
FWSM ICMP Issue

John Apricena
Level 1

Hello All,

I am currently having a ping issue with my FWSM and was wondering if anyone could provide some insight. I have a 6500 along with an FWSM running in transparent mode. This is a test environment, so I can make changes at any time. Below is the show run for the FWSM. I can ping the SVI interface along with the HSRP interface from the FWSM, and vice versa. However, I cannot ping any outside addresses from the FWSM, and the FWSM produces no log output when I try to do so. I also cannot ping from the 6500 or the FWSM to the test host. The test host has full internet connectivity and can ping both the 6500 and the FWSM; however, from the 6500 or the FWSM I cannot ping the host. I get the following error in the ASDM when I try to ping from the 6500 to the host. 192.168.0.2 is the SVI and 192.168.0.10 is the host. Thanks in advance for all the advice.

Deny inbound icmp src outside:192.168.0.2 dst inside:192.168.0.10 (type 8, code 0)

NYSPAL03FW02/MGMT# show run
: Saved
:
FWSM Version 4.0(14) <context>
!
firewall transparent
hostname
names
dns-guard
!
interface Vlan10
 nameif outside
 bridge-group 1
 security-level 0
!
interface Vlan210
 nameif inside
 bridge-group 1
 security-level 100
!
interface BVI1
 ip address 192.168.0.4 255.255.255.0
!
access-list INSIDE_IN extended permit ip any any
access-list INSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit icmp any any echo
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) x.x.x.x 192.168.0.10 netmask 255.255.255.255
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect sunrpc
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
Cryptochecksum:d16f9498d431d0e810347e787749baaf
: end
NYSPAL03FW02/MGMT#

1 Reply

John Apricena
Level 1

I've noticed that I am able to ping the NATted IP of this host from the 6500. So, it seems as if the FWSM is seeing pings from the 6500 as outside traffic, so I will change the source these packets come from and give a reply back. However, I still cannot ping outside from the FWSM.
