Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

FWSM Inter-VLAN Issue

Hello All,

I've looked through this site on multiple occasions and there has already been topics or questions that helped resolve mine however this one that I'm having doesn't appear to be anywhere. I'm having a problem with our 6500 and our FWSM. The problem I'm having is inter-vlan communication. So, We have our FWSM running multiple contexts for clients, and I have an admin Context in there as well. With this network I would like to be able to access every server from it from very context from it. However I am having some difficulty.

So, basically I have setup a NAT statement on both sides of the contexts and an access list permitting icmp and ip traffic between the two contexts., however I have no communuication. I notice when I run show access-list that the access-list for the NAT statement builds up after a string of pings so the NAT is definetely happening, however it is getting denied. This is the error that fills up in the logs

Deny tcp src outside1:1.1.1.1/49163 dst inside1:2.2.2.2/80 by access-group "" [0x0, 0x0]

Deny icmp src outside1:1.1.1.1/49163 dst inside1:2.2.2.2/80 by access-group "" [0x0, 0x0]

Has anyone ever seen this before and maybe could provide some insight. Thank You very much in advance for all who help.

Below is the config for the FWSM Context that is giving the denies. The other side doesn't give denies. .

!

interface Vlanx

nameif outside7

bridge-group z

security-level 0

!

interface Vlany

nameif inside7

bridge-group z

security-level 100

!

interface BVIz

ip address

!

access-list INSIDE extended permit ip any any

access-list OUTSIDE extended permit icmp any any echo

access-list OUTSIDE extended permit icmp any any time-exceeded

access-list NO_NAT_INSIDE extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255

pager lines 24

logging enable

logging asdm informational

mtu outside1 1500

mtu inside1 1500

icmp permit any outside7

icmp permit any inside7

global (outside7) 1 x.x.x.x

nat (inside7) 0 access-list NO_NAT_INSIDE

nat (inside7) 1 p.p.p.p a.a.a.a

access-group INSIDE in interface inside7

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect dns maximum-length 512

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect sunrpc

  inspect rsh

  inspect smtp

  inspect sqlnet

  inspect skinny

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

  inspect icmp error

!

1 ACCEPTED SOLUTION

Accepted Solutions

FWSM Inter-VLAN Issue

Hello John,

Just to confirm this is an ACL issue.

Can you place a permit ip any any and check the logs please.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
5 REPLIES

FWSM Inter-VLAN Issue

Hello John,

Do the following and let me know the result:

no access-list OUTSIDE extended permit icmp any any echo

no access-list OUTSIDE extended permit icmp any any time-exceeded

access-list OUTSIDE permit icmp any any

Let me know.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

FWSM Inter-VLAN Issue

Thank you for the quick response jcarvaja. I tried exactly what you requested, however the logs still give me the same deny statement.

FWSM Inter-VLAN Issue

Hello John,

Just to confirm this is an ACL issue.

Can you place a permit ip any any and check the logs please.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

FWSM Inter-VLAN Issue

Hi jcarvaja,

Thanks for the quick response again. The issue was I never applied the access group for the outside interfaces. Once this was applied on both sides of the contexts the pings went through successfully. Thanks Again!

FWSM Inter-VLAN Issue

Hello John,

Excelent that we now have solved the issue.

Have a wonderful night!!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
357
Views
0
Helpful
5
Replies
CreatePlease login to create content