Basic ACL to test FWSM connectivity

Jan 21st, 2010

Hi All, we have a few problems related to FWSM integration in a 6513 cluster (VSS). All IOS versions are up to date.

We suspect the default configuration running in the FWSM doesn't permit communication with anything, so we are unable to check connectivity with the VRF and the global router.

What I want to be sure about is the access list in the context. I created an access list named PermitAll and applied it on both interfaces. The permit-all access list is permit ip any any.

So here is a sample of the setup:

On the 6500:

vlan 192

vlan 196

int vlan192 ip /24

int vlan196 vrf forwarding TEST

int vlan 196 ip /24

firewall vlan-group 1 192-196

firewall sw 1 slot 6 vlan-group 1

Both interfaces are up after being assigned to the FWSM.


In the FW:

system: int vlan 192 and 196 are visible and no shut (UP)

both interfaces are allocated to context admin

in context admin:

int vlan 192: IP is /24 with security level 100

int vlan 196: IP is /24 with security level 50

telnet and ssh

both interfaces are up


At this point, if we are in the context admin, we are unable to ping the SVI on vlan 192 (but of course we ping the local interface successfully).

Same problem on int 196.

We put access-list permit ip any any in on both interfaces, but this does not resolve it.

When on the MSFC, we ping local but we don't ping the FWSM int 192 on the same vlan. Strangely, the sh arp command shows the IP of the FWSM in the router, and the same command shows the SVI IP in the FWSM. Also, we are unable to telnet from 10.65.192.x to the FWSM.

Do we need something else to permit these elementary things? We don't set up any nat command at this point.

We also suspect a communication problem between the FWSM module and the switch, but if that were the case, I don't think we would see the other module's MAC address in the ARP table.

Any tips would be appreciated.

Kureli Sankar Thu, 01/21/2010 - 19:29

You need

icmp permit any

for both interfaces. Otherwise you cannot ping the FWSM interface.
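As an added example (not configuration from the thread), here is the minimal FWSM context configuration the answer implies, showing why the permit-all ACL alone was not enough: the access-group governs transit traffic, while ICMP and management sessions addressed to the FWSM's own interfaces are gated by separate commands. The nameif values (inside/outside) and the addresses 10.65.192.1 and 10.65.196.1 are assumed placeholders.

```text
! Added example; interface names and IP addresses are assumed placeholders.
interface Vlan192
 nameif inside
 security-level 100
 ip address 10.65.192.1 255.255.255.0
!
interface Vlan196
 nameif outside
 security-level 50
 ip address 10.65.196.1 255.255.255.0
!
! Transit traffic THROUGH the FWSM is what the access-group controls.
access-list PermitAll extended permit ip any any
access-group PermitAll in interface inside
access-group PermitAll in interface outside
!
! ICMP addressed TO the FWSM's own interfaces is not matched by the
! access-group; it is allowed per interface with "icmp permit", which is
! why pings to the FWSM failed even with permit ip any any applied.
icmp permit any inside
icmp permit any outside
!
! Management sessions (telnet/ssh) to the FWSM are likewise permitted per
! source network and interface, independently of the ACL; the telnet
! failure from 10.65.192.x needs that network listed here (assumed mask).
telnet 10.65.192.0 255.255.255.0 inside
ssh 10.65.192.0 255.255.255.0 inside
```

After applying this, "show icmp" and "show telnet" on the FWSM context confirm which sources each interface accepts, and a ping from the SVI to the FWSM interface on the same VLAN should succeed without any NAT statement.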
