FWSM connect interface

Jun 8th, 2010

Hi!

I have an FWSM with this config:


!

interface Vlan35
nameif vlan35
security-level 100
ip address 10.10.35.1 255.255.255.0 standby 10.10.35.2
!
interface Vlan37
nameif vlan37
security-level 5
ip address 10.10.37.1 255.255.255.0 standby 10.10.37.2

!

...

!

ssh 10.10.35.0 255.255.255.0 vlan35
ssh 10.10.35.0 255.255.255.0 vlan37

!



Somebody tell me please, why can I connect to the FWSM from vlan35 to 10.10.35.1 but cannot connect to IP address 10.10.37.1 (from vlan35)?

Jon Marshall Tue, 06/08/2010 - 10:23
mokhovikov wrote:


Hi!

I have an FWSM with this config:


!

interface Vlan35
nameif vlan35
security-level 100
ip address 10.10.35.1 255.255.255.0 standby 10.10.35.2
!
interface Vlan37
nameif vlan37
security-level 5
ip address 10.10.37.1 255.255.255.0 standby 10.10.37.2

!

...

!

ssh 10.10.35.0 255.255.255.0 vlan35
ssh 10.10.35.0 255.255.255.0 vlan37

!



Somebody tell me please, why can I connect to the FWSM from vlan35 to 10.10.35.1 but cannot connect to IP address 10.10.37.1 (from vlan35)?

By default you can't connect to an interface through the FWSM. So if you want to ssh to int vlan 37 you would need to be on vlan 37 or on a device that is reachable via vlan 37.


You could use the "management-access" command and apply it to vlan 37 and this should allow you to connect from vlan 35 -


FWSM management access


Jon

mokhovikov Tue, 06/08/2010 - 13:07

Jon, thank you for the reply. I've read about this command. Is it correct only for a VPN connection or not?


"The management-access command is supported for the following through an IPSec VPN tunnel only"

Federico Coto F... Tue, 06/08/2010 - 13:10

Hi,


On the ASA firewall, the management-access inside command is only for when terminating a VPN connection on the device.

I guess it is the same for the FWSM.


Federico.

Jon Marshall Tue, 06/08/2010 - 13:18

mokhovikov wrote:


Jon, thank you for the reply. I've read about this command. Is it correct only for a VPN connection or not?


"The management-access command is supported for the following through an IPSec VPN tunnel only"


Yes, it is only for connectivity via an IPSEC VPN. If you aren't using an IPSEC VPN then you cannot connect to an interface across the FWSM, so to connect to the vlan 37 interface with ssh you would need to connect from a vlan 37 device or a device reachable via the vlan 37 interface.


Jon
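
The behaviour described in this thread can be checked against a config offline. The following is an added example, not part of any post above: a small Python audit that models the rule "management only on the interface the client arrives on" and flags ssh lines that can never match. The client address 10.10.35.50, the function names, and the assumption that a client in a directly connected subnet always enters on that interface are illustrative; the IPsec management-access case is not modelled.

```python
import ipaddress

# Constructed sample: interface and ssh lines from the question (trimmed).
CONFIG = """\
interface Vlan35
nameif vlan35
ip address 10.10.35.1 255.255.255.0 standby 10.10.35.2
!
interface Vlan37
nameif vlan37
ip address 10.10.37.1 255.255.255.0 standby 10.10.37.2
!
ssh 10.10.35.0 255.255.255.0 vlan35
ssh 10.10.35.0 255.255.255.0 vlan37
"""

def parse(config):
    """Return ({nameif: ip_interface}, [(allowed source network, nameif)])."""
    ifaces, rules, name = {}, [], None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["interface"]:
            name = None
        elif tok[:1] == ["nameif"] and len(tok) == 2:
            name = tok[1]
        elif tok[:2] == ["ip", "address"] and name and len(tok) >= 4:
            ifaces[name] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif tok[:1] == ["ssh"] and len(tok) == 4:
            rules.append((ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False), tok[3]))
    return ifaces, rules

def ssh_reachable(config, client, target):
    """True if client may SSH to the interface address target."""
    ifaces, rules = parse(config)
    client, target = ipaddress.ip_address(client), ipaddress.ip_address(target)
    # Assumption: a client in a directly connected subnet enters on that interface.
    ingress = next((n for n, i in ifaces.items() if client in i.network), None)
    if ingress is None or ifaces[ingress].ip != target:
        return False  # far-side interface: no management "through" the module
    return any(client in net and nameif == ingress for net, nameif in rules)

def dead_ssh_rules(config):
    """ssh rules bound to an interface their source subnet never arrives on."""
    ifaces, rules = parse(config)
    return [(str(net), nameif, other)
            for net, nameif in rules
            for other, i in ifaces.items()
            if other != nameif and net.subnet_of(i.network)]
```

Each tuple from `dead_ssh_rules` reads (source network, interface the rule is bound to, interface the source is actually connected to); here it flags the second ssh line from the question.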
