FWSM Access inside from outside host

I have the following question:

I have two FWSMs in failover with an outside and inside interface.

I am trying to SSH and Ping from the outside network to the inside interface of the FWSM.

This doesn't work.

The situation is like this:

Workstation(10.32.7.10)-----ROUTER-------10.0.5.34-MSFC-10.0.7.1---------10.0.7.254(outside)-FWSM-10.150.2.1(inside)

I have this configuration:

interface Vlan9
 nameif outside
 security-level 0
 ip address 10.0.7.254 255.255.255.0 standby 10.0.7.253
interface Vlan402
 nameif inside
 security-level 100
 ip address 10.150.2.1 255.255.255.0 standby 10.150.2.10
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
management-access inside
ssh 10.32.7.0 255.255.255.0 outside
ssh 10.32.7.0 255.255.255.0 inside
access-list outside_in extended permit icmp any any
access-list outside_in extended permit ip any any
access-group outside_in in interface outside
access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip any any
access-group inside_in in interface inside

No NAT is involved.

SSH to the outside address works but not to the inside.

How can I realise this?

Traffic destined to the inside network is working fine.

Also, I use a syslog server for the FWSM. Is it possible to define the source IP address of the syslog messages?

I want to define the syslog source address as 10.0.7.254 (outside), but the syslog server is on the inside.

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

You won't be able to connect to a remote interface. What I mean is that you/the user can only connect to an interface behind which that user is located. A user behind "inside" can connect to "inside" and a user behind "outside" can connect to the "outside" interface.

Especially in the case of FWSM, to my understanding it's not possible to achieve this in any way. At least I have not seen a way, but then again I haven't had to look for one.

In the newer firewall models it's possible to connect to a remote interface (from the user's perspective) if the connection is coming through a VPN connection. But this doesn't really apply to FWSM.

Also, regarding the syslog: I think the Cisco firewalls will always source traffic only from the interface IP addresses for such typical things as syslog. So I don't think you can modify the source IP address unless you change the IP address of the interface that is sending the syslog.

- Jouni
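As an added illustration of the rule stated in this answer (example code written for this page, not from the original thread or from Cisco), the Python below parses the interface and ssh lines from the question and reports why an SSH attempt from 10.32.7.10 to the inside address, arriving on outside, is refused while the same attempt to the outside address is accepted. The parser, the verdict function and the FWSM_CONFIG sample are constructed for this example.

```python
import ipaddress

# Constructed sample: the interface, management-access and ssh lines from the question.
FWSM_CONFIG = """
interface Vlan9
 nameif outside
 security-level 0
 ip address 10.0.7.254 255.255.255.0 standby 10.0.7.253
interface Vlan402
 nameif inside
 security-level 100
 ip address 10.150.2.1 255.255.255.0 standby 10.150.2.10
management-access inside
ssh 10.32.7.0 255.255.255.0 outside
ssh 10.32.7.0 255.255.255.0 inside
"""

def parse_config(text):
    """Return ({nameif: interface_ip}, [(allowed_source_network, nameif)])."""
    ifaces, ssh_rules, nameif = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            ifaces[nameif] = ipaddress.ip_address(line.split()[2])   # active address
        elif line.startswith("ssh "):
            _, net, mask, iface = line.split()[:4]
            ssh_rules.append((ipaddress.ip_network(f"{net}/{mask}"), iface))
    return ifaces, ssh_rules

def ssh_verdict(config, src_ip, dst_ip, ingress):
    """Model of the rule in the answer: an SSH session is accepted only when the
    source matches an 'ssh' entry on the ingress interface AND the destination is
    that interface's own address. FWSM offers no remote-interface management, so
    'management-access inside' does not help a session that arrives on outside."""
    ifaces, rules = parse_config(config)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not any(src in net and iface == ingress for net, iface in rules):
        return f"denied: no 'ssh' entry permits {src} on {ingress}"
    if dst != ifaces[ingress]:
        owner = next((n for n, ip in ifaces.items() if ip == dst), "no")
        return (f"denied: {dst} is the {owner} interface address, but the session "
                f"arrives on {ingress}; connect to {ifaces[ingress]} instead")
    return f"accepted: {src} -> {ingress} ({dst})"

if __name__ == "__main__":
    for dst in ("10.0.7.254", "10.150.2.1"):
        print(ssh_verdict(FWSM_CONFIG, "10.32.7.10", dst, "outside"))
```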
