Ping from FWSM

xshant — Mon, 11 Mar 2019 21:54:44 GMT

Dear *,

I have a simple setup with a core switch and FWSM. From the FWSM I am able to ping from the inside interface (interface between FWSM and MSFC) of the FWSM to other vlan on the core switch and to the internet however when i source the ping from another vlan of FWSM to internet or other vlan of core switch, no reply. Here is my config on FWSM:

FWSM-1# sh run
: Saved
:
FWSM Version 4.0(4)
!
hostname FWSM-1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Vlan102
description *** Servers ***
nameif SRVR
security-level 50
ip address 10.10.2.1 255.255.255.0
!
interface Vlan103
description *** Servers Mgmt ***
nameif SRVR-mgmt
security-level 50
ip address 10.10.3.1 255.255.255.0
!
interface Vlan174
description LAN/STATE Failover Interface
!
interface Vlan175
description *** Inside Interface to MSFC ***
nameif inside
security-level 100
ip address 10.10.75.2 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit inter-interface
access-list inside-in extended permit ip any any
access-list inside-in extended permit icmp any any
access-list SRVR-in extended permit ip any any
access-list SRVR-mgmt-in extended permit ip any any
access-list SRVR extended permit icmp any any
access-list SRVR-mgmt extended permit icmp any any
pager lines 24
mtu SRVR 1500
mtu SRVR-mgmt 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface FAIL Vlan174
failover key *****
failover replication http
failover link FAIL Vlan174
failover interface ip FAIL 192.168.74.1 255.255.255.252 standby 192.168.74.2
icmp permit any echo SRVR
icmp permit any SRVR
icmp permit any echo SRVR-mgmt
icmp permit any SRVR-mgmt
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group SRVR-in in interface SRVR
access-group SRVR-mgmt-in in interface SRVR-mgmt
access-group inside-in in interface inside
route inside 0.0.0.0 0.0.0.0 10.10.75.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http 10.10.0.0 255.255.0.0 SRVR
http 10.10.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service reset no-connection
telnet 10.10.0.0 255.255.0.0 SRVR
telnet 10.10.0.0 255.255.0.0 SRVR-mgmt
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect smtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0cc9eda46d5882ff1d4d2d7046e76c30
: end
FWSM-1#

FWSM-1# ping inside 4.2.2.2
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 130/140/150 ms
FWSM-1# ping in
FWSM-1# ping inside 10.10.10.1
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
FWSM-1# ping in
FWSM-1# ping SRV 4.2.2.2

FWSM-1# ping SRVR 4.2.2.2
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
FWSM-1# ping SRVR 10.10.10.1
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
?????

Core Switch:

interface Vlan175
description *** Connected to FWSM ***
ip address 10.10.75.1 255.255.255.0
end

interface Vlan100
description *** NQA-mgmt ***
ip address 10.10.1.1 255.255.255.0
end

ip route 10.10.2.0 255.255.255.0 Vlan175
ip route 10.10.3.0 255.255.255.0 Vlan175

Any help is appreciated as this is the first time i am configuring FWSM.

Thanks,
Aamir

Ping from FWSM

Julio Carvajal — Fri, 25 Nov 2011 04:28:58 GMT

Hello,

Please add the following commands and let me know:

policy-map global_policy

class inspection_default

Inspect ICMP

Please rate helpful posts,

Regards,

Julio

topic Ping from FWSM in Network Security

Ping from FWSM

Ping from FWSM