topic Unable to ping one vlan int to other vlan int FWSM in Network Security

Unable to ping one vlan int to other vlan int FWSM

Jose Alejandro Rodriguez Rodriguez — Tue, 12 Mar 2019 02:49:19 GMT

I have created two vlan interfaces in my FWSM:

interface Vlan30

description Internet

nameif outside

security-level 0

ip address 190.202.128.204 255.255.255.248

interface Vlan500

description Interfaz Interna

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

I see them in the route table:

S 0.0.0.0 0.0.0.0 [1/0] via 190.202.128.201, outside

C 190.202.128.200 255.255.255.248 is directly connected, outside

C 192.168.1.0 255.255.255.0 is directly connected, inside

I have permitted the traffic icmp in the default class-map:

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect sunrpc

inspect rsh

inspect smtp

inspect sqlnet

inspect skinny

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

inspect icmp error

inspect http

However i'm unable to ping from inside interface to outside interface:

FWSM-UBV-01# ping inside 190.202.128.201

Sending 5, 100-byte ICMP Echos to 190.202.128.201, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

I have permmitted icmp in both interfaces

icmp permit any outside

icmp permit any inside

Any ideas why?

Thanks in advance

Alejandro Rodríguez

Unable to ping one vlan int to other vlan int FWSM

Jouni Forss — Wed, 09 Oct 2013 16:09:53 GMT

Hi,

After the ICMP can you see anything in the ARP table for 190.202.128.201?

show arp

- Jouni

Unable to ping one vlan int to other vlan int FWSM

Jose Alejandro Rodriguez Rodriguez — Wed, 09 Oct 2013 16:14:34 GMT

Yes,

I learned it

FWSM-UBV-01# sh arp

outside 190.202.128.201 58bf.eabf.cb40

eobc 127.0.0.51 0000.1500.0000

I even has and ACL tha permits anything

I'm even unable to ping my outside vlan int

FWSM-UBV-01# ping inside 190.202.128.204

Sending 5, 100-byte ICMP Echos to 190.202.128.204, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

Here' s my config

FWSM-UBV-01# sh run

: Saved

FWSM Version 4.0(4)

hostname FWSM-UBV-01

domain-name UBV.local

enable password 22hEzYDRd/PSXhZG encrypted

names

dns-guard

interface Vlan30

description Internet

nameif outside

security-level 0

ip address 190.202.128.204 255.255.255.248

interface Vlan500

description Interfaz Interna

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list 101 extended permit icmp any any echo-reply

access-list 101 extended permit icmp any any source-quench

access-list 101 extended permit icmp any any unreachable

access-list 101 extended permit icmp any any time-exceeded

access-list 101 extended permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

no failover

icmp permit any outside

icmp permit any inside

no asdm history enable

arp timeout 14400

access-group 101 in interface outside

access-group 101 out interface outside

access-group 101 in interface inside

access-group 101 out interface inside

route outside 0.0.0.0 0.0.0.0 190.202.128.201 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

username cpsadmin password uOBCikV6i4nTdDHP encrypted privilege 15

http server enable

http 200.109.233.226 255.255.255.255 outside

http 190.142.129.227 255.255.255.255 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

service reset no-connection

telnet timeout 5

ssh timeout 5

console timeout 0

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect sunrpc

inspect rsh

inspect smtp

inspect sqlnet

inspect skinny

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

inspect icmp error

inspect http

service-policy global_policy global

prompt hostname context

Cryptochecksum:2c824700279062c092f17087c47035ef

: end

If i dont specify the source i get the ping:

FWSM-UBV-01# ping 190.202.128.201

Sending 5, 100-byte ICMP Echos to 190.202.128.201, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

FWSM-UBV-01#

Unable to ping one vlan int to other vlan int FWSM

Anas Hijjawi — Wed, 09 Oct 2013 16:16:32 GMT

This is your outside ip address 190.202.128.204 and you are saying that you want to ping 190.202.128.204

FWSM-UBV-01# ping inside 190.202.128.201

Sending 5, 100-byte ICMP Echos to 190.202.128.201, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

Can you please confirm what you are trying to ping?

Unable to ping one vlan int to other vlan int FWSM

Jose Alejandro Rodriguez Rodriguez — Wed, 09 Oct 2013 16:21:00 GMT

I'm trying to ping both first my outside address and my MSFC who is 190.202.128.201

FWSM-UBV-01# ping inside 190.202.128.204

Sending 5, 100-byte ICMP Echos to 190.202.128.204, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

if i dont specify the source i get the ping, but i suppose its because i'm using the outside iface as source addrress

FWSM-UBV-01# ping 190.202.128.201

Sending 5, 100-byte ICMP Echos to 190.202.128.201, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Re: Unable to ping one vlan int to other vlan int FWSM

Jouni Forss — Wed, 09 Oct 2013 16:28:22 GMT

Hi,

You would probably be better of PINGing from an actual host interface behind the "inside" interface (didnt even notice the "inside" interface specified on the first readthrough)

If ICMP to "outside" network doesnt work from an IP address behind "inside" interface then I would either configure Dynamic PAT for the "inside" users or configure a route that tells tha the "inside" network is found behind the "outside" interface IP address.

Notice though that a host behind "inside" wont be able to ICMP to the "outside" interface IP address and host behind "outside" wont be able to ICMP the "inside" interface. This is normal behaviour

- Jouni

Unable to ping one vlan int to other vlan int FWSM

Jose Alejandro Rodriguez Rodriguez — Wed, 09 Oct 2013 16:39:49 GMT

JouniForss

"Notice though that a host behind "inside" wont be able to ICMP to the "outside"

interface IP address and host behind "outside" wont be able to ICMP the "inside" interface. This is normal behaviour"

This is precisely what i wanna do but instead of using a host of the inside interface i want to use the svi inside in the FWSM as source of ping, this is because i'm trying to see if PAT works being able to ping to Internet hosts from the inside interface"

But i'm not able even to ping my own interfaces.....

Unable to ping one vlan int to other vlan int FWSM

Jouni Forss — Wed, 09 Oct 2013 16:49:24 GMT

Hi,

I am not 100% sure about the FWSM but the ASA atleast wont apply NAT configurations for traffic that you generate with the "ping" command. It just forwards the traffic without NAT applied.

I confirmed this on the ASA with traffic capture (my public gw IP replaced with 1.1.1.1)

interface Vlan1

description LAN

nameif LAN

security-level 100

ip address 10.0.10.2 255.255.254.0

ASA(config)# ping LAN 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

ASA(config)# sh capture

capture ICMP-CAP type raw-data access-list ICMP-CAP interface WAN [Capturing - 670 bytes]

ASA(config)# sh capture ICMP-CAP

5 packets captured

1: 19:46:36.814151 802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request

2: 19:46:38.811740 802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request

3: 19:46:40.811847 802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request

4: 19:46:42.811984 802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request

5: 19:46:44.812015 802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request

As you can see I did the capture on the WAN interface and no PAT has been applied to this traffic.

- Jouni

Unable to ping one vlan int to other vlan int FWSM

Jose Alejandro Rodriguez Rodriguez — Wed, 09 Oct 2013 17:05:10 GMT

Hmm so its not possible to ping form inside iface to ouside iface after all?

I have issued a sh iface and see a lot of packed dropped

Interface Vlan500 "inside", is up, line protocol is up

Hardware is EtherSVI, BW Unknown Speed-Capability, DLY 10 usec

Description: Interfaz Interna

MAC address d867.d992.5400, MTU 1500

IP address 192.168.1.1, subnet mask 255.255.255.0

Traffic Statistics for "inside":

0 packets input, 0 bytes

1 packets output, 68 bytes

        4696 packets dropped Interface Vlan500 "inside", is up, line protocol is up
Hardware is EtherSVI, BW Unknown Speed-Capability, DLY 10 usec
        Description: Interfaz Interna
        MAC address d867.d992.5400, MTU 1500
        IP address 192.168.1.1, subnet mask 255.255.255.0
Traffic Statistics for "inside":
        0 packets input, 0 bytes
        1 packets output, 68 bytes
        4696 packets dropped

Even when i have explicitely set an ACL for permit all traffic ...

Unable to ping one vlan int to other vlan int FWSM

Jouni Forss — Wed, 09 Oct 2013 17:10:05 GMT

Hi,

Cisco firewalls and routers tend to drop traffic all the time mostly because the device next to them has a service/setting enabled that the firewall/router doesnt support.

But its a known fact that you cant ping the actual interface IP address from behind another interface.

From the FWSM you should be able to ping any interface IP address configured on the FWSM directly. (Wihtout specifying any interface in the "ping" command)

From behind some FWSM interface you should only be able to ping the IP address of your interface. Not any other FWSM interface IP address.

- Jouni

Unable to ping one vlan int to other vlan int FWSM

Anas Hijjawi — Wed, 09 Oct 2013 18:00:21 GMT

Yes I beleive Jouni's answer is correct, FWSM will not allow to ping from one vlan to the other vlan gateway

Please rate helpful answers

Unable to ping one vlan int to other vlan int FWSM

Jose Alejandro Rodriguez Rodriguez — Wed, 09 Oct 2013 18:17:16 GMT

Yes,

Thank you all. I guess I should figure it out and see how can i test PAT without using icmp