
Ping from FWSM

Dear *,

I have a simple setup with a core switch and FWSM. From the FWSM I am able to ping from the inside interface (the interface between FWSM and MSFC) to other VLANs on the core switch and to the internet; however, when I source the ping from another VLAN of the FWSM to the internet or to another VLAN of the core switch, there is no reply. Here is my config on FWSM:

FWSM-1# sh run
: Saved
:
FWSM Version 4.0(4)
!
hostname FWSM-1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Vlan102
description *** Servers ***
nameif SRVR
security-level 50
ip address 10.10.2.1 255.255.255.0
!
interface Vlan103
description *** Servers Mgmt ***
nameif SRVR-mgmt
security-level 50
ip address 10.10.3.1 255.255.255.0
!
interface Vlan174
description LAN/STATE Failover Interface
!
interface Vlan175
description *** Inside Interface to MSFC ***
nameif inside
security-level 100
ip address 10.10.75.2 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit inter-interface
access-list inside-in extended permit ip any any
access-list inside-in extended permit icmp any any
access-list SRVR-in extended permit ip any any
access-list SRVR-mgmt-in extended permit ip any any
access-list SRVR extended permit icmp any any
access-list SRVR-mgmt extended permit icmp any any
pager lines 24
mtu SRVR 1500
mtu SRVR-mgmt 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface FAIL Vlan174
failover key *****
failover replication http
failover link FAIL Vlan174
failover interface ip FAIL 192.168.74.1 255.255.255.252 standby 192.168.74.2
icmp permit any echo SRVR
icmp permit any SRVR
icmp permit any echo SRVR-mgmt
icmp permit any SRVR-mgmt
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group SRVR-in in interface SRVR
access-group SRVR-mgmt-in in interface SRVR-mgmt
access-group inside-in in interface inside
route inside 0.0.0.0 0.0.0.0 10.10.75.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http 10.10.0.0 255.255.0.0 SRVR
http 10.10.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service reset no-connection
telnet 10.10.0.0 255.255.0.0 SRVR
telnet 10.10.0.0 255.255.0.0 SRVR-mgmt
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0cc9eda46d5882ff1d4d2d7046e76c30
: end
FWSM-1#

FWSM-1# ping inside 4.2.2.2
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 130/140/150 ms
FWSM-1# ping in
FWSM-1# ping inside 10.10.10.1
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
FWSM-1# ping in
FWSM-1# ping SRV 4.2.2.2

FWSM-1# ping SRVR 4.2.2.2
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
FWSM-1# ping SRVR 10.10.10.1
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
?????


Core Switch:

interface Vlan175
description *** Connected to FWSM ***
ip address 10.10.75.1 255.255.255.0
end

interface Vlan100
  description *** NQA-mgmt ***
ip address 10.10.1.1 255.255.255.0
end

ip route 10.10.2.0 255.255.255.0 Vlan175
ip route 10.10.3.0 255.255.255.0 Vlan175


Any help is appreciated, as this is the first time I am configuring FWSM.

Thanks,
Aamir

1 REPLY

Ping from FWSM

Hello,

Please add the following commands and let me know:

policy-map global_policy
 class inspection_default
  inspect icmp

Please rate helpful posts,

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
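
An added example, not part of the thread or of any Cisco tooling: a small Python check that reads a running-config and reports whether the `global_policy` inspection class carries `inspect icmp` (the change suggested in the reply) and which access-lists are defined but never applied by an `access-group`. The `audit` function and the `SAMPLE_CONFIG` excerpt are hypothetical names; the excerpt is constructed by trimming the config posted above.

```python
# Constructed excerpt, trimmed from the running-config posted in the thread.
SAMPLE_CONFIG = """\
access-list inside-in extended permit ip any any
access-list inside-in extended permit icmp any any
access-list SRVR-in extended permit ip any any
access-list SRVR-mgmt-in extended permit ip any any
access-list SRVR extended permit icmp any any
access-list SRVR-mgmt extended permit icmp any any
access-group SRVR-in in interface SRVR
access-group SRVR-mgmt-in in interface SRVR-mgmt
access-group inside-in in interface inside
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
!
service-policy global_policy global
"""


def audit(config, policy="global_policy"):
    """Report ICMP inspection in `policy` and ACLs no access-group applies."""
    defined, bound, inspected = [], set(), set()
    in_policy = False
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        key = words[0].lower()
        # Anything other than class/inspect (e.g. "!") closes the policy-map block.
        if in_policy and key not in ("class", "inspect"):
            in_policy = False
        if len(words) < 2:
            continue
        if key == "policy-map":
            in_policy = words[1] == policy
        elif key == "inspect" and in_policy:
            inspected.add(words[1].lower())
        elif key == "access-list" and words[1] not in defined:
            defined.append(words[1])
        elif key == "access-group":
            bound.add(words[1])
    return {
        "icmp_inspected": "icmp" in inspected,
        "unbound_acls": [name for name in defined if name not in bound],
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

On the excerpt it reports that ICMP is not inspected and that the `SRVR` and `SRVR-mgmt` access-lists, the ones holding the `permit icmp` entries for those interfaces, are not applied to any interface.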