topic ICMP echo from Firewall interface in Network Security https://community.cisco.com/t5/network-security/icmp-echo-from-firewall-interface/m-p/1678363#M556773 <P>Hi guys,</P><P></P><P></P><P>Hi have the follwing scenario:</P><P></P><P>two 6509 chassis with VSS configuration.</P><P>One of those chassis have one FWSM installed and the configuration is like this:</P><P></P><P><STRONG>Switch</STRONG>:</P><P>firewall multiple-vlan-interfaces<BR />firewall switch 1 module 3 vlan-group 1<BR />firewall vlan-group 1&nbsp; 3-5,7,8,10,200</P><P></P><P>interface Vlan200<BR /> ip address 10.50.50.1 255.255.255.252<BR />end</P><P></P><P>ip route 172.20.80.0 255.255.255.0 10.50.50.2</P><P></P><P></P><P><STRONG>FSWM</STRONG>:</P><P>interface Vlan10<BR /> nameif ADMIN<BR /> security-level 100<BR /> ip address 172.20.80.1 255.255.255.0<BR />!<BR />interface Vlan200<BR /> description Lig. CORE<BR /> nameif FWSM_INSIDE<BR /> security-level 100<BR /> ip address 10.50.50.2 255.255.255.252</P><P>same-security-traffic permit inter-interface<BR />same-security-traffic permit intra-interface<BR />access-list FWSM_INSIDE extended permit ip any any<BR />access-list FWSM_INSIDE extended permit icmp any any echo<BR />access-list FWSM_INSIDE extended permit icmp any any echo-reply<BR />access-list FWSM_INSIDE extended permit icmp any any unreachable<BR />access-list FWSM_INSIDE extended permit icmp any any time-exceeded<BR />access-list FWSM_INSIDE extended permit icmp any any log<BR />...</P><P>icmp permit any ADMIN<BR />icmp permit any echo ADMIN<BR />icmp permit any echo-reply ADMIN<BR />icmp permit any unreachable ADMIN<BR />icmp permit any time-exceeded ADMIN<BR />icmp permit any FWSM_INSIDE<BR />icmp permit any echo FWSM_INSIDE<BR />icmp permit any echo-reply FWSM_INSIDE<BR />icmp permit any unreachable FWSM_INSIDE<BR />icmp permit any time-exceeded FWSM_INSIDE<BR />...</P><P></P><P></P><P>I am not receiving icmp replays from the fswm interfaces if i try to ping 172.20.80.1 from 10.50.50.2.</P><P>I do not see any debuging info in the logs...</P><P></P><P>I successfully ping 10.50.50.2 from the inside networks int the cat6500, but int the network 172.20.80.0, can not ping 10.50.50.2.</P><P></P><P>can you help please?</P><P></P><P></P><P>best regards,</P><P>NC</P> Mon, 11 Mar 2019 20:27:46 GMT nunoscosta 2019-03-11T20:27:46Z ICMP echo from Firewall interface https://community.cisco.com/t5/network-security/icmp-echo-from-firewall-interface/m-p/1678363#M556773 <P>Hi guys,</P><P></P><P></P><P>Hi have the follwing scenario:</P><P></P><P>two 6509 chassis with VSS configuration.</P><P>One of those chassis have one FWSM installed and the configuration is like this:</P><P></P><P><STRONG>Switch</STRONG>:</P><P>firewall multiple-vlan-interfaces<BR />firewall switch 1 module 3 vlan-group 1<BR />firewall vlan-group 1&nbsp; 3-5,7,8,10,200</P><P></P><P>interface Vlan200<BR /> ip address 10.50.50.1 255.255.255.252<BR />end</P><P></P><P>ip route 172.20.80.0 255.255.255.0 10.50.50.2</P><P></P><P></P><P><STRONG>FSWM</STRONG>:</P><P>interface Vlan10<BR /> nameif ADMIN<BR /> security-level 100<BR /> ip address 172.20.80.1 255.255.255.0<BR />!<BR />interface Vlan200<BR /> description Lig. CORE<BR /> nameif FWSM_INSIDE<BR /> security-level 100<BR /> ip address 10.50.50.2 255.255.255.252</P><P>same-security-traffic permit inter-interface<BR />same-security-traffic permit intra-interface<BR />access-list FWSM_INSIDE extended permit ip any any<BR />access-list FWSM_INSIDE extended permit icmp any any echo<BR />access-list FWSM_INSIDE extended permit icmp any any echo-reply<BR />access-list FWSM_INSIDE extended permit icmp any any unreachable<BR />access-list FWSM_INSIDE extended permit icmp any any time-exceeded<BR />access-list FWSM_INSIDE extended permit icmp any any log<BR />...</P><P>icmp permit any ADMIN<BR />icmp permit any echo ADMIN<BR />icmp permit any echo-reply ADMIN<BR />icmp permit any unreachable ADMIN<BR />icmp permit any time-exceeded ADMIN<BR />icmp permit any FWSM_INSIDE<BR />icmp permit any echo FWSM_INSIDE<BR />icmp permit any echo-reply FWSM_INSIDE<BR />icmp permit any unreachable FWSM_INSIDE<BR />icmp permit any time-exceeded FWSM_INSIDE<BR />...</P><P></P><P></P><P>I am not receiving icmp replays from the fswm interfaces if i try to ping 172.20.80.1 from 10.50.50.2.</P><P>I do not see any debuging info in the logs...</P><P></P><P>I successfully ping 10.50.50.2 from the inside networks int the cat6500, but int the network 172.20.80.0, can not ping 10.50.50.2.</P><P></P><P>can you help please?</P><P></P><P></P><P>best regards,</P><P>NC</P> Mon, 11 Mar 2019 20:27:46 GMT https://community.cisco.com/t5/network-security/icmp-echo-from-firewall-interface/m-p/1678363#M556773 nunoscosta 2019-03-11T20:27:46Z Re: ICMP echo from Firewall interface https://community.cisco.com/t5/network-security/icmp-echo-from-firewall-interface/m-p/1678364#M556774 <HTML><HEAD></HEAD><BODY><P>You can only ping the local FWSM interface. You cannot ping the other FWSM interfaces like you can on a router.</P><P></P><P>Q. I can ping the FWSM interface that is directly connected to my network, but I am unable to ping other interfaces. Is this normal?<BR />A. Yes. This is a built-in security mechanism that also exists on the PIX Firewall.</P><P></P><P><A href="http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_qanda_item09186a00801e9e26.shtml#pingissu">FWSM FAQ</A></P><P></P><P>Thanks,</P><P>Brendan</P></BODY></HTML> Mon, 02 May 2011 13:51:00 GMT https://community.cisco.com/t5/network-security/icmp-echo-from-firewall-interface/m-p/1678364#M556774 brquinn 2011-05-02T13:51:00Z