FWSM intervlan communication failing.

Unanswered Question
Aug 16th, 2009

Hi ,


I have set up an FWSM in my lab, configured a security context named "test", and configured 3 VLAN interfaces on it. I have disabled NAT between these interfaces. Below is the setup.


inside   - 10.1.3.1 / 255.255.255.0
inside-2 - 10.1.4.1 / 255.255.255.0
outside  - 8.19.65.1 / 255.255.255.252

From the inside interface I am unable to ping the inside-2 interface IP, and vice versa. Can somebody please advise?

Both are directly connected interfaces.

vikram_anumukonda Sun, 08/16/2009 - 18:20
User Badges:
  • Bronze, 100 points or more

By default an FWSM does not allow traffic between interfaces without an access-list applied, unlike an ASA/PIX.

Kevin Redmon Sun, 08/16/2009 - 18:29
User Badges:
  • Cisco Employee

Arjun,


Can you please provide the output of 'show nameif' and 'show ip addr'? If you are referring to pinging the actual IP address of the "far-side" interface, this is NOT supported on any Cisco Firewall, unlike Cisco routers.


If you are pinging hosts off of the interface (not the interface itself), the output of 'show nameif' as above will provide insight. If the two interfaces are at the same security level, it may also require 'same-security-traffic permit inter-interface'.


Hope this helps. If you still need assistance, please provide the output requested above.

arjun_ankathil Sun, 08/16/2009 - 20:38

Please find the outputs below. 'permit inter-interface' was already added.


FWSM/test# sh nameif
Interface   Name       Security
Vlan100     outside    0
Vlan101     inside     100
Vlan112     inside-2   100

FWSM/test# sh run | in permit inter
same-security-traffic permit inter-interface

FWSM/test# sh int ip br
Interface   IP-Address   OK?   Method   Status   Protocol
Vlan100     8.19.65.1    YES   CONFIG   up       up
Vlan101     10.1.3.1     YES   CONFIG   up       up
Vlan112     10.1.4.1     YES   CONFIG   up       up


10.1.4.2 is another switch connected to the FWSM on VLAN 112. Below is the ping response.


FWSM/test# ping 10.1.4.2
Sending 5, 100-byte ICMP Echos to 10.1.4.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

FWSM/test# ping inside 10.1.4.2
Sending 5, 100-byte ICMP Echos to 10.1.4.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)


Below is the log I get when I ping 10.1.4.2 using the inside interface. It says no route; however, these are directly connected routers.


Aug 17 2009 04:30:30: %FWSM-5-111008: User 'enable_15' executed the 'ping 10.1.4.2' command.
Aug 17 2009 04:30:41: %FWSM-6-110001: No route to 10.1.4.2 from 10.1.3.1
Aug 17 2009 04:30:51: %FWSM-5-111008: User 'enable_15' executed the 'ping inside 10.1.4.2' command.


vikram_anumukonda Tue, 08/18/2009 - 01:25
User Badges:
  • Bronze, 100 points or more

That's definitely not a routing issue. Why would you send the ICMP traffic to 10.1.4.2 out of the inside interface when it's directly connected to inside-2?


Please refer to this link: http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/command/reference/p.html#wp1628969


the " ping inside 10.1.4.2 " tells the FWSM to reach 10.1.4.2 via inside interface.


HTH

Kevin Redmon Thu, 08/20/2009 - 13:15
User Badges:
  • Cisco Employee

As Vikram stated, the 'ping inside' command means send the ping out the inside interface. The FWSM maintains a route table on a per-interface basis. For a 'ping inside' command, we'll reference the route table for the 'inside' interface.


These route tables also come into play when a bad translation is formed through the FWSM. The route table for the egress interface will be referenced when processing the packet.
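A small model of the per-interface route lookup described above, together with Vikram's earlier point about ACLs and same-security traffic, added here as an example; it is not code from this thread or from Cisco. The addresses are the ones posted in the thread; the assumption that each interface's table holds only its own connected subnet plus static routes bound to that nameif is a simplification, not the FWSM's real implementation.

```python
import ipaddress

# Constructed from the posted 'show nameif' / 'show int ip br' output plus the masks in the first post.
FWSM_INTERFACES = {
    "Vlan100": {"nameif": "outside",  "security": 0,   "addr": "8.19.65.1/30"},
    "Vlan101": {"nameif": "inside",   "security": 100, "addr": "10.1.3.1/24"},
    "Vlan112": {"nameif": "inside-2", "security": 100, "addr": "10.1.4.1/24"},
}

def per_interface_routes(interfaces, static_routes=()):
    """Build one table per nameif. Simplified model (an assumption, not the FWSM's
    real implementation): a table holds only the interface's own connected subnet
    plus static routes bound to that nameif, given as (nameif, prefix, gateway)."""
    tables = {}
    for cfg in interfaces.values():
        tables[cfg["nameif"]] = [(ipaddress.ip_interface(cfg["addr"]).network, "connected")]
    for nameif, prefix, gateway in static_routes:
        tables[nameif].append((ipaddress.ip_network(prefix), gateway))
    return tables

def lookup(tables, nameif, dst):
    """Longest-prefix match in a single interface's table. Returns (network, next_hop)
    or None; None is the situation behind '%FWSM-6-110001: No route to 10.1.4.2
    from 10.1.3.1' when 'ping inside 10.1.4.2' is forced out the inside interface."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in tables[nameif] if dst in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def egress_interface(tables, dst):
    """Plain 'ping <dst>' with no interface name: pick the interface whose table
    holds the longest matching prefix (inside-2 for 10.1.4.2 in this lab)."""
    hits = [(n, lookup(tables, n, dst)) for n in tables]
    hits = [(n, r) for n, r in hits if r]
    return max(hits, key=lambda h: h[1][0].prefixlen)[0] if hits else None

def inter_interface_check(interfaces, src_if, dst_if, permit_same_security, acl_applied):
    """Why host-to-host traffic between two nameifs can still fail once routing is right:
    equal security levels need 'same-security-traffic permit inter-interface', and the
    FWSM (unlike PIX/ASA) forwards nothing without an access-list on the ingress interface."""
    levels = {c["nameif"]: c["security"] for c in interfaces.values()}
    if levels[src_if] == levels[dst_if] and not permit_same_security:
        return "denied: same security level without permit inter-interface"
    if not acl_applied:
        return "denied: no access-list applied on ingress interface"
    return "permitted"
```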

arjun_ankathil Thu, 08/20/2009 - 20:04

Thanks guys for the clarity on the command; I mistook this command for the Cisco source-interface option.


However, I have been facing problems pinging between the servers connected to the inside and inside-2 interfaces, as mentioned in the 1st post of this netflow discussion.
