Cisco Support Community

New Member

6509 FWSM Security Context. Unable to ping the interface IP

Hi All,

I have created a VLAN in 6509 switch and have attached this VLAN as an interface to the FWSM security context. I have configured NAT to access it from other vlans as well as the access-list provided ICMP access from other vlans.

I am unable to ping the interface IP from any other vlan interfaces attached to FWSM.

Please let me know where I am going wrong.

5 REPLIES
New Member

Re: 6509 FWSM Security Context. Unable to ping the interface IP

Hi,

Did you add the commands:

icmp permit (source add range) echo (interface name)

icmp permit (source add range) echo-reply (interface name)

to your config? The FWSM will not respond to ping without them. The ACL only applies to traffic going through the interface, not hitting the interface itself.

New Member

Re: 6509 FWSM Security Context. Unable to ping the interface IP

Hi Mathew,

I added these commands and it works.

Thanks a lot for explaining and taking the time to reply to this message.

Hall of Fame Super Silver

Re: 6509 FWSM Security Context. Unable to ping the interface IP

Hello Chandhrasekar,

In addition to what Matthew has already noted:

>> I am unable to ping the interface IP from any other vlan interfaces attached to FWSM.

It is common for a firewall to block ICMP between its own interfaces (they have different levels of security so the behavior is this) and this is one of the first basic differences with a router.

So this is not necessarily a sign of a problem.

Test the configuration with user traffic.

Hope to help

Giuseppe

New Member

Re: 6509 FWSM Security Context. Unable to ping the interface IP

Hi All,

Thanks for the reply. It is not a critical item, but I wanted to know why I was unable to ping the interface but was able to ping the hosts connected to it.

Thanks,

New Member

Re: 6509 FWSM Security Context. Unable to ping the interface IP

Hello again,

The default behavior of the FWSM is to NOT respond to ICMP requests directed at an IP address of the FWSM itself. ICMP traffic through the FWSM to a host on a protected subnet is permitted if you say so via ACL. I guess it was one of those "secure in deployment" decisions. I found it in the command reference for my version of the FWSM under the command "icmp". Or here: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/command/reference/i1.html

Matt
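
The behaviour described in the replies above, as an added example that is not part of the original thread: a small Python check that reads a context configuration and reports whether an interface would answer an echo request from a given source. It assumes the `icmp permit|deny <address> <mask> [type] <interface>` form, first-match evaluation, and no reply when no rule matches; the sample configuration, addresses and names are constructed.

```python
import ipaddress

# Constructed sample context configuration (addresses and names are made up).
SAMPLE_CONFIG = """\
interface Vlan20
 nameif inside
 ip address 10.10.20.1 255.255.255.0
interface Vlan30
 nameif dmz
 ip address 10.10.30.1 255.255.255.0
access-list INSIDE_IN extended permit icmp any any
access-group INSIDE_IN in interface inside
icmp permit 10.10.20.0 255.255.255.0 echo inside
icmp deny 10.10.30.66 255.255.255.255 dmz
icmp permit 10.10.30.0 255.255.255.0 echo dmz
"""


def parse_icmp_rules(config):
    """Return ordered (action, network, icmp_type, if_name) tuples.

    Only 'icmp permit|deny <addr> <mask> [type] <if_name>' lines are read;
    access-list lines govern traffic through the module and are skipped.
    """
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) not in (5, 6) or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
            continue
        try:
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        except ValueError:
            continue  # not the address/mask form this sketch understands
        icmp_type = tok[4] if len(tok) == 6 else None  # None = every ICMP type
        rules.append((tok[1], net, icmp_type, tok[-1]))
    return rules


def interface_answers_ping(config, src_ip, if_name):
    """Assumed evaluation: first matching rule decides, no match = no reply."""
    src = ipaddress.ip_address(src_ip)
    for action, net, icmp_type, rule_if in parse_icmp_rules(config):
        if rule_if == if_name and src in net and icmp_type in (None, "echo"):
            return action == "permit"
    return False


if __name__ == "__main__":
    for src, ifc in [("10.10.20.5", "inside"), ("10.10.30.66", "dmz"), ("10.10.30.7", "dmz")]:
        print(src, ifc, interface_answers_ping(SAMPLE_CONFIG, src, ifc))
```

A configuration that carries only the access-list lines returns False for every source, which is the situation in the original question.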
