03-10-2008 07:38 AM - last edited on 03-11-2019 05:14 AM by NikolaIvanov
I am trying to get my config working with 6500 and Virtual FWs with an FWSM.
My first issue is that I cannot even ping from my VLAN5 outside interface which was created in the MSFC and has been allocated to the FWSM admin cxt 'outside' interface. I'm not sure if I need to set up static(inside,outside) mappings on the admin context? VLANs 10 & 20 have also been allocated to the FWSM module but I'm stuck. Can someone please advise on how I can get IP connectivity through VLAN 5 (admin cxt) down to VLAN 10 inside (customer-a) cxt?
Display vlan-groups created by both ACE module and FWSM
Group  Created by  vlans
-----  ----------  -----
1      FWSM        5,10,20
5      FWSM        <empty>
10     FWSM        <empty>
20     FWSM        <empty>
6504-B#show firewall mod
Module Vlan-groups
------ -----------
04 1,5,10,20
6504-B#
===========================
FWSM config below
FWSM-B# sho context
Context Name  Class    Interfaces    Mode    URL
*admin        default  Vlan5         Routed  disk:/admin.cfg
customer-a    default  Vlan10,Vlan5  Routed  disk:/cust-a.cfg
Total active Security Contexts: 2
FWSM-B#
+++++++++++++++++++++++++++++++++++++++
Admin context
FWSM-B/admin# sho run
: Saved
:
FWSM Version 3.2(2) <context>
!
hostname FWSM-B
enable password xxx
names
!
interface Vlan5
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
passwd xxx
access-list 101 extended permit icmp any any
pager lines 24
mtu outside 1500
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
aaa authentication http console LOCAL
http server enable
http 10.0.0.0 255.255.255.255 outside
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
class-map default
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:xxx
: end
FWSM-B/admin#
thanks,
Al
03-11-2008 01:55 AM
Hi,
Please add 'icmp permit any outside' in the FWSM configuration.
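An offline check for two gaps visible in the posted admin context: access-list 101 is defined but never bound with an access-group, and the 'icmp permit' line suggested in the reply is absent. This is an added example, not part of the original thread or any Cisco tool; the function name audit_context is hypothetical and the embedded config is an excerpt constructed from the post.

```python
import re

# Excerpt constructed from the admin-context running-config in the post.
ADMIN_CFG = """\
interface Vlan5
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
!
access-list 101 extended permit icmp any any
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
"""

def _collect(lines, pattern):
    """Return the first capture group of every line that matches pattern."""
    return [m.group(1) for l in lines if (m := re.match(pattern, l))]

def audit_context(cfg):
    """Hypothetical helper: list findings for one context's config text."""
    lines = [l.strip() for l in cfg.splitlines()]
    # Named interfaces, e.g. "nameif outside"
    nameifs = _collect(lines, r"nameif (\S+)$")
    # ACL names that are defined, e.g. "access-list 101 extended ..."
    acls = set(_collect(lines, r"access-list (\S+) "))
    # ACL names actually applied: "access-group NAME in|out interface IF"
    bound = set(_collect(lines, r"access-group (\S+) (?:in|out) interface \S+"))
    # Interfaces with a to-the-box ICMP rule: "icmp permit|deny ... IF"
    icmp_ifs = set(_collect(lines, r"icmp (?:permit|deny) .* (\S+)$"))

    findings = []
    for acl in sorted(acls - bound):
        findings.append(f"access-list {acl} is defined but not bound by any access-group")
    for nif in nameifs:
        if nif not in icmp_ifs:
            findings.append(f"no icmp rule for interface {nif}")
    return findings

if __name__ == "__main__":
    for finding in audit_context(ADMIN_CFG):
        print(finding)
```
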