cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
847
Views
0
Helpful
3
Replies

FWSM : One Way Communication Issue

manuadoor
Level 1
Level 1

Dear Team,

I have an FWSM running in L3 mode, installed in C6509E Switch, L3 of all other distribution layer switches are created in FWSM.

I have a long running problem of one way communication with this FWSM. IOS version is "FWSM Firewall Version 3.2(4)".

I have two pcs (PC1 and PC2) connected to two different zones of FWSM which is connected thru two different L3 Swiches.

The prob is I can ping from PC2 to PC1(I verified the path by traceroute, its coming via fwsm only), but I cannot ping to PC1 to PC2. All zones are binded with access-lists "permit ip any any" and "permit icmp any any".

While ping from PC1 to PC2 I am getting "Destination net unreachable", when tracing FWSM reports "Destination net unreachable". Interesting thing is I can ping the PC2 from FWSM.

I also tried to put a capture in FWSM for this particular source and destination(by attaching a specific access list), where I found that I am getting hits in one of the interfaces connected to PC1, and I cannot see any hits in the interface which is connected to PC2.

I am attaching a diagram for more details, any piece of info is appreciable.

3 Replies 3

Kureli Sankar
Cisco Employee
Cisco Employee

I believe there could be some routing problem

1. Make sure SW1 has a route to 172.16.134.0/24 via 172.16.24.84

2. Make sure SW2 has a route back to 172.16.15.0/24 via 172.16.34.161

3. apply acl (line 1) for icmp traffic between 172.16.15.70 to 172.16.134.16 on the acl facing the interface close to PC1 above the permit ip any any line. Start a continuous ping between PC1 and PC2 and watch the hit counts.

4. apply acl (line 1) for icmp traffic between 172.16.134.16 (source) and 172.16.15.(destination) on the acl applied on the interface close to PC2 above the permit ip any any line. Watch the hit counts to see if you see ICMP response.

5. see if SW1 can ping PC2 and SW2 can ping PC1.

Thanks Kusankar,

I tried the steps u suggested,

1. both the Sw1 and Sw2 has routes to FWSM

2. I Applied accesslist in the vlan interfaces and I couldnot see any logs for ICMP packets.

3. SW1 cannot ping PC2 (Result is UUUUU)

4. SW2 can ping PC1

I have noticed one more thing. When I unchecked ICMP from the inpection policy rule action of Service Policy Rules, I am getting Request Time Out when I ping from PC1 to PC2 (SW1 to PC2), I am getting Network unreachable message when I put ICMP back.

Regarding

1. both the Sw1 and Sw2 has routes to FWSM

I meant SW1 and SW2 have routes to the networks on the other side of the FWSM (not just to the FWSM).

Can the FWSM ping both PC1 and PC2?

"sh ip route" on SW1 and SW2 looks correct?

Review Cisco Networking for a $25 gift card