07-28-2011 04:07 AM - edited 03-11-2019 02:05 PM
Hi Experts,
I have an FWSM configured which has communication between hosts on the inside interface (10.101.101.254). The inside host 10.101.101.10, whose default gateway is the FWSM, is trying to communicate with another internal host 192.168.200.6 (different VLAN).
FWSM has,
1. routes to all internal networks.
2. NAT exempt using nat 0 command for all internal networks.
3. same-security-traffic permit intra-interface.
4. ACL on inside interface permitting any any.
The internal hosts are able to ping each other, but other ports are not communicating.
Please tell me if I missed some configuration.
07-28-2011 06:13 AM
Hi Abdulrasheeth,
I'm not an expert, but I have good experience with the FWSM. Maybe I can help you.
Does your switch know networks 10.101.101.0 and 192.168.200.0 as connected networks?
Can you show your config ?
regards,
07-28-2011 01:42 PM
Hi Blink,
Thanks for your response...
10.101.101.0 is directly connected, but 192.168.200.0 is 1 hop away in the internal network.
Below is the config...
!
interface Vlan101
nameif inside
security-level 100
ip address 10.101.101.254 255.255.255.0
!
interface Vlan666
nameif MSFC
security-level 0
ip address 10.100.100.253 255.255.255.252
!
access-list outside_acess_in extended permit icmp any any
access-list inside_access_out extended permit ip any any
nat (inside) 0 10.101.101.0 255.255.255.0
nat (inside) 0 192.168.200.0 255.255.255.0
access-group inside_access_out in interface inside
access-group inside_access_out out interface inside
access-group outside_acess_in in interface MSFC
route inside 0.0.0.0 0.0.0.0 10.101.101.250 -------- default gateway to internal core switch---------
same-security-traffic permit intra-interface
!
----------------------------------------------------------------------
I am able to ping from inside host 10.101.101.10 to another inside host 192.168.200.6, but other ports are not opening. E.g. I can't telnet from 10.101.101.10 to 192.168.200.6 on port 1433 (SQL Server). When I bypass the firewall, all ports are working...
Awaiting your reply...
Thanks in advance.
07-29-2011 04:08 AM
Can you explain the topology a bit more?
10.101.101.250 is the default gateway. What is that device, i.e. is it a 6500?
Where does the MSFC (in your config) sit in relation to your default-gateway ?
Jon
07-29-2011 02:21 PM
Hi Jon,
Below is the topology...
LAN-CORE_6500 ---------------------- 7613FWSM-----------------------------------MSFC---------------WAN-ISP----
(10.101.101.250) (10.101.101.254) / (10.100.100.254) (10.100.100.253)
192.168.200.0/24 is another vlan in the LAN-CORE.
07-28-2011 05:30 PM
Hello Abdulah
You want to be able to communicate on the same interface between hosts on different networks.
My question would be: is the FWSM the default gateway of the 192.168.200.0 network as well?
Because if not, we might need to add U-Turning.
Regards
07-29-2011 12:58 AM
Hi,
I already allowed everything from inside as below,
access-list inside_access_out extended permit ip any any
access-group inside_access_out in interface inside
access-group inside_access_out out interface inside
08-01-2011 02:06 AM
FWSM is not the default gateway for 192.168.200.0. So how do I do the U-Turning?
08-11-2011 01:00 PM
Hi all,
I got the solution...
The problem is an asymmetric network topology. The request was going through the firewall, but the return traffic reached the server directly via the core switch. Hence, when further packets went through the FWSM, they were denied because it did not know about the connection.
I used the tcp-state-bypass option for this traffic in the MPF, and it solved the problem.
Thanks for all your replies...
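For readers who want the actual commands behind the final post: the following is an added example of the MPF (Modular Policy Framework) configuration for TCP state bypass, written by the editor, not posted by the thread author. It assumes an FWSM release that supports the tcp-state-bypass connection option (the poster confirms theirs does) and reuses the two subnets from the posted config; the names tcp_bypass_acl, tcp_bypass_class and tcp_bypass_policy are made up. It deliberately scopes the bypass to the asymmetric 10.101.101.0/24 <-> 192.168.200.0/24 flows instead of to all inside traffic, because state bypass turns off SYN checking, sequence-number tracking and TCP normalization for whatever the class matches.

```cisco
! Added example (not from the original post). ACL, class-map and
! policy-map names are arbitrary.
!
! Match only the flows that take the asymmetric path: inside VLAN 101
! hosts talking to the 192.168.200.0/24 VLAN behind the core switch.
! Both directions are listed so the bypass also covers server-initiated
! connections.
access-list tcp_bypass_acl extended permit tcp 10.101.101.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list tcp_bypass_acl extended permit tcp 192.168.200.0 255.255.255.0 10.101.101.0 255.255.255.0
!
class-map tcp_bypass_class
 match access-list tcp_bypass_acl
!
! For matching traffic, build the connection from any TCP packet
! (no SYN required) and skip the stateful TCP checks, so the
! client->server half of the session that the FWSM actually sees
! is no longer dropped as "not part of a known connection".
policy-map tcp_bypass_policy
 class tcp_bypass_class
  set connection advanced-options tcp-state-bypass
!
! Attach it to the interface that receives the half-flow; here the
! inside interface (Vlan101) carries the 10.101.101.10 -> 192.168.200.6
! requests.
service-policy tcp_bypass_policy interface inside
```

After applying it, "show service-policy interface inside" should list tcp_bypass_policy with a packet count on the class, and the port 1433 test from 10.101.101.10 to 192.168.200.6 should succeed. Two caveats: the bypassed flows are still subject to interface ACLs, and the posted inside_access_out is permit ip any any, so nothing is filtering them; and state bypass is a workaround for the asymmetry, not a fix for it. Routing both VLANs through the FWSM (or neither) restores full stateful inspection and is the cleaner long-term answer.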