FWSM: Permitting Traffic

The current lab is set up with 3 VLANs (109, 199, 200) protected behind the FWSM.

Q1. PC 10.27.2.12 (VLAN 200) cannot ping 10.26.6.1 (VLAN 109) and 10.27.0.1 (VLAN 199) on the FWSM. Is this possible?

Q2. PC 10.27.2.12 (VLAN 200) cannot access the FWSM using ASDM software. Is this possible?

Please advise,

Regards,

C

3 REPLIES

Re: FWSM: Permitting Traffic

Colm, I have not played with FWSM, but it does have some similarities with ASAs, so I'll give this one a shot.

Starting with the easy one.

Q2. PC 10.27.2.12 (VLAN 200) cannot access the FWSM using ASDM software. Is this possible?

Allow admin access for that host on the FWSM to be able to access ASDM:

http://www.cisco.com/en/US/partner/docs/security/fwsm/fwsm40/configuration/guide/mgacc_f.html#wp1047288

i.e.

fwsm(config)# http 10.27.2.12 255.255.255.255 cm-servers

Q1. PC 10.27.2.12 (VLAN 200) cannot ping 10.26.6.1 (VLAN 109) and 10.27.0.1 (VLAN 199) on the FWSM. Is this possible?

The VLAN 109 wireless interface and the VLAN 200 cm-servers interface have the same security level of 100. To enable communication between the two you need same sec traffic intra-interface:

same-security-traffic permit inter-interface

http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/intfce_f.html#wp1059402

Regards

Re: FWSM: Permitting Traffic

Thanks Jorge for the reply.

Q1. PC 10.27.2.12 (VLAN 200) cannot ping 10.26.6.1 (VLAN 109) and 10.27.0.1 (VLAN 199) on the FWSM. Is this possible?

I already had this command applied to the FWSM. For the inside VLANs, I can ping hosts on all the inside VLANs but cannot ping the default gateways for other inside VLANs. Is this allowed on the FWSM?

same-security-traffic permit inter-interface

Re: FWSM: Permitting Traffic

As far as I know, a host from one VLAN whose L3 interface resides on the firewall cannot ping the default gateway of another VLAN on the same firewall like you would on a non-firewall router. This is the way it is on PIX/ASA, and I would expect the same behaviour/restriction in FWSM.

If I am mistaken on FWSM, perhaps someone could correct me.

Regards
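
An offline check of a saved configuration for the two settings discussed in this thread (an `http` admin-access statement covering the ASDM host, and `same-security-traffic permit inter-interface` when interfaces share a security level), as an added example that is not part of any post. The sample configuration is constructed; the interface name `mgmt`, the /24 masks and the 10.27.2.1 address are assumptions.

```python
import ipaddress
import re

# Constructed sample config; "mgmt", the /24 masks and 10.27.2.1 are assumptions.
SAMPLE = """\
interface Vlan109
 nameif wireless
 security-level 100
 ip address 10.26.6.1 255.255.255.0
interface Vlan199
 nameif mgmt
 security-level 100
 ip address 10.27.0.1 255.255.255.0
interface Vlan200
 nameif cm-servers
 security-level 100
 ip address 10.27.2.1 255.255.255.0
http server enable
http 10.27.0.0 255.255.255.0 mgmt
"""

def audit(config, host):
    """Return findings on same-level interfaces and ASDM access for host."""
    lines = [l.strip() for l in config.splitlines()]
    levels, http_nets, findings, name = {}, [], [], None
    for line in lines:
        if line.startswith("interface "):
            name = None  # a new interface block starts
        elif m := re.fullmatch(r"nameif (\S+)", line):
            name = m[1]
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and name:
            levels[name] = int(m[1])
        elif m := re.fullmatch(r"http (\d\S*) (\d\S*) (\S+)", line):
            http_nets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    # Interfaces whose security level is shared with at least one other interface
    shared = sorted(n for n, lvl in levels.items()
                    if list(levels.values()).count(lvl) > 1)
    if shared and "same-security-traffic permit inter-interface" not in lines:
        findings.append("same-level interfaces without inter-interface permit: "
                        + ", ".join(shared))
    if "http server enable" not in lines:
        findings.append("http server not enabled")
    if not any(ipaddress.ip_address(host) in net for net in http_nets):
        findings.append(f"no http statement covers {host}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "10.27.2.12"):
        print(finding)
```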
