I have an FWSM running in L3 mode, installed in a C6509E switch. The L3 of all other distribution layer switches is created in the FWSM.
I have a long-running problem of one-way communication with this FWSM. The IOS version is "FWSM Firewall Version 3.2(4)".
I have two PCs (PC1 and PC2) connected to two different zones of the FWSM, which is connected through two different L3 switches.
The problem is I can ping from PC2 to PC1 (I verified the path by traceroute; it's coming via the FWSM only), but I cannot ping from PC1 to PC2. All zones are bound with access lists "permit ip any any" and "permit icmp any any".
While pinging from PC1 to PC2 I am getting "Destination net unreachable"; when tracing, the FWSM reports "Destination net unreachable". The interesting thing is I can ping PC2 from the FWSM.
I also tried to put a capture in the FWSM for this particular source and destination (by attaching a specific access list), where I found that I am getting hits in one of the interfaces connected to PC1, and I cannot see any hits in the interface which is connected to PC2.
I am attaching a diagram for more details; any piece of info is appreciated.
1. Make sure SW1 has a route to 172.16.134.0/24 via 172.16.24.84
2. Make sure SW2 has a route back to 172.16.15.0/24 via 172.16.34.161
3. Apply an ACL (line 1) for ICMP traffic between 172.16.15.70 and 172.16.134.16 on the ACL facing the interface close to PC1, above the permit ip any any line. Start a continuous ping between PC1 and PC2 and watch the hit counts.
4. Apply an ACL (line 1) for ICMP traffic between 172.16.134.16 (source) and 172.16.15.(destination) on the ACL applied on the interface close to PC2, above the permit ip any any line. Watch the hit counts to see if you see the ICMP response.
2. I applied an access list on the VLAN interfaces and I could not see any logs for ICMP packets.
3. SW1 cannot ping PC2 (result is UUUUU)
4. SW2 can ping PC1
I have noticed one more thing. When I unchecked ICMP from the inspection policy rule action of the Service Policy Rules, I am getting Request Time Out when I ping from PC1 to PC2 (SW1 to PC2); I am getting a Network unreachable message when I put ICMP back.