a sign of a problem.

Test the configuration with user traffic.


Hope to help

Giuseppe



csaravanan-sym Wed, 02/18/2009 - 09:50

Hi All,


Thanks for the reply. It is not a critical item, but I wanted to know why I was unable to ping the interface but was able to ping the hosts connected to it.


Thanks,

MATTHEW BECK Thu, 02/26/2009 - 07:25

Hello again,


The default behavior of the FWSM is to NOT respond to ICMP requests directed at an IP address of the FWSM itself. ICMP traffic through the FWSM to a host on a protected subnet is permitted if you say so via ACL. I guess it was one of those "secure in deployment" decisions. I found it in the command reference for my version of the FWSM under the command "icmp". Or here: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/command/reference/i1.html


Matt
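
The two `icmp permit` lines Matthew gives in his first reply, and the "secure in deployment" default he describes in his second, come together in the configuration fragment below. It is an added example written for this thread, not configuration posted by any participant, and it is not taken from the Cisco command reference linked above. The interface names `vlan100` and `vlan200` and the addresses `10.10.100.0/24` and `10.10.200.5` are constructed placeholders; in multiple-context mode the lines belong in the configuration of the security context that owns the interface, not in the system execution space (an assumption about how the original poster's context is laid out).

```cisco
! Added example, not from the thread: ICMP control list for interfaces of an
! FWSM security context. Interface names and addresses are constructed.
! The list is evaluated top down; the first matching entry decides.
!
! Weak form (shown only for contrast, do not use): answers every ICMP type
! from any source on the interface.
!   icmp permit any vlan100
!
! Scoped form: answer echo requests to the vlan100 interface only from the
! management subnet, and accept the echo replies to pings the context itself
! sends out of that interface (Matthew's second line).
icmp permit 10.10.100.0 255.255.255.0 echo vlan100
icmp permit 10.10.100.0 255.255.255.0 echo-reply vlan100
!
! One admin host on another VLAN interface gets the same two message types.
icmp permit host 10.10.200.5 echo vlan200
icmp permit host 10.10.200.5 echo-reply vlan200
!
! Anything else addressed to these interfaces is dropped. Note this list only
! governs ICMP terminating on the FWSM; ICMP passing through to hosts behind
! the interface is still controlled by the interface access-list.
icmp deny any vlan100
icmp deny any vlan200
```

The entries are meant to be read per interface: a ping from `10.10.200.5` to the `vlan200` address is answered, a ping from the same host to the `vlan100` address is not, because only `10.10.100.0/24` is permitted there and the `deny any` closes the list. To see which rule a test packet hits, `debug icmp trace` prints each ICMP packet the FWSM processes; `show running-config icmp` (assumed available on the poster's release, as it is on the same CLI family) lists the entries in the order they are evaluated.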
