The FWSM is directly connected to these vlans now  so it can arp and ping all hosts in these vlans.

Please mark the thread as solved so that others can benefit from it in the future.

Rgs,

PK

I am not sure on this one. While I can ping the IP's I cannot see any of the traffic filtered at all. I have tried multiple things, I might have to put this into another thread, but ill bite the bullet and post it. I could see the hits to each of the access with the log functionality enabled on each access-list line. I am not sure I can see that now. I have specific lines left out, to test out the implicit deny at the end of the access-list. It did not block it. Traffic flow is from the 2 SVI interfaces 169.69.100.x and 10.128.142.x into the MSFC then into the FWSM, filter traffic, then allow whats allowed into the Lab areas or drop that traffic. Only the main interface 169.69.100.x can be pinged from the outside. The 192.168.2.x is not allowed to respond to pings, and my secondary 10.128.142.x does not respond, but I can ping all gateways from the FWSM.

My config is designed to block everything into 2 areas of a Lab.

Lab 1 block all except RDP, SSH, SFTP, ICMP to 2 seperate gateway servers. 169.69.100.28 and 48, and allow connectivity to their iLo's: IP's 169.69.100.49 and 52.

All else is blocked to and from these servers....

Lab 2: a more complicated scenerio .

169.69.100.5 and 6 are routers that i need access too.

169.69.100.27 - file server

169.69.100.29 - windows network build server

169.69.100.30 - training svr, this only allows RDP to it.

169.69.100.31 - workstation - full access

169.69.100.32 - logistics server

169.69.100.33 - Wiki web server

We also have 5 servers that do bootp builds. This is a must, to allow that functionality. Thanks in advance. This is all new to me, but I am trying. I am just better at route/switching.

Config as follows.

ese340fwsm# show run
: Saved
:
FWSM Version 3.1(10)0
!
hostname ese340fwsm
enable password xxxxxxxxxxx
passwd xxxxxxxxxxxxxxx encrypted
names
!
interface Vlan20
nameif acs
security-level 10
ip address 192.168.2.126 255.255.255.128
!
interface Vlan597
nameif outside
security-level 50
ip address 169.69.100.254 255.255.255.0
!
interface Vlan950
nameif outside2
security-level 49
ip address 10.128.142.10 255.255.255.0
!
ftp mode passive
access-list ITRISK extended permit tcp any host 169.69.100.28 eq 3389 log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq 3389 log
access-list ITRISK extended permit tcp any host 169.69.100.28 eq ftp log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq ftp log
access-list ITRISK extended permit tcp any host 169.69.100.28 eq ssh log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq ssh log
access-list ITRISK extended permit tcp any host 169.69.100.28 eq 115 log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq 115 log
access-list ITRISK extended permit ip any host 169.69.100.49 log
access-list ITRISK extended permit ip any host 169.69.100.52 log
access-list ITRISK extended deny ip any host 169.69.100.28 log
access-list ITRISK extended deny ip any host 169.69.100.48 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 10.20.90.0 255.
255.255.0 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 10.20.30.0 255.
255.255.0 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 10.20.70.0 255.
255.255.0 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 10.20.75.0 255.
255.255.0 log
access-list ITRISK extended permit ip 10.128.142.0 255.255.255.0 any log
access-list ITRISK extended permit udp any any eq bootpc log
access-list ITRISK extended permit udp any any eq bootps log
access-list ITRISK extended permit tcp any host 169.69.100.30 eq 3389 log
access-list ITRISK extended permit tcp any host 169.69.100.31 eq 3389 log
access-list ITRISK extended permit ip any host 169.69.100.5 log
access-list ITRISK extended permit ip any host 169.69.100.6 log
access-list ITRISK extended permit ip any host 169.69.100.27 log
access-list ITRISK extended permit ip any host 169.69.100.29 log
access-list ITRISK extended permit ip any host 169.69.100.32 log
access-list ITRISK extended permit ip any host 169.69.100.50 log
access-list ITRISK extended permit tcp any host 169.69.100.28 eq echo log
access-list ITRISK extended permit tcp any host 169.69.100.48 eq echo log
access-list ITRISK extended permit tcp any host 169.69.100.49 eq echo log
access-list ITRISK extended permit tcp any host 169.69.100.52 eq echo log
pager lines 24
logging timestamp
logging console critical
logging buffered debugging
mtu outside 1500
mtu outside2 1500
mtu acs 1500
no failover
icmp permit any outside
icmp permit any outside2
icmp permit any acs
no asdm history enable
arp timeout 14400
access-group ITRISK in interface outside   ========> tried out and tried in/out and just in.
access-group ITRISK in interface outside2 ========> Tried out and tried in/out and just in.
route outside 0.0.0.0 0.0.0.0 169.69.100.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect smtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

ese340fwsm#