10-09-2013 09:02 AM - edited 03-11-2019 07:49 PM
I have created two vlan interfaces in my FWSM:
interface Vlan30
description Internet
nameif outside
security-level 0
ip address 190.202.128.204 255.255.255.248
!
interface Vlan500
description Interfaz Interna
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
I see them in the route table:
S 0.0.0.0 0.0.0.0 [1/0] via 190.202.128.201, outside
C 190.202.128.200 255.255.255.248 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
I have permitted ICMP traffic in the default class-map:
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect sunrpc
inspect rsh
inspect smtp
inspect sqlnet
inspect skinny
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
inspect http
However, I'm unable to ping from the inside interface to the outside interface:
FWSM-UBV-01# ping inside 190.202.128.201
Sending 5, 100-byte ICMP Echos to 190.202.128.201, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
I have permitted ICMP on both interfaces:
icmp permit any outside
icmp permit any inside
Any ideas why?
Thanks in advance
Alejandro Rodríguez
10-09-2013 09:09 AM
Hi,
After the ICMP can you see anything in the ARP table for 190.202.128.201?
show arp
- Jouni
10-09-2013 09:14 AM
Yes, I learned it:
FWSM-UBV-01# sh arp
outside 190.202.128.201 58bf.eabf.cb40
eobc 127.0.0.51 0000.1500.0000
I even have an ACL that permits anything.
I'm even unable to ping my outside VLAN interface:
FWSM-UBV-01# ping inside 190.202.128.204
Sending 5, 100-byte ICMP Echos to 190.202.128.204, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Here's my config:
FWSM-UBV-01# sh run
: Saved
:
FWSM Version 4.0(4)
!
hostname FWSM-UBV-01
domain-name UBV.local
enable password 22hEzYDRd/PSXhZG encrypted
names
dns-guard
!
interface Vlan30
description Internet
nameif outside
security-level 0
ip address 190.202.128.204 255.255.255.248
!
interface Vlan500
description Interfaz Interna
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group 101 in interface outside
access-group 101 out interface outside
access-group 101 in interface inside
access-group 101 out interface inside
route outside 0.0.0.0 0.0.0.0 190.202.128.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username cpsadmin password uOBCikV6i4nTdDHP encrypted privilege 15
http server enable
http 200.109.233.226 255.255.255.255 outside
http 190.142.129.227 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service reset no-connection
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect sunrpc
inspect rsh
inspect smtp
inspect sqlnet
inspect skinny
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2c824700279062c092f17087c47035ef
: end
If I don't specify the source, the ping succeeds:
FWSM-UBV-01# ping 190.202.128.201
Sending 5, 100-byte ICMP Echos to 190.202.128.201, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
FWSM-UBV-01#
10-09-2013 09:16 AM
Hi,
This is your outside IP address, 190.202.128.204, and you are saying that you want to ping 190.202.128.204:
FWSM-UBV-01# ping inside 190.202.128.201
Sending 5, 100-byte ICMP Echos to 190.202.128.201, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Can you please confirm what you are trying to ping?
10-09-2013 09:21 AM
I'm trying to ping both: first my outside address, and my MSFC, which is 190.202.128.201:
FWSM-UBV-01# ping inside 190.202.128.204
Sending 5, 100-byte ICMP Echos to 190.202.128.204, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
If I don't specify the source the ping succeeds, but I suppose it's because I'm using the outside iface as the source address:
FWSM-UBV-01# ping 190.202.128.201
Sending 5, 100-byte ICMP Echos to 190.202.128.201, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
10-09-2013 09:28 AM
Hi,
You would probably be better off pinging from an actual host behind the "inside" interface (I didn't even notice the "inside" interface specified in the first read-through).
If ICMP to the "outside" network doesn't work from an IP address behind the "inside" interface, then I would either configure Dynamic PAT for the "inside" users or configure a route that tells that the "inside" network is found behind the "outside" interface IP address.
Notice though that a host behind "inside" won't be able to ICMP to the "outside" interface IP address, and a host behind "outside" won't be able to ICMP the "inside" interface. This is normal behaviour.
- Jouni
10-09-2013 09:39 AM
"Notice though that a host behind "inside" won't be able to ICMP to the "outside" interface IP address and a host behind "outside" won't be able to ICMP the "inside" interface. This is normal behaviour"
This is precisely what I want to do, but instead of using a host behind the inside interface I want to use the inside SVI on the FWSM as the source of the ping; this is because I'm trying to see if PAT works, being able to ping Internet hosts from the inside interface.
But I'm not even able to ping my own interfaces...
10-09-2013 09:49 AM
Hi,
I am not 100% sure about the FWSM, but the ASA at least won't apply NAT configuration to traffic that you generate with the "ping" command. It just forwards the traffic without NAT applied.
I confirmed this on the ASA with a traffic capture (my public gateway IP replaced with 1.1.1.1):
interface Vlan1
description LAN
nameif LAN
security-level 100
ip address 10.0.10.2 255.255.254.0
ASA(config)# ping LAN 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA(config)# sh capture
capture ICMP-CAP type raw-data access-list ICMP-CAP interface WAN [Capturing - 670 bytes]
ASA(config)# sh capture ICMP-CAP
5 packets captured
1: 19:46:36.814151 802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request
2: 19:46:38.811740 802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request
3: 19:46:40.811847 802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request
4: 19:46:42.811984 802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request
5: 19:46:44.812015 802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request
As you can see, I did the capture on the WAN interface and no PAT has been applied to this traffic.
- Jouni
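A small parser for that capture output, added here as an example and not code from the thread or from Cisco: given the text of `show capture <name>`, it flags packets seen on the outside interface whose source address is still an inside address, which is exactly the "no PAT applied" condition visible in the capture above. The first five sample lines are the ones posted above; the sixth, with 1.1.1.2 as an assumed outside interface address, is constructed to show what a correctly translated packet would look like.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of ASA/FWSM "show capture <name>" output, e.g.
#   1: 19:46:36.814151 802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request
# TCP/UDP lines carry a ".port" suffix on each address; that is optional here.
CAPTURE_LINE = re.compile(
    r"^\s*(?P<seq>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+) P\d+\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$"
)

# Constructed sample: lines 1-5 are from the ASA capture in the post above;
# line 6 is made up, using 1.1.1.2 as an assumed outside interface address.
SAMPLE_CAPTURE = """\
6 packets captured
1: 19:46:36.814151 802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request
2: 19:46:38.811740 802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request
3: 19:46:40.811847 802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request
4: 19:46:42.811984 802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request
5: 19:46:44.812015 802.1Q vlan#10 P0 10.0.10.2 > 1.1.1.1: icmp: echo request
6: 19:46:46.812100 802.1Q vlan#10 P0 1.1.1.2 > 1.1.1.1: icmp: echo request
"""


@dataclass
class CapturedPacket:
    seq: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    vlan: Optional[int]
    summary: str


def parse_capture(text: str) -> List[CapturedPacket]:
    """Parse the packet lines of a 'show capture' dump; header lines such as
    'N packets captured' do not match the pattern and are skipped."""
    pkts = []
    for line in text.splitlines():
        m = CAPTURE_LINE.match(line)
        if not m:
            continue
        pkts.append(CapturedPacket(
            seq=int(m["seq"]),
            src=ipaddress.IPv4Address(m["src"]),
            dst=ipaddress.IPv4Address(m["dst"]),
            vlan=int(m["vlan"]) if m["vlan"] else None,
            summary=m["rest"].strip(),
        ))
    return pkts


def untranslated_egress(pkts: List[CapturedPacket],
                        inside_nets: List[str]) -> List[CapturedPacket]:
    """Packets captured on the outside interface whose source is still an
    inside address. With dynamic PAT working, this list should be empty;
    every entry here left the firewall without translation."""
    nets = [ipaddress.IPv4Network(n) for n in inside_nets]
    return [p for p in pkts if any(p.src in n for n in nets)]


if __name__ == "__main__":
    packets = parse_capture(SAMPLE_CAPTURE)
    # 10.0.10.2/255.255.254.0 from the LAN interface above is 10.0.10.0/23
    for p in untranslated_egress(packets, ["10.0.10.0/23"]):
        print(f"packet {p.seq}: {p.src} -> {p.dst} ({p.summary}) was not PATed")
```

Run against a real dump, the check is only meaningful when the capture is taken on the egress (outside) interface; on the inside interface every source is expected to be an inside address.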
10-09-2013 10:05 AM
Hmm, so it's not possible to ping from the inside iface to the outside iface after all?
I have issued a sh interface and see a lot of packets dropped:
Interface Vlan500 "inside", is up, line protocol is up
Hardware is EtherSVI, BW Unknown Speed-Capability, DLY 10 usec
Description: Interfaz Interna
MAC address d867.d992.5400, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
Traffic Statistics for "inside":
0 packets input, 0 bytes
1 packets output, 68 bytes
4696 packets dropped
Even when I have explicitly set an ACL to permit all traffic...
10-09-2013 10:10 AM
Hi,
Cisco firewalls and routers tend to drop traffic all the time, mostly because the device next to them has a service/setting enabled that the firewall/router doesn't support.
But it's a known fact that you can't ping the actual interface IP address from behind another interface.
From the FWSM you should be able to ping any interface IP address configured on the FWSM directly (without specifying any interface in the "ping" command).
From behind some FWSM interface you should only be able to ping the IP address of your interface, not any other FWSM interface IP address.
- Jouni
10-09-2013 11:00 AM
Yes, I believe Jouni's answer is correct: the FWSM will not allow you to ping from one VLAN to the other VLAN's gateway.
Please rate helpful answers
10-09-2013 11:17 AM
Yes,
Thank you all. I guess I should figure out how I can test PAT without using ICMP.