1126 Views · 0 Helpful · 2 Replies

Cisco 6500 FWSM

diogogoncalves
Level 1

Hi

I have a problem with FWSM in routed mode. Server 2 can connect with the cluster and server 1. In the FWSM context I can connect to server 1 and the cluster, as well as in the ACE. But the cluster cannot reach server 1, though it can reach server 2 and the firewall.

In the ACE I only have one default route that points to 172.16.21.1. In the FWSM I have a route to vlan 172.16.22.0 pointing to 172.16.21.10.

I know that the problem is in the FWSM, because if I put a route on server 1 to point to the network 172.16.22.0 through the 172.16.22.21.10 IP, I have connectivity between the cluster and server 1.

Is the problem in fact that the gateway of server 2 is the FWSM, so the traffic goes in and then the routing table sends it out of the same interface where it entered? Can you help me with this problem? (attachment: scenario.jpg)

Thanks

2 Replies

mirober2
Cisco Employee

Hi Diogo,

For communication between the Cluster and Server1, the FWSM should not be in the path. The Cluster should send its data to the ACE, which should then send it directly to Server1 and vice versa.

Double check the ACE to make sure that the routing table shows Server1 and its subnet as directly connected. If that checks out, also check the ARP table on the ACE for the IP address of Server1. The MAC address listed should be that of Server1's NIC. If it turns out to be the FWSM's MAC address instead, check to make sure the FWSM's NAT configuration is set up properly. Alternatively, you could disable proxy ARP on the FWSM's interface with the 'sysopt noproxyarp' command and then clear the ARP table on the ACE. That command will prevent the FWSM from claiming ownership of Server1's IP address if your NAT config is too broad.

Hope that helps.

-Mike
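One way to script the ARP check Mike describes, as an added example that is not part of the thread: it parses a constructed show-arp style listing (the column layout and all MAC addresses are made up; the IP addresses come from the thread) and flags hosts whose IP resolves to the FWSM's MAC rather than their own NIC, which is the proxy-ARP symptom of an over-broad NAT.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: a simplified "show arp" style listing (IP, MAC, interface).
# The layout, interface names and MACs are assumptions; the IPs are from the thread.
SAMPLE_ARP = """\
172.16.21.1    0011.2233.4455   vlan21
172.16.21.10   00aa.bbcc.dd01   vlan21
172.16.22.5    00aa.bbcc.dd01   vlan22
172.16.22.6    0066.7788.99aa   vlan22
"""

FWSM_MACS = {"00aa.bbcc.dd01"}       # MAC(s) of the FWSM interfaces (assumed value)
FWSM_IPS = {"172.16.21.10"}          # the FWSM's own interface IP (from the thread)
DIRECT_SUBNETS = ["172.16.21.0/24", "172.16.22.0/24"]   # subnets the ACE should see as connected (assumed masks)

ARP_LINE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)", re.I
)


def parse_arp(text):
    """Return (ip, mac, interface) tuples from show-arp style output; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3)))
    return entries


def find_proxy_arp_claims(entries, fwsm_macs, fwsm_ips, direct_subnets):
    """IPs inside a directly connected subnet that resolve to the firewall's MAC
    even though they are not the firewall's own addresses: the sign that the FWSM
    is proxy-ARPing for real hosts because its NAT covers too much."""
    nets = [ip_network(n) for n in direct_subnets]
    suspects = []
    for ip, mac, iface in entries:
        if mac in fwsm_macs and ip not in fwsm_ips and any(ip_address(ip) in n for n in nets):
            suspects.append((ip, mac, iface))
    return suspects


if __name__ == "__main__":
    for ip, mac, iface in find_proxy_arp_claims(parse_arp(SAMPLE_ARP), FWSM_MACS, FWSM_IPS, DIRECT_SUBNETS):
        print(f"{ip} on {iface} resolves to FWSM MAC {mac}: check NAT scope or disable proxy ARP")
```

Any host reported here is one whose traffic the ACE is handing to the firewall instead of delivering directly, so the NAT statements covering that address are the first thing to inspect.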

Hi mirober2

Thanks for the help. I resolved the problem with the command same-security-traffic permit intra-interface; I don't know if it is good practice to use it.

thanks
