Some Clients can not connect through the Firewall (FWSM)

alexander.cario (Level 1)

Hello everybody,

We have some problems with our implemented FWSM. Some clients cannot connect through the firewall. I'll give you an example: the subnet 10.1.4.72/29 is a normal subnet. When I try to reach the router for this VPN subnet, 10.1.4.73, I get an echo reply, but when I try to get a reply from 10.1.4.77 I don't get one, while from the IP phone 10.1.4.75 I do get a reply. On the client 10.1.4.77 the PC's firewall is deactivated. Our VPN concentrator also reaches the PC 10.1.4.77 through the VPN tunnel. When I try to ping the PC from the ESA4 interface of the FWSM I get "?????" as the reply; when I do the same with the router 10.1.4.73 I get success, "!!!!!". Do you see what I mean? Thanks a lot in advance, alexx

We have FWSM 4.1.7.

Is it possible that the FWSM is blocking some addresses? How can I check this? Thanks in advance for any solutions.

Accepted Solution

Jouni Forss (VIP Alumni)

Hi,

The network mask you give in the original post, /29, does not match your actual FWSM route command, which is

route esa4 10.1.4.72 255.255.255.252 cc3kvpn01 1

That route command covers the addresses 10.1.4.72 - 75, and the mask is /30.

You also have this route command (and name command):

name 10.1.0.0 VPN-REMOTE

route esa4 VPN-REMOTE 255.255.0.0 10.10.84.254 2

This means that if you ping from the FWSM, or from anywhere else, the ICMP would be sent to some other gateway address. That is, when you are pinging the host address 10.1.4.77, it would be forwarded to a different gateway compared to the addresses 10.1.4.73 and .75.

Please rate if this information was helpful.

- Jouni

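To make the route-selection argument in the accepted answer concrete, here is an added example (not code from the thread or from Cisco) that models the two static routes quoted above and runs the three hosts through a longest-prefix-match lookup, once with the /30 as configured and once with the /29 the poster intended. The lookup rule (longest prefix wins, lower metric breaks ties) is the standard forwarding behaviour and is modelled locally rather than read from a real FWSM; the next hop "cc3kvpn01" is kept as the name object from the poster's config rather than resolved to an address, and the host list is constructed for the demonstration.

```python
import ipaddress

# Static routes reconstructed from the FWSM config quoted in the thread:
# (interface, destination prefix, next hop, metric). "cc3kvpn01" is the
# name object the poster's config uses for the VPN concentrator and is
# kept as a label here (assumption: it resolves to that gateway).
ROUTES_AS_CONFIGURED = [
    ("esa4", "10.1.4.72/30", "cc3kvpn01", 1),    # route esa4 10.1.4.72 255.255.255.252 cc3kvpn01 1
    ("esa4", "10.1.0.0/16", "10.10.84.254", 2),  # route esa4 VPN-REMOTE 255.255.0.0 10.10.84.254 2
]

# The same table with the /30 widened to the /29 the poster described.
ROUTES_CORRECTED = [
    ("esa4", "10.1.4.72/29", "cc3kvpn01", 1),    # route esa4 10.1.4.72 255.255.255.248 cc3kvpn01 1
    ("esa4", "10.1.0.0/16", "10.10.84.254", 2),
]


def lookup(routes, dst):
    """Return (interface, next hop, matched prefix) for dst using
    longest-prefix match; among equal-length prefixes the lower metric
    wins. Returns None when no route covers the destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, nexthop, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        rank = (net.prefixlen, -metric)
        if best is None or rank > best[0]:
            best = (rank, iface, nexthop, str(net))
    if best is None:
        return None
    return best[1], best[2], best[3]


def compare(hosts, before, after):
    """Lookup each host in both tables so the change in next hop is visible."""
    return {h: {"configured": lookup(before, h), "corrected": lookup(after, h)}
            for h in hosts}


if __name__ == "__main__":
    # Constructed host list: the router, the IP phone and the PC from the post.
    hosts = ["10.1.4.73", "10.1.4.75", "10.1.4.77"]
    for host, result in compare(hosts, ROUTES_AS_CONFIGURED, ROUTES_CORRECTED).items():
        print(f"{host}: configured -> {result['configured']} | corrected -> {result['corrected']}")
```

With the table as configured, .73 and .75 fall inside 10.1.4.72/30 and go to cc3kvpn01, while .77 only matches the /16 and is sent to 10.10.84.254, which is exactly the split behaviour the poster saw. Widening the first route to /29 puts .72 - .79 on the VPN gateway. On the FWSM itself the table to compare against is printed by `show route`.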

alexander.cario (Level 1)

Yes, that's right, basic issue: netmask 252, the magic number is 4. Oh my god, so fucking simple. Thanks a lot, sometimes you need a second pair of eyes ;-) thx alexx
