6509 FWSM Security Context. Unable to ping the interface IP

csaravanan-sym
Level 1

Hi All,

I have created a VLAN in 6509 switch and have attached this VLAN as an interface to the FWSM security context. I have configured NAT to access it from other vlans as well as the access-list provided ICMP access from other vlans.

I am unable to ping the interface IP from any other vlan interfaces attached to FWSM.

Please let me know, where I am going wrong

5 Replies

MATTHEW BECK
Level 1

Hi,

Did you add the commands:

icmp permit (source add range) echo (interface name)

icmp permit (source add range) echo-reply (interface name)

to your config? The FWSM will not respond to ping without them. The ACL only applies to traffic going through the interface, not hitting the interface itself.

Hi Matthew,

I added these commands and it works.

Thanks a lot for explaining and taking the time to reply to this message.

Giuseppe Larosa
Hall of Fame

Hello Chandhrasekar,

In addition to what Matthew has already noted:

>> I am unable to ping the interface IP from any other vlan interfaces attached to FWSM.

It is common for a firewall to block ICMP between its own interfaces (they have different security levels, so this is the expected behavior), and this is one of the first basic differences from a router.

So this is not necessarily a sign of a problem.

Test the configuration with user traffic.

Hope to help

Giuseppe

Hi All,

Thanks for the reply. It is not a critical item, but I wanted to know why I was unable to ping the interface but was able to ping the hosts connected to it.

Thanks,

Hello again,

The default behavior of the FWSM is to NOT respond to ICMP requests directed at an IP address of the FWSM itself. ICMP traffic through the FWSM to a host on a protected subnet is permitted if you say so via ACL. I guess it was one of those "secure in deployment" decisions. I found it in the command reference for my version of the FWSM under the command "icmp". Or here: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/command/reference/i1.html

Matt
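A configuration fragment tying together the two points Matt makes above (to-the-box ICMP is governed by the icmp command, through-the-box ICMP by the interface ACL). It is an added example, not configuration from the thread or from Cisco's documentation; the context, interface names, VLANs and addresses are assumptions.

```text
! Added example (not from the thread). Assumed layout inside one FWSM security context:
!   interface "inside" on VLAN 10, subnet 10.10.0.0/24
!   interface "dmz"    on VLAN 20, subnet 10.20.0.0/24
!   management station allowed to ping the FWSM itself: 10.10.0.50

! --- ICMP addressed TO the FWSM interface: controlled by the icmp command.
! Rules are evaluated top-down, first match wins, so the deny goes last.
! Only the management host may ping the inside interface; any other ICMP
! aimed at that interface is dropped.
icmp permit host 10.10.0.50 echo inside
! echo-reply lets replies to pings sourced by the FWSM itself come back in.
icmp permit host 10.10.0.50 echo-reply inside
icmp deny any inside

! --- ICMP passing THROUGH the FWSM to hosts behind it: controlled by the ACL,
! which has no effect on packets that terminate on the interface itself.
! Without ICMP inspection the FWSM does not track echo/echo-reply as one
! flow, so the return direction needs its own permit on the far interface.
access-list INSIDE_IN extended permit icmp 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0 echo
access-group INSIDE_IN in interface inside
access-list DMZ_IN extended permit icmp 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0 echo-reply
access-group DMZ_IN in interface dmz

! Check what is actually in place before testing with ping.
show running-config icmp
show running-config access-list
```

A ping from 10.10.0.50 to the inside interface address now answers, while a ping to that same address from any other inside host is silently dropped even though the ACL would have allowed it through to the DMZ.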
