06-20-2013 06:28 AM - edited 03-11-2019 07:01 PM
Hi,
I have connected a firewall inside interface to an L3 switch.
on l3 switch
int gi0/1
no switchport
ip address 192.168.10.1 255.255.255.0
no shut
on firewall
int gi0/1
nameif inside
security-level 100
ip address 192.168.10.2 255.255.255.0
If I ping 192.168.10.2 from the firewall, it pings.
As I know, an inside host can ping the inside interface, but not any opposite interface such as DMZ etc. (need access-list).
06-20-2013 06:35 AM
Hi Prashant,
That is right.
The firewall will allow traffic from a high security level (like the inside interface, which has a security level of 100) to low security level interfaces (like the outside interface or DMZ interface, which have any value less than 100) by default, without an access-list. If you need to allow traffic from low to high, then you need to specifically allow it through an access-list.
Hope that helps.
Regards
Najaf
Please rate when applicable or helpful !!!
06-20-2013 06:59 AM
Hi,
The L3 switch is connected to the firewall (inside interface).
When I ping from the switch to the firewall inside interface, it is not pinging.
06-24-2013 02:22 AM
Normally that will work without adding any route or extra configuration. If it's not working, then I would check the access list to see if it's dropping the packet or not, and the other thing to check is whether you have enabled ICMP inspection on the ASA or not.
06-24-2013 06:21 AM
Hi Prashant,
There are two things involved here.
1. Ping to the far end interface.
The ASA will not allow you to ping the far end interface. For example, if you are a host connected on the Inside network and ping the Inside interface, the ASA will reply, but if you try to ping the DMZ interface from a host on the inside, it will not answer, and this is expected.
2. Permit traffic from lower to higher interfaces.
All the traffic from a higher interface level to a lower interface level is permitted by default, but it is denied the other way around, from lower to higher.
If you need to permit traffic from lower to higher, you need to enter an access-list on the lower level interface to permit traffic to the higher security level (if you are on version 8.2 or earlier you might need to add a NAT rule).
For example:
Inside security level 100
Outside security level 0
Inside host 192.168.1.1
access-list outside_access_in permit ip any host 192.168.1.1
access-group outside_access_in in interface outside
I hope this helps.
Regards
Godfrey
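The two rules above (the ASA only answers pings on the interface the packet arrives on, and higher-to-lower traffic is allowed by default while lower-to-higher needs an inbound access-list) as an added Python model of the policy decision. This is not ASA code or a reply from the thread; the interface names, levels, addresses and the `outside_access_in` ACL are the example from the post plus constructed addresses, and NAT, same-security-traffic and ICMP inspection are left out.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Interface:
    name: str      # nameif
    level: int     # security-level, 0..100
    ip: str        # address configured on the interface

@dataclass
class Ace:
    action: str    # "permit" or "deny"
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"

@dataclass
class Asa:
    interfaces: dict = field(default_factory=dict)     # nameif -> Interface
    acls: dict = field(default_factory=dict)           # acl name -> [Ace]
    access_groups: dict = field(default_factory=dict)  # ingress nameif -> acl name

def _match(cidr, addr):
    net = "0.0.0.0/0" if cidr == "any" else cidr
    return ip_address(addr) in ip_network(net, strict=False)

def forward_allowed(asa, ingress, egress, src, dst):
    """Is a packet entering `ingress` and leaving via `egress` allowed through?"""
    if ingress in asa.access_groups:
        # an inbound access-group replaces the level rule; implicit deny at the end
        for ace in asa.acls[asa.access_groups[ingress]]:
            if _match(ace.src, src) and _match(ace.dst, dst):
                return ace.action == "permit"
        return False
    # default: strictly higher security level to lower is permitted, else denied
    return asa.interfaces[ingress].level > asa.interfaces[egress].level

def interface_ping_answered(asa, ingress, dst):
    """The ASA replies to a ping of its own address only on the arrival interface."""
    owner = next((i for i in asa.interfaces.values() if i.ip == dst), None)
    return owner is not None and owner.name == ingress

def build_example():
    """Godfrey's example: inside 100, outside 0, ACL permitting any -> 192.168.1.1."""
    asa = Asa()
    for name, level, ip in [("inside", 100, "192.168.1.254"),   # constructed addresses
                            ("dmz", 50, "10.0.0.254"),
                            ("outside", 0, "203.0.113.1")]:
        asa.interfaces[name] = Interface(name, level, ip)
    asa.acls["outside_access_in"] = [Ace("permit", "any", "192.168.1.1/32")]
    asa.access_groups["outside"] = "outside_access_in"   # access-group ... in interface outside
    return asa
```

Any host other than 192.168.1.1 stays unreachable from outside because of the implicit deny at the end of the ACL, which is the detail to check when an inbound rule "does not work".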
06-29-2013 08:20 AM
Thanks for the reply.
At last I have cleared the config of the firewall (reconfigured it) and also cleared the config of the switch (reconfigured it).
And guess what: it is working without adding any special access list.
I have some suspicion on the switch side, because by connecting a laptop directly to the firewall I can ping the inside interface.
That's why I cleared the configuration of the switch and reconfigured it with the latest IOS.
Thanks for your help.