03-13-2012 12:25 PM - edited 03-11-2019 03:41 PM
Hello All,
I am currently having a ping issue with my FWSM and was wondering if anyone could provide some insight. So, I have a 6500 along with an FWSM running in transparent mode. This is a test environment, so I can make changes at any time. Below is the show run for the FWSM. I can ping the SVI interface along with the HSRP interface from the FWSM, and vice versa. However, I cannot ping any outside addresses from the FWSM, and the FWSM produces no log output when I try to do so. I also cannot ping from the 6500 or the FWSM to the test host. The test host has full internet connectivity and can ping both the 6500 and the FWSM; however, from the 6500 or the FWSM I cannot ping the host. I get the following error in the ASDM when I try to ping from the 6500 to the host. 192.168.0.2 is the SVI and 192.168.0.10 is the host. Thanks in advance for all the advice.
Deny inbound icmp src outside:192.168.0.2 dst inside:192.168.0.10 (type 8, code 0)
NYSPAL03FW02/MGMT# show run
: Saved
:
FWSM Version 4.0(14) <context>
!
firewall transparent
hostname
names
dns-guard
!
interface Vlan10
 nameif outside
 bridge-group 1
 security-level 0
!
interface Vlan210
 nameif inside
 bridge-group 1
 security-level 100
!
interface BVI1
 ip address 192.168.0.4 255.255.255.0
!
access-list INSIDE_IN extended permit ip any any
access-list INSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit icmp any any echo
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) x.x.x.x 192.168.0.10 netmask 255.255.255.255
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect sunrpc
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
Cryptochecksum:d16f9498d431d0e810347e787749baaf
: end
NYSPAL03FW02/MGMT#
03-13-2012 12:54 PM
I've noticed that I am able to ping the NATed IP of this host from the 6500. So, it seems as if the FWSM is seeing pings from the 6500 as outside traffic, so I will change the source these packets come from and give a reply back. However, I still cannot ping outside from the FWSM.