02-25-2013 08:28 AM - edited 03-11-2019 06:05 PM
We recently deployed a FWSM on our 6503-E boxes (w/ Sup720). NAT is working (PAT), but the issue I am seeing is that private traffic from remote sites is not being allowed through the FW. I was able to get the remote site to ping the FWSM itself (inside address), but no hosts behind it. Maybe an ACL issue? Also, when I turn off NAT on the remote end, I can then access everything (we are NATing on both ends). I'm a routing guy by nature, so I will defer this to the security guys out there. Thanks in advance.
Topology
Hosts (inside/10.15.25.0/24) -> FWSM (outside/public IP) -> Core Router -> MPLS CLOUD -> Core Router (NATing) -> Hosts (192.168.1.0/24)
ACLs applied to inside/outside interface
FWSM# show access-list ATX-ALLOW-IN
access-list ATX-ALLOW-IN; 15 elements
access-list ATX-ALLOW-IN extended permit tcp any any (hitcnt=222)
access-list ATX-ALLOW-IN extended permit icmp any any (hitcnt=101)
access-list ATX-ALLOW-IN extended permit udp any any (hitcnt=6)
access-list ATX-ALLOW-IN extended permit ip any any (hitcnt=0)
access-list ATX-ALLOW-IN extended permit tcp any any eq www (hitcnt=0)
access-list ATX-ALLOW-IN extended permit tcp any any eq https (hitcnt=0)
access-list ATX-ALLOW-IN extended permit ip any 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list ATX-ALLOW-IN extended permit icmp any 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list ATX-ALLOW-IN extended permit tcp any 192.168.1.0 255.255.255.0 (hitcnt=0)
FWSM# show access-group
access-group ATX-ALLOW-IN in interface outside
access-group ATX-ALLOW-IN out interface outside
access-group ATX-ALLOW-IN in interface inside
access-group ATX-ALLOW-IN out interface inside
Ping Tests
FWSM Inside address (10.15.25.245)
Host behind the FWSM (10.15.25.89)
Remote Router Inside address (192.168.1.1)
FWSM to remote spoke site Router
FWSM# ping 192.168.1.1
192.168.1.1 response received -- 10ms
192.168.1.1 response received -- 20ms
192.168.1.1 response received -- 10ms
Remote Router to FWSM
ATX-CFW1#ping 10.15.25.245
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.15.25.245, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/16 ms
Remote Router to a host behind the FWSM
ATX-CFW1#ping 10.15.25.89
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.15.25.89, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
03-01-2013 09:00 AM
Yes, I had to upgrade to 4.1. I was on a SUPER old version. With tcp-state-bypass turned off, I cannot access anything, and once it is back on, everything's accessible. For sure there was some asymmetric routing occurring, but I'm glad the bypass did the trick. Now I can put away this firewall and get back into my routers.
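The asymmetric-routing behaviour behind that fix, as an added toy model in Python (written for this page; it is not FWSM code or the poster's configuration): a stateful firewall drops the non-SYN half of a flow whose SYN it never saw, and a state-bypass class lets such packets through without any inspection. The remote host address 192.168.1.10 and matching the bypass class by address prefix are assumptions.

```python
# Added example: toy model of stateful TCP inspection with an optional
# state-bypass class, modelled on the thread's FWSM symptoms. Not FWSM code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    iface: str  # firewall interface the packet arrives on


class StatefulFirewall:
    """A non-SYN packet passes only if a connection entry already exists,
    unless it matches a bypass class (like FWSM tcp-state-bypass)."""

    def __init__(self, bypass_prefixes=()):
        self.conns = set()  # (src, dst) pairs learned from a SYN
        self.bypass_prefixes = tuple(bypass_prefixes)

    def bypassed(self, pkt):
        # Assumption: the bypass class matches on an address prefix (constructed).
        return any(pkt.src.startswith(p) or pkt.dst.startswith(p)
                   for p in self.bypass_prefixes)

    def process(self, pkt):
        key, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if self.bypassed(pkt):
            # Bypassed flows get no TCP state or sequence checks at all:
            # that is the security cost of the fix used in the thread.
            return f"PASS on {pkt.iface} (state bypass)"
        if pkt.flags == "S":
            self.conns.add(key)
            return f"PASS on {pkt.iface} (new connection)"
        if key in self.conns or rev in self.conns:
            return f"PASS on {pkt.iface} (existing connection)"
        return f"DROP on {pkt.iface} (no state for non-SYN packet)"


def simulate(asymmetric, bypass):
    """Remote host (assumed 192.168.1.10) connects to inside host 10.15.25.89.
    With asymmetric routing the SYN reaches the host on a path that skips the
    FWSM, so the firewall only ever sees the SYN/ACK and later ACKs."""
    fw = StatefulFirewall(("192.168.1.",) if bypass else ())
    pkts = [Packet("192.168.1.10", "10.15.25.89", "S", "outside"),
            Packet("10.15.25.89", "192.168.1.10", "SA", "inside"),
            Packet("192.168.1.10", "10.15.25.89", "A", "outside")]
    if asymmetric:
        pkts = pkts[1:]  # the SYN never crossed the FWSM
    return [fw.process(p) for p in pkts]
```

Running `simulate(True, False)` reproduces the thread's symptom (every packet dropped), and `simulate(True, True)` the fix, at the price of no stateful checks on the bypassed subnet.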