Cisco Support Community
New Member

VM environment and Firewall

We have a vm environment and then a physical switch and a firewall

can't seem to get it to work

need some assistance and I am trying to learn what is going on

Cisco Employee

Re: VM environment and Firewall


Start with basics - topology diagram and IP schema. :-)

What is working, what is not working (pings, http, dns?)?


New Member

Re: VM environment and Firewall

Sure thing.

We have a virtual cluster, and currently a single ESX host connected to a physical Cisco switch, then from the switch to the firewall.

The firewall has 3 interfaces for 3 different networks, which are going to simulate INT, EXT, and DMZ.

The switch has routing disabled and is configured with one trunk port from the VM environment and 3 ports with the different VLANs for the 3 different networks.

Either I can ping everything with ICMP being permitted, or I can't ping anything with it being blocked.

VLANs have an IP of .1, firewall interfaces have an IP of .2, and each test system has an IP of .3. I am trying to get a basic firewall config to allow all outbound from INT to pass, DMZ to go out but not in, and nothing to come in from EXT. Also, can anyone explain to me why a switch needs a default gateway when IP routing is disabled?
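The following ASA configuration is an added example for the three-interface layout described in this post; it is not taken from the thread or from any attachment. The subnets (10.10.0.0/24 for INT, 10.20.0.0/24 for DMZ, 10.30.0.0/24 for EXT) and interface names are constructed, since the post gives only the host octets (.1 switch SVI, .2 firewall, .3 test host). Because the switch has IP routing disabled, its .1 SVIs only carry management traffic, so each test host's default gateway is assumed to be the firewall's .2 address on its VLAN.

```cisco
! Added example (not from the thread): minimal ASA policy for INT / DMZ / EXT.
! Subnets and interface names are constructed for illustration.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.0.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.20.0.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/2
 nameif outside
 security-level 0
 ip address 10.30.0.2 255.255.255.0
 no shutdown
!
! With these security levels the ASA default behaviour already matches the goal:
! inside (100) may initiate to dmz and outside, dmz (50) may initiate only to
! outside, and outside (0) may initiate nothing inbound. The ACLs below make
! that policy explicit so each decision shows up in "show run" and "show logg".
access-list INSIDE_IN extended permit ip 10.10.0.0 255.255.255.0 any
access-list DMZ_IN extended deny ip 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list DMZ_IN extended permit ip 10.20.0.0 255.255.255.0 any
access-list OUTSIDE_IN extended deny ip any any
!
access-group INSIDE_IN in interface inside
access-group DMZ_IN in interface dmz
access-group OUTSIDE_IN in interface outside
!
! Without ICMP inspection the ASA does not track echo request / echo reply as
! a connection, so replies coming back from a lower-security interface are
! dropped and ping looks "all or nothing". With inspect icmp, replies to a
! permitted outbound ping return while inbound echo requests stay blocked.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Buffered logging at informational level so denied flows can be read back
! with "show logging" while testing.
logging enable
logging buffered informational
logging buffer-size 1000000
```

A quick check after applying this: ping from the .3 host on inside to the .3 host on dmz and on outside should succeed, ping from dmz to inside should fail with a `%ASA-4-106023` deny entry in `show logging`, and any ping from outside toward inside or dmz should be logged as denied by OUTSIDE_IN.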

Cisco Employee

Re: VM environment and Firewall


ip default-gateway is used to manage the switch; it's not there for routing packets.

Can you attach "show run" from the ASA, enable logging at informational level to the buffer, do the test and extract the "show logg" output?


logg on

logg buffered info

logg buffer-size 1000000


If the output of "show logg" is too big you can tailor it by doing "show logg | i IP_ADDR"


New Member

Re: VM environment and Firewall


I'll work on getting you the config and the buffer/log info.

And what do you mean it's for managing the switch? Because I am being told that it directs traffic on the gateway.

Cisco Employee

Re: VM environment and Firewall


Regular packets from a host going to the internet are not going to be routed using that default gateway. That default gateway will be used if you are doing telnet to the switch from a subnet other than the one the switch is located in; the telnet replies go to the default gateway address.

Will be waiting for the config and the logs.


