https://community.cisco.com/t5/network-security/fwsm-issue/m-p/1085111#M913730 <HTML><HEAD></HEAD><BODY><P>Well i have tried every thing u mentioned, the inspect commands, the ACLs, but still i cant ping from my host in 10.1.10.0 network to the inside interface for this network. i have read many config guides but nothing is missing in our config and we are doing a very basic config scenario but still its not working. Any new suggestions.? by the way My FWSM is in slot 2 of 6509 , ver 3.2 and SUP is 720 adv ip services.</P><P></P><P>besides this we can ping the outside too.</P></BODY></HTML> Sun, 31 Aug 2008 05:34:49 GMT Tahir Ali 2008-08-31T05:34:49Z https://community.cisco.com/t5/network-security/fwsm-issue/m-p/1085106#M913703 <P>Dear All,</P><P>I have a very basic scenario, of one 6500 with FWSM.</P><P></P><P>I have created 4 vlans one inside, outside, dmz1 and dmz2. </P><P></P><P>the outside interface is connected to the MSFC using SVI and rest of the vlans are part of FWSM vlan group i.e vlan 10, 20, 30, 40. I also have tested by adding outside vlan 101 to the vlan group.</P><P></P><P>the problem is that I cannot ping from my internal host placed in inside VLAN to the ip configured on inside vlan of FWSM i.e 10.1.10.1. The scenario is attached along with the configuration.</P><P></P><P>All my vlans are up but still i cannot ping . what can be the problem? </P><P></P><P></P><P> </P><P></P> Mon, 11 Mar 2019 13:37:56 GMT https://community.cisco.com/t5/network-security/fwsm-issue/m-p/1085106#M913703 Tahir Ali 2019-03-11T13:37:56Z https://community.cisco.com/t5/network-security/fwsm-issue/m-p/1085107#M913715 <HTML><HEAD></HEAD><BODY><P>first of all there is two important point u need to consider</P><P>first FWSM no like ASA because by default all traffic is denied even from higher security level to lower sio u need to make ACL on each interface to let it pass traffic</P><P>for example oneach inside interface u could make an ACL with permit any any to let it pass traffic</P><P></P><P>so make sure to put permit ACL</P><P>remember anything not permited implicitly by an ACL will be denied</P><P>so u need to allow IP and ICMP for ping echo</P><P>if u want the firewall itself to make ping u need to permit echo-reply aswel</P><P></P><P>**by the way u need to add vlan 101 assigned to the outdie interface and used as SVI to the firewall-vlan group**</P><P>good luck</P><P></P><P>please, if helpful Rate</P></BODY></HTML> Sat, 30 Aug 2008 14:49:10 GMT https://community.cisco.com/t5/network-security/fwsm-issue/m-p/1085107#M913715 Marwan ALshawi 2008-08-30T14:49:10Z https://community.cisco.com/t5/network-security/fwsm-issue/m-p/1085108#M913720 <HTML><HEAD></HEAD><BODY><P>Along with using ACL with appropriate entries to allow traffic and assigning VLAN 101 to firewall vlan-group; you can also add "firewall multiple-vlan-interfaces".</P><P></P><P>Regards </P></BODY></HTML> Sat, 30 Aug 2008 15:05:41 GMT https://community.cisco.com/t5/network-security/fwsm-issue/m-p/1085108#M913720 shahzad.arif 2008-08-30T15:05:41Z https://community.cisco.com/t5/network-security/fwsm-issue/m-p/1085109#M913723 <HTML><HEAD></HEAD><BODY><P>Thanks Marwan, but the problem is that i cant ping from a host in inside network to the FW inter vlan in the same inside network. i.e 10.1.10.10 cant ping 10.1.10.1 ( inside interface ip). we havent even tried to reach outside.</P><P></P><P>We have also checked with the ACLs as mention previously by you. IS there any other command which can connect the switch msfc to the firewall or something like that... OR can you suggest me the confiugration based on my scenaario attached previously.</P></BODY></HTML> Sat, 30 Aug 2008 16:53:20 GMT https://community.cisco.com/t5/network-security/fwsm-issue/m-p/1085109#M913723 Tahir Ali 2008-08-30T16:53:20Z https://community.cisco.com/t5/network-security/fwsm-issue/m-p/1085110#M913726 <HTML><HEAD></HEAD><BODY><P>to ping the inside interface from the inside hots do somthing like</P><P></P><P>Beginning with FWSM 3.1(1) and ASA 7.0(1), an ICMP inspection engine is available. Rather</P><P>than explicitly configuring access list rules to permit inbound ICMP traffic, the firewall can</P><P>selectively (and automatically) permit return traffic based on the original outbound requests</P><P></P><P>so make sure under</P><P></P><P>policy-map global_policy</P><P> class inspection_default</P><P></P><P></P><P>u have</P><P></P><P> inspect icmp</P><P> inspect icmp error</P><P></P><P>and follow the instructions inthe following nice config example</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00808b4d9f.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00808b4d9f.shtml</A></P><P></P><P>and let me know</P><P></P><P>good luck</P><P></P></BODY></HTML> Sun, 31 Aug 2008 01:30:56 GMT https://community.cisco.com/t5/network-security/fwsm-issue/m-p/1085110#M913726 Marwan ALshawi 2008-08-31T01:30:56Z https://community.cisco.com/t5/network-security/fwsm-issue/m-p/1085111#M913730 <HTML><HEAD></HEAD><BODY><P>Well i have tried every thing u mentioned, the inspect commands, the ACLs, but still i cant ping from my host in 10.1.10.0 network to the inside interface for this network. i have read many config guides but nothing is missing in our config and we are doing a very basic config scenario but still its not working. Any new suggestions.? by the way My FWSM is in slot 2 of 6509 , ver 3.2 and SUP is 720 adv ip services.</P><P></P><P>besides this we can ping the outside too.</P></BODY></HTML> Sun, 31 Aug 2008 05:34:49 GMT https://community.cisco.com/t5/network-security/fwsm-issue/m-p/1085111#M913730 Tahir Ali 2008-08-31T05:34:49Z https://community.cisco.com/t5/network-security/fwsm-issue/m-p/1085112#M913733 <HTML><HEAD></HEAD><BODY><P>can u ping 172.16.1.2 ?</P><P></P><P>if yes, then dont worry about it too much</P><P></P><P>by the way for ur informationin cisco firewalls u cant pint any interface from another interface this in ASA not sure if in fwsm too</P><P></P><P>first try this</P><P></P><P>icmp permit any echo inside</P><P>icmp permit any echo-reply inside</P><P></P><P></P><P>if didnt work try the following ACL and apply it on ur inside interface</P><P></P><P>access-list allow-in extended permit icmp 10.1.10.0 255.255.255.0 host 10.1.10.1</P><P>access-list allow-in extended permit ip any any</P><P></P><P>access-group allow-in in interface inside</P><P></P><P>good luck</P><P></P><P>if helpful rate</P><P></P><P></P></BODY></HTML> Sun, 31 Aug 2008 05:58:54 GMT https://community.cisco.com/t5/network-security/fwsm-issue/m-p/1085112#M913733 Marwan ALshawi 2008-08-31T05:58:54Z https://community.cisco.com/t5/network-security/fwsm-issue/m-p/1085113#M913736 <HTML><HEAD></HEAD><BODY><P>yes the icmp permit any echo inside and echo-reply inside worked. Thanks very much for your support</P></BODY></HTML> Sun, 31 Aug 2008 07:50:06 GMT https://community.cisco.com/t5/network-security/fwsm-issue/m-p/1085113#M913736 Tahir Ali 2008-08-31T07:50:06Z https://community.cisco.com/t5/network-security/fwsm-issue/m-p/1085114#M913738 <HTML><HEAD></HEAD><BODY><P>u welcome <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Sun, 31 Aug 2008 07:53:10 GMT https://community.cisco.com/t5/network-security/fwsm-issue/m-p/1085114#M913738 Marwan ALshawi 2008-08-31T07:53:10Z