HELP!!! ABOUT FWSM PROBLEMS

chenyx
Level 1

I have three problems with the FWSM since I deployed it.

1. I can't use the FWSM interface IP as the gateway for the PC to route traffic to subnets through routers which are on the same network as the PC.

2. When I ping hosts on a higher security level from a lower security level area, it doesn't work. I have to do the ping in the inverse direction. Then I can ping. The condition is without NAT and with permit ip any any.

3. Without NAT and with permit ip any any set on the FWSM, I can't ping the floating IP address of the two clustered SUN/HP hosts from the lower security level, but I can ping the real IP addresses of both SUN/HP hosts.

The platform is Catalyst 6509 with Cat OS version 7.6(1) [cat6000-sup2k9.7-6-1.bin] and Firewall Service Module 1.1(2).

Because this is being deployed on the production network, I have no more time to do experiments. Can anyone help me?

Thanks a lot!

yongxin chen

8 Replies

michel.mueller
Level 1

Hi Chen,

1. The FWSM won't route traffic back to the source interface. Use the router as default gateway for the clients not the FWSM.

2. You need to add statics or conduits to communicate from lower security level interfaces to higher security level interfaces.

3. Does the cluster use multicast MAC addresses for clustering?

regards Michel

Hi Michel,

Thanks for answering me back so quickly!

1. OK. (Would you please give me some hints on the internet?)

2. Here is the configuration:

6509:
set vlan 16 firewall-vlan 8
set vlan 50 firewall-vlan 8
set vlan 60 firewall-vlan 8
set vlan 99 firewall-vlan 8

MSFC:
interface vlan50
 ip address 130.1.4.253 255.255.255.0
 standby 50 preempt
 standby 50 ip 130.1.4.254
interface vlan12
 ip address 132.109.69.254 255.255.255.0

FWSM:
nameif vlan60 outside security0
nameif vlan50 DMZ security50
nameif vlan99 failover security99
nameif vlan16 inside security100
ip address outside 10.16.196.253 255.255.255.0
ip address DMZ 130.1.2.249 255.255.255.0
ip address failover 172.16.99.254 255.255.255.252
ip address inside 130.1.2.113 255.255.255.0
icmp permit any outside
icmp permit any DMZ
icmp permit any failover
icmp permit any inside
access-list 100 permit ip any any
access-group 100 in interface inside
access-group 100 in interface DMZ
access-group 100 in interface outside
nat (inside) 0 0 0
nat (DMZ) 0 0 0
nat (outside) 0 0 0
router ospf 1
 network 130.1.4.0 255.255.255.0 area 0
 network 130.1.2.0 255.255.255.0 area 0
 network 10.16.196.0 255.255.255.0 area 0
route outside 0.0.0.0 0.0.0.0 10.16.196.254

My testing PC is in the DMZ with IP address 132.109.69.42, gateway 132.109.69.254, but I can't ping 130.1.2.25, which is a host IP in the inside area.

If I ping 132.109.69.42 first from host 130.1.2.25, then I can ping 130.1.2.25 from my PC 132.109.69.42.

3. According to the above, the IP I can't ping from my PC 132.109.69.42 is 130.1.2.1 (the secondary IP of the SUN host 130.1.2.25 in the inside area).

Thanks again!

Yongxin Chen

Hi Chen,

ip address DMZ 130.1.2.249 255.255.255.0

ip address inside 130.1.2.113 255.255.255.0

These interfaces are in the same subnet, please explain.

Anyway, you need statics to ping from DMZ to inside:

static (inside,dmz) 130.1.2.0 130.1.2.0 netmask 255.255.255.0 0 0

regards Michel

Hi Michel:

I made a typing mistake. It should be

ip address DMZ 130.1.4.249 255.255.255.0

Yes, I found the static command works. If I don't use it, I have to ping from inside to DMZ to build an address map table in the FWSM so I can ping from DMZ to inside.

Thanks for answering me back!
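Michel's static and Chen's observation that pinging from inside to DMZ first "builds an address map table" can be modelled together. The following is an added Python example, not code from the thread or from Cisco: the Fwsm class is an assumed, simplified version of the FWSM's security-level and xlate rules, and thread_fwsm builds the posted configuration with and without the suggested static.

```python
# Added model, not from the thread: a simplified FWSM/PIX security-level and
# xlate check. Assumptions: "nat (if) 0 0 0" builds a dynamic identity xlate
# when the higher-security side initiates; lower-to-higher traffic needs an
# existing xlate (dynamic or from a static) and an ACL permit. Ports,
# policy NAT and real timer handling are deliberately left out.
import ipaddress

XLATE_TIMEOUT = 180  # seconds; constructed value for the model

class Fwsm:
    def __init__(self):
        self.security = {}    # nameif -> security level
        self.acl_any = set()  # interfaces with "permit ip any any" applied inbound
        self.nat0 = set()     # interfaces with "nat (if) 0 0 0" (identity NAT)
        self.statics = []     # (high_if, low_if, network) from "static (high,low) ..."
        self.xlates = {}      # (high_if, low_if, host) -> expiry time

    def static(self, high, low, network):
        self.statics.append((high, low, ipaddress.ip_network(network)))

    def _xlate_exists(self, high, low, host, now):
        if any(h == high and l == low and ipaddress.ip_address(host) in net
               for h, l, net in self.statics):
            return True
        return self.xlates.get((high, low, host), -1) > now

    def forward(self, src_if, src_ip, dst_if, dst_ip, now):
        """True if a packet from src_if would be forwarded to dst_if at time now."""
        if src_if not in self.acl_any:
            return False
        if self.security[src_if] > self.security[dst_if]:
            # higher -> lower: identity NAT creates an xlate for the source host
            if src_if not in self.nat0:
                return False
            self.xlates[(src_if, dst_if, src_ip)] = now + XLATE_TIMEOUT
            return True
        # lower -> higher: the destination host must already have an xlate
        return self._xlate_exists(dst_if, src_if, dst_ip, now)

def thread_fwsm(with_static=False):
    """Build the firewall from the configuration posted in this thread."""
    fw = Fwsm()
    for name, level in (("outside", 0), ("DMZ", 50), ("inside", 100)):
        fw.security[name] = level  # nameif vlanNN <name> securityNN
        fw.acl_any.add(name)       # access-group 100 in interface <name>
        fw.nat0.add(name)          # nat (<name>) 0 0 0
    if with_static:  # static (inside,DMZ) 130.1.2.0 130.1.2.0 netmask 255.255.255.0
        fw.static("inside", "DMZ", "130.1.2.0/24")
    return fw
```

Without the static, the DMZ-to-inside ping only succeeds while a dynamic xlate created by an inside-initiated ping is still alive; with the static the whole 130.1.2.0/24 range, including the secondary address 130.1.2.1, is reachable from the start.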

Hi Chen,

Are all your issues with the FWSM fixed now, or do you still have some questions?

regards Michel

Hi Michel:

nat (outside) 0 0 0

in the configuration I posted should not exist.

By the way, should vlan50 be an SVI interface?

Thanks

mhoda
Level 5

Hi,

Surely we can help! Can you ping all the interfaces on your FWSM? Do you have an SVI interface pointing to the MSFC? Or is your default gateway pointing to an external router? Can you please provide us a snippet of the switch config (only the FWSM portion), the FWSM config (only the interface, ACL and static config), and the MSFC config (only the SVI interface)?

Regards,

Mynul

Hi, Mynul:

Thanks for answering me so quickly!

Here is the configuration:

6509:
set vlan 16 firewall-vlan 8
set vlan 50 firewall-vlan 8
set vlan 60 firewall-vlan 8
set vlan 99 firewall-vlan 8

MSFC:
interface vlan50
 ip address 130.1.4.253 255.255.255.0
 standby 50 preempt
 standby 50 ip 130.1.4.254
interface vlan12
 ip address 132.109.69.254 255.255.255.0

FWSM:
nameif vlan60 outside security0
nameif vlan50 DMZ security50
nameif vlan99 failover security99
nameif vlan16 inside security100
ip address outside 10.16.196.253 255.255.255.0
ip address DMZ 130.1.2.249 255.255.255.0
ip address failover 172.16.99.254 255.255.255.252
ip address inside 130.1.2.113 255.255.255.0
icmp permit any outside
icmp permit any DMZ
icmp permit any failover
icmp permit any inside
access-list 100 permit ip any any
access-group 100 in interface inside
access-group 100 in interface DMZ
access-group 100 in interface outside
nat (inside) 0 0 0
nat (DMZ) 0 0 0
nat (outside) 0 0 0
router ospf 1
 network 130.1.4.0 255.255.255.0 area 0
 network 130.1.2.0 255.255.255.0 area 0
 network 10.16.196.0 255.255.255.0 area 0
route outside 0.0.0.0 0.0.0.0 10.16.196.254

My testing PC is in the DMZ with IP address 132.109.69.42, gateway 132.109.69.254, but I can't ping 130.1.2.25, which is a host IP in the inside area.

If I ping 132.109.69.42 first from host 130.1.2.25, then I can ping 130.1.2.25 from my PC 132.109.69.42.

According to the above, the IP I can't ping from my PC 132.109.69.42 is 130.1.2.1 (the secondary IP of the SUN host 130.1.2.25 in the inside area).

Thanks again!

Yongxin Chen