Solved: Re: FWSM 6500- pinging VLAN interface

ahmad-sajjad · ‎07-27-2008

I have FWSM module installed in 6509e catalyst switch. I have configured 2 vlans as follows.

HR VLAN ID 16--- Gateway----X.X.16.1

Management VLAN ID 18 Gateway---X.X.18.1

i am trying to ping from host in 16 vlan to a host in 18 vlan which is successful but i cant ping 18 vlan gateway which is X.X.18.1. why it is so?

please reply.

Farrukh Haroon · ‎08-07-2008

OK thats great, please rate if helpful.

Regards

Farrukh

View solution in original post

hadbou · ‎08-01-2008

Check the vlan configuration on FWSM module in 6500 as configuration issues may cause the ping to fail.

Refer the following url for more info on assigning the VLANs to FWSM:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/configuration/guide/switch.html#wp1175820

Marwan ALshawi · ‎08-01-2008

check the following

1 ACLs in both direction because FWSM not like ASA regardless the security level u have u need to make ACL to permit traffic to flow by default evrything is denied

secondly

eable icmp and icmp error inspection

also make sure u have the right VLANs assigned to the FWSM, ports and client

finally make sure the client has the right default gateway

good luck

please if helpful Rate

Farrukh Haroon · ‎08-02-2008

Ahmad, are you trying to ping from a 'host' in the vlan 16 subnet to the FWSM's Vlan 18 SVI (Gateway interface)?

If so, I'm afraid this will not work. The FWSM/ASA/PIX do not allow pinging any of its interfaces UNLESS you are part of the same interface subnet/zone. For example Vlan 16 users can only ping -X.X.16.1 and NOT -X.X.18.1 and similarly Vlan 18 users can only ping -X.X.18.1.

Regards

Farrukh

ahmad-sajjad · ‎08-04-2008

Gentlemen!

Thanks alot for your replies, i am going to enable icmp error on the fwsm to make sure about the ping.

Farrukh

someone told me that FWSM will not allow to ping from one vlan to the other vlan gateway. in my case,

it is a host in X.X.16.X vlan can ping its own gateway which is X.X.16.1 and can also ping host in X.X.18.X vlan but cant ping X.X.18.1 which is the gateway for vlan 18. What is the logic, y it cant ping.

Thanks

Farrukh Haroon · ‎08-04-2008

As I told you this is one of the 'rules' of FWSM/ASA/PIX. Perhaps they did this to prevent 'mapping' of zones or something, personally I find it very annoying.

You will 'not' be able to ping X.X.18.1 from ANY machine in the X.X.16.X zone. Please check my previous post also, I said the same things.

Regards

Farrukh

Marwan ALshawi · ‎08-02-2008

in addition

if u wanna try to ping any cisco firewall interface from other interface u will not be able

but as long as u ping the clients behind that interface

so u your configurations if fine

and nothing to worry about

good luck

please, rate if helpful

ahmad-sajjad · ‎08-07-2008

Thanks everyone! I think it was quite helpful.

Regards

Sajjad

Marwan ALshawi · ‎08-07-2008

u welcome

please, rate the helpful post

Farrukh Haroon · ‎08-07-2008

OK thats great, please rate if helpful.

Regards

Farrukh