FWSM Inter-VLAN Issue

John Apricena
Level 1

Hello All,

I've looked through this site on multiple occasions and there have already been topics or questions that helped resolve mine; however, the one I'm having now doesn't appear to be anywhere. I'm having a problem with our 6500 and our FWSM. The problem is inter-VLAN communication. So, we have our FWSM running multiple contexts for clients, and I have an admin context in there as well. From this network I would like to be able to access every server in every context. However, I am having some difficulty.

So, basically I have set up a NAT statement on both sides of the contexts and an access list permitting ICMP and IP traffic between the two contexts; however, I have no communication. I notice when I run show access-list that the access-list for the NAT statement builds up after a string of pings, so the NAT is definitely happening, however it is getting denied. This is the error that fills up the logs:

Deny tcp src outside1:1.1.1.1/49163 dst inside1:2.2.2.2/80 by access-group "" [0x0, 0x0]

Deny icmp src outside1:1.1.1.1/49163 dst inside1:2.2.2.2/80 by access-group "" [0x0, 0x0]

Has anyone ever seen this before and maybe could provide some insight. Thank You very much in advance for all who help.

Below is the config for the FWSM context that is giving the denies. The other side doesn't give denies.

!
interface Vlanx
 nameif outside7
 bridge-group z
 security-level 0
!
interface Vlany
 nameif inside7
 bridge-group z
 security-level 100
!
interface BVIz
 ip address
!
access-list INSIDE extended permit ip any any
access-list OUTSIDE extended permit icmp any any echo
access-list OUTSIDE extended permit icmp any any time-exceeded
access-list NO_NAT_INSIDE extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255
pager lines 24
logging enable
logging asdm informational
mtu outside1 1500
mtu inside1 1500
icmp permit any outside7
icmp permit any inside7
global (outside7) 1 x.x.x.x
nat (inside7) 0 access-list NO_NAT_INSIDE
nat (inside7) 1 p.p.p.p a.a.a.a
access-group INSIDE in interface inside7
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect sunrpc
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
!

Accepted Solution

Hello John,

Just to confirm this is an ACL issue.

Can you place a permit ip any any and check the logs please.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

5 Replies

Julio Carvajal
VIP Alumni

Hello John,

Do the following and let me know the result:

no access-list OUTSIDE extended permit icmp any any echo

no access-list OUTSIDE extended permit icmp any any time-exceeded

access-list OUTSIDE permit icmp any any

Let me know.

Regards,

Julio

Thank you for the quick response, jcarvaja. I tried exactly what you requested; however, the logs still give me the same deny statement.

Hi jcarvaja,

Thanks for the quick response again. The issue was I never applied the access group for the outside interfaces. Once this was applied on both sides of the contexts, the pings went through successfully. Thanks again!
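Added example, not code from the thread or from Cisco: a small Python checker that ties the deny messages posted at the top of the thread to the root cause John found. It parses a context's nameif and access-group lines, parses deny messages of the shape shown above, and treats an empty access-group name (by access-group "") as the signature of a packet entering an interface that has no access list applied. The config and syslog samples are constructed (interface names follow the posted context, addresses are documentation ranges); running the same check against a copy of the config with access-group OUTSIDE in interface outside7 added shows the finding clearing, which is the fix reported in the reply above.

```python
"""Flag FWSM 'by access-group ""' denies that point at an interface with no
access-group bound, using constructed config and syslog samples."""
import re

# Constructed sample config (not the thread's exact config): interfaces named like
# the posted context, ACLs defined, but an access-group bound only on inside7.
CONFIG_BEFORE = """\
interface Vlan10
 nameif outside7
 bridge-group 1
 security-level 0
!
interface Vlan20
 nameif inside7
 bridge-group 1
 security-level 100
!
access-list INSIDE extended permit ip any any
access-list OUTSIDE extended permit icmp any any
access-group INSIDE in interface inside7
"""

# The same context after the fix described in the thread: the OUTSIDE ACL is
# bound to the outside interface as well.
CONFIG_AFTER = CONFIG_BEFORE + "access-group OUTSIDE in interface outside7\n"

# Constructed syslog lines in the shape of the deny messages posted in the thread.
# The third line shows how a drop looks once an ACL is bound and explicitly denies.
SAMPLE_LOGS = [
    'Deny tcp src outside7:192.0.2.10/49163 dst inside7:198.51.100.5/80 '
    'by access-group "" [0x0, 0x0]',
    'Deny icmp src outside7:192.0.2.10 dst inside7:198.51.100.5 (type 8, code 0) '
    'by access-group "" [0x0, 0x0]',
    'Deny tcp src outside7:192.0.2.10/49164 dst inside7:198.51.100.5/22 '
    'by access-group "OUTSIDE" [0x0, 0x0]',
]

NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)", re.M)
ACL_DEF_RE = re.compile(r"^\s*access-list\s+(\S+)\s", re.M)
ACL_BIND_RE = re.compile(r"^\s*access-group\s+(\S+)\s+in\s+interface\s+(\S+)", re.M)
DENY_RE = re.compile(
    r"Deny\s+(?P<proto>\S+)\s+src\s+(?P<in_if>[^:\s]+):(?P<src>\S+)\s+"
    r'dst\s+(?P<out_if>[^:\s]+):(?P<dst>\S+).*?by access-group "(?P<acl>[^"]*)"'
)


def parse_config(text):
    """Return interfaces (by nameif), defined ACL names and the ACL bound per interface."""
    return {
        "interfaces": set(NAMEIF_RE.findall(text)),
        "acls": set(ACL_DEF_RE.findall(text)),
        "bindings": {iface: acl for acl, iface in ACL_BIND_RE.findall(text)},
    }


def unbound_interfaces(cfg):
    """Interfaces with a nameif but no inbound access-group: traffic entering them
    is dropped and logged with an empty access-group name, as in the thread."""
    return sorted(cfg["interfaces"] - set(cfg["bindings"]))


def dangling_bindings(cfg):
    """Interfaces whose access-group names an ACL that has no access-list entries."""
    return sorted(iface for iface, acl in cfg["bindings"].items() if acl not in cfg["acls"])


def classify_deny(line, cfg):
    """Parse one deny message and say why the firewall dropped it (None if not a deny)."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    if rec["acl"] == "":
        # Empty ACL name: no access list was consulted on the ingress interface.
        rec["finding"] = ("unbound-ingress-acl" if rec["in_if"] not in cfg["bindings"]
                          else "empty-acl-name")
    else:
        rec["finding"] = "explicit-deny"
    return rec


def analyze(logs, cfg):
    """Classify every parseable deny line against the given config."""
    return [r for r in (classify_deny(line, cfg) for line in logs) if r is not None]


if __name__ == "__main__":
    before = parse_config(CONFIG_BEFORE)
    print("interfaces without an inbound ACL (before):", unbound_interfaces(before))
    for r in analyze(SAMPLE_LOGS, before):
        print(f'{r["proto"]:5} {r["in_if"]}->{r["out_if"]} acl="{r["acl"]}" {r["finding"]}')
    after = parse_config(CONFIG_AFTER)
    print("interfaces without an inbound ACL (after):", unbound_interfaces(after))
```

The check is deliberately per context: in multiple-context mode each context carries its own nameif and access-group lines, so feed it one context's running config at a time, and expect a transparent (bridge-group) pair to need an ACL bound on both members before traffic crosses it in either direction, which matches the outcome reported above.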

Hello John,

Excellent that we have now solved the issue.

Have a wonderful night!!

Julio