Re: FWSM

From: Segun Daini <segundaini_at_gmail.com>
Date: Thu, 24 Nov 2011 09:01:50 +0100

Hi Aziz,

The FWSM, unlike the router, will check the route to the IP you need to
reach. In this case, 4.2.2.2's output interface is inside; this is why it
will not work for the other interfaces.

Regards.

On Thu, Nov 24, 2011 at 8:50 AM, Aamir Aziz <aamiraz77_at_gmail.com> wrote:

> Dear *,
>
> I have a simple setup with a core switch and FWSM. From the FWSM I am
> able to ping from the inside interface (interface between FWSM and
> MSFC) of the FWSM to other VLANs on the core switch and to the internet.
> However, when I source the ping from another VLAN of the FWSM to the internet
> or another VLAN of the core switch, there is no reply. Here is my config on the FWSM:
>
> FWSM-1# sh run
> : Saved
> :
> FWSM Version 4.0(4)
> !
> hostname FWSM-1
> enable password 8Ry2YjIyt7RRXU24 encrypted
> names
> dns-guard
> !
> interface Vlan102
> description *** Servers ***
> nameif SRVR
> security-level 50
> ip address 10.10.2.1 255.255.255.0
> !
> interface Vlan103
> description *** Servers Mgmt ***
> nameif SRVR-mgmt
> security-level 50
> ip address 10.10.3.1 255.255.255.0
> !
> interface Vlan174
> description LAN/STATE Failover Interface
> !
> interface Vlan175
> description *** Inside Interface to MSFC ***
> nameif inside
> security-level 100
> ip address 10.10.75.2 255.255.255.0
> !
> passwd 2KFQnbNIdI.2KYOU encrypted
> ftp mode passive
> same-security-traffic permit inter-interface
> access-list inside-in extended permit ip any any
> access-list inside-in extended permit icmp any any
> access-list SRVR-in extended permit ip any any
> access-list SRVR-mgmt-in extended permit ip any any
> access-list SRVR extended permit icmp any any
> access-list SRVR-mgmt extended permit icmp any any
> pager lines 24
> mtu SRVR 1500
> mtu SRVR-mgmt 1500
> mtu inside 1500
> failover
> failover lan unit primary
> failover lan interface FAIL Vlan174
> failover key *****
> failover replication http
> failover link FAIL Vlan174
> failover interface ip FAIL 192.168.74.1 255.255.255.252 standby 192.168.74.2
> icmp permit any echo SRVR
> icmp permit any SRVR
> icmp permit any echo SRVR-mgmt
> icmp permit any SRVR-mgmt
> icmp permit any inside
> no asdm history enable
> arp timeout 14400
> access-group SRVR-in in interface SRVR
> access-group SRVR-mgmt-in in interface SRVR-mgmt
> access-group inside-in in interface inside
> route inside 0.0.0.0 0.0.0.0 10.10.75.1 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
> timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout uauth 0:05:00 absolute
> http 10.10.0.0 255.255.0.0 SRVR
> http 10.10.0.0 255.255.0.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> service reset no-connection
> telnet 10.10.0.0 255.255.0.0 SRVR
> telnet 10.10.0.0 255.255.0.0 SRVR-mgmt
> telnet 10.10.0.0 255.255.0.0 inside
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> !
> class-map inspection_default
> match default-inspection-traffic
> !
> !
> policy-map global_policy
> class inspection_default
> inspect dns maximum-length 512
> inspect ftp
> inspect h323 h225
> inspect h323 ras
> inspect netbios
> inspect rsh
> inspect skinny
> inspect smtp
> inspect sqlnet
> inspect sunrpc
> inspect tftp
> inspect sip
> inspect xdmcp
> !
> service-policy global_policy global
> prompt hostname context
> Cryptochecksum:0cc9eda46d5882ff1d4d2d7046e76c30
> : end
> FWSM-1#
>
> FWSM-1# ping inside 4.2.2.2
> Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 130/140/150 ms
> FWSM-1# ping in
> FWSM-1# ping inside 10.10.10.1
> Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
> FWSM-1# ping in
> FWSM-1# ping SRV 4.2.2.2
>
> FWSM-1# ping SRVR 4.2.2.2
> Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
> ?????
> Success rate is 0 percent (0/5)
> FWSM-1# ping SRVR 10.10.10.1
> Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
> ?????
>
>
> Core Switch:
>
> interface Vlan175
> description *** Connected to FWSM ***
> ip address 10.10.75.1 255.255.255.0
> end
>
> interface Vlan100
> description *** NQA-mgmt ***
> ip address 10.10.1.1 255.255.255.0
> end
>
> ip route 10.10.2.0 255.255.255.0 Vlan175
> ip route 10.10.3.0 255.255.255.0 Vlan175
>
>
> Any help is appreciated as this is the first time I am configuring FWSM.
>
> Thanks,
> Aamir
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Thu Nov 24 2011 - 09:01:50 ART

This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART
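The reply above explains the symptom as a routing-table check: the FWSM looks up the destination, and a ping sourced from an interface other than the one the route points out of is not sent. The following Python model is an added example written for this archive page, not code from either poster or from Cisco. It builds a routing table from the interface addresses and the single default route in Aamir's posted config (connected routes for each `nameif` plus `route inside 0.0.0.0 0.0.0.0 10.10.75.1`), performs a longest-prefix match, and applies the egress-interface rule Segun describes. The `ping_allowed` function and the host 10.10.2.50 used to show the connected-route case are constructed for illustration; the example generalizes the thread's four pings to any destination and source interface, so you can reproduce why `ping inside 4.2.2.2` succeeds while `ping SRVR 4.2.2.2` and `ping SRVR 10.10.10.1` do not.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Model of the behaviour described in the reply: the firewall resolves the
# destination through its own routing table and only emits a ping sourced
# from interface X if the lookup's egress interface is also X.


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str                 # nameif of the egress interface
    next_hop: Optional[str]    # None for a connected (interface) route


def build_table(interfaces: dict, static_routes: list) -> List[Route]:
    """interfaces: {nameif: 'addr/len'}; static_routes: [(prefix, nameif, next_hop)].

    Each interface address yields a connected route for its subnet, exactly as
    the FWSM derives connected routes from 'ip address' under each interface.
    """
    table: List[Route] = []
    for name, cidr in interfaces.items():
        net = ipaddress.ip_interface(cidr).network
        table.append(Route(net, name, None))
    for prefix, iface, nh in static_routes:
        table.append(Route(ipaddress.ip_network(prefix), iface, nh))
    return table


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route that contains dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def ping_allowed(table: List[Route], src_iface: str, dst: str) -> Tuple[bool, Optional[str]]:
    """Return (would_send, egress_iface) for 'ping <src_iface> <dst>'.

    The ping is only sent when the route lookup for dst exits through the
    interface named on the command line (the rule stated in the reply).
    """
    route = lookup(table, dst)
    if route is None:
        return False, None
    return route.iface == src_iface, route.iface


# Values taken from the FWSM config posted in the thread.
FWSM_INTERFACES = {
    "SRVR": "10.10.2.1/24",
    "SRVR-mgmt": "10.10.3.1/24",
    "inside": "10.10.75.2/24",
}
FWSM_STATIC_ROUTES = [("0.0.0.0/0", "inside", "10.10.75.1")]


def replay_thread_pings() -> dict:
    """Re-run the pings from the thread plus one constructed connected-subnet case."""
    table = build_table(FWSM_INTERFACES, FWSM_STATIC_ROUTES)
    cases = [
        ("inside", "4.2.2.2"),      # worked in the thread
        ("inside", "10.10.10.1"),   # worked in the thread
        ("SRVR", "4.2.2.2"),        # failed in the thread
        ("SRVR", "10.10.10.1"),     # failed in the thread
        ("SRVR", "10.10.2.50"),     # constructed: host on SRVR's own subnet
    ]
    return {f"ping {ifc} {dst}": ping_allowed(table, ifc, dst) for ifc, dst in cases}


if __name__ == "__main__":
    for cmd, (ok, egress) in replay_thread_pings().items():
        print(f"{cmd:28s} egress={egress!s:10s} sent={ok}")
```

Running the block prints one line per ping; every destination outside the three connected subnets resolves to `inside` via the default route, so only pings sourced from `inside` are sent, while a destination on SRVR's own subnet resolves to the connected route and a SRVR-sourced ping is emitted. The model covers only the FWSM-side lookup and does not simulate the core switch's return path.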