FWSM: Permitting Traffic

Jul 30th, 2009

Current lab is set up with 3 VLANs (109, 199, 200) protected behind the FWSM.


Q1. PC 10.27.2.12 (VLAN 200) cannot ping 10.26.6.1 (VLAN 109) and 10.27.0.1 (VLAN 199) on the FWSM. Is this possible?


Q2. PC 10.27.2.12 (VLAN 200) cannot access the FWSM using the ASDM software. Is this possible?


Please advise,


Regards,

C



JORGE RODRIGUEZ Thu, 07/30/2009 - 10:29

Colm, I have not played with the FWSM, but it does have some similarities with ASAs, so I'll give this one a shot.


Starting with the easy one.

Q2. PC 10.27.2.12 (VLAN 200) cannot access the FWSM using the ASDM software. Is this possible?


Allow admin access for that host on the FWSM so it can reach ASDM:

http://www.cisco.com/en/US/partner/docs/security/fwsm/fwsm40/configuration/guide/mgacc_f.html#wp1047288


i.e.


fwsm(config)# http 10.27.2.12 255.255.255.255 cm-servers



Q1. PC 10.27.2.12 (VLAN 200) cannot ping 10.26.6.1 (VLAN 109) and 10.27.0.1 (VLAN 199) on the FWSM. Is this possible?


The VLAN 109 wireless interface and the VLAN 200 cm-servers interface have the same security level of 100; to enable communication between the two you need same-security traffic intra-interface.


same-security-traffic permit inter-interface


http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/intfce_f.html#wp1059402


Regards



colmgrier Fri, 07/31/2009 - 05:15

Thanks Jorge for the reply.


Q1. PC 10.27.2.12 (VLAN 200) cannot ping 10.26.6.1 (VLAN 109) and 10.27.0.1 (VLAN 199) on the FWSM. Is this possible?


I already had this command applied to the FWSM. For the inside VLANs I can ping hosts on all the inside VLANs, but I cannot ping the default gateways of the other inside VLANs. Is this allowed on the FWSM?


same-security-traffic permit inter-interface




JORGE RODRIGUEZ Fri, 07/31/2009 - 09:05

As far as I know, a host from one VLAN whose L3 interface resides in the firewall cannot ping the default gateway of another VLAN on the same firewall the way you would on a non-firewall router. This is the way it is on PIX/ASA, and I would expect the same behaviour/restriction on the FWSM.


If I am mistaken about the FWSM, perhaps someone could correct me.


Regards
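As an added example (not code from this thread or from Cisco), the three points raised above written as a small Python audit over a constructed FWSM running-config excerpt: whether "http server enable" plus a matching "http <addr> <mask> <nameif>" entry permits ASDM from the host, whether two equal-level interfaces may exchange traffic, and whether a ping to a firewall address targets the host's own interface rather than a far interface. The sample config and the function names (interfaces, asdm_access_allowed, equal_level_traffic_allowed, can_ping_firewall_ip) are assumptions of this example.

```python
import ipaddress
import re
# Constructed FWSM config excerpt (not from the thread): wireless (VLAN 109) and cm-servers (VLAN 200) at level 100.
SAMPLE_CONFIG = """\
interface Vlan109
 nameif wireless
 security-level 100
 ip address 10.26.6.1 255.255.255.0
interface Vlan200
 nameif cm-servers
 security-level 100
 ip address 10.27.2.1 255.255.255.0
same-security-traffic permit inter-interface
http server enable
http 10.27.2.12 255.255.255.255 cm-servers
"""

def interfaces(config):
    """Map nameif -> {'level': int, 'ip': IPv4Address} parsed from the interface blocks."""
    result, cur = {}, None
    for t in (line.split() for line in config.splitlines()):
        if t[:1] == ["interface"]:
            cur = None
        elif t[:1] == ["nameif"]:
            cur = result.setdefault(t[1], {})
        elif cur is not None and t[:1] == ["security-level"]:
            cur["level"] = int(t[1])
        elif cur is not None and t[:2] == ["ip", "address"]:
            cur["ip"] = ipaddress.ip_address(t[2])
    return result

def asdm_access_allowed(config, host, iface):
    """ASDM needs 'http server enable' plus an 'http <addr> <mask> <nameif>' entry on the arriving interface that covers the host."""
    enabled = re.search(r"^http server enable$", config, re.M) is not None
    for m in re.finditer(r"^http (\S+) (\S+) (\S+)$", config, re.M):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        if enabled and m.group(3) == iface and ipaddress.ip_address(host) in net:
            return True
    return False

def equal_level_traffic_allowed(config, a, b):
    """Same-level interfaces exchange traffic only with 'same-security-traffic permit inter-interface'."""
    ifs = interfaces(config)
    if ifs[a]["level"] != ifs[b]["level"]:
        raise ValueError("levels differ; the usual higher-to-lower rules apply instead")
    return re.search(r"^same-security-traffic permit inter-interface$", config, re.M) is not None

def can_ping_firewall_ip(config, src_iface, target):
    """A host reaches only the firewall address on its own interface; far-interface addresses do not answer."""
    return interfaces(config)[src_iface]["ip"] == ipaddress.ip_address(target)
```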
