FWSM Inter-VLAN Issue

John Apricena — Mon, 11 Mar 2019 21:57:36 GMT

Hello All,

I've looked through this site on multiple occasions and there has already been topics or questions that helped resolve mine however this one that I'm having doesn't appear to be anywhere. I'm having a problem with our 6500 and our FWSM. The problem I'm having is inter-vlan communication. So, We have our FWSM running multiple contexts for clients, and I have an admin Context in there as well. With this network I would like to be able to access every server from it from very context from it. However I am having some difficulty.

So, basically I have setup a NAT statement on both sides of the contexts and an access list permitting icmp and ip traffic between the two contexts., however I have no communuication. I notice when I run show access-list that the access-list for the NAT statement builds up after a string of pings so the NAT is definetely happening, however it is getting denied. This is the error that fills up in the logs

Deny tcp src outside1:1.1.1.1/49163 dst inside1:2.2.2.2/80 by access-group "" [0x0, 0x0]

Deny icmp src outside1:1.1.1.1/49163 dst inside1:2.2.2.2/80 by access-group "" [0x0, 0x0]

Has anyone ever seen this before and maybe could provide some insight. Thank You very much in advance for all who help.

Below is the config for the FWSM Context that is giving the denies. The other side doesn't give denies. .

interface Vlanx

nameif outside7

bridge-group z

security-level 0

interface Vlany

nameif inside7

bridge-group z

security-level 100

interface BVIz

ip address

access-list INSIDE extended permit ip any any

access-list OUTSIDE extended permit icmp any any echo

access-list OUTSIDE extended permit icmp any any time-exceeded

access-list NO_NAT_INSIDE extended permit ip 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255

pager lines 24

logging enable

logging asdm informational

mtu outside1 1500

mtu inside1 1500

icmp permit any outside7

icmp permit any inside7

global (outside7) 1 x.x.x.x

nat (inside7) 0 access-list NO_NAT_INSIDE

nat (inside7) 1 p.p.p.p a.a.a.a

access-group INSIDE in interface inside7

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect sunrpc

inspect rsh

inspect smtp

inspect sqlnet

inspect skinny

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

inspect icmp error

FWSM Inter-VLAN Issue

Julio Carvajal — Wed, 30 Nov 2011 23:01:16 GMT

Hello John,

Do the following and let me know the result:

no access-list OUTSIDE extended permit icmp any any echo

no access-list OUTSIDE extended permit icmp any any time-exceeded

access-list OUTSIDE permit icmp any any

Let me know.

Regards,

Julio

FWSM Inter-VLAN Issue

John Apricena — Wed, 30 Nov 2011 23:08:13 GMT

Thank you for the quick response jcarvaja. I tried exactly what you requested, however the logs still give me the same deny statement.

FWSM Inter-VLAN Issue

Julio Carvajal — Wed, 30 Nov 2011 23:19:38 GMT

Hello John,

Just to confirm this is an ACL issue.

Can you place a permit ip any any and check the logs please.

Regards,

Julio

FWSM Inter-VLAN Issue

John Apricena — Thu, 01 Dec 2011 04:02:21 GMT

Hi jcarvaja,

Thanks for the quick response again. The issue was I never applied the access group for the outside interfaces. Once this was applied on both sides of the contexts the pings went through successfully. Thanks Again!

FWSM Inter-VLAN Issue

Julio Carvajal — Thu, 01 Dec 2011 05:06:24 GMT

Hello John,

Excelent that we now have solved the issue.

Have a wonderful night!!

Julio

topic FWSM Inter-VLAN Issue in Network Security

FWSM Inter-VLAN Issue

FWSM Inter-VLAN Issue

FWSM Inter-VLAN Issue

FWSM Inter-VLAN Issue

FWSM Inter-VLAN Issue

FWSM Inter-VLAN Issue