

FWSM and Asymmetric routing

Hello, I need your help with a problem I have been experiencing for a couple of days.

We have a client with a WiMAX solution. They had a firewall from another vendor and needed to upgrade to a more robust platform, so they went with a Cisco 6506-E with a FWSM.

They are using traffic redirection for inside networks: the WiMAX packet service gateway is not routing internal traffic (public to public IP addresses). Instead, public IP addresses assigned to clients are forwarded to the WiMAX packet service gateway and then the traffic flow is redirected to the outside of the FWSM for firewall inspection. See attached diagram.





I already fixed TCP traffic between those networks using the TCP state bypass feature. Everything works well except ICMP, which has been a total nightmare.

I have a permit any any in the inside and a permit any to public networks in the inside plus the inspect ICMP. With this configuration ICMP is treated as stateful.

When I remove the ICMP inspection, ICMP traffic from inside to outside stops working and redirected ICMP traffic works OK.

Now I tried a solution I read in the book Cisco Press - Cisco Firewalls but it didn't work:

object-group network REDIRECTED_NETWORKS


access-list ICMP extended deny icmp object-group REDIRECTED_NETWORKS object-group REDIRECTED_NETWORKS 
access-list ICMP extended permit icmp any any

class-map inspection_icmp
 match access-list ICMP


policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect skinny 
  inspect smtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
  inspect pptp 

 class inspection_icmp
  inspect icmp


service-policy global_policy global


Is there any way I could make ICMP work in this scenario?

FWSM Firewall Version 4.1(15)


Thanks a lot,


