Re: FWSM

From: Aamir Aziz <aamiraz77_at_gmail.com>
Date: Thu, 24 Nov 2011 13:06:04 +0400

But I should still be able to ping 10.10.1.1 from the FWSM, which is on the core switch?

On Thu, Nov 24, 2011 at 12:01 PM, Segun Daini <segundaini_at_gmail.com> wrote:
> Hi Aziz,
> The FWSM, unlike the router, will check the route to the IP you need to reach.
> In this case, 4.2.2.2's output interface is inside; this is why it will not
> work for the other interfaces.
> Regards.
>
> On Thu, Nov 24, 2011 at 8:50 AM, Aamir Aziz <aamiraz77_at_gmail.com> wrote:
>>
>> Dear *,
>>
>> I have a simple setup with a core switch and an FWSM. From the FWSM I am
>> able to ping from the inside interface (the interface between the FWSM and
>> the MSFC) to other VLANs on the core switch and to the internet;
>> however, when I source the ping from another VLAN of the FWSM to the internet
>> or to another VLAN of the core switch, there is no reply. Here is my config on the FWSM:
>>
>> FWSM-1# sh run
>> : Saved
>> :
>> FWSM Version 4.0(4)
>> !
>> hostname FWSM-1
>> enable password 8Ry2YjIyt7RRXU24 encrypted
>> names
>> dns-guard
>> !
>> interface Vlan102
>> description *** Servers ***
>> nameif SRVR
>> security-level 50
>> ip address 10.10.2.1 255.255.255.0
>> !
>> interface Vlan103
>> description *** Servers Mgmt ***
>> nameif SRVR-mgmt
>> security-level 50
>> ip address 10.10.3.1 255.255.255.0
>> !
>> interface Vlan174
>> description LAN/STATE Failover Interface
>> !
>> interface Vlan175
>> description *** Inside Interface to MSFC ***
>> nameif inside
>> security-level 100
>> ip address 10.10.75.2 255.255.255.0
>> !
>> passwd 2KFQnbNIdI.2KYOU encrypted
>> ftp mode passive
>> same-security-traffic permit inter-interface
>> access-list inside-in extended permit ip any any
>> access-list inside-in extended permit icmp any any
>> access-list SRVR-in extended permit ip any any
>> access-list SRVR-mgmt-in extended permit ip any any
>> access-list SRVR extended permit icmp any any
>> access-list SRVR-mgmt extended permit icmp any any
>> pager lines 24
>> mtu SRVR 1500
>> mtu SRVR-mgmt 1500
>> mtu inside 1500
>> failover
>> failover lan unit primary
>> failover lan interface FAIL Vlan174
>> failover key *****
>> failover replication http
>> failover link FAIL Vlan174
>> failover interface ip FAIL 192.168.74.1 255.255.255.252 standby
>> 192.168.74.2
>> icmp permit any echo SRVR
>> icmp permit any SRVR
>> icmp permit any echo SRVR-mgmt
>> icmp permit any SRVR-mgmt
>> icmp permit any inside
>> no asdm history enable
>> arp timeout 14400
>> access-group SRVR-in in interface SRVR
>> access-group SRVR-mgmt-in in interface SRVR-mgmt
>> access-group inside-in in interface inside
>> route inside 0.0.0.0 0.0.0.0 10.10.75.1 1
>> timeout xlate 3:00:00
>> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
>> timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
>> timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
>> timeout sip-invite 0:03:00 sip-disconnect 0:02:00
>> timeout uauth 0:05:00 absolute
>> http 10.10.0.0 255.255.0.0 SRVR
>> http 10.10.0.0 255.255.0.0 inside
>> no snmp-server location
>> no snmp-server contact
>> snmp-server enable traps snmp authentication linkup linkdown coldstart
>> service reset no-connection
>> telnet 10.10.0.0 255.255.0.0 SRVR
>> telnet 10.10.0.0 255.255.0.0 SRVR-mgmt
>> telnet 10.10.0.0 255.255.0.0 inside
>> telnet timeout 5
>> ssh timeout 5
>> console timeout 0
>> !
>> class-map inspection_default
>> match default-inspection-traffic
>> !
>> !
>> policy-map global_policy
>> class inspection_default
>> inspect dns maximum-length 512
>> inspect ftp
>> inspect h323 h225
>> inspect h323 ras
>> inspect netbios
>> inspect rsh
>> inspect skinny
>> inspect smtp
>> inspect sqlnet
>> inspect sunrpc
>> inspect tftp
>> inspect sip
>> inspect xdmcp
>> !
>> service-policy global_policy global
>> prompt hostname context
>> Cryptochecksum:0cc9eda46d5882ff1d4d2d7046e76c30
>> : end
>> FWSM-1#
>>
>> FWSM-1# ping inside 4.2.2.2
>> Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
>> !!!!!
>> Success rate is 100 percent (5/5), round-trip min/avg/max = 130/140/150 ms
>> FWSM-1# ping in
>> FWSM-1# ping inside 10.10.10.1
>> Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
>> !!!!!
>> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
>> FWSM-1# ping in
>> FWSM-1# ping SRV 4.2.2.2
>>
>> FWSM-1# ping SRVR 4.2.2.2
>> Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
>> ?????
>> Success rate is 0 percent (0/5)
>> FWSM-1# ping SRVR 10.10.10.1
>> Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
>> ?????
>>
>>
>> Core Switch:
>>
>> interface Vlan175
>> description *** Connected to FWSM ***
>> ip address 10.10.75.1 255.255.255.0
>> end
>>
>> interface Vlan100
>> description *** NQA-mgmt ***
>> ip address 10.10.1.1 255.255.255.0
>> end
>>
>> ip route 10.10.2.0 255.255.255.0 Vlan175
>> ip route 10.10.3.0 255.255.255.0 Vlan175
>>
>>
>> Any help is appreciated, as this is the first time I am configuring an FWSM.
>>
>> Thanks,
>> Aamir
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

Received on Thu Nov 24 2011 - 13:06:04 ART
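An added example (my own code, not from anyone in the thread): a small Python model of the route check Segun describes. It parses the routes out of an excerpt copied from the posted FWSM config (connected routes from each nameif'd interface, plus the static default route), does a longest-prefix-match lookup on the ping destination, and reports whether a `ping <interface> <dest>` can be sent at all. The behaviour modelled is the one stated in the reply above: the packet leaves through the route's egress interface, so naming any other interface on the ping command yields no packet. NAT, ACLs, ARP and the MSFC side are deliberately out of scope; nothing here talks to real hardware.

```python
"""Model of the FWSM/ASA-style route check behind `ping <interface> <dest>`.

Added example for the thread above; assumes longest-prefix match and that a
ping sourced from an interface other than the route's egress interface is
never transmitted. Ignores NAT, ACLs and ARP.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpt copied from the config posted in the thread (only the lines the
# lookup needs). Indentation is irrelevant; the parser strips it.
FWSM_CONFIG = """\
interface Vlan102
 nameif SRVR
 security-level 50
 ip address 10.10.2.1 255.255.255.0
!
interface Vlan103
 nameif SRVR-mgmt
 security-level 50
 ip address 10.10.3.1 255.255.255.0
!
interface Vlan175
 nameif inside
 security-level 100
 ip address 10.10.75.2 255.255.255.0
!
route inside 0.0.0.0 0.0.0.0 10.10.75.1 1
"""


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str            # nameif the packet leaves through
    next_hop: Optional[str]   # None for a connected route
    metric: int


def parse_routes(config: str) -> List[Route]:
    """Build the routing table: one connected route per nameif'd interface
    with an IP address, plus every `route <if> <net> <mask> <gw> [metric]`."""
    routes: List[Route] = []
    nameif: Optional[str] = None
    for raw in config.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        if parts[0] == "interface":
            nameif = None                       # new block, forget the old nameif
        elif parts[0] == "nameif":
            nameif = parts[1]
        elif parts[:2] == ["ip", "address"] and nameif:
            net = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append(Route(net, nameif, None, 0))
        elif parts[0] == "route":
            net = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
            metric = int(parts[5]) if len(parts) > 5 else 1
            routes.append(Route(net, parts[1], parts[4], metric))
    return routes


def lookup(routes: List[Route], dest: str) -> Optional[Route]:
    """Longest-prefix match; among equal prefixes prefer the lowest metric."""
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def ping_egress(routes: List[Route], src_interface: str, dest: str) -> Tuple[bool, str]:
    """Return (sendable, reason). The ping is sendable only when the route's
    egress interface is the interface named on the ping command."""
    route = lookup(routes, dest)
    if route is None:
        return False, f"no route to {dest}"
    via = route.next_hop or "connected"
    if route.interface != src_interface:
        return False, (f"{dest} routes out '{route.interface}' (via {via}), "
                       f"not '{src_interface}': nothing is sent")
    return True, f"{dest} routes out '{route.interface}' (via {via})"


if __name__ == "__main__":
    table = parse_routes(FWSM_CONFIG)
    # The four pings from the thread: the first two succeed, the last two do not.
    for iface, dest in [("inside", "4.2.2.2"), ("inside", "10.10.10.1"),
                        ("SRVR", "4.2.2.2"), ("SRVR", "10.10.10.1")]:
        ok, why = ping_egress(table, iface, dest)
        print(f"ping {iface} {dest}: {'OK' if ok else 'FAIL'} - {why}")
```

With the posted routes only the inside interface can reach 4.2.2.2 or 10.10.10.1, because the single default route points out inside; a ping sourced from SRVR only has a route for 10.10.2.0/24 itself. To test reachability of the server VLANs through the firewall, ping from a host inside VLAN 102 or 103 rather than from the FWSM with a different source interface.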

This archive was generated by hypermail 2.2.0 : Thu Dec 01 2011 - 06:29:31 ART