topic Re: FWSM - telnet/ssh access in Network Security

FWSM - telnet/ssh access

mchockalingam — Tue, 26 Mar 2019 00:40:10 GMT

I have added a new FWSM in a 6509 distribution box. Here is how it is conencted

Access switch -> 6509 FWSM -> MSFC -> Core -> My PC network

config on the FWSM:

interface Vlan850

nameif inside

security-level 100

ip address 10.50.100.1 255.255.255.0

interface Vlan860

nameif outside

security-level 0

ip address 10.50.200.2 255.255.255.0

route outside 0.0.0.0 0.0.0.0 10.50.200.1

access-list acl_allow_all extended permit ip any any

access-list acl_allow_all extended permit icmp any any

access-group acl_allow_all in interface outside

access-group acl_allow_all out interface outside

access-group acl_allow_all in interface inside

access-group acl_allow_all out interface inside

icmp permit any outside

icmp permit any inside

no nat-control

telnet 10.27.9.52 255.255.255.255 outside

Config on MSFC:

firewall module 7 vlan-group 50

firewall vlan-group 50 850,860

interface Vlan860

ip address 10.50.200.1 255.255.255.0

ip route 10.50.100.0 255.255.255.0 10.50.200.2

I can ping the outside interface (10.50.200.2) of the FWSM from my PC but cannot ping the inside interface 10.50.100.1. I tried telent to the outside interface but I am getting the following error

May 22 2008 14:03:54: %FWSM-6-302013: Built inbound TCP connection 0 for outside:10.27.9.52/1122 (10.27.9.52/1122) to outside:10.50.200.2/23 (10.50.200.2/23)

May 22 2008 14:03:54: %FWSM-4-402117: IPSEC: Received a non-IPSec packet (protocol= tcp) from 10.27.9.52 to 10.50.200.2.

I can ping my PC 10.27.9.52 from FWSM

FWSM# ping 10.27.9.52

Sending 5, 100-byte ICMP Echos to 10.27.9.52, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

I do not have any crypto ACL and so do not know what the actual problem is.

I am running 3.1(6) code on FWSM and 12.2(18)SXF8 on the sup720.

I am puzzled. Any ideas?

Re: FWSM - telnet/ssh access

vitripat — Thu, 22 May 2008 18:33:30 GMT

Hi ,

We cannot use Telnet to the lowest security interface unless you use Telnet inside an IPSec tunnel. This is the reason you are getting %FWSM-4-402117 syslog. Please refer to following link-

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/mgacc_f.html#wp1054101

I'd rather recommend configuring SSH access on the outside interface, please refer to following link for the same:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/mgacc_f.html#wp1042023

Hope that helps.

Regards,

Vibhor.

Re: FWSM - telnet/ssh access

mchockalingam — Thu, 22 May 2008 18:42:24 GMT

SSH worked.

I do not have any PC/machine on the inside yet and so this was just temporary.

Thank you very much for your help.

Re: FWSM - telnet/ssh access

mchockalingam — Thu, 29 May 2008 13:16:29 GMT

Now, I have a host on the inside network with a static IP of 10.50.100.11 and the default gateway of FWSM's inside IP which is 10.50.100.1.

I cannot ping anything from that machine to outside. Tried other types of traffic like ssh or telnet and nothing works. I disabled NAT and also allowed all ICMP and IP traffic and applied to the interfaces in all directions.

Any ideas?