FWSM ICMP Issue

John Apricena — Mon, 11 Mar 2019 22:41:32 GMT

Hello All,

I am currently having a ping issue with my FWSM and was wondering if anyone could provide some insight. So, I have a 6500 along with an FWSM running in transparent mode. This is a test environment so I can make changes at any time. Below is the show run for the FWSM. I can ping the SVI interface along with the HSRP interface from the FWSM, and vice versa. However I cannot ping any outside addresses from the FWSM and the FWSM produces no long output when I try to do so. I can also not ping from the 6500 or the FWSM to the test host. The test host has full internet connectivity and can ping both the 6500 and the FWSM however from the 6500 or the FWSM I cannot ping the host. I get the following error in the ASDM when I try tio ping from the 6500 to the Host. 192.168.0.2 is the SVI and 192.168.0.10 is the host. Thanks in advance for all the advice.

Deny inbound icmp src outside:192.168.0.2 dst inside:192.168.0.10 (type 8, code 0)

NYSPAL03FW02/MGMT# show run

: Saved

FWSM Version 4.0(14) <context>

firewall transparent

hostname

names

dns-guard

interface Vlan10

nameif outside

bridge-group 1

security-level 0

interface Vlan210

nameif inside

bridge-group 1

security-level 100

interface BVI1

ip address 192.168.0.4 255.255.255.0

access-list INSIDE_IN extended permit ip any any

access-list INSIDE_IN extended permit icmp any any

access-list OUTSIDE_IN extended permit icmp any any echo

access-list OUTSIDE_IN extended permit icmp any any time-exceeded

pager lines 24

logging enable

logging monitor debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp permit any outside

icmp permit any inside

no asdm history enable

arp timeout 14400

global (outside) 1 x.x.x.x

nat (inside) 1 192.168.0.0 255.255.255.0

static (inside,outside) x.x.x.x 192.168.0.10 netmask 255.255.255.255

access-group OUTSIDE_IN in interface outside

access-group INSIDE_IN in interface inside

route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect sunrpc

inspect rsh

inspect smtp

inspect sqlnet

inspect skinny

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

inspect icmp error

service-policy global_policy global

Cryptochecksum:d16f9498d431d0e810347e787749baaf

: end

NYSPAL03FW02/MGMT#

FWSM ICMP Issue

John Apricena — Tue, 13 Mar 2012 19:54:02 GMT

I've noticed that I am able to ping the Natted IP of this host from the 6500. So, it seems as if the FWSM is seeing pings from the 6500 as Outside traffic so I will change the soruce these packets come from and give a reply back. However I still cannot ping outside from the FWSM.

topic FWSM ICMP Issue in Network Security

FWSM ICMP Issue

FWSM ICMP Issue