Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
462
Views
0
Helpful
1
Replies

ICMP through FWSM

Colin Higgins
Level 2
Level 2

‎11-09-2012 07:30 AM - edited ‎03-11-2019 05:21 PM

It seems to me, after a lot of testing, that regardless of ACLs and ICMP settings, you cannot ping a firewalled vlan interface on a FWSM through another interface.

In other words, let's say I have a layer 3 switch connected via a trunk to the switch with the FWSM:

Switch 1                            Switch 2 with FWSM

Vlan10 10.100.66.1   --------> Vlan10 10.100.66.4 ---------> Vlan99 192.168.20.1

If icmp is enabled on both vlan10 and 99 on the FWSM, switch one can ping 10.100.66.4, but it will not be able to ping 192.168.20.1, even if that interface has a totally permissive access list, is set to security 100, and has icmp enabled.

I will also not be able to do

ping Vlan99 10.100.66.1

from the FWSM--in other words, I cannot ping from the interface through another interface on the FWSM.

I tried to add "inspect icmp" under the global MPF, but that didn't change anything.

Am I correct in my assumptions here?

Also, as a side note, I noticed that unsuccessful pings from the FWSM always yield "?????" results, even if it is not a routing problem--is this correct?

Labels:
0 Helpful
1 Reply 1

Julio Carvajal
VIP Alumni
VIP Alumni

‎11-09-2012 09:31 AM

Hello.

That is correct, you cannot ping a far-end interface. That is a security desing setup ( nothing can be done to change that behavior)

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card