FWSM context

Unanswered Question
Nov 20th, 2009

Hi NetGurus,

I have configured 2 contexts called backend and frontend. I have given a default route on both the contexts to reach the SVI on the 6509 switch. I am only able to reach the SVI IP from both contexts and vice versa. But I am unable to ping any other VLANs created on both the contexts from the MSFC (the SVI). I have configured only one SVI on the switch and used that as the outside VLAN on both the contexts. I have also enabled the ICMP permit command as well. What am I missing? Thanks in advance for all.

Regards

MFM

Jon Marshall Sat, 11/21/2009 - 03:41

MFM

Couple of things

1) When you say you cannot ping any other VLANs - do you mean the VLAN interface on the FWSM or hosts on that VLAN protected by the FWSM? If you mean the interface then you can't, because this is a security feature of the FWSM.

2) If you mean hosts then you need to check 2 things:

i) Have you allowed the traffic through with an ACL? Be aware that with the FWSM you do not just need an ACL for lower to higher security interface (which is standard for all Cisco firewalls) but you also need an ACL for higher to lower as well. Alternatively you can enable ICMP inspection on the FWSM.

ii) Do you have routes on the MSFC telling it how to get to the VLANs protected by the FWSM?

Jon
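
The checks in the reply above, sketched as configuration. This is an added example, not part of the original thread or the poster's actual config: every address, ACL name and interface name (`inside`, `outside`) is a constructed assumption, with 10.0.0.0/24 standing in for the shared SVI VLAN and 10.1.20.0/24 for a VLAN behind the frontend context.

```cisco
! Constructed example: addresses, ACL names and nameifs are assumptions.
!
! ---- FWSM, from the system execution space ----
changeto context frontend
!
! Lower -> higher security (outside to inside):
! allow echo requests from the MSFC side to the protected hosts.
access-list OUTSIDE_IN extended permit icmp 10.0.0.0 255.255.255.0 10.1.20.0 255.255.255.0 echo
access-group OUTSIDE_IN in interface outside
!
! Higher -> lower security (inside to outside):
! the FWSM needs an ACL in this direction as well.
! First entry lets replies to the MSFC's pings back out,
! second lets protected hosts ping the MSFC side themselves.
access-list INSIDE_IN extended permit icmp 10.1.20.0 255.255.255.0 10.0.0.0 255.255.255.0 echo-reply
access-list INSIDE_IN extended permit icmp 10.1.20.0 255.255.255.0 10.0.0.0 255.255.255.0 echo
access-group INSIDE_IN in interface inside
!
! Alternative mentioned in the reply: ICMP inspection, so that
! replies are matched to the request instead of needing an ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verify that the ACL entries are being hit.
show access-list
!
! ---- MSFC (6509 supervisor) ----
! Route for the protected VLAN, pointing at the context's
! outside interface address (10.0.0.2 is assumed here).
ip route 10.1.20.0 255.255.255.0 10.0.0.2
!
! Verify that the MSFC knows how to reach the protected VLAN.
show ip route 10.1.20.0
```

Scoping the ICMP entries to the two subnets and to echo/echo-reply keeps the test rule from becoming a blanket `permit icmp any any` that stays in place after troubleshooting.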
