10-02-2007 12:06 PM - edited 03-11-2019 04:19 AM
Hi all, I'm trying to set up a 6509 with a FWSM and am having some trouble. I have most of the config set up and working, I can ping from inside of the 6509 to a cisco 3750 that is connected on the outside with a L3 SVI with IP 192.168.113.10 (represents real IPs)
The Outside interface on fwsm is 192.168.113.8, inside interface is 10.1.0.10. Sup720 L3 SVI 10.1.0.11. Both 10.x.x.x ips are on vlan10, the 192.168.x.x ips are on vlan113.
The problem is that the 3750 with IP 192.168.113.10 cannot ping anything past 192.168.113.8. It is my understanding that my access lists should allow everything through for testing purposes and I will lock it down more once I have it figured out. I have posted the fwsm config to help with any questions.
======FWSM config=======
FWSM# sh run
: Saved
:
FWSM Version 2.3(4)
nameif vlan113 outside security0
nameif vlan10 inside security100
enable password xxx
passwd xxx
hostname FWSM
ftp mode passive
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 H225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol icmp
fixup protocol icmp error
fixup protocol rsh 514
fixup protocol sip 5060
no fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list deny-flow-max 4096
access-list alert-interval 300
access-list in_out extended permit ip any any
access-list in_out extended permit icmp any any
access-list out_in extended permit icmp any any
access-list out_in extended permit ip any any
access-list test extended permit icmp any any
access-list test extended permit ip any any
pager lines 22
logging buffer-size 4096
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip address outside 192.168.113.8 255.255.255.0
ip address inside 10.1.0.10 255.255.255.0
no failover
failover lan unit secondary
failover polltime unit 1 holdtime 15
failover polltime interface 15
failover interface-policy 50%
icmp permit any outside
icmp permit any inside
no pdm history enable
arp timeout 14400
global (outside) 1 192.168.113.57
global (outside) 1 192.168.113.58
global (outside) 1 192.168.113.59
nat (outside) 0 192.168.113.0 255.255.255.0
nat (inside) 0 192.168.113.0 255.255.255.0
nat (inside) 1 10.1.0.0 255.255.0.0
access-group test in interface outside
access-group test out interface outside
access-group test in interface inside
access-group test out interface inside
!
interface outside
!
!
interface inside
!
!
route outside 0.0.0.0 0.0.0.0 192.168.113.10 1
route inside 10.1.0.0 255.255.0.0 10.1.0.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 rpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
floodguard enable
fragment size 200 outside
fragment chain 24 outside
fragment size 200 inside
fragment chain 24 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum: xxxx
: end
===Relevant Sup720 configs====
firewall module 2 vlan-group 2
firewall vlan-group 2 10,113
interface GigabitEthernet1/1
switchport
switchport access vlan 113
no ip address
!
interface GigabitEthernet1/2
switchport
switchport access vlan 10
no ip address
!
!
interface Vlan10
ip address 10.1.0.11 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.0.10
10-02-2007 12:57 PM
Hi
What are you trying to ping on the inside network? You will need to set up static translations for the machines on the inside of the FWSM, e.g.
if you want to ping 10.1.0.20 from the 3750
static (inside,outside) 10.1.0.20 10.1.0.20 netmask 255.255.255.255
and you need to do this for all servers on the inside or for testing you can just present the entire network
static (inside,outside) 10.1.0.0 10.1.0.0 netmask 255.255.255.0
Of course this will now conflict with
global (outside) 1 192.168.113.59
nat (inside) 1 10.1.0.0 255.255.0.0
But if you need to initiate connections from outside to inside then you cannot use dynamic PAT like this.
HTH
Jon
10-02-2007 01:29 PM
I have a workstation sitting on the inside network with ip address 10.1.0.50.
Is there a way to have NAT setup so that the internal computers can access outside networks but also be reachable from the outside?
What I'm saying is I don't want to have static routes set up for all the computers and I don't want the 'global' static route for ALL computers with the ip 10.1.x.x since it will not NAT if I do that.
10-02-2007 10:32 PM
Hi
"Is there a way to have NAT setup so that the internal computers can access outside networks but also be reachable from the outside?"
If you want to initiate connections from the outside to your internal machines you have 2 options
1) Setup static translations for them
2) Turn off NAT, but then the inside addresses must be routable from the outside.
The problem you face is that you Dynamically NAT all your 10.1.0.x address to one outside address. This is fine for connections initiated from the inside but if you wanted to initiate a connection to 10.1.0.50 from outside, in your current setup you would have to connect to the 192.168.113.59 address. But how would the firewall know which 10.1.0.x address this was meant to be going to?
If your inside machines are routable from outside then as I say either turn off NAT or
static (inside,outside) 10.1.0.0 10.1.0.0 netmask 255.255.255.0
Jon
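The two answers above describe why an outside-initiated connection to a dynamically PAT'ed inside host has nowhere to land, and why a static identity translation fixes that at the cost of no longer PAT'ing those hosts. The following is an added example, not code from the thread or from Cisco: a small Python model of the translation lookup, with the posted `nat (inside) 1` / `global (outside) 1` pair modelled as a single PAT address and Jon's `static (inside,outside) 10.1.0.0 10.1.0.0 netmask 255.255.255.0` added on top. The rule precedence (static checked before dynamic), the single PAT address, the port-based flow identity and the class and function names are all assumptions of this model, not FWSM internals.

```python
"""Added example (not from the thread or from Cisco): a small model of how a
PIX/FWSM 2.x-style firewall looks up translations, to show why the dynamic
nat/global PAT rule in the posted config cannot accept outside-initiated
connections, and what changes once a static identity translation is added.

Assumptions (simplifications of the real platform): static entries are
checked before dynamic ones; dynamic PAT is modelled as one global address
handing out ports in order; flows are identified by a port number only
(ICMP identifiers would play the same role).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Static:
    """static (inside,outside) <global_net> <local_net> netmask <mask>"""
    local_net: ipaddress.IPv4Network
    global_net: ipaddress.IPv4Network


@dataclass
class DynamicPat:
    """nat (inside) <id> <local_net>  +  global (outside) <id> <pat_address>"""
    local_net: ipaddress.IPv4Network
    pat_address: ipaddress.IPv4Address


class Fwsm:
    def __init__(self, rules):
        self.rules = rules
        # dynamic xlates created by inside-initiated flows:
        # (global_ip, global_port) -> (local_ip, local_port)
        self.xlates = {}
        self.next_port = 1024

    def outbound(self, src_ip, src_port):
        """Inside-initiated flow. Returns (global_ip, global_port), or None
        when no rule matches (dropped, since nat-control is in force)."""
        src = ipaddress.ip_address(src_ip)
        for rule in self.rules:
            if isinstance(rule, Static) and src in rule.local_net:
                offset = int(src) - int(rule.local_net.network_address)
                return str(rule.global_net.network_address + offset), src_port
        for rule in self.rules:
            if isinstance(rule, DynamicPat) and src in rule.local_net:
                gport = self.next_port
                self.next_port += 1
                self.xlates[(rule.pat_address, gport)] = (src, src_port)
                return str(rule.pat_address), gport
        return None

    def inbound(self, dst_ip, dst_port):
        """Outside-initiated packet aimed at a global address. Returns the
        (local_ip, local_port) it is forwarded to, or None if no translation
        exists, which is the failure the thread describes."""
        dst = ipaddress.ip_address(dst_ip)
        for rule in self.rules:
            if isinstance(rule, Static) and dst in rule.global_net:
                # static entries are permanent and bidirectional
                offset = int(dst) - int(rule.global_net.network_address)
                return str(rule.local_net.network_address + offset), dst_port
        # dynamic PAT only answers for an xlate an inside host already created
        hit = self.xlates.get((dst, dst_port))
        return (str(hit[0]), hit[1]) if hit else None


def build_pat_only():
    """The posted config: nat (inside) 1 10.1.0.0/16 with a PAT global."""
    return Fwsm([DynamicPat(ipaddress.ip_network("10.1.0.0/16"),
                            ipaddress.ip_address("192.168.113.57"))])


def build_with_static():
    """Jon's suggestion added on top: an identity static for the whole /24."""
    net = ipaddress.ip_network("10.1.0.0/24")
    fw = build_pat_only()
    fw.rules.insert(0, Static(net, net))
    return fw


if __name__ == "__main__":
    pat = build_pat_only()
    print("outside -> 192.168.113.57:22, unsolicited:", pat.inbound("192.168.113.57", 22))
    print("10.1.0.50 -> outside:", pat.outbound("10.1.0.50", 40000))
    fixed = build_with_static()
    print("outside -> 10.1.0.50:22 with static:", fixed.inbound("10.1.0.50", 22))
    print("10.1.0.50 -> outside, now identity not PAT:", fixed.outbound("10.1.0.50", 40000))
```

Running it shows the two halves of the answer: with PAT alone, an unsolicited packet to the global address has no xlate to match and is dropped, while the reply to an inside-initiated flow does match; with the identity static in place, 10.1.0.50 is reachable from outside but its own outbound traffic now leaves untranslated, so it has to be routable from the outside, exactly Jon's caveat.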
10-03-2007 05:39 AM
Thank you, that's what I thought was going to be the problem. The 192.x.x.x addresses actually represent public addresses on the network where I work, we are trying to do a network migration to private addresses (10.1.x.x) but would need to still be reachable for about a week. I'm thinking the only way to do this is move all physical connections to the 6509 in one day and then start changing addresses, since everything will be behind the firewall there would be no problems with connectivity, I'm assuming.
Thanks again for the help, it's truly appreciated