FWSM and Asymmetric routing

Hello, I need your help with a problem I have been experiencing for a couple of days.

We got a client with a WiMAX solution. They had a firewall from another vendor and needed to upgrade to a more robust platform, so they went with a Cisco 6506-E with a FWSM.

They are using traffic redirection for inside networks: the WiMAX packet service gateway is not routing internet traffic (public to public IP addresses). Instead, public IP addresses assigned to clients are forwarded to the WiMAX packet service gateway and then the traffic flow is redirected to the outside of the FWSM for firewall inspection. See the attached diagram.

I already fixed TCP traffic between those networks using the TCP state bypass feature. Everything works well except ICMP, which has been a total nightmare.

I have a permit any any on the inside and a permit any to the public networks on the inside, plus the inspect ICMP. With this configuration ICMP is treated as stateful.

When I remove the ICMP inspection, ICMP traffic from inside to outside stops working and the redirected ICMP traffic works OK.

Now I tried a solution I read in the Cisco Press book "Cisco Firewalls", but it didn't work:

object-group network REDIRECTED_NETWORKS
 network-object 192.168.1.0 255.255.255.0
 network-object 172.16.0.0 255.255.255.0
!
access-list ICMP extended deny icmp object-group REDIRECTED_NETWORKS object-group REDIRECTED_NETWORKS
access-list ICMP extended permit icmp any any
!
class-map inspection_icmp
 match access-list ICMP
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
 class inspection_icmp
  inspect icmp
!
service-policy global_policy global

Is there any way I could make ICMP work in this scenario?

FWSM Firewall Version 4.1(15)

Thanks a lot,

Jose.
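
For readers following the TCP side of this thread, here is how the TCP state bypass the poster mentions is normally scoped to just the asymmetrically routed networks. This is an added example, not the poster's configuration; it assumes the FWSM accepts the same `set connection advanced-options tcp-state-bypass` class action as the ASA and reuses the poster's REDIRECTED_NETWORKS object-group.

```cisco
! Added example, not the poster's own config.
! Scope state bypass narrowly: only flows with both ends in the
! redirected networks lose stateful TCP checks; everything else
! stays fully inspected by inspection_default.
object-group network REDIRECTED_NETWORKS
 network-object 192.168.1.0 255.255.255.0
 network-object 172.16.0.0 255.255.255.0
!
access-list TCP_BYPASS extended permit tcp object-group REDIRECTED_NETWORKS object-group REDIRECTED_NETWORKS
!
class-map TCP_BYPASS_CLASS
 match access-list TCP_BYPASS
!
policy-map global_policy
 class TCP_BYPASS_CLASS
  set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
!
! Confirm the class is attached and counting hits (assumed command output format)
show service-policy global
```

Because bypassed flows skip the TCP state machine, the matching ACL should never be widened to `any any`; the same narrow object-group scoping applies to the ICMP exclusion shown above.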
