08-23-2006 07:40 AM - edited 03-09-2019 03:59 PM
Had a working config: 6503 with FWSM. The route statement in the Cat pointed to the IP on the FWSM associated with the same interface (inside); the Vlan40 defined in the switch had an address on the same subnet (class C).
Converted this config to a split-up class C, used the same logic, and it will not pass a ping.
OLD CONFIGURATION
fwsm
ip address outside 10.200.251.3 255.255.255.0
ip address inside 10.200.252.3 255.255.255.0
ip address dmz 10.200.253.3 255.255.255.0
cat
interface Vlan40
ip address 10.200.252.5 255.255.255.0
nameif vlan30 outside security0
nameif vlan40 inside security100
nameif vlan50 dmz security50
ip route 0.0.0.0 0.0.0.0 10.200.252.3 1
NEW CONFIGURATION
fwsm
interface Vlan30
nameif outside
security-level 0
ip address 10.200.251.33 255.255.255.224
!
interface Vlan40
nameif inside
security-level 100
ip address 10.200.251.1 255.255.255.224
!
interface Vlan50
nameif dmz
security-level 50
ip address 10.200.251.65 255.255.255.224
Cat
interface Vlan40
ip address 10.200.251.3 255.255.255.224
ip route 0.0.0.0 0.0.0.0 10.200.251.1 1
I can't figure out what it needs to route!
08-23-2006 08:37 AM
config looks ok. What are you trying to ping?
Is the ARP cache ok on both? Routing table (fwsm) OK?
08-23-2006 12:49 PM
I have a pc on the inside using the inside subnet trying to ping a pc on the outside, on the outside subnet.
inside pc 10.200.251.4 255.255.255.224
outside pc 10.200.251.35 255.255.255.224
trying to continuously ping each other.
I can ping both when I am sessioned into the FWSM>#
08-23-2006 01:31 PM
Hi ..
Make sure :
1.- inside PC has 10.200.251.1 as its default gateway
2.- outside PC has 10.200.251.33 as its default gateway.
On the FWSM make sure:
1.- you have icmp permit any inside and icmp permit any outside
2.- make sure you allow that access on the access-list applied to inside and outside interfaces
3.- make sure you have NAT statements configured accordingly, i.e. nat (inside) 1 access-list Inside-OUT
global (outside) 1 interface
access-list Inside-OUT permit ip any any
4.- do a clear xlate
I hope it helps ... please rate it if it does !!
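The reply above comes down to a subnet and gateway consistency check: once the class C is split into /27s, every host's mask must match the FWSM interface's mask and its default gateway must be that interface's address, otherwise a host with a stale /24 mask believes the far-side PC is on-link and ARPs for it instead of sending the packet to the firewall. The following Python is an added example written for this thread, not code from either poster; the interface addresses and PC addresses are the ones posted in the NEW CONFIGURATION, while the gateway values and the "stale /24" host are constructed to illustrate the failure mode.

```python
import ipaddress

# FWSM interface addresses as posted in the thread's NEW CONFIGURATION.
FWSM_INTERFACES = {
    "outside": "10.200.251.33/27",
    "inside": "10.200.251.1/27",
    "dmz": "10.200.251.65/27",
}


def overlapping_interfaces(ifaces):
    """Return (name_a, name_b) pairs whose interface subnets overlap.

    Overlapping subnets are an error on a firewall: the FWSM could not decide
    which interface a destination belongs to. The posted /27s must not overlap.
    """
    parsed = {n: ipaddress.ip_interface(a).network for n, a in ifaces.items()}
    names = list(parsed)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if parsed[a].overlaps(parsed[b])
    ]


def interface_for(ifaces, address):
    """Name of the firewall interface whose subnet contains address, or None."""
    addr = ipaddress.ip_address(address)
    for name, cidr in ifaces.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None


def check_host(ifaces, host_cidr, gateway):
    """Return a list of problems for a host configured as host_cidr with the given gateway.

    An empty list means: the host sits in exactly one firewall subnet, its mask
    agrees with the firewall's mask, and its gateway is the firewall's address there.
    """
    host = ipaddress.ip_interface(host_cidr)
    gw = ipaddress.ip_address(gateway)
    problems = []
    fw_name = interface_for(ifaces, host.ip)
    if fw_name is None:
        problems.append(f"{host.ip} is not inside any firewall interface subnet")
        return problems
    fw_if = ipaddress.ip_interface(ifaces[fw_name])
    if host.network != fw_if.network:
        problems.append(
            f"mask mismatch: host believes it is in {host.network}, "
            f"firewall interface {fw_name} is {fw_if.network}"
        )
    if gw != fw_if.ip:
        problems.append(f"gateway {gw} is not the {fw_name} interface address {fw_if.ip}")
    return problems


def is_on_link(host_cidr, destination):
    """True if the host would ARP for destination directly rather than use its gateway.

    This is the stale-mask trap: 10.200.251.4/24 treats 10.200.251.35 as on-link
    and never sends the ping to the FWSM at all.
    """
    return ipaddress.ip_address(destination) in ipaddress.ip_interface(host_cidr).network


if __name__ == "__main__":
    print("overlaps:", overlapping_interfaces(FWSM_INTERFACES))
    # Hosts from the thread; gateways per the reply's advice (assumed, not posted).
    print("inside pc:", check_host(FWSM_INTERFACES, "10.200.251.4/27", "10.200.251.1"))
    print("outside pc:", check_host(FWSM_INTERFACES, "10.200.251.35/27", "10.200.251.33"))
    # Constructed stale host: mask left at /24 after the split.
    print("stale inside pc:", check_host(FWSM_INTERFACES, "10.200.251.4/24", "10.200.251.1"))
    print("stale host thinks outside pc is on-link:", is_on_link("10.200.251.4/24", "10.200.251.35"))
```

Running this against the posted addresses reports no overlap and no problems for the two PCs when their masks are /27 and their gateways are the FWSM interface addresses; the same inside PC with a /24 mask is flagged, and `is_on_link` shows why the ping never reaches the firewall in that case.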
08-24-2006 06:22 AM
It will only allow 4000 characters here so I cannot post the whole config, will include important parts:
FWSM Version 3.1(1)
!
hostname FWSM
domain-name ciscopix.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 10.200.251.4 pc-1 description test pc
name 10.200.251.35 pc-2
!
interface Vlan30
nameif outside
security-level 0
ip address 10.200.251.33 255.255.255.224
!
interface Vlan40
nameif inside
security-level 100
ip address 10.200.251.1 255.255.255.224
!
interface Vlan50
nameif dmz
security-level 50
ip address 10.200.251.65 255.255.255.224
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_out extended permit icmp any any
access-list inside_access_out extended permit icmp any any
access-list outside_access_out extended permit icmp any any
icmp permit any outside
icmp permit any echo outside
icmp permit 10.200.251.32 255.255.255.224 outside
icmp permit any inside
icmp permit any echo inside
icmp permit 10.200.251.0 255.255.255.224 inside
icmp permit any echo dmz
icmp permit any dmz
icmp permit 10.200.251.64 255.255.255.224 dmz
asdm location pc-1 255.255.255.255 inside
asdm location pc-2 255.255.255.255 outside
nat (outside) 0 access-list nonat
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect smtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
08-24-2006 06:24 AM
and here is the Catalyst config (most of it):
upgrade fpd auto
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service internal
service counters max age 10
!
hostname catalyst-6503-b
!
boot system flash disk0:
logging rate-limit all 10000
enable secret xxx
!
no aaa new-model
clock timezone PST -8
firewall module 2 vlan-group 1
firewall vlan-group 1 30,40,50
ip subnet-zero
!
!
!
ip tftp source-interface FastEthernet3/1
no ip domain-lookup
ip address-pool local
mls flow ip destination
mls flow ipx destination
mls verify ip length minimum
mls verify ipx length minimum
no mls acl tcam share-global
!
!
!
!
!
!
redundancy
mode rpr-plus
main-cpu
auto-sync running-config
auto-sync standard
spanning-tree mode pvst
spanning-tree extend system-id
hw-module slot 1 memory test full
hw-module slot 2 memory test full
error-detection packet-buffer action none
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/1
no ip address
shutdown
!
interface GigabitEthernet1/2
no ip address
shutdown
!
interface FastEthernet3/1
description INSIDE interface
switchport
switchport access vlan 40
switchport mode access
no ip address
speed 100
duplex full
!
interface FastEthernet3/2
description OUTSIDE interface
switchport
switchport access vlan 30
switchport mode access
no ip address
speed 100
duplex full
!
interface FastEthernet3/3
description DMZ interface
switchport
switchport access vlan 50
no ip address
speed 10
duplex full
!
interface FastEthernet3/4
switchport
switchport access vlan 50
no ip address
speed 100
duplex full
!
!
interface Vlan1
no ip address
!
interface Vlan40
ip address 10.200.251.3 255.255.255.224
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.200.251.1
!
ip http server
ip http path disk0:
!
logging trap debugging
logging 10.200.0.12
logging 10.200.251.4
logging 10.200.251.35
access-list 1 permit any
access-list 3 permit 10.200.251.10
access-list 3 permit 10.200.10.10
access-list 3 permit 10.200.254.254
!
snmp-server user ctcois ctcois v3 access 3
snmp-server group ctcois v2c access 3
snmp-server group ctcois v3 auth access 3
snmp-server group ctcois_v2 v2c read notify
snmp-server community lsi_public RO
snmp-server user ctcois ctcois v2c access 3
snmp-server host 10.200.10.10 version 2c lsi_public
snmp-server manager
snmp ifmib ifalias long
snmp mib notification-log default
!
!
dial-peer cor custom
!
!
!
banner login HIS IS A DEPEAR
!
line con 0
line vty 0 4
password xxxyyyzzz
no login
transport input lat pad mop udptn telnet rlogin nasi
!
ntp clock-period 17179951
ntp access-group peer 1
ntp peer 10.200.0.18
no cns aaa enable
end
08-23-2006 02:51 PM
and this exact test worked before you changed IP addresses around?
Pinging to or from the FWSM itself uses the "icmp" commands (if present - if not it's allowed). Pinging through the PIX would need NAT and ACL statements.
If you don't want to NAT (and you have not mentioned any NAT) then turn NAT off with "no nat-control".
08-24-2006 05:31 AM
Yes,
These are the nonat statements:
nat (outside) 0 access-list nonat
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat
08-24-2006 05:48 AM
can you post the full config?
08-26-2006 01:54 AM
ACLs are ok.
I take it your inside PC is on VLAN 40, your outside PC is on VLAN 30.
Must be NAT then. You have "nat (outside) 0 access-list nonat" etc but haven't included that ACL. If you don't want to do any NAT at all, just disable it:
no nat-control
no nat (outside) 0 access-list nonat
no nat (inside) 0 access-list nonat
no nat (dmz) 0 access-list nonat
PCs have firewall in their ARP cache?
enable logging on FWSM.
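The point of the reply above is that `nat (inside) 0 access-list nonat` refers to an ACL that never appears in the posted config, so the identity-NAT rule matches nothing and, with nat-control in effect, traffic through the FWSM has no translation to use. That class of mistake (an access-group or nat statement naming an ACL that is not defined) is easy to catch mechanically. The following Python is an added example, not code from the thread; the embedded config is an excerpt of the FWSM access-list, nat and access-group lines exactly as posted, and the checker reports ACLs that are referenced but never defined, plus ACLs defined but never applied.

```python
import re

# Excerpt of the FWSM config posted in the thread: the access-list, nat and
# access-group lines only (the poster could not fit the whole config).
FWSM_CONFIG = """\
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any
access-list dmz_access_in extended permit icmp any any
access-list dmz_access_out extended permit icmp any any
access-list inside_access_out extended permit icmp any any
access-list outside_access_out extended permit icmp any any
nat (outside) 0 access-list nonat
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group dmz_access_in in interface dmz
access-group dmz_access_out out interface dmz
"""

# "access-list NAME ..." defines (or extends) an ACL.
ACL_DEF = re.compile(r"^access-list\s+(\S+)\s")
# Two ways an ACL is consumed: applied to an interface, or named by a nat statement.
ACL_REF = re.compile(
    r"^(?:access-group\s+(\S+)\s"
    r"|nat\s+\(\S+\)\s+\d+\s+access-list\s+(\S+))"
)


def defined_acls(config):
    """Set of ACL names that have at least one access-list entry."""
    names = set()
    for line in config.splitlines():
        m = ACL_DEF.match(line.strip())
        if m:
            names.add(m.group(1))
    return names


def referenced_acls(config):
    """Map ACL name -> list of config lines that reference it."""
    refs = {}
    for line in config.splitlines():
        line = line.strip()
        m = ACL_REF.match(line)
        if m:
            name = m.group(1) or m.group(2)
            refs.setdefault(name, []).append(line)
    return refs


def undefined_references(config):
    """ACLs that are applied or used by nat but have no access-list entries.

    On the FWSM such a reference matches nothing, so "nat (x) 0 access-list nonat"
    with no nonat ACL exempts no traffic from NAT.
    """
    defined = defined_acls(config)
    return {n: lines for n, lines in referenced_acls(config).items() if n not in defined}


def unused_acls(config):
    """ACLs that are defined but never applied to an interface or used by nat."""
    return defined_acls(config) - set(referenced_acls(config))


if __name__ == "__main__":
    for name, lines in undefined_references(FWSM_CONFIG).items():
        print(f"ACL '{name}' is referenced but never defined:")
        for line in lines:
            print("   ", line)
    print("unused ACLs:", unused_acls(FWSM_CONFIG) or "none")
```

Run against the posted lines, the checker reports only `nonat`, referenced by all three `nat ... 0 access-list nonat` statements and defined nowhere; adding an `access-list nonat` entry (or removing the three nat statements and nat-control, as the reply suggests) clears the finding.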