Unable to ping from one VLAN interface to another VLAN interface on FWSM

I have created two VLAN interfaces on my FWSM:

interface Vlan30

description Internet

nameif outside

security-level 0

ip address 190.202.128.204 255.255.255.248

!

interface Vlan500

description Interfaz Interna

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

I see them in the route table:

S    0.0.0.0 0.0.0.0 [1/0] via 190.202.128.201, outside

C    190.202.128.200 255.255.255.248 is directly connected, outside

C    192.168.1.0 255.255.255.0 is directly connected, inside

I have permitted ICMP traffic in the default class-map:

policy-map global_policy

class inspection_default

  inspect dns maximum-length 512

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect sunrpc

  inspect rsh

  inspect smtp

  inspect sqlnet

  inspect skinny

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

  inspect icmp error

  inspect http

However, I'm unable to ping from the inside interface to the outside interface:

FWSM-UBV-01# ping inside 190.202.128.201

Sending 5, 100-byte ICMP Echos to 190.202.128.201, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

I have permitted ICMP on both interfaces:

icmp permit any outside

icmp permit any inside

Any ideas why?

Thanks in advance

Alejandro Rodríguez


Jouni Forss

Hi,

After the ICMP can you see anything in the ARP table for 190.202.128.201?

show arp

- Jouni

Yes,

I learned it:

FWSM-UBV-01# sh arp

        outside 190.202.128.201 58bf.eabf.cb40

        eobc 127.0.0.51 0000.1500.0000

I even have an ACL that permits anything.

I'm even unable to ping my outside VLAN interface:

FWSM-UBV-01# ping inside 190.202.128.204

Sending 5, 100-byte ICMP Echos to 190.202.128.204, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

Here's my config:

FWSM-UBV-01# sh run

: Saved

:

FWSM Version 4.0(4)

!

hostname FWSM-UBV-01

domain-name UBV.local

enable password 22hEzYDRd/PSXhZG encrypted

names

dns-guard

!

interface Vlan30

description Internet

nameif outside

security-level 0

ip address 190.202.128.204 255.255.255.248

!

interface Vlan500

description Interfaz Interna

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list 101 extended permit icmp any any echo-reply

access-list 101 extended permit icmp any any source-quench

access-list 101 extended permit icmp any any unreachable

access-list 101 extended permit icmp any any time-exceeded

access-list 101 extended permit ip any any

pager lines 24

mtu outside 1500

mtu inside 1500

no failover

icmp permit any outside

icmp permit any inside

no asdm history enable

arp timeout 14400

access-group 101 in interface outside

access-group 101 out interface outside

access-group 101 in interface inside

access-group 101 out interface inside

route outside 0.0.0.0 0.0.0.0 190.202.128.201 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

username cpsadmin password uOBCikV6i4nTdDHP encrypted privilege 15

http server enable

http 200.109.233.226 255.255.255.255 outside

http 190.142.129.227 255.255.255.255 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

service reset no-connection

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect dns maximum-length 512

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect sunrpc

  inspect rsh

  inspect smtp

  inspect sqlnet

  inspect skinny

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

  inspect icmp error

  inspect http

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:2c824700279062c092f17087c47035ef

: end

If I don't specify the source, I get the ping:

FWSM-UBV-01# ping 190.202.128.201

Sending 5, 100-byte ICMP Echos to 190.202.128.201, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

FWSM-UBV-01#

Anas Hijjawi

Hi,

This is your outside IP address, 190.202.128.204, and you are saying that you want to ping 190.202.128.204:


FWSM-UBV-01# ping inside 190.202.128.201

Sending 5, 100-byte ICMP Echos to 190.202.128.201, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

Can you please confirm what you are trying to ping?

Thanks, Anas *--* Please rate the useful post,its free ;) *--*

I'm trying to ping both: first my outside address, and my MSFC, which is 190.202.128.201.

FWSM-UBV-01# ping inside 190.202.128.204

Sending 5, 100-byte ICMP Echos to 190.202.128.204, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

If I don't specify the source I get the ping, but I suppose that's because I'm using the outside interface as the source address:

FWSM-UBV-01# ping 190.202.128.201

Sending 5, 100-byte ICMP Echos to 190.202.128.201, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Hi,

You would probably be better off pinging from an actual host behind the "inside" interface (I didn't even notice the "inside" interface specified in the ping command on the first read-through).

If ICMP to the "outside" network doesn't work from an IP address behind the "inside" interface, then I would either configure Dynamic PAT for the "inside" users or configure a route that says the "inside" network is found behind the "outside" interface IP address.

Notice, though, that a host behind "inside" won't be able to ICMP the "outside" interface IP address, and a host behind "outside" won't be able to ICMP the "inside" interface. This is normal behaviour.

- Jouni

Jouni Forss,

"Notice, though, that a host behind "inside" won't be able to ICMP the "outside" interface IP address, and a host behind "outside" won't be able to ICMP the "inside" interface. This is normal behaviour."

This is precisely what I want to do, but instead of using a host on the inside interface I want to use the inside SVI on the FWSM as the source of the ping, because I'm trying to see if PAT works by pinging Internet hosts from the inside interface.

But I'm not even able to ping my own interfaces...


Hi,

I am not 100% sure about the FWSM, but the ASA at least won't apply NAT configuration to traffic that you generate with the "ping" command. It just forwards the traffic without NAT applied.

I confirmed this on the ASA with a traffic capture (my public gateway IP replaced with 1.1.1.1):

interface Vlan1

description LAN

nameif LAN

security-level 100

ip address 10.0.10.2 255.255.254.0

ASA(config)# ping LAN 1.1.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

ASA(config)# sh capture

capture ICMP-CAP type raw-data access-list ICMP-CAP interface WAN [Capturing - 670 bytes]

ASA(config)# sh capture ICMP-CAP

5 packets captured

   1: 19:46:36.814151       802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request

   2: 19:46:38.811740       802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request

   3: 19:46:40.811847       802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request

   4: 19:46:42.811984       802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request

   5: 19:46:44.812015       802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request

As you can see, I did the capture on the WAN interface and no PAT has been applied to this traffic.

- Jouni

Hmm, so it's not possible to ping from the inside interface to the outside interface after all?

I have issued a "show interface" and see a lot of packets dropped:

Interface Vlan500 "inside", is up, line protocol is up
  Hardware is EtherSVI, BW Unknown Speed-Capability, DLY 10 usec
        Description: Interfaz Interna
        MAC address d867.d992.5400, MTU 1500
        IP address 192.168.1.1, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
        0 packets input, 0 bytes
        1 packets output, 68 bytes
        4696 packets dropped

Even when I have explicitly set an ACL to permit all traffic...

Hi,

Cisco firewalls and routers tend to drop traffic all the time, mostly because the device next to them has a service/setting enabled that the firewall/router doesn't support.

But it's a known fact that you can't ping the actual interface IP address from behind another interface.

From the FWSM you should be able to ping any interface IP address configured on the FWSM directly (without specifying any interface in the "ping" command).

From behind some FWSM interface you should only be able to ping the IP address of your own interface, not any other FWSM interface IP address.

- Jouni

Yes, I believe Jouni's answer is correct; the FWSM will not allow pinging from one VLAN to the other VLAN's gateway.

Please rate helpful answers

Thanks, Anas *--* Please rate the useful post,its free ;) *--*

Yes,

Thank you all. I guess I should figure out how I can test PAT without using ICMP.
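Jouni's capture earlier in the thread shows why a ping sourced from the FWSM's own interface is not a valid PAT test (the firewall forwards its own traffic without NAT), and the thread ends with the open question of how to test PAT at all. The following is an added example, not from any post in this thread and not Cisco's own documentation: the Dynamic PAT configuration the posted config lacks, plus captures on both interfaces that show the translation when the test traffic comes from a host behind "inside". The inside test host 192.168.1.10 and the ACL/capture names are assumptions; the addresses 192.168.1.0/24, 190.202.128.204 and 190.202.128.201 (the MSFC) are taken from the thread. The nat/global syntax is the pre-8.3 style that FWSM 4.0 uses.

```cisco
! Added example (not from the thread): verifying Dynamic PAT on the FWSM
! with traffic that actually crosses the firewall, i.e. from a host behind
! "inside", because pings sourced from the FWSM prompt bypass NAT.
!
! Assumptions: 192.168.1.10 is a hypothetical test host on the inside VLAN;
! CAP-IN, CAP-OUT, IN-CAP and OUT-CAP are arbitrary names chosen here.

! 1. Dynamic PAT: translate the whole inside network to the outside
!    interface address (190.202.128.204). NAT id 1 ties the two lines together.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! 2. Captures on both interfaces, scoped with ACLs so the capture buffer
!    holds only the test host's traffic.
access-list CAP-IN extended permit ip host 192.168.1.10 any
access-list CAP-IN extended permit ip any host 192.168.1.10
access-list CAP-OUT extended permit icmp any any
capture IN-CAP access-list CAP-IN interface inside
capture OUT-CAP access-list CAP-OUT interface outside

! 3. From the test host 192.168.1.10 (NOT from the FWSM prompt) run:
!       ping 190.202.128.201
!    Any TCP connection from that host to an Internet address works the
!    same way; "show conn" will list it.

! 4. Back on the FWSM, check the translation and the two captures.
show xlate
!    Expected: an entry translating inside:192.168.1.10 to outside:190.202.128.204.
show capture IN-CAP
!    Expected: echo requests 192.168.1.10 > 190.202.128.201 and the
!    replies back to 192.168.1.10 (the untranslated, inside view).
show capture OUT-CAP
!    Expected: echo requests 190.202.128.204 > 190.202.128.201, i.e. the
!    source has been rewritten by PAT. If the source here is still
!    192.168.1.10, PAT is not being applied to this traffic.

! 5. Remove the captures when done so they do not keep consuming memory.
no capture IN-CAP
no capture OUT-CAP
```

The echo replies are allowed back either by "inspect icmp" in global_policy or by the "permit icmp any any echo-reply" line of ACL 101, both of which are already in the posted configuration. Note that pinging the outside interface address 190.202.128.204 itself from the test host still fails, as Jouni describes; use the MSFC or an Internet host as the target.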
