11-30-2011 02:45 PM - edited 03-11-2019 02:57 PM
Hello All,
I've looked through this site on multiple occasions and there have already been topics or questions that helped resolve mine; however, the one I'm having now doesn't appear to be anywhere. I'm having a problem with our 6500 and our FWSM. The problem I'm having is inter-vlan communication. So, we have our FWSM running multiple contexts for clients, and I have an admin context in there as well. With this network I would like to be able to access every server from every context. However, I am having some difficulty.
So, basically I have set up a NAT statement on both sides of the contexts and an access list permitting icmp and ip traffic between the two contexts, however I have no communication. I notice when I run show access-list that the access-list for the NAT statement builds up after a string of pings, so the NAT is definitely happening, however it is getting denied. This is the error that fills up the logs:
Deny tcp src outside1:1.1.1.1/49163 dst inside1:2.2.2.2/80 by access-group "" [0x0, 0x0]
Deny icmp src outside1:1.1.1.1/49163 dst inside1:2.2.2.2/80 by access-group "" [0x0, 0x0]
Has anyone ever seen this before and maybe could provide some insight. Thank You very much in advance for all who help.
Below is the config for the FWSM context that is giving the denies. The other side doesn't give denies.
!
interface Vlanx
nameif outside7
bridge-group z
security-level 0
!
interface Vlany
nameif inside7
bridge-group z
security-level 100
!
interface BVIz
ip address
!
access-list INSIDE extended permit ip any any
access-list OUTSIDE extended permit icmp any any echo
access-list OUTSIDE extended permit icmp any any time-exceeded
access-list NO_NAT_INSIDE extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255
pager lines 24
logging enable
logging asdm informational
mtu outside1 1500
mtu inside1 1500
icmp permit any outside7
icmp permit any inside7
global (outside7) 1 x.x.x.x
nat (inside7) 0 access-list NO_NAT_INSIDE
nat (inside7) 1 p.p.p.p a.a.a.a
access-group INSIDE in interface inside7
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect sunrpc
inspect rsh
inspect smtp
inspect sqlnet
inspect skinny
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
11-30-2011 03:01 PM
Hello John,
Do the following and let me know the result:
no access-list OUTSIDE extended permit icmp any any echo
no access-list OUTSIDE extended permit icmp any any time-exceeded
access-list OUTSIDE permit icmp any any
Let me know.
Regards,
Julio
11-30-2011 03:08 PM
Thank you for the quick response jcarvaja. I tried exactly what you requested, however the logs still give me the same deny statement.
11-30-2011 03:19 PM
Hello John,
Just to confirm this is an ACL issue.
Can you place a permit ip any any and check the logs please.
Regards,
Julio
11-30-2011 08:02 PM
Hi jcarvaja,
Thanks for the quick response again. The issue was I never applied the access group for the outside interfaces. Once this was applied on both sides of the contexts the pings went through successfully. Thanks Again!
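The root cause above is an ACL that was defined but never bound with access-group, so the outside interface fell through to the implicit deny (logged as access-group ""). As an added example, not from this thread or from Cisco, here is a small Python audit that parses a context's configuration and flags exactly that condition: interfaces with a nameif but no inbound access-group, ACLs that are defined but referenced nowhere, and access-group or nat lines that name an undefined ACL. The sample config and the function names are constructed for illustration and modelled on the config posted in the question.

```python
import re

# Constructed sample modelled on the config posted above: the OUTSIDE ACL is
# defined but never bound with access-group, so packets arriving on outside7
# (security-level 0) hit the implicit deny, logged as access-group "".
SAMPLE_CONFIG = """\
interface Vlanx
 nameif outside7
 bridge-group z
 security-level 0
!
interface Vlany
 nameif inside7
 bridge-group z
 security-level 100
!
access-list INSIDE extended permit ip any any
access-list OUTSIDE extended permit icmp any any echo
access-list OUTSIDE extended permit icmp any any time-exceeded
access-list NO_NAT_INSIDE extended permit ip host 1.1.1.1 host 2.2.2.2
nat (inside7) 0 access-list NO_NAT_INSIDE
access-group INSIDE in interface inside7
"""

NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")
SECLVL_RE = re.compile(r"^\s*security-level\s+(\d+)")
ACL_RE = re.compile(r"^\s*access-list\s+(\S+)\s")
NAT_ACL_RE = re.compile(r"^\s*nat\s+\(\S+\)\s+\d+\s+access-list\s+(\S+)")
GROUP_RE = re.compile(r"^\s*access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")

def audit_access_groups(config):
    """Audit one FWSM/ASA context. Returns a dict with three findings:
    no_inbound_acl: (interface, security-level) pairs lacking an inbound
                    access-group; below level 100 these drop all inbound traffic.
    undefined_acl:  ACL names used by access-group or nat but never defined.
    unbound_acl:    ACLs defined but referenced by no access-group or nat."""
    current, levels, acls, referenced, bindings = None, {}, set(), set(), {}
    for line in config.splitlines():
        if m := NAMEIF_RE.match(line):
            current = m.group(1)          # nameif opens a new interface record
            levels[current] = None
        elif (m := SECLVL_RE.match(line)) and current:
            levels[current] = int(m.group(1))
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))          # any access-list line defines its name
        elif m := NAT_ACL_RE.match(line):
            referenced.add(m.group(1))    # nat 0 access-list (identity NAT) is a use
        elif m := GROUP_RE.match(line):
            acl, direction, ifname = m.groups()
            bindings.setdefault(ifname, {})[direction] = acl
            referenced.add(acl)
    no_inbound = [(i, lvl) for i, lvl in levels.items() if "in" not in bindings.get(i, {})]
    return {"no_inbound_acl": sorted(no_inbound),
            "undefined_acl": sorted(referenced - acls),
            "unbound_acl": sorted(acls - referenced)}

if __name__ == "__main__":
    for key, items in audit_access_groups(SAMPLE_CONFIG).items():
        print(f"{key}: {items}")
```

Run against the constructed sample it reports outside7 (level 0) with no inbound ACL and OUTSIDE as an unbound ACL, which is the pair of symptoms behind the deny messages quoted in the question.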
11-30-2011 09:06 PM
Hello John,
Excellent that we now have solved the issue.
Have a wonderful night!!
Julio