Cisco Support Community

New Member

Urgent: need help FWSM-3.2(x) icmp (ping) to the remote side interface

Hi,

I have the problem that I need to ping the remote side interface in a multiple context configured fwsm and cannot achieve it. Need this urgently and help is welcome.

Client 1.1.1.20 - 1.1.1.1 (MSFC) 2.2.2.1 - 2.2.2.2 (FWSM) 3.3.3.1

Ping from 1.1.1.20 to 3.3.3.1:

1.1.1.20 is an RS6000 NIM server, and it tries to ping the FWSM interface 3.3.3.1, which is the default gateway for other RS6000 machines in the secured area.

We use multiple SVI interfaces, and the FWSM has a 2.2.2.2 interface with security level 100 and the 3.3.3.1 interface with security level 0.

I cannot manage to get a ping from the client to the fwsm interface.

I set icmp inspection, have a permit any icmp on both interfaces.

???

Regards,

Patrick

6 REPLIES
Hall of Fame Super Blue

Re: Urgent: need help FWSM-3.2(x) icmp (ping) to the remote side

Patrick

Ordinarily you cannot enter the FWSM on one interface to ping another interface. However, you can make the 3.3.3.1 a management interface and then try pinging -

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/command/reference/m.html#wp1690187

Jon

New Member

Re: Urgent: need help FWSM-3.2(x) icmp (ping) to the remote side

Hi Jon,

Thank you very much. I am looking at the command reference and will try to configure management access on the 3.3.3.1 interface.

Is this behaviour described anywhere? We need this because of the Network Installation manager for IBM RS Machines.

Hall of Fame Super Blue

Re: Urgent: need help FWSM-3.2(x) icmp (ping) to the remote side

Patrick

"Is this behaviour described anywhere?"

If you mean the bit about not being able to enter one interface to ping another on the FWSM, it is described under the "Usage" section in the link I sent.

Jon

New Member

Re: Urgent: need help FWSM-3.2(x) icmp (ping) to the remote side

Hi Jon,

I set the management-access fwsm-saptm-vlan, i.e. 3.3.3.1.

No success, still no answer.

No entries in the debug real-time view either, neither for 3.3.3.1 nor for the standby 3.3.3.2.

Could something be missing?

I tried to configure telnet and ssh access but could not access 3.3.3.1.

?

Regards,

Patrick

New Member

Re: Urgent: need help FWSM-3.2(x) icmp (ping) to the remote side

Hi Jon,

I just saw that in the usage it says from outside to inside only through IPSEC VPN????

I need the access from sec level 100 to sec level 0, which is the other way around.

What if I switch the sec levels?

<...

The management-access command is supported for the following through an IPSec VPN tunnel only:

• SNMP polls to the management interface
• HTTPS requests to the management interface
• ASDM access to the management interface
• Telnet access to the management interface
• SSH access to the management interface
• Ping to the management interface
• Syslog polls to the management interface

...>

Hall of Fame Super Blue

Re: Urgent: need help FWSM-3.2(x) icmp (ping) to the remote side

Patrick

Good spot, I didn't notice the bit about through a VPN.

Do you actually need to ping the FWSM interface, or can you not ping some device in the 3.3.3.x VLAN? What you are trying to do is not really allowed due to security issues.

Jon
