https://community.cisco.com/t5/network-security/fwsm-not-allowing-hosts-communication-on-same-interface/m-p/1697192#M534782 <HTML><HEAD></HEAD><BODY><P> Hi,</P><P>I already allowed everything from inside as below,</P><P></P><P>access-list inside_access_out extended permit ip any any</P><P></P><P>access-group inside_access_out in interface inside </P><P>access-group inside_access_out out interface inside</P></BODY></HTML> Fri, 29 Jul 2011 07:58:02 GMT abdulrasheeth 2011-07-29T07:58:02Z https://community.cisco.com/t5/network-security/fwsm-not-allowing-hosts-communication-on-same-interface/m-p/1697188#M534775 <P>Hi Experts,</P><P>I have an FWSM configured which has communication between hosts on the inside interface(10.101.101.254). The inside host 10.101.101.10 with default gateway as FWSM is trying to communicate with another internal host 192.168.200.6 (different vlan). </P><P></P><P></P><P>FWSM has,</P><P>1. routes to all internal networks.</P><P>2. NAT exempt using nat 0 command for all internal networks.</P><P>3. same-security-traffic permit intra-interface.</P><P>4. ACL on inside interface permitting any any.</P><P></P><P>I am able to ping the internal hosts each other, but other ports are not communicating.</P><P></P><P>Please me if i missed some configuration.</P> Mon, 11 Mar 2019 21:05:02 GMT https://community.cisco.com/t5/network-security/fwsm-not-allowing-hosts-communication-on-same-interface/m-p/1697188#M534775 abdulrasheeth 2019-03-11T21:05:02Z https://community.cisco.com/t5/network-security/fwsm-not-allowing-hosts-communication-on-same-interface/m-p/1697189#M534777 <HTML><HEAD></HEAD><BODY><P> <BR />Hi Abdulrasheeth,</P><P>I'am not expert but I have a good experiences in FWSM. Maybe I can help you. </P><P>Is your switch knows networks 10.101.101.0 and 192.168.200.0 as connected networks ?</P><P>Can you show your config ?</P><P>regards,</P></BODY></HTML> Thu, 28 Jul 2011 13:13:36 GMT https://community.cisco.com/t5/network-security/fwsm-not-allowing-hosts-communication-on-same-interface/m-p/1697189#M534777 Hans Blink 2011-07-28T13:13:36Z https://community.cisco.com/t5/network-security/fwsm-not-allowing-hosts-communication-on-same-interface/m-p/1697190#M534778 <HTML><HEAD></HEAD><BODY><P>Hi Blink,</P><P>Thanks for your response...</P><P></P><P>10.101.101.0 is direclty connected, but 192.168.200.0 is 1 hop away in the internal network.</P><P></P><P>Below are the config...</P><P></P><P>!<BR />interface Vlan101<BR /> nameif inside<BR /> security-level 100<BR /> ip address 10.101.101.254 255.255.255.0 <BR />!<BR />interface Vlan666<BR /> nameif MSFC<BR /> security-level 0<BR /> ip address 10.100.100.253 255.255.255.252 <BR />!</P><P>access-list outside_acess_in extended permit icmp any any </P><P>access-list inside_access_out extended permit ip any any </P><P>nat (inside) 0 10.101.101.0 255.255.255.0</P><P>nat (inside) 0 192.168.200.0 255.255.255.0<BR />access-group inside_access_out in interface inside</P><P>access-group inside_access_out out interface inside<BR />access-group outside_acess_in in interface MSFC</P><P>route inside 0.0.0.0 0.0.0.0 10.101.101.250&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -------- default gateway to internal core switch---------</P><P>same-security-traffic permit intra-interface</P><P>!</P><P></P><P></P><P>----------------------------------------------------------------------</P><P>I am able to ping from inside host 10.101.101.10 to another inside host 192.168.200.6, but other ports are not opening. E.g i can't telnet from 10.101.101.10 to 192.168.200.6 on port 1433(SQL server). When i bypass the firewall, all ports are working...</P><P></P><P>Awaiting your reply...</P><P>Thanks in advance.</P><DIV class="mcePaste" id="_mcePaste" style="position: absolute; width: 1px; height: 1px; overflow: hidden; top: 0px; left: -10000px;"></DIV></BODY></HTML> Thu, 28 Jul 2011 20:42:16 GMT https://community.cisco.com/t5/network-security/fwsm-not-allowing-hosts-communication-on-same-interface/m-p/1697190#M534778 abdulrasheeth 2011-07-28T20:42:16Z https://community.cisco.com/t5/network-security/fwsm-not-allowing-hosts-communication-on-same-interface/m-p/1697191#M534780 <HTML><HEAD></HEAD><BODY><P>Hello Abdulah</P><P></P><P></P><P></P><P>You want to be able to communicate on the same interface beetwen host on different networks.</P><P></P><P></P><P></P><P>My question would be, Its the FWSM the default gateway of the 192.168.200.0 network as well?</P><P></P><P>Because if not we might need to add a U-Turning </P><P></P><P></P><P></P><P>Regards</P></BODY></HTML> Fri, 29 Jul 2011 00:30:58 GMT https://community.cisco.com/t5/network-security/fwsm-not-allowing-hosts-communication-on-same-interface/m-p/1697191#M534780 Julio Carvajal 2011-07-29T00:30:58Z https://community.cisco.com/t5/network-security/fwsm-not-allowing-hosts-communication-on-same-interface/m-p/1697192#M534782 <HTML><HEAD></HEAD><BODY><P> Hi,</P><P>I already allowed everything from inside as below,</P><P></P><P>access-list inside_access_out extended permit ip any any</P><P></P><P>access-group inside_access_out in interface inside </P><P>access-group inside_access_out out interface inside</P></BODY></HTML> Fri, 29 Jul 2011 07:58:02 GMT https://community.cisco.com/t5/network-security/fwsm-not-allowing-hosts-communication-on-same-interface/m-p/1697192#M534782 abdulrasheeth 2011-07-29T07:58:02Z https://community.cisco.com/t5/network-security/fwsm-not-allowing-hosts-communication-on-same-interface/m-p/1697193#M534783 <HTML><HEAD></HEAD><BODY><P>Can you explain topology a bit more. </P><P></P><P>10.101.101.250 is the default-gateway. What is that device ie. is it a 6500 ? </P><P></P><P>Where does the MSFC (in your config) sit in relation to your default-gateway ? </P><P></P><P>Jon</P></BODY></HTML> Fri, 29 Jul 2011 11:08:08 GMT https://community.cisco.com/t5/network-security/fwsm-not-allowing-hosts-communication-on-same-interface/m-p/1697193#M534783 Jon Marshall 2011-07-29T11:08:08Z https://community.cisco.com/t5/network-security/fwsm-not-allowing-hosts-communication-on-same-interface/m-p/1697194#M534785 <HTML><HEAD></HEAD><BODY><P>Hi Jon,</P><P></P><P>Below is the topology...</P><P></P><P>LAN-CORE_6500 ---------------------- 7613FWSM-----------------------------------MSFC---------------WAN-ISP----</P><P>(10.101.101.250)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (10.101.101.254)&nbsp; /&nbsp; (10.100.100.254)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (10.100.100.253)</P><P></P><P></P><P>192.168.200.0/24 is another vlan in the LAN-CORE.</P></BODY></HTML> Fri, 29 Jul 2011 21:21:55 GMT https://community.cisco.com/t5/network-security/fwsm-not-allowing-hosts-communication-on-same-interface/m-p/1697194#M534785 abdulrasheeth 2011-07-29T21:21:55Z https://community.cisco.com/t5/network-security/fwsm-not-allowing-hosts-communication-on-same-interface/m-p/1697195#M534787 <HTML><HEAD></HEAD><BODY><P><BR />FWSM is not the default gateway for 192.168.200.0. So how i do the U-Turning</P></BODY></HTML> Mon, 01 Aug 2011 09:06:58 GMT https://community.cisco.com/t5/network-security/fwsm-not-allowing-hosts-communication-on-same-interface/m-p/1697195#M534787 abdulrasheeth 2011-08-01T09:06:58Z https://community.cisco.com/t5/network-security/fwsm-not-allowing-hosts-communication-on-same-interface/m-p/1697196#M534789 <HTML><HEAD></HEAD><BODY><P> Hi all,</P><P>I got the solution...</P><P></P><P>The problem is asymmetric network topology. The request was going through the firewall, but the return traffic reaches the server directly via core switch. hence when further packets go through the fwsm was deny because it did not know about the connection.</P><P></P><P>I used the <STRONG>tcp-state-bypass </STRONG>option for this traffic in the MPF and it solved the problem.</P><P></P><P>Thanks for all your replies...</P></BODY></HTML> Thu, 11 Aug 2011 20:00:29 GMT https://community.cisco.com/t5/network-security/fwsm-not-allowing-hosts-communication-on-same-interface/m-p/1697196#M534789 abdulrasheeth 2011-08-11T20:00:29Z