03-16-2007 05:44 AM - edited 03-11-2019 02:47 AM
I have two C6509-E switches, each outfitted with one FWSM, and I use VLAN 200 for the outside network between the C6509 and the FWSM. A snapshot of the configuration follows, but I can't ping the SVI of VLAN 200 from the FWSM. However, "show arp" on the C6509 indicates that the C6509 has learned the correct MAC address of the outside IP address.
SW Config
firewall multiple-vlan-interfaces
firewall module 2 vlan-group 1
firewall vlan-group 1 101,102,200,210-221
FWSM config
FWSM Version 2.3(4) <system>
resource acl-partition 3
enable password xxx
passwd xxx
hostname Primary
ftp mode passive
pager lines 24
logging buffer-size 4096
class default
limit-resource IPSec 5
limit-resource Mac-addresses 65535
limit-resource PDM 5
limit-resource SSH 5
limit-resource Telnet 5
limit-resource All 0
!
class low
limit-resource All 5.0%
!
failover
failover lan unit primary
failover lan interface faillink vlan 101
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
failover replication http
failover link statelink vlan 102
failover interface ip faillink 172.16.17.1 255.255.255.252 standby 172.16.17.2
failover interface ip statelink 172.16.17.5 255.255.255.252 standby 172.16.17.6
arp timeout 14400
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
terminal width 80
admin-context context-a
context context-a
description used-for-backend-servers
member default
allocate-interface vlan200
allocate-interface vlan210-vlan215
allocate-acl-partition 0
config-url disk:/context-a.cfg
!
context admin
member low
config-url disk:/admin.cfg
!
Cryptochecksum:xxx
FWSM Context-a Config
Primary/context-a# sho run
: Saved
:
FWSM Version 2.3(4) <context>
nameif vlan200 outside security0
nameif vlan210 inside security100
nameif vlan211 dmz1 security50
nameif vlan212 dmz2 security50
nameif vlan213 dmz3 security50
enable password xxx
passwd xxx
hostname context-a
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
fixup protocol rsh 514
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
access-list acl-in extended permit ip any any
pager lines 24
logging buffer-size 4096
mtu outside 1500
mtu inside 1500
mtu dmz1 1500
mtu dmz2 1500
mtu dmz3 1500
ip address outside 10.0.180.253 255.255.255.0 standby 10.0.180.254
ip address inside 10.0.181.253 255.255.255.0 standby 10.0.181.254
pdm location 10.0.181.0 255.255.255.0 inside
no pdm history enable
arp timeout 14400
nat (inside) 0 0.0.0.0 0.0.0.0
access-group acl-in in interface outside
access-group acl-in in interface inside
!
interface outside
!
!
interface inside
!
!
interface dmz1
!
!
interface dmz2
!
!
interface dmz3
!
!
route outside 0.0.0.0 0.0.0.0 10.0.180.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
..
..
floodguard enable
fragment size 200 outside
fragment chain 24 outside
fragment size 200 inside
fragment chain 24 inside
fragment size 200 dmz1
fragment chain 24 dmz1
fragment size 200 dmz2
fragment chain 24 dmz2
fragment size 200 dmz3
fragment chain 24 dmz3
telnet 10.0.181.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
And I can successfully ping the failover and statelink IP addresses from one FWSM to the other.
03-16-2007 07:06 AM
Hi
Try adding to the admin context
"icmp permit any outside"
You don't have to use "any", you can restrict it to only certain ip addresses.
HTH
Jon
03-18-2007 07:57 PM
In my config, context-a is the admin context, and I have added the "permit ip any any" ACL on both the outside and inside interfaces. So why do I still need to add an ICMP-related ACL? In addition, I restored multiple context mode to single context mode and also correctly configured the basic settings, but it still didn't work. I can successfully ping from one unit to the other through the failover and stateful links.
An interesting thing is that when I execute the "show interface" command, regardless of whether in a context or in the system execution space, it shows lots of packets dropped on every interface except the edbc interface (the internal interface connected to the C6509 switch). Why?
03-18-2007 08:53 PM
Hi,
If you want to allow ICMP traffic that terminates at the FWSM interfaces, then you need to use the icmp command. The ACLs are for traffic that traverses the FWSM.
Quoted from the FWSM Command Reference Guide:
"icmp
To configure access rules for Internet Control Message Protocol (ICMP) traffic that terminates at an
interface, use the icmp command. To remove access rules, use the no form of this command."
I hope it helps. Please rate if it does!
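Putting the two replies together, here is what the context-a configuration from the original post would look like with to-the-box ICMP explicitly permitted only where it is needed. This is an added example written for this thread, not the poster's configuration and not text from the Cisco reference. It assumes that 10.0.180.1 (the default gateway in the poster's route statement) is the VLAN 200 SVI on the C6509, that the icmp rule syntax is the PIX/FWSM form quoted in the answer, and that, as on PIX/ASA, once any icmp rule exists on an interface, ICMP that matches no rule is dropped.

```cisco
! context-a (the admin context in the poster's setup)
!
! Through-the-box traffic: unchanged from the post. These rules only
! decide what may transit the FWSM; they never apply to pings addressed
! to the FWSM's own interface addresses, which is why the ACL alone did
! not make the SVI reachable.
access-list acl-in extended permit ip any any
access-group acl-in in interface outside
access-group acl-in in interface inside
!
! To-the-box ICMP: rules are evaluated top-down, first match wins.
! Assumption: with at least one icmp rule present on an interface, any
! ICMP not matched is dropped, so each list ends with an explicit deny
! to make that intent visible in the running config.
!
! Outside: only the VLAN 200 SVI (assumed to be 10.0.180.1) may ping the
! FWSM, and the FWSM may receive echo-replies to its own pings of the SVI.
! Unreachables are kept so path-MTU discovery toward the FWSM still works.
icmp permit host 10.0.180.1 echo outside
icmp permit host 10.0.180.1 echo-reply outside
icmp permit any unreachable outside
icmp deny any outside
!
! Inside: allow the management subnet already trusted for telnet and PDM.
icmp permit 10.0.181.0 255.255.255.0 echo inside
icmp permit 10.0.181.0 255.255.255.0 echo-reply inside
icmp permit any unreachable inside
icmp deny any inside
```

Keep the access-group lines; removing them would not help, because the icmp list governs only what terminates on the FWSM. The icmp rules belong in the context that owns the interface, which here is context-a, matching the first reply. To verify, run "show icmp" in the context to confirm the rules and their order, then "debug icmp trace" while pinging the SVI from the FWSM: with the echo-reply rule in place the trace should show the request leaving and the reply being accepted on the outside interface, and with it removed the reply is dropped even though the ACL permits ip any any.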