08-30-2008 07:41 AM - edited 03-11-2019 06:37 AM
Dear All,
I have a very basic scenario of one 6500 with FWSM.
I have created 4 VLANs: one inside, outside, dmz1 and dmz2.
The outside interface is connected to the MSFC using an SVI, and the rest of the VLANs are part of the FWSM vlan-group, i.e. VLAN 10, 20, 30, 40. I have also tested by adding outside VLAN 101 to the vlan-group.
The problem is that I cannot ping from my internal host placed in the inside VLAN to the IP configured on the inside VLAN of the FWSM, i.e. 10.1.10.1. The scenario is attached along with the configuration.
All my VLANs are up but still I cannot ping. What can be the problem?
08-30-2008 07:49 AM
First of all, there are two important points you need to consider.
First, FWSM is not like ASA, because by default all traffic is denied, even from a higher security level to a lower one, so you need to make an ACL on each interface to let it pass traffic.
For example, on each inside interface you could make an ACL with permit any any to let it pass traffic.
So make sure to put a permit ACL.
Remember anything not permitted implicitly by an ACL will be denied.
So you need to allow IP and ICMP for ping echo.
If you want the firewall itself to make a ping you need to permit echo-reply as well.
**By the way, you need to add VLAN 101, assigned to the outside interface and used as an SVI, to the firewall vlan-group.**
Good luck.
Please rate if helpful.
08-30-2008 09:53 AM
Thanks Marwan, but the problem is that I can't ping from a host in the inside network to the FW interface VLAN in the same inside network, i.e. 10.1.10.10 can't ping 10.1.10.1 (inside interface IP). We haven't even tried to reach outside.
We have also checked with the ACLs as mentioned previously by you. Is there any other command which can connect the switch MSFC to the firewall or something like that? Or can you suggest me the configuration based on my scenario attached previously?
08-30-2008 06:30 PM
To ping the inside interface from the inside hosts, do something like this:
Beginning with FWSM 3.1(1) and ASA 7.0(1), an ICMP inspection engine is available. Rather than explicitly configuring access list rules to permit inbound ICMP traffic, the firewall can selectively (and automatically) permit return traffic based on the original outbound requests.
So make sure under
policy-map global_policy
class inspection_default
you have
inspect icmp
inspect icmp error
and follow the instructions in the following nice config example
and let me know.
Good luck.
08-30-2008 10:34 PM
Well, I have tried everything you mentioned, the inspect commands, the ACLs, but still I can't ping from my host in the 10.1.10.0 network to the inside interface for this network. I have read many config guides but nothing is missing in our config, and we are doing a very basic config scenario, but still it's not working. Any new suggestions? By the way, my FWSM is in slot 2 of a 6509, ver 3.2, and the SUP is 720 adv ip services.
Besides this, we can ping the outside too.
08-30-2008 10:58 PM
Can you ping 172.16.1.2?
If yes, then don't worry about it too much.
By the way, for your information, in Cisco firewalls you can't ping any interface from another interface; this is in ASA, not sure if in FWSM too.
First try this:
icmp permit any echo inside
icmp permit any echo-reply inside
If that didn't work, try the following ACL and apply it on your inside interface:
access-list allow-in extended permit icmp 10.1.10.0 255.255.255.0 host 10.1.10.1
access-list allow-in extended permit ip any any
access-group allow-in in interface inside
Good luck.
Rate if helpful.
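The answer above separates three mechanisms: the `icmp` command governs ICMP that terminates on the FWSM's own interface, the interface access-group governs through-traffic, and `inspect icmp` handles return traffic. The following is an added example (not code from the thread or from Cisco) that audits an FWSM/ASA-style config for all three; the sample config and the interface name `inside` are constructed from the thread's scenario.

```python
"""Audit an FWSM/ASA-style config for the ICMP conditions discussed in the thread.
Added example; the config text below is constructed, not the poster's attachment."""
import re

SAMPLE_CONFIG = """\
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.1.10.1 255.255.255.0
access-list allow-in extended permit icmp 10.1.10.0 255.255.255.0 host 10.1.10.1
access-list allow-in extended permit ip any any
access-group allow-in in interface inside
icmp permit any echo inside
icmp permit any echo-reply inside
policy-map global_policy
 class inspection_default
  inspect icmp
"""

# icmp {permit|deny} {any | host A | A MASK} [icmp_type] IFACE
ICMP_RULE = re.compile(r"^icmp (permit|deny) (?:any|host \S+|\S+ \S+)(?: (\S+))? (\S+)$")
ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface (\S+)$")
ACL_LINE = re.compile(r"^access-list (\S+) extended permit (\S+) ")


def _icmp_to_interface_allowed(lines, iface, icmp_type):
    """ICMP terminating on an interface: first matching `icmp` rule wins.
    With no `icmp` rules for the interface the platform default applies and the
    firewall answers; with rules present but none matching it is an implicit deny."""
    rules = [m for m in map(ICMP_RULE.match, lines) if m and m.group(3) == iface]
    if not rules:
        return True
    for m in rules:
        if m.group(2) in (None, icmp_type):  # rule without a type covers all ICMP
            return m.group(1) == "permit"
    return False


def audit_icmp(config, iface):
    lines = [line.strip() for line in config.splitlines()]
    acl = next((m.group(1) for m in map(ACCESS_GROUP.match, lines)
                if m and m.group(2) == iface), None)
    acl_protos = {m.group(2) for m in map(ACL_LINE.match, lines) if m and m.group(1) == acl}
    return {
        "echo_to_interface": _icmp_to_interface_allowed(lines, iface, "echo"),
        "echo_reply_to_interface": _icmp_to_interface_allowed(lines, iface, "echo-reply"),
        "access_group": acl,                                # ACL for through-traffic
        "acl_permits_icmp": bool(acl_protos & {"icmp", "ip"}),
        "inspect_icmp": "inspect icmp" in lines,            # return-traffic inspection
    }


if __name__ == "__main__":
    print(audit_icmp(SAMPLE_CONFIG, "inside"))
```

Running it against the poster's original state (no `icmp permit` lines but a deny, or an `echo-reply`-only rule) shows `echo_to_interface` as `False` even while the ACL and inspection look correct, which matches what the thread found.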
08-31-2008 12:50 AM
Yes, the icmp permit any echo inside and echo-reply inside worked. Thanks very much for your support.
08-31-2008 12:53 AM
You're welcome :)
08-30-2008 08:05 AM
Along with using an ACL with appropriate entries to allow traffic and assigning VLAN 101 to the firewall vlan-group, you can also add "firewall multiple-vlan-interfaces".
Regards