Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
674
Views
0
Helpful
1
Replies

ICMP echo from Firewall interface

nunoscosta
Level 1
Level 1

‎05-02-2011 06:17 AM - edited ‎03-11-2019 01:27 PM

Hi guys,

Hi have the follwing scenario:

two 6509 chassis with VSS configuration.

One of those chassis have one FWSM installed and the configuration is like this:

Switch:

firewall multiple-vlan-interfaces
firewall switch 1 module 3 vlan-group 1
firewall vlan-group 1  3-5,7,8,10,200

interface Vlan200
ip address 10.50.50.1 255.255.255.252
end

ip route 172.20.80.0 255.255.255.0 10.50.50.2

FSWM:

interface Vlan10
nameif ADMIN
security-level 100
ip address 172.20.80.1 255.255.255.0
!
interface Vlan200
description Lig. CORE
nameif FWSM_INSIDE
security-level 100
ip address 10.50.50.2 255.255.255.252

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list FWSM_INSIDE extended permit ip any any
access-list FWSM_INSIDE extended permit icmp any any echo
access-list FWSM_INSIDE extended permit icmp any any echo-reply
access-list FWSM_INSIDE extended permit icmp any any unreachable
access-list FWSM_INSIDE extended permit icmp any any time-exceeded
access-list FWSM_INSIDE extended permit icmp any any log
...

icmp permit any ADMIN
icmp permit any echo ADMIN
icmp permit any echo-reply ADMIN
icmp permit any unreachable ADMIN
icmp permit any time-exceeded ADMIN
icmp permit any FWSM_INSIDE
icmp permit any echo FWSM_INSIDE
icmp permit any echo-reply FWSM_INSIDE
icmp permit any unreachable FWSM_INSIDE
icmp permit any time-exceeded FWSM_INSIDE
...

I am not receiving icmp replays from the fswm interfaces if i try to ping 172.20.80.1 from 10.50.50.2.

I do not see any debuging info in the logs...

I successfully ping 10.50.50.2 from the inside networks int the cat6500, but int the network 172.20.80.0, can not ping 10.50.50.2.

can you help please?

best regards,

NC

Labels:
0 Helpful
1 Reply 1

brquinn
Level 1
Level 1

‎05-02-2011 06:51 AM

You can only ping the local FWSM interface. You cannot ping the other FWSM interfaces like you can on a router.

Q. I can ping the FWSM interface that is directly connected to my network, but I am unable to ping other interfaces. Is this normal?
A. Yes. This is a built-in security mechanism that also exists on the PIX Firewall.

FWSM FAQ

Thanks,

Brendan

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card