Can't ping FWSM with Basic Configuration

Answered Question
Jun 1st, 2009
Hi,


We just installed our new FWSM and attempted to upgrade ASDM. From the 6500, we can session into the FWSM but we CAN'T ping to it. Can anyone point out our configuration mistakes?


6500 running 12.2(33)SXH4:

interface vlan 400
 ip address 10.4.4.3 255.255.255.248
 no shutdown

FWSM:

hostname FWSM
names
!
interface Vlan400
 nameif inside
 security-level 0
 ip address 10.4.4.1 255.255.255.248
!
ftp mode passive
access-list inside extended permit ip any any
pager lines 24
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
nat-control
access-group inside in interface inside
access-group inside out interface inside
route inside 0.0.0.0 0.0.0.0 10.4.4.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7c5bd4abd770cb0bb0014b584ec0c913

Thanks.

Correct Answer
plumbis Mon, 06/01/2009 - 21:29

Looks like you need the "icmp permit any inside". You also need to make sure you are passing the vlans to the FWSM from the switch. You can do this with the command "firewall vlan-group 1 vlan 400" and "firewall module group 1".


Leo Laohoo Mon, 06/01/2009 - 21:39

Hi Pete,

Thanks for the quick response. I forgot to include the following lines in my initial post:

firewall module 9 vlan-group 1,

firewall vlan-group 1 400

Leo Laohoo Mon, 06/01/2009 - 21:52

Thanks Pete. Problem rectified. +5 from me.
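
The two checks from the accepted answer, written as a small offline config audit. This is an added example, not part of the original thread or any Cisco tool: the function names are hypothetical, the sample configs are constructed from the lines quoted above, and the command forms parsed are the ones shown in the posts (`firewall vlan-group 1 400`, `firewall module 9 vlan-group 1`, `icmp permit any inside`).

```python
import re

# Constructed sample inputs, assembled from the configuration lines quoted in the thread.
SWITCH_CFG = """\
firewall module 9 vlan-group 1
firewall vlan-group 1 400
interface vlan 400
 ip address 10.4.4.3 255.255.255.248
"""
FWSM_CFG = """\
interface Vlan400
 nameif inside
 security-level 0
 ip address 10.4.4.1 255.255.255.248
access-list inside extended permit ip any any
access-group inside in interface inside
"""

def expand(spec):
    """Expand a list such as '400,410-412' into a set of integers."""
    out = set()
    for part in filter(None, spec.split(",")):   # tolerates a trailing comma
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def vlans_passed_to_module(switch_cfg):
    """VLANs in a vlan-group that is also assigned to a firewall module."""
    groups, assigned = {}, set()
    for line in switch_cfg.splitlines():
        if m := re.match(r"\s*firewall vlan-group (\d+) ([\d,-]+)", line):
            groups.setdefault(int(m[1]), set()).update(expand(m[2]))
        elif m := re.match(r"\s*firewall module \d+ vlan-group ([\d,-]+)", line):
            assigned |= expand(m[1])
    return set().union(*(v for g, v in groups.items() if g in assigned))

def audit(switch_cfg, fwsm_cfg):
    """Findings for each named FWSM interface that fails one of the two checks."""
    findings, passed, vlan = [], vlans_passed_to_module(switch_cfg), None
    # The interface name is the last word of an 'icmp permit' line; the source
    # address in the rule is not evaluated here.
    icmp_ifs = {l.split()[-1] for l in fwsm_cfg.splitlines()
                if l.startswith("icmp permit ")}
    for line in fwsm_cfg.splitlines():
        if m := re.match(r"interface Vlan(\d+)", line, re.I):
            vlan = int(m[1])
        elif (m := re.match(r"\s*nameif (\S+)", line)) and vlan is not None:
            if vlan not in passed:
                findings.append(f"{m[1]}: VLAN {vlan} is not passed to the FWSM")
            if m[1] not in icmp_ifs:
                findings.append(f"{m[1]}: no 'icmp permit' rule for this interface")
    return findings
```

Run against the configuration as posted, `audit(SWITCH_CFG, FWSM_CFG)` reports only the missing `icmp permit` rule; the `access-list inside extended permit ip any any` line does not satisfy that check because the audit looks only for `icmp permit` lines.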
